Posey's Tips & Tricks

Malware Removal: 3 Steps To Take

Computer malware has been a big problem for decades, but it seems to be on the upswing lately, and a half-hearted cleanup usually means a second call a week later. In that context, I wanted to share the three steps I take to make sure an infection is actually gone.

In my own organization, an infected machine gets exactly one treatment: I reformat the hard drive and redeploy Windows from an image file. However, I get a lot of phone calls from friends and family with malware infections, and in those situations formatting the hard drive usually isn't an option. Here's the approach I take in those cases.

Step 1: Remove the Hard Disk and Scan It
The first thing that I usually do when faced with such an infection is to remove the machine's hard disk. I have a laptop that I carry for the sole purpose of cleaning viruses. It runs Windows 7 with all of the latest security patches and has several malware removal tools installed. AutoPlay is turned off on it, so nothing on an attached disk can launch on its own. Nothing else is loaded on the laptop because I don't want to risk infecting one of my production machines while trying to help a friend.

Once I have removed the hard drive from the infected machine, I attach it to my laptop using a USB-to-SATA interface. This lets me work on disinfecting the disk without ever booting the infected operating system, so whatever is on it never gets to run. If the disk is encrypted (with BitLocker or a third-party product), this technique won't work unless you can unlock the volume with its recovery key, but thankfully most home users do not encrypt their hard drives.

After I have scanned the infected hard disk with the various tools and removed any malware detected, I reinstall the hard disk into the machine it came from. My experience has been that the technique I just described removes the bulk of an infection, but rarely all of it: an offline scan sees the files on disk, but not the registry entries, services and scheduled tasks that launch them.

That being the case, the next thing that I like to do is to boot the machine into Safe Mode, install some anti-malware tools and rescan the system. Safe Mode loads only the core drivers and services, so most malware that starts with Windows does not get a chance to run, while tools running on the machine itself can inspect the live registry, the autostart locations and the loaded processes. What I have found is that these scans occasionally turn up things that the offline scan missed.
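As an added example (not code from the original column, and not a tool the author describes), the following PowerShell script goes one step beyond running scanners over the attached disk: it loads the offline installation's registry hives into the cleaning laptop's registry and lists the common autostart entries (the Run and RunOnce keys for the machine and every user profile, plus the Winlogon Shell and Userinit values), resolving each command to the file on the attached disk and reporting its Authenticode signer. The drive letter E:, the standard hive locations under E:\Windows\System32\config and E:\Users\*\NTUSER.DAT, and the temporary key name OfflineHive are assumptions; run it in an elevated PowerShell session on the cleaning machine.

```powershell
# Added example, not from the original article: list the autostart entries of a
# Windows installation attached as a second (offline) disk, without booting it.
# Run in an elevated PowerShell (2.0 or later) on the cleaning laptop.
# Assumption: the infected disk is mounted as E:, so its Windows directory is
# E:\Windows and its profiles live under E:\Users. Adjust $OfflineDrive to suit.
$OfflineDrive = 'E:'
$MountKey     = 'OfflineHive'   # temporary key under HKLM the hive is loaded as

# Resolve the executable named by a Run-key command line to the offline disk and
# report whether it exists there and who signed it.
function Describe-Command([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else                                 { $exe = ($Command.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    # Paths in the hive refer to the infected machine's own C:, which is now
    # mounted here as $OfflineDrive. Bare names (resolved via PATH on the
    # infected machine) are reported as-is and will show up as MISSING.
    $offlinePath = $exe -replace '^[A-Za-z]:', $OfflineDrive
    if (-not (Test-Path -LiteralPath $offlinePath)) { return "MISSING  $offlinePath" }
    $sig    = Get-AuthenticodeSignature -FilePath $offlinePath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    return "{0,-10} {1}  [{2}]" -f $sig.Status, $offlinePath, $signer
}

# Load one hive file under HKLM\$MountKey, run $Action, then always unload it.
function Use-OfflineHive([string]$HiveFile, [scriptblock]$Action) {
    if (-not (Test-Path -LiteralPath $HiveFile)) { Write-Warning "no hive at $HiveFile"; return }
    & reg.exe load "HKLM\$MountKey" $HiveFile | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $HiveFile"; return }
    try {
        & $Action
    } finally {
        # Release PowerShell's handles on the key, or reg.exe unload is denied.
        [GC]::Collect(); [GC]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountKey" | Out-Null
    }
}

# Print every value under one autostart key of the currently loaded hive.
function Show-RunKey([string]$SubKey) {
    $path = "HKLM:\$MountKey\$SubKey"
    if (-not (Test-Path -LiteralPath $path)) { return }
    $props = Get-ItemProperty -LiteralPath $path
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own metadata
        "  {0,-24} {1}" -f $p.Name, (Describe-Command $p.Value)
    }
}

# 1. Machine-wide autostarts from the SOFTWARE hive.
"== HKLM (SOFTWARE hive) =="
Use-OfflineHive "$OfflineDrive\Windows\System32\config\SOFTWARE" {
    foreach ($k in 'Microsoft\Windows\CurrentVersion\Run',
                   'Microsoft\Windows\CurrentVersion\RunOnce') {
        "[$k]"; Show-RunKey $k
    }
    # Winlogon Shell/Userinit are classic hijack points. The defaults are
    # "explorer.exe" and "C:\Windows\system32\userinit.exe," (trailing comma).
    $wl = Get-ItemProperty -LiteralPath "HKLM:\$MountKey\Microsoft\Windows NT\CurrentVersion\Winlogon"
    "[Winlogon] Shell    = $($wl.Shell)"
    "[Winlogon] Userinit = $($wl.Userinit)"
}

# 2. Per-user autostarts from each profile's NTUSER.DAT.
foreach ($userDir in (Get-ChildItem "$OfflineDrive\Users" | Where-Object { $_.PSIsContainer })) {
    $ntuser = Join-Path $userDir.FullName 'NTUSER.DAT'
    if (-not (Test-Path -LiteralPath $ntuser)) { continue }
    "== HKCU for $($userDir.Name) =="
    Use-OfflineHive $ntuser {
        foreach ($k in 'Software\Microsoft\Windows\CurrentVersion\Run',
                       'Software\Microsoft\Windows\CurrentVersion\RunOnce') {
            "[$k]"; Show-RunKey $k
        }
    }
}
```

Two caveats when reading the output. Many of Windows' own binaries carry no embedded signature and are signed only through security catalogs, which this check does not consult for a foreign disk, so a NotSigned result for a file under \Windows means "look closer", not "malicious"; an entry whose file is MISSING, or that points into a user's Temp or AppData directory, deserves the same attention. And because the hives are loaded into the cleaning laptop's own registry, unload them before detaching the disk; the finally block above does that even if the inspection throws.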

Step 2: Reset Internet Explorer
Regardless of whether or not any additional infected files are detected, I like to reset Internet Explorer. The majority of the malware that I have encountered in recent years specifically targets Internet Explorer, hijacking the home page, the search providers or the add-ons. Since it is impossible to be sure that every one of those settings has been cleaned, I reset the browser just to be safe.

The technique for resetting Internet Explorer varies depending on which version is being used. For Internet Explorer 9 on Windows 7, you do not have to start the browser at all: open Internet Options from Control Panel (or run inetcpl.cpl), which avoids loading a home page that may itself have been hijacked. If you do open it from the browser, click the red "x" (Stop) icon immediately to keep the default page from loading, then click the Tools button and choose Internet Options. On the Advanced tab, click Reset. In the Reset Internet Explorer Settings dialog, select the Delete Personal Settings check box, then click Reset. This removes the browsing history, search providers (a popular way to redirect users to malicious Web sites), accelerators, tracking protection and ActiveX filtering data, and returns the home page and other settings to their defaults. The Favorites list, however, is preserved. When the reset finishes, click Close, then OK, and restart Internet Explorer for the changes to take effect.

Step 3: Check Add-Ons and Processes
Once Internet Explorer has been reset, I recommend taking a look at the list of add-ons (Tools, Manage Add-ons; set Show to "All add-ons" so that disabled entries are listed too). Because different techniques must be used to reset different versions of Internet Explorer, the add-ons may or may not be affected by the reset. You will often discover that the add-ons have been disabled, but not removed.

It's a good idea to browse the list of add-ons to make sure that anything potentially malicious is removed. Pay attention to the publisher listed for each add-on. Malware authors typically give their add-ons names that mimic legitimate system components in an effort to confuse users and discourage removal. Verifying the publisher, and the file the add-on loads from, is a good way to tell whether or not an add-on is legitimate; a familiar name with a blank publisher or a DLL in a user's Temp or AppData folder is a red flag.

The last thing to do after cleaning an infected system is to reboot it and then open the Task Manager to look at what processes are running. I perform a Google search for the file names of any processes that I do not recognize so that I can determine whether or not each process is legitimate. Check the path as well as the name: malware routinely borrows names such as svchost.exe, and a legitimate name proves nothing if the file is running from the wrong directory.

If I do find a process that is linked to malware, but my antimalware tools are unable to detect it, then I manually remove the process by delving into the registry. However, this is an advanced technique that is better suited for a separate discussion.
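The add-on and process review in Step 3 can be done more systematically than by eyeballing Task Manager. The following PowerShell script is an added example, not code from the original column: it enumerates Internet Explorer's Browser Helper Objects from the registry, resolves each CLSID to the DLL it loads, lists every running process with its on-disk path, and records the Authenticode signer of each file, flagging anything that is unsigned, has no resolvable path, or runs from a user-writable location such as Temp or AppData. The list of "suspect" directories and the flagging rules are my assumptions; run it in an elevated session on the rebooted machine so that every process path is readable.

```powershell
# Added example, not from the original article: list IE Browser Helper Objects
# and running processes with their file path and Authenticode signer, and flag
# the ones worth a closer look. Run in an elevated PowerShell (2.0 or later).

# Directories from which legitimate software rarely starts; a hit here is a
# reason to investigate, not proof of malware. (Assumed list.)
$SuspectRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:SystemDrive\Users\Public")

# Return the signer subject for a validly signed file, or a reason it is not.
function Get-SignerInfo([string]$Path) {
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) {
        return '(path unavailable)'
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return $sig.SignerCertificate.Subject }
    return "NOT VALID ($($sig.Status))"
}

function Test-SuspectLocation([string]$Path) {
    foreach ($root in $SuspectRoots) {
        if (-not [string]::IsNullOrEmpty($root) -and $Path -like "$root\*") { return $true }
    }
    return $false
}

# BHOs are registered by CLSID; the DLL is recorded under the CLSID's
# InprocServer32 key. On 64-bit Windows the 32-bit browser's add-ons live under
# Wow6432Node, so both registry views are checked.
function Get-BrowserHelperObjects {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID')
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path -LiteralPath $bhoKey)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $bhoKey) {
            $clsid = $entry.PSChildName
            $dll = $null; $name = $null
            foreach ($root in $clsidRoots) {
                $srv = "$root\$clsid\InprocServer32"
                if (Test-Path -LiteralPath $srv) {
                    $dll  = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty -LiteralPath $srv).'(default)')
                    $name = (Get-ItemProperty -LiteralPath "$root\$clsid").'(default)'
                    break
                }
            }
            if ([string]::IsNullOrEmpty($name)) { $name = $clsid }
            New-Object PSObject -Property @{
                Kind    = 'BHO'
                Name    = $name
                Path    = $dll
                Signer  = Get-SignerInfo $dll
                Suspect = [string]::IsNullOrEmpty($dll) -or (Test-SuspectLocation $dll)
            }
        }
    }
}

# Running processes. Path is empty for Idle (0), System (4) and for processes
# the session is not allowed to open, which is why this needs elevation.
function Get-ProcessReport {
    foreach ($p in Get-Process) {
        $path = $p.Path
        New-Object PSObject -Property @{
            Kind    = 'Process'
            Name    = "$($p.ProcessName) (PID $($p.Id))"
            Path    = $path
            Signer  = Get-SignerInfo $path
            Suspect = ([string]::IsNullOrEmpty($path) -and $p.Id -gt 4) -or (Test-SuspectLocation $path)
        }
    }
}

$report = @(Get-BrowserHelperObjects) + @(Get-ProcessReport)
$report | Sort-Object Suspect -Descending |
    Format-Table Suspect, Kind, Name, Path, Signer -AutoSize -Wrap
```

Read the Signer column with the same caution as in Step 1: on Windows 7 a number of Microsoft's own binaries are signed only through security catalogs, so a NOT VALID (NotSigned) result for a file under \Windows\System32 is a prompt to confirm the path and version, not a verdict. Entries that combine a system-sounding name with a path under a user profile, or a BHO whose CLSID has no InprocServer32 at all, are the ones to research before deciding whether to remove them.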

About the Author

Brien Posey is a seven-time Microsoft MVP with over two decades of IT experience. As a freelance writer, Posey has written many thousands of articles and written or contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. When he isn't busy writing, Brien Posey enjoys exotic travel, scuba diving, and racing his Cigarette boat. You can visit his personal Web site at: www.brienposey.com.


Reader Comments:

Mon, Jul 25, 2011 James Hevener - vaITpros.com Richmond, Va

1. Cables 2 Go has a nice kit - $35 that works with most drives, even laptops. 2. Keeping a current copy of Norton AV with code on hand, has a bootable CD that is quite good. 3. BitDefender ISO is good too. Those along with Malwarebytes and Exterminate-IT have served me well. All priced reasonably. Go ahead and license for your customers / clients / friends - build into your cleanup cost. Save the hard work for yourself. 4. For disk imaging if you want - it is going to be hard to beat ActiveDisk - unless you use something more manual. ActiveDisk is near as good as Symantec Backup Exec System Recovery - and/or Ghost - and half the cost. 5. Even System Restore via the OS has come in quite handy, with Safeboot, msconfig, etc.

Thu, Jul 14, 2011 Bill R Herlong, California

FYI: Most laptop HDDs are removable without special tools and can be fitted with adaptors for around $15.00

Sat, Jun 25, 2011 Brian Chicago, IL

I want someone to explain how computers are getting infected. I can clean the toughest virus, but why are systems getting infected in the first place? Why does Malwarebytes detect and clean these viruses, but vendors like McAfee, Symantec, and Microsoft fail to detect or clean them? Sure I can remove administrator access, but that's not the point. I'm guessing most people are getting infected through outsourced advertisements. I've had computers get infected from just browsing well-known sites.

Wed, Jun 22, 2011 Sirish Dangol Kathmandu, Nepal. (Currently in London)

Yes, these are the better techniques that I've been using and they are really effective and work almost 90% of the time. But sometimes you have to be careful that some infected system files are not being deleted. Thanks, and looking forward to seeing lots of articles similar to this one in the future.

Tue, Jun 21, 2011 Mike Mesa, AZ, USA

Thank you Brien. I will use your article with some of my computer classes, if that's OK with you. I am curious about the malware tools you might be using. I have been using the free stuff: malwarebytes.com, Spybot portable and Avast. How about you?

Mon, Jun 20, 2011 Dimitrios Kalemis Athens, Greece

You can open the Internet Options properties sheet without opening IE. One way is to open Internet Options from Control Panel.

Mon, Jun 20, 2011 Frank Germany

Looks like an easy "how-to" - but what to do if the infected device is a laptop itself? You can't remove the hard disk from most laptops without special experience. And often the interface of such hard drives is a non-standard one... Maybe it's a good idea to "clone" the hard drive before working with it, in case you accidentally delete too many files ;-)
