
General Disinfection Procedure

Note: Any disinfection procedure is risky — you may change something that prevents your PC from rebooting. In a home environment, this would require an “in-place upgrade” of Windows. (For instructions, click here for Windows 2000 or here for Windows XP.) Such an install would leave programs and data intact, but would change many configuration settings. Hotfixes would need to be reapplied and, unless a “slipstream” installation method was used (see this for Windows 2000), the last service pack would also need to be reinstalled. In other words, this can get complicated in a hurry.

If you want my help, it's available for a fee. You can contact me here.

You use this procedure at your own risk!

  1. Run the “Silent Runners.vbs” script. (Other excellent tools are HijackThis by Trend Micro and Autoruns by Sysinternals – Microsoft).

  2. Compare programs to the lists at:

  3. If the program isn't listed on any of those sites, Google it and look for sources that positively identify it. Do not rely on appearances in “HijackThis” listings, since that program, like Silent Runners, does not discriminate between legitimate programs and malware. If you're still not sure about a certain program, plan to disable it in step 6. You can always re-enable it later.

  4. Download and install Ad-Aware 6 Standard Edition (scroll down to “Choose a link below to download Ad-Aware” and click on one of the links below it) and Spybot Search & Destroy (under “Available Mirrors”, click on one of the “Download here” buttons on the right).

  5. Reboot into Safe Mode.

  6. Launch REGEDIT.EXE and delete the registry lines responsible for launching the adware programs. To disable a suspicious program instead of deleting it, place the three letters REM anywhere in the executable name; the path then no longer resolves, so Windows cannot launch the program, but the entry stays in place so you can restore it later. (Microsoft's MSCONFIG.EXE can also be used. To disable a program, click on the “Startup” tab and clear the checkbox in the “Startup Item” column.)

  7. Once the malware launch points are neutralized, rid the PC of any remnants with Ad-Aware and Spybot S&D. If the program suggests a reboot (it's unlikely), reboot back into Safe Mode and rerun each program until nothing further is identified.

  8. While still in Safe Mode, run your anti-virus program.

  9. Finally, reboot normally.
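Steps 2, 3 and 6 can be rehearsed offline before touching a machine. The Python below is an added example, not the Silent Runners script or any other code from this site: it parses a constructed REGEDIT export of a Run key, compares each executable with a reviewer's list of positively identified programs (step 3), and shows what the REM trick from step 6 does to a value without modifying the registry. The sample entries, program names, paths and the KNOWN_GOOD set are all made up for illustration.

```python
"""Offline triage of Run-key startup entries from a REGEDIT export.
Added example, not code from this site: it mirrors steps 2, 3 and 6 of the
procedure on an exported .reg file rather than on the live registry."""
import re
from pathlib import PureWindowsPath

# Constructed sample of what REGEDIT.EXE exports for a Run key; names are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\\Program Files\\SoundCard\\soundtray.exe /quiet"
"ShopHelper"="\"C:\\Program Files\\ShopHelper\\shophelper.exe\" -autorun"
"Updater"="C:\\WINDOWS\\system32\\REMupdater.exe"
'''

# Constructed whitelist: executables you have positively identified (step 3).
KNOWN_GOOD = {"soundtray.exe"}
MARKER = "REM"  # the three letters step 6 inserts into the executable name

# A .reg string value: "name"="data"; only \\ and \" are escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(text):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_run_entries(reg_text):
    """Return (key, value name, command line) for each value under a Run/RunOnce key."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None or key.rsplit("\\", 1)[-1].lower() not in ("run", "runonce"):
            continue
        match = _VALUE_RE.match(line)
        if match:
            entries.append((key, _unescape(match.group(1)), _unescape(match.group(2))))
    return entries


def _exe_span(command):
    """Indices [start, end) of the executable path in a command line, quoted or bare."""
    stripped = command.lstrip()
    offset = len(command) - len(stripped)
    if stripped.startswith('"'):
        close = stripped.find('"', 1)
        return offset + 1, offset + (len(stripped) if close == -1 else close)
    match = re.search(r"\.exe\b", stripped, re.IGNORECASE)
    if match:  # bare path that may contain spaces: stop after the .exe suffix
        return offset, offset + match.end()
    space = stripped.find(" ")
    return offset, offset + (len(stripped) if space == -1 else space)


def executable_name(command):
    """File name of the program a Run value launches, e.g. 'soundtray.exe'."""
    start, end = _exe_span(command)
    return PureWindowsPath(command[start:end]).name


def is_disabled(command):
    """True when the file name already carries the marker disable_command() inserts."""
    return executable_name(command).startswith(MARKER)


def disable_command(command):
    """Step 6: prefix the file name with REM so the path no longer resolves and the
    entry fails to launch, while the rest of the value stays intact for re-enabling."""
    if is_disabled(command):
        return command
    start, end = _exe_span(command)
    path = PureWindowsPath(command[start:end])
    return command[:start] + str(path.with_name(MARKER + path.name)) + command[end:]


def triage(entries, known_good=KNOWN_GOOD):
    """Map value name -> (executable, 'known' | 'disabled' | 'unknown'); 'unknown'
    is what step 3 says to research and, if still unsure, disable."""
    report = {}
    for _key, name, command in entries:
        exe = executable_name(command)
        if is_disabled(command):
            status = "disabled"
        elif exe.lower() in known_good:
            status = "known"
        else:
            status = "unknown"
        report[name] = (exe, status)
    return report


if __name__ == "__main__":
    run_entries = parse_run_entries(SAMPLE_REG)
    report = triage(run_entries)
    for name, (exe, status) in report.items():
        print(f"{name:<12} {exe:<18} {status}")
    # Step 6 shown, not applied: the value data you would type into REGEDIT.
    for _key, name, command in run_entries:
        if report[name][1] == "unknown":
            print(f"\n{name} -> {disable_command(command)}")
```

The whitelist is deliberately a set of file names rather than full paths, because the same legitimate program may be installed in different folders on different machines; anything not on it is reported as unknown so that it gets the Google-and-verify treatment of step 3 rather than being trusted by appearance. Matching the quoted form and the bare form of a command line separately matters because Run values with spaces in the path are written both ways, and a disable that garbled the arguments would be hard to undo.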

Once the PC is disinfected, keep it that way.

  • Two things are mandatory:
    • An anti-virus program subscription.
    • If you're connected to the Internet via broadband, a hardware router/firewall.
    A software firewall can also be useful to warn of unauthorized outgoing traffic.

  • Ensure that no users (you included!) are routinely logging in with administrator rights.

  • Replace Internet Explorer with Firefox or another alternative browser.

  • Use Windows Update to apply the latest hotfixes for your O/S, Internet Explorer, Outlook Express, and Windows Media Player.

  • Use Microsoft Baseline Security Analyzer 2.0 to check for additional hotfixes (for MDAC and XML, for example) and for configuration suggestions.

  • Teach users to click “No” when asked if they want to install something they didn't expressly visit a site to download.

  • Wean users away from ad-ware-supported products.

  • Show users where the “Del” key is located and demonstrate how to push it when they receive spam.

  • Explain to users that any file that comes from someone they don't know and any unexpected file that comes from someone they do know is probably infected. Show them again where the “Del” key is and point out that there are two of them on every keyboard. Demonstrate that any finger can be used to press either key.

Copyright 2007 by Andrew Aronoff