What is the first thing you should do when you discover a computer is infected with malware?

A malware infection can be a challenge to completely remove. In this video, you’ll learn a step-by-step list of best practices for removing malware from any system.


Sometimes it’s very obvious when you might have a malware infection. There might be weird error messages on your screen. You might get odd security alerts. There might be weird applications that have been installed. Or it may be something where your system is simply acting a little bit slow and sluggish. It’s not performing the way you would expect and you might think there is something else running under the surface that’s causing this particular performance problem.

If you believe a system has been infected with malware, then you should quarantine it immediately. You should disconnect it from the network, so it can’t talk to anybody else that might be inside of your organization. And you should make sure that any removable media that’s connected to the system stays quarantined as well. You don’t want a USB drive to be plugged into another computer and then spread the malware to that particular system.

If you’re successful in quarantining this system, then you’re going to prevent this malware from spreading to other systems. Don’t try to move files from one computer to another because those files may be infected with this particular malware. You want to keep everything on this system and away from all other computers.

In Windows, your next step should be to disable System Restore. Normally if you have a configuration problem, you would use System Restore to go back to an earlier point in time. And it makes sense that if you’re infected with malware or a virus that you would want to go back to a point in time where you didn’t have that particular infestation. Unfortunately, the malware authors know this, and when they infect your system they will also infect all your restore points.

So by disabling the system protection, you’re effectively going to be removing all of your previous restore points. By deleting all of these then you’re also deleting any opportunity for the malware to be re-introduced if you happen to restore from one of those restore points in the future. To perform these functions you would launch the system protection utility, you would disable the system protection, and then hit the Delete button to delete all restore points for that drive.

So now it’s time to remediate your system and remove all of this virus or malware infestation. The first thing you should do is make sure that you have an updated anti-virus application. Both the anti-virus engine and the signatures need to be at the latest versions. You would almost always have this set up for an automatic update.

If you’re setting this up for manual update that’s probably why you got infected to begin with, because these signatures are updated all the time. If you are infected with some malware, the malware itself may prevent your anti-virus application from working properly. So you may have to transfer all of those updated signatures from a different computer, and into this system, and perform the update manually.

To be able to remove this malicious software we’re going to need an anti-virus application from a well-known company. We’ll also want a standalone anti-malware remover, such as Malwarebytes, and others that may be out there. And there might even be standalone applications that you can get from your anti-virus company that will target very specific types of viruses and malware and remove those from your computer.

Even with all of these utilities of course, you can never be 100% sure that you’ve removed all of the different parts of the malicious software. For that reason, it might even be a better idea to delete everything on this system and restore it from a known good backup. If you are trying to clean this malware from this system, you may want to try starting Windows in Safe Mode. Since Safe Mode is only starting with a minimal configuration, it might also prevent some of the malware from executing when it starts up.

You might also want to become very familiar with the Windows boot environment, especially the recovery console in the command prompt, because you’re able to get in there and make modifications and repairs to the Master Boot Record and the volume boot record of your storage device.

Now that we feel that we’ve removed the malicious software, it’s time to get your system back up and running again. One of the first things you should do is make sure that your anti-virus software has a schedule to automatically update the signatures. You can usually do this in the anti-virus software itself or you may want to integrate it into the Windows Task Scheduler. You’ll also want to make sure your system is configured to automatically install operating system updates as well. This will especially be useful for stopping known security problems and your operating system will remain as safe as possible as long as it’s getting these updates.

Earlier we disabled the System Restore function and we deleted all of the restore points. So now that we feel that the malicious software is gone, it’s time to re-enable the System Restore capabilities. You might even also want to click the button to create a restore point right then so that you know you can always revert back to the current configuration. This would also be a good time to educate your end users so that they are aware of the threats that are out there with this malicious software.

You might want to perform some one-on-one training with your users, maybe put posters and signs up, that people can see as they’re walking down the hallway. You might even want to put something on a message board that’s visible, next to the coffee machine, or just outside of the elevator. You might also want to consider putting a login message. When somebody logs in they would see what the latest news might be and get information on how to protect themselves from this malicious software. And of course, you can always put things on the internet page so that it’s always accessible at any time of the day.

If the system has any data classified as Protection Level 4 (P4), disconnect it from the network - don't turn it off or unplug it - and immediately contact at (510) 664-9000 (option 4)

Attackers often leave “backdoors” on a compromised computer and removing them all can be difficult, if not impossible. We recommend reinstalling your operating system, but if that is not practical you can try this option first.

Note: If you receive a security notice from ISO after attempting to clean the computer, you MUST reinstall the operating system (see Reinstalling Your Compromised Computer for instructions).

Instructions for Microsoft Windows operating systems:

1. Make sure your antivirus software is up-to-date.

Windows 10 comes with Windows Defender.

1.1 Double-click on the white shield icon in the icon tray bar (notification area) on the lower right portion of your screen (or search for “Windows Defender” from the Start Menu). When you move your mouse over the icon, it should say "PC Status: Protected".

1.2 Click the "Update" tab, click on the "Update" button and follow the prompts.

2. Reboot your computer into Safe Mode

Follow these specific instructions for Windows 10: //support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode.

2.1 Once in Safe Mode, you’ll want to run a virus scan. But before you do that, delete your temporary files. Doing so may speed up the virus scanning, free up disk space, and even get rid of some malware. To use the Disk Cleanup utility included with Windows 10, type Disk Cleanup in the search bar or after pressing the Start button, and select the tool that appears named Disk Cleanup.

2.2 Next, while still in Safe Mode, run a full scan of your system: Double-click on the white Windows Defender shield icon in the icon tray bar (notification area) on the lower right portion of your screen and select. When you move your mouse over the icon, it should say "PC Status: Protected."

2.3 On the "Home" tab select "Full" and click the "Scan now" button.

3. Download and install an Anti-Spyware program

3.1 These programs have free versions that can be run for personal use and have solid reputations. 

Note: Keep in mind that some adware/spyware alerts, particularly cookies, may be fairly innocent and not represent a serious threat to your system's safety. The alerts to be concerned about are primarily those that represent installed programs or browser plug-ins/add-ons that you cannot identify.

If these steps do not return any significant problems, then the system is probably ok to use. However, be wary of any issues you notice. If these steps do not resolve the issue, you must rebuild your operating system: Reinstalling Your Compromised Computer.

* This list does not represent endorsement by the University of California or its affiliates.
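The Windows steps described above, as a PowerShell script: the System Restore handling from the first walkthrough and the antivirus update and full scan from the numbered instructions. This is an added example, not part of the original pages. It assumes an elevated Windows PowerShell 5.1 session, the system drive `C:`, and Microsoft Defender as the active antivirus; the phase names are made up for the example.

```powershell
#Requires -RunAsAdministrator
# Added example. Assumptions: Windows PowerShell 5.1, system drive C:,
# Microsoft Defender is the active antivirus. Run one phase at a time.
param(
    [ValidateSet('Prepare', 'Scan', 'Finish')]
    [string]$Phase = 'Prepare',
    [string]$Drive = 'C:\'
)

switch ($Phase) {
    'Prepare' {
        # Turn off System Protection so old restore points cannot be restored from.
        Disable-ComputerRestore -Drive $Drive
        # Verify rather than assume: report any restore points that still exist.
        $left = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
        if ($left.Count -gt 0) {
            Write-Warning "$($left.Count) restore point(s) remain; delete them in System Protection."
        } else {
            'No restore points remain.'
        }
    }
    'Scan' {
        # Online update; on a quarantined machine this fails and the signatures
        # have to be carried over from a clean computer and installed manually.
        try { Update-MpSignature -ErrorAction Stop }
        catch { Write-Warning "Signature update failed: $($_.Exception.Message)" }

        # Show engine and signature versions, and flag stale signatures.
        $s   = Get-MpComputerStatus
        $age = (Get-Date) - $s.AntivirusSignatureLastUpdated
        "Engine $($s.AMEngineVersion), signatures $($s.AntivirusSignatureVersion)"
        if ($age.TotalDays -gt 1) {
            Write-Warning "Signatures are $([int]$age.TotalDays) day(s) old."
        }

        Start-MpScan -ScanType FullScan   # full scan; can take several hours

        # Detections, newest first, to review before trusting the machine again.
        Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending |
            Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources
    }
    'Finish' {
        # Re-enable System Protection and record a restore point of the cleaned state.
        Enable-ComputerRestore -Drive $Drive
        Checkpoint-Computer -Description 'Baseline after malware removal' -RestorePointType MODIFY_SETTINGS
        Get-ComputerRestorePoint | Select-Object -Last 1 -Property SequenceNumber, Description, CreationTime
    }
}
```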


What to do if your computer gets a virus

Computer viruses can be dangerous and should be taken seriously, but there are ways to remove them before serious damage is done. We'll go through the basic steps of virus scanning and removal, but keep in mind that it may still be necessary to hire a technical support professional to completely remove the virus and repair your computer.

Antivirus software

First, if you don't already have an antivirus program, install one. Be sure you only have one antivirus program installed because having more than one can cause significant problems. Examples of antivirus software include Bitdefender and Norton.

Run a system scan

Once you've verified that your antivirus program is running, begin a scan. If you're unsure how to do this, review the documentation for your antivirus program, which usually can be found on the developer's website. Some programs offer several types of scans, and you may want to run the most thorough type, usually called a full system scan. This may take several hours. Usually, you do not need to remain at the computer during the scan.

If no viruses or malware are found but you are still experiencing problems with your computer, try other troubleshooting techniques or have your computer assessed by a support professional.

Review discovered threats and recommended action

Either during the course of the scan or when it's complete, the antivirus program will notify you of discovered threats and recommend various courses of action. Usually, the recommended action for each threat is the best choice. If the antivirus is unable to remove any threat, don't ignore it. Investigate how to proceed with some Internet searches or by contacting a professional. The support team for the antivirus program can often help you at this point.

Malware

Your antivirus program may be bundled with an anti-malware program. If it isn't, you may want to install an anti-malware program and run a scan. This can help to find any malware your antivirus may have missed. Antivirus and anti-malware programs scan for slightly different things but they work similarly, so you can follow the same steps in this tutorial.

If all else fails

If you are unable to remove the virus—or if your programs or operating system are damaged beyond repair—it may be necessary for you to erase the hard drive and reinstall your operating system and programs. At this point, you may want to consider hiring a technical support professional, but it is still possible to do this yourself. If you perform a full reformat of your hard drives during this process, it is almost guaranteed to eliminate even the most pernicious viruses, but all data on your drives will be lost. This is one of many reasons it is crucial to keep regular backups of your data before your computer develops any significant problems. If you restore data from backups after reformatting your hard drive, perform a virus scan on the restored data to be sure it is not infected with a virus.
