Malware removal guide

Since malware writers constantly improve their evasion techniques and find new ways to spread malicious programs, the following list of malware removal tools and methods is by no means complete.

If, despite all precautions, malware is installed on your computer, we suggest that you perform the following actions on all computers in the network, not only the one that showed symptoms:

Run a full antivirus scan of your computer. Remember to scan both the "C:" partition and all other local and removable drives, since malware often keeps a copy on a second drive or USB stick to reinfect the system.

Additional checks can be made online via the following antivirus programs:

Then, check your computer(s) for adware/Trojans:

Sort the files by date in c:\windows, c:\windows\system32 and c:\windows\system32\drivers and look for any .dll, .exe and .sys files with a recent modification date and/or an unusual name. Then go to www.google.com and look up every suspicious program/file name; read the user comments about these files to decide whether they are known viruses or Trojans. Finally, upload the files you are unsure about to a free online scan service (such as VirSCAN at http://virscan.org) to check them for malware.
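The manual "sort by date" check above is easy to automate. The script below is an added example and not part of the original guide: it lists the .exe/.dll/.sys files in the three directories that were modified within the last N days, newest first, and computes a SHA-256 for each so you can first look a file up by hash on a scanning service and only upload it if the hash is unknown (a file you upload may contain private data). The default directory list assumes a standard installation under C:\Windows; pass other directories on the command line to check elsewhere.

```python
"""Triage recently modified executables in the Windows system directories.

Added example for this guide (not code from the original page). Lists .exe/.dll/.sys
files modified in the last N days, newest first, with a SHA-256 per file.
"""
import hashlib
import os
import sys
import time
from dataclasses import dataclass

# The directories the guide tells you to sort by date.
# Assumption: default Windows installation path.
DEFAULT_DIRS = [
    r"C:\Windows",
    r"C:\Windows\System32",
    r"C:\Windows\System32\drivers",
]
SUSPECT_EXTENSIONS = {".exe", ".dll", ".sys"}


@dataclass
class Finding:
    path: str
    mtime: float   # last modification time, seconds since the epoch
    sha256: str


def sha256_of(path: str) -> str:
    """Hash the file in 1 MiB chunks so large drivers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def recent_executables(dirs, days=14, now=None):
    """Return Finding objects for executables modified within `days` days, newest first.

    Only the directory itself is examined (no recursion), which matches the manual
    check in the guide. Missing or unreadable directories are skipped, not fatal.
    """
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    findings = []
    for d in dirs:
        try:
            entries = list(os.scandir(d))
        except OSError:
            continue
        for e in entries:
            # Ignore directories and symlinks; a link could point outside the directory.
            if not e.is_file(follow_symlinks=False):
                continue
            if os.path.splitext(e.name)[1].lower() not in SUSPECT_EXTENSIONS:
                continue
            mtime = e.stat(follow_symlinks=False).st_mtime
            if mtime >= cutoff:
                findings.append(Finding(e.path, mtime, sha256_of(e.path)))
    findings.sort(key=lambda f: f.mtime, reverse=True)
    return findings


if __name__ == "__main__":
    for f in recent_executables(sys.argv[1:] or DEFAULT_DIRS):
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(f.mtime))
        print(stamp, f.sha256, f.path)
```

A recent date alone is not proof of infection: Windows Update writes into these directories too, so compare the dates against your last update and check the hash of anything that does not match a known update.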

Make sure to change all your passwords for the online services you use, and do it from a computer you know to be clean; a password typed on the infected machine may be captured again.

It is recommended that you occasionally open a command prompt (start –> run –> cmd) and check which programs have network connections:

  • In the console, type netstat -o (add -n to skip name resolution, so remote hosts are shown as IP:port)

Entering this command should get you a result similar to this:

  Proto  Local Address    Foreign Address  State        PID
  TCP    127.0.0.1:1890   127.0.0.1:1891   ESTABLISHED  3160
  TCP    127.0.0.1:1891   127.0.0.1:1890   ESTABLISHED  3160
  ...

If the Foreign Address column ends in ":25" (shown as ":smtp" when netstat resolves names), the computer has an outbound SMTP connection. Unless the process owning it is your own mail program, this indicates that the computer is sending email messages without your knowledge, which is typical of spam bots.

The last column (PID) identifies the process (program) responsible.

Use the command "tasklist /svc" to see the program name and the list of services running inside each process. Match the PID from netstat against this list to determine which program is infected; if the PID belongs to a generic host process such as svchost.exe, the services it hosts are where to look.

If the PID is 4, the connection belongs to the Windows "System" process, which means the traffic is generated in kernel mode by a driver rather than by a normal program. Such malware is usually a rootkit installed as c:\windows\system32\drivers\somethingstrange.sys; the running system cannot delete a loaded driver, so boot from the installation CD (or a rescue CD) and remove the file manually. A PID of 0 (the "System Idle Process") does not own connections at all; entries showing 0 are usually sockets whose process has already exited (for example in TIME_WAIT state), so repeat the check a few times to catch the process while it is running.
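The whole netstat / tasklist procedure above, as an added example that is not code from the original guide: the script parses the output of "netstat -ano" and "tasklist /svc", flags every connection to a remote mail port (25 by default), and reports the owning program and its hosted services, with the special cases for PID 4 (kernel mode) and PID 0 (no live owner). On Windows it runs the two commands itself; elsewhere it works on a constructed sample embedded below (the addresses, PIDs and the program name "svcupd.exe" are made up for the example).

```python
"""Correlate `netstat -ano` with `tasklist /svc` to find which program sends mail.

Added example for this guide, not code from the original page. Runs the two
commands on Windows; on other systems it parses the constructed sample below.
"""
import re
import subprocess
import sys

SYSTEM_IDLE_PID = 0   # "System Idle Process": never owns a live connection
SYSTEM_PID = 4        # "System": kernel-mode traffic (drivers), no user program

# Constructed sample output, not captured from a real machine.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1890         127.0.0.1:1891         ESTABLISHED     3160
  TCP    127.0.0.1:1891         127.0.0.1:1890         ESTABLISHED     3160
  TCP    192.168.1.10:49152     203.0.113.7:25         ESTABLISHED     2044
  TCP    192.168.1.10:49153     203.0.113.9:25         SYN_SENT        2044
  TCP    192.168.1.10:445       192.168.1.22:51000     ESTABLISHED     4
  TCP    192.168.1.10:49160     198.51.100.5:443       TIME_WAIT       0
"""
SAMPLE_TASKLIST = """
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                   1120 RpcSs
svchost.exe                   3160 Dnscache, LanmanWorkstation
svcupd.exe                    2044 N/A
"""


def parse_netstat(text):
    """Return one dict per connection row. UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Return {pid: (image name, [services])} from `tasklist /svc` output.

    Long service lists wrap onto indented continuation lines; those are appended
    to the previous process. Header and separator lines contain no PID and are skipped.
    """
    procs, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            image, pid, services = m.group(1), int(m.group(2)), m.group(3).strip()
            names = [] if services == "N/A" else [s.strip() for s in services.split(",")]
            procs[pid] = (image, names)
            last = pid
        elif line[0].isspace() and last is not None:
            procs[last][1].extend(s.strip() for s in line.split(",") if s.strip())
    return procs


def remote_port(addr):
    """'203.0.113.7:25' -> 25, '[::1]:25' -> 25, '*:*' -> None."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def suspicious_connections(conns, procs, ports=(25,)):
    """Return (owner description, connection) for every connection to a remote mail port."""
    findings = []
    for c in conns:
        if remote_port(c["foreign"]) not in ports:
            continue
        pid = c["pid"]
        if pid == SYSTEM_IDLE_PID:
            owner = "no live owner (PID 0); lingering socket, repeat the check"
        elif pid == SYSTEM_PID:
            owner = "kernel mode (PID 4): a driver, look in system32\\drivers"
        elif pid in procs:
            image, services = procs[pid]
            owner = image + (" hosting " + ", ".join(services) if services else "")
        else:
            owner = "PID %d not in tasklist (exited or hidden)" % pid
        findings.append((owner, c))
    return findings


def collect():
    """Run the real commands on Windows; use the constructed sample elsewhere."""
    if sys.platform == "win32":
        run = lambda cmd: subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        return run(["netstat", "-ano"]), run(["tasklist", "/svc"])
    return SAMPLE_NETSTAT, SAMPLE_TASKLIST


if __name__ == "__main__":
    netstat_out, tasklist_out = collect()
    procs = parse_tasklist(tasklist_out)
    for owner, c in suspicious_connections(parse_netstat(netstat_out), procs):
        print(c["pid"], c["local"], "->", c["foreign"], c["state"], "|", owner)
```

Run it a few times a minute apart: a spam bot opens many short SMTP connections, so a single snapshot may show only TIME_WAIT entries with PID 0.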

If the infected computer is connected to a wireless network, check the other devices on that WLAN as well: malware that spreads over the local network can reach every computer that shares the wireless segment, and an infected neighbour will reinfect a cleaned machine.