Cleaning a bad infestation of malware, virii, trojans, rootkits etc
Since I seem to be on a security kick lately I thought I might as well post some detailed directions I put together for a friend on another board who's having severe issues with all the little nasties...
(Feel free to comment, ask questions or add to the guide)

1. Update your anti-spyware & antivirus programs to the newest versions available.
2. Run Disk Cleanup (If you have a third party app like CCleaner, Clean Up!, ATF Cleaner or Advanced Windows Care run that instead).
3. Download HijackThis from Trend Micro.
- Run a scan and save the logfile (be sure to change the name from "hijackthis.log" to something you will remember like "hijackthisbefore.log").
4. Open "Add/Remove Programs" and check to see if there is anything weird that needs to be uninstalled (unknown toolbars, search utilities etc).
5. Turn off the real time monitoring of all your security programs (any antispyware, antivirus, firewalls).
6. Download & run McAfee Stinger.
7. Download & run the newest version of Microsoft's Malicious Software Removal Tool.
8. Go to ESET NOD32, F-Secure, BitDefender or TrendMicro and run an online scan (these all use ActiveX so you must use IE).
9. Reboot the computer and start up in safe mode.
10. Do a full scan with your primary anti-spyware program. Once the scan is complete & repairs made make sure the program is completely closed. If there is an icon in the system tray that means it is still running. Right click on the icon and select “exit” (or “close”, “shutdown” etc).
- Repeat with your secondary anti-spyware program.
- Finally do a full scan with your anti-virus program.
11. Reboot normally.
12. Again turn off real time monitoring and completely close any of your antispy/virus programs that install on start up.
13. Run your anti-spyware scanners & anti-virus again as you did while in safe mode.
14. Run HijackThis a final time and again give the log file a unique name to distinguish it (ie “hijackthisafter.log”).
15. If you are still having problems you can copy & paste your HijackThis logfiles into the analyzer at I Am Not A Geek which will help you find files that may be causing problems. Google anything listed as bad to find specific methods of removing the problem files. (Be careful as the analyzer does give false positives at times.)
- You can also paste the logs at the Castle Cops, Hijack This Logs forum. Start a new thread with a title describing the problem you are having and then paste your logfiles into the main body of the post. The members of the forum will be happy to help you figure out what the problem is through your log file.

Last edited by Muck; 05-25-2008 at 05:06 AM.
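One way to put the two logs saved in steps 3 and 14 to use, as an added example that is not part of the original post: compare the "before" and "after" HijackThis logs to see which entries the cleanup removed, which survived, and which appeared afterwards. It assumes entry lines have the form section code, " - ", entry text (for example `O4 - ...`); the sample logs and every name in them are constructed.

```python
import re
from collections import defaultdict

# Assumed entry layout: section code (R0, F2, N1, O4, O23 ...), " - ", entry text.
ENTRY = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")

def parse_entries(log_text):
    """Return the set of (code, body) entries; header and process lines are skipped."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("body").strip()))
    return entries

def compare_logs(before_text, after_text):
    """Group entries by section code into removed / remaining / new."""
    before, after = parse_entries(before_text), parse_entries(after_text)
    buckets = (("removed", before - after),
               ("remaining", before & after),
               ("new", after - before))
    result = {}
    for label, items in buckets:
        grouped = defaultdict(list)
        for code, body in sorted(items):
            grouped[code].append(body)
        result[label] = dict(grouped)
    return result

# Constructed sample logs (not taken from a real machine).
BEFORE = r"""Logfile of Trend Micro HijackThis
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.example.invalid/
O2 - BHO: ExampleToolbar - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleToolbar\tb.dll
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\ExampleToolbar\upd.exe
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\avtray.exe"
"""
AFTER = r"""Logfile of Trend Micro HijackThis
Running processes:
C:\WINDOWS\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\avtray.exe"
"""

if __name__ == "__main__":
    for label, groups in compare_logs(BEFORE, AFTER).items():
        print(label.upper())
        for code, bodies in sorted(groups.items()):
            for body in bodies:
                print(f"  {code} - {body}")
```

Entries under "remaining" and "new" are the ones worth looking up or posting for review; a changed value such as a reset start page shows up as one removed entry plus one new entry.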
|
|||||||||
|
Quite the list. Thanks for it. It'll help those of us who aren't great with things like this.
|
|
|||||||||
|
step 16. format C:/
step 17. install linux

great doc muck. most internet providers have free security software that they update daily or weekly. once you get things cleaned up, do yourself a favor and at the very least use those. if you do have an infection of sorts, be patient; it's possible you may have to repeat these steps over and over to get rid of it.
|
|||||||||
|
I assumed from the thread name, that I would only need some penicillin to get rid of that stuff.......
|
|||||||||
|
Quote:
Cipro ....
|
|||||||||
|
Quote:
---Try the system file checker:

sfc /scannow

...it will check all the system files to see if they need replacing (you'll need an XP CD).

---If you just want to try and run an antivirus scan then boot off of a live CD. Knoppix and the like will work fine or you can use BartPE to build an XP live CD. There is also the Ultimate Boot CD for Windows which already has just about every tool imaginable already slipstreamed in (you'll need a valid COA for the UBCD4W). Finally there's Windows XP Ultimate Edition which will let you build a full XP install disk (with a [censored]load of software preloaded). Again it was built using BartPE and requires a valid COA. There is also the older DOS based Ultimate Boot CD which is the spiritual predecessor to the UBCD4Win.

FWIW BartPE, UBCD4Win & XPUltEd have been among the most important & useful tools available to me from a support standpoint.
|
|||||||||
|
I use Malwarebytes at work to clean up really jacked up machines. It does a pretty good job, Malwarebytes.org