{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreicezqhllwr3bzz5sqzsmhyqnn5qurasjnv63p6jhw7zwzto4nlmjm",
    "uri": "at://did:plc:25rdn5elo5izoxrmtis34zuk/app.bsky.feed.post/3mpa5a3nsytq2"
  },
  "coverImage": {
    "$type": "blob",
    "ref": {
      "$link": "bafkreiajhwy5czsjbqntnoh3k5hmp5pbr46f5ifqf7bug7rafo2utyzhvu"
    },
    "mimeType": "image/webp",
    "size": 565740
  },
  "path": "/masilrg/malware-on-your-machine-a-developers-complete-incident-response-guide-4hph",
  "publishedAt": "2026-06-26T23:35:21.000Z",
  "site": "https://dev.to",
  "tags": [
    "productivity",
    "tutorial",
    "beginners",
    "webdev",
    "ID Ransomware",
    "NoMoreRansom.org"
  ],
  "textContent": "## 🛡️ Your Computer Got Infected — Now What? A Developer's Survival Guide to Malware Removal\n\n_A practical, no-BS walkthrough of detecting, containing, and eliminating malware — with real scenarios and the commands that actually work._\n\nSo it happened. Your machine is acting weird. Maybe Chrome is opening tabs you didn't ask for. Maybe your CPU is pegged at 95% doing... nothing. Maybe your antivirus just screamed at you. Whatever it is, that sinking feeling in your stomach is valid — but panic won't help. A methodical approach will.\n\nThis guide walks you through **exactly** what to do when your system is compromised, from initial triage to full recovery. I'll use real-world malware scenarios so you can match your situation to the right fix.\n\n## 🚨 First: Know the Signs of Infection\n\nBefore we dive into removal, let's confirm we're actually dealing with malware and not a failing hard drive or a runaway Chrome extension.\n\n**Common infection symptoms:**\n\n  * Browser homepage changed without your input\n  * Sluggish performance with abnormally high CPU/RAM/network usage\n  * New toolbars, extensions, or programs you didn't install\n  * Antivirus disabled or greyed out\n  * Ransom notes appearing on your desktop (yes, really)\n  * Your contacts receiving emails/DMs you never sent\n  * System logs showing processes connecting to unknown IPs\n\nIf two or more of these apply to you — keep reading. You've got a problem.\n\n## 🔬 Step 1: Don't Touch Anything Yet — Observe First\n\n**Scenario:** You notice your system fan is running full blast at 2 AM while your computer is idle. You check Task Manager and see a process called `svchost32.exe` consuming 80% CPU.\n\n> 🔴 **Red flag:** Legitimate Windows processes don't have numbers in their name like that. `svchost.exe` is real; `svchost32.exe` is almost certainly a cryptominer or trojan.\n\n**What to do:**\n\nBefore you start killing processes or running scans, **document what you're seeing**. Take screenshots. Note the process names, PIDs, and any network connections.\n\n**On Windows (PowerShell, run as Admin):**\n\n    # List all running processes with their full file paths\n    Get-Process | Select-Object Name, Id, Path | Sort-Object Name | Format-Table -AutoSize\n\n    # Check network connections and which process owns them\n    netstat -b -n -o\n\n    # See scheduled tasks (a favorite malware persistence trick)\n    Get-ScheduledTask | Where-Object {$_.State -ne \"Disabled\"} | Select-Object TaskName, TaskPath\n\n**On macOS/Linux (Terminal):**\n\n    # Full process list sorted by CPU usage (GNU ps; on macOS use: ps aux -r | head -20)\n    ps aux --sort=-%cpu | head -20\n\n    # Active network connections\n    sudo lsof -i -n -P | grep ESTABLISHED\n\n    # Cron jobs (persistence mechanism) — the user crontab, the system crontab and the drop-in directory\n    crontab -l\n    cat /etc/crontab /etc/cron.d/* 2>/dev/null\n\n## 🔌 Step 2: Isolate the Machine — Cut the Network\n\n**Scenario:** You ran the `netstat` command above and see your machine making outbound connections to an IP in a country you've never visited. The process is `update_helper.exe` — which you've never heard of.\n\nThis is classic **C2 (Command & Control) communication** — your machine is \"phoning home\" to a remote attacker who may be exfiltrating your data right now.