Home / Windows 10

Removing Malware from a PC

Sometimes you will need manual file access to a PC to remove malware. This is because the "fix" might come in the form of detailed instructions from a security website (please only use the websites from the well-known security providers such as Symantec and Kaspersky for this). In this case, how do you get that file access without having the malware run automatically? Well, there are various options available to you for this.

Microsoft Defender Offline Scan

Windows 10 includes an offline virus and malware scanner and removal tool. You can access this from the Start Manu by searching for Windows Security (also available by clicking the Shield icon in the Taskbar notification area) and then clicking Virus & threat protection and scrolling down the page to select Microsoft Defender Offline scan. You will be prompted to restart the PC, and then the antimalware scan will be run from within the startup environment, hopefully before any malware has loaded into memory.

Using Safe Mode and Diagnostic Mode

Malware, once it gets its hooks into your PC, can be extremely difficult to remove. It buries itself in the Windows services that are automatically loaded at the PC's startup, or within the OS kernel itself. Malware will commonly run a series of codependent services on the PC. This means that when you shut one down, other malware services will recognize that it's no longer running and automatically restart it. Antimalware software can shut down all the offending services simultaneously, but this requires the malware to be identified by your antivirus software.

Should you need to remove malware manually, it can be extremely tricky but is still possible. Some malware is relatively straightforward to remove and can be done from within Safe Mode or Diagnostic Mode in Windows 10. Safe Mode and Diagnostic Mode (also known as Diagnostic Startup) are similar, but also very different from one another.

Starting Your PC in Safe Mode

You're probably already familiar with Safe Mode. This is a reduced functionality mode in which only essential Windows services, and no third-party services or apps, are loaded. There are various ways to get to Safe Mode in Windows 10. If you restart your PC while holding down the Shift key, the system will restart into the Recovery options menu. Once here, click Troubleshoot, then Advanced options, and then Startup Settings. This will restart the PC and present a version of the legacy Windows boot menu.

There are three Safe Mode options at this menu: Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt. Safe Mode is the default option. This will load the basic, essential Windows services only with a desktop interface and basic graphics, but with all networking features disabled. Choosing this option can be useful when removing malware, as you are isolating the machine, and not allowing the malware to see other PCs or devices on your network or to gain access to the Internet.

Safe Mode with Networking will also boot the minimal Windows services, but will also load the networking drivers, giving the PC both local network and Internet access. You can use this if you do not have another PC on which to download a malware removal tool, and where the download of the tool is blocked by the malware on the regular desktop.

Safe Mode with Command Prompt starts Windows 10 in a Command Prompt-only environment, with no desktop interface. If you are proficient with command-line tools and utilities and prefer to work in this way, it is a good option for troubleshooting and malware removal.

The other way to invoke Safe Mode is through the System Configuration panel. You can best access this by searching for msconfig in the Start Menu. This displays a utility from where, in Windows 7 and earlier, you managed the startup apps on your PC (a process that's since been moved to the Task Manager). It's also from where you can invoke Safe Mode and Diagnostic Startup.

When you activate Safe Mode or Diagnostic Startup using MSConfig, the PC will then always start in that mode, until you open MSConfig again and select the Normal startup option.

Safe Mode can be invoked from the Boot tab. There are various options available to you that mirror those available from the Recovery Environment menu.

  • Safe boot-Minimal will start the PC in the standard Safe Mode, with no networking support.
  • Safe boot-Alternate shell will start the PC with a Command Prompt-only interface.
  • Safe boot-Active Directory repair is an additional option that will also load the Active Directory services, in addition to networking services.
  • Safe boot-Network loads the OS in Safe Mode with networking services also loaded.

Additionally, there are four checkbox options also available:

  • No GUI boot will load the OS without displaying the Windows loading screen. This can be used when you are troubleshooting display problems.
  • Boot log saves a log of what starts and is loaded to the file C:\Windows\Ntblog.txt.
  • Base video forces Safe Mode to use only the standard VGA video drivers that come with Windows. This can be useful for troubleshooting display driver issues.
  • OS boot information can be used in conjunction with the No GUI boot option. It will display a list onscreen of services and Windows components that are loaded and run, as they are invoked. You may be familiar with Safe Mode displaying this information by default in versions up to Windows XP.
Note: You may have noticed a check box to Make all boot settings permanent. This isn't because you're paranoid enough to always want to start your PC in Safe Mode. It's instead because the four checkbox items I detailed, from No GUI boot to OS boot information, can be invoked independently of Safe Mode. Checking the Make all boot settings permanent option will write these to the boot system for your OS.

Starting Your PC in Diagnostic Mode

Diagnostic Mode is different from Safe Mode in that it's not quite as limiting. In Safe Mode, nothing except the base services and drivers are loaded when the OS starts. This leaves you with (possibly) no networking, very limited graphical functionality and, crucially, with some of the Control Panel applets disabled.

You may find this limiting and might, for example, need to access a feature such as the Windows Firewall when manually removing malware from the PC. For this you can use Diagnostic Startup. This is different from Safe Mode in that more is loaded when the PC starts, including the full Control Panel. The startup items include the graphics drivers, so you have a full desktop experience. It will mean, however, that some Windows or third-party services are loaded (your graphics subsystem will likely be a third-party service) that would not be loaded in Safe Mode, and these might be infected.

You can invoke Diagnostic Startup from MSConfig, by choosing its option under the General tab. Again, remember that when you want the PC to return to normal startup, you will need to open MSConfig again, and check the Normal startup option.

Checking Loaded Services in Safe or Diagnostic Mode

Once you have started your PC into Safe or Diagnostic Mode, you can use the MSConfig tool to check which services have been loaded, and which ones are set to load when the PC starts normally from the Services tab.

This can be much better than referring to the main Service panel. In the MSConfig panel, only the services that are set to load at normal startup are included. There is also a helpful Hide all Microsoft services check box, which will change the view to only display third-party services. Note however it may be a Microsoft Service that has become infected.

Using the Registry Editor to Remove Malware

If you have malware on your PC, then it will certainly have embedded itself in the Windows Registry. I will show you how to use the Registry Editor in depth in Chapter 26, but it can be run by searching for regedit in the Start Menu. You can also run the Registry Editor from the Command Prompt when you start the PC into the Recovery Environment, or from a Recovery Drive.

All Registry manipulation should be undertaken with great care, which is why there is an entire chapter to this book devoted to the subject.

Caution: If you can identify all the Registry entries associated with malware and delete them, including startup entries, this will still leave the malware files themselves on the hard disk, with a risk they could become reactivated accidentally.

Using a Portable OS to Manually Remove Malware

While Safe Mode and Diagnostic Modes can be useful and effective ways of removing malware, most malware embeds itself so deeply into the Windows OS that you'd never get rid of it completely if the core Windows kernel files are loaded at all. Under these circumstances, it used to be common for people to remove the hard disk from a PC, plug into a different PC, and remove the virus then while the hard disk was effectively dormant. This method should be used when you have to follow detailed instructions to remove malware manually from a PC.

Note: Booting your PC from a portable OS will not allow access to any disks or partitions that are encrypted with Bitlocker.

This was fine when most PCs were big towers, or laptops with removable hard disks. Nowadays, though, with ultrabooks and tablets that have nonremovable storage, this method simply isn't possible. It can be replicated, though, by booting the PC from a portable OS. This could be a downloadable disk Image (ISO) file of a Linux distro, such as Ubuntu or Mint. You can download a Linux distro on a noninfected PC and burn it to a CD or USB Flash Drive. Starting the infected PC from this will provide file access to the hard disks on the infected machine.