Disinfecting Windows

5/2005

Removing all the malware (viruses, trojans, worms, spyware, adware, etc.) from Windows is not an easy task. This effort should not be undertaken by the inexperienced as it takes time, patience, knowledge, and the correct tools. Current versions of the software mentioned on the following list should be downloaded and burned to a "Cleaner" CD to be used with the "infected" PC. Most of the software mentioned below is freeware (for personal use), but can be purchased as shareware. If you use these programs regularly, please pay the authors for their work.

Items that you will need:
Most of these programs can also be found on Slug's Download Page. Again, I must stress the difficulty of the process that follows. It should not be undertaken by the inexperienced user as the results could be the total loss of all data (files, folders, documents, etc.) on the infected PC. This process is not fool-proof and there are times when the PC's hard drive must be erased and Windows re-installed.
  1. Back up the data! - This step cannot be over-stressed. All critical data (files, folders, etc.) should be archived to a network folder or to portable media such as DVD or CD. Windows' built-in Backup (Start Menu->Programs->System Tools) or Syncback can help. After the PC has been disinfected, be sure to scan all archived files before restoring them. This will help prevent a re-infection.
  2. Create a new folder on the infected PC and copy the contents of the "Cleaner" CD to that folder.
  3. Reboot into Safe Mode: press F8 just before Windows starts. Unplug the Ethernet cable!

  4. Clean out unnecessary files with iISystemWiper. Click on Load and select "All.iis". Click on Netscape and uncheck "Cookies." Do the same for IE/AOL. Select the Options tab and uncheck "Run at Startup." Click "Start." This will greatly speed up the disinfecting process.

  5. Run Xcleaner. At minimum select "Quickly scan for Malware" and "Verify/fix network Layered Service Provider Settings." Do not allow it to set a System Restore Point (this can keep malware alive after a reboot). Do not allow it to erase your "Cookies." Click on Start Cleaning. Reboot into Safe Mode if necessary.

  6. Run Microsoft's Malicious Software Removal Tool.
  7. Run Stinger and open the Preferences. Check "Boot Sectors." Click on Scan Now. Reboot into Safe Mode if necessary.

  8. Update the installed antivirus program and do a full system scan. If an antivirus program is not installed, install one, update it, and do a full system scan. If you encounter a virus that cannot be removed by the software, look for specialized removal tools at Bitdefender, SARC, and Sophos. Write down the names, locations, and infected files of any viruses found. If you are still unable to remove a virus using a provided software tool, you may have to boot into the Windows Recovery Console (command-line mode) and manually erase the files:

    1. Reboot the PC with the Windows CD in the drive. Press any key when the "Press any key to boot from CD" message appears.
    2. When the "Welcome to Setup" screen is displayed, press R to start the Recovery Console.
    3. Select the Windows installation you want to work on; usually this is 1 (assuming more than one is installed).
    4. Enter the Administrator password.
    5. Erase the stubborn files.

  9. Run RootkitRevealer. This is a difficult step that could lead to severe (re-install required) damage to your Windows install (it will not damage your PC's hardware). If you are not confident in your abilities, skip this step or get an expert to help. If a rootkit is detected, it may be impossible to remove; you may have to reinstall Windows if your PC is infected with a rootkit.

  10. Install Spybot (allow it to install SDHelper) and update its definition file. Run it. Do not allow it to set a System Restore Point. Clean out anything it finds. Immunize the PC using Spybot.

  11. Run CWShredder.

  12. Install Ad-Aware SE and update its definitions. Run it. Remove everything it finds. This step can only be done on home PCs, as use on UTC computers violates the license agreement.
  13. Run HijackThis. Removing nasty BHOs and other problems with HijackThis is very difficult. If you are not confident in your abilities, skip this step or get an expert to help. Look for the directories/files found during the virus scan and remove their entries using HijackThis.

  14. Install ZoneAlarm if you are running any version other than Windows XP with Service Pack 2. If you are running Windows XP without Service Pack 2, install Service Pack 2 now.
  15. Reboot into normal Windows mode with the network cable unplugged.
  16. Open XP's Security Center (Start->Control Panel->Security Center) and make sure all the "lights" are green. It is critical that the firewall be enabled to prevent re-infection. Once you are sure the firewall is enabled, reconnect the network cable and reboot.

  17. Visit Windows Update using Internet Explorer. Continue to patch the system (and reboot) until no Critical patches are found.

  18. Install Windows AntiSpyware. You may have to validate your copy via the "Windows Genuine Advantage" program online. Run the program. Let it update itself, install the real-time protection agent, and participate in SpyNet. Quick Scan the PC and let it remove any spyware found. Click on Advanced Tools and then System Explorers. Look at "IE BHOs", "Startup Programs", "Downloaded ActiveX", and "IE Toolbars". Remove any entry that is identified as spyware or that points to a file/folder identified in any previous step as a virus/trojan/spyware. You should also verify your "Start Page" and "Search" settings found under "IE Settings".

  19. Install SpywareBlaster. Download the latest updates and enable all protections.

  20. Maintain your protection. SpywareBlaster, Microsoft's AntiSpyware, Spybot, Ad-Aware, and all known antivirus programs must be updated on a routine basis; I suggest a weekly schedule (at least). Set aside 15 minutes per week to update and run these programs without fail to protect your "clean" PC.
  21. Surf safely.
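Steps 8 and 18 together amount to a cross-check: the file names and locations you wrote down during the virus scan are compared against what the Run keys and IE BHO registrations actually launch. The script below is an added example (not part of the original article or any of the tools it names) that automates that comparison; the registry paths are the standard XP locations, the sample entries and file names are constructed, and the CLSID shown is a placeholder.

```python
import importlib, ntpath, os, re
winreg = importlib.import_module("winreg") if os.name == "nt" else None  # live reads need Windows
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

def exe_from_command(command):
    """Program path a Run-key command starts (quoted, unquoted with args, rundll32 'dll,Entry')."""
    command = command.strip()
    m = re.match(r'"([^"]*)"|(\S*)', command)  # an unquoted path containing spaces is cut at the space
    path, rest = m.group(1) or m.group(2) or "", command[m.end():].strip()
    if ntpath.basename(path).lower() == "rundll32.exe" and rest:
        path = rest.split(",", 1)[0].strip('"')  # the DLL rundll32 loads is what matters
    return ntpath.normcase(ntpath.expandvars(path))

def flag_entries(entries, bad_files):
    """entries: (source, name, command) triples; bad_files: full paths or bare names noted in step 8."""
    bad = {ntpath.normcase(b) for b in bad_files}
    flagged = []
    for source, name, command in entries:
        path = exe_from_command(command)
        if path in bad or ntpath.basename(path) in bad:
            flagged.append((source, name, path))
    return flagged

def collect_entries():
    """Read HKLM Run values and the DLL behind each registered BHO from the live registry."""
    entries = []
    if winreg is None:
        return entries
    hklm = winreg.HKEY_LOCAL_MACHINE
    try:
        with winreg.OpenKey(hklm, RUN_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _ = winreg.EnumValue(key, i)
                entries.append(("HKLM Run", name, value))
        with winreg.OpenKey(hklm, BHO_KEY) as key:
            for i in range(winreg.QueryInfoKey(key)[0]):
                clsid = winreg.EnumKey(key, i)
                srv = r"SOFTWARE\Classes\CLSID\%s\InprocServer32" % clsid
                with winreg.OpenKey(hklm, srv) as s:
                    entries.append(("BHO", clsid, winreg.QueryValue(s, None)))
    except OSError:  # key absent or unreadable: return what was collected so far
        pass
    return entries

# Constructed sample: two entries that start files noted in step 8, plus one legitimate BHO.
SAMPLE_ENTRIES = [("HKLM Run", "Updater", r'"C:\Program Files\Evil Corp\upd.exe" /s'),
                  ("HKCU Run", "Loader", r"rundll32.exe C:\WINDOWS\system32\bad.dll,Start"),
                  ("BHO", "{clsid-placeholder}", r"%SystemRoot%\system32\shdocvw.dll")]
SAMPLE_BAD_FILES = [r"C:\Program Files\Evil Corp\upd.exe", "bad.dll"]
```

On the infected PC, `flag_entries(collect_entries(), your_notes)` lists the Run values and BHO CLSIDs to remove in step 18; offline, the constructed sample flags "Updater" and "Loader" and leaves the legitimate BHO alone.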