Problem solve Get help with specific problems with your technologies, process and projects.

Malware removal: Four simple steps

Many anti-malware products can find spyware and viruses, but sometimes they won't remove them.'s Assistant Editor David Nielson relates this malware removal advice from anti-malware guru and Sysinternals' founder Mark Russinovich.

While attending TechEd 2006 in Boston, I caught Sysinternals' malware expert Mark Russinovich's presentation entitled "Enterprise Malware Solutions." He began the presentation by saying, "Discovering malware is all well and good, but most people don't know how to actually remove it from their system once they find it." Given that many popular antivirus and antispyware tools don't always remove the malware they discover, I appreciated Russinovich's intent to show us how to eliminate malware by hand.

Russinovich was careful to identify rootkits as their own monster in the malware world. Rootkits have a way of disguising themselves as other types of files and processes that can hide from tools typically used to remove other forms of malware. He addressed rootkits more in depth toward the end of the discussion.

Russinovich laid out these steps to remove malware from your system.

STEP 1: Disconnect from the network

If you are connected to the network, you are vulnerable to attacks from malicious software. You are not invincible while running system scans, so the first step is to disconnect entirely.

STEP 2: Download all available auto-remove tools

Many spyware tools will show you that your system is infected with malware but won't actually remove it for you, cautioned Russinovich. Also, some tools will run free system scans and display discovered malware, but only remove it if you then pay and register for the product. Obviously, you would prefer to simply have an anti-malware program remove the infections for you.

So why not just download a well known industry-leading solution that does just that? Well, according to Russinovich, no matter how effective a tool is, free or paid for, it is highly unlikely that it will be able to remove everything in one fell swoop.

For more information
Malware removal handbook

Malware Learning Guide

"One problem in the fight against malware is that malware developers can see what we are doing, but we can't see what they're doing." Malicious software developers can write programs that can slip past some anti-malware programs, so be sure to have as many removal tools running as possible to maintain a malware-free system. If product A can only find and remove 90% of your system's malware, you need a way to remove the remaining 10%. So download every free tool available to you, just to be sure that all of your bases are covered. "My main piece of advice is to use all of the tools at your disposal," Russinovich said.

Perhaps as the founder of Sysinternals, he is a little biased, but he suggested (and demonstrated) the use of freeware tools like Process Explorer, Autoruns, and TCPView to identify malware on your system.

STEP 3: Clean autostarts

When booting up your system, some programs start automatically. These programs include those in your startup folder, Run, RunOnce, and other Registry keys, and some of these programs may in fact be malicious software. After you have removed malware and restarted your computer, Autoruns will show you a list of these programs. Running Process Explorer will identify what you need to remove.

Russinovich warned of these tell-tale signs that you have malware:

  • File found in Windows32 or Windows directory
  • Suspicious DLL
  • No source for file found
  • Process explorer highlights file pink
  • Process begins immediately after you kill it

When using Process Explorer to terminate identified processes and files, you may notice other processes (usually randomly named, for example ytsfctrl.exe or arwaxite.exe) begin immediately after another process is terminated. This means that the malware on your system is being watched by a "watchdog". The watchdog starts the same process by another name when the first process is killed. Process Explorer gives you the option to "suspend" the process rather than kill it. This typically prevents the watchdog from recognizing that a process has stopped running.

STEP 4: Run a full refresh

After you have removed malware and malicious autostarts, Russinovich recommends repeating the entire process; just to be sure you have removed 100% of your system infection.

If malware issues persist, particularly on the enterprise level, you are advised to completely reinstall Windows. This is the only way to totally ensure that you have removed every piece of infected software.


Rootkits are a particularly nasty form of malware that Russinovich defines as "software such as files, processes or registry keys that hides itself from view of standard diagnostic and administrative tools". Repeating the steps listed above and running Rootkit Revealer can prove an effective way to keep your system malware free. Visit for up-to-date information on rootkits and rootkit removal tools.

In some instances, rootkits avoid detection by not hiding themselves. If a file or registry key is not hidden, Rootkit Revealer will not report it as a threat and thus it will remain on your system. This is where running every tool at your disposal comes into play. While such an infection will not be detected by Rootkit Revealer, another program like Process Explorer or Autoruns can catch those threats.

While Russinovich focused his discussion on Sysinternals' tools, there are other antirootkit tools available, like F-Secure's Blacklight.

David Nielson is the Assistant Editor of

Be sure to listen to next week's podcast interview with Mark Russinovich, where he will give his opinions on Microsoft security, Vista and rootkits.

Dig Deeper on Enterprise desktop management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.