Malware, Viruses, and Threats
Malware, Viruses, and Threats

Photo by Ann H on Pexels
Malware is any malicious software designed to harm, exploit, or compromise a computer system. IT support professionals must recognize different types of malware, understand how they spread, and know how to remove them.
Types of Malware
Viruses: Attach to legitimate programs and spread when the program runs. Require user action to activate. Example: email attachment that infects when opened.
Worms: Self-replicating malware that spreads without user action. Exploit network vulnerabilities. Example: WannaCry spread through SMB vulnerability in 2017, infecting 200,000 computers in 150 countries.
Trojan Horses: Malware disguised as legitimate software. User installs it voluntarily, not knowing it contains malware. Example: free game that also installs a keylogger.
Ransomware: Encrypts files and demands payment for decryption. Most destructive and profitable malware type. Examples: CryptoLocker, WannaCry, Ryuk, Conti. Average ransom: $50,000-$500,000. Many victims don't get data back even after paying.
Spyware: Secretly monitors user activity — keystrokes, browsing, screen captures. Sends data to attacker. Used for identity theft and corporate espionage.
Adware: Displays unwanted advertisements, redirects browser searches, slows down computer. Often bundled with free software. Not always malicious but always unwanted.
Rootkits: Deep system malware that hides itself and other malware from detection. Operates at kernel level. Very difficult to detect and remove — often requires a complete OS reinstall.
Keyloggers: Record every keystroke. Capture passwords, credit card numbers, confidential messages. Can be software-based (trojan) or hardware-based (USB device between keyboard and computer).
Cryptominers: Use the computer's CPU/GPU to mine cryptocurrency without consent. Cause high CPU usage, overheating, and slow performance. Often hidden in legitimate-looking software or websites.
Logic Bombs: Malware that activates on a specific date or condition. Example: code that deletes databases if an employee's name is removed from payroll (disgruntled insider).
How Malware Spreads
Email: #1 vector. Phishing emails with malicious attachments or links. 91% of cyberattacks start with a phishing email.
USB Drives: Found USB drives plugged in by curious employees. Autorun malware executes when drive is connected. Stuxnet spread this way.
Malicious Websites: Drive-by downloads — visiting a compromised site installs malware automatically. Exploit kits like Angler and RIG target unpatched browsers and plugins.
Software Downloads: Cracked software, pirated games, and 'free' tools often contain malware. Only download from official sources or verified repositories.
RDP Attacks: Attackers brute-force RDP credentials (port 3389) exposed to the internet. Once in, they deploy ransomware. Always use VPN + RDP, never expose RDP directly.
Supply Chain: Malware embedded in legitimate software updates. SolarWinds (2020) infected 18,000 organizations through a poisoned update.
Symptoms of Malware Infection
• Slow computer or high CPU usage (cryptominer)
• Pop-up advertisements (adware)
• Browser homepage changed, search redirected (browser hijacker)
• Files encrypted with ransom note (ransomware)
• Unknown programs running in Task Manager
• Network traffic when idle (data exfiltration)
• Antivirus disabled or won't update
• Browser opens to unfamiliar pages
• Emails sent from your account that you didn't send
• New browser toolbars or extensions you didn't install
• Computer fans running at full speed constantly
• Locked out of your accounts
Step-by-Step: Malware Removal Process
Step 1: Isolate — Disconnect from network immediately. Unplug Ethernet, turn off Wi-Fi. Prevents spread to other computers and stops data exfiltration.
Step 2: Boot in Safe Mode — Restart in Safe Mode (Shift + Restart > Troubleshoot > Advanced > Startup Settings > F4). Safe Mode loads minimal drivers — most malware doesn't run.
Step 3: Scan and Remove — Run Windows Defender Offline scan (Settings > Windows Security > Microsoft Defender > Run offline scan). This boots into WinPE and scans outside Windows. Also run Malwarebytes for a second opinion.
Step 4: Check for Persistence — Check Autoruns (Sysinternals) for unusual startup entries. Check Task Scheduler for unknown scheduled tasks. Check browser extensions.
Step 5: Clean Browser — Remove unfamiliar extensions. Reset browser settings. Clear cache and cookies. Check homepage and search engine settings.
Step 6: Update Everything — Run Windows Update. Update all applications (Java, Flash, browser, PDF reader). Update antivirus definitions.
Step 7: Change Passwords — Change all passwords stored in the browser. Use a password manager. Enable MFA on all accounts.
Step 8: Verify and Monitor — Run another full scan after 24 hours. Monitor for recurring symptoms. If malware returns: backup data, wipe drive, reinstall Windows.
