[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More



Published on
43,886 Points
56 Endorsements
Last Modified:
Editor's Choice
Community Pick
For those who are facing the challenge of malware removal, here's a basic guide on what to do when the system is infected.
But I strongly recommend posting a question for there are times when ComboFix and MalwareBytes are unable to remove the infection. For malware that patched system files we need to determine which file is patched and replace it before we can continue the cleanup process and run diagnostic tools.


The very first thing you should do is to isolate the infected system from the network to stop the spread of infection.
Turn off the internet connection except while you're downloading the tools to use which shouldn't take long.  Or you can use another pc with internet access to download the files into a USB.  Unplug the network cable, turn off wireless connections of the infected system. Do not share removable media device.


DO NOT disable System Restore, you need to keep those restore points intact in case you need it later, you can disable it afterwards when the PC is clean and stable.
Any viruses in the System Restore (if there are any) are harmless so they pose no threat while in that folder.  
For further information about viruses in System Restore check out below link -->  http://www.experts-exchange.com/articles/Software/Internet_Email/Anti-Virus/Viruses-in-the-System-Volume-Information-System-Restore.html


As a precaution, you need to back up your important files now while you still can just in case something goes wrong during the cleanup and you have no choice but to reformat. Bear in mind that you MUST scan the backup before you start using them.

"      ERUNT (Emergency Recovery Utility NT):

Some malware will turn off System Restore and other windows features to lessen the PC's functionality.  If you noticed that the System Restore had already been turned off or tabs are grayed, use ERUNT to do a complete backup of the registry. Registry export is not good enough. Removing nasties requires making registry changes and if the registry is corrupted it can prevent the pc from booting. The ERUNT backup can then be restored later if needed.

Complete ERUNT tutorial:

If the virus has already disabled SR and you don't have ERUNT backup then the next thing you should do is run ComboFix before you run any other tools so you have a registry backup. Post a question and we'll guide you with its usage.


Download the programs needed for the cleanup. There are many free tools out there but these ones below are among the most commonly used, they work well and they are FREE.
Usually MBAM or ComboFix alone will remove most infections but it's good to also clean temp folders.

*** UPDATE ***

Since some rogue/malware stops programs from executing, desktop shortcuts/startmenu are being moved, files may be hidden, utilities are disabled among other issues, I suggest you run TheKiller first followed by the tools like MalwareBytes, TDSSKiller and ComboFix.

Download TheKiller by maliprog
Note that "TheKiller" is renamed as explorer.exe
Double click on it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
Press OK when the program finished.
Do not restart your system after this step. You then run other tools like MalwareBytes, TDSSKiller or ComboFix.
If malware blocks TheKiller from running please try to run it again.

a). ATF Cleaner or TFC
b). MalwareBytes  
c). SUPERAntispyware  
d). TDSSKiller
c). Combofix(with a Helper's guidance). Post a question if using ComboFix and attach the log file for us to analyse.


If the problem is not resolved after scanning with reliable scanners, then scan for rootkits, I prefer using Gmer and RootRepeal. Even if the issue no longer exist it's always a good idea to scan with these tools for the reassurance that nothing is hiding.


Once the problem is resolved and the system is clean, you can then disable System Restore to purge all those restore points, then turn it back On and immediately create a new and clean restore point.

How to turn Off/On System Restore:


Prevention is better than cure so make sure that you have the 3 basic security real-time protections in-place, without doubling each one.

1. Antivirus
2. Firewall
3. Anti-malware

Make sure all your installed programs have regular updates and windows have all the critical security patches. Tighten security features in your browsers, if using Firefox use the 'no-script' add-on.  
Install the latest version of java to minimize the risk of vundo threats as lower versions are very vulnerable to vundo exploits.
Use a customized Hosts file to block unwanted nasties.  Browse the internet using a limited user account, even though this (LUA) is 'not useful' against the rogue family of antivirus it is still better than browsing online with an Admin account.

NOTE:  the best protection is User Education.

For more in-depth info on prevention please read below links:

TonyKlein's article "So how did I get infected in the first place?
miekiemoes' "How to prevent Malware"
Simple and easy ways to keep your computer safe and secure on the Internet:


Even though the problem seems to be resolved, it's still a good idea to post the logs to be analysed to make sure those are clean.
Just because the popups have stopped and other symptoms seem to be gone it doesn't always mean that the system is clean.

Happy and safe computing!
LVL 40

Expert Comment

Voted yes, above.
LVL 38

Expert Comment

This is exactly the kind of Article we need more of on EE.
You have provided all of the primary steps needed and none of that clutter about exotic "fixes" that so many others recommend.
Great stuff and I'll be linking this for a lot of our Members to read.

Big ol' yes vote.
LVL 54

Expert Comment

Great article!  Thanks for the time and effort to make it and the expertise you shared.  I honestly hope I will never need it but know I won't be so lucky.  In my personal KB so I can hopefully find it quickly when needed. :)

One question, you mentioned using another computer for downloading tools and a USB drive to transfer.  Also there was a bit about not sharing removeable media.  If I am reading it right it "removeable media" would include that USB drive.  Is that right?  That leads me to a question/concern I have had for a bit.  Is a USB or similar drive best?  What are the chances it will become invected and then be used to infect my computer?  Honestly that has been a real concern of mine as I have gone to help people.

