There are some similar pages on the Internet but so far none put together quite as much information in one place as this document. Not everything listed below pertains to every version of Windows, but there is information here for every version of Windows. Most of what is here is very concise and meant to be enough only for people that are quite familiar with Windows and DOS. If you can't understand this material or it seems to vague, you probably shouldn't be trying to use it.
Remember that prevention is the best medicine. Preach this as well as practice it. Never open email attachments without careful scrutiny, if at all. Treat downloads from peer-to-peer software and the Usenet newsgroups with utmost caution. Be careful what you click on while you surf the web. Keep all your software up to date with the latest patches and updates, Microsoft's in particular, install anti-virus software AND keep it current with the publisher's latest virus signature database. Weekly signature updates are good, daily is best. It also helps to use anti-spyware software such as Ad-Aware Pro or SpyBot, to get rid of the annoying, resource-hogging [bleep] that so many people naively pick up from web sites as as they surf the Internet.
Once the machine has a virus or worm...
Now that you have an infected machine, it may be impossible to install anti-virus software and/or update it properly. Sometimes you may not even be able to run REGEDIT or the Task Manager, nor even start the machine in safe mode! If you're really well-equipped, you have a bootable floppy or CD with any NTFS and RAID drivers you may need, and a very up-to-date DOS version of some anti-virus software. This will run slowly on a large drive with many files, but a time consuming remedy is a remedy just the same.
If you are not quite so well equipped (or if there are problems with the boot devices) you very often end up with a catch-22, which is that the viruses tend to interfere with the installation of anti-virus software, either intentionally or coincidentally. If you suffer this problem...
Follow this checklist!
Disconnect the machine from your LAN or broadband modem/router until the machine is clean. This protects you and everyone else and may even prevent the virus, worm or trojan from loading at all.
SAFE MODE IS YOUR FRIEND. It keeps many things from loading automatically, hopefully one of them being the virus you're trying to get rid of. They are often impossible to delete when they're running! The method for reaching Safe Mode varies a little. In all cases pressing and/or holding [F8] during startup will bring you the boot menu. In 98 and ME, you can also reach the boot menu by pressing/holding [Ctrl]. In NT 4 there is no true Safe Mode; start the system in VGA mode and hope for the best. Some viruses and other malicious software are so tenacious that the "Safe Mode Command Prompt Only" option is required.
This is a good time to try installing or updating your anti-virus and anti-adware software. If you still can't get it going in safe mode, you're going to have to do some thorough detective work and house-cleaning!
Some initial clean-up will probably delete many intruding programs and will make virus and malware scanning run faster too, giving them less files to chew on. Empty the web browser caches for all users, then find all the TEMP folders and empty them out too, and empty the wastebasket.
In Windows XP it may be helpful to disable the System Restore feature. Many malicious programs find their way in there and keep coming back after you delete them.
Configure Windows Explorer for a "details" view and set it to show hidden and system files and not to hide extensions for known file types.
Use the Windows Task Manager to look for suspiciously named processes. Check the properties of EXE's you find there to confirm or allay your suspicions. Be particularly wary of executables that lack a Version tab in the Properties page. If you're not sure, plug the filename into Google and see what comes up.
Use NETSTAT to look for suspicious ports and processes. Use the -a switch, and speed things up with -n. In XP, the new -o switch reveals which processes have which ports open (by PID only, then refer to Task Manager). Third-party shareware and freeware utilities such as Foundstone's FPORT or SysInternals' TCPVIEW can reveal more details via a single interface.
Check for suspicious executable files in the root of your hard drive, and be aware of search path precedence and .exe filename conflicts. An innocently named but destructive file in the volume root could precede the use of a similarly named file in the Windows folder.
Check for suspicious files in the %WINDIR%, SYSTEM and SYSTEM32 folders. Do a directory listing and sort by creation date (DIR /OD /TC) to turn up the latest files planted there. Many nasties have one or more of the Hidden and System bits set, so also combine the /AH or /AS switches on the DIR commands. Also check the IOSUBSYS and VMM32 folders. More recently I've found things buried under DRIVERS too.
Check for suspicious files in all the temporary folders, including the ones under Documents and Settings, or under Profiles. And don't forget the Recycler.
Check the "Run" keys in the registry for suspicious startup processes:
Check the shell association keys in the registry - should look like:
HKCR\exefile\shell\open\command = "%1" %*
HKCR\scrfile\shell\open\command = "%1" /S
HKCR\comfile\shell\open\command = "%1" %*
HKCR\batfile\shell\open\command = "%1" %*
HKCR\htafile\shell\open\command = "%1" %*
HKCR\piffile\shell\open\command = "%1" %*
HKCR\cmdfile\shell\open\command = "%1" %*
Check similarly named keys under HKLM\Software\Classes\...
Check for rogue running services and their keys:
Check for anything suspicious in the following keys:
HKLM\Software\Microsoft\Active Setup\Installed Components
If you delete or fix a suspicious registry key and it re-appears or reverts to a suspicious form after a reboot, you've almost surely found at least one virus that was running!
Check the following files for suspicious startup code:
%WINDIR%\WIN.INI: load=, run=
Check the Autostart directory and its contents:
"Common Startup"="C:\windows\start menu\programs\startup"
HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders
"Common Startup"="C:\windows\start menu\programs\startup"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Check the common and user-specific Startup groups in Windows.
Check for suspicious installations of GINA DLL's or unusual, non-standard Windows shells here:
Should normally be no GinaDLL key or may refer to MSGINA.DLL, but some legitimate remote-control software do implement their own, i.e. AWGINA.DLL for PCAnywhere.
Many trojans exploit otherwise non-viral software such as ICQ, which anti-virus software won't bother to report. Watch out for evidence of chat or peer-to-peer software on your system, particularly if it's in your Windows folder structure rather than in its own folder under Program Files.
If ICQ is installed, check this key for apps that start when ICQ auto-detects a connection:
Radmin is another legitimate program that many virus and worm authors like to deliver and exploit to gain complete control over your computer.
Check HKLM\Software\Classes for instances of "NeverShowExt", which in the Windows GUI can obfuscate the true extension of a full filename in the given class.
If you are dealing with a boot sector virus (increasingly rare!), available RAM memory shown may not correspond precisely to the installed physical RAM. Do the math!
When the machine is finally clean, change ALL passwords (in XP don't forget Administrator, even though it's often obscured) and fully review system security setting
Edited by Koretek, 06 February 2005 - 07:45 PM.