How to Remove Malware

Published on January 2017 | Categories: Documents | Downloads: 48 | Comments: 0 | Views: 238

If you are sure that you are infected by malware, follow these steps to clean it.

1. Disconnect from your network to prevent the malware from spreading to other computers.

2. Lock Internet traffic with your firewall: If you're using a third-party firewall program such as ZoneAlarm or Comodo, you can stop all Internet traffic in its path, preventing the offending program from spreading or reaching out across the Internet for help and updates. Even if you don't have a dedicated firewall program, disable your network connections or simply unplug the Ethernet cable. The downside is that, with no Internet, there is no updating of your anti-virus program, so make sure you've installed the latest updates before locking your system down completely.

3. Update your operating system: Blocking a pesky virus could be as simple as running updates on your OS. While updating your OS won't necessarily clear the infection out, it may plug the security holes that allow the virus to spread and cause disorder on your PC.

4. Use an efficient and up-to-date anti-virus program and run a full system scan. If the anti-virus can't remove the malware, try to identify and remove it using the tools discussed below.

Removing malware using Process Explorer and Autoruns tools
Steps to remove malware:
1. Identify malicious processes and drivers
2. Terminate the identified processes
3. Identify and delete malware autostarts
4. Delete the malware files
5. Reboot and repeat

Tel: +251-11-371-71 14 Fax: +251-11-320 65 76

P.O. Box: 124498 Addis Ababa, Ethiopia

E-mail: [email protected] Website: www.insa.gov.et

Process Explorer

When we look at the processes running on the machine with Process Explorer, malware processes are mostly processes that:

- have no icon
- have no description or company name
- have no version information
- use totally random or pseudo-random names
- are unsigned Microsoft or other company images
- live in the Windows directory
- are packed
- include strange URLs in their strings
- have open TCP/IP endpoints
- hide themselves using Svchost and Rundll32
- host suspicious DLLs or services


To get more information about a process, right-click on it and look at its properties, or search for it online. In the following example the bottom svchost.exe is a fake svchost.exe; it is a malware process.
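As an added example (not part of the INSA document), the following PowerShell script applies the warning signs listed above to the processes running on a machine, including the fake svchost.exe case: it assumes Windows PowerShell 5.1 or later run from an elevated prompt, and the name regex and thresholds are my own heuristics.

```powershell
# Added triage helper (not from the INSA document): flags running processes
# that match the Process Explorer warning signs: missing description or
# company name, unsigned image, living in the Windows directory, random-
# looking name, open TCP endpoints, and svchost.exe impersonation.
# Assumes Windows PowerShell 5.1+ on Windows 8/2012 or later, elevated.

$windir   = $env:SystemRoot
$system32 = Join-Path $windir 'System32'

$procs = Get-CimInstance Win32_Process
foreach ($p in $procs) {
    $path = $p.ExecutablePath
    if (-not $path) { continue }   # System, Idle and protected processes
    $reasons = @()

    # 1. No description or company name in the version resource
    $vi = (Get-Item -LiteralPath $path -ErrorAction SilentlyContinue).VersionInfo
    if (-not $vi -or -not $vi.FileDescription) { $reasons += 'no description' }
    if (-not $vi -or -not $vi.CompanyName)     { $reasons += 'no company name' }

    # 2. Unsigned image, or a signature that does not verify
    $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }

    # 3. Lives directly in the Windows directory rather than a subfolder
    if ((Split-Path $path -Parent) -ieq $windir) { $reasons += 'lives in Windows directory' }

    # 4. Random-looking name: eight or more characters with no vowels (heuristic)
    $name = [IO.Path]::GetFileNameWithoutExtension($path)
    if ($name -match '^[^aeiou\W\d]{8,}$') { $reasons += 'random-looking name' }

    # 5. Open TCP endpoints owned by this process
    $tcp = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue
    if ($tcp) { $reasons += "open TCP endpoints: $($tcp.Count)" }

    # 6. svchost.exe impersonation: wrong folder, or not started by services.exe
    if ($p.Name -ieq 'svchost.exe') {
        $parent = $procs | Where-Object ProcessId -eq $p.ParentProcessId
        if ((Split-Path $path -Parent) -ine $system32 -or $parent.Name -ine 'services.exe') {
            $reasons += 'svchost.exe outside System32 or not a child of services.exe'
        }
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Path = $path; Reasons = ($reasons -join '; ') }
    }
}
```

Treat each flagged line as a lead to confirm in Process Explorer (Verify Image Signatures, Strings, TCP/IP tab), not as a verdict: legitimate third-party software is often unsigned or lacks version information, and browsers will show many TCP endpoints.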

If you are sure that a process is a malware process, follow these steps to terminate it. Be careful: if you terminate a process that is not malicious, your software or operating system will fail to operate. Don't kill the processes right away; they are often restarted by watchdogs. Instead, suspend them and record the full path to each malicious EXE and DLL. After they are all suspended, kill them. Watch for restarts under new names.


Autoruns

Autoruns shows every place in the system that is configured to run something at boot and logon. Malware that runs at system boot is found in the autostarts list. In the example here, the "Yahoo Messenger" entry is a malware autostart.

To remove malware autostarts:
1. Delete suspicious autostarts. You can disable them instead if you're not sure.
2. After you delete or disable them, do a full refresh.
3. If they come back, right-click the entry and open it in Process Explorer to see which process is putting them back.

Tip: Use http://technet.microsoft.com/en-us/sysinternals/default.aspx to get Process Explorer and Autoruns.
