Removing Viruses and other bad stuff, Step by Step

You might want to print this out as there will be a lot of rebooting the computer through these steps. f you are lucky there is a printer icon along the top of your browser that can be used to print out the page you are looking at. If there is no printer icon, try CTRL P, that works in most places.  On the down side of this advise, there are a lot of links that you may need.  Perhaps, print out as a backup.

I put these notes together because friends kept wanting me to come over to their house and fix their computer because it was acting all strange.  I could usually tell over the phone that it should be checked for viruses and as this is a  many hour task, I did not look forward to spending that much time at their house and neither of us were happy with the idea of giving me their computer to work on.  With this set of notes and a few phone calls anybody should be able to get their machine cleaned up.  These notes are always in a state of flux, if you see something that needs clarification or correction, feel free to drop me a note about the problem.  bill@frisinger.net

Also you might want to look at my notes on speeding up a PC.  The problems are related.

If your computer files are all locked up and you are getting a ransom note, then with LUCK, No More Ransom may be able to bail you out for free.  This site is supported by a  very good group of organizations.  It they can not help you then neither can I.

Good Luck!  Cleaning up your PC is a time consuming task but better your time than mine.  Remember the proverb, "give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime"  Happy "fishing".

You may wonder it the order of steps is mandatory.  The answer is no.  If I obviously have a  problem, I will run Malwarebytes right away then go back and work on the other steps more methodically (and run Malwarebytes again).

Note:  If you get asked what operating system you have (window XP or 7 for example) or whether you have a 32 or 64 bit operating system and do not know, click HERE for notes on how to find out if you do not already know.

Step 0)  If it is obvious you have a virus, then jump down to step 6) to get at it then backtrack to the earlier steps.

Step 1)  Some signs you have a virus

a) You have not run anything other than your regular ant-virus software in a while.  A while is probably 2 years if you do not do much on the internet, 1 month if you visit a lot of fee porn sites or free game sites from companies that are unknown. Disney is probably safe. Not all viruses show symptoms on your computer.  One of the main category of viruses uses your computer as a remote place to launch denial of service attaches on other computers.

b)      Your anti-virus software will not run.  Viruses often attack the anti-virus software first.

c)      You suddenly have a different anti-virus software that you do not remember installing or you may have gotten a free anti-virus software off the web from a little known company.  Viruses often masquerade as an anti-virus program. For example Security tool and Antivirus pretend to be anti-virus programs but are actually viruses. Anything that mentions Systweak is also bad news. I think PC Power Speed Antimalware is also bogus.  This list is definitely not all inclusive.

d)      Strange things start popping up on your computer.

e) You get a warning that the FBI or some such organization has found something illegal on your computer and you must pay a fine.  (This was a big thing in 2012)

f)      Other odd behavior.

Step 2) Get rid of suspicious programs particularly if they promise to get rid of viruses or speed up your PC. A program is definitely suspicious of it is not from a well known company or one mentioned in a well know resource or was advertised in a pop up add or you do not remember where you got it from or do not remember installing it at all.  It is also VERY suspicious if it has been recently installed and you do not recognize it.  To see what programs are installed, click the windows icon into he lower left of your screen then select the settings (the gear icon) then Apps, then Apps and features if not already selected.  It defaults to showing the apps in alphabetical order.  To see it in the order they were installed, look at the top of the list, you will see "Sort BY: Name.  click the drop down arrow and select "Install Date".  To uninstall a suspicious one, click on it and select "Uninstall"  If that does not work you almost certainly have a problem so Goggle it and see what you can find out.

Step 3) Verify your anti virus software is running and up to date or download and install one if nothing is running.

You should be able to verify it is running by looking for it's icon in he lower right of your screen or click on the double up arrow to bring up a fuller list.

Also in Windows 7 you can check the "Action Center".  The easiest way to get to it is to type "action center" in the search window that pops up when you click on "Start" Then click on action center in the menu that pops up.   It will probably be the top item.  If you have Windows Vista or XP then you use "Security Center".  You open it by clicking on the icon that looks like a shield and is the lower right corner of your screen.  You may have to click on the "<" in the circle to expand the window to see it.

