The following is a quick and dirty guide to virus/malware removal. These are simple, proven steps to clean out malware and get a PC back up and running as quickly as possible. No attempt is made to do any sort of forensics, nor are there any techniques included for measuring or controlling the propagation to other machines or networks. The assumption is that the damage has already been done and you are just cleaning up the mess.
Arming Yourself
The following is a list of tools you will need to have handy. It is highly recommended that you download these on an uninfected machine beforehand! There are many types of malware out there that are known to detect the file names/signatures of popular cleaning tools and infect them. You have been warned!
- Autoruns – http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
- Combofix – http://www.bleepingcomputer.com/combofix/how-to-use-combofix
- Malwarebytes – http://www.malwarebytes.org/
- Process Explorer – http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx
- Revo Uninstaller – http://www.revouninstaller.com/
Kill Everything That Moves
- Alt-F4 any obvious pop-ups. Don’t take the risk of clicking on the window even if the border “looks like a window”; it could easily be an imagemap.
- Launch Process Explorer and look through all of the running processes. Look very closely: do any of the names look out of place? Eating up too much memory? Pay special attention to the “Company Name” column.
- Once you have killed any running processes, double check for open ports. Go to the command prompt and run
netstat -an | find /i "listening"
This will show you all ports that are being listened on.
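As an added example (not part of the original post, and not Process Explorer or netstat output themselves), the following PowerShell script does the two checks above in one pass: it lists running processes with their image path, “Company Name” and Authenticode status, then lists every TCP port in LISTENING state together with the process that owns it. It assumes Windows PowerShell 3 or later and an elevated prompt; without elevation some process paths come back empty and show up as NoPath.

```powershell
# Added example, not part of the original post. Companion to the Process Explorer and
# netstat checks: processes with path/company/signature, then TCP listeners by owner.
# Assumes Windows PowerShell 3+ and an elevated prompt (some paths are hidden otherwise).

function Get-SignatureStatus([string]$path) {
    # "Valid" means a trusted Authenticode signature; anything else deserves a closer look
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'NoPath' }
    return [string](Get-AuthenticodeSignature -FilePath $path).Status
}

function Get-ProcessReport {
    Get-Process | ForEach-Object {
        $path = $_.Path
        [pscustomobject]@{
            Name      = $_.ProcessName
            PID       = $_.Id
            MemoryMB  = [math]::Round($_.WorkingSet64 / 1MB, 1)
            Company   = $_.Company          # the "Company Name" column; often blank on malware
            Path      = $path
            Signature = Get-SignatureStatus $path
        }
    }
}

function Get-ListeningPortReport {
    # "netstat -ano" is the listing from the post plus the owning PID in the last column
    foreach ($line in (netstat -ano)) {
        if ($line -match '^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $local  = $Matches[1]
            $procId = [int]$Matches[2]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            $name   = '<exited or inaccessible>'
            $path   = $null
            if ($proc) { $name = $proc.ProcessName; $path = $proc.Path }
            [pscustomobject]@{
                LocalAddress = $local
                PID          = $procId
                Process      = $name
                Path         = $path
                Signature    = Get-SignatureStatus $path
            }
        }
    }
}

# Unsigned, path-less and memory-hungry entries sort to the top of each listing
Get-ProcessReport | Sort-Object Signature, @{Expression = 'MemoryMB'; Descending = $true} |
    Format-Table Name, PID, MemoryMB, Company, Signature, Path -AutoSize
Get-ListeningPortReport | Sort-Object Signature, Process | Format-Table -AutoSize
```

Read the output the same way the post reads Process Explorer: a blank company, a path under a temp or profile directory, or a listener owned by a process you cannot account for is what you kill first. A “Valid” signature is not proof of innocence, only a reason to look at the unsigned ones first.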
Stop It From Spawning
- Launch Autoruns and look through all of the start-up items. There is a feature in the latest version to hide Microsoft-signed entries, which will make your life much easier. Save the current settings in Autoruns before removing any items; that way, if you remove something you shouldn’t have, you can put it back. Check all start-up items, and also pay attention to drivers and services. Again, there are many obvious telltale signs of malware: misspellings, invalid directories, etc.
- Check Start->Program Files->Startup
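The following is an added example, not part of the original post and not Autoruns itself. It walks the common autostart locations (Run/RunOnce keys, the per-user and all-users Startup folders, and services), writes a CSV baseline before anything is touched (the same “save first” habit the post recommends), and then flags entries whose target file is missing, whose binary is unsigned, or whose signer is not Microsoft, mirroring Autoruns’ “hide Microsoft entries” view. It assumes Windows PowerShell 3 or later; run it elevated to read every HKLM key and service. The baseline file name is my choice, not a convention of any tool.

```powershell
# Added example, not part of the original post and not Autoruns. Enumerates common
# autostart locations, saves a baseline CSV, and flags missing/unsigned/non-Microsoft
# targets. Assumes Windows PowerShell 3+, run elevated.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-TargetFromCommand([string]$cmd) {
    # Reduce a command line to its executable: a quoted path, or the first token ending in .exe.
    # An unquoted path with spaces falls through whole and will be flagged as MissingFile.
    $exe = $cmd.Trim()
    if ($cmd -match '^\s*"([^"]+)"')       { $exe = $Matches[1] }
    elseif ($cmd -match '^\s*(\S+?\.exe)') { $exe = $Matches[1] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -and -not [System.IO.Path]::IsPathRooted($exe)) {
        # Bare names such as rundll32.exe resolve through PATH, as the loader would
        $found = Get-Command $exe -ErrorAction SilentlyContinue
        if ($found) { $exe = $found.Source }
    }
    return $exe
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PowerShell's own PSPath/PSProvider noise
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if ($folder -and (Test-Path $folder)) {
            foreach ($f in (Get-ChildItem -Path $folder -File)) {
                [pscustomobject]@{ Location = $folder; Name = $f.Name; Command = $f.FullName }
            }
        }
    }
    foreach ($svc in (Get-CimInstance Win32_Service)) {
        [pscustomobject]@{ Location = 'Service'; Name = $svc.Name; Command = [string]$svc.PathName }
    }
}

function Get-AutostartReport {
    foreach ($e in Get-AutostartEntries) {
        $target = Get-TargetFromCommand $e.Command
        $exists = [bool]$target -and (Test-Path -LiteralPath $target -PathType Leaf)
        $status = 'MissingFile'; $signer = ''
        if ($exists) {
            $sig    = Get-AuthenticodeSignature -FilePath $target
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $microsoft = $signer -match 'O=Microsoft Corporation'
        [pscustomobject]@{
            Location   = $e.Location; Name = $e.Name; Target = $target
            Signature  = $status;     Signer = $signer
            Suspicious = (-not $exists) -or ($status -ne 'Valid') -or (-not $microsoft)
        }
    }
}

$report   = Get-AutostartReport
# Baseline first (hypothetical file name), so a wrongly removed entry can be restored from the CSV
$baseline = Join-Path $env:USERPROFILE ('autostart-baseline-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
$report | Export-Csv -Path $baseline -NoTypeInformation
$report | Where-Object Suspicious | Format-Table Location, Name, Signature, Target -AutoSize
```

The “Suspicious” column is a triage filter, not a verdict: legitimate third-party software also lands in it, while the misspelled names and invalid directories the post describes show up as MissingFile or NotSigned rows under a Run key. Drivers and scheduled tasks are not covered here; Autoruns still does that part.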
Destroy the Source
Run Combofix. This can take up to 40 minutes to complete. For part of the run it will need to be connected to the network to update. During its run Combofix launches many small utilities that clean various malware. For part of its network cleaning/repair the machine will lose its network connection for up to 10 minutes. If you are running Combofix remotely, don’t panic. Seriously, even when you think “God, what have I done, I’ve killed the network connection!”, it will come back.
Clean Up the Mess
- Run Malwarebytes quick scan
- Visit Add/Remove Programs and remove any “junk” programs. Use Revo Uninstaller for stubborn ones.
Sanity Check
- Launch IE and verify functionality by going to a few websites. Also do a search on Yahoo, Bing and Google. Verify that the search result links actually take you to the correct site (not redirected).
- Review c:\windows\system32\drivers\etc\hosts
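As an added example (not part of the original post), this PowerShell script reads the hosts file the way a reviewer would: it ignores comments, prints every active mapping, and flags any entry that points a name somewhere other than loopback. The names of search engines and cleaning-tool vendors, the sites the sanity check above visits, get a separate flag even when mapped to loopback, because that is how a hosts entry blocks them. The watch list is illustrative and mine, not a standard list; the file path is the default one from the post.

```powershell
# Added example, not part of the original post. Parses the hosts file, ignoring comments,
# and flags non-loopback mappings plus any entry touching a watched name.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback  = @('127.0.0.1', '::1', '0.0.0.0')
# Illustrative watch list: search engines and tool vendors from the post, plus update sites
$watchList = @('google.com', 'bing.com', 'yahoo.com', 'malwarebytes.org',
               'bleepingcomputer.com', 'microsoft.com', 'windowsupdate.com')

function Get-HostsEntries([string]$path = $hostsPath) {
    # The file is sometimes made hidden or read-only to frustrate review, hence -Force
    $file = Get-Item -LiteralPath $path -Force
    Write-Host ("hosts: {0}  ({1} bytes, attributes: {2})" -f $file.FullName, $file.Length, $file.Attributes)
    foreach ($raw in (Get-Content -LiteralPath $path)) {
        $line = ($raw -split '#', 2)[0].Trim()        # strip comments; skip blank lines
        if (-not $line) { continue }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { continue }          # malformed line, nothing to resolve
        $address = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $watched = $false
            foreach ($w in $watchList) { if ($name -like "*$w") { $watched = $true } }
            [pscustomobject]@{
                Address     = $address
                HostName    = $name
                NonLoopback = ($loopback -notcontains $address)
                Watched     = $watched
            }
        }
    }
}

$entries = Get-HostsEntries
$entries | Format-Table -AutoSize
# Anything that is not a loopback mapping, or that touches a watched name, is called out
$suspect = $entries | Where-Object { $_.NonLoopback -or $_.Watched }
if ($suspect) {
    Write-Host "`nEntries worth a second look:"
    $suspect | Format-Table Address, HostName -AutoSize
} else {
    Write-Host "`nNo active entries beyond loopback mappings."
}
```

On a clean machine the active part of the file is normally empty or just localhost mappings, so a long list of search-engine or vendor names pointing at loopback or at a remote address is exactly the redirection the IE sanity check is meant to surface.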
Share your tips
Do you have any tips or tricks, or any handy software that you use to defeat the ever growing scourge that is malware?
Comments 1
Also, another quick note. Try doing the above steps in Safe Mode. It will allow the programs to run without the virus/malware being loaded into memory (sometimes, not allowing Malwarebytes or ComboFix to run).
Posted 19 Jul 2010 at 11:06 pm