Step 9: Document — Record what happened, how it was detected, how it was removed, and preventive recommendations.
Ransomware Response
If you detect ransomware:
1. Immediately disconnect from network — this is critical, ransomware spreads fast
2. Do NOT pay the ransom — no guarantee of recovery, funds criminal activity
3. Do NOT power off — some ransomware stores encryption keys in memory; powering off may lose them
4. Take a photo of the ransom note for evidence
5. Identify the ransomware variant (use nomoreransom.org or ID Ransomware)
6. Check if a free decryptor exists (nomoreransom.org/shieldingtools)
7. Restore from backups — the only reliable recovery method
8. If no backups: consider professional data recovery (expensive, not guaranteed)
9. Report to FBI/IC3 or local law enforcement
10. Rebuild the system from scratch — do not trust a system that was infected
Free Anti-Malware Tools
Windows Defender: Built-in, free, good baseline protection. Enable real-time protection and cloud-delivered protection.
Malwarebytes Free: Excellent on-demand scanner. Use as second opinion after Defender. Free version doesn't have real-time protection.
AdwCleaner: Removes adware, toolbars, PUPs. Quick scan, 2-3 minutes.
Sysinternals Autoruns: Shows all programs that start with Windows. Look for suspicious entries with 'Not verified' publisher.
NoMoreRansom.org: Free ransomware decryption tools. Check if your ransomware variant has a known decryptor.
Key Takeaways
• Phishing email is the #1 malware delivery method — train users to recognize and report
• Ransomware is the most destructive — always have offline backups
• Isolate infected machines immediately — disconnect from network
• Boot in Safe Mode and scan from outside Windows for stubborn malware
• Never pay ransom — no guarantee, and it funds future attacks
• After removal: update everything, change passwords, enable MFA, monitor for recurrence
Common Questions
Q: Do I need third-party antivirus if I have Windows Defender?
A: For most users, Windows Defender is sufficient. Malwarebytes free as a second-opinion scanner is a good addition. For businesses, consider endpoint protection (ESET, Bitdefender, SentinelOne).
Q: Can malware survive a factory reset?
A> Most malware won't survive a clean Windows reinstall from installation media. But rootkits and firmware-level malware can persist. For maximum safety, use DBAN or manufacturer secure erase on the drive, then reinstall.
Malware, Viruses, and Threats

Photo by Ann H on Pexels
Malware is any malicious software designed to harm, exploit, or compromise a computer system. IT support professionals must recognize different types of malware, understand how they spread, and know how to remove them.
Types of Malware
Viruses: Attach to legitimate programs and spread when the program runs. Require user action to activate. Example: email attachment that infects when opened.
Worms: Self-replicating malware that spreads without user action. Exploit network vulnerabilities. Example: WannaCry spread through SMB vulnerability in 2017, infecting 200,000 computers in 150 countries.
Trojan Horses: Malware disguised as legitimate software. User installs it voluntarily, not knowing it contains malware. Example: free game that also installs a keylogger.
Ransomware: Encrypts files and demands payment for decryption. Most destructive and profitable malware type. Examples: CryptoLocker, WannaCry, Ryuk, Conti. Average ransom: $50,000-$500,000. Many victims don't get data back even after paying.
Spyware: Secretly monitors user activity — keystrokes, browsing, screen captures. Sends data to attacker. Used for identity theft and corporate espionage.
Adware: Displays unwanted advertisements, redirects browser searches, slows down computer. Often bundled with free software. Not always malicious but always unwanted.
Rootkits: Deep system malware that hides itself and other malware from detection. Operates at kernel level. Very difficult to detect and remove — often requires a complete OS reinstall.
Keyloggers: Record every keystroke. Capture passwords, credit card numbers, confidential messages. Can be software-based (trojan) or hardware-based (USB device between keyboard and computer).
Cryptominers: Use the computer's CPU/GPU to mine cryptocurrency without consent. Cause high CPU usage, overheating, and slow performance. Often hidden in legitimate-looking software or websites.
Logic Bombs: Malware that activates on a specific date or condition. Example: code that deletes databases if an employee's name is removed from payroll (disgruntled insider).
How Malware Spreads
Email: #1 vector. Phishing emails with malicious attachments or links. 91% of cyberattacks start with a phishing email.
USB Drives: Found USB drives plugged in by curious employees. Autorun malware executes when drive is connected. Stuxnet spread this way.
Malicious Websites: Drive-by downloads — visiting a compromised site installs malware automatically. Exploit kits like Angler and RIG target unpatched browsers and plugins.
