Virus Clean Up


This is my general process for cleaning up a malware-ridden computer. This is just my process and is not always the best way to do this, but it works for me.

Containment is always the first step, then comes the investigation, followed by clean-up and education of the end user. I have a USB drive that I rebuild each time with the software below on it.

*** Do NOT trust any app that is installed on the computer until you can verify that the apps are clean ***

1. Isolate computer(s) and device(s) from the LAN – unplug everything connected to the LAN.
 
2. Shutdown computer(s) to take off-site
 
3. Once off-site, boot into Safe Mode (not connected to a LAN).
 
4. I manually review the hosts file and the permissions on it, ensuring nothing has been tampered with: C:\windows\System32\drivers\etc\hosts

 
5. From my flash drive, I install and run RKill. RKill is a program developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it kills malware processes, removes incorrect executable associations, and fixes policies that stop us from using certain tools. When finished it displays a log file showing the processes that were terminated while the program was running.
 
I usually use the iExplorer.exe version, as it tends to escape detection when a malware process is running and trying to protect itself. Once it has done its magic, I move on to the next step.
 
6. I will install the MalwareBytes Offline Scanner – Malwarebytes Anti-Malware (MBAM). Malwarebytes is a lightweight anti-malware program that is excellent at removing the latest detections. MBAM can also be used alongside any other security programs you have installed, which allows it to remove malware that managed to sneak past your normal anti-virus solution.
 
7. Update the Malwarebytes signatures.
8. I will then run Malwarebytes.
9. If the computer is stable and is restarting as expected, turn off System Restore and delete all restore points created after the malware was downloaded.
 
10. Install and run AdwCleaner, a free program that searches for and deletes adware, toolbars, Potentially Unwanted Programs (PUPs), and browser hijackers from your computer. By using AdwCleaner you can easily remove many of these types of programs for a better user experience on your computer and while browsing the web.
 
11. HijackThis – HijackThis is a program that can be used to quickly spot homepage hijackers and startup programs that you do not want to start automatically. This program is not an anti-virus program, but rather an enumerator that lists programs that are starting up automatically on your computer as well as other configuration information that is commonly hijacked.
 
12. I then go through manually to make sure that there are no programs that will autorun on reboot. First is CTRL+ALT+DEL > Task Manager > Startup tab: go through here and verify that each app should be running at startup; if unknown, let Google be your friend. Then I launch msconfig > Services tab and go through the services. Finally, I look at the registry in the following keys:
 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
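As an added example (not part of the original post), the following PowerShell does the read-only part of steps 4 and 12 in one pass: it lists the active hosts entries and who can write to the hosts file, then walks the four Run/RunOnce keys above and reports whether each launched executable exists and carries a valid Authenticode signature. It assumes an elevated PowerShell prompt on the still-offline machine and changes nothing.

```powershell
# Added example (not the author's script): read-only review of the hosts file
# and the four Run/RunOnce keys listed above. Run from an elevated PowerShell
# prompt while the machine is still offline; nothing here modifies the system.

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# --- Step 4: hosts file contents, write permissions and last change ---
Write-Host '== Active hosts entries (a stock Windows hosts file is all comments) =='
Get-Content $hostsPath |
    Where-Object { $_.Trim() -and -not $_.Trim().StartsWith('#') } |
    ForEach-Object { Write-Host "  $_" }

Write-Host "`n== Identities with write access (expect only SYSTEM and Administrators) =="
(Get-Acl $hostsPath).Access |
    Where-Object { $_.FileSystemRights -match 'Write|Modify|FullControl' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize | Out-String | Write-Host

Get-Item $hostsPath | Select-Object Attributes, LastWriteTime | Format-List | Out-String | Write-Host

# --- Step 12: what the Run / RunOnce keys will launch at next logon ---
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    Write-Host "`n== $key =="
    if (-not (Test-Path $key)) { Write-Host '  (key not present)'; continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object {
            # Pull the executable out of the command line (quoted or bare),
            # expand %VARS%, then check it exists and whether it is signed.
            $cmd = [string]$_.Value
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FILE MISSING' }
            # Unsigned, missing or oddly located executables are the ones to research.
            Write-Host ('  {0,-25} {1,-12} {2}' -f $_.Name, $sig, $cmd)
        }
}
```

Entries that point at a missing file, an unsigned binary, or a user-writable location such as %APPDATA% or %TEMP% are the ones worth looking up before the machine goes back online.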

Once I’m comfortable that the computer(s) are safe enough to return to the online world:

13. Connect computer(s) to an isolated segment of my network

14. Once online, I run online scanners such as Bitdefender QuickScan and the ESET Online Scanner; both require a small download to get started.
 

15. Depending on the incident, I may use Norton Power Eraser.

16. If I find something suspicious and I want to investigate, I will upload the suspicious file to the Kaspersky Threat Intelligence Portal or VirusTotal.
 
Once I’m convinced that everything is clean, I will reboot a few more times and run a dozen or so random apps. 
 
I’m usually done at this point, but it really depends on what is going on and what kind of attack it was.
 
If it was a Rootkit or Ransomware, then there are different things that I would do. 
 
I usually will uninstall the installed AV that the client was using, and either reinstall it as a clean version or upgrade them to one that works. 
 
I also often run CCleaner and Defragger on the computer while I still have it. 
Depending on what type of malware it is, you may need to log on to the client’s email sites, and cloud storage locations to ensure that the malware either didn’t start there or is hiding out there.
 
Keep in mind that none of this is a hard and fast rule; much of this is very fluid, but this is the basic outline for my plan of attack.
 
Investigation
 
The entire point of the investigation is to figure out where the malware came from. That usually includes looking at which apps were recently installed, reviewing browser history, and looking through log and audit files. This part can become really tricky and can take a long time if you do not know what you are doing.
 
***DISCLAIMER*** Just about any of the above steps can be disastrous if you do not know what you are doing. It is always best to hire a professional when it comes to something like cleaning up a malware infection. This post is just a high-level overview and should not be treated as a roadmap. Also, while this is the roadmap that I usually follow, I do take detours when needed, and this isn’t a complete roadmap. From time to time the tools and the steps change as well.
By Average Joe

Welcome to the Average Joe Weekly blog. This is basically my place on the web where I can help spread some of the knowledge that I have accumulated over the years. I served 10+ years in the Marine Corps on Active Duty, but that was some 25 years ago.
