Best Practices for Malware Removal – CompTIA A+ 220-802: 4.7

Malware has become a common occurrence on our home and business computers. In this video, you’ll learn the best approaches for identifying and eradicating malware from our PCs.

<< Previous Video: Tools for Security TroubleshootingNext: Troubleshooting Laptop Issues >>


If your computer is infected with malware, you may see a number of things happening on your system. One is some odd error messages. You might get application failures. You might get this Windows security alert that an application cannot be executed because Word Pad is infected. Do you want to activate your antivirus software now?

Sometimes these messages are legitimate, and sometimes they’re not. Sometimes it looks like in antivirus software is running on your computer, like the AV Security Suite, but in reality this is a piece of malware. Sometimes you can pick out little problems like this one that says, “Update your malware database now to be sure that maximal protection is applied.”

Maybe you’re seeing system performance problems as well. Maybe applications are taking a long time to start up now. Maybe when you boot your computer, it takes a very long time to finally get to the desktop. And that might indicate that a piece of malware is on your computer.

Once you suspect there’s malware, you need to quarantine the system from infecting anyone else. So the first thing you should do is unplug it from the network. If the malware can’t communicate out, then it can’t infect anyone else on the network.

You also want to make sure that you quarantine any removable media. That’s a very easy way for a computer system to send that malware somewhere else. Because that removable media is so portable. We can grab a flash drive, plug it into another computer, and now that computer is infected. So make sure that you quarantine any flash drives, any removable hard drives, any USB drives, so that you’re completely sure that all of this malware is in one place.

You also want to prevent this malware from spreading. So you don’t want to do a full system backup that later on you might end up restoring onto your computer. It’s too late for that. The best you could think of doing is perhaps backing up certain documents that are going to be very important, because the malware has to be an executable. Malware generally doesn’t store itself inside of documents.

One thing you can also do is change the way your computer auto-plays media. If you plug-in a CD-ROM or if you plug-in a USB drive, you might want to tell your system exactly what to do with that. And turning off this auto-play function may allow you to protect yourself a little bit more. Because the malware might want to automatically play when you plug-in that USB drive. And by disabling this, you can prevent that executable from running.

In the past, we’ve talked about using this System Restore function in Windows to rewind your system back to a previous configuration. If you’ve made changes to your system and you’re having problems, that’s a good way to move back and revert to a previous config. But the bad guys know that you’re going to use this to ever move back to a previous config if you run into a problem, so they’re also going to in fact all of your restore points. So one of the things that you’re going to want to do before you get rid of the malware is to disable any of this system protection. You want to now remove all of that. Turn it off completely. Delete all of your system protection restore points. Because they’re all going to be infected at this point. If there’s any remaining on your system, make sure you click that Delete button and get rid of anything that might be there. That way, you can be assured that later on, when you turn this back on, there won’t be any of those old configurations that may be infected that might cause a problem after you’ve cleaned everything on the computer.

The primary method that antivirus software uses to find this malware is a set of signatures that it downloads and has available on your computer. Without these signatures, it can’t find the malware. So it’s important to always have the latest version of anti-virus and anti-malware signatures on your computer.

These are constantly being updated. There are lots of malware changes in a single day. You may see thousands and thousands of new signatures in a single day. So one of the things you want to be sure is that it’s constantly updating. There’s a very small shelf life for these.

You can set these updates to be automatic. That’s generally the default for antivirus software. You could also configure it to be a manual process as well, but you really need to think about that, because you now have to remember to perform that download for the viruses. And after a day, the viruses are now out of date. So you want to be very careful about setting this to manual, because it may be very, very difficult to keep your system updated with all of the latest signatures.

If you’re trying to update these signatures once you’re infected, you might find that you’re not able to do so. The malware knows that you’re going to try to do this, and it will limit your access to the websites that can help you download these updates. So you may have to go to a completely separate machine that’s not infected, download the latest signatures, and then move them over to the machine that’s infected.

At this point, it’s time to clean the malware or the virus off of your system. There are a number of companies they can help with this. A lot of the large companies that do anti-virus and anti-malware certainly have applications that can help.

There are some companies that focus solely on malware. You may be able to run their specific applications and do a little bit better job at removing some of the more advanced malware that you might run into. Some companies will make standalone applications, especially if it is a very popular piece of malware. They’ve made an app that simply is designed to remove that one piece of malware.

And ultimately, you’re never going to be quite certain that you’ve removed that malware from a system. So you may just want to delete everything on the drive, restore from a backup. That may be the only way you can be absolutely sure that you’ve removed every piece of malware on that computer.

When you’re trying to remove this malware, it may be embedded into part of the operating system that’s currently running, and therefore you can’t modify it. So it may be useful to start up your computer in something like safe mode, which is only going to load a portion of the operating system– just enough to get running, but not enough that it limits our access to remove some of these files.

You might also want to consider using a specialized boot environment that won’t load the operating system at all. There are pre-installation environments. A very popular one is the Bart recovery pre-installation environment. There are a lot of great utilities on the bar PE they can help you not only boot into that PE environment, but also help clean off some of the problems you might run into. These pre-installation environments also allow you to modify the Master Boot Record or rebuild the boot sector on your system, which some of these viruses and pieces of malware tend to destroy. So this may also be a very good way to update those as well.

Now that you’ve cleaned the virus or the malware from your computer, and you feel relatively comfortable that you’ve gotten rid of all of it, now it’s time to turn back on your system protection and have it start building restore points again. That way, if there is a problem with an application configuration and the user wants to go back to a previous version, they can do that. And of course, now that is turned back on, it will create a restore point every day and every time that an application is installed.

You need to make sure, of course, that your user community is always up to date on some of the security threats. You can use signs and messages to let people know what’s going on. Sometimes email messages will be able to inform a large number of people at one time. Email, of course, is not something that a lot of people spend time reading. So it may not be the best way to communicate with your end users.

Sometimes a physical message board– when people see, when they walk off the elevator, there’s nothing but this message board in front of them, that’s a great way to get people’s eyeballs focused on information that might be important to them. Sometimes a login message can get information to your users very easily. But you want to make sure that you update it often. If they see the same thing day after day when they log in, it tends to become invisible, and you don’t actually notice when something changes.

Of course, you should always have information on your intranet. Even if your users aren’t going directly there every day to look at that information, whenever they have a problem, you at least have a place to point them to gain more information about the problem they’re having, and what they can do to solve the issue.