Software Downloads: Cracked software, pirated games, and 'free' tools often contain malware. Only download from official sources or verified repositories.
RDP Attacks: Attackers brute-force RDP credentials (port 3389) exposed to the internet. Once in, they deploy ransomware. Always use VPN + RDP, never expose RDP directly.
Supply Chain: Malware embedded in legitimate software updates. SolarWinds (2020) infected 18,000 organizations through a poisoned update.
Symptoms of Malware Infection
• Slow computer or high CPU usage (cryptominer)
• Pop-up advertisements (adware)
• Browser homepage changed, search redirected (browser hijacker)
• Files encrypted with ransom note (ransomware)
• Unknown programs running in Task Manager
• Network traffic when idle (data exfiltration)
• Antivirus disabled or won't update
• Browser opens to unfamiliar pages
• Emails sent from your account that you didn't send
• New browser toolbars or extensions you didn't install
• Computer fans running at full speed constantly
• Locked out of your accounts
Step-by-Step: Malware Removal Process
Step 1: Isolate — Disconnect from network immediately. Unplug Ethernet, turn off Wi-Fi. Prevents spread to other computers and stops data exfiltration.
Step 2: Boot in Safe Mode — Restart in Safe Mode (Shift + Restart > Troubleshoot > Advanced > Startup Settings > F4). Safe Mode loads minimal drivers — most malware doesn't run.
Step 3: Scan and Remove — Run Windows Defender Offline scan (Settings > Windows Security > Microsoft Defender > Run offline scan). This boots into WinPE and scans outside Windows. Also run Malwarebytes for a second opinion.
Step 4: Check for Persistence — Check Autoruns (Sysinternals) for unusual startup entries. Check Task Scheduler for unknown scheduled tasks. Check browser extensions.
Step 5: Clean Browser — Remove unfamiliar extensions. Reset browser settings. Clear cache and cookies. Check homepage and search engine settings.
Step 6: Update Everything — Run Windows Update. Update all applications (Java, Flash, browser, PDF reader). Update antivirus definitions.
Step 7: Change Passwords — Change all passwords stored in the browser. Use a password manager. Enable MFA on all accounts.
Step 8: Verify and Monitor — Run another full scan after 24 hours. Monitor for recurring symptoms. If malware returns: backup data, wipe drive, reinstall Windows.
Step 9: Document — Record what happened, how it was detected, how it was removed, and preventive recommendations.
Ransomware Response
If you detect ransomware:
1. Immediately disconnect from network — this is critical, ransomware spreads fast
2. Do NOT pay the ransom — no guarantee of recovery, funds criminal activity
3. Do NOT power off — some ransomware stores encryption keys in memory; powering off may lose them
4. Take a photo of the ransom note for evidence
5. Identify the ransomware variant (use nomoreransom.org or ID Ransomware)
6. Check if a free decryptor exists (nomoreransom.org/shieldingtools)
7. Restore from backups — the only reliable recovery method
8. If no backups: consider professional data recovery (expensive, not guaranteed)
9. Report to FBI/IC3 or local law enforcement
10. Rebuild the system from scratch — do not trust a system that was infected
Free Anti-Malware Tools
Windows Defender: Built-in, free, good baseline protection. Enable real-time protection and cloud-delivered protection.
Malwarebytes Free: Excellent on-demand scanner. Use as second opinion after Defender. Free version doesn't have real-time protection.
AdwCleaner: Removes adware, toolbars, PUPs. Quick scan, 2-3 minutes.
Sysinternals Autoruns: Shows all programs that start with Windows. Look for suspicious entries with 'Not verified' publisher.
NoMoreRansom.org: Free ransomware decryption tools. Check if your ransomware variant has a known decryptor.
Key Takeaways
• Phishing email is the #1 malware delivery method — train users to recognize and report
• Ransomware is the most destructive — always have offline backups
• Isolate infected machines immediately — disconnect from network
• Boot in Safe Mode and scan from outside Windows for stubborn malware
• Never pay ransom — no guarantee, and it funds future attacks
• After removal: update everything, change passwords, enable MFA, monitor for recurrence
Common Questions
Q: Do I need third-party antivirus if I have Windows Defender?
A: For most users, Windows Defender is sufficient. Malwarebytes free as a second-opinion scanner is a good addition. For businesses, consider endpoint protection (ESET, Bitdefender, SentinelOne).
Q: Can malware survive a factory reset?
A> Most malware won't survive a clean Windows reinstall from installation media. But rootkits and firmware-level malware can persist. For maximum safety, use DBAN or manufacturer secure erase on the drive, then reinstall.
There are no comments for now.