{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreicezqhllwr3bzz5sqzsmhyqnn5qurasjnv63p6jhw7zwzto4nlmjm",
"uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3mpa5a3nsytq2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreiajhwy5czsjbqntnoh3k5hmp5pbr46f5ifqf7bug7rafo2utyzhvu"
},
"mimeType": "image/webp",
"size": 565740
},
"path": "/masilrg/malware-on-your-machine-a-developers-complete-incident-response-guide-4hph",
"publishedAt": "2026-06-26T23:35:21.000Z",
"site": "https://dev.to",
"tags": [
"productivity",
"tutorial",
"beginners",
"webdev",
"ID Ransomware",
"NoMoreRansom.org"
],
"textContent": "## ๐ก๏ธ Your Computer Got Infected โ Now What? A Developer's Survival Guide to Malware Removal\n\n_A practical, no-BS walkthrough of detecting, containing, and eliminating malware โ with real scenarios and the commands that actually work._\n\nSo it happened. Your machine is acting weird. Maybe Chrome is opening tabs you didn't ask for. Maybe your CPU is pegged at 95% doing... nothing. Maybe your antivirus just screamed at you. Whatever it is, that sinking feeling in your stomach is valid โ but panic won't help. A methodical approach will.\n\nThis guide walks you through **exactly** what to do when your system is compromised, from initial triage to full recovery. I'll use real-world malware scenarios so you can match your situation to the right fix.\n\n## ๐จ First: Know the Signs of Infection\n\nBefore we dive into removal, let's confirm we're actually dealing with malware and not a failing hard drive or a runaway Chrome extension.\n\n**Common infection symptoms:**\n\n * Browser homepage changed without your input\n * Sluggish performance with abnormally high CPU/RAM/network usage\n * New toolbars, extensions, or programs you didn't install\n * Antivirus disabled or greyed out\n * Ransom notes appearing on your desktop (yes, really)\n * Your contacts receiving emails/DMs you never sent\n * System logs showing processes connecting to unknown IPs\n\n\n\nIf two or more of these apply to you โ keep reading. You've got a problem.\n\n## ๐ฌ Step 1: Don't Touch Anything Yet โ Observe First\n\n**Scenario:** You notice your system fan is running full blast at 2 AM while your computer is idle. You check Task Manager and see a process called `svchost32.exe` consuming 80% CPU.\n\n> ๐ด **Red flag:** Legitimate Windows processes don't have numbers in their name like that. `svchost.exe` is real; `svchost32.exe` is almost certainly a cryptominer or trojan.\n\n**What to do:**\n\nBefore you start killing processes or running scans, **document what you're seeing**. Take screenshots. Note the process names, PIDs, and any network connections.\n\n**On Windows (PowerShell, run as Admin):**\n\n\n\n # List all running processes with their full file paths\n Get-Process | Select-Object Name, Id, Path | Sort-Object Name | Format-Table -AutoSize\n\n # Check network connections and which process owns them\n netstat -b -n -o\n\n # See scheduled tasks (a favorite malware persistence trick)\n Get-ScheduledTask | Where-Object {$_.State -ne \"Disabled\"} | Select-Object TaskName, TaskPath\n\n\n**On macOS/Linux (Terminal):**\n\n\n\n # Full process list with CPU usage\n ps aux --sort=-%cpu | head -20\n\n # Active network connections\n sudo lsof -i -n -P | grep ESTABLISHED\n\n # Cron jobs (persistence mechanism)\n crontab -l\n cat /etc/cron* 2>/dev/null\n\n\n## ๐ Step 2: Isolate the Machine โ Cut the Network\n\n**Scenario:** You ran the `netstat` command above and see your machine making outbound connections to an IP in a country you've never visited. The process is `update_helper.exe` โ which you've never heard of.\n\nThis is classic **C2 (Command & Control) communication** โ your machine is \"phoning home\" to a remote attacker who may be exfiltrating your data right now.