Cleaning and Securing a Computer Procedure
Symptoms of malware infection range from nearly undetectable (as with keyloggers) to crippling (temperamental rootkits).
Security applications such as the user's antivirus and firewall are disabled or refuse to update.
New programs that the user doesn’t remember installing
A generic antivirus program claiming the system is infected and asking for money.
Foreign toolbars in the browser.
A failure to boot in the form of either a black screen with a message about a corrupt file or the blue screen of death (BSOD)
The computer is slow, processor and memory usage are near full even with no applications open.
The user tries to browse or make a search query and is rerouted to a suspicious site.
Malware Cleaning Procedure
Step 1: Prepping the system
Boot into a Ubuntu Linux live disc to manually remove infected files first. You should look for suspicious files in the following directories:
%UserProfile%\Local Settings\Application Data
%UserProfile%\Application Data\Microsoft\Internet Explorer
Use the detailed file view and sort the files by modification date; this way you can look for malicious files that have recently been added or changed.
Make sure files are not hidden or you'll miss malware.
Boot into Safe Mode with Networking by pressing F8.
Run rKill to remove any active malware processes.
Run CCleaner to remove temporary files.
Run mbr (in the GMER folder) and check if there is a master boot record infection (if there is, use the XP recovery console (Vista/7 command line from the install disk) and type “fixmbr”).
In any Explorer window, go to Tools > Folder Options > Show hidden files and folders. Also enable showing protected operating system files.
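As an added example (not part of this manual), the following PowerShell script performs the Step 1 file sweep from the Windows side: it lists recently changed files, hidden ones included, in the two directories named above (via their Vista/7 equivalents $env:LOCALAPPDATA and $env:APPDATA, which the XP paths are junctions to) and checks each for an Authenticode signature so unsigned or tampered files surface first. The 30-day window, the extension filter and the output path are assumptions; it needs PowerShell 3 or later.

```powershell
# Added triage helper, not part of the original procedure. Run from an
# elevated PowerShell on the machine being cleaned, after Safe Mode boot.
param(
    [int]$Days = 30   # assumed lookback window (Step 6 of the manual uses 30 days)
)

# Vista/7 locations of the two directories the manual names for XP.
$targets = @(
    $env:LOCALAPPDATA,
    (Join-Path $env:APPDATA 'Microsoft\Internet Explorer')
)
$since = (Get-Date).AddDays(-$Days)
# Executable-type extensions worth a closer look (assumed list).
$exts = '.exe', '.dll', '.scr', '.sys', '.com', '.pif', '.bat', '.cmd', '.vbs', '.js'

$report = foreach ($dir in $targets) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force includes hidden and system files, which the manual warns are easy to miss.
    Get-ChildItem -LiteralPath $dir -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       $_.LastWriteTime -ge $since -and
                       $exts -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
            [pscustomobject]@{
                LastWriteTime = $_.LastWriteTime
                Hidden        = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Signature     = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Company       = $_.VersionInfo.CompanyName
                Path          = $_.FullName
            }
        }
}

# Files that are not validly signed sort to the top, newest first; this mirrors
# the "blank company, not verified" heuristic the manual applies in Process Explorer.
$report |
    Sort-Object @{ Expression = { $_.Signature -ne 'Valid' } }, LastWriteTime -Descending |
    Format-Table -AutoSize

# Keep a copy next to the other tool logs for the manual cleanup in Step 6 (assumed path).
$report | Export-Csv -LiteralPath (Join-Path $env:USERPROFILE 'Desktop\recent-files-triage.csv') -NoTypeInformation
```

An unsigned file is not automatically malware (many legitimate installers drop unsigned binaries); use the list to decide what to inspect, not what to delete.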
Step 2: Use Process Explorer
In both Process Explorer and Autoruns, you will be looking for suspicious entries that don't have a coherent name, blank company and description, and aren't verified. Not all unverified processes are malicious.
Verify that there aren’t any malicious processes running and any DLL hooks. Malicious processes utilize the buddy system; if one process is terminated and the other isn't, the other will bring back the terminated process. Suspend both processes to prevent a whack-a-mole situation.
Green = New processes
Red = Processes that are exiting. When you start Pex you may see malware entries turn red and disappear.
Blue processes are running in the same security context as Process Explorer
Pink processes host Windows services (we’ll look at services shortly)
Purple highlighting indicates an image is “packed”
Packed can mean compressed or encrypted
Malware commonly uses packing (e.g. UPX) to make antivirus signature matching more difficult
Packing and encryption also hides strings from view
Step 3: Using Autoruns
DANGER: Autoruns modifies the Registry. The registry may break the operating system. Be careful of what you remove.
Comb through and look for entries that do not belong (no description)
Verify signatures for suspicious entries (Options > Verify Digital Signatures > F5)
Uncheck suspicious entries, delete any entries that are for sure malicious.
Autoruns removes the registry entries associated with malware and will point you to the malware location but may not necessarily remove the file.
Use Killbox to remove the file, and if it is unable to, schedule a file deletion after reboot.
Step 4: Use automated tools
Up until publication of this manual, infections appearing on 64-bit systems have had limited impact in their attempts to modify core operating system files, thanks to digital signature checking; however, malware will inevitably adapt and new tools will arise to counter it. In the meantime, automated tools for the 64-bit OS are limited to Malwarebytes Anti-Malware (MBAM) and the standard antivirus.
Step 6: Use .txt logs of automated tools to manually remove malware
The automated tools produce .txt log files when they finish, showing which files were created in the last 30 days and which files were removed in the cleaning process. It's important to use Killbox to go through the list of created files and delete the ones that are malware.
Remember that anything in the Catroot folders in System32 is a Windows Update file and may break the OS's Genuine Advantage check if deleted.
Step 7: Verify with Autoruns and Process Explorer again
Make sure you note this on the form.
Step 8: Secure the Computer
Make sure Windows Update has been run and the latest service packs are installed.
Make sure the Firewall is on.
Make sure the Antivirus is updating and not expired.
Check in CCleaner that Firefox/Java/Adobe/Flash are up to date; if not, run the individual installers or Ninite.