If you do not see it, but think you do have it installed, check START  > ALL PROGRAMS and look through the folders and file names for it.  It may be installed but turned off.  If turned off, turn it back on and make certain it stays on.

If you do not have one installed, then get one installed right away, see my LIST for some suggestions.  For most people one of the free ones is adequate.

Also the virus definitions need to be up to date.  The anti-virus software will automatically check for updates but if your computer is shut down when it does that, it will not get the updates.  It will normally worn you if this is a problem but you may miss the warning.  The warning is typically is a little flag on the icon for the antivirus software.  If you open up your anti-virus software it will be obvious.

Note:  No tool removes them all, you will probably have to do some searching to find out what works.  Also if you switch from one program to another and the new one finds something, it does not mean it is a better program than the one you were using.  Each program captures a slightly different list of problems.

Step 4  Do you have all the security updates to windows and your other programs installed?
The ones for Microsoft programs usually install automatically, Microsoft releases updates once a month and many relate to security threats.  You hopefully selected the option to update automatically but something may have gone wrong.  To check your update status,  Click the start button, then in the bottom window labeled "Search programs and files", type "windows update".  Near the top of the menu that pops up, you will see "Windows Update".  Click on it.  In the window that opens, you may see a comment that you have some important and some optional updates to install.  Install all the important ones.  You may want to look at the others to see if you want them.  If there is not a comment about needing to install updates, double check by clicking on "Check Updates" in the upper left.

 Note 1:  Occasionally you may not want to keep your version of windows up to date.   The only case I am aware of is if you are running an illegal copy of windows.  If you are, it might get disabled.  There are usually work abounds in this case but it is messy.

Note 2:  You can set when windows checks for updates.   Typically it is set for some time in the middle of the night.  If you turn your computer off at night this will pose an obvious problem.  You can check manually as outlined above, you can set it to check when you normally have the computer on, or you can leave the computer on at night at least periodically.  Laptop type computers are typically set up to sleep when they are not used for a while.  They will not check for updates if they are asleep.  You can set them up to not go to sleep when they are plugged in to a wall outlet.  The screen will still go blank.  To see how, click HERE.

Note 3:  There is merit in installing updates for all your programs.  You should install updates to all your programs when  you are asked to however make certain they are asking about a program you actually have.  Some common programs to make certain are up do date are as follows:
Adobe Flash, a program used to help display graphics on the internet is so virus prone that Apple will not allow it on the iPhone. (You can check to see if Adobe Flash is installed on your machine and if so, is it up to date, click HERE.) It will initially install the latest version then will check to see if you have earlier ones.  If so follow their advice and remove them.
Adobe Air, tools used by some web pages.  For updates, click HERE.
Adobe Acrobat Reader, used to read .PDF files used by many web sites to display pages of documents.  For updates, click HERE.
Java is another program like Adobe Flash that helps to display web pages. Viruses can hid in old versions.  To see if you have any old versions luring around click HERE.  
 
All of these programs are free but they default to adding crapware at the same time so look closely for check boxes that are already checked and uncheck them before downloading the software. Typically you are asked to update these programs every few months but if you have not been pestered in a long time, it is good to download the latest version.

To check to see if other programs are up to date, I recommend:
Secunia Personal Software Inspector (PSI) will check to see that all security patches are added to your software (that your software is up to date).    I like it somewhat better than Update Checker because it seems to find more programs that need updating without false ones. Be careful if you are installing Secunia as it wants to install a number of unrelated programs so read each of the pop up messages to see if you want to install them or not.  The Update Checker program is actually called FileHippo.com Update Checker if you go to delete it..  Both are free. 

