Information for administrators on how to identify and clean up malware and bot-infected Windows computers.
Disconnect the computer from the network and notify the user that the computer cannot be re-connected until all malware has been successfully removed.Step 2:
Find out if the user is familiar with the destination or action that the malware or bot is trying to access.
- If the bot destination is irc.warez-bb.org – did the user use IRC or a similar application?
- If the Malware is using NetBIOS – was any application installed recently that might cause this?
- Make sure the infected machine has an antivirus application installed, running and updated. Check to see if any malware has been quarantined by the antivirus application
- Remove all temporary files in Windows and in all installed browsers
- Restart the computer in safe mode and run the antivirus application in full scan mode
- Verify that the antivirus scan identifies and removes/quarantines the malware. If this is not the case, then continue to the next step.
- Download the latest version of TDSSKILLER and run it while in Windows safe mode.
- Verify that the TDSSKILLER scan identifies and removes/quarantines the malware. If this is not the case, then continue to the next step.
- Run the virus removal tool. There are 2 versions:
- Verify that the tool identifies and removes/quarantines the malware. If this is not the case, then continue with the next step.
- Download, install, and run the Malwarebytes Anti-Malware Free program.
- Verify that Malwarebytes tool identifies and removes/quarantines the malware.
- Run netstat –adn see what the outgoing connections are currently opened (internal and external traffic). Try to identify the resource/site that the malware is connecting to.
- Identify the associated process that is running and remove the application causing it.
- Run the Microsoft Autoruns utility to see what applications are configured to run at bootup or login. Verify that any unfamiliar applications are legitimate.
- Run Process Explorer to see if there are any unsigned processes. Try to see what application is being run by the process.
- Review Windows System logs – are there any errors?
- Review Performance – processes are there any peaks?
- If all else fails, you will have to re-image the computer. If you can’t re-image and see suspicious behavior: run Wireshark and inspect outgoing traffic for anomalous behavior.