Instructions for Cleaning an Infected Windows NT/2000/XP/2003
Machine
SEASnet has provided the following instructions for cleaning your
machine. Failure to follow these instructions precisely will
result in your machine still showing as infected after being brought
back up on the network and we will once again disable your IP address.
Repeated infections will result in you having to pay our campus
approved labor rate for reconnection. If you do not wish to clean
your machine you may submit an
MSR and SEASnet will send someone to do these steps for you as
soon as we have staff available. Your only other option is to
reinstall your OS, making sure to follow SEASnet's guidelines for
securing your system.
These instructions require you to use the Windows registry. If you
are unfamiliar with the Windows registry we recommend you read the
Microsoft Knowledge Base articles linked below. You would only need
to read the Description of the Microsoft Windows
Registry article and the specific article that deals with your
particular OS.
Warning: If you use Registry Editor incorrectly, you may
cause serious problems that may require you to reinstall your
operating system. Microsoft does not guarantee that you can solve
problems that result from using Registry Editor incorrectly.
Description of the Microsoft Windows registry
HOW TO: Back up, Edit, and Restore the Registry in Windows XP and Windows Server 2003
HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
- Borrow a virus scanning CD from SEASnet.
- Go into Safe Mode by pressing F8 as your machine is booting up.
- Insert the CD and login to the Safe Mode.
- Use the command line scanning tool for sophos and do a full
scan for all files. This could take a few hours, so be warned.
- Go to Start -> Run -> "cmd" -> enter
- Go to the cdrom drive and then "cd sophos\sav32"
- Enter this command: "sav32cli -all -f -remove -nc -idedir=:\sophos\ides"
- Or you can run ":\sophos\sav32\scan.bat" and follow the prompt
- Once the scan is complete, write down both the filenames and
virus/worm/trojan type of any infected files.
- For example, C:\WINDOWS\system32\iiexplorer.exe was
the infected file and the worm was W32/RBOT-KX
- Search the registry for these files using regedit and delete any
values or keys that reference them (delete the value that points at
the infected file, not the Run key it lives in).
- Start -> Run -> regedit -> enter ... Edit -> Find ->
- More often than not, the major locations (that may or
may not exist) are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Ole
HKEY_CURRENT_USER\Software\Microsoft\Outlook Express
- While you are in the registry at the above locations, look for
any weird/interesting programs listed.
- For example, there should NOT be a "Windows Update" item
within the "Run" folder - any obvious misspellings are also
bad ("microsofot" instead of "microsoft")
- Write down the program and the file associated with it
and do a search for them
- If they turn up to be virus/malware files, you will have
to do a file search and delete these files
- You can run stinger here if you like
- Next, look through the Services for anything strange
- Start -> Control Panel -> Administrative Tools -> Services
- Here are the official
Microsoft Windows XP Services list (some may not be
installed on your machine)
- Stop any weird services that are running (see NOTE below)
- they will not be running if you are in safe mode
- Disable the service if you know it is bad; set it to
manual if you are unsure - (do a search for the service if
you are unsure)
- As long as the service is disabled it cannot be started again at
the next boot
NOTE: For a clearer view of what are not Microsoft standard services go
to Start -> Run -> "msconfig" -> Services -> Click on "Hide All Microsoft
Services". The remaining services are the ones you want to look at,
assuming your machine has not been severely hacked (the filter trusts
what a service says about itself, so a malicious service registered
under a Microsoft-looking name will be hidden too).
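The registry and services checks above are done by hand in regedit. The Python script below is added here as an example and is not part of SEASnet's instructions or tools. It automates the triage part of the registry step: it reads the file names sav32cli reported as infected (the ">>> Virus '...' found in file ..." line format is an assumption), parses the text that "reg query" prints for each of the Run keys listed above (format also assumed), and flags any entry that launches one of those files, uses a value name that should never appear under Run (such as "Windows Update"), or contains a near-miss spelling of "microsoft" in its name or path. The sample scan output and registry listing embedded in the script are constructed for the example.

```python
"""Registry autorun triage after a sav32cli scan.

Added example, not a SEASnet tool.  Both input formats are assumptions:
sav32cli is assumed to report each detection as
    >>> Virus '<name>' found in file <path>
and `reg query <key>` is assumed to print the key on its own line followed by
    <value name>   <REG_type>   <data>
SAMPLE_SAV and SAMPLE_REG below are constructed for this example.
"""
import re

SAV_LINE = re.compile(r"^>>> Virus '(?P<virus>[^']+)' found in file (?P<path>.+?)\s*$")
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")

# Value names that never legitimately appear under Run (example from the page).
SUSPICIOUS_NAMES = {"windows update"}


def infected_files(sav_output):
    """Map lower-cased infected path -> threat name from sav32cli output."""
    found = {}
    for line in sav_output.splitlines():
        m = SAV_LINE.match(line.strip())
        if m:
            found[m.group("path").strip().lower()] = m.group("virus")
    return found


def parse_reg_query(reg_output):
    """Return (key, value name, data) triples from `reg query` text."""
    entries, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):          # key path is printed at column 0
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append((key, m.group("name").strip(), m.group("data").strip()))
    return entries


def exe_path(command_line):
    """Lower-cased program path from a Run value; quoted paths are handled,
    an unquoted path with spaces is cut at the first space (good enough here)."""
    cmd = command_line.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd[1:].lower()
    return cmd.split()[0].lower() if cmd else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot misspellings such as 'microsofot'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_microsoft_typo(text):
    """True if any word is within two edits of 'microsoft' but is not it."""
    for word in re.findall(r"[a-z]+", text.lower()):
        if word != "microsoft" and edit_distance(word, "microsoft") <= 2:
            return True
    return False


def triage(sav_output, reg_output):
    """Flag autorun entries worth removing, with the reason for each."""
    infected = infected_files(sav_output)
    findings = []
    for key, name, data in parse_reg_query(reg_output):
        reasons = []
        path = exe_path(data)
        if path in infected:
            reasons.append("launches file detected as " + infected[path])
        if name.lower() in SUSPICIOUS_NAMES:
            reasons.append("value name never legitimately appears under Run")
        if looks_like_microsoft_typo(name) or looks_like_microsoft_typo(data):
            reasons.append("misspelling of 'microsoft'")
        if reasons:
            findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


# Constructed sample inputs (not real scan output or registry contents).
SAMPLE_SAV = r"""
>>> Virus 'W32/RBOT-KX' found in file C:\WINDOWS\system32\iiexplorer.exe
"""

SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Windows Update    REG_SZ    C:\WINDOWS\system32\iiexplorer.exe
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    microsofot    REG_SZ    C:\WINDOWS\msupd.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    MSMSGS    REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_SAV, SAMPLE_REG):
        print("%s\\%s = %s" % (f["key"], f["name"], f["data"]))
        for r in f["reasons"]:
            print("    -", r)
```

To use it on a real machine, run reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" (and the other keys in the list above) from a cmd window, feed that text to triage() together with the sav32cli output, and check every flagged entry by hand before deleting it; the typo heuristic in particular is only a hint.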
At this point, you can reasonably assume that the infection is
gone. However, it is possible that there are other things going on that
will cause another infection to occur. So here are further steps broken
up into groups:
- Change the password on ALL accounts on your machine.
- Control Panel -> Administrative Tools -> Computer
Management -> Local Users and Groups -> Users
- Right click and "Set Password" for "Administrator" and
all other user accounts - do not change passwords for machine
accounts and other accounts created by installed programs
- Make sure you use strong passwords: at least 6 characters with a
combination of capital, lowercase, and numbers (longer is better) - if
you want, also use the special characters such as !@#$%^&*()
- Install the Microsoft Baseline Security Analyzer and update the
mssecure.xml file.
- Copy from the CD to the installed location (default is
C:\Program Files\Microsoft Baseline Security Analyzer)
- Scan your machine and see what problems are found and
fix them
- Look for the windows update icon in the task tray to see if any
updates are ready to be applied.
- The report from the Baseline Security Analyzer should have said
if any updates were missing if there is no icon.
- Install any missing patches/updates (some are on the cd).
- Configure the automatic windows update to run and install
automatically.
- Control Panel -> Automatic Updates -> Set it to
Automatic and Daily and whatever time you know your
machine will be turned on
- Download and install Ad-Aware from Lavasoft and then scan
the machine for any malware - fix any that show up.
- Do a full scan of your machine (do a google search for
"reconfigure ad-aware for full scan")
- uninstall ad-aware if you want
- Install spybot S&D (search and destroy) from Safer Networking
Limited and then scan the machine for any malware as well. Fix any
that show up.
- Uninstall spybot s&d if you want
- Remove any unnecessary shares and set security on needed shares
(IPC$, C$, and ADMIN$ are default shares and ok to have).
- Control Panel -> Administrative Tools -> Computer
Management -> Shared Folders -> Shares will list all the
shares on your machine
- Turn off simple file sharing.
- Double-click "My Computer" or open any folder explorer
- Tools -> Folder Options -> View -> In Advanced settings,
turn off (uncheck) "Use simple file sharing (Recommended)"
- If you need file sharing, consult this website
- Turn on the windows xp firewall or install a firewall on the
machine.
- Control Panel -> Network Connections -> Right-Click
"Local Area Connection" -> Properties -> Advanced -> Check
the "Protect my computer..." box or click "Settings", depending
on the Service Pack of Windows XP you have (if you hit
"Settings", click "On" on the next screen)
- Configure the Security Settings for IE above the default medium.
- Disable "Install On Demand" on the Advanced Tab in Internet
Options.
- Recommended: Use alternate web browser: firefox, mozilla, netscape,
opera (in that order).
- Configure Outlook Express
- Options->Security-> "Block images and other
external content in HTML e-mail"
- Options->Security-> "Do not allow attachments
to be saved or opened that could potentially be a
virus"
- Configure Outlook
- Turn off preview pane for all folders
- Recommended for Outlook 2002 and older:
install addon to make all emails viewed as text
only
- For Outlook 2003: Tools->Options->Security->Change
Automatic Download Settings-> turn on both "Don't
download pictures..." and "Warn me before..."
- Look for any installed programs/files of the following:
- firedaemon - this is a program that installs other programs as
silently running Windows services
- mirc/irc - this is an internet relay chat client program
- cygwin - this is a unix environment/program for windows
- uftp - ftp server
- Uninstall or delete (if you can't uninstall) any of the above
listed programs.
- If a Service is running with those names stop it and disable it!
- The above programs may be signs that your machine has been
hacked. Please let SEASnet know if this has happened.
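The share review in the list above is a GUI step. As an added example, not SEASnet's own tooling, the Python script below parses the text that "net share" prints in a cmd window (the column layout is assumed from Windows 2000/XP, and the sample listing is constructed) and lists every share that is not one of the defaults the page names. It generalises the page's C$ to any drive-letter administrative share (D$, E$ ...), which Windows also creates itself, and prints the "net share <name> /delete" command that would remove each remaining share.

```python
"""Audit `net share` output for shares that are not Windows defaults.

Added example, not a SEASnet tool.  Assumes `net share` prints a header,
a dashed separator, one share per line (name, resource, remark separated by
runs of spaces) and a closing "The command completed successfully." line.
SAMPLE_NET_SHARE is constructed for this example.
"""
import re

DEFAULT_SHARES = {"IPC$", "ADMIN$"}          # named on the page as OK to keep
DRIVE_SHARE = re.compile(r"^[A-Za-z]\$$")    # C$, D$, ... (the page names C$ only)


def parse_net_share(text):
    """Return {share name: resource path or ''} from `net share` output."""
    shares, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        fields = re.split(r"\s{2,}", line.strip())
        # IPC$ has an empty resource column, so its second field is the remark.
        resource = fields[1] if len(fields) > 1 and ":" in fields[1] else ""
        shares[fields[0]] = resource
    return shares


def is_default(name):
    """True for the shares Windows creates itself (IPC$, ADMIN$, X$)."""
    return name in DEFAULT_SHARES or bool(DRIVE_SHARE.match(name))


def audit_shares(text):
    """(name, resource) for each share the page says to review or remove."""
    return [(n, r) for n, r in parse_net_share(text).items() if not is_default(n)]


def removal_commands(text):
    """cmd lines that would drop each non-default share; review before running."""
    return ['net share "%s" /delete' % n for n, _ in audit_shares(text)]


# Constructed sample listing, not captured from a real machine.
SAMPLE_NET_SHARE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
C$           C:\                             Default share
ADMIN$       C:\WINDOWS                      Remote Admin
D$           D:\                             Default share
Shared       C:\Shared
mp3          C:\Documents and Settings\bob\My Music
The command completed successfully.
"""

if __name__ == "__main__":
    for name, resource in audit_shares(SAMPLE_NET_SHARE):
        print("%-12s %s" % (name, resource))
    print("\n".join(removal_commands(SAMPLE_NET_SHARE)))
```

A share the script lists is not automatically unnecessary; it is the list to go through in Computer Management -> Shared Folders -> Shares, deleting the ones nobody needs and tightening permissions on the rest.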