\n\n**Act immediately:**\n\n  1. **Disconnect from Wi-Fi** — turn off the Wi-Fi adapter, don't just click disconnect\n  2. **Unplug the ethernet cable** if wired\n  3. **Do NOT shut down yet** — live memory may contain forensic evidence (encryption keys, attacker IPs, etc.) you'll want if this is a serious breach\n  4. **On Windows:** Disable the NIC via Device Manager to be certain\n\n    # Disable a specific network adapter (replace \"Ethernet\" with your adapter name)\n    Disable-NetAdapter -Name \"Ethernet\" -Confirm:$false\n    Disable-NetAdapter -Name \"Wi-Fi\" -Confirm:$false\n\n## 💾 Step 3: Back Up — But Be Careful What You Back Up\n\n**Scenario:** You have a ransomware infection (you'll know because your files now have extensions like `.locked`, `.encrypted`, or `.ryuk` and there's a `README_DECRYPT.txt` on your desktop).\n\n> ⚠️ **Critical warning:** Do NOT back up encrypted files as your only copy. Do NOT pay the ransom until you've checked for free decryptors (more on this later).\n\n**What to back up NOW (before any cleanup):**\n\n  * Uninfected documents, photos, and project files (check that they open correctly)\n  * Browser bookmarks (export them manually)\n  * SSH keys, `.env` files, API credentials — rotate these immediately after\n  * Any database dumps or code repositories not already on GitHub/GitLab\n\n**What NOT to back up:**\n\n  * Executable files (`.exe`, `.bat`, `.ps1`, `.sh`) from your system — they may be infected\n  * Your system restore points (may be compromised)\n  * Browser extension data (could carry adware)\n\nUse an **external drive or a clean cloud upload** — not another partition on the same disk.\n\n## 🧹 Step 4: Boot into Safe Mode and Run Your Scans\n\nMost malware is clever enough to defend itself while the OS is running normally — it hides its processes and blocks antivirus updates. Safe Mode loads the bare minimum, making the malware easier to kill.\n\n**Boot into Safe Mode with Networking:**\n\n  * **Windows 10/11:** Hold Shift → click Restart → Troubleshoot → Advanced Options → Startup Settings → Restart → Press F5\n  * **macOS:** Hold Shift during startup (Apple Silicon: hold power button → select startup disk → hold Shift → Continue in Safe Mode)\n  * **Linux:** At GRUB menu, select recovery mode or add `single` to kernel boot parameters\n\n**Now run these — in this order:**\n\n### 4a. Malwarebytes (Free Tier is sufficient)\n\nDownload from a clean device if needed. Malwarebytes is excellent at catching PUPs (Potentially Unwanted Programs), adware, trojans, and rootkits that traditional AV misses.\n\n    # After install, run a Threat Scan — it targets the most common infection locations:\n    # - Running processes\n    # - Startup entries\n    # - Registry keys\n    # - File system hotspots (%AppData%, %Temp%, %ProgramData%)\n\n### 4b. Windows Defender Offline Scan (Windows only)\n\nThis runs **before** Windows loads, catching bootkits and rootkits that hide at the OS level:\n\n    # Run this from PowerShell as Admin — it will schedule a pre-boot scan\n    Start-MpWDOScan\n\n### 4c. RKill (Windows) — Kill Malicious Processes First\n\nIf your scanner keeps getting blocked or your AV won't open, use RKill from BleepingComputer to terminate known malicious processes before scanning:\n\n    # Run rkill.exe as Administrator\n    # It will generate a log of everything it killed — save this for later\n\n## 🔍 Step 5: Manual Investigation — Go Deeper\n\nAutomated scanners miss things. Here's how developers should manually investigate.\n\n### Check Startup Entries\n\n**Scenario:** Your browser keeps opening a casino website every time Windows starts, even after you've reset your homepage.\n\n    # Windows: Check all autorun locations\n    # Sysinternals Autoruns is the gold standard — download it from Microsoft\n    autoruns.exe  # Run as Admin, look for entries highlighted in red or yellow\n\n    # Via PowerShell:\n    Get-CimInstance -Class Win32_StartupCommand | Select-Object Name, Command, Location\n\n    # macOS — LaunchAgents are a common persistence location\n    ls -la ~/Library/LaunchAgents/\n    ls -la /Library/LaunchAgents/\n    ls -la /Library/LaunchDaemons/\n\n    # Linux — systemd services\n    systemctl list-units --type=service --state=running\n    ls /etc/systemd/system/\n\n### Inspect the Hosts File\n\nMalware often hijacks your `hosts` file to redirect legitimate sites (like your bank) to phishing clones.\n\n    # Windows\n    notepad C:\\Windows\\System32\\drivers\\etc\\hosts\n\n    # macOS/Linux\n    cat /etc/hosts\n\nA clean hosts file should only have `127.0.0.1 localhost` and `::1 localhost` entries. Anything pointing to external IPs is suspicious.