General Disinfection Procedure
Note: Any disinfection procedure is risky: you may change something
that prevents your PC from rebooting. In a home environment, recovering from that would require an “in-place upgrade”
(for instructions, click here for Windows 2000
or here for Windows XP).
Such an install leaves programs and data intact, but changes many configuration
settings. Hotfixes would need to be reapplied and, unless a suitable
installation method was used (see
this for Windows 2000),
the last service pack would also need to be
reinstalled. In other words, this can get complicated in a hurry.
If you want my help, it's available for a fee. You can contact me here.
You use this procedure at your own risk!
- Run the “Silent Runners.vbs” script. (Other excellent
tools are HijackThis by Trend Micro and
Autoruns by Sysinternals – Microsoft).
- Compare programs to the lists at:
- If the program isn't listed on any of those sites, Google it and look for sources that positively identify it.
Do not treat a program's appearance in a “HijackThis” listing as evidence either way,
since that program, like Silent Runners, lists everything it finds and does not discriminate between legitimate programs and malware.
If you're still not sure about a certain program, plan to disable it in step 6. You can always re-enable it later.
- Download and install
Ad-Aware 6 Standard Edition (scroll down to “Choose a link below to download Ad-Aware” and
click on one of the links below it) and
Spybot Search & Destroy (under “Available Mirrors”, click on one of the “Download here”
buttons on the right).
- Reboot into Safe Mode.
- Launch REGEDIT.EXE and delete the registry values responsible for launching the adware programs
(export each key first, so a mistake can be undone by re-importing the saved .reg file). To disable
a suspicious program rather than delete its entry, insert the three letters
REM into the executable's file name in the value data (for example, in front of the “.exe” name).
Windows can then no longer find the file, so the program doesn't start; removing the REM later re-enables it.
(Microsoft's MSCONFIG.EXE can also be used. To disable a program, click on the “Startup” tab
and clear the checkbox in the “Startup Item” column.)
- Once the malware launch points are neutralized, rid the PC of any remnants with
Ad-Aware and Spybot S&D.
If either program suggests a reboot (it's unlikely), reboot back into Safe Mode and rerun each program
until nothing further is identified.
- While still in Safe Mode, run your anti-virus program.
- Finally, reboot normally.
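Steps 1 through 6 boil down to three mechanical operations: list the launch points, decide by hand which ones are hostile, and neutralize those in the registry with the REM trick. The following Python helper is an added example, not code from the original page or from any of the tools it names. It works offline against a REGEDIT export of the two classic Run keys (the export itself is constructed here; “Example Toolbar”, updhelper.exe and loader.dll are placeholders, not real products or malware), prints the launch points for step 2, and writes the .reg text that disables the chosen entries and the matching .reg text that undoes it. Which names count as suspicious is an input you supply from steps 2 and 3; the script does not judge.

```python
import re

# Constructed sample of a REGEDIT export (regedit /e run.reg "HKEY_...") of the two
# classic Run keys.  All entries are made up for illustration: "Example Toolbar",
# updhelper.exe and loader.dll are placeholders, not real products.
# (A version 5.00 export on disk is UTF-16: open(path, encoding='utf-16').)
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SoundMan"="SOUNDMAN.EXE"
"UpdateHelper"="\"C:\\Program Files\\Example Toolbar\\updhelper.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Loader"="rundll32.exe C:\\WINDOWS\\ADTEMP\\loader.dll,ServiceMain"
'''

HEADER = 'Windows Registry Editor Version 5.00'
# "name"="data" or @="data"; hex:/dword: values are deliberately not matched
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")="((?:[^"\\]|\\.)*)"$')
EXE_RE = re.compile(r'\.exe\b', re.IGNORECASE)


def unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def escape(s):
    return s.replace('\\', '\\\\').replace('"', '\\"')


def parse_reg_export(text):
    """Return {key: {value_name: data}} for the string values in a .reg export.
    '(Default)' stands for the @ value."""
    entries, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';') or line.startswith(HEADER):
            continue
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            entries.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is not None and m:
            name = '(Default)' if m.group(1) == '@' else unescape(m.group(2))
            entries[key][name] = unescape(m.group(3))
    return entries


def launch_points(entries):
    """Flatten the parsed export into (key, value_name, command) triples (step 2 input)."""
    return [(k, n, d) for k, values in entries.items() for n, d in values.items()]


def _exe_name_pos(command):
    """Index where the executable's base name starts, or None if no .exe is present."""
    m = EXE_RE.search(command)
    if not m:
        return None
    end = m.start()
    # base name begins after the last backslash or opening quote before ".exe"
    return max(command.rfind('\\', 0, end), command.rfind('"', 0, end)) + 1


def neutralize(command):
    """The text's REM trick: put REM into the executable name so the path no
    longer resolves and the entry stops launching.  None if nothing to REM."""
    pos = _exe_name_pos(command)
    return None if pos is None else command[:pos] + 'REM' + command[pos:]


def restore(command):
    """Reverse neutralize(); only apply to entries you REM'd yourself."""
    pos = _exe_name_pos(command)
    if pos is None or not command.startswith('REM', pos):
        return command
    return command[:pos] + command[pos + 3:]


def build_reg(entries, names, transform):
    """Produce .reg text that overwrites the named values with transform(data).
    Import it from Safe Mode with:  regedit /s disable.reg"""
    out = [HEADER]
    for key, values in entries.items():
        chosen = {n: transform(d) for n, d in values.items() if n in names}
        chosen = {n: d for n, d in chosen.items() if d is not None}
        if not chosen:
            continue
        out += ['', '[' + key + ']']
        for n, d in chosen.items():
            left = '@' if n == '(Default)' else '"' + escape(n) + '"'
            out.append(left + '="' + escape(d) + '"')
    return '\r\n'.join(out) + '\r\n'


if __name__ == '__main__':
    entries = parse_reg_export(SAMPLE_EXPORT)
    for key, name, command in launch_points(entries):
        hive = key.split('\\')[0]
        print(f'{hive:18} {name:13} {command}')
    suspicious = {'UpdateHelper', 'Loader'}          # decided by hand in steps 2-3
    print(build_reg(entries, suspicious, neutralize))  # disable.reg
    print(build_reg(entries, suspicious, lambda d: d))  # restore.reg (original data)
```

Keep the original export as the authoritative undo: the restore file is just that export filtered to the values you changed, which is why `build_reg` with an identity transform produces it. The script only sees the keys you exported; the same parse and REM logic applies to any other string value holding a path that Silent Runners or Autoruns reports, but entries that are not a path to an .exe (a CLSID, a DLL loaded by a host process) need a different treatment and are reported as `None` here rather than silently mangled.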
Once the PC is disinfected, keep it that way.
- Two things are mandatory:
- An anti-virus program subscription.
- If you're connected to the Internet via broadband, a hardware router/firewall.
- A software firewall can also be useful to warn of unauthorized outgoing traffic.
- Ensure that no users (you included!) are routinely logging in with administrator rights.
- Replace Internet Explorer with Firefox or another alternative browser.
- Use Windows Update to apply the latest
hotfixes for your O/S, Internet Explorer, Outlook Express, and Windows Media Player.
Use Microsoft Baseline Security Analyzer 2.0 to check for additional hotfixes (for MDAC and XML, for example)
and for configuration suggestions.
- Teach users to click “No” when asked if they want to install something they didn't
expressly visit a site to download.
- Wean users away from ad-ware-supported products.
- Show users where the “Del” key is located and demonstrate how to push it when they receive spam.
- Explain to users that any file that comes from someone they don't know and any unexpected file that comes
from someone they do know is probably infected. Show them again where the “Del” key is and point
out that there are two of them on every keyboard. Demonstrate that any finger can be used to
press either key.