Step 5 Do a general cleanup of your computer getting rid of temporary files, cleaning up the registry etc.  I run CCleaner from Piriform The website is a little confusing as is the installation so click HERE for detailed instructions.  
Run CCleaner to delete various temporary files.  I go with all the categories of files they suggest.
Then select the option to clean the registry. Click "Scan for Issues".  Then "Fix Selected issues", I always fix all the ones that are found.  Let it save a backup copy of the registry.  Then select "Fix selected issues". I have never had to use it but better safe than sorry. I had over 250 issues when I ran it recently.  It is often a big number and fixing them never seems to make a big difference but you might as well fix them.
The reason I include this cleanup step in my steps to get rid of viruses is because sometimes, problems reside in temporary files.  Note:  If you run CCleaner again, it will still find a few problems.  They are not really problems and will continue to reappear.  Do wont worry about them.

Step 6 Next run a series programs that will do a one time scan your computer looking for problems.  These programs can be run in combination with your anti-virus programs.  I am familiar with five such programs, "Microsoft Safety Scanner", Malwarebytes Anti-Malware, Eset's On Line Scanner, Norton Power Eraser and Microsoft's Malicious Software Removal Tool.  All these are free.  They typically have more they want to sell you.  All work best when you close all other programs.

Do I really have to run all these programs?  There is no good way to tell if you have removed all the viruses.  If the behavior that was bugging you has gone away that is a good start but hardly a guarantee.  I would at least keep working through these programs until you have run at least 3 of them and at least the last one showed no problems.  I have gone back and run an earlier one and found more problems so error on the side of caution.

Also note that some of these programs may run for as much as 8 hours.  If you want a quick fix, reinstall windows or just buy a new computer.  You may have problems with your computer gets into the sleep or hibernate mode.  It will stop the program from completing its tasks.  You can move the mouse every few minutes but that soon gets old.  A better solution is to change the computer's settings for how long before it goes to sleep.  To do this on Windows 7 machines type "Power Options" into the start search box and Press enter. Then select "Change Power Saving Settings" Then "Change Plan settings" next to the selected plan. Then put the computer to sleep - Never.  There is no problem with display turning off so do not worry about that.  When done with cleaning up your computer, you may want to change the settings back, particularly if it is a laptop.  Also a desktop can produce quite a bit of heat so that is another reason to shut it down, particularly if you find it heating up the room.

If you downloaded on of these programs but can not find it on your had disk, click HERE. for hints to where it may be hiding.

Malwarebytes Anti-Malware is available HERE or HERE.  A scan may take an hour or more.  The basic version of this program is free and that is all I have ever used.   There is an enhanced version that you have to pay for.  It is a regular anti-virus program so it runs in the background all the time and can not be used in conjunction with another anti-virus program. It does not get particularly good reviews.  They will encourage you to install a free trial version of their paid version. I would skip the offer. The first thing it will ask you during the installation process is whether it is OK to install the software it the default spot which it will show you. Just say OK. It will then offer you some other software that you do not want so look out for a checkbox during installation that says to install the trial version so be careful to uncheck it if you do not want it. This shows up in the next window.  To start the scan, click on "Scan now" in the lower right. It will tell you if updates are available, if there are some, click on "Update Now" in the lower right. The scan will then start automatically.  When the free version completes its scan, it will tell you how many problems (objects) it has found.   It may then ask you to restart your computer, go ahead and do that.  The program defaults to just scanning your C: drive. If you have other drives you want scanned, then click HERE for details. Almost all problems are on the C: drive where you almost certainly have windows installed but it is a good idea to scan all your hard drives.  It is also a good idea to run the program multiple times until it comes out clean, I got about a dozen problems on the second scan.  One of the categories of problems it finds is what it calls POP.Optional.  It stands for Potentially Unwanted Software.  It typically gets installed along with something you downloaded for free.  I have never run into a case where I wanted it and I have seen systems with over 100 of these programs.  They typically do not show up when you try to do a normal uninstall.  They are not technically viruses but are used to give you adds so I always delete them.
Malwarebytes was recommended by PC Magazine in their May 2014 issue.  It is often recommended to try first and it is my favorite.   It will also run in the Safe mode if you want to try that.
If it will not run (probably because a virus is blocking it), run the Chameleon version.
If you think you have adware, (pop up adds from programs you never heard of, try Malwarebytes' companion program, Adware cleaner.  It is  quick running program.  It will probably find some POP files.  You can safely delete them but they are no big problem.

