How Do I Remove Malware From My Windows Laptop?

What’s the cheapest way to get my Windows laptop swept and cleaned out of malware etc?

There are two obvious ways to clean a Windows laptop, and both of them are free. The first is to run a number of anti-malware programmes to find and remove the bad stuff. The second is to reset it to factory condition. Most people take the software approach. This can take quite a long time, but you don’t have to re-install all your programmes and data. If you don’t have a lot of programmes and data to restore, then a reset could be quicker. In this case, you can either use Windows 10’s built-in reset system or take the nuclear option of reinstalling Windows 10 from scratch. I recommend the nuclear option for bad virus infections and for laptops that only have 32GB of built-in storage. It’s also the best option if you are going to sell a laptop, or give it away.

Of course, it’s better to avoid having the problem. It’s well over a decade since malware affected any of the PCs in our house. That includes my wife’s machines, and she has no interest in becoming a computer expert. Assuming you run antivirus software and have a firewall turned on, you can generally avoid Windows malware by keeping all your software up to date – which I do – and by not making any silly mistakes. Today, this seems to apply even if the only antivirus software you run is Microsoft’s Windows Defender. Which in my case, it is.

Fear the rootkit

Whichever route you take, start by running one or more programmes designed to find rootkits and similar software. Rootkits are designed to avoid detection, sometimes for many years, and their writers try to hide code in places where scanners are unlikely to look. Late last year, ESET antivirus researchers found rootkit code hidden in a PC’s SPI (Serial Peripheral Interface) flash memory, where it could survive even if you did a clean reinstallation or changed the hard drive. This was the first attack of its kind to affect Windows 10, but it could become more common. It’s the kind of approach used to attack IoT (Internet of Things) devices, where recovery involves not only changing the software but updating the firmware.

Users sometimes find out they have a rootkit because something odd – high processor usage or unexplained internet traffic – prompts them to check their firewall logs to find the culprit. Rootkits act mainly as backdoors so that other programmes, such as keyloggers and viruses, can be installed from remote servers. This is one way malware can reappear after you’ve removed it.

You can check for rootkits by running the Windows Defender Offline scan. To do this, run the Windows Security app (which used to be the Windows Defender Security Center) and select “Virus & threat protection.” In the section for current threats, click on the words “Scan options.” Click the radio button for the Windows Defender Offline scan and then hit “Scan now.” This will restart your PC. Several companies also offer free rootkit scanners. Try Malwarebytes Anti-Rootkit, which is now being beta-tested, and Sophos’s Rootkit Removal. For more information, see CSO’s guide, How to identify, prevent and remove rootkits in Windows 10. Rootkits are scary but relatively rare. I’ve never found one despite decades of trying.

Software clean-ups

If you have a PC that has been infected for a while, don’t run one scan and think you’ve solved the problem. A bit of malware that’s become securely embedded may well bring in its friends, who will bring their friends. Some of them will try to hide each other. Remove one malicious program and a second scan – or scanning with a different utility – may find other malicious programmes that were previously hidden. Save and back up your work, and for the best results, keep these three things in mind:

1. No single antivirus programme will always find everything. Try two or – if one of them is Windows Defender – preferably more. It’s a bad idea to install more than one antivirus programme, but you can run one-off scans with as many as you like. Malwarebytes Anti-Malware and Spybot Free Edition (formerly Spybot Search & Destroy) have often found things other programmes have missed. Avast is another good option. ESET has a good free online scanner. Kaspersky’s Virus Removal Tool could be worth a go. Malwarebytes’ (formerly Xplode’s) AdwCleaner targets PUPs (potentially unwanted programmes) that some antivirus products leave alone.

2. No single scan will always find everything. Checking every file for every known virus could take hours, and some malware can hide other malware. If an antivirus programme finds some malware, restart your PC, run it again and it may find more.

And while it’s useful to run antivirus programmes in standard mode, you must run some scans after restarting your PC in Safe Mode with Networking. Safe Mode loads a minimal set of programmes and drivers, which makes malware somewhat easier to spot.

3. You may need outside help. Some virus infestations are particularly hard to remove. Happily, you can go to an online forum and get an expert to analyse the problem and walk you through the removal process. In this case, my first choice would be Bleeping Computer. It provides a simple tutorial on removing malware and, if that fails, clear instructions on how to request help. The alternatives include, in alphabetical order, BestTechie, Geeks to Go and Major Geeks. These forums are run by volunteers, so be respectful, follow instructions, and reply promptly.
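As an added example, not part of the column, the same Defender steps driven from an elevated PowerShell prompt: it checks that signatures are fresh, repeats full scans while new threats keep turning up (the “run it again” advice in point 2), prints the detection history you would paste into a forum request for help, and can finish by rebooting into the Windows Defender Offline scan described above. It relies only on the Defender module cmdlets built into Windows 10; the function name and the default number of passes are my own choices.

```powershell
# Added example (not from the original column). Uses the built-in Defender module;
# assumes Windows 10 with Microsoft Defender Antivirus as the active product.
#Requires -RunAsAdministrator

function Invoke-DefenderSweep {
    param(
        [int]$MaxPasses = 3,   # repeat full scans while new detections keep appearing
        [switch]$Offline       # finish by rebooting into Windows Defender Offline
    )

    # Stale signatures make any scan far less useful, so check before starting.
    $status = Get-MpComputerStatus
    if (-not $status.AntivirusEnabled) {
        throw "Microsoft Defender Antivirus is not enabled; another product may be active."
    }
    if ($status.AntivirusSignatureAge -gt 1) {
        Write-Host "Signatures are $($status.AntivirusSignatureAge) day(s) old; updating..."
        Update-MpSignature
    }

    $seen = @{}   # ThreatID -> name, to tell new finds from ones already listed
    for ($pass = 1; $pass -le $MaxPasses; $pass++) {
        Write-Host "Full scan, pass $pass of $MaxPasses..."
        Start-MpScan -ScanType FullScan

        # Get-MpThreat lists every threat Defender knows about on this PC.
        $new = @(Get-MpThreat | Where-Object { -not $seen.ContainsKey($_.ThreatID) })
        foreach ($t in $new) { $seen[$t.ThreatID] = $t.ThreatName }

        if ($new.Count -eq 0) {
            Write-Host "Pass $pass found nothing new; stopping."
            break
        }
        Write-Host "Pass $pass found $($new.Count) new threat(s):"
        $new | Format-Table ThreatName, SeverityID, IsActive -AutoSize | Out-Host
        Remove-MpThreat   # apply Defender's remediation before the next pass
    }

    # Per-detection history (time, process, file paths) is the evidence a forum
    # helper will ask for; it is returned so you can save it with Out-File.
    Get-MpThreatDetection |
        Select-Object InitialDetectionTime, ProcessName, Resources, ActionSuccess |
        Sort-Object InitialDetectionTime -Descending

    if ($Offline) {
        Write-Host "Rebooting into Windows Defender Offline; save your work first."
        Start-MpWDOScan
    }
}

Invoke-DefenderSweep -MaxPasses 2
```

Add `-Offline` to the final call once you have saved your work; the PC restarts straight into the offline scan, which is the part that can see rootkits hiding from the running system.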

Do a reset

It should be obvious that a software clean-up could easily take half a day, and in the worst cases, several days. It might be quicker to reset your PC to factory condition. It depends on how many programmes you would have to re-install, and how well your backups and data are organised. For this very reason, I have all my data archived separately from my system backups. A backup allows you to recover a device if something goes wrong, such as a disk failure. However, you don’t want to restore a backup that’s riddled with malware. Having a separate archive on an external hard drive means I can access all my data from a different PC, or copy it to a new PC without restoring any infected files. Either way, make a backup and check that all your files are stored safely off your PC before going any further.

To reset Windows 10, run the Settings (cogwheel) app, select “Update & Security,” go to the Recovery page and look for “Reset this PC.” The reset offers two options. The first removes all your programmes and settings but keeps your personal files. The second removes everything, so it should remove any viruses except, perhaps, rootkits. However, I’d still want to reformat the hard drive to be sure. Note that the PC manufacturer’s bundled programmes and any special drivers – plus digital licenses for some apps and paid-for content – will be deleted along with everything else.

For the nuclear option, download a new copy of Windows 10 from Microsoft, along with the media creation tool. Use this to create a USB thumb-drive (8GB or larger) or a DVD that you can use to install Windows 10. You shouldn’t need a product key because it’s stored online. If your PC is licensed to run Windows 10, it should authenticate automatically. However, remember that in many cases, you will need DVDs, product keys, log-on details and passwords to reinstall some programmes and otherwise get back to where you were. You must also keep a record of your Windows 10 administrator’s log-in details – usually a Microsoft email address – and password so that the Windows Store can replace apps and update the new installation with your preferences, including wallpapers. Microsoft offers instructions on how to do a clean installation of Windows 10, but so do many other websites. Read a few examples, such as the ones at Windows Central and Expert Reviews. It’s not hard, but it’s not always as easy as it sounds.

Credit: Jack Schofield for The Guardian, 11 July 2019.