Usually I have actually burned a CD.  I feel a little wasteful or bad doing this though because it is never even close to full.  Also the CD would only be good for a short period since I should be getting the latest of any of these tools.  However the CD is "disposable" and I have always kept as readonly (I don't try to make a read/write CD).  In this way it would seem to be completely safe from becoming infected and a source of spreading it.

Is there a better suggestion?  Any reasonably convenient/cheap options that could be made to readonly and be used as media for this?  There aren't many times I "long for the days of small 'floppies'" but I will admit these occassions are one.  It was always so easy to just slide the tab and make it readonly (and then reverse if I needed to put something new on).

Thanks again!  Curious about your thoughts on the above if you have time (or other expert's too).

Check Out How Miercom Evaluates Wi-Fi Security!

It's not just about Wi-Fi connectivity anymore. A wireless security breach can cost your business large amounts of time, trouble, and expense. Plus, hear first-hand from Miercom on how WatchGuard's Wi-Fi security stacks up against the competition plus a LIVE demo!


Expert Comment

Great Great Great article .. Thank you so much you're Anti-spyware professional ;) ..
LVL 47

Author Comment

Hi bol,

Thanks for your comment and the Yes vote, much appreciated.

Some PC users share files regularly and share removable media e.g. USB disks.
When the system is infected it's wise if the user would stop sharing files and removable media, you can't be too careful.

In the case where the user has to use another pc to download the tools into a USB, then he would have to make sure to use a clean USB(not the one from the infected PC) and to make sure it is clean before plugging it back to other pc.
Yes, I remember those 3.5 inch floppies with a write-protect tab you can slide On or Off.
The good thing is, some USB flash drive comes with a write protector switch in them too to make it a read only drive so the infected PC won't be able to write to it but can still copy the files.

If your USB doesn't have the 'write protector switch' you can download USB Write Protector so you can make it a read only drive, you can also turn the 'USB Write Protector' On and Off whenever you like.

What you're doing now which is burning the tools into a blank CD is also a good idea...CDRs these days are cheap they're like disposable, :), some are only .25 cents each. We buy them in spindle of 50s.


Thanks for your comment, if you like this article, you might like to vote "Yes" :)

Expert Comment

Thank you for this helpful article and the links provided to the recommended programs. I appreciate the time and expertise you have taken to share these points. Just to add to this, I think it is important to keep up with all updates and patches for vulnerable programs like Adobe Acrobat Reader, Java and Flash along with your MS and Windows patches. How do you feel about the Secunia Software Inspector program as helping in this end? Thank you again.

LVL 47

Author Comment


Sorry I missed to reply, I've overlooked... my apology.
Thank you for the Yes vote and for your help.


Yes it is very important to keep up with updates and patches for the OS and all installed programs. Secunia Software Inspector sounds good and if it's working well for you then that's great. I don't use any software inspector, I update windows manually and I just let the programs updates take their course.
Since I only have an older pc with 512 MB of RAM, I only have the basic necessary programs.
Thanks for your comment.

Expert Comment

I have recently run into the AntiVirus 2010 malware that will not allow the infected computer to download anything remotely associated with anti-malware or spyware, it wouldn't even allow a program to be installed through a USB thumb drive.  
To this end I remove the HDD from the infected PC and use a USB to SATA/IDE adapter and clean the infected hard drive by attaching it to my protected machine and running a scan on the "E" drive.  I have found that SUPERantispyware is the most effective tool.
Great article and thanks for sharing!
LVL 47

Author Comment


Welcome to Experts-Exchange!

Some rogues are harder than others to remove but usually they have a rogue process running that makes it so hard for the pc user to work on removing it.

There's another article that talks about some options bypassing those blocks.

With some rogues like Antivirus 2010 and Antispyware Soft (both belong to family of fake AV or anti-malware).
They are getting tougher to remove that you actually have to install MBAM in safe mode and once installed navigate to the MalwareBytes directory to rename mbam.exe to iexplore.exe before going back to normal mode to update the tool which is also tricky as malware modified proxy settings and you need to be really fast after you uncheck the settings and try to update the tool.

Here's a tutorial for removing AKM Antivirus 2010 and Antispyware Soft thanks to MalwareBytes and Metallica.

LVL 18

Expert Comment

by:Ravi Agrawal

I've always been a big fan of yours and highly admire your skills in malware removal and in explaining how to do it.

Brilliant as always.

A small tip I'd like to share. In the run dialog box; type %tmp% and hit ok. This will display  the contents of temporary files folders. Ctrl + A to select all files and hit the del key to delete all the files.

Voted yes, of course.

LVL 14

Expert Comment

Good participated comments
LVL 47

Author Comment


Sorry, I didn't realize you posted a month ago.

Thank you so much for the kind words, much appreciated.
And that tip is excellent, thanks.

