
How to Remove Malware

If you are sure that you are infected by malware, follow these steps to clean it.
Disconnect from your network to prevent the malware from spreading to other computers.
Lock Internet traffic with your firewall:
If you're using a third-party firewall program such as ZoneAlarm or Comodo, then you can stop
all Internet traffic in its path, preventing the offending program from spreading or reaching out
across the Internet for help and updates. Even if you don't have a dedicated firewall program,
disable your network connections or just unplug the Ethernet cable. The downside is that, with
no Internet, your anti-virus program cannot update, so make sure you've installed the latest
updates before locking your system down completely.
Update your operating system:
Blocking a pesky virus could be as simple as running updates on your OS. While updating your
OS won't necessarily clear the infection out, it may plug the security holes that allow the virus
to spread and cause disorder on your PC.
Use an efficient and up-to-date anti-virus program and run a full system scan.
If the antivirus can't remove the malware, try to identify and remove it using the tools discussed below.

Removing malware using Process Explorer and Autoruns tools

Steps to remove
Identify malicious processes and drivers

Terminate identified processes

Identify and delete malware autostarts

Delete malware files

Reboot and repeat

Tel: +251-11-371-71 14 P.O. Box: 124498 E-mail: siteadmin@insa.gov.et


Fax: +251-11-320 65 76 Addis Ababa, Ethiopia Website: www.insa.gov.et
Process Explorer

When we look at the processes running on the machine using Process Explorer, malware processes are
mostly processes that:

have no icon
have no description or company name
have no version information
use totally random or pseudo-random names
have unsigned Microsoft or other company images
live in the Windows directory
are packed
include strange URLs in their strings
have open TCP/IP endpoints
hide themselves using svchost and rundll32
host suspicious DLLs or services
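As an added example (not part of the INSA guide), the following PowerShell script checks every running process against several of the heuristics listed above: missing company name, description or version information; an image whose Authenticode signature does not verify; an image sitting directly in the Windows directory root; a random-looking name; and established TCP connections. The function name, the name-entropy rule and the "Windows directory root" rule are my own assumptions; it does not check packing, embedded strings or hosted DLLs, for which Process Explorer remains the tool.

```powershell
function Get-SuspiciousProcess {
    # Emits one record per process that trips at least one heuristic. Run elevated so that
    # image paths of system processes are readable; protected processes are skipped.
    $windir = $env:WINDIR
    foreach ($p in Get-Process) {
        $flags = @()
        try { $mod = $p.MainModule } catch { $mod = $null }   # access denied => cannot inspect
        if (-not $mod) { continue }
        $path = $mod.FileName
        $fi   = $mod.FileVersionInfo

        # 1. Missing version resource fields (no description / company / version).
        if (-not $fi.CompanyName)     { $flags += 'no company name' }
        if (-not $fi.FileDescription) { $flags += 'no description' }
        if (-not $fi.FileVersion)     { $flags += 'no version info' }

        # 2. Image signature. Catalog-signed Windows binaries can show NotSigned on older
        #    PowerShell versions; Process Explorer's "Verify Image Signatures" is authoritative.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }

        # 3. Image dropped directly into %WINDIR% (assumed rule: root only, not System32).
        if ((Split-Path $path -Parent) -ieq $windir) { $flags += 'runs from Windows directory root' }

        # 4. Random-looking name: six or more characters with no vowel, or three or more digits
        #    in a row (crude assumed heuristic; expect some false positives).
        $n = $p.ProcessName
        if (($n.Length -ge 6 -and $n -notmatch '[aeiouy]') -or $n -match '\d{3,}') {
            $flags += 'random-looking name'
        }

        # 5. Open TCP endpoints owned by this process.
        $conns = Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue
        if ($conns) { $flags += "$(@($conns).Count) established TCP connection(s)" }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                PID   = $p.Id
                Name  = $n
                Path  = $path
                Score = $flags.Count
                Flags = ($flags -join '; ')
            }
        }
    }
}

# Highest-scoring processes first; review each one in Process Explorer before acting on it.
Get-SuspiciousProcess | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

A high score is a prompt to look closer in Process Explorer (properties, strings, signature verification), not proof of infection; legitimate software with sparse version resources will also appear.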

To get more information about a process, right-click on it and look at its properties, or search online. In the
following example the bottom svchost.exe is a fake svchost.exe: it is a malware process.

If you are sure that a process is a malware process, follow these steps to terminate it. Be careful: if you
terminate a process that is not malicious, your software or operating system may fail to operate.

Don't kill the processes right away. They are often restarted by watchdogs.

Instead, suspend them and record the full path to each malicious EXE and DLL.

After they are all asleep, kill them. Watch for restarts under new names.

Autoruns

Autoruns shows every place in the system that is configured to run something at boot and logon.
Malware that runs at system boot is found in the autostarts list.
In the example here, Yahoo Messenger is a malware autostart.

To remove malware autostarts:

Delete suspicious autostarts. You can disable them instead if you're not sure.

After you delete or disable them, do a full refresh.

If they come back, find the process that is putting them back: right-click the entry and open it in
Process Explorer to see which process is responsible.

Tip:

Use http://technet.microsoft.com/en-us/sysinternals/default.aspx to get process explorer and autoruns.
