General Disinfection Procedure
Note: Any disinfection procedure is risky: you may change something
that prevents your PC from rebooting. In a home environment, recovering from that would require an “in-place upgrade”
(instructions are available for Windows XP
and Windows 7).
Such an install leaves programs and data intact but changes many configuration
settings. Hotfixes would need to be reapplied and, unless the service pack had already been integrated into the
installation media, the last service pack would also need to be reinstalled. In other words, this can get complicated in a hurry.
You use this procedure at your own risk!
- Reboot into Safe Mode, under which most malware doesn’t launch.
- Run the “Silent Runners.vbs” script. (Other excellent
tools are HijackThis, now open source, and
Autoruns by Sysinternals, now part of Microsoft).
- Research dubious entries via a Google Search on another PC (not the suspect one, whose browser or DNS settings may themselves have been hijacked).
- Do not rely solely on appearances in “HijackThis” listings,
since that program, like Silent Runners, does not discriminate between legitimate programs and malware.
If you’re not sure about a certain program, plan to disable it in the next step. You can always re-enable it later.
- Launch Regedit.exe and delete the registry values responsible for launching the malware programs. To disable
a suspicious entry without deleting it, insert the three letters
REM into the executable’s file name (for example, just before “.exe”): the path no longer resolves, so the program
does not start, and the entry can be restored later by removing the letters.
(Microsoft’s MSCONFIG.EXE can also be used. To disable a program, click on the “Startup” tab
and clear the checkbox in the “Startup Item” column.)
- If suspicious files were identified in a startup folder, delete the shortcuts/executables or move them to another folder.
- Reboot normally.
- Run your anti-virus program.
- If symptoms persist, the malware is probably running stealthily in Safe Mode. The PC can still be disinfected, but
that procedure will not be described here.
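The following PowerShell script is an added example, not part of the original article or of Silent Runners, HijackThis or Autoruns. It covers two of the steps above: enumerating the classic autostart locations (the Run/RunOnce keys and the Startup folders) with the signer of each binary so that unknown entries stand out for research, and disabling an entry the way the article describes, by inserting “REM” into the executable name so the value stays in the registry but no longer launches anything. The function names (Get-AutostartEntry, Disable-AutostartEntry, Restore-AutostartEntry), the backup file location and the value name “UpdaterSvc” in the usage lines are this example’s own assumptions. It needs PowerShell 3.0 or later (for Export-Csv -Append) and should be run from an elevated prompt in Safe Mode.

```powershell
# Added example (not from the original article). Enumerates autostart
# entries, then disables or restores one by editing its registry value.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',  # exists on 64-bit Windows only
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumed location for backups of the values we change.
$BackupCsv = Join-Path $env:USERPROFILE 'autostart-backup.csv'
# Properties PowerShell attaches to every registry object; they are not real values.
$PsMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntry {
    # Lists every value under the Run/RunOnce keys and every file in the
    # per-user and all-users Startup folders. For registry entries the
    # executable is extracted from the command line and its Authenticode
    # status reported, so unsigned or missing binaries are easy to spot.
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($PsMeta -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            # A quoted path comes first; otherwise the first whitespace-delimited token is the program.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FileMissing' }
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $cmd; Executable = $exe; Signature = "$sig" }
        }
    }
    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Location = $folder; Name = $_.Name; Command = $_.FullName; Executable = $_.FullName; Signature = 'n/a (shortcut or script)' }
        }
    }
}

function Disable-AutostartEntry {
    # Saves the original value to the backup CSV, then rewrites it with "REM"
    # inserted before the first ".exe" (or prefixed to the whole command when
    # there is no ".exe"), which breaks the path so Windows cannot start it.
    param([Parameter(Mandatory=$true)][string]$Key, [Parameter(Mandatory=$true)][string]$Name)
    $value = [string](Get-ItemProperty -Path $Key -Name $Name).$Name
    [pscustomobject]@{ Key = $Key; Name = $Name; Value = $value } |
        Export-Csv -Path $BackupCsv -Append -NoTypeInformation
    $rx = New-Object System.Text.RegularExpressions.Regex('\.exe', 'IgnoreCase')
    $disabled = if ($rx.IsMatch($value)) { $rx.Replace($value, 'REM.exe', 1) } else { 'REM' + $value }
    Set-ItemProperty -Path $Key -Name $Name -Value $disabled
    "Disabled $Key\$Name : $disabled"
}

function Restore-AutostartEntry {
    # Puts back the most recently backed-up value for the given key and name.
    param([Parameter(Mandatory=$true)][string]$Key, [Parameter(Mandatory=$true)][string]$Name)
    $row = Import-Csv -Path $BackupCsv |
        Where-Object { $_.Key -eq $Key -and $_.Name -eq $Name } |
        Select-Object -Last 1
    if (-not $row) { throw "No backup found for $Key\$Name" }
    Set-ItemProperty -Path $Key -Name $Name -Value $row.Value
    "Restored $Key\$Name : $($row.Value)"
}

# Usage: review the table on a clean PC, then disable anything you cannot
# account for. 'UpdaterSvc' is a placeholder value name for illustration.
Get-AutostartEntry | Format-Table -AutoSize -Wrap
# Disable-AutostartEntry -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'UpdaterSvc'
# Restore-AutostartEntry -Key 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'UpdaterSvc'
```

Two caveats a practitioner should keep in mind: the script only covers the Run/RunOnce keys and Startup folders, whereas Silent Runners and Autoruns also walk services, drivers, scheduled tasks, Winlogon hooks, browser helper objects and many other launch points; and an Authenticode status of “Valid” only tells you the file was signed by someone, not that it belongs on the machine.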
Once the PC is disinfected, keep it that way.
- An anti-virus program is mandatory, but it will not protect against many adware or spyware programs (which are not viruses).
- Ensure that no users are routinely logging in with administrator rights. (Under Vista and Windows 7, the UAC prompt
was introduced as a substitute for a limited-user account, but they are not the same: an administrator who clicks through
the prompt still elevates, whereas a standard user cannot install software at all without an administrator’s credentials.)
- Replace Internet Explorer with Firefox, Chrome or another alternative browser.
- Use Windows Update to apply the latest
hotfixes for your Windows version.
- Teach users to click “No” when asked if they want to install something they didn’t
expressly request to download.
- Teach users to close the browser tab when warned about errors found in their registry or somewhere on their PC.
- Show users where the “Del” key is located and demonstrate how to push it when they receive spam.
- Explain to users that any file that comes from someone they don’t know and any unexpected file that comes
from someone they do know is probably infected. Show them again where to find the “Del” key and point
out that there are two of them on most keyboards. Demonstrate that any finger can be used to
press either key.
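As an added example (not from the original article) of checking the administrator-rights rule above, the following PowerShell reports who is in the local Administrators group, whether the account you are logged in with is one of them, whether the current session is actually elevated, and whether UAC is switched on. The function name Get-AdminRightsReport is this example’s own; the group lookup uses the WinNT ADSI provider, which works on Windows XP through Windows 7 without any extra modules.

```powershell
# Added example (not from the original article): audit local admin rights and UAC.

function Get-AdminRightsReport {
    # Members of the local Administrators group via the WinNT ADSI provider.
    # Nested domain groups are reported by name only, not expanded.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $members = @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }

    # With UAC on, an administrator's everyday session runs on a filtered token,
    # so IsInRole(Administrator) is only true when the session is elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # EnableLUA = 1 means UAC is on; the value may be absent on Windows XP.
    $policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = (Get-ItemProperty -Path $policy -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA

    [pscustomobject]@{
        CurrentUser         = $identity.Name
        CurrentUserIsAdmin  = ($members -contains $env:USERNAME)
        SessionIsElevated   = $elevated
        LocalAdministrators = ($members -join ', ')
        UacEnabled          = ($uac -eq 1)
    }
}

# Usage: any everyday account that shows CurrentUserIsAdmin = True should be
# moved to the Users group and a separate administrator account kept for maintenance.
Get-AdminRightsReport | Format-List
```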