Removing malicious software from your device

If our chatbot has diagnosed you with a malicious software (Malware) infection then pick the section below that matches your device and follow the steps. If you haven’t used the chatbot yet, we advise you to describe your issue to the chatbot and get an expert opinion on the problem. However, common signs of a malware infection include slow performance, the device not starting properly, remote use of your device, changes to where adverts are displayed, your homepage being redirected and lots of pop-ups carrying warnings.

Before you start the process listed below it is important to think about your level of IT knowledge. If you are not a confident IT user then we strongly advise you seek expert help in finding and removing the malware. There is a risk of losing your data or harming your device if the steps below are not followed directly.

We want to better understand the impact of you experiencing this issue, can you share your experience by filling in this online form? This will help us better protect future victims.

Malware infection - Do this first!

  • Disconnect your device from all other devices and the internet to stop the infection spreading any further. This will also stop the malicious software communicating with the cyber criminals and stop their access. Unplug all other devices such as external hard drives and USBs. Disconnect from the wireless or wired internet connection until you are ready to clean the device.

  • Be careful what you type - Many types of malware have a keylogger (a piece of software that copies what you type and sends it to the cyber criminals). Don’t log in to any of your online accounts.

  • Protect payment details - If you were tricked into buying what you thought was a legitimate malware scanner or clean up tool (but really got a malware infection) then call your bank and let them know ASAP. It is important to have the card cancelled before the cyber criminals try to use it.

Removing malware from a Windows device

  1. Remove any unknown Apps - You may be able to remove the malicious software manually. For example if you are infected with Adware - you are experiencing lots of adverts and redirects - then in Windows 10 you can go to the ‘Apps and Features’ section in the start menu. Once there you can review the list of installed software and remove (uninstall) any you don’t recognise.

  2. Enter safe mode - Safe Mode only allows trusted applications to run - the malware is unlikely to work in this mode. Turn it on by turning your computer off and on again. Then, as soon as you see anything on the screen, press the F8 button repeatedly. This brings up the Advanced Boot Options menu. From there, choose ‘Safe Mode with Networking’ and press Enter. For now, keep your PC disconnected from the internet. The approach to turning on Safe Mode can differ by version of Windows (eg. Windows 7, Windows 8 and Windows 10). Search for your version and ‘start in safe mode’ here if the F8 didn’t work.

  3. Delete temporary files - This is optional, but it may be a good time to delete your temporary files. This will make the malware scan faster, free up some disk space and may even remove some of the malware. To use the Disk Cleanup utility included with Windows 10 just type Disk Cleanup in the search bar.

  4. Download a malware scanner - Reconnect to the internet and download a malware scanner - once you have downloaded the scanner and it has updated, disconnect from the Internet again to perform the scan. There are two types of malware scanners and you will want to use both. The first is a real-time scanner that runs continuously and watches for malware on your device. The second is an on-demand scanner where you open the scanner and kick of a scan of your device. Start with an on-demand scan and then try a real-time scan as a follow up. Good quality (and free) on-demand malware scanners include Malwarebytes, Avast, BitDefender Free Edition and Microsoft Defender Advanced Threat Protection. If you are struggling to download the malware scanner on the infected device you can use a different computer to download the scanner onto a USB and then plug it into the infected device (this is actually a more secure option if you have the ability to do this).

  5. Run a malware scan - Once you have downloaded the malware scanner run the set up file and follow the instructions. Once installed open the scanner and start a scan of your device or if your anti-virus has boot-time scan options and it is enabled then reboot/restart your device. The scan may take up to an hour, but will give you some information on progress as it runs. If the scanner finds malware then follow the steps to remove it from the device. If the malware scanner fails to run or disappears when you start the scan and won’t reopen then you may have a Rootkit or deep malware infection. These types of infections change the way your computer operates and it is likely that the best way to recover will be to reinstall the operating system (see below). If the first scan doesn’t find anything then repeat the process with one or two more scanners.

  6. Fix your web browser - Malware infections can damage Windows system files and other settings. One common malware trait is to modify your web browser’s homepage to reinfect the PC, display advertisements and prevent browsing. Before launching your web browser, check your homepage and connection settings. For Internet Explorer right-click the Start button and select Control Panel, then Internet Options. Find the Home Page settings in the General tab, and verify that it’s your usual home page. For other browsers simply go to the settings window of your browser to check. It is also a good idea to clear your browser cache - just go into your browser settings and clear the history.

  7. Recover your files if Windows is corrupt - If you can’t find or remove the malware - or Windows has been damaged and won’t work properly - you may need to wipe the device and reinstall Windows. Before you do this it is a good idea to check you have a good back up of the device - or copy your files and settings onto an external drive. You need to be careful here not to transfer the malware.

  8. Reinstall the operating system - Reinstalling the operating system essentially wipes the device clean and then reinstalls the software as it would have been when you first got it. Use the 'Factory Reset' feature if available or wipe the disk and reinstall the operating system. Use the Microsoft Help site to guide your through this.

  9. Change your passwords - It is worth changing all of your passwords. That means the device password and all online accounts that you may have used on the device or had connected to the device. There is a chance the cyber criminal now has a copy of them.

  10. Consider notifying your bank - It is likely that your card details where on the computer somewhere. It is worth contacting your bank and letting them know that you have been a target of a cyber attack. They may monitor your account more closely or may reissue your cards and change your security details just to be safe.

Removing malware from a Mac

  1. Shut down and restore - If you have a recent Time Machine back-up (or something similar to Time Machine) then close down your Mac and restore from the back-up (we advise restoring MacOS and files option). See the Apple guide on how to do this here. Ensure that the backup is from a time you know to be before the malware infection. Be careful not to have any external devices connected to the Mac while you are restoring. You may want to check external devices with a malware scanner before you plug them back in.

