By Ken Dwight, The Virus Doctor
In dealing with recovery from a malware infestation, it is vital that the IT Support Technician consider all of the forms of damage that may have occurred. Only by recognizing and investigating every one of these categories can you ensure a successful recovery.
These are the general areas of concern:
- The actual malware must be found and removed.
- Any data files that have been deleted, corrupted, or encrypted must be restored.
- The user’s normal operating environment must be restored.
- Any malicious changes that have been made to the Windows Registry must be reversed.
- Any additional software that was installed by the malware must be uninstalled.
The remainder of this article will cover specific steps the tech must follow in order to restore the computer to its pre-infection condition.
The Actual Malware Must Be Found And Removed
While this step seems obvious and may be easy to accomplish in some cases, there are several important caveats that fly in the face of a tech’s normal routine. First, a high percentage of today’s malware operates in “stealth” mode, meaning it may not be obvious to the user, or even to the tech, that the computer is infected. So, the first step in this area is to detect and identify the malware and develop a plan for its removal.
The second consideration in removing the malware is the question of whether it is best to remove it manually or to trust a scan with an anti-malware program (or programs) to find and remove all traces of malware on the system. Modern malware may be very effective at avoiding detection and/or removal, so it may be necessary to follow a manual process that avoids those roadblocks. In the case of a rootkit infection, detection and removal are even more complicated.
The third concern at this stage of the recovery process is the type of malware involved. If the computer in question has been infected by encrypting ransomware, premature removal of the malware may limit the tech’s options for decrypting the encrypted data files.
Any Data Files That Have Been Deleted, Corrupted, Or Encrypted Must Be Restored
This step requires little elaboration. In most cases, the only way to restore deleted, corrupted, or encrypted data files is to use the established procedure for restoring from backups. In cases of encrypting ransomware, those backups become even more important – but they may have been encrypted by the malware as well. If that’s the case, the user may need to consider other options to decrypt those encrypted files.
The User’s Normal Operating Environment Must Be Restored
The malware may have made changes to the user’s normal operating environment; if so, those changes must be reversed. This will normally be a manual process, as there are too many variables for an automated procedure to find and undo all of the possible changes.
These aspects of the user interface are most commonly changed by malware:
- The Windows desktop
- Programs that start automatically when Windows starts
- Network connections and access to shared devices
- Browser settings, including Favorites/Bookmarks, Toolbars, and Add-Ons or Plug-Ins
Any Malicious Changes That Have Been Made To The Windows Registry Must Be Reversed
Most malware will make changes to the Windows Registry. Subkeys and values may have been added, deleted, or changed in order to activate the malware or to block attempts to identify or remove it. In some cases, the easiest resolution will be to restore a backup of the Registry from before the time the computer was infected. If there are no Registry backups available from which to restore, a System Restore can be an alternative method to try.
Any Additional Software That Was Installed By The Malware Must Be Uninstalled
In addition to the active malware itself, the infection may have caused other programs to be installed and started automatically. The most likely programs in this category would be remote-access or remote-control programs, such as TeamViewer or Ammyy. Any such program should be uninstalled, using the normal uninstall procedure. Additionally, sorting the installed programs by Installation Date in “Uninstall or change a program” will make it easy to identify and remove any programs that were installed by the malware.
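As an added illustration of the autostart, Registry, and installed-program checks described above (this is example code, not the article's own), the following PowerShell script lists the Run/RunOnce autostart entries, then lists installed programs sorted by install date and flags the remote-access tools the article names. It assumes Windows PowerShell 5.1 or later in an elevated prompt; the Registry paths are the standard Windows locations, and the TeamViewer/Ammyy name pattern is the only tool list assumed.

```powershell
# Added triage helper, not code from the article: lists autostart entries from the
# Run/RunOnce Registry keys and installed programs sorted by install date, flagging
# the remote-access tools named in the article. Assumes Windows PowerShell 5.1+
# run from an elevated prompt; key paths below are standard Windows locations.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Remote-control tools the article calls out; extend the pattern as needed.
$RemoteAccessPattern = 'TeamViewer|Ammyy'

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties
        foreach ($p in $props) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-InstalledPrograms {
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            # InstallDate is stored as yyyyMMdd text and is sometimes missing or malformed.
            $date = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name         = $_.DisplayName
                InstallDate  = $date
                RemoteAccess = ($_.DisplayName -match $RemoteAccessPattern)
                Uninstall    = $_.UninstallString
            }
        } | Sort-Object InstallDate -Descending
}

# Newest installs first; review anything dated around the infection or flagged RemoteAccess.
Get-AutostartEntries | Format-Table -AutoSize
Get-InstalledPrograms | Format-Table Name, InstallDate, RemoteAccess -AutoSize
```

Entries whose install date falls around the suspected infection time, or whose RemoteAccess flag is True, are the candidates to uninstall through the normal uninstall procedure; the Uninstall property of each object holds the registered uninstall command.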
While this overview is necessarily light on details, it does review the areas of an infected computer that could have been impacted by malware. If all five of these categories are addressed effectively, there is a high likelihood that the computer can be restored to its pre-infection condition.
About The Author
Ken Dwight has been a computer professional since 1966 (15 years before IBM introduced their Personal Computer). Since 2002 he has specialized in malware, as The Virus Doctor™. He is the creator of the Virus Remediation Training Workshop, training IT Support Techs in effective malware removal. Contact him at www.thevirusdoc.com.