Posey's Tips & Tricks
Malware Removal: 3 Steps To Take
Computer malware has been a big problem for decades, but it seems to be on the upswing lately, requiring a thorough response. In that context, I wanted to share three steps I like to take to ensure its removal.
In my own organization, malware gets singular treatment. I reformat the hard drive and redeploy Windows from an image file. However, I get a lot of phone calls from friends and family with malware infections, and in those situations, formatting the hard drive usually isn't an option. Here's an approach to take in those cases.
Step 1: Remove the Hard Disk and Scan It
The first thing that I usually do when faced with such infections is to remove the machine's hard disk. I have a laptop that I carry for the sole purpose of cleaning viruses. It runs Windows 7 with all of the latest security patches, and it has several malware removal tools installed. Nothing else is loaded on the laptop because I don't want to risk infecting one of my production machines while trying to help a friend.
Once I have removed the hard drive from the infected machine, I attach it to my laptop using a USB-to-SATA interface. This approach allows me to work on disinfecting the hard disk without having to boot the infected operating system. If the hard disk has been encrypted, this technique won't work, but thankfully most home users do not encrypt their hard drives.
After I have scanned the infected hard disk with the various tools and removed any malware detected, I then reinstall the hard disk into the machine from which it came. My experience has been that although the technique that I just described will remove the bulk of infections, it doesn't usually result in a total removal of the infected files.
That being the case, the next thing that I like to do is to boot the machine into safe mode, install some anti-malware tools and rescan the system. Occasionally the anti-malware tools will find things that were not previously detected because the machine had been running an infected operating system.
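As an added example of the Step 1 workflow (this is my own script, not something from the article or its author), the following PowerShell triages a disk that has been attached to the clean laptop over USB-to-SATA: it runs a custom scan of the attached volume with MpCmdRun.exe, then loads the disk's offline SOFTWARE hive and lists the Run/RunOnce autostart entries with the signature status of each referenced executable. Assumptions: the script runs elevated, the attached disk shows up under the drive letter passed as $Drive, and Microsoft Security Essentials or Windows Defender is installed (the two MpCmdRun.exe locations probed are the usual install paths, not something the article states). The hive name OfflineSW is arbitrary.

```powershell
# Added example, not from the article. Triage an infected disk attached to a
# clean Windows machine (Step 1). Run as Administrator.
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z]:$')]
    [string]$Drive            # drive letter of the ATTACHED disk, e.g. E:
)

# Refuse to operate on the clean laptop's own system volume.
if ($Drive -eq $env:SystemDrive) { throw "Refusing to scan the system drive $Drive" }
if (-not (Test-Path "$Drive\Windows\System32\config\SOFTWARE")) {
    throw "$Drive does not look like a Windows installation (no SOFTWARE hive)"
}

# 1. Custom scan of the attached volume. -ScanType 3 scans the path given
#    with -File, so the infected OS never has to be booted.
#    Assumed install paths for MSE and Windows Defender:
$mp = @("$env:ProgramFiles\Microsoft Security Client\MpCmdRun.exe",
        "$env:ProgramFiles\Windows Defender\MpCmdRun.exe") |
      Where-Object { Test-Path $_ } | Select-Object -First 1
if ($mp) {
    & $mp -Scan -ScanType 3 -File "$Drive\"
} else {
    Write-Warning "MpCmdRun.exe not found; run your other scanners against $Drive\ by hand"
}

# 2. Load the offline SOFTWARE hive and list its Run/RunOnce autostarts.
#    These run at logon on the infected machine, so anything unsigned or
#    unfamiliar here deserves a close look. (If the infected machine was
#    hibernated rather than shut down, the hive may be dirty and refuse to load.)
$hive = 'OfflineSW'
& reg.exe load "HKLM\$hive" "$Drive\Windows\System32\config\SOFTWARE" | Out-Null
$findings = @()
try {
    $runKeys = @('Microsoft\Windows\CurrentVersion\Run',
                 'Microsoft\Windows\CurrentVersion\RunOnce',
                 'Wow6432Node\Microsoft\Windows\CurrentVersion\Run')
    foreach ($rel in $runKeys) {
        $key = "HKLM:\$hive\$rel"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $names = $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
                 ForEach-Object { $_.Name }
        foreach ($name in $names) {
            $cmd = [string]$props.$name
            # Pull the executable out of the command line: quoted path or first token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
            # The stored path refers to the infected machine's own C:; remap it to $Drive.
            $offline = [Environment]::ExpandEnvironmentVariables($exe) -replace '^[A-Za-z]:', $Drive
            $status = 'FileMissing'; $signer = ''
            if (Test-Path $offline) {
                $sig = Get-AuthenticodeSignature -FilePath $offline
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            $findings += New-Object PSObject -Property @{
                Key = $rel; Name = $name; Command = $cmd; Signature = $status; Signer = $signer
            }
        }
    }
} finally {
    # Drop the registry provider's handles first, or reg unload reports access denied.
    [GC]::Collect(); [GC]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$hive" | Out-Null
}
$findings | Format-Table Key, Name, Signature, Signer, Command -AutoSize
```

Run it as `.\Triage-OfflineDisk.ps1 -Drive E:` (script name assumed). The autostart listing complements the scanner rather than replacing it: a scanner only flags what its signatures know, whereas an unsigned executable launched from a user profile at every logon stands out regardless of whether any product detects it.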
Step 2: Reset Internet Explorer
Regardless of whether or not any additional infected files are detected, I like to reset Internet Explorer. The majority of the malware that I have encountered in recent years is specifically designed to target Internet Explorer. Since it is impossible to be sure whether or not Internet Explorer has been fully cleaned, I like to reset it just to be safe.
The technique for resetting Internet Explorer varies depending on which version is being used. To reset Internet Explorer 9 (running on Windows 7), open the browser and click the red "x" icon as quickly as possible to try to prevent Internet Explorer from fully loading the default page, which may be infected. Click on the Tools button. Next, click Internet Options. When the Internet Options properties sheet opens, go to the Advanced tab and click Reset. Now, select the Delete Personal Settings check box. This causes Internet Explorer to remove the browsing history, search providers (a popular way to link to malicious Web sites), accelerators, tracking protection and ActiveX filtering information. The Favorites list, however, will be preserved. Finally, click Close, followed by OK.
Step 3: Check Add-Ons and Processes
Once Internet Explorer has been reset, I recommend taking a look at the list of add-ons. Because different techniques must be used to reset different versions of Internet Explorer, the add-ons may or may not be affected by the reset. You will often discover that the add-ons have been disabled, but not removed.
It's a good idea to browse the list of add-ons to make sure that anything potentially malicious is removed. Be sure to pay attention to the publisher listed for each add-on. Malware authors typically give names to add-ons that mimic legitimate system components in an effort to confuse users and discourage removal. Verifying the publisher is a good way to tell whether or not an add-on is legitimate.
The last thing to do after cleaning an infected system is to reboot the system and then open the Task Manager to look at what processes are running on the system. I perform a Google search for the file names of any processes that I do not recognize so that I can determine whether or not each process is legitimate.
If I do find a process that is linked to malware, but my anti-malware tools are unable to detect it, then I manually remove the process by delving into the registry. However, this is an advanced technique that is better suited for a separate discussion.
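The add-on review and the process review in Step 3 both come down to the same question: which binary is actually behind this entry, and who signed it? As an added example (my own code, not the article's), the following PowerShell enumerates Internet Explorer Browser Helper Objects from the registry, resolves each CLSID to the DLL it loads, and inventories running processes, reporting the Authenticode signer and SHA-256 hash of every module so that unfamiliar entries can be checked by publisher and looked up by hash rather than by file name alone. Assumptions: it runs elevated on the cleaned machine after the reboot, on PowerShell 2.0 or later (it hashes with .NET rather than Get-FileHash so it works on Windows 7); the function names are mine.

```powershell
# Added example, not from the article. Inventory IE add-ons (BHOs) and running
# processes with signer and hash (Step 3). Run as Administrator after reboot.

function Get-Sha256 {
    # SHA-256 of a file via .NET, so it works on PowerShell 2.0 (no Get-FileHash).
    param([string]$Path)
    try {
        $sha = [System.Security.Cryptography.SHA256]::Create()
        $fs  = [System.IO.File]::OpenRead($Path)
        try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
        finally { $fs.Close() }
    } catch { 'unreadable' }
}

function Get-SignerInfo {
    # Signature status plus certificate subject. Malware borrows a legitimate-
    # looking NAME far more often than a valid publisher signature.
    param([string]$Path)
    $status = 'NoFile'; $signer = ''
    if ($Path -and (Test-Path $Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }
    New-Object PSObject -Property @{ Status = $status; Signer = $signer }
}

function Get-IEBrowserHelperObjects {
    # BHOs are registered by CLSID under these keys; the CLSID's InprocServer32
    # default value is the DLL IE loads. 32-bit IE on 64-bit Windows uses Wow6432Node.
    $bhoKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects')
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($clsidKey in Get-ChildItem $key) {
            $clsid = $clsidKey.PSChildName
            $dll = ''; $display = ''
            foreach ($root in @("HKLM:\SOFTWARE\Classes\CLSID\$clsid",
                                "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$clsid")) {
                if (Test-Path "$root\InprocServer32") {
                    $dll     = [string](Get-ItemProperty "$root\InprocServer32").'(default)'
                    $display = [string](Get-ItemProperty $root).'(default)'
                    break
                }
            }
            if ($dll) { $dll = [Environment]::ExpandEnvironmentVariables($dll) }
            $info = Get-SignerInfo $dll
            $hash = ''
            if ($dll -and (Test-Path $dll)) { $hash = Get-Sha256 $dll }
            New-Object PSObject -Property @{
                CLSID = $clsid; Name = $display; Module = $dll
                Signature = $info.Status; Signer = $info.Signer; SHA256 = $hash
            }
        }
    }
}

function Get-ProcessInventory {
    # Win32_Process exposes ExecutablePath even for processes Get-Process cannot
    # open; protected system processes still come back with no path.
    Get-WmiObject Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        $info = Get-SignerInfo $path
        $hash = ''
        if ($path -and (Test-Path $path)) { $hash = Get-Sha256 $path }
        New-Object PSObject -Property @{
            PID = $_.ProcessId; Name = $_.Name; Path = $path
            Signature = $info.Status; Signer = $info.Signer; SHA256 = $hash
        }
    }
}

"=== Internet Explorer add-ons (BHOs) ==="
Get-IEBrowserHelperObjects | Format-Table Name, Signature, Signer, Module -AutoSize
"=== Running processes (NoFile/NotSigned sort ahead of Valid) ==="
Get-ProcessInventory | Sort-Object Signature, Signer |
    Format-Table PID, Name, Signature, Signer, Path, SHA256 -AutoSize
```

Reading the output: a BHO whose Name mimics a Windows component but whose Signer is empty, or whose Module lives under a user profile or Temp directory, is the kind of entry the article says to check against the publisher. For processes, searching by SHA-256 is more reliable than searching by file name, since a malicious file can carry any name it likes but cannot change its hash. Piping either function to Export-Csv gives a baseline to compare against on the next visit.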
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.