Removing Malware

This is, essentially, a list for myself: sometimes I forget a step when I'm having trouble, or forget about an especially helpful resource! I won't provide a lot of explanation, but if you know what you're doing, help yourself. I'm going to list anything and (eventually) everything I like to do or use, so not everything is useful, or even necessary, in every situation.

DISCLAIMER: I cannot be held responsible for anything bad that happens to your computer, car, cat, or stove while following these steps. I can, however, be held responsible if everything works out great!

Preparation

  • Disconnect the computer from the network (pull the cable, turn off Wi-Fi). The malware can't phone home, fetch friends, or spread to the rest of the LAN while you work.
  • Delete temp files (CCleaner). Less junk for the scanners to wade through, and a lot of droppers live in %TEMP%.
  • Remove programs that obviously shouldn't be there
    • Toolbars
    • "Antivirus" scanners the client never installed (rogue/fake AV), plus expired trial ones that aren't doing anything
    • Screensavers (which aren't included in Windows)
    • Uhhh, other worthless stuff. iTunes?
  • Enter Safe Mode (tap F8 while booting)
  • Use Hiren's BootCD (from USB) to boot into Mini Windows XP.
    • This little guy pretty much takes care of everything else. I especially like this boot CD because everything on it is portable: no local installs! The "BootCD" can be used as a traditional boot CD or as a boot USB. It boots into a menu with all kinds of tools, or you can use it to boot an extremely stripped-down version of Windows XP (just enough to get done whatever you need: backups, file restoration, scanning, etc.). Or you can use it while Windows is running to, again, run almost all of the included utilities portably. Scanning from Mini XP also means the infected OS isn't running, so a rootkit can't hide its files from the scanner or stop it from starting. One caveat: registry edits made from Mini XP hit Mini XP's own registry, not the patient's, unless you load the offline hive first.
  • rkill.exe, rkill.com, rkill.scr, rkill.pif
    • rkill just kills processes, imports a reg file that restores HKEY_CLASSES_ROOT\exefile\shell\open\command, removes the policies that disable regedit and taskmgr, hide your desktop icons, etc., and removes a key used by a malware protection process. Then it kills explorer.exe so it restarts and picks up some of the registry changes. Other than what is listed above, it does nothing else. In particular it removes nothing, so don't reboot between rkill and the scanners; everything it killed will just start right back up.
    • The multiple extensions are because some malware blocks all EXEs from running; .com, .scr and .pif are still executed by Windows but often aren't on the malware's block list.
  • Kill all programs (system tray included)
    • C:\Windows\system32\taskkill.exe /F /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME ne explorer.exe" /FI "IMAGENAME ne dwm.exe"
    • This only kills processes owned by your account; malware running as SYSTEM or as a service survives it. Add /FI "IMAGENAME ne cmd.exe" if you want to keep the prompt you typed it in.
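If rkill itself won't run (or you just want to see what it actually does), here is the whole Preparation step done by hand. This is an added example, not rkill's code and not part of the original list: a cmd.exe batch script that makes the registry repairs rkill is described as making, runs the taskkill filter above, and restarts explorer.exe. The policy value names are the standard Windows ones; the "malware protection" key rkill removes isn't named anywhere, so it's left alone. Run it inside the infected Windows (Safe Mode is fine) from an admin prompt, not from Mini XP, for the reason given above.

```batch
@echo off
REM Added example (not rkill, not from the original checklist): does by hand the
REM registry repairs rkill is described as making, then kills the current user's
REM processes and restarts explorer.exe so the changes take effect.
REM Run inside the infected Windows (Safe Mode is fine) from an admin cmd.exe.
REM Assumptions: the policy value names below are the standard ones; rkill's
REM undocumented "malware protection" key is unknown here and is not touched.

echo [1/4] Restoring the .exe file association
REM Malware sometimes repoints HKCR\exefile\shell\open\command at itself so every
REM program launch loads the malware first. The stock value is:  "%1" %*
REM (%% is how a literal % is written inside a .bat file.)
reg add "HKCR\.exe" /ve /t REG_SZ /d "exefile" /f
reg add "HKCR\exefile\shell\open\command" /ve /t REG_SZ /d "\"%%1\" %%*" /f

echo [2/4] Removing lockout policies (regedit, Task Manager, hidden desktop)
REM Same value names exist under HKCU and HKLM; clear both. Errors mean
REM "value not there", which is what we want, so they are silenced.
for %%h in (HKCU HKLM) do (
    reg delete "%%h\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /f >nul 2>&1
    reg delete "%%h\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f >nul 2>&1
    reg delete "%%h\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDesktop /f >nul 2>&1
)

echo [3/4] Killing everything running as %USERNAME% except the desktop
REM cmd.exe and conhost.exe (Win7) are excluded so this script survives itself.
REM Note this cannot touch SYSTEM-owned or service processes; that is what the
REM scanners are for.
taskkill /F /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME ne explorer.exe" /FI "IMAGENAME ne dwm.exe" /FI "IMAGENAME ne cmd.exe" /FI "IMAGENAME ne conhost.exe"

echo [4/4] Restarting explorer.exe so the registry changes are picked up
taskkill /F /IM explorer.exe >nul 2>&1
start "" explorer.exe

echo.
echo Check: the .exe handler should read "%%1" %%* and the System policy key should be empty or gone
reg query "HKCR\exefile\shell\open\command" /ve
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" 2>nul
echo Do NOT reboot yet: nothing has been removed. Run MBAM / Spybot now.
```

The two reg query lines at the end are the check: if the handler still points at some file in %TEMP% or %APPDATA%, the script ran fine but something re-wrote the key while it ran, and that something is your first lead for the "Finding the needle" section.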

General Removal (sledgehammer approach)

  • Spybot S&D
  • Malwarebytes Anti-Malware (MBAM)
  • The box is off the network, so bring the installers and current definition updates over on the USB stick; a scanner with stale definitions will happily miss this week's variant.

Internet hijack / Network issues

Either caused by the malware, or by removing the malware (whoops)

  • Reset WinSock (Windows XP)
    • Start > Run > cmd [enter]
    • netsh winsock reset catalog [enter]
  • Reset WinSock (Windows Vista / 7)
    • Open cmd as administrator (Start, type cmd, Ctrl+Shift+Enter); netsh needs elevation here
    • netsh winsock reset [enter]
  • Reboot after either one; the reset doesn't take effect until then.
  • Unable to reach Windows Update
    • From a command line (elevated on Vista / 7):
      • net stop wuauserv
      • regsvr32 wuaueng.dll
      • (if the above fails, use full paths) %SYSTEMROOT%\System32\regsvr32.exe %SYSTEMROOT%\System32\wuaueng.dll
      • regsvr32 qmgr.dll
      • regsvr32 wuapi.dll
      • regsvr32 atl.dll
      • regsvr32 wucltux.dll
      • regsvr32 wups.dll
      • regsvr32 wups2.dll
      • regsvr32 wuwebv.dll
      • regsvr32 wucltui.dll
      • regsvr32 msxml3.dll
      • regsvr32 qmgrprxy.dll
      • net start wuauserv
    • regsvr32 complaining that a file wasn't found is normal for wucltui.dll on Vista / 7 and for wucltux.dll / wuwebv.dll on XP; they belong to the other OS's update client. Any other failure means the agent is damaged, so go to the reinstall.
    • Reinstall the Windows Update agent: http://support.microsoft.com/kb/949104
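The same re-registration as one script, so you get a single report of what failed instead of clicking through a dozen regsvr32 message boxes. This is an added example, not from the original list: a cmd.exe batch file over the DLL list above. It also stops and starts BITS, because qmgr.dll and qmgrprxy.dll are BITS components, and it only notes (rather than counts as failures) the DLLs that don't exist on the Windows version you're on. Run it from an elevated prompt on Vista / 7.

```batch
@echo off
REM Added example (not from the original checklist): re-registers the Windows
REM Update agent DLLs listed above in one pass and reports which, if any, failed.
REM Run from an elevated cmd.exe on Vista/7 (any admin prompt on XP).
REM BITS is stopped along with wuauserv because qmgr.dll / qmgrprxy.dll are BITS.
setlocal enabledelayedexpansion
set "SYS=%SystemRoot%\System32"
set "FAILED="
set "SKIPPED="

net stop wuauserv
net stop bits

REM /s makes regsvr32 silent: no message box, result only in ERRORLEVEL, 0 = ok.
REM wucltui.dll is the XP client UI; wucltux.dll and wuwebv.dll are Vista/7's,
REM so a DLL missing on one Windows version is expected and is only noted.
for %%d in (atl.dll msxml3.dll qmgr.dll qmgrprxy.dll wuapi.dll wuaueng.dll wucltui.dll wucltux.dll wups.dll wups2.dll wuwebv.dll) do (
    if exist "%SYS%\%%d" (
        regsvr32 /s "%SYS%\%%d"
        if errorlevel 1 set "FAILED=!FAILED! %%d"
    ) else (
        set "SKIPPED=!SKIPPED! %%d"
    )
)

net start bits
net start wuauserv

echo.
if defined SKIPPED echo Not present on this Windows version, skipped:%SKIPPED%
if defined FAILED (
    echo Registration FAILED for:%FAILED%
    echo Next step: reinstall the Windows Update agent, KB949104.
    endlocal
    exit /b 1
)
echo All Windows Update DLLs registered. Try Windows Update again.
endlocal
exit /b 0
```

The exit code (1 on any failure, 0 otherwise) is there so you can chain it from a bigger cleanup script and branch straight to the agent reinstall without reading the output.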

Finding the needle

After Disinfection

  • Defrag
  • Run Windows Update (and set it to install updates automatically)
  • Consider chastising the client and banning them from using any browser other than Chrome (I hear IE 9, still in beta at this time, is pretty good, though)
  • Free antivirus (because they probably felt safe with some trial antivirus that expired two years ago, having clicked "remind me later" every time they booted the PC)

http://www.downloadsquad.com/2010/11/21/15-free-windows-apps-to-help-you-tackle-thanksgiving-tech-support/