Have an infected machine?
Information for administrators on how to identify and clean up malware- and bot-infected Windows computers.
Procedure:
Step 1:
Disconnect the computer from the network (unplug the cable and disable Wi-Fi rather than relying on a software firewall rule that the malware may be able to remove) and notify the user that the computer cannot be reconnected until all malware has been successfully removed.
Step 2:
Find out whether the user recognizes the destination or action that the malware or bot is trying to reach. The answer tells you whether the traffic is explainable user activity or a sign of the infection.
For example:
- If the bot destination is irc.warez-bb.org - did the user use IRC or a similar application?
- If the malware is using NetBIOS - was any application installed recently that might explain this?
Step 3:
- Make sure the infected machine has an antivirus application installed, running and updated. Check whether the antivirus application has already quarantined anything. Treat the status the host reports with some suspicion: malware frequently disables or tampers with the local antivirus.
- Remove all temporary files in Windows and in all installed browsers.
- Restart the computer in Safe Mode and run a full antivirus scan. Safe Mode keeps most malware persistence (Run keys, services, non-boot drivers) from loading during the scan.
- Verify that the antivirus scan identifies and removes/quarantines the malware. If not, continue to the next step.
Step 4:
- Download the latest version of TDSSKiller and run it while in Windows Safe Mode.
- Verify that the TDSSKiller scan identifies and removes/quarantines the malware. If not, continue to the next step.
Step 5:
- Run the virus removal tool. There are 2 versions:
- Verify that the tool identifies and removes/quarantines the malware. If not, continue to the next step.
Step 6:
- Download, install and run the Malwarebytes Anti-Malware Free program.
- Verify that the Malwarebytes scan identifies and removes/quarantines the malware. If not, continue with the advanced treatment below.
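The checks in Steps 1 and 3 can be driven from an elevated PowerShell console on the suspect machine. The script below is an added example and is not part of the original article or any Check Point tool; the function names are hypothetical, the antivirus status is read from the Windows Security Center WMI provider (root\SecurityCenter2), and the browser cache paths are the standard per-user locations for Internet Explorer/Edge, Chrome and Firefox (adjust for other browsers). It must be run from the local console, because the first step disables every network adapter.

```powershell
# Added example (not from the original article). Run as Administrator on the
# suspect Windows host, from the local console. Function names are hypothetical.

# Step 1: isolate the host by disabling every adapter that is currently up.
function Disconnect-SuspectHost {
    Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
        Write-Host "Disabling adapter: $($_.Name)"
        Disable-NetAdapter -Name $_.Name -Confirm:$false
    }
}

# Step 3a: list the antivirus products registered with Security Center and decode
# productState (middle byte 0x10/0x11 = enabled, low byte 0x00 = signatures current).
# This data comes from the possibly compromised host, so "Enabled/UpToDate" is a
# hint, not proof: malware routinely disables or hides the local antivirus.
function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $hex = '{0:X6}' -f $_.productState
            [pscustomobject]@{
                Product  = $_.displayName
                Enabled  = $hex.Substring(2, 2) -in '10', '11'
                UpToDate = $hex.Substring(4, 2) -eq '00'
                Path     = $_.pathToSignedProductExe
            }
        }
}

# Step 3b: delete Windows and browser temporary files. The paths are the usual
# per-user cache locations (assumption: default profile names); extend as needed.
function Clear-TemporaryFiles {
    $targets = @(
        $env:TEMP,
        "$env:windir\Temp",
        "$env:LOCALAPPDATA\Microsoft\Windows\INetCache",
        "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Cache",
        "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Cache"
    )
    # Firefox keeps its profile list under APPDATA and the cache2 folder of the
    # same profile name under LOCALAPPDATA.
    $targets += Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $env:LOCALAPPDATA "Mozilla\Firefox\Profiles\$($_.Name)\cache2" }

    foreach ($dir in $targets) {
        if (Test-Path $dir) {
            Write-Host "Cleaning $dir"
            Get-ChildItem $dir -Recurse -Force -ErrorAction SilentlyContinue |
                Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
        }
    }
}

# Step 3c: make the next boot a Safe Mode boot so the full antivirus scan runs
# without most persistence mechanisms loaded. After the scan run
#   bcdedit /deletevalue {current} safeboot
# or the machine keeps booting into Safe Mode.
function Set-NextBootSafeMode {
    bcdedit /set '{current}' safeboot minimal
}

Disconnect-SuspectHost
Get-RegisteredAntivirus | Format-Table -AutoSize
Clear-TemporaryFiles
Set-NextBootSafeMode
Restart-Computer -Confirm
```

If Get-RegisteredAntivirus returns nothing, no antivirus is registered with Security Center on that machine; if it reports a product as disabled or out of date on a host that is supposed to be managed, note that as a finding in its own right, since disabling protection is a common first action of the malware itself.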
Advanced treatment:
- Run netstat -ano (the -o switch adds the owning process ID to each line) and see which outgoing connections are currently open, internal and external. Try to identify the resource/site that the malware is connecting to.
- Identify the process behind the connection (match the PID column against tasklist or Task Manager) and remove the application that is running it.
- Run the Microsoft Sysinternals Autoruns utility to see which applications are configured to run at boot or at login. Verify that any unfamiliar entries are legitimate before deleting them.
- Run Process Explorer (also Sysinternals) with the Verified Signer column enabled to see whether there are any unsigned processes. Try to find out which application the process belongs to.
- Review the Windows System event log: are there errors, or services and drivers starting that you do not recognize?
- Review performance in Task Manager or Performance Monitor: are there processes with sustained CPU, memory or network peaks that the user cannot explain?
- If all else fails, you will have to re-image the computer; once a rootkit has been on a machine, a "clean" result from the scanners above cannot be fully trusted. Before you re-image, copy the netstat, Autoruns and Process Explorer output off the machine so the investigation from Step 2 can continue. If you cannot re-image and still see suspicious behavior, run Wireshark and inspect outgoing traffic for anomalous connections.
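The advanced treatment above is a manual walk through netstat, Process Explorer, Autoruns and the event logs. As an added example, not taken from the original article or from any Check Point or Sysinternals tool, the following PowerShell script collects the same evidence in one pass and writes it to CSV files that can be copied off the machine before it is re-imaged. Function names and the output folder are hypothetical; the Run-key list is the short set of autorun locations an administrator checks first and is deliberately much smaller than what Autoruns enumerates. Because the script runs on the compromised host, a kernel-mode rootkit can hide connections, processes or keys from it; that is exactly why Step 4 and re-imaging remain in the procedure.

```powershell
# Added example (not from the original article). Run as Administrator on the
# suspect Windows host. Function names and output paths are hypothetical.

# netstat -ano equivalent enriched with the owning process name, image path and
# Authenticode status, so each remote endpoint is tied to the binary that opened it.
function Get-OutboundConnections {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $path = $proc.Path
            $sig  = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'Unknown' }
            [pscustomobject]@{
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                LocalPort = $_.LocalPort
                PID       = $_.OwningProcess
                Process   = $proc.ProcessName
                Path      = $path
                Signature = $sig
            }
        }
}

# Running processes whose image is unsigned or carries an invalid signature
# (what Process Explorer's "Verified Signer" column shows). Processes whose image
# path cannot be read (protected system processes) are reported as 'NoPath'
# rather than silently skipped, so they can be reviewed by hand.
function Get-UnsignedProcesses {
    Get-Process | ForEach-Object {
        $path   = $_.Path
        $status = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'NoPath' }
        if ($status -ne 'Valid') {
            [pscustomobject]@{ PID = $_.Id; Process = $_.ProcessName; Path = $path; Signature = $status }
        }
    }
}

# First-look autorun locations: Run/RunOnce keys (64- and 32-bit views),
# automatically started services and enabled scheduled tasks.
function Get-AutorunEntries {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            (Get-ItemProperty $key).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $_.Value } }
        }
    }
    Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto' |
        ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Command = $_.PathName } }
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{ Source = 'Task'; Name = $_.TaskName; Command = $cmd }
    }
}

# Critical and error events from the System and Application logs, last 24 hours.
function Get-RecentErrors {
    Get-WinEvent -FilterHashtable @{
        LogName = 'System', 'Application'; Level = 1, 2; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, LogName, ProviderName, Id, Message
}

# Write everything to a timestamped folder; copy it off the host before re-imaging.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = "$env:SystemDrive\triage-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null
Get-OutboundConnections | Export-Csv "$out\connections.csv"        -NoTypeInformation
Get-UnsignedProcesses   | Export-Csv "$out\unsigned-processes.csv" -NoTypeInformation
Get-AutorunEntries      | Export-Csv "$out\autoruns.csv"           -NoTypeInformation
Get-RecentErrors        | Export-Csv "$out\errors.csv"             -NoTypeInformation
Get-Process | Sort-Object CPU -Descending |
    Select-Object -First 15 Id, ProcessName, CPU, WorkingSet64 |
    Export-Csv "$out\top-cpu.csv" -NoTypeInformation
Write-Host "Triage output written to $out"
```

Read connections.csv first: an established connection to an unfamiliar external address from an unsigned process, or from a process running out of a user-writable directory such as %APPDATA% or %TEMP%, is the typical bot signature, and its PID links straight to the entries in unsigned-processes.csv and autoruns.csv.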