Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.


For those who are facing the challenge of malware removal, here's a basic guide on what to do when the system is infected.
But I strongly recommend posting a question for there are times when ComboFix and MalwareBytes are unable to remove the infection. For malware that patched system files we need to determine which file is patched and replace it before we can continue the cleanup process and run diagnostic tools.


The very first thing you should do is to isolate the infected system from the network to stop the spread of infection.
Turn off the internet connection except while you're downloading the tools to use which shouldn't take long.  Or you can use another pc with internet access to download the files into a USB.  Unplug the network cable, turn off wireless connections of the infected system. Do not share removable media device.


DO NOT disable System Restore, you need to keep those restore points intact in case you need it later, you can disable it afterwards when the PC is clean and stable.
Any viruses in the System Restore (if there are any) are harmless so they pose no threat while in that folder.  
For further information about viruses in System Restore check out below link -->


As a precaution, you need to back up your important files now while you still can just in case something goes wrong during the cleanup and you have no choice but to reformat. Bear in mind that you MUST scan the backup before you start using them.

"      ERUNT (Emergency Recovery Utility NT):

Some malware will turn off System Restore and other windows features to lessen the PC's functionality.  If you noticed that the System Restore had already been turned off or tabs are grayed, use ERUNT to do a complete backup of the registry. Registry export is not good enough. Removing nasties requires making registry changes and if the registry is corrupted it can prevent the pc from booting. The ERUNT backup can then be restored later if needed.

Complete ERUNT tutorial:

If the virus has already disabled SR and you don't have ERUNT backup then the next thing you should do is run ComboFix before you run any other tools so you have a registry backup. Post a question and we'll guide you with its usage.


Download the programs needed for the cleanup. There are many free tools out there but these ones below are among the most commonly used, they work well and they are FREE.
Usually MBAM or ComboFix alone will remove most infections but it's good to also clean temp folders.

*** UPDATE ***

Since some rogue/malware stops programs from executing, desktop shortcuts/startmenu are being moved, files may be hidden, utilities are disabled among other issues, I suggest you run TheKiller first followed by the tools like MalwareBytes, TDSSKiller and ComboFix.

Download TheKiller by maliprog
Note that "TheKiller" is renamed as explorer.exe
Double click on it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
Press OK when the program finished.
Do not restart your system after this step. You then run other tools like MalwareBytes, TDSSKiller or ComboFix.
If malware blocks TheKiller from running please try to run it again.

a). ATF Cleaner or TFC
b). MalwareBytes  
c). SUPERAntispyware  
d). TDSSKiller
c). Combofix(with a Helper's guidance). Post a question if using ComboFix and attach the log file for us to analyse.


If the problem is not resolved after scanning with reliable scanners, then scan for rootkits, I prefer using Gmer and RootRepeal. Even if the issue no longer exist it's always a good idea to scan with these tools for the reassurance that nothing is hiding.


Once the problem is resolved and the system is clean, you can then disable System Restore to purge all those restore points, then turn it back On and immediately create a new and clean restore point.

How to turn Off/On System Restore:


Prevention is better than cure so make sure that you have the 3 basic security real-time protections in-place, without doubling each one.

1. Antivirus
2. Firewall
3. Anti-malware

Make sure all your installed programs have regular updates and windows have all the critical security patches. Tighten security features in your browsers, if using Firefox use the 'no-script' add-on.  
Install the latest version of java to minimize the risk of vundo threats as lower versions are very vulnerable to vundo exploits.
Use a customized Hosts file to block unwanted nasties.  Browse the internet using a limited user account, even though this (LUA) is 'not useful' against the rogue family of antivirus it is still better than browsing online with an Admin account.

NOTE:  the best protection is User Education.

For more in-depth info on prevention please read below links:

TonyKlein's article "So how did I get infected in the first place?
miekiemoes' "How to prevent Malware"
Simple and easy ways to keep your computer safe and secure on the Internet:


Even though the problem seems to be resolved, it's still a good idea to post the logs to be analysed to make sure those are clean.
Just because the popups have stopped and other symptoms seem to be gone it doesn't always mean that the system is clean.