 Eset's On Line Scanner can be downloaded HERE.   The program prefers to run from Microsoft Internet Explorer. They will also try to sell you there full up program which can not be run in conjunction with other anti-virus programs.  I used it for a while but it does not get particularly good reviews.  As a side note, I had not run this program in a long time so before I wrote this, I downloaded in and ran it on my system.  I expected it would not find anything but it found 9 infections! and removed them.  It also took 14 hours.  At least they were all in my backup files.  Automatically scans all drives.  A friend of mine that is much more computer savvy than me uses it regularly.  It is particularly good on systems where other anti-virus programs show things down too much.   When Eset is done, there is an option to delete it from your machine.  I usually do.  You rarely use it, you will need a new version next time anyway and if it is on someone else's computer, they will only be confused by an unknown program on  their computer.

Microsoft has a product called Microsoft Safety Scanner that was recommended by Comcast and it worked well for me.  It is intended to be used in conjunction with your regular anti-virus software.  You can download it at:  http://www.microsoft.com/security/scanner/en-us/default.aspx.  The file is msert.exe.
You run it when you think you have a problem.  It does not run in the background and the version you download is only good for 10 days.  Note:  There are both a 32 bit and 64 bit versions.  If you will be running it on the computer you download it to, then it will usually automatically pick the proper one but if you plan on copying it to anther computer, then you may need to specify a different version. It will not automatically pick the wrong version for the computer it is downloading to but it may ask you which version if it can not figure it out on its own.  You will have the option of running  Msert.exe in  the full mode which will take more than an hour but when you think you have a problem, you do not to take shortcuts.  It defaults to the short version.  When it is done it will ask if you want to remove the viruses.  Even if you say Yes, it may not be able to get everything.  Look at the comments at the end closely to see if you should do something more. Also note the program may stop if the computer goes into the sleep mode.  You can either turn that off or if you are like me and you can not remember how, you can just move something around on the screen every 5 or 10 minutes to keep the computer from going to sleep.  This program also takes a lot of time.  2 hours or more. 7/14/12.  If your backup hard disk is contented to your computer, it may want to scan that too.  This will significantly increase the time required to run.  On the other hand, I did once find a virus in my backup data.  You can specifically add additional drives by selecting "Custom Scan"
If you wish to run this program again, you will not find it among your installed programs so you need to go back to your "Downloads" directory and double click on msert.exe again.  The good news is this means there is nothing to uninstall when you no longer want it.

Norton Power Eraser:  https://support.norton.com/sp/en/us/home/current/solutions/kb20100824120155EN  This may accidentally remove some valuable programs but it has an undo feature to mitigate that problem.  I  have never had a problem. The first screen click on the icon  ":Scan or Risks" Then Restart. This program found 2 additional malware infections after Malwarebytes had already removed 4.  On another occasion it found 3 problems after Malwarebytes and found a bunch then Microsoft Power Eraser could not find any more. If you have Norton on your system and have the product key, you can also download a bootable recovery tool.  Recommended by PC Magazine in their Feb 2013 issue.

Trend Micro HouseCall Runs a scan only when you launch it.  Can be run in conjunction with other anti-virus software as a double check.  It will ask you whether you have a 32 bit or 64 bit system. It defaults to just doing a quick scan so your probably want to change that by going to "Settings" and selecting "Full system Scan" and specify what hard disks you want scanned if it does not default to what you want.  This found a problem on my system that Kaspersky and Malwarebytes missed so I think it is defiantly worth running.  This program needs an internet connection to run. When done, it asks if you want to run HouseCall for home networks, it is a good idea to do it.  It checks for things like you using default passwords among other things.  It is incredibly slow, as in 3 hours. Assumedly that means it is more through.