To all posters:
Thank you for making this thread active, :)
LVL 27

Expert Comment


Your article has proved to have been an excellent reference, and i've used it on a number of occasions!

Definitely a yes vote, thanks  :)
LVL 22

Expert Comment

by:Tapan Pattanaik
Good Article. Thanks and Have a Great Day.

Expert Comment

Great Article.  

Thank you.

Expert Comment

I hope this gets a permanent link somewhere.  As I need to point some users and friends at this, so maybe I get less phone calls evenings and weekends!
Great stuff.
Many thanks.

Expert Comment

This article is old but the advice is very good.  So many users start cleanup and do things like disable system restore, don't take a backup, etc.  
LVL 47

Author Comment

Updated to include "Thekiller" as the first tool to use.
LVL 50

Expert Comment

Great article - I put it to use this evening and it seems to have fixed the Sirefef/Alureon infestation a family member triggered via a fake fedex email.


LVL 47

Author Comment

Glad to know that this article has been useful.

Thank you for the feedback and the Yes vote.

Expert Comment

If you are infected, the only way to have a clean computer is to wipe the hard drive completely.  If you want peace of mind, its the only way to go.  Simply always have your files backed up externally (DVD, HD, USB thumbdrive, online, etc) and you are good to go.
LVL 38

Expert Comment

nbuonan -

As an MS MVP, 'rpggamergirl' has received world-wide recognition for her expertise in fighting malware and for many years she has been the number one provider of malware solutions to other members of Experts-Exchange.

Repairing infected computers starts with identifying the variant and then selecting the right tools to do the job. Depending on the actual infection, there are any number of subsequent steps to take.

I find that less than 1% of the infected computers I repair require more than the tools readily availble (and the knowledge to use them) - and simply formating or replacing the HDD is not as safe as you seem to think.

If you think that the hard drive is the only physical attack vector point for malware, you could be in for a real surprise one of these days. "Wipe the hard drive completely." has exactly ZERO affect on some malware.

As stated above, this Article was written as "a basic guide" and you might want to try reading through again with a eye toward learning something.

Expert Comment


That sounds like a corporate IT blinkered viewpoint...

As younghv says, there are many other ways for malware to circumvent your methods.

If you go that route, then pull the battery from the motherboard and fully wipe/reset any flash bios too, also the same for any video card or other device that has bios extensions stored in flash or battery backed memory.  (Modems, network cards, some hard drive adapters, PCMCIA cards etc etc.)

As for backups, generally good advice, but before blindly restoring them, you also need to check them for any infeciton too.  That can get tedious and involved.

Likewise any and *ALL* external storage devices, sticks, CD/DVD's etc, need scanning and checking, that might have been connected to, or used with/created by the affected PC.   It's not as clear cut as you might think.  Compounded by much malware now only starts to play nasty, some time after going resident, so you often have little idea when a system was compromised, just based on the apearence of symptoms, or messages.  I.e.  The backups could well have the infeciton source on them too.

Even after restoring backups etc (assuming they are clean) the single biggest task, is educating the user(s) on best practices as to how not to get hosed again in the future.  Some just dont want to know, some do take it on board, most forget within minutes of you going out the door, and then re-install limewire!  (rolls eyes...  It's happened...)  

In any case, the sheer time involved in doing a clean install of a modern OS, with all the inevitable updates and service packs, plus whatever hardware based driver customisations are needed, then reloading the users app's, getting some of them re-activated/re-licenced if needed, then getting the backup data reloaded AND WORKING is not a trivial or quick thing to do, and rarely 100% successfull.

If you have backups (I presume from your comments you have.)  Are you 110% certain they are all usable and good?  Don't rely on a single copy as a backup either.  (Been there, suffered that....)   Many (I suspect most) home users have no backups in any case.

Often, it takes far longer doing all that, than researching the malware and cleaning it (if you get there soon enough.)  But OK, every once in a while, there is so much damage done by malware, it is sometimes the only viable way to go.  But it's nowhere near as clear cut a case as you might think.  Then as above, there are lots of other things to check for infectious material too.  Plus much data can still be safely extracted and backed up from a compromised machine, before flattening and starting over.  But, that too takes time and care...

The last full flatten and reload I did, was purely voluntary, on one of my own boxes, replacing Vista with Win7(HP 32).   It took a few weeks for it all to settle down and become stable and reliable for what I want, and that's a box I sit in front of each day.  Imagine letting a less savvy user loose with a shiny new reload of whatever OS they had, and the inevitable support call's you'd get.

This is based on my own hard won personal experience, supporting friends and family with all this stuff for the last 10 or more years.  While also suffering the corporite IT droids at work too.   YMMV of course.

Regards to all.

Dave B.
LVL 38

Expert Comment

g8kbv (Dave),
Thank you for posting such a comprehensive response.
Nicely done.

Featured Post

Become a Certified Penetration Testing Engineer

This CPTE Certified Penetration Testing Engineer course covers everything you need to know about becoming a Certified Penetration Testing Engineer. Career Path: Professional roles include Ethical Hackers, Security Consultants, System Administrators, and Chief Security Officers.

Join & Write a Comment

Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month