Removing Malware – CompTIA A+ 220-1002 – 3.3

Malware infections can be a challenge to remove. In this video, you’ll learn the step-by-step process for removing malware from a Windows computer.

<< Previous Video: Troubleshooting Security Issues Next: Troubleshooting Mobile Apps >>

If strange things are happening on your computer, you may be infected with malware. You’re looking for messages that may be appearing on the screen that describe application failures. It may have security alerts on the screen, and there may be slow performance of the system. It may take a long time to boot the system, and then once the system is running, you may find that applications are running more sluggishly than normal.

One of the things you can do is to research the messages that you’re seeing on your screen to see if they might correlate back to some known malware, and you may want to look at some of the applications that are running on your computer. Things that may say AV Security Suite and show you that they’re performing a scan and protecting your system may actually be malware that is now damaging your system.

If you think a computer is infected, one of the first things you should do is quarantine that system. That means you want to have it a self-contained system that cannot communicate to any other devices on the network. So if you disconnect it from the ethernet network or you disconnect from the wireless network, you know that this system would not be able to communicate to other devices that may also be connected to that same network.

If you do have removable media on this device, such as Flash drives or USB drives connected to the device, you should also remove those from the system to make sure the malware doesn’t infect files on those devices as well. You want to prevent this from spreading to any other devices, so don’t take files from this device and load them up on a separate computer. You also don’t want to try to backup this system for use later. You’ve already got malware infected on this system, and the last thing you want to do is restore that backup and effectively restore malware back to the system.

By default, Windows will create restore points whenever a major event happens on your computer. For example, if you install a new application, a restore point is created prior to the application install. That way, if you run into configuration problems, you can rewind your system back to that earlier date so that you know you have a known good configuration.

The malware knows that you have this particular function, and it is going to not only infect your current configuration, but it’s going to go back in time to infect all of your restore points as well. This means you won’t be able to revert back to a previous restore point, because the malware is already embedded within that restore point as well. You’re going to have to delete all of the restore points you have on this computer, and one of the easiest ways to do that is to disable System Protection entirely. And when you disable System Protection, it also deletes all of your previous restore points.

With those restore points deleted, we can feel comfortable that the user would not be able to go back to a previous restore point and accidentally re-infect their system. Now that we’ve isolated the computer and we’ve made sure those restore points are completely deleted, we can begin the process of remediating the system. And one of the things we can start with is to make sure that we have an antivirus or antimalware software running on this computer, and that we have all of the latest updates not only for the signatures, but for the antimalware engines themselves.

These signatures are updated quite often, so you want to be sure you have the latest signatures before you start any scan on this system. You can set up these signature updates to occur manually, or to occur automatically. Most antimalware and antivirus software will automatically update these signatures periodically. Setting this configuration to Manual is probably not updated given how quickly these signatures are released.

If this device doesn’t currently have antimalware software installed, you’ll want to visit a website where you can download some antimalware software. But if there’s already malware on this computer, it may be preventing you from visiting sites containing antimalware utilities and tools. Instead, you’ll want to download your antimalware software on another computer, and copy it to a removable drive. You can then bring that drive over to the infected device for installation.

You want to be very careful not to take that removable drive back to another computer. The process of connecting the drive to the infected computer could cause the malware to be installed onto the removable storage device. If you plug the drive into another computer, you could accidentally infect that machine with malware.

Microsoft, Symantec, McAfee, and other large antivirus companies make software that can look for this type of malware on your system and remove it. Some companies make antimalware software that are very focused at removing these specific kinds of infestations. For example, Malwarebytes is very good at finding these types of malware and removing it from your system.

There are also many standalone apps that have been specifically designed to remove different types of malware. These are very specific, and sometimes it can be exactly the code you need to remove nasty bits of malware from a system. Even after going through any of these removal processes, you still are never 100% sure that you were able to remove all of the malware. The default for many organizations is to simply delete everything on the computer and restore from a known good backup, and indeed, that is the only way to know if you’re able to remove every bit of malware from a system.

Some malware may prevent your system from booting up into the normal desktop. In those cases, you may want to try booting into Safe Mode, which brings up a bare version of the operating system, and from there, you’re able to run your antivirus or antimalware software. Another option would be to boot from removable media that contains a WinPE, or a Windows Pre-installation Environment.

This is a bare bones version of the Windows operating system that can boot up and get your system to a point that you can then run other applications. For example, you can boot with a CD, a DVD, or USB into a Windows PE, and from there, you can run the Recovery Console, or run antivirus or antimalware software. Many people will build their own customized Windows PE, and one way to do that is to use the Windows Assessment and Deployment Kit, or the Windows ADK.

The malware infection and the subsequent removal of that malware could cause the system to stop booting, so using a WinPE would allow you to start the recovery console, and from there, you can repair the boot sectors. Now that the remediation process is done, we can assume that we’ve removed the malware from the system. At this point, we want to be sure we’re not infected again. So we want to make sure that we have scans scheduled not only to check your system for any malware, but to also make sure that everything in your system is up-to-date with the latest version of software.

If your antimalware software doesn’t have a way to automatically update, you can always use the Windows Task Scheduler to run any type of task, including one that would update those particular files. And of course, you want to check Windows Update and make sure that it’s able to download and update the operating system so that you’re able to patch any known security vulnerabilities.

Before we remove the malware, we disabled System Protection. But now that the malware’s gone, we want to be sure that we’re able to continue to create these restore points on this computer, so you want to go back into System Protection and turn on the System Protection function. From here, you can check to see how much disk space can be used for these restore points, and you can manually force the system to create a restore point so that you have a known good place to start if the user ever needs to go back to a previous configuration.

Although the users themselves can’t be expected to stop every instance of malware getting installed on a system, it can help to inform them of what they would expect if malware was installed, and how to react if they think malware may be embedded on their system. Some one-on-one training would help them understand more about malware and how to react if a malware infestation occurs.

Many organizations will allow you to put posters and signs in areas that are high-visibility, such as a break room or coming off of an elevator, and physical message boards around the office would be a good place to catch people’s eyes. As a quick reminder, you might also want to put messages on the log-in prompt– although, over time, these tend to become more invisible, so it helps to switch those out often. And there should certainly be documentation on your internet that explains more about malware and what you should do if you think malware is on your computer.