Microsoft Malicious Software Removal Tool
From  http://www.microsoft.com/en-us/download/details.aspx?id=16
It is probably already on your computer if you have a Windows Vista through 10.
To launch from XP, click start, then RUN (near the bottom of the right hand menu)  Then type mrt and hit enter.
On later systems, type  “mrt” in the window of the window that pops up when you press the icon in the lower left of your screen.  If you have automatic updates turned on your version is good, otherwise download the latest from the link above.  A new version is released every month on the second Tuesday.  This program is mostly redundant if you have already ran Microsoft Security Scanner.  This program takes multiple hours to run.  It defaults to quick scan soy you may want to change that.

AdwCleaner  A program to remove adware. After it has scanned your computer, it will give you a list of programs it thinks are adware.  Review the list carefully, some may be programs you want.  If you are unsure about a program, Google it to see if it is something you expert to find on your PC.  It highlighted a program I wanted on my PC so I unchecked it.  As part of the cleaning process, it will want to close all other programs so have everything saved. 

HitmanPro Another program to check for viruses, free initially, after 30 days will only find problems not remove them.  I am still evaluating the program so I can not recommend it yet. It did find 58 tacking cookies and 30 other issues on my system but no threats.  I had the program remove them all.  It will ask you whether you have a 32 bit or 64 bit machine.

Avast antivirus software.  This is a free regular anti virus program so it should not be run in conjunction with your regular program.  This means that to use it, you need to remove or at least disable it.  It gets only average ratings for as an anti-virus program but it found a rootkit virus on my computer that was missed by Kaspersky and most of the programs above.  It defaults to a quick scan, if you want a full system scan, then select Scan the Full System Scan.  It also will check for out of date software.  It may not be as thoroughly as some others but it is much more user friendly.  To get to this option select Scan than Outdated Software. If it is concerned it will run a very detailed scan after rebooting to a pre windows screen. If you want to force this scan select Scan then Boot Time Scan from the drop down menu. The bottom line is you may want to try it but do not use it as your basic anti-virus program.

Step 7, Try  restoring your computer to an earlier point in time.
This is not a usual step but it worked for me on one occasion when none of the above worked at all. It consists of restoring your computer to an earlier point in time.  All your data files will be unchanged but anything installed after the restore point will be uninstalled.  This also a great step to take if you install something and now your computer is messed up in some way
Start by going to Settings (the gear icon) and entering "Restore" in the such box. next select "Recovery" from the drop down menu. then "Open System Restore" then "Next".  It displays the latest restore point. You want an earlier one so click the box below that is labeled "Show more restore points"  Pick a safe date, then next.   If you want to see the programs that will be affected, click on "Scan for affected programs"  If the restore operation files, try installing your ant virus software.  That is what I always have to do with Kaspersky.
If you wish to create a restore point then start by going to Settings (the gear icon) and entering "Restore" in the such box. next select "Recovery or recovery options, backup settings" then "  In the search bar in the lower left of your window, type "Restore Point"  Art the top of the drop down window you will see "Create restore point".  Click on it.

Step 8, Virus Removal Tools that work from rescue (boot) disk
This is another category of anti-virus software.  If your infection is so bad that you can not even get into windows, then they are your only choice.  Otherwise it is an optional extra. They are also good at finding viruses that do a good job of hiding.  I usually do not run any of these but I keep them in reserve.  If you are having trouble getting your computer to boot from a CD/DVD drive, you probably need to change the boot sequence to start with the CD/DVD drives.  Click HERE to see how to do that if you are not already familiar.  Booting is the initial steps a computer does when it is turned on.  It normally performs a number of system checks then loads windows. To use this method, you will need a CD/DVD burner on a working computer and a CD/DVD reader on the infected computer.  You can also use a USB drive but I have not checked that out yet. The procedure is similar, you just have to change the book sequence to read the USB drive first.  I am not certain exactly how much capacity you need on the USB drive  but the capacity of a CD should be adequate.  A CD holds about 650 MB, 0.65 GB. 
Only Norton Power Eraser requires you to be a paid customer although this requirement may have gone away.
Try putting the bootable CD in your problem computer and restarting it.  If the CD is read before windows starts you are in luck, if it loads windows you are not.  If not you have to go into the system BIOS and change the book sequence to boot from the CD/DVD (or USB) drive before the hard disk.  To see how to do that click HERE.
The file you download will either be an .iso file or an .exe file.  If it is an .exe file, just run it and it will lead you through the steps to create a bootable CD or USB drive.  If it is a .iso file and you have windows 7 or later, then right click on the .iso file and select "Burn disk image".  If you have an older computer use Windows Defender Offline because it  uses an .exe file.   Also this one is a little more strait forward in creating a bootable USB drive.   Needless to say, if possible download the file and create the CD on a computer that is not infected. Norton Power Eraser also creates an .exe file but is confusing to use.
Most of these programs have an option to update the virus definitions at the start and of course that is a good idea, particularly if you downloaded the program some time ago.

