Detect and remove Windows malware

This is how you can recognize Windows malware yourself

Despite advanced antivirus programs and robust security systems, malware and hackers continue to find ways to bypass these lines of defense. In this article, we delve deeper into the world of malware to understand why traditional antivirus programs sometimes reach their limits and how you can become the guardian of your own digital security.

Antivirus programs play a critical role in preventing many types of malware, but they are not infallible. Modern malware, especially malware that is considered “fileless,” does not leave traditional files on the hard drive. Instead, the malicious code resides in memory or misuses legitimate operating system tools and processes to carry out its activities. These tactics make it difficult for antivirus programs to detect it because there are no typical file signatures to respond to.

Additionally, attackers often use a strategy that puts the malware into "sleep mode." It remains inactive until certain conditions are met, thereby avoiding initial detection by security software.

To effectively combat these sophisticated threats, it is important to have the tools and knowledge to detect unusual activity yourself. These include suspicious TCP connections to unknown IP addresses, unusual processes or changes in normally trusted applications, and the appearance of processes that use high resources or perform unexpected system activities.

In this article we explain how to follow the traces of the malware and remove it yourself. To do this, we use free tools such as TCPView, Process Monitor and Process Explorer to monitor and analyze network connections and process activities, and we follow suspicious system activity in the Windows event logs in order to reconstruct the potential infection chain and, in the best case, break it. These tools are available for free and are part of Microsoft's Sysinternals suite.

The subtext of this article is not to negate the need for antivirus software, but to increase our own vigilance and understanding to close the gaps that software alone cannot cover.


Installing the necessary tools

The tools required are part of Microsoft's free Sysinternals Suite.
Download the suite as a zip archive and unzip the folder.
No further installation is necessary; you can simply start each tool with a double click. (Sysinternals Suite zip archive)

The following Sysinternals tools are used:

1. TCPView (TCPView.exe) - network analysis

2. Process Explorer (Procexp.exe) - System process analysis and tracking

3. Process Monitor (Procmon.exe) - trace system processes

4. RegDelNull (RegDelNull.exe) - Delete stubborn registry entries

5. Autoruns (autoruns.exe) - Lists all automatically starting programs

Phase 1: Analysis of system and network

Tip: If possible, close all applications that are not needed; this makes it easier to analyze the system.

Identify suspicious IP addresses (TCP connections) with TCPView

TCPView

1. Detecting unusual or foreign IP addresses:
Launch TCPView and look for connections to IP addresses or hostnames that seem unfamiliar, especially if they are registered in countries you don't normally connect to.

2. IP address or hostname verification:
Use online services such as VirusTotal, AbuseIPDB, or Whois to check the reputation of an IP address.
These services can give you information about the activity and reputation of an IP address.

3. Observation of connection frequency and duration:
Frequent and prolonged connections to an unknown IP address may indicate unwanted or malicious activity.


Typical characteristics of suspicious connections

1. High network activity at unusual times

Activities that occur outside of normal usage hours may be suspicious.

2. Lots of outgoing connections

A large number of connections originating from your system, especially if they are directed to different IP addresses, could indicate malware.

3. Unexplained connections

Connections that serve no obvious purpose or cannot be explained by open programs deserve special attention.


Write down any IP addresses or connections that seem strange to you with as much information as possible, e.g. the owning process and its PID.
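As an added example (not part of the original article), the same view TCPView gives you can be produced in PowerShell: established TCP connections joined to their owning process, with loopback and private addresses filtered out, and a count of connections per remote address to spot the "lots of outgoing connections" pattern. It assumes Windows PowerShell 5.1 or later on Windows 8/Server 2012 or newer (for Get-NetTCPConnection); run it elevated so the paths of system processes are readable.

```powershell
# Loopback, link-local, RFC 1918 and unspecified addresses are not "foreign" and are skipped
function Test-PrivateAddress {
    param([string]$Address)
    return ($Address -match '^(127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2[0-9]|3[01])\.|0\.0\.0\.0$|::1$|::$|fe80:)')
}

function Get-ForeignConnections {
    Get-NetTCPConnection -State Established |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        ForEach-Object {
            # Resolve the owning PID to a process; it may already have exited
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                PID           = $_.OwningProcess
                Process       = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path          = if ($proc) { $proc.Path } else { $null }
            }
        }
}

$connections = Get-ForeignConnections

# One line per connection: note process, PID and path for Phase 2
$connections | Sort-Object RemoteAddress | Format-Table -AutoSize

# Remote addresses with many simultaneous connections deserve a closer look
$connections | Group-Object RemoteAddress |
    Where-Object { $_.Count -ge 5 } |
    Sort-Object Count -Descending |
    Select-Object @{ Name = 'RemoteAddress'; Expression = { $_.Name } }, Count
```

A Path of $null with a valid PID usually means the process runs under another account and the shell was not elevated.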

Phase 2: Investigating suspicious processes of TCP connections with Process Explorer

Combining the network investigation in TCPView with a Process Explorer analysis of the processes behind the strange connections is a powerful way to detect, track, and understand suspicious activity and potentially malicious processes on your Windows system.

If you have identified unusual or suspicious connections in TCPView, you can use the Process ID (PID) of those connections to get more detailed information about the associated processes in Process Explorer.

Start Process Explorer and look in the process list for the PID that you previously noted in TCPView.
You can use Process Explorer's search function by entering the PID in the search field to find the process faster.

Process Explorer

Carry out detailed analysis of the process

Click on the identified process to get detailed information.
In the lower half of the Process Explorer window you will now see the process details, including the loaded DLLs and the opened handles.
Make a note of the corresponding DLLs and handles, they could be useful later for tracing.


Check for irregularities

Look for anomalies such as unknown DLLs, unusual process file locations, or high resource usage that does not match normal operating conditions.
Check the digital signature status of the process.
Unsigned processes or processes signed by unknown publishers deserve special attention.

Typical storage locations:

These locations are common directories where programs and processes store their files. They are often the target of routine scans by security software:

Windows system directory: C:\Windows\System32 for 32-bit system files and C:\Windows\SysWOW64 for 64-bit system files on 64-bit systems.

Program files: C:\Program Files (or C:\Programme on German-speaking systems) and C:\Program Files (x86) for 32-bit applications on a 64-bit system.

User profiles: C:\Users\[username], specifically the Application Data (AppData) folder, which contains local settings, configuration files, and temporary files.

Unusual storage locations

Malware can hide in unusual places to avoid detection. Some examples of such locations are:

Temporary directories: C:\Windows\Temp or the Temp folder in the user profile. While these directories contain legitimate temporary files, they can also be abused by malware.

Windows Directory: Aside from System32 and SysWOW64, unusual or unknown files directly in the C:\Windows directory can be a sign of malware.

Restore points directory: System restore points can be manipulated by malware to store malicious files. These are typically located in a hidden folder within System Volume Information.

Registry: While this is not a physical "location", the registry can be used to store malicious scripts or commands that are executed at system startup.

Alternative Data Streams: NTFS, Windows' file system, allows data to be stored in alternative data streams of a file. These are often missed by antivirus programs and can be used by malware.
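As an added example (not from the article), the checks described in this phase for one PID noted in TCPView can be scripted: image path, whether that path is one of the unusual locations listed above, the Authenticode signature as shown in Process Explorer's Verified Signer column, loaded DLLs without a valid signature, and alternate data streams on the image file. It assumes PowerShell 5.1 or later, run elevated; the PID 4321 is a placeholder.

```powershell
function Get-ProcessReport {
    param([Parameter(Mandatory)][int]$ProcessId)

    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    $path = $proc.Path              # $null when the image cannot be read (access denied)
    if (-not $path) { throw "Image path of PID $ProcessId not readable; run elevated." }
    $dir = Split-Path -Path $path -Parent

    # Unusual locations from the text: Temp folders, files placed directly in C:\Windows,
    # and the hidden restore point folder
    $unusualDirs = @("$env:SystemRoot\Temp", "$env:LOCALAPPDATA\Temp", $env:SystemRoot)
    $inUnusual = ($unusualDirs -contains $dir) -or ($path -like '*\System Volume Information\*')

    # Digital signature of the image
    $sig = Get-AuthenticodeSignature -FilePath $path

    # Loaded DLLs whose signature is missing or invalid (reading modules can fail
    # across the 32/64-bit boundary, hence the try/catch)
    $unsignedModules = @()
    try {
        $unsignedModules = $proc.Modules |
            Where-Object { $_.FileName -and ((Get-AuthenticodeSignature -FilePath $_.FileName).Status -ne 'Valid') } |
            Select-Object -ExpandProperty FileName
    } catch { $unsignedModules = @("<modules not readable: $($_.Exception.Message)>") }

    # Alternate data streams on the image file; only the default :$DATA stream is normal
    $ads = Get-Item -Path $path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } | Select-Object -ExpandProperty Stream

    [pscustomobject]@{
        PID               = $proc.Id
        Name              = $proc.ProcessName
        Path              = $path
        InUnusualLocation = $inUnusual
        SignatureStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer            = $sig.SignerCertificate.Subject
        UnsignedModules   = @($unsignedModules)
        AlternateStreams  = @($ads)
        StartTime         = $proc.StartTime
    }
}

# 4321 is a placeholder for the PID you noted in TCPView
Get-ProcessReport -ProcessId 4321 | Format-List
```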

Validate your results with research

It is important to distinguish between normal system processes and harmful processes, which is why you should always research your assumptions to avoid falling for false positives.
If you identify a process as suspicious, it is advisable to obtain additional information about it. A quick online search of the process name and publisher can help you determine whether it is legitimate software or potential malware.

Phase 3: Tracing the malware using the Windows Event Viewer

Once you have determined that a process is harmful, you can trace it back to its origin.
The Windows Event Viewer stores logs of various system activities and can provide clues to the origin of a malicious process.

Event Viewer

1. Access Event Viewer
Open the Event Viewer by searching for “Event Viewer” in the Start menu or typing “eventvwr.msc” in the Run window (Windows Key + R).

2. Review security logs
Focus on the security logs under Windows Logs. Search for events associated with the creation of new processes, especially events that coincide with the discovery of the suspicious process.

3. Search for anomalies
Watch for events involving unusual or unknown applications, especially those that started without user interaction.
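As an added example (not from the article), the process creation events this step has you look for can be pulled from the Security log with PowerShell: Event ID 4688, "A new process has been created", in a window around the time you noticed the suspect process, showing new process, parent, user and command line. It assumes an elevated PowerShell 5.1+ session, that the "Audit Process Creation" audit policy is enabled (otherwise there are no 4688 events), and for the CommandLine column that "Include command line in process creation events" is enabled as well; the time and filter in the example call are constructed.

```powershell
function Get-ProcessCreationEvents {
    param(
        [Parameter(Mandatory)][datetime]$Around,   # when you discovered the suspicious process
        [int]$MinutesBefore = 30,
        [int]$MinutesAfter  = 5,
        [string]$NameFilter = '*'                   # wildcard on the new process path, e.g. '*\Temp\*'
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $Around.AddMinutes(-$MinutesBefore)
        EndTime   = $Around.AddMinutes($MinutesAfter)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        # EventData fields are read from the event XML by their Name attribute
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            NewProcess  = $data['NewProcessName']
            NewPID      = [Convert]::ToInt32($data['NewProcessId'], 16)   # logged as hex, e.g. 0x1a2c
            Parent      = $data['ParentProcessName']                       # Windows 10 / Server 2016 and later
            ParentPID   = [Convert]::ToInt32($data['ProcessId'], 16)       # PID of the creating process
            User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            CommandLine = $data['CommandLine']
        }
    } | Where-Object { $_.NewProcess -like $NameFilter }
}

# Constructed example call: everything started from a Temp folder in the half hour before 14:05 today
Get-ProcessCreationEvents -Around (Get-Date '14:05') -NameFilter '*\Temp\*' |
    Sort-Object Time | Format-Table -AutoSize
```

Processes started without user interaction often show a service or scheduled task host as Parent; follow ParentPID back through earlier 4688 events to continue the chain.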

Phase 3: Trace back to the original trigger using the Sysinternals Process Monitor

Process Monitor is an advanced monitoring tool that shows file system, registry and process/thread activity in real time.
It can be used to analyze the activities of a malicious process in more detail.

Process Monitor

1. Filter events:
To reduce the amount of data displayed, set filters to only show the activity of the suspicious process. You can set filters for process ID (PID), process name, or other relevant criteria.

2. Analysis of process activities:
Examine the recorded activities to understand what actions the process performed. Pay particular attention to file operations, network activity, and registry changes.

3. Tracing the origin:
Search for information about the parent process of the suspect process.
This can help you identify the source of the execution, for example a legitimate application that was compromised or a malicious file that initiated the process.

Use the information collected to create a complete picture of activities and relationships.
Identify the origin of the malicious process and understand how it started.
This can help you break the chain of infection and prevent future attacks.
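The parent relationships this step has you follow in Process Monitor can also be walked for a still-running process, as an added example not from the article: starting at a suspicious PID, WMI/CIM is queried for each parent in turn until the chain ends or a parent has exited. Because Windows reuses PIDs, a supposed parent that started after its child is flagged rather than trusted. Assumes PowerShell 5.1+ run elevated; 4321 is a placeholder PID.

```powershell
function Get-ParentChain {
    param([Parameter(Mandatory)][int]$ProcessId)

    $chain = @()
    $pidToCheck = $ProcessId
    $childStart = $null
    while ($pidToCheck -gt 0) {
        $p = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $pidToCheck"
        if (-not $p) {
            # Parent already exited: the chain ends here (check the 4688 events for it)
            $chain += [pscustomobject]@{ PID = $pidToCheck; Name = '<no longer running>'; Path = $null; CommandLine = $null; Started = $null }
            break
        }
        $start = $p.CreationDate    # Get-CimInstance returns CreationDate as [datetime]
        if (($null -ne $childStart) -and ($start -gt $childStart)) {
            # PID reuse: this process started after its supposed child, so it is not the real parent
            $chain += [pscustomobject]@{ PID = $pidToCheck; Name = "<PID reused by $($p.Name)>"; Path = $null; CommandLine = $null; Started = $start }
            break
        }
        $chain += [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
            Started     = $start
        }
        $childStart = $start
        $pidToCheck = $p.ParentProcessId
    }
    # Oldest ancestor first, the suspect process last
    [array]::Reverse($chain)
    return $chain
}

# 4321 is a placeholder for the PID identified in Phase 1
Get-ParentChain -ProcessId 4321 | Format-Table -AutoSize
```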

Phase 4: Cleanup and Prevention

Now that the actual origin of the malicious process has been identified, the removal of the malicious files begins.

1. Remove the malicious software
Delete the malicious process's source files and all associated components.

2. Run a full system scan
Use an updated antivirus program to scan the system and make sure there are no other infections.

3. Strengthen security measures
Review your security settings and install updates for your operating system and all applications to address known security vulnerabilities.

In addition to these steps, you should consider the following practices to increase the security of your system and prevent reinfections:

Cleaning up null entries in the registry with RegDelNull

RegDelNull is another useful Sysinternals tool specifically designed to remove stubborn registry keys that bypass conventional deletion methods by inserting null characters into their names. Malware, including some variants of fileless malware, can use such techniques to protect its registry entries from detection and removal. With RegDelNull you can detect and remove these hidden entries to ensure a thorough clean of the system.

Using Autoruns to check startup entries

Autoruns is one of the most comprehensive tools for viewing startup configurations. It allows users to see all programs that start automatically when the computer boots or the user logs in. This includes applications, drivers, services, and components in the Windows registry.

Autoruns

Autoruns provides the ability to identify and disable unwanted or malicious startup entries, which is a critical step in minimizing the risk of reinfection.
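As an added example (not from the article), a small slice of what Autoruns shows, the Run and RunOnce keys for the machine and the current user, can be listed in PowerShell together with the signature status of each launched executable, so that unsigned or missing files stand out. It assumes PowerShell 5.1 or later; the executable is taken as the quoted first token of the command or, if unquoted, everything up to the first ".exe".

```powershell
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        $item = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $command = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            # Executable path: quoted first token, otherwise up to the first ".exe"
            if ($command -match '^"([^"]+)"')   { $exe = $Matches[1] }
            elseif ($command -match '^(.+?\.exe)') { $exe = $Matches[1] }
            else { $exe = $command }

            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $status = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileMissing' }
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Executable = $exe
                Command    = $command
                Signature  = $status
            }
        }
    }
}

# Entries whose executable is unsigned, tampered or missing deserve a closer look
Get-RunKeyEntries | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Autoruns itself also covers services, drivers, scheduled tasks and many other launch points that this list does not; use it for the full picture.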


4. Restart your system in Safe Mode

Press the Windows logo key + I on the keyboard to open Settings. If that doesn't work, select the Start button and then Settings.

Select System > Recovery.

Under Recovery options, next to Advanced startup, select Restart now.

After your PC restarts, on the Choose an option screen, select the following:

Troubleshoot > Advanced options > Startup Settings > Restart.

You may be asked to enter the BitLocker recovery key if you have one set up.


Furthermore, these best practices should always be observed:

  • Regularly update all security software and the operating system to close security gaps.
  • Use safe browser settings, including pop-up blockers and disabling JavaScript on untrustworthy sites.
  • Learn to recognize phishing attacks to avoid falling victim to scams.
  • Use strong, unique passwords and, where possible, two-factor authentication.
  • Regularly create backups of important data to enable rapid recovery in the event of an infection.
  • Be careful when downloading and installing unknown software or opening email attachments.
  • Use network security tools such as firewalls and intrusion detection systems (IDS).
  • Isolate infected systems from the network to prevent further spread of malware.
  • Report security incidents to the appropriate authorities, particularly ransomware attacks.
  • Keep educating yourself on current threats and cybersecurity best practices.

Tracing a malicious process to its source requires careful analysis and patience, but is a crucial step in keeping your system safe and preventing future infections.