\n\n**Act immediately:**\n\n 1. **Disconnect from Wi-Fi** โ turn off the Wi-Fi adapter, don't just click disconnect\n 2. **Unplug the ethernet cable** if wired\n 3. **Do NOT shut down yet** โ live memory may contain forensic evidence (encryption keys, attacker IPs, etc.) you'll want if this is a serious breach\n 4. **On Windows:** Disable the NIC via Device Manager to be certain\n\n\n\n\n # Disable a specific network adapter (replace \"Ethernet\" with your adapter name)\n Disable-NetAdapter -Name \"Ethernet\" -Confirm:$false\n Disable-NetAdapter -Name \"Wi-Fi\" -Confirm:$false\n\n\n## ๐พ Step 3: Back Up โ But Be Careful What You Back Up\n\n**Scenario:** You have a ransomware infection (you'll know because your files now have extensions like `.locked`, `.encrypted`, or `.ryuk` and there's a `README_DECRYPT.txt` on your desktop).\n\n> โ ๏ธ **Critical warning:** Do NOT back up encrypted files as your only copy. Do NOT pay the ransom until you've checked for free decryptors (more on this later).\n\n**What to back up NOW (before any cleanup):**\n\n * Uninfected documents, photos, and project files (check that they open correctly)\n * Browser bookmarks (export them manually)\n * SSH keys, `.env` files, API credentials โ rotate these immediately after\n * Any database dumps or code repositories not already on GitHub/GitLab\n\n\n\n**What NOT to back up:**\n\n * Executable files (`.exe`, `.bat`, `.ps1`, `.sh`) from your system โ they may be infected\n * Your system restore points (may be compromised)\n * Browser extension data (could carry adware)\n\n\n\nUse an **external drive or a clean cloud upload** โ not another partition on the same disk.\n\n## ๐งน Step 4: Boot into Safe Mode and Run Your Scans\n\nMost malware is clever enough to defend itself while the OS is running normally โ it hides its processes and blocks antivirus updates. Safe Mode loads the bare minimum, making the malware easier to kill.\n\n**Boot into Safe Mode with Networking:**\n\n * **Windows 10/11:** Hold Shift โ click Restart โ Troubleshoot โ Advanced Options โ Startup Settings โ Restart โ Press F5\n * **macOS:** Hold Shift during startup (Apple Silicon: hold power button โ select startup disk โ hold Shift โ Continue in Safe Mode)\n * **Linux:** At GRUB menu, select recovery mode or add `single` to kernel boot parameters\n\n\n\n**Now run these โ in this order:**\n\n### 4a. Malwarebytes (Free Tier is sufficient)\n\nDownload from a clean device if needed. Malwarebytes is excellent at catching PUPs (Potentially Unwanted Programs), adware, trojans, and rootkits that traditional AV misses.\n\n\n\n # After install, run a Threat Scan โ it targets the most common infection locations:\n # - Running processes\n # - Startup entries\n # - Registry keys\n # - File system hotspots (%AppData%, %Temp%, %ProgramData%)\n\n\n### 4b. Windows Defender Offline Scan (Windows only)\n\nThis runs **before** Windows loads, catching bootkits and rootkits that hide at the OS level:\n\n\n\n # Run this from PowerShell as Admin โ it will schedule a pre-boot scan\n Start-MpWDOScan\n\n\n### 4c. RKill (Windows) โ Kill Malicious Processes First\n\nIf your scanner keeps getting blocked or your AV won't open, use RKill from BleepingComputer to terminate known malicious processes before scanning:\n\n\n\n # Run rkill.exe as Administrator\n # It will generate a log of everything it killed โ save this for later\n\n\n## ๐ Step 5: Manual Investigation โ Go Deeper\n\nAutomated scanners miss things. Here's how developers should manually investigate.\n\n### Check Startup Entries\n\n**Scenario:** Your browser keeps opening a casino website every time Windows starts, even after you've reset your homepage.\n\n\n\n # Windows: Check all autorun locations\n # Sysinternals Autoruns is the gold standard โ download it from Microsoft\n autoruns.exe # Run as Admin, look for entries highlighted in red or yellow\n\n # Via PowerShell:\n Get-CimInstance -Class Win32_StartupCommand | Select-Object Name, Command, Location\n\n\n\n # macOS โ LaunchAgents are a common persistence location\n ls -la ~/Library/LaunchAgents/\n ls -la /Library/LaunchAgents/\n ls -la /Library/LaunchDaemons/\n\n # Linux โ systemd services\n systemctl list-units --type=service --state=running\n ls /etc/systemd/system/\n\n\n### Inspect the Hosts File\n\nMalware often hijacks your `hosts` file to redirect legitimate sites (like your bank) to phishing clones.