You can get these programs from Kaspersky, AVG, Microsoft (Defender) and Norton and probably elsewhere but these are the only ones I have used.  This method is useful when the more direct methods disused above do not work.  These will work even when the virus is so severe that you can not get on your computer.  In that case you will have to create the rescue disk on anther computer. 

Kaspersky Rescue Disk,  This was recommended by PC Magazine in their Feb 2013 issue.  You will need a blank CD or DVD and your computer that is still working will need to have a CD/DVD burner.  The computer that you are trying to fix will also need a CD/DVD reader and will need to be set to boot from that device first.    When it is booting from the rescue disk, a screen saying Kaspersky rescue disk will be the first thing that appears.  The download is an .iso file so  right click on the .iso file and select "Burn disk image" assuming you have windows 7 or later.

 AVG Rescue CD, This worked fine for me and was recommend by PC Magazine in their Feb 2013 issue.  This is an .iso file.

Windows Defender Offline, I have not read any reviews of this product which was first released by Microsoft in 2012 but I used it and it is easy to use.  Microsoft is a reliable company so it should at least be safe. You will need to know whether you have a 32 bit or 64 bit operating system. This program is a .exe file and when you run it (by clicking on it) it will create the bootable disk for you or permit you to make a bootable USB drive.  When I ran it, the option to do a full scan was only made available after it did a quick scan. If you need to run an anti-virus program like this, you need to run the full scan. On my system it found anther problem after numerous other programs had been run.  It looked at 13,061,334 'objects" and took about 10 hours. For comparison, my regular version of Kaspersky looked at 5,911,993 files in about the same amount of time.  I have to idea what the relationship between files and objects are.  If you are using Windows Defender as your regular anti virus program on your PC (it is the default one on windows 10), it will automatically load Windows Defender Offline if it thinks it needs to.  It will ask you to reboot your computer then it will load Windows Defender Offline when the computer wakes up again.

Norton Power Eraser Boot Disk(Norton Bootable Recovery Tool): The file is big enough to require a DVD, a CD will not work.  The download is a .exe file.  Running the .exe file gives you a bunch of options.  The one I use is at the first menu, select .iso file, then in the create iso menu, note the first option is to select the location to write the iso file to.  Change this to something you like such as the desktop of downloads.  Now move the iso file to a DVD as outlined in the first paragraph of this section. I found the program confusing to use and the most obvious option would not run on my system.  I would treat this program as our last choice.

Step 9:  If all else fails, there are still a number of options. All of these erase all the programs on your computer but keep the data.  Most computers now sold by major companies have a separate spot on the hard disk that has the information to restore the computer to the state it was when you purchased it. When the computer is first starting up, it usually tells you how to access this.  Keep in mind that all data and programs installed after you purchased the computer will be lost so find the installation disks first and back up all your data.  An remember you will inevitably forget to back something up, often something related to your e-mail program or your favorites list in your browser.
If you have a windows 10 PC, you can reinstall windows from the intermit.  to do this:
Click Start (the windows icon in the lower left of the screen)
Settings (the gear icon)
Update and security
Recovery (along the left side)
rest this pc
Get Started Alternately go back to a previous version of windows
Keep my files
It will list the programs being killed and asking you to concur
It warns you that this will take a while

A sample of things dropped
Dropbox
Google Chrome
Libre Office

If your computer is so messed up you can not log on, you can get to this point a different way.

Previous Page

Return to Home page

Rev 3/26/21