Best Practices for Malware Removal – CompTIA A+ 220-902 – 4.2

A malware infection can be a challenge to completely remove. In this video, you’ll learn a step-by-step list of best practices for removing malware from any system.

Sometimes it’s very obvious that you have a malware infection. There might be strange error messages on your screen. You might get odd security alerts. There might be applications installed that you never put there. Or it may be something subtler, where your system is simply acting a little slow and sluggish. It’s not performing the way you would expect, and you might suspect that something else is running under the surface and causing that performance problem.

If you believe a system has been infected with malware, then you should quarantine it immediately. Disconnect it from the network so it can’t talk to anything else inside your organization. And make sure that any removable media connected to the system stays quarantined as well. You don’t want a USB drive plugged into another computer and spreading the malware to that system.

If you’re successful in quarantining this system, then you’re going to prevent this malware from spreading to other systems. Don’t try to move files from one computer to another because those files may be infected with this particular malware. You want to keep everything on this system and away from all other computers.

In Windows, your next step should be to disable System Restore. Normally if you have a configuration problem, you would use System Restore to go back to an earlier point in time. And it makes sense that if you’re infected with malware or a virus that you would want to go back to a point in time where you didn’t have that particular infestation. Unfortunately, the malware authors know this, and when they infect your system they will also infect all your restore points.

So by disabling system protection, you’re effectively removing all of your previous restore points. By deleting all of these, you’re also deleting any opportunity for the malware to be re-introduced if you happen to restore from one of those restore points in the future. To perform these functions you would launch the System Protection utility, disable system protection for the drive, and then hit the Delete button to delete all restore points for that drive.
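The quarantine and System Restore steps above can be scripted so a technician does them the same way every time. The following PowerShell script is an added example for this page, not something from the original video or from Professor Messer; it assumes the system drive is C:, that it is run from an elevated prompt at the console (it disables every network adapter, so a remote session would cut itself off), and it uses only the built-in `Disable-NetAdapter`, `Disable-ComputerRestore` and `vssadmin` tools. It contains the machine and removes the restore points the malware may have contaminated; it does not remove any malware itself.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): first-response containment for a
# Windows host suspected of being infected. Run locally, from an elevated prompt.
# Assumption: the system drive is C:\ (change $SystemDrive otherwise).
$SystemDrive = 'C:\'

# 1. Quarantine: take every active network adapter offline so the host can no
#    longer reach other machines inside the organization.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Write-Host "Disabling network adapter: $($_.Name)"
    Disable-NetAdapter -Name $_.Name -Confirm:$false
}

# 2. List any removable media so it can be set aside together with the host.
#    (Nothing is cleaned here; the list goes into the incident notes.)
Write-Host 'Removable volumes to keep quarantined with this system:'
Get-Volume | Where-Object DriveType -eq 'Removable' |
    Select-Object DriveLetter, FileSystemLabel, Size | Format-Table -AutoSize

# 3. Record the restore points that exist before they are deleted.
Write-Host 'Restore points present before cleanup:'
Get-ComputerRestorePoint | Select-Object SequenceNumber, CreationTime, Description |
    Format-Table -AutoSize

# 4. Turn System Protection off for the system drive ...
Disable-ComputerRestore -Drive $SystemDrive

# 5. ... and delete every restore point. Restore points are stored in Volume
#    Shadow Copies, so removing the drive's shadow copies removes them all.
$vssVolume = $SystemDrive.TrimEnd('\')      # vssadmin wants "C:" not "C:\"
vssadmin delete shadows /for=$vssVolume /all /quiet

# 6. Verify: no restore points should remain for this drive.
$remaining = @(Get-ComputerRestorePoint)
if ($remaining.Count -eq 0) {
    Write-Host 'OK: all restore points deleted; System Protection is disabled.'
} else {
    Write-Warning "$($remaining.Count) restore point(s) still present; re-check System Protection."
}
```

Keep the output of steps 2 and 3 with the incident record: the list of removable media tells you what else has to stay off other computers, and the pre-deletion restore point list documents exactly what was discarded.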

So now it’s time to remediate your system and remove all of this virus or malware infestation. The first thing you should do is make sure that you have an updated anti-virus application. Both the anti-virus engine and the signatures need to be at the latest versions. You would almost always have this set up for an automatic update.

If you set this up for manual updates, that’s probably why you got infected to begin with, because these signatures are updated all the time. And if you are infected with malware, the malware itself may prevent your anti-virus application from working properly or from reaching the vendor’s update servers. So you may have to download the updated signatures on a different computer, transfer them to this system, and perform the update manually.

To be able to remove this malicious software we’re going to need an anti-virus application from a well-known company. We’ll also want a standalone anti-malware remover, such as Malwarebytes, and others that may be out there. And there might even be standalone applications that you can get from your anti-virus company that will target very specific types of viruses and malware and remove those from your computer.

Even with all of these utilities, of course, you can never be 100% sure that you’ve removed every part of the malicious software. For that reason, it may be a better idea to wipe this system and restore it from a known-good backup. If you are trying to clean the malware from this system instead, you may want to try starting Windows in Safe Mode. Since Safe Mode starts with only a minimal configuration, it may also prevent some of the malware from executing at startup.

You might also want to become very familiar with the Windows boot environment, especially the recovery console and its command prompt, because from there you can make modifications and repairs to the Master Boot Record (MBR) and the volume boot record (VBR) of your storage device.

Now that we feel that we’ve removed the malicious software, it’s time to get your system back up and running again. One of the first things you should do is make sure that your anti-virus software has a schedule to automatically update the signatures. You can usually do this in the anti-virus software itself or you may want to integrate it into the Windows Task scheduler. You’ll also want to make sure your system is configured to automatically install operating system updates as well. This will especially be useful for stopping known security problems and your operating system will remain as safe as possible as long as it’s getting these updates.

Earlier we disabled the System Restore function and deleted all of the restore points. So now that we feel the malicious software is gone, it’s time to re-enable the System Restore capabilities. You might also want to click the button to create a restore point right then, so that you know you can always revert to the current, clean configuration. This would also be a good time to educate your end users so that they are aware of the threats that are out there with this malicious software.
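The post-remediation steps (scheduled signature updates, automatic operating-system updates, re-enabling System Restore, and creating a fresh restore point) can also be scripted. The following PowerShell script is an added example for this page, not code from the original video or from Professor Messer. It assumes the system drive is C:, that Microsoft Defender is the anti-virus in use (the scheduled task calls its `Update-MpSignature` cmdlet; substitute your vendor’s updater otherwise), a 3 AM update time, and that automatic OS updates are set through the standard Windows Update policy registry values (`NoAutoUpdate` and `AUOptions`).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): put a cleaned Windows host back
# into service. Run from an elevated prompt after the scans come back clean.
# Assumptions: system drive C:\, Microsoft Defender as the AV product, 3 AM updates.
$SystemDrive = 'C:\'

# 1. Schedule anti-virus signature updates through Task Scheduler, as a daily
#    task running as SYSTEM, independent of the AV product's own scheduler.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -Command "Update-MpSignature"'
$trigger   = New-ScheduledTaskTrigger -Daily -At 3am
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest
Register-ScheduledTask -TaskName 'AV-SignatureUpdate' -Action $action `
    -Trigger $trigger -Principal $principal -Force | Out-Null
Write-Host 'Scheduled task AV-SignatureUpdate registered (daily, 3 AM).'

# 2. Make sure operating-system updates install automatically.
#    NoAutoUpdate = 0 keeps Automatic Updates enabled;
#    AUOptions    = 4 means "auto download and schedule the install".
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
New-Item -Path $au -Force | Out-Null
Set-ItemProperty -Path $au -Name 'NoAutoUpdate' -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name 'AUOptions'    -Value 4 -Type DWord

# 3. Re-enable System Protection on the system drive and capture a known-good
#    restore point for the freshly cleaned configuration.
Enable-ComputerRestore -Drive $SystemDrive
Checkpoint-Computer -Description 'Post-malware-cleanup baseline' `
    -RestorePointType 'MODIFY_SETTINGS'

# 4. Verify: signatures are current and the new restore point exists.
Get-MpComputerStatus |
    Select-Object AntivirusSignatureVersion, AntivirusSignatureLastUpdated |
    Format-List
Get-ComputerRestorePoint |
    Select-Object SequenceNumber, CreationTime, Description |
    Format-Table -AutoSize
```

One caveat for step 3: `Checkpoint-Computer` will not create a second restore point within 24 hours of the previous one by default, so if a restore point already exists from earlier in the day the cmdlet returns without creating a new one; the verification step at the end shows which restore points are actually present.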

You might want to perform some one-on-one training with your users, or put up posters and signs that people can see as they’re walking down the hallway. You might even want to put something on a message board that’s visible next to the coffee machine or just outside the elevator. You might also want to consider putting up a login message, so that when somebody logs in they see the latest news and get information on how to protect themselves from this malicious software. And of course, you can always post things on the intranet page so that they’re accessible at any time of the day.