Basic malware cleanup
From Provider Wiki
Spyware. Adware. Without the proper precautions, every user succumbs to being infected at some point (unless that user is using something other than IE and is judicious in their downloading practices) and may not know how to recover. The following document contains a brief overview of how most basic malware can be removed.
- Download and install the proper tools.
  - Spybot Search & Destroy is a freeware/dedicationware program that is excellent for cleaning up malware. It is updated regularly and has a number of useful tools that make detecting and cleaning up after malware much easier. The software itself is free (dedicated to the creator's girlfriend), but donations are accepted and appreciated.
  - Ad-Aware is another useful tool, free to use but also available in a paid version. Ad-Aware will find some things that Spybot does not (and Spybot will find some things that Ad-Aware does not), especially cookies.
  - Process Explorer is a tool that dramatically improves upon the Windows Task Manager. It gives an in-depth view of system processes: how much memory they are using, where they are running from, and so on. It also lets you kill processes as well as whole process trees. It is very configurable and has many options if you click on the column toolbar. Some of the most useful are "Image Path" under "Process Image", and "Private Bytes" and "CPU History" under "Process Performance". Process Explorer does not need to be installed; it is a standalone executable. If Spybot and Ad-Aware will not install in Safe Mode, you can use Process Explorer to kill any suspicious processes before installing the other two programs.
- Update Spybot, Ad-Aware, and your antivirus software. Spybot can be updated by clicking Search for Updates; Detection Rules and Immunization Database are the only important updates to check. You will have the option of choosing which server to download updates from; Safer Networking is the most reliable. Ad-Aware can be updated by clicking the Check for updates now button.
- Boot into Safe Mode. Safe Mode can be accessed in one of two ways.
  - Reboot the computer. After the Dell/IBM/Toshiba/etc. BIOS screen flashes, press the F8 key. If you time this properly (it can be tricky, and you may need to press it more than once), you will be brought to a menu that allows you to start in Safe Mode, Safe Mode with Networking, or normal mode. You want to start in Safe Mode.
  - Use MSConfig to specify "Boot into Safe Mode." Click Start, Run, type msconfig in the Run prompt and press Enter. Once the MSConfig window is up, click the BOOT.INI tab and, under the Boot Options section, check the /SAFEBOOT option. Reboot your computer. Keep in mind that your system will continue to reboot into Safe Mode until you run MSConfig again and uncheck that option.
- While in Safe Mode, disable System Restore (right-click My Computer, then click Properties, System Restore, Turn off System Restore). This will delete all of your System Restore points. This is a good step to take, as much malware hides in System Restore, and Windows will have backed up several infected files there as part of its normal operation. Also take this opportunity to run Disk Cleanup. If the Disk Cleanup button does not appear on the System Restore tab, it can be accessed by clicking Start, All Programs, Accessories, System Tools, Disk Cleanup. Here you can clean up downloaded program files, temporary internet files, the Recycle Bin, temporary files, offline files, and a few other kinds of temporary data. These are also places where malware likes to hide. This step will also free up valuable disk space!
- Now that many of the typical hiding places are cleaned up, run Spybot Search & Destroy. While Spybot is running, take the opportunity to switch to Advanced Mode ("Mode", "Advanced") and open the Tools section. This shows a number of useful tools for tracking malware and limiting its influence. Check the "Hosts File" box and see whether there are entries in your Hosts file. Some entries may be fine, blocking ads and malicious websites, but if antivirus websites, Windows Update, and the like are blocked, your system may be compromised. Once Spybot has finished, clean up anything it found. Now run Ad-Aware, doing a full system scan, and clean up everything it finds as well. Do the same with your antivirus software. Don't forget to run MSConfig again and disable starting in Safe Mode if that is how you got into Safe Mode initially.
- Reboot into normal Windows. Things should be much cleaner now. If you haven't downloaded and installed Firefox, now would be a good time. Ideally, Internet Explorer should only be used for Windows Update (you ARE doing Windows Updates regularly, aren't you?) and the occasional site that does not display well in Firefox. Also make sure your firewall is enabled. In Windows XP, this is done by going into Network Connections, right-clicking your network connection, and going to the Advanced tab.
- If you are still having trouble at this point, Google is an amazing resource; you are not the only person experiencing this sort of problem. You may want to try running HijackThis, but be cautious, as you can seriously damage your computer if you are not careful. An introduction is located here (bleepingcomputer.com), and helpful people will assist you if you post on any number of forums, one of which is here (geekstogo.com).
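The Hosts file check from the Spybot step above, as an added example that is not part of the original wiki page: a small Python script that parses a Windows hosts file and flags entries that sinkhole or redirect update and antivirus sites. The protected-domain list and the sample hosts file are assumptions constructed for the demonstration.

```python
# Added example, not from the wiki: audit a Windows hosts file for entries that
# block or redirect security sites (the manual check behind Spybot's "Hosts File"
# tool). The domain list and the sample file are constructed for illustration.

# Sites a cleanup needs to reach; any hosts entry for them is suspect.
PROTECTED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com",
                      "safer-networking.org", "lavasoft.com", "symantec.com")
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}  # addresses used to sinkhole a name


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines and '#' comments."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def is_protected(hostname):
    """True for a protected domain or any subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s)
               for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return (verdict, ip, hostname) for each suspicious entry.

    'blocked'    protected site sent to loopback: updates and scans silently fail
    'redirected' protected site sent elsewhere: a hijack, treat as compromise
    """
    findings = []
    for ip, name in parse_hosts(text):
        if is_protected(name):
            verdict = "blocked" if ip in LOOPBACK else "redirected"
            findings.append((verdict, ip, name))
    return findings


# Constructed sample: a harmless ad-block entry plus two malicious ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adnetwork.test   # harmless ad block
127.0.0.1       www.windowsupdate.com
10.0.0.5        www.safer-networking.org
"""

if __name__ == "__main__":
    for verdict, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10} {ip:15} {name}")
```

On Windows XP the live file is %SystemRoot%\system32\drivers\etc\hosts; read it into `audit_hosts` instead of `SAMPLE_HOSTS` to check a real machine.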
