June 28, 2012, 1:35 PM — Mark Russinovich, Windows icon, Sysinternals creator, and technical fellow at Microsoft, went on stage at TechEd Europe to a packed hall. In this session, Russinovich explained his best practices for removing malware manually -- using just a few Sysinternals tools.
Russinovich advises the following three steps:
1. Disconnect from the network
Let's not spend any time on that. Obviously, once you think you're infected, disconnect the machine from the network (pull the cable or disable the adapter) and immediately start identifying the process.
2. Investigate suspicious processes
Windows Task Manager doesn't tell you much about a process, so Russinovich recommends his own Process Explorer for identifying malware processes. The first step with a suspicious process is to right-click it and select "Search online."
Unfortunately, malware these days often uses randomly generated file names, so an online search may not help at all.
This is where Process Explorer's highlighting is useful. In the example from the session, WinHost.exe looks very legitimate: a Windows-sounding name, a Microsoft icon, and "Microsoft" as the company name. What gives it away is the colour. Process Explorer highlights processes that host Windows services in pink and processes running in the same user account as Process Explorer itself in blue; a supposed Windows system binary shown in blue is running as an ordinary user process rather than as a service, which is exactly what you would not expect. Keep in mind that the company name and icon come from the file's version resource and can be set to anything, so enable the Verified Signer column (Options > Verify Image Signatures) and trust the Authenticode check over the name, icon or company string.
Double-clicking the suspicious process opens its properties with additional details. The first thing that doesn't match a genuine Windows file is the "Build Time" on the Image tab. Here's an example:
Windows system files normally carry the date of the RTM build. Only files that have since been updated through Windows Update show a more recent build time, and that date should line up with a Patch Tuesday. Note that this value is the link timestamp from the PE header, written by whatever built the file, so malware can set it to anything plausible; treat it as a hint, not as proof either way.
Next, switch to the TCP/IP tab. Here you can see at a glance whether the process has connections to a server it has no business talking to:
Then go to the Strings tab and switch from the Image view to the Memory view. The Image view shows strings in the file on disk; the Memory view shows what is actually in the running process, which is what you want for packed or encrypted malware that only reveals itself after unpacking.
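The checks above (image path, claimed company versus actual Authenticode signer, PE build time, established TCP connections) can be run across every process at once from an elevated PowerShell session. The script below is an added example written for this page; it is not code from Russinovich's session or from Sysinternals. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), an elevated session so that process image paths are readable, and uses the Windows 7 RTM date as the reference build time, which is an assumption you should change for the OS you are actually looking at.

```powershell
# Added example, not code from Russinovich's session: a scripted pass over the
# same Process Explorer checks (image path, claimed company vs. Authenticode
# signer, PE build time, established TCP connections) on a host that has
# already been disconnected from the network.
# Assumptions: Windows 8 / Server 2012 or later (Get-NetTCPConnection), an
# elevated session so process image paths are readable, and a Windows 7 RTM
# date as the reference build time (change $RtmDate for your OS).

$RtmDate = [datetime]'2009-07-13'   # Windows 7 RTM link date (assumption for this example)

# Reads IMAGE_FILE_HEADER.TimeDateStamp, the value Process Explorer shows as
# "Build Time". Layout: "MZ" at 0, e_lfanew (Int32) at 0x3C, "PE\0\0" at
# e_lfanew, then Machine (2 bytes), NumberOfSections (2 bytes), TimeDateStamp
# (4 bytes) at e_lfanew + 8. The linker writes it, so it is forgeable.
function Get-PeBuildTime {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -le 0 -or ($peOffset + 12) -gt $bytes.Length) { return $null }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { return $null }   # "PE\0\0"
    $stamp = [BitConverter]::ToUInt32($bytes, $peOffset + 8)
    $epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    return $epoch.AddSeconds($stamp)
}

$report = foreach ($proc in Get-Process) {
    $path = $null
    try { $path = $proc.MainModule.FileName } catch { }   # System, Idle and protected processes deny access
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $sig     = Get-AuthenticodeSignature -FilePath $path
    $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName      # version resource: spoofable
    $signer  = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { "($($sig.Status))" }
    $built   = Get-PeBuildTime -Path $path

    # The TCP/IP tab, minus loopback: who is this process talking to?
    $remote = Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

    # The pattern from the talk: claims to be Microsoft, but is not signed by Microsoft.
    $claimsMs   = $company -like '*Microsoft*'
    $signedByMs = ($sig.Status -eq 'Valid') -and ($sig.SignerCertificate.Subject -like '*Microsoft*')

    [pscustomobject]@{
        PID        = $proc.Id
        Name       = $proc.ProcessName
        Path       = $path
        Company    = $company
        Signer     = $signer
        BuildTime  = $built
        DaysAfterRtm = if ($built) { [int]($built - $RtmDate).TotalDays } else { $null }   # eyeball against Patch Tuesdays
        Remote     = ($remote -join ', ')
        Suspicious = ($claimsMs -and -not $signedByMs) -or (($sig.Status -eq 'NotSigned') -and [bool]$remote)
    }
}

$report | Sort-Object Suspicious, Name -Descending | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path "$env:TEMP\process-triage.csv"   # keep a copy as evidence
```

The Suspicious column only automates the one pattern the talk describes (a Microsoft-looking image that Microsoft did not sign, or an unsigned image with live connections); the BuildTime and Remote columns are there for the analyst to read the way Russinovich reads the Image and TCP/IP tabs. One caveat: on older systems many Windows binaries are catalog-signed rather than carrying an embedded signature, and Get-AuthenticodeSignature may report them as NotSigned, so cross-check any surprising hit against Process Explorer's Verified Signer column or Sysinternals sigcheck.exe before acting on it.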