How to identify and clean up Windows computers infected with malware and bots
Solution

Step 1:

Disconnect the computer from the network (unplug the Ethernet cable and disable Wi-Fi) and notify the user that it cannot be reconnected until all malware has been successfully removed. Isolating the host first stops the bot from receiving commands, spreading, or exfiltrating data while you work on it.

 

Step 2:

Find out whether the user recognizes the destination or action that the malware or bot is trying to perform. Legitimate use (for example, an IRC client the user installed) does not rule out infection, but it helps separate the malicious activity from normal traffic.

For example:

  • If the bot destination is irc.warez-bb.org, did the user use IRC or a similar application?

  • If the malware is using NetBIOS, was any application installed recently that might explain this?

 

Step 3:

  1. Make sure the infected machine has an Anti-Virus application installed, running, and updated with current signatures. Check whether any malware has already been quarantined by the Anti-Virus application; the quarantine log often names the malware family and its location.

  2. Remove all temporary files in Windows (%TEMP% and C:\Windows\Temp) and clear the cache and temporary files of all installed browsers. This removes many dropper payloads and shortens the scan.

  3. Restart the computer in Safe Mode and run the Anti-Virus application in full scan mode.

  4. Verify that the Anti-Virus scan identifies and removes/quarantines the malware. If this is not the case, then continue to the next step.

 

Step 4:

  1. Download the latest version of Kaspersky's TDSSKiller (an anti-rootkit tool), reboot Windows in Safe Mode, and run it.

  2. Verify that the TDSSKiller scan identifies and removes/quarantines the malware. If this is not the case, then continue to the next step.

 

Step 5:

  1. Run the Virus Removal Tool. There are two versions, and which one applies depends on whether the system drive is encrypted:

    • For encrypted drives (e.g., on laptops with full-disk encryption), run the Virus Removal Tool from within Windows. A bootable rescue disk cannot read an encrypted volume that has not been unlocked.

    • For non-encrypted drives (e.g., on desktops), boot the Rescue Disk. Scanning from outside the installed Windows prevents active malware and rootkits from hiding their files or interfering with the scan.

  2. Verify that the tool identifies and removes/quarantines the malware. If this is not the case, then continue with the next step.

 

Step 6:

  1. Download, install, and run Check Point's ZoneAlarm Anti-Virus Free program.

  2. Verify that ZoneAlarm identifies and removes/quarantines the malware.

 

Advanced treatment:

  1. In an elevated Windows Command Prompt, run netstat -ano to list all connections and listening ports with numeric addresses and the owning process ID (PID); netstat -anob additionally prints the executable name for each PID. Look at the ESTABLISHED connections and try to identify the remote resource/site that the malware is connecting to.

  2. Use the PID from netstat (Task Manager > Details, or tasklist /fi "pid eq <PID>") to identify the associated process and its executable path, then remove the application causing it.

  3. Run the Microsoft Sysinternals Autoruns utility to see what applications are configured to run at boot or login (Run keys, services, scheduled tasks, drivers, browser helper objects). Unsigned entries and entries pointing to user-writable directories such as %APPDATA% or %TEMP% deserve the closest look.

  4. Run Microsoft Sysinternals Process Explorer with Options > Verify Image Signatures enabled to see if there are any processes unknown to you or any unsigned processes.

  5. In Windows Event Viewer, check the Windows System and Application logs for errors, unexpected service installations, or crashes of security software.

  6. Using Windows Performance Monitor (or Task Manager), check whether any process is causing sustained CPU, disk, or network load peaks.

  7. If all else fails, you will have to re-image the computer; once a rootkit is suspected, re-imaging is the only remediation that can be fully trusted. If you cannot re-image and still see suspicious behavior, run Wireshark and inspect outgoing traffic for anomalous behavior (connections to unfamiliar hosts, periodic beacons, IRC or unusual DNS activity).
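The following PowerShell script is an added example that is not part of the original SecureKnowledge article or any Check Point tool. It automates the first four items of the advanced treatment: it lists established outbound TCP connections with the owning process, its executable path, and its Authenticode signature status (what netstat -ano plus Process Explorer's signature verification show), and it enumerates the Run/RunOnce registry keys and scheduled-task actions with the same signature check (a subset of what Autoruns covers). It assumes an elevated PowerShell 5.1 or later session on Windows 8/Server 2012 or newer, where Get-NetTCPConnection and Get-ScheduledTask are available; the function names and the set of autostart locations are this example's own choices.

```powershell
# Added example, not from the Check Point article. Run as Administrator on the
# isolated machine. Assumes Windows 8 / Server 2012 or later (NetTCPIP and
# ScheduledTasks modules present).

$ErrorActionPreference = 'SilentlyContinue'

# Established outbound TCP connections -> owning process and signature status.
# Equivalent to correlating "netstat -ano" with Process Explorer's
# "Verify Image Signatures" column.
function Get-OutboundConnectionReport {
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess
            $sig  = 'NoPath'                      # e.g. protected system processes
            if ($proc.Path) { $sig = (Get-AuthenticodeSignature -FilePath $proc.Path).Status }
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PID           = $_.OwningProcess
                Process       = $proc.Name
                Path          = $proc.Path
                Signature     = $sig              # 'Valid' only for an intact Authenticode signature
            }
        }
}

# Autostart entries from the Run/RunOnce keys and enabled scheduled tasks,
# each resolved to an executable and its signature status. This is a subset
# of the locations Sysinternals Autoruns inspects.
function Get-AutostartReport {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key
        if (-not $props) { continue }
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS' } |     # skip PSPath, PSParentPath, ...
            ForEach-Object {
                $cmd = [string]$_.Value
                # Executable is either the quoted first token or the first whitespace-delimited token.
                # Unquoted paths containing spaces are not resolved and show up as 'FileMissing'.
                if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
                $exe = [Environment]::ExpandEnvironmentVariables($exe)
                $sig = 'FileMissing'
                if (Test-Path -LiteralPath $exe) { $sig = (Get-AuthenticodeSignature -FilePath $exe).Status }
                [pscustomobject]@{ Source = $key; Name = $_.Name; Command = $cmd; Signature = $sig }
            }
    }
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        foreach ($action in $_.Actions) {
            if (-not $action.Execute) { continue }         # COM-handler actions have no executable
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $sig = 'Unresolved'                           # relative names such as "cmd.exe" are not resolved here
            if (Test-Path -LiteralPath $exe) { $sig = (Get-AuthenticodeSignature -FilePath $exe).Status }
            [pscustomobject]@{
                Source    = "Task:$($_.TaskPath)$($_.TaskName)"
                Name      = $_.TaskName
                Command   = "$($action.Execute) $($action.Arguments)".Trim()
                Signature = $sig
            }
        }
    }
}

# Anything whose Signature is not 'Valid' is the first thing to investigate.
# A valid signature does not prove a binary is benign; it only rules out tampering.
Get-OutboundConnectionReport | Sort-Object Signature | Format-Table -AutoSize
Get-AutostartReport | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Compare the remote addresses in the first table with the bot destination reported by the gateway (Step 2); the owning PID and path tell you which application to remove in item 2. The second table narrows the Autoruns review to entries that are unsigned, point to a missing file, or could not be resolved. Run it after reboot and in Safe Mode as well, since some persistence only appears under a particular boot mode.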

 

Important: See Third-Party Software Disclaimer
