How to Remove a Windows Virus

Is your computer sick? Try these home remedies


A malware infection can produce a wide range of symptoms, or none at all. The most dangerous threats (password stealers and data-theft trojans) are built to stay quiet, so they rarely show any sign of infection. Other types, such as scareware, are noisier: the system slows down, or you lose access to utilities such as Task Manager.

When your computer becomes infected, there are various options you can try. Here's a list of your options beginning with the easiest and working through to the more advanced.

Some of the more advanced methods may require the help of a professional or tech-savvy friend.

Run Antivirus Software

If your Windows computer is infected with a virus, your first step is to update your antivirus software and run a full system scan.

Close all programs before running the scan.

The process may take several hours, so run it when you won't need the computer for a while. (If the computer is infected, you shouldn't be using it for anything sensitive in the meantime anyway.)

If the antivirus software finds malware, it will take one of three actions: clean (strip the malicious code out of an otherwise legitimate file), quarantine (move the file to an isolated store), or delete. If the malware is gone after the scan but you now get system errors or a blue screen of death, the malware may have replaced or damaged system files. Run System File Checker (sfc /scannow) from an elevated command prompt; on Windows 8 and later, if sfc reports files it cannot repair, run DISM /Online /Cleanup-Image /RestoreHealth first and then sfc again.

Boot Into Safe Mode

Safe Mode starts Windows with only a minimal set of drivers and services, so most third-party programs, including many malware autostart entries, never load and you can work on the system in a controlled environment. Not all antivirus software will run there (its own services may not be on the safe-boot list), but try booting into Safe Mode and running a scan from it.

If Safe Mode won't boot or your antivirus won't run in it, boot normally and hold down the Shift key while you log on. On older versions of Windows this tells Windows to skip the programs in the Startup folder and the other per-user startup entries, which can keep a malware launcher from starting. Newer versions of Windows may no longer honor the Shift key at logon, so don't count on this alone.

If startup programs (or the malware) still load, the malware may have set the IgnoreShiftOverride policy value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer in the registry, which tells Windows to ignore the Shift key. Open Registry Editor, delete that value (or set it to 0) in both HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE if present, log off, and try again.

Attempt to Manually Locate and Remove the Malware

Malware can disable antivirus software, preventing it from removing the infection. In that case, manually remove the virus from your system.

Attempting to manually remove a virus requires a certain level of skill and Windows knowledge.

At a minimum, you need to know how to:

Also make sure Explorer is set to show file extensions (Windows hides known extensions by default, so a file named invoice.pdf.exe is displayed as invoice.pdf; this step is essential) and that autorun is disabled.

You can also attempt to close the malware processes by using Task Manager. To do so, right-click the process you want to stop and choose End task.


If you can't find the running processes in Task Manager, inspect the common AutoStart entry points (the Run and RunOnce registry keys, the Startup folders, services, scheduled tasks, and the Winlogon Shell and Userinit values) to find where the malware loads from. Be aware, though, that rootkit-enabled malware can hide its processes, files, and registry entries from every tool that runs on the infected system.

If you still can't locate the processes through Task Manager or the AutoStart entry points, run a rootkit scanner to identify the files or processes involved. Malware may also block Folder Options, so you can't switch on the display of hidden files or file extensions; in that case, re-enable Folder Options first (malware usually does this with the NoFolderOptions policy value in the registry).
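The view settings and the Folder Options lock are all registry values, so they can be fixed without the dialog. The following script, added here as an example and not part of the original article, shows file extensions and hidden files, removes the NoFolderOptions lock, and disables AutoRun and AutoPlay; the same autorun setting is the one to apply before reconnecting a backup drive after a reinstall. It assumes an elevated PowerShell prompt on Windows 7 or later; the registry paths are the standard Explorer view settings and Explorer policy values.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# prompt on Windows 7 or later; the paths below are the standard Explorer view
# settings (Advanced key) and Explorer policy values.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name HideFileExt     -Value 0 -Type DWord   # show extensions
Set-ItemProperty -Path $advanced -Name Hidden          -Value 1 -Type DWord   # show hidden files
Set-ItemProperty -Path $advanced -Name ShowSuperHidden -Value 1 -Type DWord   # show protected OS files

foreach ($hive in 'HKCU', 'HKLM') {
    $policy = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

    # NoFolderOptions=1 is how malware hides the Folder Options dialog; drop it.
    Remove-ItemProperty -Path $policy -Name NoFolderOptions -ErrorAction SilentlyContinue

    # NoDriveTypeAutoRun=0xFF disables AutoRun for every drive type
    # (removable, fixed, network, CD-ROM, RAM disk, unknown).
    Set-ItemProperty -Path $policy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

# AutoPlay is the "what do you want to do with this drive" prompt; turn it off too.
$autoplay = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
if (-not (Test-Path $autoplay)) { New-Item -Path $autoplay -Force | Out-Null }
Set-ItemProperty -Path $autoplay -Name DisableAutoplay -Value 1 -Type DWord

# Verify what is now in the registry, then restart Explorer so the view settings apply.
Get-ItemProperty -Path $advanced | Select-Object HideFileExt, Hidden, ShowSuperHidden
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' |
    Select-Object NoFolderOptions, NoDriveTypeAutoRun
Stop-Process -Name explorer -Force   # Windows normally relaunches Explorer on its own
```

If the desktop stays empty after the last line, start explorer.exe from Task Manager (File, Run new task). Run the two Get-ItemProperty lines again a minute later: if the values have flipped back, a watchdog process on the machine is reverting them, and that process is the next thing to hunt in Task Manager.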

Once you have suspicious files, compute their hashes (SHA-256 is what most lookup services key on today; MD5 and SHA-1 are still widely indexed) and search for the hash online, or submit the file itself to an online multi-engine scanner. A hash lookup tells you whether that exact file has already been seen and classified; a file nobody has seen before is not thereby clean, which is why the upload option exists.
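The two steps above, walking the AutoStart entry points and hashing whatever they launch, are tedious by hand. The script below, added here as an example and not taken from the original article, lists the Run and RunOnce keys, Startup folders, services with binaries outside the Windows directory, and scheduled-task actions, resolves each to a file, and records its SHA-256 and Authenticode status so the unsigned or missing ones stand out. It assumes an elevated PowerShell 5.1 or later session on the suspect machine; the output file name on the Desktop is my choice. It only covers the common locations (Sysinternals Autoruns checks many more), and a kernel rootkit can filter what any script on the infected system sees.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# 5.1+ session on the suspect machine. Covers the common AutoStart locations only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Recover the executable from a command line: "C:\a b\x.exe" /arg  or  C:\a\x.exe /arg
function Get-ImagePath([string]$CommandLine) {
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"') -and $cl.IndexOf('"', 1) -gt 0) {
        return $cl.Substring(1, $cl.IndexOf('"', 1) - 1)
    }
    if (Test-Path -LiteralPath $cl -PathType Leaf) { return $cl }   # unquoted path, no arguments
    return ($cl -split ' ')[0]
}

$entries = New-Object System.Collections.Generic.List[object]
function Add-Entry($Source, $Name, $Command) {
    $entries.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = [string]$Command })
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { Add-Entry $key $p.Name $p.Value }   # skip PSPath, PSDrive, ...
    }
}
foreach ($folder in $startupFolders) {
    Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Entry $folder $_.Name $_.FullName }
}
# Services whose binary lives outside %SystemRoot% deserve a second look.
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch [regex]::Escape($env:SystemRoot) } |
    ForEach-Object { Add-Entry 'Service' $_.Name $_.PathName }
# Scheduled tasks with an "execute" action (COM-handler actions have no Execute and are skipped).
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) { Add-Entry "Task $($task.TaskPath)" $task.TaskName "$($a.Execute) $($a.Arguments)" }
    }
}

$report = foreach ($e in $entries) {
    $path = Get-ImagePath $e.Command
    $hash = 'file not found'; $signer = 'n/a'; $signed = $false
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig    = Get-AuthenticodeSignature -LiteralPath $path
        $signed = ($sig.Status -eq 'Valid')
        $signer = if ($signed) { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
    }
    [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Path = $path
                       Signed = $signed; Signer = $signer; SHA256 = $hash }
}

# Unsigned and missing files sort first; the CSV is what you carry to a clean machine for lookups.
$report | Sort-Object Signed, Path | Format-Table Source, Name, Path, Signed, Signer -AutoSize -Wrap
$report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\autostart-report.csv"
```

A valid signature from a well-known vendor is a reasonable reason to skip an entry; an unsigned binary in a user-writable directory (AppData, Temp, ProgramData) with a hash nobody has seen is exactly the kind of file to look up and submit.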

Once you've identified the malicious files, delete them. This can be harder than it sounds: malware often installs several components that watch one another and re-create or re-lock any file you remove, and a DLL that is loaded into a running process cannot be deleted while that process is alive. Unregister such a DLL (regsvr32 /u), remove the registry entry that loads it and reboot, or delete it from a rescue environment where nothing from the infected system is running. Don't try to kill winlogon.exe to free a DLL loaded into it: winlogon is a critical system process, and terminating it crashes or logs off the system instead of releasing the file.

Create a Bootable Rescue CD

If the steps above fail, create a rescue CD (or USB drive) that boots its own copy of Windows and gives you offline access to the infected drive: none of the infected system's code is running, so the malware cannot hide files, block deletion, or fight back. Options for the older versions of Windows include BartPE (Windows XP), VistaPE (Windows Vista), and Windows PE (Windows 7). On current versions, booting from standard Windows installation media and opening a command prompt from Windows Setup gives you the same kind of WinPE environment, and Microsoft Defender Offline performs an antivirus scan from such a boot.

After booting from the rescue media, load the infected system's registry hives and inspect the common AutoStart entry points to find where the malware loads from. Browse to the locations those entries point to and delete the malicious files. (If unsure, obtain the hash and search for it online before deleting anything.)
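From the rescue boot the infected registry is just a set of files, so the Run keys and Winlogon values have to be read by mounting the hives. The script below, added here as an example and not part of the original article, loads the offline SOFTWARE hive and every user's NTUSER.DAT, lists the Run and RunOnce entries and the Winlogon Shell and Userinit values, and hashes the referenced files. It assumes the infected Windows volume shows up as D: under the rescue boot and that PowerShell is available there; reg.exe, which does the loading, is present in every WinPE, so those lines also work unchanged from a plain command prompt.

```powershell
# Added example, not from the original article. Assumptions: the infected Windows
# volume is D: under the rescue boot, and PowerShell is available in the rescue image.

$sys = 'D:'   # assumption: drive letter of the infected volume as seen from WinPE

$hives = @(
    @{ Mount = 'OffSoft'; File = "$sys\Windows\System32\config\SOFTWARE"; Prefix = '' }
)
foreach ($ntuser in Get-ChildItem "$sys\Users\*\NTUSER.DAT" -Force -ErrorAction SilentlyContinue) {
    $name = $ntuser.Directory.Name -replace '[^A-Za-z0-9]', '_'
    $hives += @{ Mount = "OffUser_$name"; File = $ntuser.FullName; Prefix = 'Software\' }
}

# Turn "C:\path\x.exe" /args into D:\path\x.exe so the file can be hashed from here.
function Get-OfflinePath([string]$Command) {
    $c = $Command.Trim()
    $exe = if ($c.StartsWith('"') -and $c.IndexOf('"', 1) -gt 0) { $c.Substring(1, $c.IndexOf('"', 1) - 1) }
           else { ($c -split ' ')[0] }
    return ($exe -replace '^[A-Za-z]:', $sys)
}

$findings = foreach ($h in $hives) {
    reg.exe load "HKLM\$($h.Mount)" $h.File | Out-Null
    try {
        $base = "HKLM:\$($h.Mount)\$($h.Prefix)Microsoft\Windows"
        foreach ($sub in 'CurrentVersion\Run', 'CurrentVersion\RunOnce') {
            $key = "$base\$sub"
            if (-not (Test-Path $key)) { continue }
            foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }            # provider metadata, not entries
                $file = Get-OfflinePath ([string]$p.Value)
                $hash = if (Test-Path -LiteralPath $file -PathType Leaf) {
                            (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
                        } else { 'missing' }
                [pscustomobject]@{ Hive = $h.File; Key = $sub; Entry = $p.Name; Command = $p.Value; SHA256 = $hash }
            }
        }
        # Winlogon Shell and Userinit are classic hijack points. Defaults are
        # explorer.exe and C:\Windows\system32\userinit.exe, (trailing comma included).
        if ($h.Prefix -eq '') {
            $wl = Get-ItemProperty "HKLM:\$($h.Mount)\Microsoft\Windows NT\CurrentVersion\Winlogon"
            foreach ($n in 'Shell', 'Userinit') {
                [pscustomobject]@{ Hive = $h.File; Key = 'Winlogon'; Entry = $n; Command = $wl.$n; SHA256 = '' }
            }
        }
    } finally {
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # release provider handles
        reg.exe unload "HKLM\$($h.Mount)" | Out-Null          # so the hive unloads cleanly
    }
}
$findings | Format-Table -AutoSize -Wrap
```

To remove an entry, run Remove-ItemProperty on the loaded key before the unload (or reg.exe delete from a command prompt), and delete the file from D: only after you have recorded its hash. If reg.exe unload reports that the hive is in use, close the PowerShell session and unload it from a fresh prompt.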

As a Last Resort, Reformat and Reinstall

The final option, and often the best one, is to wipe the hard drive and reinstall the operating system and all programs from known-good installation media (not from a recovery partition on the infected disk, which the malware could have tampered with). Delete all partitions during setup rather than just formatting the Windows partition, so nothing in the boot sector or a hidden partition survives. This gives the most reliable recovery from an infection of the operating system; the rare implants that live in firmware are the exception, and a reinstall alone does not reach them.

After the rebuild, change the password for the computer and for every sensitive online account (banking, social networks, email), and do it from a device you know is clean; assume anything typed on the infected machine was captured. Where the service offers it, also sign out all other sessions and turn on two-factor authentication.

It is generally safe to restore data files you created, but first make sure they aren't harboring an infection themselves (documents with macros and anything executable are the usual carriers). If your backups are on a USB drive, don't plug it into the rebuilt computer until autorun is disabled. Windows 7 and later no longer run autorun.inf from USB drives automatically, but older systems do, and either way a single double-click on an infected file is enough to start the whole process over.

After disabling autorun, plug in the backup drive and scan it with two or more different scanners (the installed antivirus plus an online multi-engine scan of anything doubtful). If all of them give a clean bill of health, move the files back to the restored PC.