OK, computer: How to clean out your PC after malware
- ESET Expert
- Aug 5
- 5 min read

Cleaning your PC post-incident? Here are a few tips and tricks that should make your PC run like a well-oiled machine.
Regular PC users are well aware of the fact that regular maintenance is needed to keep their computers running without hiccups. This usually involves deleting unused apps, clearing temporary file directories and web browser caches, defragmenting for HDD users, and more.
How does this maintenance change following a virus infection or malware? Sophisticated malware can make a mess of a system’s registry, its storage, or even memory, so it’s a good idea to do a checkup post-incident just to stay ahead of any future issues.
What sort of things can malware mess up?
First things first: prevention is perhaps the best way to live a malware-free life. To prevent malware, procuring a strong endpoint security solution is essential. However, some sophisticated threats can slip through and evade detection, even by capable security products.
In a previous blog, we discussed how fileless malware can evade detection by being present strictly within a PC’s memory. At the same time, some of the malware attacks also employ living-off-the-land (LOL) techniques, meaning that they abuse legitimate system processes/programs for their malicious activities. They reconfigure these processes, going as far as to alter the Windows registry in order to maintain persistence, for example.
The ramifications? Even after successful detection and removal, the use of LOL techniques means that malware can leave behind several issues, such as system instability due to changes made to the registry or altered configurations. In addition, there can be cases of data corruption or loss, and maybe even some residual malware, since sometimes threat actors like to leave themselves backdoors into systems for future attacks.
Deep cleaning
“You might be asking: ‘Shouldn’t my security software be able to take care of all traces of malware?’ The answer is, ‘Yes — in an ideal world.’ Unfortunately, an ideal world doesn’t have malware, so in the real world, security software cannot guarantee complete system stability following malicious behavior,” commented Bruce P. Burrell, ESET Research Fellow.
Did you know? Digging into the past of viruses
In the past, some viruses were overwriters – their code was written on top of what was there originally. That means that at least a part of the original content was zapped, with the virus making no attempt to preserve what was overwritten. So, the only way to get back to normal was to restore backups of the originals. And then there were the "data diddlers," which changed parts of the host – more or less at random. What was modified was not part of the malware's code itself – just other parts that were not needed for the malware to be able to operate.
Unlike ESET Ransomware Remediation’s automatic backup feature (to protect and restore files in case of a ransomware attack), manual restoration is necessary here, since security products will hardly be able to repair corrupted system files or damaged drivers.
There are a few ways to do this. Let’s focus on Windows in particular, as it is the most common PC OS in use:
System Restore – By creating a system restore point (a backup, basically), you can go back to a system state before malware infestation. However, the restore point should exist prior to the infestation and remain uncompromised during one.
Refresh – This option reinstalls Windows while keeping personal files intact. It removes apps and settings but preserves everything else. Technically, it should also preserve malicious files unless they are detected beforehand, so keep that in mind.
Startup Repair – This tool is very useful when one wants to repair a particular problem with their system. It scans the computer for issues and tries to fix them before the next startup. Per Microsoft, this tool is especially useful if a PC is missing or has damaged system files, corrupted boot configuration data, or other issues.
Reset – This restores Windows to its original state. Mind you, it also deletes everything off of the computer, so unless you offload some important files to an external drive, this should be your last-ditch scenario.
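The System Restore caveat above (the restore point must predate the infection) is easy to check from a shell. The following script is an added example, not part of the ESET article: it lists the restore points on the machine and separates those created before a suspected infection date from those created after it. It assumes Windows PowerShell 5.1 (where Get-ComputerRestorePoint is available) and an elevated prompt; the default infection date of seven days ago is a constructed placeholder to replace with your own estimate.

```powershell
# Added example (not from the ESET article): find restore points that predate a suspected
# infection. Assumes Windows PowerShell 5.1 on Windows, run as Administrator.
#Requires -RunAsAdministrator
param(
    # Constructed placeholder: earliest time you believe the machine was compromised.
    [datetime]$SuspectedInfection = (Get-Date).AddDays(-7)
)

# Get-ComputerRestorePoint returns WMI objects whose CreationTime is a DMTF string,
# so convert it to a real DateTime before comparing.
$points = Get-ComputerRestorePoint | ForEach-Object {
    [pscustomobject]@{
        Sequence    = $_.SequenceNumber
        Created     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
        Description = $_.Description
        Type        = $_.RestorePointType
    }
} | Sort-Object Created

if (-not $points) {
    Write-Warning 'No restore points exist on this system; System Restore cannot help here.'
    exit 1
}

Write-Host 'All restore points:'
$points | Format-Table -AutoSize | Out-Host

# Only points created before the infection are safe candidates; later ones may carry
# the malware's registry and file changes with them.
$safe = $points | Where-Object { $_.Created -lt $SuspectedInfection }
if ($safe) {
    Write-Host "Restore points created before $SuspectedInfection (candidates):"
    $safe | Format-Table -AutoSize | Out-Host
    Write-Host 'To roll back to one of them: Restore-Computer -RestorePoint <Sequence>'
} else {
    Write-Warning 'Every restore point postdates the suspected infection; restoring to one may bring the malware back.'
}
```

Restore-Computer is not invoked automatically on purpose: rolling back is a decision the operator should make after reviewing the list, since a restore point created while the malware was active reinstates whatever it changed.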
For more advanced users, a good idea would be to also use the Windows Terminal command prompt and type the following commands in administrator mode:
Run the System File Checker – By typing in sfc /scannow into the Terminal and pressing enter, it should perform a system check and repair any broken or missing registry items.
Run CHKDSK – Type chkdsk c: (replace “c:” with the desired drive’s name), press enter, and the system should check for errors in the file system, but it won’t repair them automatically.
For that, you need to run chkdsk c: /f (again substituting your drive letter), which fixes disk errors. There’s also chkdsk c: /r, which builds on top of /f by also repairing faulty sectors on your drive. Be warned, though: Before running /r, do a full backup. Since /r checks for bad drive sectors, any files that are present on those can get lost during the process.
It is probably worth noting that both SFC and CHKDSK may take some time to run, especially CHKDSK with the /f and /r flags. However, they shouldn’t disturb normal computer use, though it would be wise to run them uninterrupted just to stay safe.
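To show how the SFC and CHKDSK steps above fit together, here is an added example script (not code from the ESET article). It runs sfc /scannow, then a read-only CHKDSK pass, and only performs the repairing /f or /r runs when asked to, refusing /r unless the operator asserts that a backup exists. It assumes an elevated Windows PowerShell prompt; the -Drive, -Repair, -SurfaceScan and -BackupDone parameters are this script's own.

```powershell
# Added example (not from the ESET article): SFC followed by CHKDSK, read-only first.
# Assumes an elevated Windows PowerShell prompt.
#Requires -RunAsAdministrator
param(
    [string]$Drive = 'C:',   # volume to check
    [switch]$Repair,         # chkdsk /f: fix file system errors
    [switch]$SurfaceScan,    # chkdsk /r: also locate bad sectors (data on them may be lost)
    [switch]$BackupDone      # operator's own attestation that a full backup exists
)

Write-Host '== System File Checker =='
& sfc.exe /scannow | Out-Host
if ($LASTEXITCODE -ne 0) {
    # sfc writes its detailed results to the CBS log.
    Write-Warning "sfc exited with code $LASTEXITCODE; review $env:windir\Logs\CBS\CBS.log"
}

Write-Host "== CHKDSK read-only scan of $Drive =="
& chkdsk.exe $Drive | Out-Host
# Documented chkdsk exit codes: 0 = no errors found, 1 = errors found and fixed,
# 2 = cleanup performed or skipped because /f was absent, 3 = could not check / not fixed.
$scanCode = $LASTEXITCODE
if ($scanCode -eq 0) {
    Write-Host "No file system errors reported on $Drive."
} else {
    Write-Warning "chkdsk exit code $scanCode on $Drive; a repair run (/f) may be needed."
}

if ($Repair -or $SurfaceScan) {
    if ($SurfaceScan -and -not $BackupDone) {
        Write-Error 'Refusing to run chkdsk /r without -BackupDone: files on bad sectors can be lost.'
        exit 1
    }
    $chkArgs = @($Drive, '/f')
    if ($SurfaceScan) { $chkArgs += '/r' }   # /r implies /f; both listed for clarity
    Write-Host "== chkdsk $($chkArgs -join ' ') =="
    # The system volume cannot be locked while Windows is running, so chkdsk asks
    # whether to schedule the check for the next restart; the piped 'Y' answers yes.
    'Y' | & chkdsk.exe @chkArgs | Out-Host
    Write-Host "chkdsk exit code: $LASTEXITCODE (the check may run at the next reboot)"
}
```

Running the read-only pass first costs little and tells you whether a repair run is warranted at all; the /r gate is deliberate because, as the article notes, a surface scan can discard data sitting on sectors it marks bad.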
Alternatively, use the Deployment Image Servicing and Management (DISM) tool. Compared to SFC and CHKDSK, it is a bit more powerful and is the one to use when experiencing frequent errors or system crashes. It helps with cleaning up system files, system images (a snapshot of an entire system at a specific point in time), or setup. Before using it, though, perform a full backup, as DISM can make major system changes.
Between DISM, CHKDSK, and SFC, the reader should investigate thoroughly which option would work the best for them, depending on the issue they are experiencing.
Corruption DISMissed
There are three main uses of DISM that can be of help for remediation. Let’s start from the simplest to the most involved one:
CheckHealth – This one detects whether there is any corruption inside the system image without repairing it. For this one, type DISM /Online /Cleanup-Image /CheckHealth into Terminal.
ScanHealth – A step above is ScanHealth, which tries to determine any problems present within the system image. Type DISM /Online /Cleanup-Image /ScanHealth into Terminal.
RestoreHealth – This option both scans and repairs any issues present within the system image. Type DISM /Online /Cleanup-Image /RestoreHealth into Terminal. This command connects to the Windows Update service to replace problematic files, so it might take longer to finish, but the time it takes is probably well worth it. There’d be a lot more hair-pulling if malware residuals were floating around.
This all requires an online connection, though. There’s a fourth option (install.wim), which can source the required data from another device/storage, but you need to have a matching OS image to the one on your PC.
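The three DISM steps above, plus the offline install.wim option, are naturally run as an escalation: the cheap check first, the slower ones only when the previous step reports a problem. The script below is an added example, not part of the ESET article or Microsoft's tooling, that does exactly that and reads DISM's exit code and output to decide what happened. It assumes an elevated Windows PowerShell prompt; the -InstallWim and -WimIndex parameters are this script's own, and the install.wim path they point to must come from media matching the running OS edition and build.

```powershell
# Added example (not from the ESET article): escalate CheckHealth -> ScanHealth -> RestoreHealth,
# optionally repairing from a local install.wim instead of Windows Update.
# Assumes an elevated Windows PowerShell prompt on Windows 10/11.
#Requires -RunAsAdministrator
param(
    # Optional offline source, e.g. 'D:\sources\install.wim' from matching install media.
    # Leave empty to let RestoreHealth fetch files from Windows Update.
    [string]$InstallWim = '',
    [int]$WimIndex = 1        # image index inside the WIM (edition); 1 is a common default
)

function Invoke-Dism {
    param([string[]]$Arguments)
    Write-Host ">> dism.exe $($Arguments -join ' ')"
    $text = & dism.exe @Arguments 2>&1 | Out-String
    Write-Host $text
    # $LASTEXITCODE still holds dism's exit code after the pipeline completes.
    return [pscustomobject]@{ ExitCode = $LASTEXITCODE; Output = $text }
}

$healthy = 'No component store corruption detected'

$check = Invoke-Dism @('/Online', '/Cleanup-Image', '/CheckHealth')
if ($check.Output -match $healthy) {
    Write-Host 'CheckHealth: component store is healthy; nothing to repair.'
    exit 0
}

$scan = Invoke-Dism @('/Online', '/Cleanup-Image', '/ScanHealth')
if ($scan.Output -match $healthy) {
    Write-Host 'ScanHealth: no corruption found after a full scan; nothing to repair.'
    exit 0
}

# Corruption was reported (or the tool could not decide), so attempt the repair.
$restoreArgs = @('/Online', '/Cleanup-Image', '/RestoreHealth')
if ($InstallWim) {
    if (-not (Test-Path -LiteralPath $InstallWim)) {
        Write-Error "install.wim not found at $InstallWim"
        exit 1
    }
    # /Source:WIM:<path>:<index> points DISM at the local image; /LimitAccess stops it
    # from contacting Windows Update, which is what makes the repair work offline.
    $restoreArgs += "/Source:WIM:${InstallWim}:${WimIndex}"
    $restoreArgs += '/LimitAccess'
}
$restore = Invoke-Dism $restoreArgs

switch ($restore.ExitCode) {
    0    { Write-Host 'RestoreHealth completed; run sfc /scannow next to repair protected system files.' }
    3010 { Write-Host 'RestoreHealth completed but a reboot is required (exit code 3010).' }
    default {
        Write-Warning "RestoreHealth failed with exit code $($restore.ExitCode); see $env:windir\Logs\DISM\dism.log"
    }
}
```

RestoreHealth repairs the component store that SFC draws its replacement files from, which is why Microsoft's own guidance is to run DISM before re-running sfc /scannow when SFC reports files it could not fix.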
For Windows 11 computers, Microsoft has an official page that offers visitors a way to download the system. It is always safer to use the official sources for these things. So, if you own a license key, you can follow the guidance on the page and remediate your OS.
Are we done here?
Barring reinstalling your OS completely (a rather lengthy process), these should be the most doable steps for anyone to solve their PC’s stability issues post-infection.
For further optimization, we recommend reading Aryeh Goretsky’s blogs on reinstalling security software to keep it working in top condition and recoveries and backups.