Malware Cleaning

I've been meaning to write this article for a while and when my wife's laptop recently got infected with malicious software, it reminded me that I should do so. After spending almost a decade troubleshooting and cleaning computers, I have developed a prevention and cleaning process that works very well. Whether infected by spyware, adware, viruses or other malware, the process I detail here will clean a Windows computer and resolve a great deal of the remnant problems associated with those infections.

All Viruses Are Malware, But Not All Malware Is A Virus:

Before we begin though, it's a good idea to understand the tools we use and why we do so. So, let's start by examining the two main categories of software protection and the two methods of malware removal. First, you have to understand that not every undesirable program is a virus. In fact, viruses are only one portion of malicious software. While there are literally hundreds of thousands of viruses that have been written since they first appeared in 1982, they only account for a fraction of the infections that people encounter on modern systems. There are many other types of malicious software, including but not limited to, browser hijackers, trojans, adware and also spyware. These each operate in a different way and have different purposes. Generally, we consider the programs designed to damage files, the Operating System and a computer, viruses, but that is a very broad categorization. Other applications monitor your activity and usage (spyware), force you to view unsolicited sites and advertisements (adware) or redirect your computer to unwanted sites (browser hijackers).

These lines are grey though, because viruses can contain trojans, which like the story from ancient Greece, defines a program that presents itself as one form of desirable software, perhaps a screensaver or that new game you wanted to try, but it drops a separate and malicious payload on your system when it gets installed. The payload of that software may be one or many of the aforementioned types of software. Regardless of the purpose or outcome, all of this activity is malicious in nature and therefore falls under the larger umbrella of software called malware.

Potentially Unwanted Applications (PuA):

Now, it gets even more complicated, because not all malware is necessarily pure evil. There are plenty of spyware and adware programs for example, that are considered legitimate software. They come with their own licenses and disclaimers. Often, when you choose to install a particular program that you willingly sought out, these secondary programs will also be installed as "value added" software, even presenting check boxes and license agreements to the user, requesting permission to be installed. In doing so, they legitimize themselves, but do so in much the same way that a drug dealer launders money. This new approach that malware has taken in order to spread itself across the Internet has resulted in the classification of yet one more category of software, called Potentially Unwated Applications or PuA. That's why it's very important that you actually read the installation screens for every program that you install. The strength of this process for malware developers is that their programs can no longer be called viruses and as such, cannot be included for removal by traditional anti-virus programs. They've essentially protected themselves behind a barrier of legality, just like the Mafia.

Protection On Two Fronts:

That's where the two categories of software protection come into play. By now, everyone using a computer has heard of anti-virus software and I would hope that everyone has some form of anti-virus installed on their computer. However, as I've just explained, anti-virus protection is no longer enough. Additionally, everyone should now have malware protection. This form of software protection goes the extra distance. It helps identify adware, spyware and other PuAs.

Calling In The Reserves:

Secondly, I want to discuss the two different methods of software protection that exist. They are real-time protection and on-demand scanners. Think of your local emergency services. You have the police that patrol your city, with the purpose of keeping you protected and stopping crimes before they happen, as they happen and to catch the culprits, after the fact. You also have the local fire department, who extinguishes fires, enforces guidelines for local fire safety and also keeps the city safe in a much different method than the police. Think of those as your anti-virus and malware protection programs on your computer.

However, when disaster strikes, the local police and fire departments are sometimes not enough. That's when the local authorities have to call in the S.W.A.T team or local militia to deal with situations that have gotten out of control. Think of those as your on-demand scanners. These are the programs that come in after the fact, when you know that there is an infection and that the regular, real-time protection is not enough to take care of the threat. You don't always need them, but they are a necessary backup plan when things really go awry. That's why we have two different types of protection; anti-virus and malware protection, and two different methods of protection; real-time and on-demand scanners.


Now we know enough to get to work. Start by picking an anti-virus program and a malware protection program. I currently recommend using Microsoft Security Essentials and my long-time favourite for malware protection remains Spybot SD. Although, you can select other choices from the pages below.

