Malware removal is a tricky business. It often requires intimate knowledge of the inner workings of a particular piece of malcode: How it got on the computer in the first place; its attack mode; what it changes; where it resides. Malware removal is certainly not for the faint-of-heart.
Since malware is a term that describes a broad variety of unwanted software, there are a multitude of details to work out before removal can commence. Each virus, spyware program or rootkit can have a completely different effect on a given computer system, making removal that much more complicated. For example, adware might only manifest itself in Internet Explorer (IE) browser settings; a virus might infect an instant messaging (IM) application and send IMs to the buddy list; while a rootkit can hide itself at a computer's kernel level to avoid detection by the operating system (OS), applications and the user.
Therefore, the first step in the malware removal process is identification and classification.
Aside from the basic classification terms, like viruses, worms, spyware, etc., you can classify malware on the basis of what's pertinent to administrators and users alike -- without needing to understand the precise technical definition of each term. One example is attack vector: How does a piece of malcode spread? Through email? Over IM? Does it disperse itself?
When you understand how a piece of malware infected your computers in the first place, not only will that knowledge help you identify the particular malware strain, but it will also help prevent more attacks.
Another way to classify malware is by the flaw or vulnerability it exploits. Does the malware affect a particular application like Word or PowerPoint? Does it only affect a particular version of software, like an IE 6 VBScript flaw? These vulnerabilities affect client-level systems, but what if the malware affects a more critical server system, as the 2003 SQL Slammer worm did?
The potential severity of malware is another way to classify it. Can it be easily dispersed through the network? Will it affect server-level systems? Will it be confined to only desktop systems running unpatched Office 2003 applications? Antivirus and antispyware companies often classify threats based on the extent of the damage caused by the malware to a single system and the prevalence of the flaw or vulnerability across many systems.
You can further classify malware by the actions it takes once it has infected a system. What files does it change? Does it change registry settings? Does it implant itself in the OS startup file? Does it initiate Windows processes? If it does, that is often the key to finding out if you have a virus. A tool like Sysinternals Process Explorer can help identify processes that should not be running on a clean Windows computer.
Malware removal tools
A large number of tools out there are great at detecting malware -- and usually those same tools can prevent it from infecting a computer in the first place. But far fewer tools can completely remove an embedded piece of malcode.
For removal, you often need to rely on tools that root out malware by scanning your system for anomalies like foreign processes, altered registry settings and corrupt files. Once the tool finds and identifies a piece of malware, there are usually manual instructions available for wiping its presence from a computer -- often that information comes from security companies or even blogs, user groups or independent security professionals.
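One practical way to spot the foreign processes and altered autostart registry settings mentioned above is to snapshot a known-clean machine and diff a suspect machine against it. The script below is an added PowerShell example, not code from the article; the baseline file location is an assumption.

```powershell
# Added example: snapshot running processes and Run-key autostarts on a known-clean
# machine, then diff a suspect machine against that baseline (not the article's code).
param(
    [ValidateSet('Baseline','Compare')] [string]$Mode = 'Baseline',
    [string]$BaselinePath = "$env:USERPROFILE\clean-baseline.json"   # assumed location
)

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

function Get-Snapshot {
    # Process name plus image path; Path is empty for protected/system processes.
    $procs = Get-Process -ErrorAction SilentlyContinue |
        ForEach-Object { '{0}|{1}' -f $_.ProcessName.ToLower(), $_.Path } |
        Sort-Object -Unique
    # Every autostart value under the Run keys, recorded as key\name = command.
    $auto = foreach ($k in $RunKeys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notmatch '^PS') { '{0}\{1} = {2}' -f $k, $p.Name, $p.Value }
            }
        }
    }
    [pscustomobject]@{ Processes = @($procs); Autostarts = @($auto) }
}

$now = Get-Snapshot
if ($Mode -eq 'Baseline') {
    $now | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
    return
}

$base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
# Anything present now but absent from the clean baseline deserves a closer look;
# check the image's publisher signature and path before treating it as malicious.
$newProcs = $now.Processes  | Where-Object { $_ -notin $base.Processes }
$newAuto  = $now.Autostarts | Where-Object { $_ -notin $base.Autostarts }
"Processes not in baseline:";        $newProcs
"Autostart entries not in baseline:"; $newAuto
```

Run it once with `-Mode Baseline` on a freshly built, patched machine and later with `-Mode Compare` on the suspect one; a process or Run entry that is new is a lead to investigate, not a verdict.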
Of course, some malware is so insidious that it cannot be completely removed from an infected system. In those cases, the only recourse is to reinstall the OS. And that makes the subject of chapter three of this guide, prevention, that much more important.
This was first published in April 2007