\n\n### Check Browser Extensions\n\n**Scenario:** Your colleague clicked a \"free PDF converter\" Chrome extension and now everyone in the office is seeing ads injected into every website.\n\n    Chrome:  chrome://extensions/\n    Firefox: about:addons\n    Edge:    edge://extensions/\n\nRemove anything you don't recognize or haven't intentionally installed. Even legitimate-looking extensions (e.g., \"Grammar Checker Pro\") can be malicious if they were silently installed.\n\n## 🔐 Step 6: Ransomware — Specific Response Plan\n\nRansomware deserves its own section because the response is different.\n\n**Before paying anything:**\n\n  1. **Identify the ransomware strain** — upload the ransom note and a sample encrypted file to ID Ransomware\n  2. **Check for free decryptors** at NoMoreRansom.org — law enforcement has cracked keys for dozens of strains including Ryuk, WannaCry variants, and Dharma\n  3. **Preserve the encrypted files** — even if there's no decryptor today, one may exist in 6 months\n  4. **Report to authorities** — in the US: IC3.gov, in the EU: your national CERT\n\n**If you have Volume Shadow Copies enabled (Windows):**\n\n    # Check if shadow copies exist (ransomware often deletes these — check anyway)\n    vssadmin list shadows\n\n    # If they exist, you can restore individual files via:\n    # Right-click file → Properties → Previous Versions tab\n\n## 🔄 Step 7: Remove and Remediate\n\nOnce you've identified the malware, it's time to remove it cleanly.\n\n### Registry Cleanup (Windows)\n\n    # Always back up the registry before editing\n    reg export HKLM\\SOFTWARE backup_HKLM_SOFTWARE.reg\n\n    # Common malware persistence locations to inspect:\n    # HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\n    # HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\n    # HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\n\n    regedit  # Navigate manually and delete suspicious entries\n\n### Reset DNS Settings\n\nMalware often changes your DNS to a rogue server that intercepts your traffic.\n\n    # Windows — reset DNS to automatic (DHCP)\n    netsh interface ip set dns \"Ethernet\" dhcp\n    netsh interface ip set dns \"Wi-Fi\" dhcp\n    ipconfig /flushdns\n\n    # Or set to a trusted public DNS (Cloudflare)\n    netsh interface ip set dns \"Wi-Fi\" static 1.1.1.1\n\n    # macOS\n    networksetup -setdnsservers Wi-Fi 1.1.1.1 8.8.8.8\n\n    # Linux (on systemd-resolved or NetworkManager hosts this file is managed and gets\n    # overwritten — change the DNS server in those tools instead)\n    echo \"nameserver 1.1.1.1\" | sudo tee /etc/resolv.conf\n\n### Reset Browser Settings\n\n    Chrome: Settings → Reset and clean up → Restore settings to original defaults\n    Firefox: Help → More Troubleshooting Information → Refresh Firefox\n\n## 🧱 Step 8: Rebuild Trust — Rotate Everything\n\n**Scenario:** You found a keylogger on your machine. It's been running for 3 weeks.\n\nAssume **every password you typed is compromised.** Assume **every SSH session you opened is compromised.** Act accordingly.\n\n**Immediate credential rotation checklist:**\n\n  * [ ] Change your email password (from a clean device first)\n  * [ ] Enable 2FA on all accounts if not already on\n  * [ ] Rotate all SSH keys: `ssh-keygen -t ed25519 -C \"post-incident-$(date +%Y%m%d)\"`\n  * [ ] Revoke and regenerate all API keys (AWS, GitHub, Stripe, etc.)\n  * [ ] Rotate database credentials and connection strings\n  * [ ] Invalidate all active sessions (GitHub: Settings → Sessions → Revoke all)\n  * [ ] Check your GitHub/GitLab for any unauthorized commits or OAuth apps\n  * [ ] Notify your team if you share any services\n\n## ✅ Step 9: Verify and Harden\n\nYou've cleaned up. Now let's make sure it doesn't happen again.