When Malware Just Won't Die - Persistent Malware Infections

You might have an advanced persistent threat. Here's how to handle it

Spider crawling in web of light streams
John Lund/Blend Images/Getty Images

Your anti-malware software found a virus on your computer. Maybe it's Locky, WannaCry or some new malware and you don’t know how it got there but it’s there. The AV software says that it has quarantined the threat and remediated your system, but your browser is still getting hijacked and your system is running much slower than usual. What’s going on here?

You may be the unlucky victim of an advanced persistent malware infection: an infection that seems to keep coming back no matter how many times you run your anti-malware solution and seemingly eradicate the threat.

Certain kinds of malware, such as rootkit-based malware, may achieve persistence by evading detection and hiding in areas of your hard drive that might be inaccessible to the operating system, preventing scanners from locating it. 

Let's look at some things you can do to try and remove a persistent malware infection:

If you haven’t already done so, you should probably:

  • En​sure that your anti-malware software has the latest and greatest definitions files
  • Run an anti-malware full system (deep) scan (not a quick scan)
  • Install a Second Opinion Scanner such as Malwarebytes or Hitman Pro and see if it detects any rogue malware that has evaded your primary AV scanner
  • Back up your important data files to backup media (DVD, USB drive, etc) ensuring that the are fully scanned for malware by updated malware software (and your second opinion scanner) during and after transfer.

How to Get Rid of Persistent Malware:

If your malware infection persists even after you’ve updated your antimalware software, performed deep scans, and employed a second opinion scanner, you may have to resort to the following additional steps:

Use an Offline Antimalware Scanner:

Malware scanners running at the operating system level may be blind to some kinds of infections that hide below the OS level in system drivers and in areas of the hard drive where the OS can’t access. Sometimes the only way to detect and remove these types of infections is by running an Offline Antimalware Scanner

If you’re running Microsoft Windows, there is a Microsoft-provided free offline malware scanner tool that you should run to check for and remove malware that may be hiding at a lower level.

Microsoft's Windows Defender Offline

The Windows Defender Offline scanner should be one of the first tools you use to try and eradicate a persistent malware infection. It runs outside of Windows so it may have a better chance of detecting hidden malware that is associated with persistent malware infections.

From another (non-infected) computer, download Windows Defender Offline and follow the instructions for installing it onto a USB flash drive or onto a writable CD/DVD. Insert the disk into your CD/DVD drive or plug the USB Flash Drive into your computer and reboot your system.

Make sure your system is set to allow booting from the USB drive or CD/DVD, or your PC will skip the USB/CD drive and boot as normal. You may need to change the boot order in the system bios (usually accessible by pressing F2 or the “Delete” key on startup of your PC). 

If your screen shows that Windows Defender Offline is running, then follow the instructions on the screen for scanning and removing malware. If Windows boots as normal, then you will have to reboot and ensure that your boot device is set to USB or CD/DVD.

Other Notable Offline Malware Scanner Tools:

Microsoft’s tool is a good first stop, but they are definitely not the only game in town when it comes to offline scanning for deep and persistent malware infections. Here are some other scanners of note that you should consider if you are still having problems:

Norton Power Eraser:  According to Norton: “Eliminates deeply embedded and difficult to remove crimeware that traditional scanning doesn’t always detect.”
Kaspersky Virus Removal Tool:  An offline scanner from Kaspersky targeting difficult to remove infections
HitMan Pro Kickstart:  A bootable version of the Hitman Pro Antimalware software that can be run from a bootable USB drive.

Specializes in removing stubborn infections such as those associated with ransomware.

While you're doing all this, read up on Bitcoin. That's the currency of choice for these hackers and you might as well know more about it.