Happy and safe computing!

Comments (24)

Top Expert 2007


Glad to know that this article has been useful.

Thank you for the feedback and the Yes vote.

If you are infected, the only way to have a clean computer is to wipe the hard drive completely.  If you want peace of mind, its the only way to go.  Simply always have your files backed up externally (DVD, HD, USB thumbdrive, online, etc) and you are good to go.
Author of the Year 2011
Top Expert 2006

nbuonan -

As an MS MVP, 'rpggamergirl' has received world-wide recognition for her expertise in fighting malware and for many years she has been the number one provider of malware solutions to other members of Experts-Exchange.

Repairing infected computers starts with identifying the variant and then selecting the right tools to do the job. Depending on the actual infection, there are any number of subsequent steps to take.

I find that less than 1% of the infected computers I repair require more than the tools readily availble (and the knowledge to use them) - and simply formating or replacing the HDD is not as safe as you seem to think.

If you think that the hard drive is the only physical attack vector point for malware, you could be in for a real surprise one of these days. "Wipe the hard drive completely." has exactly ZERO affect on some malware.

As stated above, this Article was written as "a basic guide" and you might want to try reading through again with a eye toward learning something.


That sounds like a corporate IT blinkered viewpoint...

As younghv says, there are many other ways for malware to circumvent your methods.

If you go that route, then pull the battery from the motherboard and fully wipe/reset any flash bios too, also the same for any video card or other device that has bios extensions stored in flash or battery backed memory.  (Modems, network cards, some hard drive adapters, PCMCIA cards etc etc.)

As for backups, generally good advice, but before blindly restoring them, you also need to check them for any infeciton too.  That can get tedious and involved.

Likewise any and *ALL* external storage devices, sticks, CD/DVD's etc, need scanning and checking, that might have been connected to, or used with/created by the affected PC.   It's not as clear cut as you might think.  Compounded by much malware now only starts to play nasty, some time after going resident, so you often have little idea when a system was compromised, just based on the apearence of symptoms, or messages.  I.e.  The backups could well have the infeciton source on them too.

Even after restoring backups etc (assuming they are clean) the single biggest task, is educating the user(s) on best practices as to how not to get hosed again in the future.  Some just dont want to know, some do take it on board, most forget within minutes of you going out the door, and then re-install limewire!  (rolls eyes...  It's happened...)  

In any case, the sheer time involved in doing a clean install of a modern OS, with all the inevitable updates and service packs, plus whatever hardware based driver customisations are needed, then reloading the users app's, getting some of them re-activated/re-licenced if needed, then getting the backup data reloaded AND WORKING is not a trivial or quick thing to do, and rarely 100% successfull.

If you have backups (I presume from your comments you have.)  Are you 110% certain they are all usable and good?  Don't rely on a single copy as a backup either.  (Been there, suffered that....)   Many (I suspect most) home users have no backups in any case.

Often, it takes far longer doing all that, than researching the malware and cleaning it (if you get there soon enough.)  But OK, every once in a while, there is so much damage done by malware, it is sometimes the only viable way to go.  But it's nowhere near as clear cut a case as you might think.  Then as above, there are lots of other things to check for infectious material too.  Plus much data can still be safely extracted and backed up from a compromised machine, before flattening and starting over.  But, that too takes time and care...

The last full flatten and reload I did, was purely voluntary, on one of my own boxes, replacing Vista with Win7(HP 32).   It took a few weeks for it all to settle down and become stable and reliable for what I want, and that's a box I sit in front of each day.  Imagine letting a less savvy user loose with a shiny new reload of whatever OS they had, and the inevitable support call's you'd get.

This is based on my own hard won personal experience, supporting friends and family with all this stuff for the last 10 or more years.  While also suffering the corporite IT droids at work too.   YMMV of course.

Regards to all.

Dave B.
Author of the Year 2011
Top Expert 2006

g8kbv (Dave),
Thank you for posting such a comprehensive response.
Nicely done.

View More

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.