\n\n### Verify the Cleanup\n\n    # Run a final Malwarebytes scan\n    # Run Windows Defender Full Scan\n    # Recheck netstat for unexpected connections (-o shows the owning PID; -b would print\n    # the executable on its own line, which findstr filters out)\n    netstat -n -o | findstr ESTABLISHED\n\n    # Verify no new scheduled tasks appeared in the last 7 days\n    # (Date is a string on the task object, so cast it before comparing)\n    Get-ScheduledTask | Where-Object {$_.Date -and [datetime]$_.Date -gt (Get-Date).AddDays(-7)}\n\n### Harden Going Forward\n\n    # Windows: Enable Controlled Folder Access (blocks ransomware from encrypting your files)\n    Set-MpPreference -EnableControlledFolderAccess Enabled\n\n    # Enable audit logging\n    auditpol /set /subcategory:\"Process Creation\" /success:enable /failure:enable\n\n    # Linux: Install and configure fail2ban\n    sudo apt install fail2ban\n    sudo systemctl enable fail2ban\n\n    # Enable automatic security updates\n    sudo apt install unattended-upgrades\n    sudo dpkg-reconfigure unattended-upgrades\n\n**Universal hardening tips:**\n\n  * Use a password manager — stop reusing passwords\n  * Keep your OS and apps updated (most infections exploit known, patched vulnerabilities)\n  * Use a standard (non-admin) user account for daily use\n  * Enable full-disk encryption: BitLocker (Windows), FileVault (macOS), LUKS (Linux)\n  * Run a DNS-level blocker like Pi-hole or use NextDNS to block malicious domains before they load\n\n## 🧨 Nuclear Option: When to Just Reinstall\n\nSometimes the malware is too deeply embedded — rootkits that survive OS reinstalls by hiding in the bootloader or firmware, for instance. Here's when to wipe and start fresh:\n\n  * You found a **bootkit** or **UEFI malware** (rare, but it exists — tools like `chkrootkit` or `rkhunter` on Linux can detect these)\n  * The infection is **more than a few weeks old** and you can't determine the full scope\n  * You found a **Remote Access Trojan (RAT)** — assume total compromise\n  * You're a **high-value target** (developer with production access, finance, healthcare) and you can't be 100% certain of a clean state\n\n    # If reinstalling Windows, use the \"Remove everything\" option with \"Remove files and clean the drive\"\n    # This does multiple overwrite passes — more thorough than a quick format\n\n    # On Linux, reinstall from a verified ISO (check the SHA256 hash)\n    sha256sum ubuntu-24.04-desktop-amd64.iso\n    # Compare against the hash published on ubuntu.com\n\n## 📋 Quick Reference: Incident Response Checklist\n\n    DETECT\n      [ ] Identify symptoms\n      [ ] Document process names, PIDs, network connections\n\n    CONTAIN\n      [ ] Disconnect from network\n      [ ] Do NOT shut down (preserve forensics)\n      [ ] Photograph/screenshot everything\n\n    COLLECT\n      [ ] Back up clean data to external drive\n      [ ] Export browser bookmarks\n      [ ] Note all installed software\n\n    ANALYZE\n      [ ] Boot into Safe Mode\n      [ ] Run Malwarebytes + Windows Defender Offline\n      [ ] Check startup entries, hosts file, browser extensions\n      [ ] Identify malware strain (ID Ransomware for ransomware)\n\n    REMOVE\n      [ ] Delete malicious files/registry entries\n      [ ] Remove suspicious extensions and software\n      [ ] Reset DNS, reset browser settings\n\n    RECOVER\n      [ ] Rotate all credentials from a clean device\n      [ ] Revoke SSH keys, API keys, OAuth tokens\n      [ ] Notify team if shared services were affected\n      [ ] Report to authorities if data was exfiltrated\n\n    HARDEN\n      [ ] Enable full-disk encryption\n      [ ] Enable Controlled Folder Access / equivalent\n      [ ] Set up automatic OS updates\n      [ ] Deploy DNS-level filtering\n      [ ] Review and tighten user privileges\n\n## 🧠 Final Thoughts\n\nGetting hit with malware is frustrating, but it's survivable if you stay calm and methodical. The biggest mistakes people make are:\n\n  1. **Panicking and shutting down immediately** — you lose volatile forensic data\n  2. **Trusting a single scanner** — layer your tools\n  3. **Stopping at \"virus removed\"** — the malware got in somehow; find and close that door\n  4. **Skipping credential rotation** — this is how one infection turns into an account takeover six weeks later\n\nThe developers who handle incidents best treat them like debugging sessions: gather data, form a hypothesis, test it, repeat. Your machine is just another system to troubleshoot — and you're good at troubleshooting.\n\nStay safe out there. 🔐\n\n_Have a specific malware scenario that isn't covered here? Drop it in the comments — I read everything._\n\n_Tags:`#security` `#cybersecurity` `#tutorial` `#devops`_",
  "title": "Malware on Your Machine: A Developer's Complete Incident Response Guide"
}