  2. Download a malware scanner and scan the Mac - If you don’t have a backup then you need to download a malware scanner and scan for the malicious software. There are two types of malware scanners and you will want to use both. The first is a real-time scanner that runs continuously and watches for malware on your device. The second is an on-demand scanner where you open the scanner and start a scan of your device. Start with an on-demand scan and then try a real-time scan as a follow up. You can also download malware scanners direct from these websites - Malwarebytes and Avast, or open the Mac App Store and download a malware scanner like Bitdefender. If you can, download the scanner onto a USB using a clean computer and then insert the USB into the infected device to run the scan (this stops you connecting your device to the Internet and enabling the malware activity). Alternatively, you can access the internet on the infected device and then disconnect as soon as you have the scanner downloaded so you can scan offline.

  3. Check browser settings & clear cache - Malware infections can damage system files and other settings. One common malware trait is to modify your web browser’s homepage to reinfect the Mac, display advertisements and prevent browsing. Before launching your web browser, check your homepage and connection settings. Simply go to the settings window of your browser to check your homepage settings. It is also a good idea to clear your browser cache - just go into your browser settings and clear the history.

  4. Empty download folder - Drag everything in your download folder into the trash and then empty your trash.

  5. Recover your files - If you can’t find or remove the malware - or MacOS has been damaged and won’t work properly - you may need to wipe the device and reinstall the operating system. Before you do this it is a good idea to check you have a good backup of the device - or copy your files and settings onto an external drive. You need to be careful here not to transfer the malware.

  6. Reinstall the operating system - Reinstalling the operating system essentially wipes the device clean and then reinstalls the software as it would have been when you first got it. Use this Apple Support guide to help you do this.

  7. Change your passwords - It is worth changing all of your passwords. This means the device password and all online accounts that you may have used on the device or had connected to the device. There is a chance the cyber criminal now has a copy of them.

  8. Consider notifying your bank - It is likely that your card details were on the computer somewhere. It is worth contacting your bank and letting them know that you have been a target of a cyber attack. They may monitor your account more closely or may reissue your cards and change your security details just to be safe.

Removing malware from an android device

If you are running Android you are likely on a mobile phone or tablet. Follow the steps below to remove the malware from the device.

  1. Switch to safe/emergency mode - Put your phone or tablet into Safe mode. This prevents any third-party apps running, including any malware. On many devices you can press the power button to access the power off options, then press and hold Power off to bring up an option to restart in Safe mode. On other phones you hold down volume-down during boot-up to enter Safe mode. If neither of these options work, Google 'How to put [your model name] into Safe mode' and follow the instructions. When in Safe mode you'll see 'Safe mode' at the bottom left of the screen.

  2. Find and remove the app - Now go to settings and click on the ‘Apps’ section. Look for a list of current apps (you may need to select ‘App manager’ for a full list) and locate the malicious app. Open the app info and then select uninstall. This should remove the malicious app. If the uninstall button is greyed out then the app has likely given itself administrator status. You will have to remove this status before you can uninstall. To do this go into your security settings and find a section called something like ‘Device Admin Apps’. Simply untick the app you want to remove and then hit deactivate on the next screen. You should now be able to uninstall the app.

  3. Download an anti-malware app and run a scan - While the malicious app has now been removed it is worth running a malware scan to check. Download an anti-malware app from the app store and run a scan. Try a scanner like Malwarebytes or Avast.

  4. Change your passwords - It is worth changing all of your passwords. This means the device password and all online accounts that you may have used on the device or had connected to the device. There is a chance the cyber criminal now has a copy of them.

  5. Consider notifying your bank - It is likely that your card details were on the computer somewhere. It is worth contacting your bank and letting them know that you have been a target of a cyber attack. They may monitor your account more closely or may reissue your cards and change your security details just to be safe.

Report the crime

If you are in the USA you can report ransomware to the FBI through their IC3 reporting portal here or to CISA here. You only need to notify one authority, and they will notify others.

How to avoid a malware infection in future

  1.  Back-Up – Having a back-up copy of your files can really reduce the impact of malware. Get an external hard drive and do a regular back-up of your device. Make sure you disconnect the external drive after use to make sure it doesn’t get infected too. It is also worth using a cloud service that automatically backs-up your files.

  2. Use a good antivirus solution – This will stop the majority of old versions of ransomware and give you an option to remove quickly if new ransomware gets through.

  3. Do your updates ASAP – When software updates are available do them as quickly as possible. If possible turn on automatic updates. The majority of these updates include security fixes that may stop or limit ransomware.

  4. Trust no one – Be extremely careful about clicking links or opening attachments in your email or any other messaging platform. Legitimate email accounts can be hacked and used to send malicious messages and emails can be designed to look exactly like they are from your bank, shop, account etc. Get Safe Online has a good overview of email security here.

  5. Don’t download apps from outside of official app stores - The safest way to download apps is from the official app store. Apps on the app store are scanned for malware and typically verified by the developers. Disable the option on your device to download outside of the app store.

  6. Check app permissions - Make sure that you are only giving apps the right level of permissions required. Be extremely careful of apps that request admin status.

Donate

To help people like you we rely 100% on donations from people like you.

Without donations we cannot keep our service free and provide help to the most vulnerable victims of cyber crime when they need it most. As a not-for-profit organization, 100% of your donation goes towards keeping The Cyber Helpline up and running - so 100% goes towards helping people like you. Donate now and help us support victims of cyber crime. 

To help people like you we rely 100% on donations from people like you.