A Windows computer is suspected to be infected with malware, or the computer behaves abnormally, with some common symptoms - unusual slowness, application errors regularly pop up, some programs are crashing and freezing, files or folders become hidden, new files have been created
Edit me

How to clean a malware-infected Windows machine

This article lists some guidelines on how to fix malware-infected Windows computers

Problem

Malware is malicious software that is used to gain control of a device to perform surveillance functions such as recording keystrokes, stealing passwords, taking screenshots, recording audio, video and more. While most malware is designed for and utilized by criminals, state-sponsored actors have increasingly adopted malware as a tool for surveillance, espionage and sabotage.

Malware can be used to send out spam, seize banking, email or social media credentials, shut down websites and collect vital information from journalists, human rights defenders, NGOs, activists and bloggers. Malware can destroy, damage or infect the information in a computer, including data on external drives. It can also take control of a computer and use it to attack other computers.


Solution

Please note that the guides listed in this article may only apply to general cases of malware infection, but may not be applicable to some circumstances. For the full workflow we should follow when suspecting a malware infection, a must-read article is Article #258: Advanced Threats Triage Workflow.

Initial assessment

When the client suspects their Windows machine is infected, we should ask them to describe the symptoms and make sure that there are clear indicators of compromise and that what they’re experiencing is not due to other causes (e.g. account hijacking).

Possible indicators of compromise:

  • The client opened an attachment or link that they think may have been malicious
  • The client’s webcam LED turns on when they are not using the webcam
  • The client’s accounts have been compromised multiple times, even after they changed the password

Other reasons to suspect the client’s device is infected with malware can be:

  • The client’s device was seized and then returned
  • Someone broke into the client’s home or office and may have tampered with devices
  • Some of the client’s confidential data has been made public and it could only come from their personal or work computer
  • The client’s group is being targeted by a government, law enforcement, or an actor with equivalent capabilities

Also see the Digital First Aid Kit “My device is acting suspiciously” workflow.

Malware analysis

After confirming that the client is not a victim of account hijacking and there are clear indicators of compromise, if we suspect the malware is targeted we should ask for the client’s permission to gather data necessary for malware analysis before we start the cleanup process.

We should explain that an analysis would help us find out what has happened and if someone is targeting them, which might help them gain understanding of their adversary, their technical capabilities and whether or not the potential attacker is known to use internet surveillance technology.

If the client is willing to wait that steps are taken for malware analysis before the cleanup, follow the instructions in Article #258: Advanced Threats Triage Workflow for initiating a malware analysis.

Also see Security Without Borders’ Guide to Quick Forensics.

Clean the device

There are several approaches to deal with computers infected with malware, depending on the level of infection.

Important notes before proceeding:

  1. Before performing any removal process, ensure to back up all important data. Do not back up any system files, programs (.exe), or screen savers (.scr) because they may be infected with malware.
  2. Make sure the antivirus software the client is using is up to date.
  3. During the scan, the computer should not be used for other activities.
  4. Recommend the client to not run more than one scan at a time.
  5. If a virus is detected, instruct the client to take a screenshot of the message and send it to us through an encrypted message before they proceed to the removal of the malware.
Antivirus software

Antivirus software can be an effective first response to protecting a device from a significant percentage of malware. However, antivirus software is generally considered ineffective against targeted attacks, especially by state-sponsored actors. Nevertheless, it remains a valuable defensive tool against non-targeted, but still dangerous, malware. Below is a non-exhaustive list of options:

Other antiviruses that can be used on Windows are:

For adware

Also see Article #134: Removing adware from a Windows machine.

Advanced malware removal

For some types of malware, like rootkit or targeted spyware, antivirus software is often ineffective, but if the malware is known there are some tools we can use to detect it.

  • On Windows, the default choice is Windows Defender Offline, which runs from a trusted environment, without starting the infected operating system. Instructions for Windows 7 and 10 can be found here.

Alternative tools:

In some cases, the only way to recover from malware infection is to reformat and reinstall Windows.

Sometimes, a damaged operating system can still be recovered using Windows RE:

In some instances, Windows can be restored to its previous healthy state (you must exert extra diligence on choosing a trusted and clean restore point) using Windows System Restore. Important: do not perform System Restore if your are not sure of what restore point can be used.

Bootable external devices for malware removal

Consider using a bootable CD/USB/DVD for the scan, especially in the following situations:

  1. You cannot scan the computer using standard antivirus software (AV) because the AV got corrupted and the infection won’t allow you to repair or install new AV.
  2. Running an antivirus within Windows allows the malware to interact with the antivirus program and makes it less likely to be successfully removed.
  3. Booting to Windows is not possible because malware has already damaged system files required to boot.

Antivirus vendors normally provide recovery tools or rescue disks. These are software images that can be burned into a CD/USB/DVD and make it bootable. Booting from any of these devices will allow you to run scans.

  • On Windows, the default choice is Windows Defender Offline, which runs from a trusted environment, without starting the infected operating system. Instructions for Windows 7 and 10 can be found here.

The following link can serve as a guide for creating a recovery tool or rescue disk:

Another option is to scan the PC using a Linux Live CD or USB stick. This requires that you install a Linux live distribution on a CD or USB stick. You can use any Linux distributions, for example Ubuntu or Linux Mint.

Instructions for creating a bootable USB stick:

Once you have booted Linux from your bootable CD or USB, you can install antivirus software like ClamAV for Linux and scan the drive.

  • Instructions for Ubuntu with ClamAV can be found in this tutorial

  • Other scanning techniques that can be applied from outside Windows are described in this guide. This includes scanning from safe mode, or removing the hard drive to scan from a different PC. This guide also contains detailed information on how to use an antivirus bootable rescue disc and on how to scan a Windows system from a Linux live CD.

Things to consider after the removal process

  1. Remove Temporary Files. For this purpose, we can use CCleaner.
  2. Recommend the client to change all passwords in their computer
  3. Clean up System Restore. Restore points can be infected with malware

Perform Additional steps as necessary:

  1. Check Windows Update settings - this must be set to “Automatic”
  2. Check for new OS updates and install as necessary
  3. Ensure that Windows Firewall is turned on; inbound and outbound rules should be properly set up
  4. Ensure that Windows Defender is turned on and up-to-date
  5. Ensure that User Account Control is enabled
  6. Check Windows startup and log-on scripts, remove suspicious scripts
  7. Remove unnecessary programs listed on Windows startup (using msconfig.exe)
  8. Check Windows Action Center to make sure that no issue is detected
  9. Ensure that installed third-party software is up-to-date 10.Ensure that working antivirus software is installed and has up-to-date virus definition
  10. Provide the client with recommendations on how to limit the risk of new attacks following the Security in a Box guide on malware and phishing.

Comments