\n\n\n\n # Windows\n notepad C:\\Windows\\System32\\drivers\\etc\\hosts\n\n # macOS/Linux\n cat /etc/hosts\n\n\nA clean hosts file should only have `127.0.0.1 localhost` and `::1 localhost` entries. Anything pointing to external IPs is suspicious.\n\n### Check Browser Extensions\n\n**Scenario:** Your colleague clicked a \"free PDF converter\" Chrome extension and now everyone in the office is seeing ads injected into every website.\n\n\n\n Chrome: chrome://extensions/\n Firefox: about:addons\n Edge: edge://extensions/\n\n\nRemove anything you don't recognize or haven't intentionally installed. Even legitimate-looking extensions (e.g., \"Grammar Checker Pro\") can be malicious if they were silently installed.\n\n## ๐ Step 6: Ransomware โ Specific Response Plan\n\nRansomware deserves its own section because the response is different.\n\n**Before paying anything:**\n\n 1. **Identify the ransomware strain** โ upload the ransom note and a sample encrypted file to ID Ransomware\n 2. **Check for free decryptors** at NoMoreRansom.org โ law enforcement has cracked keys for dozens of strains including Ryuk, WannaCry variants, and Dharma\n 3. **Preserve the encrypted files** โ even if there's no decryptor today, one may exist in 6 months\n 4. **Report to authorities** โ in the US: IC3.gov, in the EU: your national CERT\n\n\n\n**If you have Volume Shadow Copies enabled (Windows):**\n\n\n\n # Check if shadow copies exist (ransomware often deletes these โ check anyway)\n vssadmin list shadows\n\n # If they exist, you can restore individual files via:\n # Right-click file โ Properties โ Previous Versions tab\n\n\n## ๐ Step 7: Remove and Remediate\n\nOnce you've identified the malware, it's time to remove it cleanly.\n\n### Registry Cleanup (Windows)\n\n\n # Always back up the registry before editing\n reg export HKLM\\SOFTWARE backup_HKLM_SOFTWARE.reg\n\n # Common malware persistence locations to inspect:\n # HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n # HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n # HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n\n regedit # Navigate manually and delete suspicious entries\n\n\n### Reset DNS Settings\n\nMalware often changes your DNS to a rogue server that intercepts your traffic.\n\n\n\n # Windows โ reset DNS to automatic (DHCP)\n netsh interface ip set dns \"Ethernet\" dhcp\n netsh interface ip set dns \"Wi-Fi\" dhcp\n ipconfig /flushdns\n\n # Or set to a trusted public DNS\n netsh interface ip set dns \"Wi-Fi\" static 1.1.1.1 # Cloudflare\n\n\n\n # macOS\n networksetup -setdnsservers Wi-Fi 1.1.1.1 8.8.8.8\n\n # Linux\n echo \"nameserver 1.1.1.1\" | sudo tee /etc/resolv.conf\n\n\n### Reset Browser Settings\n\n\n Chrome: Settings โ Reset and clean up โ Restore settings to original defaults\n Firefox: Help โ More Troubleshooting Information โ Refresh Firefox\n\n\n## ๐งฑ Step 8: Rebuild Trust โ Rotate Everything\n\n**Scenario:** You found a keylogger on your machine. It's been running for 3 weeks.\n\nAssume **every password you typed is compromised.** Assume **every SSH session you opened is compromised.** Act accordingly.\n\n**Immediate credential rotation checklist:**\n\n * [ ] Change your email password (from a clean device first)\n * [ ] Enable 2FA on all accounts if not already on\n * [ ] Rotate all SSH keys: `ssh-keygen -t ed25519 -C \"post-incident-$(date +%Y%m%d)\"`\n * [ ] Revoke and regenerate all API keys (AWS, GitHub, Stripe, etc.)\n * [ ] Rotate database credentials and connection strings\n * [ ] Invalidate all active sessions (GitHub: Settings โ Sessions โ Revoke all)\n * [ ] Check your GitHub/GitLab for any unauthorized commits or OAuth apps\n * [ ] Notify your team if you share any services\n\n\n\n## โ
