How to identify and clean up Windows computers infected with malware and bots
Disconnect the computer from the network and notify the user that the computer cannot be re-connected until all malware has been successfully removed.
Find out if the user is familiar with the destination or action that the malware or bot is trying to access.
- If the bot destination is irc.warez-bb.org, did the user use IRC or a similar application?
- If the Malware is using NetBIOS, was any application installed recently that might cause this?
- Make sure the infected machine has an Anti-Virus application installed, running and updated. Check to see if any malware has been quarantined by the Anti-Virus application.
- Remove all temporary files in Windows and in all installed browsers.
- Restart the computer in Safe Mode and run the Anti-Virus application in full scan mode.
- Verify that the Anti-Virus scan identifies and removes/quarantines the malware. If this is not the case, then continue to the next step.
- Download the latest version of TDSSKiller, reboot Windows in Safe Mode, and run this tool.
- Verify that the TDSKiller scan identifies and removes/quarantines the malware. If this is not the case, then continue to the next step.
- Run the Virus Removal Tool. There are 2 versions:
- For encrypted drives (e.g., on laptops), run the Virus Removal Tool, which can be downloaded here.
- For non-encrypted drives (e.g., on desktops), run the Rescue Disk, which can be downloaded here.
- Verify that the tool identifies and removes/quarantines the malware. If this is not the case, then continue with the next step.
- Download, install, and run Check Point's ZoneAlarm Anti-Virus Free program.
- Verify that ZoneAlarm identifies and removes/quarantines the malware.
- In Windows Command Prompt, run the netstat -adn command to see what outgoing connections are currently opened (internal and external traffic). Try to identify the resource/site that the malware is connecting to.
- Identify the associated process that is running and remove the application causing it.
- Run the Microsoft Autoruns utility to see what applications are configured to run at bootup or login.
- Run Microsoft Process Explorer to see if there are any unknown to you / any unsigned processes.
- In Windows Event Viewer, check the Windows System logs for any errors.
- Using Windows Performance Monitor, check is there any load peaks caused by processes.
- If all else fails, you will have to re-image the computer. If you cannot re-image and see suspicious behavior: run Wireshark and inspect outgoing traffic for anomalous behavior.
Important: See Third-Party Software Disclaimer