When Malware Doesn’t Die – Persistent Malware Infections

Your anti-malware software found a virus on your computer. Maybe it’s Locky, WannaCry, or some new malware and you don’t know how it got there, but it’s there. Your AV software says it has quarantined the threat and repaired your system, but your browser is still being hijacked and your system is running much slower than usual. What’s going on here?

You may be the unlucky victim of an advanced and persistent malware infection: an infection that seems to recur no matter how many times you run your anti-malware solution, seemingly eradicating the threat.

Some types of malware, such as rootkit-based malware, can persist by evading detection and hiding in areas of your hard drive that may be inaccessible to the operating system, preventing scanners from locating them.

Things you can do to try to remove a persistent malware infection

If you haven’t already, you probably should:

  • Make sure your anti-malware software has the latest and greatest definition files
  • Run a full system (deep) anti-malware scan (not a quick scan)
  • Install a second-opinion scanner like Malwarebytes or Hitman Pro and see if it detects any malware that may have evaded your primary AV scanner
  • Back up your important data files to backup media (DVD, USB drive, etc.), making sure your updated anti-malware software (and your second-opinion scanner) fully scans them for malware during and after the transfer

How to get rid of persistent malware

If your malware infection persists even after you’ve updated your antimalware software, performed deep scans, and used a second-opinion scanner, you may need to take the following additional steps.

Use an offline antimalware scanner

Malware scanners that run at the operating system level may be blind to some types of infections that hide below the operating system level, in system drivers and in areas of the hard drive that the operating system cannot access. Sometimes the only way to detect and remove these types of infections is by running an anti-malware scanner offline.

If you are running Microsoft Windows, there is a free offline malware scanning tool provided by Microsoft that you should run to find and remove malware that may be hidden below the operating system level.

Windows Defender Offline

Windows Defender Offline Scanner should be one of the first tools used when trying to eradicate a persistent malware infection. It runs outside of Windows, so it may have a better chance of detecting hidden malware associated with persistent malware infections.

From another (non-infected) computer, download Windows Defender Offline and follow the instructions to install it to a USB flash drive or recordable CD/DVD. Insert the disk into your CD/DVD drive or connect the USB flash drive to your computer and reboot the system.

Make sure your system is set to allow booting from the USB drive or CD/DVD, or your PC will bypass the USB/CD drive and boot normally. You may have to change the boot order in the system BIOS (which you can normally access by pressing F2 or the “Delete” key when starting your PC).

If the screen shows that Windows Defender Offline is running, follow the instructions on the screen to scan for and remove the malware. If Windows boots normally, you’ll need to reboot and make sure your boot device is set to USB or CD/DVD.
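The checklist earlier on this page (update definitions, run a full scan, look for the threat coming back) and the Windows Defender Offline step can be driven from PowerShell on Windows 10/11 using the Defender module that ships with Windows. The script below is an added example and is not code from the original article or from Microsoft; the `$MaxSignatureAgeDays` threshold is a locally chosen assumption. It uses real cmdlets (`Update-MpSignature`, `Get-MpComputerStatus`, `Start-MpScan`, `Get-MpThreatDetection`, `Start-MpWDOScan`) and treats a failed signature update, disabled protection, or a threat that keeps being re-detected as the signals that an offline scan is warranted.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Uses the Defender PowerShell
# module that ships with Windows 10/11. $MaxSignatureAgeDays is a locally chosen
# threshold (assumption), not a value from the article.
$MaxSignatureAgeDays = 2

# Step 1: refresh definitions, then check that the update really landed. A machine
# whose signature updates silently fail is a classic sign that malware is
# interfering with the scanner.
try {
    Update-MpSignature -ErrorAction Stop
} catch {
    Write-Warning "Signature update failed: $($_.Exception.Message)"
}
$status = Get-MpComputerStatus
$sigAgeDays = ((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays
if ($sigAgeDays -gt $MaxSignatureAgeDays) {
    Write-Warning ("Signatures are {0:N1} days old; treat this as suspicious." -f $sigAgeDays)
}
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    Write-Warning "Defender antivirus or real-time protection is turned off."
}

# Step 2: a full (deep) scan rather than a quick scan. Expect this to take a while.
Start-MpScan -ScanType FullScan

# Step 3: look at the detection history. The same ThreatID showing up repeatedly
# after a "successful" cleanup is the pattern the article describes.
$detections = Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending
$detections |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Format-Table -AutoSize
$repeats = @($detections | Group-Object -Property ThreatID | Where-Object { $_.Count -gt 1 })
if ($repeats.Count -gt 0) {
    Write-Warning ("{0} threat(s) have been detected more than once; an offline scan is warranted." -f $repeats.Count)
}

# Step 4: Start-MpWDOScan reboots into Windows Defender Offline, which scans before
# Windows loads. Save your work first; the restart is immediate. Because this is
# launched from inside the possibly infected OS, it is a convenience, not a
# substitute for booting media created on a clean machine as the article describes.
if ($repeats.Count -gt 0) {
    Start-MpWDOScan
}
```

Run it from an elevated PowerShell prompt. The repeat check relies on Defender’s own detection history, so a threat that was quarantined and then detected again shows up as a repeat; if the history is empty on a machine you know is misbehaving, or the signature update keeps failing, that absence is itself a reason to go straight to the bootable-media route described above.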

Other important offline malware scanning tools

Microsoft’s tool is a good first stop, but it’s definitely not the only game in town when it comes to scanning offline for deep and persistent malware infections. Some other scanners to consider if you’re still having trouble:

  • Norton Power Eraser: According to Norton: “Removes deeply embedded, hard-to-remove crimeware that traditional scanning doesn’t always detect.”
  • Kaspersky Virus Removal Tool: An offline scanner from Kaspersky that targets hard-to-remove infections.
  • Hitman Pro Kickstart: A bootable version of the Hitman Pro anti-malware software that can be run from a bootable USB drive. It specializes in removing difficult infections like those associated with ransomware.

TechnoAdmin