Security

Improve malware removal routines with the help of this checklist

Eliminating malware requires a systematic process with no missed steps. This checklist will make it easier to do an effective, thorough job.

Malware removal is among the more frustrating tasks that support desks, network administrators, and IT consultants undertake. You must typically clean multiple machines simultaneously. Performed in a vacuum with no interruptions via e-mail, telephone, cell phone, and in-person contact, the process might prove manageable. Faced with endless distractions in the real world, however, the process often proves disjointed and inefficient.

A single simple form can help bring order to the chaos. Our free Virus & Spyware Removal Checklist will help you methodically isolate and remove virus, spyware, and rootkit infections.

The checklist begins by ensuring that you don't forget to create image backups prior to troubleshooting. With an image backup stored on a secondary hard disk, you can work with a safety net. Since image backups duplicate user settings, configuration information, downloaded files, email, and all user data, you can remove infections without fear of rendering a system unusable. In worst-case scenarios, should a specific malware removal step break a system, you can restore the image backup and continue attempting repairs. Further, image backups safely store all user data and information on a secondary disk, which you can use to recover critical data and settings if a Windows reinstallation proves necessary.

Next, the checklist covers some critical steps that are easily overlooked -- like verifying that the most current antivirus, anti-spyware, and anti-rootkit platforms are not only installed but have the most current signature updates.

If you tend to forget whether problematic entries revealed by Microsoft Autoruns for Windows were already reviewed and disabled, you'll be able to tell at a glance. In addition, the checklist reminds you to delete problematic Windows System Restore Points, remove temporary files, and uninstall unnecessary and/or rogue programs. It also reminds you to create new Windows System Restore Points once repairs are complete.

If repair attempts fail to identify and remove malware infections natively (running removal efforts within the infected Windows environment), you can follow the steps for strategy escalation. Badly infected systems, or computers plagued with a particularly problematic infection, may require physically removing the hard disk from the offending system and connecting it to a test system specifically configured to isolate and sanitize slaved hard disks. Or you may prefer to clean stubborn infections from a preboot environment or Linux boot disk that leverages BartPE, Knoppix, or similar recovery technologies.
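The signature, autostart, temp-file and restore-point items above can be audited from one script before and after a cleanup pass. The following is an added example written for this page; it is not part of the checklist download or the author's material. It assumes Windows PowerShell 5.1 run as an administrator on a host with Microsoft Defender (Get-MpComputerStatus, Get-ComputerRestorePoint and Checkpoint-Computer are not available in PowerShell 7), and the report path is a hypothetical default.

```powershell
# Added example, not the checklist's own code: report the state of several
# checklist items on the local host so they can be compared before and after cleanup.
# Assumes Windows PowerShell 5.1 as administrator with Microsoft Defender installed.
#Requires -RunAsAdministrator
param([string]$ReportPath = "$env:USERPROFILE\Desktop\malware-checklist.txt")  # hypothetical default

$report = New-Object System.Collections.Generic.List[string]

# 1. Antivirus signatures: flag anything older than one day (threshold chosen for this example).
try {
    $mp  = Get-MpComputerStatus
    $age = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    $status = if ($age.TotalDays -gt 1) { 'STALE' } else { 'OK' }
    $report.Add(("[{0}] Defender signatures updated {1:u} ({2:N1} days ago); real-time protection: {3}" -f $status, $mp.AntivirusSignatureLastUpdated, $age.TotalDays, $mp.RealTimeProtectionEnabled))
} catch {
    $report.Add("[WARN] Get-MpComputerStatus failed: $($_.Exception.Message)")
}

# 2. Autostart entries: the Run/RunOnce keys (a subset of what Autoruns shows), with a
#    SHA-256 and Authenticode status so an entry can be recognised again after a reboot.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # skip the provider's own PS* metadata
        $cmd = [string]$p.Value
        # Executable is either the quoted first token or the first space-delimited token.
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $hash   = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $signed = (Get-AuthenticodeSignature -LiteralPath $exe).Status
        } else {
            $hash   = 'FILE-NOT-FOUND'                    # dangling entry: worth a closer look
            $signed = 'n/a'
        }
        $report.Add("[AUTORUN] $key\$($p.Name) -> $cmd | sha256=$hash | sig=$signed")
    }
}

# 3. Temporary files: report the size only; the operator decides what to delete.
foreach ($tmp in @($env:TEMP, "$env:SystemRoot\Temp")) {
    if (Test-Path $tmp) {
        $bytes = (Get-ChildItem -Path $tmp -Recurse -File -ErrorAction SilentlyContinue |
                  Measure-Object -Property Length -Sum).Sum
        $report.Add(("[TEMP] {0}: {1:N0} MB" -f $tmp, ($bytes / 1MB)))
    }
}

# 4. Restore points: list the existing ones (these are the candidates for deletion while
#    the system is still infected; the usual way to purge them all is
#    Disable-ComputerRestore -Drive 'C:\' followed by Enable-ComputerRestore -Drive 'C:\').
foreach ($rp in (Get-ComputerRestorePoint -ErrorAction SilentlyContinue)) {
    $report.Add("[RESTORE] #$($rp.SequenceNumber) '$($rp.Description)' created $($rp.ConvertToDateTime($rp.CreationTime))")
}

$report | Tee-Object -FilePath $ReportPath

# Final checklist item: a fresh restore point once the operator confirms repairs are done.
if ((Read-Host 'Cleanup complete? Create a new restore point (y/n)') -eq 'y') {
    Checkpoint-Computer -Description 'Post-malware-removal baseline' -RestorePointType MODIFY_SETTINGS
}
```

Run it once before starting the checklist and once after, then diff the two report files: an autorun entry that reappears with a different hash, or a signature age that has not moved, is the kind of detail that gets lost when several machines are being cleaned at once.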

Customization

If you want to rearrange the steps or add your own special procedures, you'll find it easy to edit the checklist. The download includes versions in both Excel 2003 and Excel 2007.

About

Erik Eckel owns and operates two technology companies. As a managing partner with Louisville Geek, he works daily as an IT consultant to assist small businesses in overcoming technology challenges and maximizing IT investments. He is also president o...

9 comments
rgj2000

I support 350 computers and about once a week someone will get a case of scareware. The first thing I do is try to restore the system from a couple of days prior to getting infected. I do that in safe mode. About 70 percent of the time this works and I am done. At that point I do blow away the old restore points, then turn System Restore back on again.

alexisgarcia72

If a machine is infected with really bad malware and you believe you can lose your time with this (hours perhaps), the recommended practice is to replace the user's machine with a new ghost-imaged PC. I don't lose time with malware or spyware. And if you want to avoid malware infection, just take a look at the users' permissions. This is the no. 1 reason why Windows computers are infected these days. I see Windows 7 Pro PCs without antivirus working great because the user uses a limited account. I of course always install an AV to be safe, but permissions are the FIRST line of defense.

mike

A very nice list to use indeed, although I don't agree if this is considered the order in which you approach a system. I'll take this and rearrange it to my liking and order and add what I think is missing. Thank you.

alexisgarcia72

Do you use System Restore to restore your system back to a usable state? This never works for me... I use Acronis differential backups... (but I don't need to do it since I limit the permissions of my users)

Sensei Humor

...it's Windows. So many manufacturers seem to require Admin privs to run their software. Microsoft was on the right track with UAC, but the fact that you can't give an application Admin privs unless the user has them, and that UAC is nothing but nagware, makes this solution less than viable as well.

lburt

It would be wise to run system cleanup products like CCleaner and CleanUp! prior to doing full antivirus and spyware scans. Tens of thousands fewer files to scan can save you a huge chunk of time. Additionally, using the registry cleaner after the AV/antimalware scans can clean up any residual links that might lead to reinfection. Also, the time to get a system image probably isn't when the PC is highly infected; better to have one from a point in time where everything is working. Absolutely spend a bit of time backing up favorites and documents.

alexisgarcia72

Every time I provide consulting to a company, I encourage them to limit user permissions. Even in a domain with GPOs, domain users cannot be local admins. Some companies use this to avoid user problems with certain applications, but instead of opening the door to problems, they need to work on providing compatibility with the app without opening the security hole. UAC is OK (not in Vista). Windows 7 has demonstrated incredible security if:

- you have all updates
- the firewall is on
- AV is installed and updated (please use a good one!)
- users have limited access

This has proved to be highly secure. Even in an isolated lab environment with lots of malware, spyware, viruses and trojans, the machine is clean after 48 hours.

keropifrogs

Only admins should be allowed to install software. What happened to Group Policy?

alexisgarcia72

We used scripts and GPO in the past. In order to have a good and fast GPO working in your domain environment, your AD and DNS must be tuned to the top. A bad GPO setup can introduce several delays during the user login process. We use GPO with good results, but security in a Windows environment is more than that. You need to have a good hardware firewall, software firewall (Windows Firewall is OK), all updates, service packs, good AV, PERMISSIONS, and additional features like IDS and ForeScout are always welcome. In a regular home or small network, AV, firewall, updates and a limited account can do a good job.
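Several commenters above make the point that a limited user account is the first line of defense and that domain users should not be local admins. The script below is an added example written for this page, not code from any commenter or from the article; it audits who actually holds local administrator rights on a Windows host so the claim can be verified per machine rather than assumed. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and newer), and the allow-list is a constructed placeholder.

```powershell
# Added example, not from any commenter: enumerate local Administrators group members
# and classify each one against an allow-list, so "users have limited access" is checked
# rather than assumed. Assumes the LocalAccounts module (Windows 10 / Server 2016+).
param(
    [string[]]$AllowedAdmins = @('Administrator', 'Domain Admins')   # constructed allow-list
)

$findings = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    # Name arrives as DOMAIN\account or COMPUTER\account; compare on the account part only.
    $account = ($m.Name -split '\\')[-1]
    $allowed = $AllowedAdmins -contains $account

    $finding = if ($allowed) {
        'expected'
    } elseif ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -ne 'Local') {
        'domain user holds local admin rights'      # the case the comments warn about
    } elseif ($m.ObjectClass -eq 'User') {
        'extra local admin account'
    } else {
        'unreviewed group grants admin'             # nested groups need their own review
    }

    [pscustomobject]@{
        Member  = $m.Name
        Type    = $m.ObjectClass        # User or Group
        Source  = $m.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        Allowed = $allowed
        Finding = $finding
    }
}

$findings | Format-Table -AutoSize

# Non-zero exit code so the script can run from a scheduled task or login script
# and the result can be collected centrally.
if ($findings | Where-Object { -not $_.Allowed }) { exit 1 } else { exit 0 }
```

A group entry is reported as "unreviewed" on purpose: membership of a nested domain group is not visible from the local host, so it has to be checked in AD, which is where a GPO-based approach (Restricted Groups or Group Policy Preferences) would enforce the allow-list in the first place.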