Real-Time Protection:

Microsoft Security Essentials (MSE)
Spybot SD (Search & Destroy)
Other Anti-Virus Programs

Once you've installed real-time protection, MBAM and SAS are the best options for on-demand scanners. Although, you don't always need to install them. In fact, just knowing they exist and downloading a copy if or when you've actually been infected is enough.

On-Demand Scanners:

MalwareBytes Anti-Malwre (MBAM)
SuperAntiSpyWare (SAS)
Other Anti-Malware Programs

The key with this method though, is to know that there are many malware programs that are somewhat self-aware. They watch for activity by anti-virus and malware protection programs attempting to remove them and will attempt to prevent this activity. Sometimes, they will redirect you away from the actual site where you can obtain the software, or they will prevent you from installing them. SAS has a way around this. You can download a portable version which doesn't need to be installed on your computer. You can simply run the downloaded file.

Bonus Protection:

Additionally, I strongly recommend using Hosts Man to download and regularly update your Hosts file. When you install it, tell it to download the MVPs list, at the very least. A host file protects your computer by redirecting requests to sites known to contain malware or advertisements to your own computer's local address ( This will also speed up your browsing slightly and eliminate a lot of annoying ads.


The Process:

If you suspect an infection on your computer, scan your computer with your anti-virus program, reboot and do the same with your malware protection program. Next, reboot and run both SAS and MBAM. Again, reboot after running each of these.

Damage Control:

Once you've cleaned your computer with all 4 tools, the majority, if not all of the undesirable software should be removed. However, you might find that certain things within the Operating System don't work quite right. Perhaps your Windows Firewall won't turn back on or there are certain programs that don't function correctly. Some of these may be easily fixed. The All-In-One tool below fixes some of the most common problems after a serious infection has been cleaned.'s All-In-One Repair

Advanced Tools:

For users who are a little more experienced, SysInternal's tools offer two of the most important programs available for proper cleaning. Start with Process Explorer. It's an advanced task manager, but with some subtle features that make it invaluable when cleaning malware. Use it to look through the running processes and identifying unwanted programs. If in doubt, Google the file name. Once you've found the offending processes that are running, right-click them and select Suspend. Do not kill those processes. Not yet, anyway. Instead, keep looking through the list until you've found all the unwanted applications. There may be buddy programs that watch for the main program to be shut down, at which point, they simply restart them. By suspending them, the programs no longer work, but they are still considered active. This gives you a chance to find and suspend the dependent processes, as well. Once you are confident that you've found everything of concern, you can then right-click and select Kill Process Tree for each of them.

Before you reboot this last time, use AutoRuns to look through all the possible areas on your computer that can hide processes that run on startup. Find and uncheck them. Again, Google any of the ones about which you are unsure. I do not recommend deleting any unknown processes. Not yet, at least. Instead, simply uncheck them and once you're confident you've removed everything you wanted, reboot your computer.

If something doesn't run properly after you reboot, it's possible you disabled an application or service you actually needed. Be very careful! You can actually cripple your computer if you disable resources necessary for the normal operation of the system. That's why it's a good idea to only disable items you are sure you do not want running. Leave everything else alone.

It's worth mentioning again that these final two tools, Process Explorer and AutoRuns are only recommended for users who are confident in their aptitude or knowledge.

SysInternals (Process Explorer & AutoRuns)

Final Thoughts:

I did not create this process at random. I spent over a decade in call centers and technical service departments, helping thousands of people, whether directly or through team supervision, with the removal and repair of their systems after infections. So, this fine tuned process is actually the result of hundreds of technicians working through thousands of scenarios. It's proven to work far more often than not and is a complete enough process to help people recover from an overwhelming number of infections.

If you follow this process, it should save you from having to take your computer to a technician or a store to get cleaned, and if successful, it should also save you from having to reformat your hard drive and reinstall your Operating System. Good luck, everyone!

Created: 29 May 2013 02:48


Comments: 0

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License