
Have an infected machine?


Information for administrators on how to identify and clean up malware and bot-infected Windows computers


Procedure:

Step 1:

Disconnect the computer from the network and notify the user that the computer cannot be re-connected until all malware has been successfully removed.

Step 2:

Find out if the user is familiar with the destination or action that the malware or bot is trying to access.

For example:

  • If the bot destination is irc.warez-bb.org - did the user use IRC or a similar application?
  • If the malware is using NetBIOS - was any application installed recently that might cause this?

Step 3:

  • Make sure the infected machine has an antivirus application installed, running and updated. Check to see whether the antivirus application has already quarantined any malware.
  • Remove all temporary files in Windows and in all installed browsers.
  • Restart the computer in safe mode and run the antivirus application in full scan mode
  • Verify that the antivirus scan identifies and removes/quarantines the malware. If this is not the case, then continue to the next step.

Step 4:

  • Download the latest version of TDSSKILLER and run it while in Windows safe mode.
  • Verify that the TDSSKILLER scan identifies and removes/quarantines the malware. If this is not the case, then continue to the next step.

Step 5:

  • Run the virus removal tool. There are 2 versions:
    • For encrypted drives (e.g. on laptops), run the Virus Removal Tool, which can be downloaded here.
    • For non-encrypted drives (e.g. on desktops), run the Rescue CD, which can be downloaded here.
  • Verify that the tool identifies and removes/quarantines the malware. If this is not the case, then continue with the next step.

Step 6:

  • Download, install, and run the Malwarebytes Anti-Malware Free program.
  • Verify that the Malwarebytes tool identifies and removes/quarantines the malware.

Advanced treatment:

  1. Run netstat -an and see which outgoing connections are currently open (internal and external traffic). Try to identify the resource/site that the malware is connecting to.
  2. Identify the associated process that is running and remove the application causing it
  3. Run the Microsoft Autoruns utility to see what applications are configured to run at bootup or login. Verify that any unfamiliar applications are legitimate.
  4. Run Process Explorer to see if there are any unsigned processes. Try to see what application is being run by the process.
  5. Review Windows System logs – are there any errors?
  6. Review performance: are there any processes showing unexplained peaks in CPU or memory use?
  7. If all else fails, you will have to re-image the computer. If you can’t re-image and see suspicious behavior: run Wireshark and inspect outgoing traffic for anomalous behavior.
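A PowerShell helper for the netstat, process-identification and unsigned-process steps above, added here as an example; it is not part of the original page. It assumes an elevated prompt on Windows 8 / Server 2012 or newer (where Get-NetTCPConnection exists), and the address ranges it treats as "internal" are an assumption about a typical private network.

```powershell
# Added example, not from the original page: list established outbound TCP
# connections with the owning process, its image path and its Authenticode
# signature status, so unsigned or tampered binaries that talk to external
# hosts stand out before you open Autoruns and Process Explorer.

# Loopback, unspecified, link-local and RFC 1918 destinations are treated as
# internal (assumed network layout) so external traffic is reviewed first.
function Test-InternalAddress {
    param([string]$Address)
    return $Address -match '^(127\.|0\.0\.0\.0$|::1$|fe80:|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

function Get-SuspectConnections {
    $procCache = @{}   # PID -> process details, so each image is checked once
    Get-NetTCPConnection -State Established | ForEach-Object {
        $conn = $_
        if (Test-InternalAddress $conn.RemoteAddress) { return }   # skip internal traffic

        $procId = $conn.OwningProcess   # ($pid is reserved for the current shell)
        if (-not $procCache.ContainsKey($procId)) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }
            $sig  = 'Unknown'   # e.g. protected system process, or process already gone
            if ($path -and (Test-Path $path)) {
                # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
                $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            $procCache[$procId] = [PSCustomObject]@{
                Name = if ($proc) { $proc.Name } else { '<exited>' }
                Path = $path
                Signature = $sig
            }
        }
        $info = $procCache[$procId]

        [PSCustomObject]@{
            RemoteAddress = $conn.RemoteAddress
            RemotePort    = $conn.RemotePort
            PID           = $procId
            Process       = $info.Name
            Path          = $info.Path
            Signature     = $info.Signature
        }
    }
}

# Unsigned entries sort first; cross-check them against Autoruns (step 3)
# and Process Explorer (step 4) before deciding what to remove.
Get-SuspectConnections | Sort-Object Signature, RemoteAddress | Format-Table -AutoSize
```

A valid signature is not proof of innocence (malware can launch a legitimate signed browser or system binary), so still review what the signed processes are connecting to.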