UGTS Document #74 - Last Modified: 8/29/2015 3:23 PM
Malware Removal

Malware is a broad category of software including anything that is designed to cause harm.  Since the people that write malware intend to cause harm, they also make it as difficult as they can to remove the malware from a computer.  There are ways to forcefully remove malware, but they will be ineffective in the following two cases:
  • Rootkit Infection - if the malware is a rootkit, it can completely hide itself from you and from Windows, and even load in safe mode, so you would never know that it's there.  Rootkits are extremely hard to remove, and it is nearly impossible to be sure that you've removed every part of the infection.
  • Broken Windows - if the infection damages the Windows installation so severely that the computer no longer runs, then the system cannot be repaired from within Windows.
If either of these is the case, then your only option is to back up all the files on the machine, then wipe it completely and reinstall.

If neither of these is the case, then your installation of Windows is probably repairable.  First disconnect the infected machine from the network.  This is necessary to prevent the infection from spreading, and to prevent a remote attacker from controlling your machine and hindering your efforts.  Restart the machine in safe mode (F8).  Safe mode will almost always prevent the malware from being started when the computer starts up.

Next, if you don't already have an anti-malware CD, burn one now with the following programs on it:

Note that all of the above programs are free for personal use, but if you're running a business then MalwareBytes is not free, and MSE can only be used on up to 10 machines in an organization. 

Also note that I advise burning a CD rather than transferring the files to the machine on a USB drive, because you don't want the infected system to infect your USB drive.  If your USB drive has a read-only switch, then it's alright to use it to load the programs above.  And note that we don't download the programs directly onto the machine from the internet, because we've disconnected the machine from the network to contain the infection.

After the computer is in safe mode, load the CD, copy the programs onto the machine and install them.  Then run Autoruns to identify and remove all malicious startup entries.  Also run Process Explorer to review every running process and make sure that nothing malicious is running.  If you find anything malicious, suspend the process rather than terminating it.  Suspension prevents a separate component of the malware from noticing that part of itself has stopped (and thereby prevents the malware from restarting itself).

Next, restart in normal mode (not safe mode) and run System Restore to restore the system to a restore point from before the infection first happened.  After restarting again, the system should be in a clean state with no malware on it.  However, just to be sure, run Process Explorer and Autoruns again.  Also, install one or both of the last two programs and do a full system scan to look for infected files.

Finally, if any software on the machine is now damaged and won't start or operate properly, uninstall and then reinstall that software.  Malware often breaks other programs on your machine on purpose in order to make it harder to remove the malware.
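As an added example (not part of this document, and not a replacement for Autoruns), the following read-only PowerShell script lists the same kind of startup entries you would review during the Autoruns step above and flags the ones that deserve a closer look. The registry keys and Startup folders it reads are the standard Windows locations; the three "suspicious" heuristics (target file missing, target under a Temp or Public folder, target not Authenticode-signed) are this example's own assumptions, and the script changes nothing on the machine.

```powershell
# Added example, not part of the original UGTS document. Lists the common Run and
# RunOnce registry entries plus the Startup folders and flags entries whose target
# is missing, sits in a Temp/Public folder, or is not Authenticode-signed. The
# heuristics are assumptions for triage only; removal is still done by hand in
# Autoruns after you have looked at each entry. Run from an elevated prompt.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)

# Extract the program path from a command line such as  "C:\x\y.exe" /arg
# (an unquoted path that itself contains spaces is a limitation of this split).
function Get-ExePath([string]$cmd) {
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split ' ')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -like '*.lnk') {   # Startup folder items are usually shortcuts; resolve them
        $exe = (New-Object -ComObject WScript.Shell).CreateShortcut($exe).TargetPath
    }
    return $exe
}

function Test-Entry([string]$source, [string]$name, [string]$cmd) {
    $exe   = Get-ExePath $cmd
    $flags = @()
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { $flags += 'file-missing' }
    else {
        if ($exe -match '\\(Temp|Users\\Public)\\') { $flags += 'unusual-location' }
        if ((Get-AuthenticodeSignature -LiteralPath $exe).Status -ne 'Valid') { $flags += 'unsigned' }
    }
    [pscustomobject]@{ Source = $source; Name = $name; Command = $cmd; Flags = ($flags -join ',') }
}

$entries = @()
foreach ($key in ($runKeys | Where-Object { Test-Path $_ })) {
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $entries += Test-Entry $key $p.Name ([string]$p.Value) }
    }
}
foreach ($dir in ($startupDirs | Where-Object { Test-Path $_ })) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -File) { $entries += Test-Entry $dir $f.Name $f.FullName }
}
$entries | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Entries with an empty Flags column are not proven clean (a signed binary can still be abused), and a flagged entry is not proven malicious; the list only tells you where to look first in Autoruns and Process Explorer.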