Have an infected machine?
Information for administrators on how to identify and clean up malware and bot-infected Windows computers
Disconnect the computer from the network and notify the user that the computer cannot be re-connected until all malware has been successfully removed.
Find out if the user is familiar with the destination or action that the malware or bot is trying to access.
- If the bot destination is irc.warez-bb.org - did the user use IRC or a similar application?
- If the Malware is using NetBIOS - was any application installed recently that might cause this?
- Make sure the infected machine has an antivirus application installed, running and updated. Check to see if any malware has been quarantined by the antivirus application.
- Remove all temporary files in Windows and in all installed browsers.
- Restart the computer in safe mode and run the antivirus application in full scan mode
- Verify that the antivirus scan identifies and removes/quarantines the malware. If this is not the case, then continue to the next step.
- Download the latest version of TDSSKILLER and run it while in Windows safe mode.
- Verify that the TDSSKILLER scan identifies and removes/quarantines the malware. If this is not the case, then continue to the next step.
- Run the virus removal tool. There are 2 versions:
- Verify that the tool identifies and removes/quarantines the malware. If this is not the case, then continue with the next step.
- Download, install, and run the Malwarebytes Anti-Malware Free program.
- Verify that the Malwarebytes tool identifies and removes/quarantines the malware.
- Run netstat -an and see which outgoing connections are currently open (internal and external traffic). Try to identify the resource/site that the malware is connecting to.
- Identify the associated process that is running and remove the application causing it.
- Run the Microsoft Autoruns utility to see what applications are configured to run at bootup or login. Verify that any unfamiliar applications are legitimate.
- Run Process Explorer to see if there are any unsigned processes. Try to see what application is being run by the process.
- Review Windows System logs – are there any errors?
- Review Performance – are there any processes showing peaks in CPU, memory or network usage?
- If all else fails, you will have to re-image the computer. If you can’t re-image and see suspicious behavior: run Wireshark and inspect outgoing traffic for anomalous behavior.
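The following PowerShell script is an added example, not part of the original page or of any Check Point tool; it combines the netstat, process-identification and unsigned-process steps above into one pass by listing every established outbound TCP connection together with the owning process and that executable's Authenticode signature status. The watch-list of remote ports is an assumption chosen for illustration and should be adjusted to the environment.

```powershell
# Added example: correlate established outbound TCP connections with their
# owning process and its code signature, so that an unsigned binary talking
# to an external host stands out. Run from an elevated PowerShell prompt on
# Windows 8 / Server 2012 or later (Get-NetTCPConnection needs the NetTCPIP module).
function Get-SuspiciousOutbound {
    param(
        # Remote ports worth a second look (assumption: IRC ports, per the irc.* bot destination above).
        [int[]]$WatchPorts = @(6667, 6697)
    )
    $procCache = @{}   # owning PID -> process name / path / signature status
    Get-NetTCPConnection -State Established |
        # Skip loopback and unspecified addresses; only real outbound peers matter here
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $conn     = $_
            $ownerPid = $conn.OwningProcess   # do not use $pid, it is a PowerShell automatic variable
            if (-not $procCache.ContainsKey($ownerPid)) {
                $p    = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
                $path = if ($p) { $p.Path } else { $null }
                # Status is 'Valid' for a trusted signature, 'NotSigned' for unsigned binaries,
                # 'UnknownError'/'NotTrusted' etc. for broken or untrusted ones
                $sig  = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
                $procCache[$ownerPid] = [pscustomobject]@{
                    Name      = if ($p) { $p.ProcessName } else { '<exited>' }
                    Path      = $path
                    Signature = [string]$sig
                }
            }
            $info = $procCache[$ownerPid]
            [pscustomobject]@{
                PID           = $ownerPid
                Process       = $info.Name
                Path          = $info.Path
                Signature     = $info.Signature
                RemoteAddress = $conn.RemoteAddress
                RemotePort    = $conn.RemotePort
                # Flag anything that is not validly signed, or that talks to a watched port
                Flag          = ($info.Signature -ne 'Valid') -or ($WatchPorts -contains $conn.RemotePort)
            }
        } | Sort-Object Flag, Process -Descending
}

# Show flagged rows first; Path and Signature tell you what to look up in Autoruns / Process Explorer next
Get-SuspiciousOutbound | Format-Table PID, Process, Signature, RemoteAddress, RemotePort, Flag, Path -AutoSize
```

A row with Flag set to True is a lead, not a verdict: legitimate software is sometimes unsigned, so check the Path and the remote address before removing anything.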