Mark Russinovich, Windows icon, Sysinternals creator, and technical fellow at Microsoft, went on stage at TechEd Europe to a packed hall. In this session, Russinovich explained his best practices for removing malware manually -- using just a few Sysinternals tools.
Russinovich advises you to take the following steps:
1. Disconnect from the network
Let's not spend any time on that. Obviously, once you suspect you're infected, pull the machine off the network so the malware can't fetch more components, leak data or spread, and immediately start identifying the process.
2. Investigate suspicious processes
Windows Task Manager doesn't tell you much about a process, so Russinovich recommends his own Process Explorer to identify malware processes effectively. The first step in checking a suspicious process is to right-click it and select "Search Online."
Unfortunately, malware these days often uses randomly generated file names, so an online search may turn up nothing at all.
This is where Process Explorer's colour highlighting is great. In the session's example, WinHost.exe looked very legitimate: a Windows-ish sounding name, a Microsoft icon, and version information claiming it was developed by Microsoft. What gave it away was the colour. Process Explorer highlights processes that host Windows services in pink and processes running in your own user account in blue; a process that poses as a system component but shows up in blue is running as an ordinary user program rather than as a service, which is not how the real thing behaves. (Purple marks packed or compressed images, another common malware trait worth a closer look.)
Double-clicking the suspicious process opens its properties, where you get additional details. The first thing that often doesn't fit a genuine Windows component is the "Build Time" on the Image tab, which Process Explorer reads from the link timestamp in the file's PE header. Here's an example:
Windows files usually carry the timestamp of the RTM build. Only files that have been updated through Windows Update have more recent "Build Time" values, so make sure those line up with a Patch Tuesday release. One caveat for newer systems: from Windows 10 on, Microsoft builds most binaries reproducibly and the header timestamp is a hash rather than a real date, so this particular check no longer works there.
Switching to the "TCP/IP" tab shows the process's open connections and listening ports, so you can easily figure out whether it's talking to some weird server:
Next, go to the "Strings" tab and switch from the "Image" view to the "Memory" view. The image view shows the strings in the file on disk; the memory view shows what is actually inside the running process, including anything the malware unpacked or decrypted after launch.
This is where you'll spot suspicious URLs, IP addresses or text strings that identify the process as malicious.
Last but not least, one of the most important features for identifying malware is the file verification view. Go to "View/Verify Image Signatures," which fills in the "Verified Signer" column. When it says "Unable to verify," it's not really an official Microsoft process, no matter what the version information claims; a genuine one shows "(Verified)" followed by the Microsoft signer.
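The following is an added example and not part of Russinovich's session: a scripted version of the Process Explorer checks above for a single PID (signature verification, claimed vendor versus verified signer, PE link timestamp, remote TCP endpoints, and URLs in the image file). It assumes Windows PowerShell 5.1 or later on Windows 8 / Server 2012 or newer (for Get-NetTCPConnection), run from an elevated prompt; the function names Get-PeLinkTimestamp and Get-ProcessTriage are my own.

```powershell
# Added example (not from the session). Assumes Windows PowerShell 5.1+,
# elevated, on Windows 8 / Server 2012 or later.

function Get-PeLinkTimestamp {
    # IMAGE_FILE_HEADER.TimeDateStamp, which Process Explorer labels "Build Time".
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return $null }   # "MZ"
    $pe = [BitConverter]::ToInt32($b, 0x3C)                                          # e_lfanew
    if ($pe -lt 0 -or ($pe + 12) -gt $b.Length) { return $null }
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { return $null }           # "PE\0\0"
    # After Signature(4), Machine(2) and NumberOfSections(2) comes TimeDateStamp(4).
    $stamp = [BitConverter]::ToUInt32($b, $pe + 8)
    $epoch = New-Object -TypeName DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    return $epoch.AddSeconds($stamp)
}

function Get-ProcessTriage {
    param([Parameter(Mandatory)][int]$Id)
    $proc = Get-Process -Id $Id -ErrorAction Stop
    $path = $proc.Path
    if (-not $path) { throw "Cannot read the image path of PID $Id (not elevated, or a protected process)" }

    # 1. View > Verify Image Signatures: Authenticode status and who actually signed it.
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # 2. What the version resource claims versus what the signature proves.
    $claimed           = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
    $claimsMicrosoft   = $claimed -match 'Microsoft'
    $verifiedMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')

    # 3. Image tab "Build Time" (meaningless on reproducibly built Windows 10+ binaries).
    $built = Get-PeLinkTimestamp -Path $path

    # 4. TCP/IP tab: remote endpoints owned by this PID, loopback and wildcard filtered out.
    $conns = Get-NetTCPConnection -OwningProcess $Id -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin '0.0.0.0', '::', '127.0.0.1', '::1' } |
        ForEach-Object { '{0}:{1} ({2})' -f $_.RemoteAddress, $_.RemotePort, $_.State }

    # 5. Strings tab, image view only: URLs embedded in the file on disk.
    #    Memory-view strings need Process Explorer or a debugger; not reproduced here.
    $text = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($path))
    $urls = [regex]::Matches($text, 'https?://[\x21-\x7e]{4,}') |
        ForEach-Object { $_.Value } | Select-Object -Unique

    [pscustomobject]@{
        Pid             = $Id
        Name            = $proc.ProcessName
        Path            = $path
        SignatureStatus = $sig.Status
        Signer          = $signer
        ClaimedCompany  = $claimed
        BuildTimeUtc    = $built
        RemoteEndpoints = @($conns)
        UrlsInImage     = @($urls)
        # The WinHost.exe pattern from the talk: claims Microsoft, does not verify.
        Suspicious      = ($claimsMicrosoft -and -not $verifiedMicrosoft)
    }
}

# Usage: inspect one process by PID, or sweep everything and keep the hits.
# Get-ProcessTriage -Id 4120
# Get-Process | ForEach-Object { try { Get-ProcessTriage -Id $_.Id } catch { } } |
#     Where-Object Suspicious | Format-List
```

The Suspicious flag is deliberately narrow: it only fires on the exact trick the session describes (a Microsoft vendor string without a verifiable Microsoft signature). Unsigned third-party software shows up in the output with its real signer or "(none)" and is left for the analyst to judge.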
3. Terminating Malicious Processes
Identified the process? Fine! Next step: kill it. Unfortunately, malware often follows the buddy system: a second instance watches the first and immediately relaunches it when you kill it. So instead of killing them one at a time in Process Explorer, simply "Suspend" every instance first (right-click, Suspend) so none of them can respawn a partner, and only then kill them. Quick and dirty.
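As an added example (not from the session), the suspend-everything-first-then-kill sequence scripted in PowerShell. Process Explorer's Suspend uses the undocumented but long-stable ntdll!NtSuspendProcess, so the script calls the same function through P/Invoke; the NativeProc type and Stop-ProcessGroup function are my own names, and the script assumes an elevated Windows PowerShell 5.1 or later session and that the targets are not protected processes.

```powershell
# Added example (not from the session): suspend every member of a malware
# process group before terminating any of them, so a watchdog instance
# cannot respawn its partner. Assumes elevated Windows PowerShell 5.1+.

if (-not ('NativeProc' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NativeProc {
    // Undocumented but stable since Windows XP; what Process Explorer's Suspend uses.
    [DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
    [DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr hProcess);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
'@
}

function Stop-ProcessGroup {
    param([Parameter(Mandatory)][int[]]$Id)
    $PROCESS_SUSPEND_RESUME = 0x0800
    $handles = @{}

    # Phase 1: freeze every member. Nothing is killed until all are asleep.
    foreach ($p in $Id) {
        $h = [NativeProc]::OpenProcess($PROCESS_SUSPEND_RESUME, $false, [uint32]$p)
        if ($h -eq [IntPtr]::Zero) {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "OpenProcess($p) failed with Win32 error $err (not elevated, or protected process)"
        }
        $status = [NativeProc]::NtSuspendProcess($h)
        if ($status -ne 0) {
            [void][NativeProc]::CloseHandle($h)
            throw ('NtSuspendProcess({0}) returned NTSTATUS 0x{1:X8}' -f $p, $status)
        }
        $handles[$p] = $h
    }

    # Phase 2: with no member able to run, terminate them in any order.
    foreach ($p in $Id) {
        Stop-Process -Id $p -Force -ErrorAction Stop
        [void][NativeProc]::CloseHandle($handles[$p])
    }
}

# Usage: collect every instance of the suspicious image (WinHost from the
# talk, as an example), then take the whole group down at once.
# $group = Get-Process -Name WinHost | Select-Object -ExpandProperty Id
# Stop-ProcessGroup -Id $group
```

Collect the group by image path rather than by name if the malware runs under several names; Get-Process exposes Path, so `Get-Process | Where-Object { $_.Path -eq $bad.Path }` catches copies that were dropped elsewhere under a different file name.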
4. Autostart locations
Forget msconfig, and even the new Startup tab in the Windows 8 Task Manager. Sysinternals "Autoruns" helps you identify malware autostart entries fairly easily. Mark recommends hiding the Microsoft entries and having Autoruns verify signatures, so that only third-party and unsigned entries remain. To do that, go to "Options" and "Filter Options" and check both "Verify code signatures" and "Hide Microsoft entries." The combination matters: with signature verification on, "Hide Microsoft entries" hides only entries whose Microsoft signature actually verifies, so malware that merely claims "Microsoft Corporation" as its publisher stays on the list.
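As an added example that is not part of the session or of Autoruns itself, here is the same filter applied in PowerShell to the classic Run/RunOnce keys: every entry's image is resolved the way the loader would, its Authenticode signature is checked, and only entries that are genuinely Microsoft-signed are hidden. The function names Resolve-ImagePath and Get-UnverifiedAutoruns are my own, and the script assumes Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the session, not Autoruns code): list Run/RunOnce
# entries that are not verifiably signed by Microsoft. Assumes Windows PowerShell 5.1+.

function Resolve-ImagePath {
    # Turn a launch string into the file that will actually run.
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted path: CreateProcess tries each space-delimited prefix in turn,
    # so "C:\Program Files\x\y.exe -q" may resolve to C:\Program.exe if that exists.
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        foreach ($try in @($candidate, "$candidate.exe")) {
            if (Test-Path -LiteralPath $try -PathType Leaf) { return $try }
        }
    }
    # Bare name such as ctfmon.exe: fall back to the PATH search.
    $found = Get-Command $tokens[0] -ErrorAction SilentlyContinue
    if ($found -and $found.CommandType -eq 'Application') { return $found.Path }
    return $tokens[0]
}

function Get-UnverifiedAutoruns {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            if ($name -eq '') { continue }                     # skip the (Default) value
            $launch = [string]$item.GetValue($name)
            $image  = Resolve-ImagePath -CommandLine $launch
            if (-not (Test-Path -LiteralPath $image -PathType Leaf)) {
                # Points at nothing: leftover from deleted malware, or a gap something could fill.
                [pscustomobject]@{ Location = $key; Entry = $name; Image = $image
                                   Status = 'File not found'; Signer = $null; Launch = $launch }
                continue
            }
            $sig     = Get-AuthenticodeSignature -FilePath $image
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # "Hide Microsoft entries" with "Verify code signatures": hide only what really verifies.
            $microsoftVerified = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
            if ($microsoftVerified) { continue }
            [pscustomobject]@{ Location = $key; Entry = $name; Image = $image
                               Status = $sig.Status; Signer = $subject; Launch = $launch }
        }
    }
}

# Usage:
# Get-UnverifiedAutoruns | Format-Table Entry, Status, Signer, Image -AutoSize
```

Two limitations to keep in mind, both of which Autoruns covers and this script does not: it only looks at the Run/RunOnce keys (Autoruns also walks services, drivers, scheduled tasks, Winlogon, shell extensions and dozens of other locations), and an entry that launches through a Microsoft host such as rundll32.exe or regsvr32.exe resolves to the signed host and is hidden, even though the DLL it loads is what matters. Treat the output as a first pass, not a substitute for the full Autoruns scan.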
And, finally, once you've identified the processes, suspended and killed them, and turned off their autostart entries, you'll be able to get rid of the files easily. A reboot followed by a second pass with Process Explorer and Autoruns is a cheap way to confirm nothing came back.