Published on
44,670 Points
56 Endorsements
Last Modified:
Editor's Choice
Community Pick
For those who are facing the challenge of malware removal, here's a basic guide on what to do when the system is infected.
But I strongly recommend posting a question for there are times when ComboFix and MalwareBytes are unable to remove the infection. For malware that patched system files we need to determine which file is patched and replace it before we can continue the cleanup process and run diagnostic tools.


The very first thing you should do is to isolate the infected system from the network to stop the spread of infection.
Turn off the internet connection except while you're downloading the tools to use which shouldn't take long.  Or you can use another pc with internet access to download the files into a USB.  Unplug the network cable, turn off wireless connections of the infected system. Do not share removable media device.


DO NOT disable System Restore, you need to keep those restore points intact in case you need it later, you can disable it afterwards when the PC is clean and stable.
Any viruses in the System Restore (if there are any) are harmless so they pose no threat while in that folder.  
For further information about viruses in System Restore check out below link -->  http://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/Viruses-in-the-System-Volume-Information-System-Restore.html


As a precaution, you need to back up your important files now while you still can just in case something goes wrong during the cleanup and you have no choice but to reformat. Bear in mind that you MUST scan the backup before you start using them.

"      ERUNT (Emergency Recovery Utility NT):

Some malware will turn off System Restore and other windows features to lessen the PC's functionality.  If you noticed that the System Restore had already been turned off or tabs are grayed, use ERUNT to do a complete backup of the registry. Registry export is not good enough. Removing nasties requires making registry changes and if the registry is corrupted it can prevent the pc from booting. The ERUNT backup can then be restored later if needed.

Complete ERUNT tutorial:

If the virus has already disabled SR and you don't have ERUNT backup then the next thing you should do is run ComboFix before you run any other tools so you have a registry backup. Post a question and we'll guide you with its usage.


Download the programs needed for the cleanup. There are many free tools out there but these ones below are among the most commonly used, they work well and they are FREE.
Usually MBAM or ComboFix alone will remove most infections but it's good to also clean temp folders.

*** UPDATE ***

Since some rogue/malware stops programs from executing, desktop shortcuts/startmenu are being moved, files may be hidden, utilities are disabled among other issues, I suggest you run TheKiller first followed by the tools like MalwareBytes, TDSSKiller and ComboFix.

Download TheKiller by maliprog
Note that "TheKiller" is renamed as explorer.exe
Double click on it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
Press OK when the program finished.
Do not restart your system after this step. You then run other tools like MalwareBytes, TDSSKiller or ComboFix.
If malware blocks TheKiller from running please try to run it again.

a). ATF Cleaner or TFC
b). MalwareBytes  
c). SUPERAntispyware  
d). TDSSKiller
c). Combofix(with a Helper's guidance). Post a question if using ComboFix and attach the log file for us to analyse.


If the problem is not resolved after scanning with reliable scanners, then scan for rootkits, I prefer using Gmer and RootRepeal. Even if the issue no longer exist it's always a good idea to scan with these tools for the reassurance that nothing is hiding.


Once the problem is resolved and the system is clean, you can then disable System Restore to purge all those restore points, then turn it back On and immediately create a new and clean restore point.

How to turn Off/On System Restore:


Prevention is better than cure so make sure that you have the 3 basic security real-time protections in-place, without doubling each one.

1. Antivirus
2. Firewall
3. Anti-malware

Make sure all your installed programs have regular updates and windows have all the critical security patches. Tighten security features in your browsers, if using Firefox use the 'no-script' add-on.  
Install the latest version of java to minimize the risk of vundo threats as lower versions are very vulnerable to vundo exploits.
Use a customized Hosts file to block unwanted nasties.  Browse the internet using a limited user account, even though this (LUA) is 'not useful' against the rogue family of antivirus it is still better than browsing online with an Admin account.

NOTE:  the best protection is User Education.

For more in-depth info on prevention please read below links:

TonyKlein's article "So how did I get infected in the first place?
miekiemoes' "How to prevent Malware"
Simple and easy ways to keep your computer safe and secure on the Internet:


Even though the problem seems to be resolved, it's still a good idea to post the logs to be analysed to make sure those are clean.
Just because the popups have stopped and other symptoms seem to be gone it doesn't always mean that the system is clean.

Happy and safe computing!
Ask questions about what you read
If you have a question about something within an article, you can receive help directly from the article author. Experts Exchange article authors are available to answer questions and further the discussion.
Get 7 days free