Removing Malware – CompTIA A+ 220-1102 – 3.3

Removing malware from a system can be challenging. In this video, you’ll learn about identifying malware symptoms, the quarantine process, managing System Restore, remediating malware, and more.

In this video, we’re going to discuss a series of steps that you could take to remove malware from the system. However, this is not a best practice because you never know if you’ve been able to 100% remove every of malware from a system. The best practice almost universally is to delete everything on a system, and either install from the original installation media, or reinstall from a known good backup.

However, this process can still be important, especially if you don’t have access to a system or you need to recover enough of a system to be able to retrieve files that weren’t previously backed up. And once you’ve retrieved that information from the system, it’s then probably a good idea to delete everything and restore from a known good backup.

The first step in removing malware is recognizing you have malware to begin with. You’ll probably see messages appear on the screen or some aspect of the normal use of your operating system is not working as expected. You might see a message that says an operation did not complete successfully because the file contains a virus or potentially unwanted software. Or it may be that the antivirus software that’s already running on your system has identified malware, and it’s giving you a warning that something has been installed without your knowledge.

But it may not be something as obvious as a message on the screen. It could be that the system is booting very slowly, or when you try to start an application, you have very poor performance. If you do think that you ran a program that installed malware on your system, you may be able to research that executable and see what malware may be contained within that executable file.

The moment you think that this system may be infected with some type of malicious software it’s time to completely quarantine the system from the rest of the network. We don’t want that malware finding its way onto someone else’s system, which creates even more problems for removing this from your network. You should unplug from any physical wired ethernet connections and be sure that you’ve disabled any wireless networks on this computer.

You’ll then want to isolate any removable media. So if you have an external storage drive or you’re using a USB drive, you want to unplug those from your system, set them aside, and make sure nobody uses that media. The goal here is to prevent the spread of this malware onto other systems that may be on your network. At this point, you don’t want to perform backups or transfer files off of your system because all of those files could be infected with this malware.

This third step is not completely obvious, but it does make sense once you understand the reasoning behind it. You want to go into your system protection on your computer and disable the system protection function. Turning this function off will delete any restore points that were previously saved on your computer. That’s because the malware authors are not only infecting your current system, they’re going back into all of your restore points and infecting the restore points as well.

It might seem that you’d be able to use the system restore function to go back in time, put your system back to an earlier configuration, and therefore, remove the malware from your system. But now that this malware is on your system and has most likely infected all of the restore points, we simply need to delete those from your system. Step 4 is the remediate phase where we identify and remove this malware from your computer.

Before we begin the removal process we need to make sure that we’re running with the latest version of our antivirus software, and that we have the latest antivirus signatures. So there may be an update option within your antivirus that will check it to ensure you’re running the latest engine and the latest signatures. Hopefully, your computer has configured for automatic updates of these signatures. If it’s been set to manual, then that’s probably why this system was infected to begin with.

Manual updates would require someone to go into this system multiple times a day to keep it up to date. And that’s something that generally is not practical for most users. This brings us to a bit of a logistics problem because most malware will prevent you from performing updates to the antivirus software because the malware doesn’t want you to remove it from the system. So if you do run into this situation, you may have to download those signatures on another computer, move them to a USB drive, and plug that USB drive into your infected system.

You would obviously then need to quarantine this new USB drive that you use to transfer the files. So now that our antivirus is up to date, we can perform a scan and have the antivirus software remove anything that it happens to find. Ideally, we would use the antivirus that’s built into our operating system or one that we’ve installed from a trusted third party. You may have to use a standalone removal app that specializes in getting rid of this hard to remove malware.

Hopefully, that’s able to recover the system to a point where you can transfer any files that are necessary before completely deleting everything on this system and installing from scratch. If your system is not able to boot into a Windows desktop and give you the option to run those removal tools, then you can run in Safe Mode. This would load a limited version of the operating system that installs just enough software to get running.

Certain drivers and files will not be loaded during the Safe Mode process, and this might be just enough to get your system up and running to allow you to transfer those files out of your Windows operating system. You can also boot your system with a PE, or a pre-installation environment. These commonly boot from a USB drive or DVD-ROM, and they can provide you with a recovery console that you can then use to transfer files off of your system.

This might also be a good tool to use if the malware has corrupted anything relating to the file system, and you need to rebuild some of the boot sectors to be able to get your system back up and running. Now that we’ve removed the malware, let’s check and make sure that this system is automatically configured to keep itself up to date with all of the latest antivirus signatures. With most antivirus software, this feature is built into the software itself.

You don’t need to configure anything in Windows. You simply tell the antivirus software to automatically keep itself up to date. But if you wanted to perform this task manually, you could create a task schedule for this that will go through the process of updating that particular antivirus software. If you’re running Windows, you’ll probably find in your test scheduler some options for Windows Defender cache maintenance, a Defender cleanup, a scheduled scan, and a verification.

You not only want to be sure that your antivirus is updating itself automatically, you want the operating system to update automatically as well. So check your settings for Windows Update and make sure that it’s set to automatically update your operating system. Earlier, we disabled the system restore function so we could delete any previous restore points that may have been infected with malware. Now that we’ve cleaned the system, we can turn this feature back on.

So you want to go back into the system protection settings, turn on the system protection, and make sure that you have plenty of drive space available to store multiple restore points. Now we can shift our focus into educating the end user on how they may be able to avoid this type of problem in the future. We could do this through one on one training, where we step through some of the best practices to prevent someone from installing malware on their computer.

We could also add posters or signs that inform people of some of the best practices for keeping malware off of our systems. We could also post messages on our physical message boards at our workplace, especially if people tend to look at other things that might be on that message board throughout the week. And although the login messages you see may become more invisible after a while, it is a good place to provide people with the latest information of things they could do to protect their system.

And of course, it’s always a good idea to document this entire set of best practices, and make sure that users have some documentation they can use to know what they should do if they think malware is on their system.