Tuesday, November 29, 2011

Joe’s process for cleaning up malware in Windows

I felt like sharing my actual process for cleaning up malware on a computer, so here it is. This process will work for 90% of the viruses and malware that affect Microsoft Windows. Sadly, there are still occasions when I need to wipe a hard drive and reinstall Windows because of a really bad infection. Be sure to check out www.bleepingcomputer.com for detailed guides on how to clean up specific malware problems! Let's get to the process...
First, have a USB flash drive with the following files\apps on it:
RKILL - http://www.bleepingcomputer.com/download/anti-virus/rkill
UNHIDE - http://download.bleepingcomputer.com/grinler/unhide.exe
TDSSKiller - http://support.kaspersky.com/faq/?qid=208283363
Malwarebytes - http://www.malwarebytes.com
Microsoft Security Essentials - http://www.microsoft.com/security_essentials
Steps to perform in order:
1) Reboot the computer into Safe Mode with Networking.
3) Run TDSSKiller.EXE
4) Delete ALL FILES in %TEMP%
5) Delete all Internet Explorer cache data from the Internet Options applet.
6) Delete all Firefox cache data.
7) Delete all Google Chrome cache data.
8) Install Malwarebytes and update if prompted. Run a full system scan.
9) Delete all EXE files in C:\Documents and Programs\All Users\Application Data\
10) Launch the anti-virus program, update virus definitions, then run a full virus scan. Install Microsoft Security Essentials if there is no anti-virus app installed.
11) Open Internet Options. Verify that no proxy server is set and that "Auto detect network settings" is enabled. Do the same in Firefox.
12) Open Add\Remove Programs. Remove all unnecessary software and toolbars.

STOP HERE! Only continue to the next steps if you are missing Start Menu shortcuts or are missing all files in My Documents.

13) Reset NTFS permissions for the entire C: drive by running this command from the command line: secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose
14) If missing all program entries in the Start Menu, run UNHIDE.EXE.
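As an added example (not part of the original post), here is a PowerShell helper that covers the scriptable parts of steps 4, 9 and 11: it reports the WinINet proxy values, lists any EXE files sitting in the All Users application data folder with their SHA-256 (so you can keep a record before deleting), and clears %TEMP%. It only reports unless you pass -Apply; the folder is resolved with .NET's CommonApplicationData, which is assumed to correspond to the All Users\Application Data path named in step 9.

```powershell
# Cleanup audit helper for steps 4, 9 and 11 of the process above (added example).
# Runs in report-only mode; pass -Apply to actually delete files and clear proxy settings.
param([switch]$Apply)

# Hash a file with .NET so the script also works on PowerShell 2.0 (no Get-FileHash).
function Get-Sha256 ($path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' } finally { $fs.Close() }
}

# Step 11: check the WinINet (Internet Options) proxy values; malware often plants a proxy or PAC URL.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet
if ($p.ProxyEnable -eq 1 -or $p.ProxyServer -or $p.AutoConfigURL) {
    Write-Warning ("Proxy configured: Enable={0} Server={1} PAC={2}" -f $p.ProxyEnable, $p.ProxyServer, $p.AutoConfigURL)
    if ($Apply) {
        Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $inet -Name ProxyServer, AutoConfigURL -ErrorAction SilentlyContinue
        Write-Host "Proxy settings cleared."
    }
} else {
    Write-Host "No proxy server or PAC URL configured."
}

# Step 9: EXE files dropped directly in the All Users application data folder.
# Assumption: CommonApplicationData maps to the folder the post names (C:\ProgramData on Vista+).
$allUsersData = [Environment]::GetFolderPath('CommonApplicationData')
Get-ChildItem -Path $allUsersData -Filter *.exe -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        # Record name, size, timestamp and hash before anything is removed.
        Write-Host ("{0}  {1} bytes  modified {2}  sha256 {3}" -f $_.FullName, $_.Length, $_.LastWriteTime, (Get-Sha256 $_.FullName))
        if ($Apply) { Remove-Item -LiteralPath $_.FullName -Force }
    }

# Step 4: clear everything in %TEMP% (files in use are skipped silently).
Get-ChildItem -Path $env:TEMP -Force -ErrorAction SilentlyContinue | ForEach-Object {
    if ($Apply) {
        Remove-Item -LiteralPath $_.FullName -Recurse -Force -ErrorAction SilentlyContinue
    } else {
        Write-Host ("would delete: {0}" -f $_.FullName)
    }
}
```

Run it from an elevated prompt in Safe Mode with Networking; review the report first, then re-run with -Apply once you are satisfied with the list.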