Step 9: Verify and Harden\n\nYou've cleaned up. Now let's make sure it doesn't happen again.\n\n### Verify the Cleanup\n\n\n # Run a final Malwarebytes scan\n # Run Windows Defender Full Scan\n # Recheck netstat for unexpected connections\n netstat -b -n | findstr ESTABLISHED\n\n # Verify no new scheduled tasks appeared\n Get-ScheduledTask | Where-Object {$_.Date -gt (Get-Date).AddDays(-7)}\n\n\n### Harden Going Forward\n\n\n # Windows: Enable Controlled Folder Access (blocks ransomware from encrypting your files)\n Set-MpPreference -EnableControlledFolderAccess Enabled\n\n # Enable audit logging\n auditpol /set /subcategory:\"Process Creation\" /success:enable /failure:enable\n\n\n\n # Linux: Install and configure fail2ban\n sudo apt install fail2ban\n sudo systemctl enable fail2ban\n\n # Enable automatic security updates\n sudo apt install unattended-upgrades\n sudo dpkg-reconfigure unattended-upgrades\n\n\n**Universal hardening tips:**\n\n * Use a password manager โ stop reusing passwords\n * Keep your OS and apps updated (most infections exploit known, patched vulnerabilities)\n * Use a standard (non-admin) user account for daily use\n * Enable full-disk encryption: BitLocker (Windows), FileVault (macOS), LUKS (Linux)\n * Run a DNS-level blocker like Pi-hole or use NextDNS to block malicious domains before they load\n\n\n\n## ๐งจ Nuclear Option: When to Just Reinstall\n\nSometimes the malware is too deeply embedded โ rootkits that survive OS reinstalls by hiding in the bootloader or firmware, for instance. Here's when to wipe and start fresh:\n\n * You found a **bootkit** or **UEFI malware** (rare, but it exists โ tools like `chkrootkit` or `rkhunter` on Linux can detect these)\n * The infection is **more than a few weeks old** and you can't determine the full scope\n * You found a **Remote Access Trojan (RAT)** โ assume total compromise\n * You're a **high-value target** (developer with production access, finance, healthcare) and you can't be 100% certain of a clean state\n\n\n\n\n # If reinstalling Windows, use the \"Remove everything\" option with \"Remove files and clean the drive\"\n # This does multiple overwrite passes โ more thorough than a quick format\n\n # On Linux, reinstall from a verified ISO (check the SHA256 hash)\n sha256sum ubuntu-24.04-desktop-amd64.iso\n # Compare against the hash published on ubuntu.com\n\n\n## ๐ Quick Reference: Incident Response Checklist\n\n\n DETECT\n [ ] Identify symptoms\n [ ] Document process names, PIDs, network connections\n\n CONTAIN\n [ ] Disconnect from network\n [ ] Do NOT shut down (preserve forensics)\n [ ] Photograph/screenshot everything\n\n COLLECT\n [ ] Back up clean data to external drive\n [ ] Export browser bookmarks\n [ ] Note all installed software\n\n ANALYZE\n [ ] Boot into Safe Mode\n [ ] Run Malwarebytes + Windows Defender Offline\n [ ] Check startup entries, hosts file, browser extensions\n [ ] Identify malware strain (ID Ransomware for ransomware)\n\n REMOVE\n [ ] Delete malicious files/registry entries\n [ ] Remove suspicious extensions and software\n [ ] Reset DNS, reset browser settings\n\n RECOVER\n [ ] Rotate all credentials from a clean device\n [ ] Revoke SSH keys, API keys, OAuth tokens\n [ ] Notify team if shared services were affected\n [ ] Report to authorities if data was exfiltrated\n\n HARDEN\n [ ] Enable full-disk encryption\n [ ] Enable Controlled Folder Access / equivalent\n [ ] Set up automatic OS updates\n [ ] Deploy DNS-level filtering\n [ ] Review and tighten user privileges\n\n\n## ๐ง Final Thoughts\n\nGetting hit with malware is frustrating, but it's survivable if you stay calm and methodical. The biggest mistakes people make are:\n\n 1. **Panicking and shutting down immediately** โ you lose volatile forensic data\n 2. **Trusting a single scanner** โ layer your tools\n 3. **Stopping at \"virus removed\"** โ the malware got in somehow; find and close that door\n 4. **Skipping credential rotation** โ this is how one infection turns into an account takeover six weeks later\n\n\n\nThe developers who handle incidents best treat them like debugging sessions: gather data, form a hypothesis, test it, repeat. Your machine is just another system to troubleshoot โ and you're good at troubleshooting.\n\nStay safe out there. ๐\n\n_Have a specific malware scenario that isn't covered here? Drop it in the comments โ I read everything._\n\n_Tags:`#security` `#cybersecurity` `#tutorial` `#devops`_",
"title": "Malware on Your Machine: A Developer's Complete Incident Response Guide"
}