Identifying and Removing Malware: A Practical Detection and Removal Guide

• Performance: Sudden CPU spikes, fans running constantly, programs slow to open.
• Network: Constant outbound traffic when idle, new firewall prompts, blocked connections in logs.
• Browser: New homepage/search engine, intrusive ads, unknown extensions, frequent redirects.
• Files & OS: New startup entries, unknown services/tasks, disabled Defender/updates, ransom notes.
• Account/Security: Password prompts failing, MFA spam, logins from unknown locations.

Tip: One symptom alone isn’t proof. Multiple signals across performance, browser, and security increase suspicion.

Click to expand...

• Disconnect from the network: Pull Ethernet / disable Wi-Fi. Prevents data exfiltration and command-and-control.
• Stop using passwords/banking: Don’t log in to sensitive accounts from the suspected machine.
• Preserve clues: Don’t mass-delete yet; you may erase what helps identify the threat.
• Back up critical files (documents, photos) to an external drive—do not copy executables or installers.

SystemPropertiesProtection.exe

msconfig

• Microsoft Defender Full Scan: Windows Security → Virus & threat protection → Scan options → Full scan.
• AdwCleaner (portable): Targets adware/PUPs, browser junk, resets policies.

• Malwarebytes Threat Scan (non-resident if you use another AV).
• ESET Online Scanner (on-demand cloud signatures).
• Optional: Kaspersky Virus Removal Tool (KVRT) or Dr.Web CureIt! (portable removers).

• RKill: Terminates known malicious processes that protect other malware. Run RKill first if tools won’t launch.
• HitmanPro: Good at catching leftovers and rootkit-style persistence.

• Windows Defender Offline: Windows Security → Scan options → Microsoft Defender Offline scan. Reboots into a trusted environment.
• Optional: Bootable rescue media (e.g., from your AV vendor) for heavy infections.

Run scans until two different tools in a row report clean. Reboot between major removal steps.

Click to expand...

• Task Manager → Startup: Disable unknown/high impact entries.
• Autoruns (Sysinternals): Run as admin → Options: Hide Microsoft Entries + Verify Signatures. Check tabs: Logon, Scheduled Tasks, Services, Drivers, Explorer. Uncheck suspicious items (non-destructive).
• Task Scheduler: Library + vendor folders. Disable unknown At log on tasks (note names/paths).
• Services (services.msc): Sort by Manufacturer/Status; set shady third-party services to Disabled (record names).

• Remove unknown extensions in all browsers.
• Reset search engine/homepage; clear policies:
  
  Code:

  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
  Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Google\Chrome
  Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge
  Computer\HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Edge

  Delete forced policy keys you did not set (after export/backup).

• Code:

  %SystemRoot%\System32\drivers\etc\hosts

  → should be minimal. Remove shady entries.
• Internet Options → Connections → LAN settings → ensure Proxy is off (unless corporate).
• Check custom root CAs (certmgr.msc) added recently—remove unknowns (with care).

• Windows Security → ensure Real-time protection, Tamper Protection, and SmartScreen are ON.
• Group Policy / Registry for disabled Defender/Updates. Re-enable defaults if altered.

Get-ChildItem "$env:USERPROFILE\Downloads","$env:TEMP" -Recurse -Include .exe,.dll,.js,.vbs -ErrorAction SilentlyContinue |
Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
Select-Object LastWriteTime, Length, FullName | Sort-Object LastWriteTime -Descending

Get-CimInstance Win32_StartupCommand |
Where-Object { $_.Command -notmatch 'Microsoft|Windows Defender' } |
Select-Object Name, Command, Location, User | Sort-Object Name

Get-ScheduledTask | Where-Object {
($.Triggers | Where-Object {$.TriggerType -eq 'Logon'}) -ne $null
} | Select-Object TaskName, TaskPath, State

Get-Process | ForEach-Object {
try {
$path = $.Path
if ($path) {
$sig = Get-AuthenticodeSignature -FilePath $path
if ($sig.Status -ne 'Valid') { "{0,-28} {1}" -f $.ProcessName,$path }
}
} catch {}
}

• Isolate immediately (network off). Do not delete notes/keys.
• Identify the strain by note filename/extension; search for reputable free decryptors (many variants have none).
• Remove the malware first (run the layered scans above).
• Restore from backups (offline/cloud version history). Never restore over encrypted originals—copy to new locations.
• Change passwords from a clean device (email, banking, workplace SSO).
• Report the incident to local authorities where appropriate.

• System files are heavily modified or system tampering persists after cleanup.
• Credential theft suspected (banking, enterprise SSO, password managers).
• Re-infection occurs after multiple “clean” scans.

• Back up data only (no executables). Verify backups with an AV scan on a different machine.
• Reinstall Windows from a fresh official ISO.
• Patch Windows fully, then restore data.
• Reinstall apps from official vendors only.

• Keep Defender (or one AV) active; avoid dual AV.
• Enable SmartScreen, Exploit Protection, and Controlled Folder Access (test with your apps).
• Use a standard user account for daily work; reserve admin for maintenance.
• Turn on automatic updates for Windows and apps.

• Install minimal, trusted extensions only.
• Use built-in tracking protection; block third-party cookies.
• Consider a separate browser profile for banking.

• Keep 3-2-1 backups: 3 copies, 2 media, 1 off-site (versioned cloud helps defeat ransomware).
• Test restore quarterly.

• Be skeptical of “urgent” messages, attachments, and cracked software.
• Verify downloads via vendor sites; avoid search-ads for installers.
• Use MFA on email, banking, and password manager.

• Defender: Review Protection history; run a Full scan.
• Autoruns: Re-check Logon/Tasks/Services for re-added entries.
• Browsers: Audit extensions; reset unwanted changes.
• Event Viewer: Windows Defender/Operational for detections; Security for unusual logons.
• Updates: Patch Windows + apps; update Java/.NET/runtimes if you use them.