
  • 8/11/2019 About Malware

    1/18

Malware Removal Starter Kit
How to Combat Malware Using Windows PE

Version 1.0

Published: July 2007

For the latest information, please see microsoft.com/technet/SolutionAccelerators


Copyright 2007 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.

If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.

This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY KIND IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.

Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.

Microsoft, Windows, BitLocker, Internet Explorer, Windows Live, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.


Overview

Many small- and medium-sized organizations use antivirus software, and yet new viruses, worms, and other forms of malicious software (malware) continue to infect large numbers of computers in these organizations. Malware proliferates at alarming speed and in many different ways, which makes it particularly widespread today.

This guide is intended for IT Generalists who want information and recommendations that they can use to effectively address and limit malware that infects computers in small- and medium-sized organizations. This guidance provides a set of tasks that licensed Windows users can perform at no cost to create the Malware Removal Starter Kit.

Recommendations for free malware-scanning tools are included. You can use these tools in combination with the kit to conduct scans, detect problems, and remove malware from your computer.

This guidance includes the following sections:
• Overview
• Planning Your Response
• How to Determine if You Have a Problem
• Dealing with an Infection
• Summary

Note: The guidance for this kit is intended for use with other anti-malware tools. This kit is not a replacement for other malware prevention methods.

Malware Threats

The first step toward containing the spread of malware is to understand the various technologies and techniques that malware authors can use to attack your computer. Malware threats directly target both users and computers. However, it is also important to know that the majority of threats come from malware that targets the user rather than the computer. If a user with administrator-level user rights can be tricked into launching an attack, the malicious code has more power to perform its tasks. Such an attack can frequently cause more damage than one that has to rely on a security hole or vulnerability in an application or the operating system.

The "Planning Your Response" section of this starter kit focuses on the ways in which your computer can be at risk to malware attacks, and how you can prepare to address a malware attack by using the Windows Preinstallation Environment (Windows PE) kit that this guidance recommends in combination with other free anti-malware programs.

Note: The recommendations and prescriptive information in this guidance are not intended for complex environments that require Infrastructure Specialists. For more comprehensive information about this subject, see the Antivirus [text cut off at page break]


How Does Malware Get In?

Malware uses many different methods to try and replicate among computers. The following table lists common malware threats to organizations and provides examples of tools that you can use to mitigate them.

Table 1: Malware Threats and Mitigations

| Threat | Description | Mitigation |
|---|---|---|
| E-mail | E-mail is the transport mechanism of choice for many malware attacks. | Spam filters; Real-time antivirus and antispyware scanners; User education |
| Phishing | Phishing attacks try to trick people into revealing personal details such as credit card numbers or other financial or personal information. Although these attacks are rarely used to deliver malware, they are a major security concern because of the information that may be disclosed. | Spam filters; Pop-up blockers; Antiphishing filters; User education |
| Removable media | This threat includes floppy disks, CD-ROM or DVD-ROM discs, [text cut off at page break] | |
| Peer-to-peer (P2P) networks | To start file sharing, the user first installs a client component of the P2P program through an approved network port, such as port 80. Numerous P2P programs are readily available on the Internet. | Real-time antivirus and antispyware scanners; Restrict unauthorized programs; User education |
| File shares | A computer that is configured to allow files to be shared through a network share provides another transport mechanism for malicious code. | Real-time antivirus and antispyware scanners; Personal firewall; User education |
| Rogue Web sites | Malicious Web site developers can use the features of a Web site to attempt to distribute malware or inappropriate material. | Browser security; Pop-up blockers; Antiphishing filters; User education |
| Remote exploit | Malware might attempt to exploit a particular vulnerability in a service or application to replicate itself. Internet worms often use this technique. | Security updates; Personal firewall |
| Network scanning | Malware writers use this mechanism to scan networks for vulnerable computers that have open ports or to randomly attack IP addresses. | Software updates; Personal firewall |
| Dictionary attack | Malware writers use this method of guessing a user's password by trying every word in the dictionary until they are successful. | Strong password policy; User education |

From a security perspective, it would seem best to block all these malware transport methods, but this would significantly limit the usefulness of the computers in your organization. It is more likely that you will need to allow some or all of these methods, but also to restrict them. There is no single anti-malware solution that will fit all organizations, so evaluate the computer requirements and risks for your organization, and then decide how best to defend against malware that attempts to exploit them.


Microsoft remains strongly committed to securing its software and services by working with partners to combat malware threats. Recent Microsoft efforts to reduce the impact of malware threats include:

• Developing defense tools such as Windows Defender, Microsoft Forefront, Windows Live OneCare safety scanner, the Malicious Software Removal Tool, and other resources available through the Windows Security Center. For more information about these and other security tools, see the TechNet Security Center or the Security at Home page on Microsoft.com.
• The Microsoft Malware Protection Center, which provides the latest information on top desktop and e-mail threats to computers running Windows.
• The Microsoft Security Response Alliance, which provides information about the Microsoft Virus Initiative (MVI), the Virus Information Alliance (VIA), and other member organizations.
• Supporting legislation to eliminate spam and working with law enforcement officials and Internet service providers (ISPs) to help prosecute spam operations. For information about an alliance dedicated to this effort, see America Online, Microsoft and Yahoo! Join Forces Against Spam.

Planning Your Response

Planning cannot be considered complete until you have planned for the worst. If all your defenses are compromised by an attack, you need to ensure that the staff you work with know what to do. Your ability to mount a rapid response can make a big difference when an attack is severe.

As you plan your response, it is important to understand that overreacting to a malware problem can cause almost as much disruption as dealing with a real outbreak! Plan your response to be rapid but measured to minimize its effect on coworkers.

Create an Incident Response Plan

Creating an incident response plan that describes what should happen in the event of a suspected malware outbreak is an important preparation step for your organization. The plan should help instruct all affected staff on the best course of action when a malware outbreak occurs. It should aim to minimize the impact of the attack and communicate a documented incident response process that staff can follow. For example, a well-designed plan would be capable of managing the sequence of events for a typical incident such as the following:

1. A staff member calls an in-house support resource after noticing something strange appear on her computer screen.
2. The support resource checks the computer and calls a support number.
3. A support technician responds to complete a short diagnostic test, and then either cleans or rebuilds the system depending on the severity of the problem.

Links referenced on this page:
http://www.microsoft.com/technet/security/default.mspx
http://go.microsoft.com/fwlink/?linkid=42641
http://www.microsoft.com/security/portal/
http://www.microsoft.com/security/msra/default.mspx
http://www.microsoft.com/presspass/press/2003/apr03/04-28JoinForcesAntispamPR.mspx

The entire response process could take hours to complete, so having a plan in place that helps minimize the risk of the malware spreading further until the process is complete is important. For example, if the support resource is trained to run antivirus software on the computer and then remove the network cable from the suspect computer until a support technician arrives, this initial response eliminates the chance of the computer infecting other computers.

When planning your incident response plan, there are typically two scenarios that you need to consider:

• Individual infection. This scenario, which is by far the most common, occurs when malware infects a single computer.
• Mass outbreak. This scenario is thankfully much less common. A mass outbreak has the potential to cause serious disruption in the organization. Typically this scenario will only become apparent after the staff reports a number of individual infections that have similar symptoms.

Your incident response plan can cover both of these scenarios because the response process for an outbreak is an extension of the response to an individual infection. Typically the outbreak response will require you to temporarily isolate the organization's network to stop the attack from spreading further, and to give the support staff time to clean the infected systems. In some cases, it may be necessary to notify the network administrator or the person performing that role to change the firewall or router settings before the computers in the organization can be reconnected to the network. For example, if the malware uses a specific network port to infect computers, blocking this port at the firewall can prevent re-infection while allowing other network communications to continue.

Important: If you still detect the presence of malware after using the kit to clean your computer, we recommend turning the computer off and not using it for five to 10 business days, or until your antivirus provider issues a virus signature update. You can then use the kit to download the latest signature files and rescan your computer to more effectively address the problem.

For more information about how to organize and develop an incident response plan, see the following resources:

• The Antivirus Defense-in-Depth Guide.
• The Responding to IT Security Incidents page on Microsoft TechNet.
• Chapter 3, "Understanding the Security Risk Management Discipline" of the Securing Windows 2000 Server Guide, for incident response information only.
• The Service Management Functions Incident Management section of the Microsoft Operations Framework (MOF).
• The Windows Security Resource Kit, Second Edition, from Microsoft Press.

Links referenced on this page:
http://go.microsoft.com/fwlink/?linkid=28732
http://www.microsoft.com/technet/security/guidance/disasterrecovery/responding_sec_incidents.mspx
http://go.microsoft.com/fwlink/?LinkId=14837
http://go.microsoft.com/fwlink/?LinkId=76321
http://go.microsoft.com/fwlink/?LinkId=42590
http://www.microsoft.com/MSPress/books/6815.aspx

Prepare a Kit for Offline Scanning

This section provides recommendations, support specifications, and a short set of tasks and instructions that you can use to prepare a Windows Preinstallation Environment (Windows PE) kit. You can then combine the kit with a set of tools to conduct offline scans for malware on the computers in your organization.

Windows PE provides powerful preparation and installation tools for Windows operating systems. With Windows PE, you can start Windows from a removable disk, which provides resources to troubleshoot Windows on the client computer. For more information about Windows PE, download the Windows Preinstallation Environment Technical Overview.

Unsupported Tools and Technologies

Windows PE does not support the following tools and technologies:
• Internet Explorer 7.
• Applications that use Microsoft Windows Installer (.msi files).

Prerequisites

The following are operating system and feature requirements for preparing a Windows PE kit:
• Windows Vista or Windows XP with Service Pack 2 (SP2).
• DVD burner and software to write to a CD-ROM.
• 992 MB of free space on the computer's hard disk drive to download the Windows PE .img file.

Note: An additional [digit unreadable]00 MB of space is required for the boot image on drive C of the computer when using the default script for the kit.

• Microsoft .NET Framework version 2.0 and MSXML to run Windows Installer.

You can use the following resources to meet these requirements:
• Microsoft .NET Framework Version 2.0 Redistributable Package (x86).
• Microsoft Core XML Services (MSXML) 6.0.

For more information about 32-bit and 64-bit system requirements, see the Windows Preinstallation Environment Overview.

Links referenced on this page:
http://www.microsoft.com/whdc/system/winpreinst/windowspe_tech.mspx
http://go.microsoft.com/fwlink/?LinkId=79533
http://go.microsoft.com/fwlink/?LinkId=76343
http://www.microsoft.com/whdc/system/winpreinst/WindowsPE_over.mspx

Task Overview

Complete the following tasks to prepare your Malware Removal Starter Kit to conduct offline scans:
• Task 1: Install the Windows Automated Installation Kit (AIK)
• Task 2: Download the malware-scanning tools and utilities
• Task 3: Create the Malware Removal Starter Kit CD-ROM
• Task 4: Use the Malware Removal Starter Kit to scan your computer

Task 1: Install the Windows Automated Installation Kit (AIK)

The first task in this process is to obtain the Windows Automated Installation Kit (AIK). This kit includes Windows PE and other files for you to install on your computer. The kit installs by default as an image (.img) file on any system drive that you choose.

Note: The AIK supports both Windows Vista and Windows XP SP2.

To install the AIK on your computer:

1. Download the AIK from the Windows Automated Installation Kit (AIK) page on the Microsoft Download Center.

Note: The size of the .img file for the AIK is 992 megabytes (MB). For this reason, you may require extended time to download the file, depending on your connection speed to the Microsoft [text cut off at page break]


[start of this note is cut off at the page break] …of the offline scanning tools that you choose to use. Some tools may not be compatible with all Windows operating systems.

At the time this guidance was written, the following tools ran with Windows PE on a computer running Windows XP SP2 or Windows Vista with at least 512 MB of RAM:

• avast! Virus Cleaner from Alwil Software. This tool is available for offline use. The signature files for the tool will be as current as the download date listed.
• McAfee AVERT Stinger, a stand-alone virus scanner from McAfee. This tool is available for offline use. The signature files for the tool will be as current as the download date listed.
• Malicious Software Removal Tool from Microsoft. This tool is available for offline use. The signature files for the tool will be as current as the download date listed.
• Spybot - Search & Destroy from Spybot Search and Destroy.

Note: Before you can use this tool, you must first install it on the computer you want to scan, and then download the latest signature file detection updates from Spybot. After the tool is installed, it will start by default from X:\Program Files\Spybot - Search & [text cut off at page break]


To create the Malware Removal Starter Kit CD-ROM:

1. Log on to the computer as an administrator, click Start, click All Programs, click Microsoft Windows AIK, and then click Windows PE Tools Command Prompt.

Note: This step applies to Windows XP. If you are running Windows Vista on your computer, right-click Windows PE Tools Command Prompt, click Run as administrator, and then click Continue.

2. At the command prompt, type the following and then press ENTER to create a copy of the x86 image of Windows PE and set up a working folder directory on your computer:

    copype x86 c:\WinPE

3. At the command prompt in the new directory c:\WinPE, type the following and then press ENTER to mount the WinPE.wim image so that you can change it:

    imagex /mountrw winpe.wim 1 c:\WinPE\Mount

4. At the command prompt, type the following and then press ENTER to access the following registry subkey:

    reg load HKLM\_WinPE_SYSTEM c:\WinPE\Mount\windows\system32\config\system

5. At the command prompt, type the following and then press ENTER to create a 96 MB disk cache of RAM:

    reg add HKLM\_WinPE_SYSTEM\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d 96

6. At the command prompt, type the following and then press ENTER to exit this registry key:

    reg unload HKLM\_WinPE_SYSTEM

7. Create a directory for the malware-scanning tools under the Mount folder (for example, you could use the name "Tools" for this folder).

    mkdir c:\WinPE\mount\Tools

8. Copy the tool files that you downloaded in Task 2 to the tools directory that you just created. Example:

    copy <tools from the Task 2 directory> c:\WinPE\mount\Tools

9. At the command prompt, type the following, press ENTER, and then type Yes and press ENTER again to continue the process:

    peimg /prep c:\WinPE\Mount

10. At the command prompt, type the following and then press ENTER to save your changes:

    imagex /unmount c:\WinPE\Mount /commit


11. At the command prompt, copy the following, press ENTER, and then type Yes to overwrite the existing file:

    copy c:\WinPE\WinPE.wim c:\winpe\ISO\sources\boot.wim

12. At the command prompt, type the following and then press ENTER to create an .iso file of the Windows PE image:

    oscdimg -n -bc:\WinPE\etfsboot.com c:\WinPE\ISO c:\WinPE\WinPE_Tools.iso

13. Burn the .iso file located at c:\WinPE\WinPE_Tools.iso to a CD-ROM and test the Windows PE image to verify that it runs all of the malware-scanning tools correctly.

Note: You also can use Microsoft Virtual PC 2007 to test the image.

The CD-ROM for your Malware Removal Starter Kit is now ready. If you require more frequent virus signature updates for your environment, we recommend maintaining the scanning tools you choose to use on a USB device to obtain the latest updates.
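The thirteen steps of this task, as an added example that is not part of the original guide or of the kit's own default script: a Windows command script that runs them in order and stops at the first failing step, so a half-modified image is never burned. It assumes the Windows PE Tools Command Prompt environment (copype, imagex, peimg and oscdimg on the PATH), the c:\WinPE paths used above, a Task 2 tool folder passed as the first argument, and the placeholder script name build_kit.cmd.

```batch
@echo off
setlocal
rem Added example (not the kit's own default script): runs the Task 3 steps in
rem order and stops at the first failure. Run it from the Windows PE Tools
rem Command Prompt as an administrator so that copype, imagex, peimg and
rem oscdimg are on the PATH. The default paths are the ones used in Task 3.
rem
rem   build_kit.cmd <tools_dir> [work_dir] [cache_mb]
rem     tools_dir  folder holding the scanners downloaded in Task 2 (required)
rem     work_dir   working folder, default c:\WinPE (must not exist yet; no spaces)
rem     cache_mb   FBWF RAM-disk cache threshold in MB, default 96 as in step 5

if "%~1"=="" (
    echo Usage: %~nx0 ^<tools_dir^> [work_dir] [cache_mb]
    exit /b 1
)
set "TOOLS_SRC=%~1"
set "WORK=%~2"
if "%WORK%"=="" set "WORK=c:\WinPE"
set "CACHE_MB=%~3"
if "%CACHE_MB%"=="" set "CACHE_MB=96"
set "HIVE=HKLM\_WinPE_SYSTEM"

if not exist "%TOOLS_SRC%\*" (
    echo Tools directory "%TOOLS_SRC%" not found.
    exit /b 1
)
if exist "%WORK%" (
    echo Working folder "%WORK%" already exists; copype needs a fresh folder.
    exit /b 1
)

rem Step 2: copy the x86 Windows PE files and create the working folder.
call copype x86 "%WORK%"
if not exist "%WORK%\winpe.wim" goto :fail

rem Step 3: mount winpe.wim read/write so it can be changed.
imagex /mountrw "%WORK%\winpe.wim" 1 "%WORK%\Mount" || goto :fail

rem Steps 4-6: load the offline SYSTEM hive, set the FBWF cache threshold
rem (/f overwrites an existing value without prompting), then unload the hive.
rem The unload runs even if reg add failed; otherwise the hive stays locked
rem and the image cannot be unmounted cleanly.
reg load %HIVE% "%WORK%\Mount\windows\system32\config\system" || goto :fail_mounted
reg add %HIVE%\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d %CACHE_MB% /f
set "REG_RC=%ERRORLEVEL%"
reg unload %HIVE% || goto :fail_mounted
if not "%REG_RC%"=="0" goto :fail_mounted

rem Steps 7-8: place the scanners under Mount\Tools so they ship on the CD.
mkdir "%WORK%\Mount\Tools" || goto :fail_mounted
xcopy "%TOOLS_SRC%\*" "%WORK%\Mount\Tools\" /e /i /y || goto :fail_mounted

rem Step 9: prepare the image. peimg asks for confirmation; this assumes it
rem reads the answer from standard input (otherwise type Yes when prompted).
echo Yes| peimg /prep "%WORK%\Mount" || goto :fail_mounted

rem Step 10: unmount and commit the changes into winpe.wim.
imagex /unmount "%WORK%\Mount" /commit || goto :fail

rem Step 11: make the modified image the boot image of the ISO layout.
copy /y "%WORK%\winpe.wim" "%WORK%\ISO\sources\boot.wim" || goto :fail

rem Step 12: build the bootable ISO (etfsboot.com was placed in work_dir by copype).
oscdimg -n -b%WORK%\etfsboot.com "%WORK%\ISO" "%WORK%\WinPE_Tools.iso" || goto :fail

echo Done: %WORK%\WinPE_Tools.iso is ready to burn (step 13) or to test in Virtual PC.
exit /b 0

:fail_mounted
rem Discard the half-edited image so the next run starts from a clean mount.
imagex /unmount "%WORK%\Mount"
:fail
echo Build failed at the step reported above.
exit /b 1
```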

Task 4: Use the Malware Removal Starter Kit to Scan Your Computer

Now you are ready to use the Windows PE image and the tools you selected to scan your computer for malware.

To use the Windows PE CD-ROM and tools to scan your computer:

1. Place the new CD-ROM in the computer's CD drive or DVD drive and then ensure that you start the computer from this drive according to your computer's startup order.

Option: Insert the USB device in a slot on the computer to ensure that the device is loaded when you start the operating system.

Note: For more information about starting your computer from a Windows PE C… [text cut off at page break]


How to Determine if You Have a Problem

Malware will often target a computer's operating system. The Windows operating system has been a significant target for a number of years due to its popularity. However, more recently malicious software that specifically targets other operating systems has been on the rise. In addition, many malware programs also target Microsoft and third-party applications, and in some cases even antivirus software. For these reasons, it is important to keep both the operating system and the applications that you use up to date.

Although most malware attacks are aimed at personal computers, they are not the only targets. Mobile devices such as personal digital assistants (PDAs), portable game systems, and even cell phones have become targets.

Some malware requires the installation of a particular application on the target computer before it can work. A huge number of Internet scams and phishing attacks have made the user of the computer a target to install such applications. In many cases it is easier to trick a user into running a piece of malware than it is to develop an automatic mechanism. For this reason it is important to invest time in training staff and managers to recognize likely Internet scams and phishing attempts.

Check for Performance Issues

Your computer should already have real-time antivirus and antispyware programs running on it to alert you with a message if they detect an infection. However, if you notice unusual behavior or your system slows down, at any time you can run a full system scan.

The following are a few primary performance issues that could indicate that your computer might be infected:

• Your computer runs more slowly than normal.
• Your computer often stops responding to program or system commands.
• Your computer fails and requires you to restart it frequently.
• Your computer restarts on its own and then fails to run normally.
• You cannot correctly run applications on your computer.
• You cannot access disks or disk drives on your computer.
• You cannot print correctly.
• You receive unusual error messages or popup windows.
• You see distorted menus and dialog boxes.
• Your Internet browser's home page unexpectedly changes.
• You cannot access administrator shares on the computer.
• You notice an unexplained loss of disk space.

Although this is not a complete list, it describes the types of unusual behavior that might suggest that malware is present on your computer. If you encounter any of these performance issues, you can run a full scan to better determine if you have a malware problem.

Note: Not every computer that experiences these issues may have a malware problem. Misconfigured applications or software bugs can also cause such issues. To avoid false indications of a malware attack, ensure that your operating system and applications have the latest security updates and service packs, and that the computer has adequate RAM to run your applications.

Dealing with an Infection

In any organization, malicious software is an ever present threat. This section of the guide assumes that you have good reason to believe that an infection is present in your computer or other computers in your organization. You can use the 4-stage process that this section describes to help determine the nature of the problem, limit its spread, remove it using free malware-scanning tools from Microsoft and other third-party sources, verify that the malware is removed, and proceed with next steps as required.

Due to the changing nature of malware, no single antivirus or antispyware solution can guarantee to protect against all attacks. If, after following the stages in this section, you need more help with malware-related issues, contact Microsoft Product Support Services:

• For support within the United States and Canada, call toll-free (866) PCSAFETY (866) 727-2338.
• For support outside the United States and Canada, visit the "Security Help and Support for IT Professionals" Web page.

Stage 1: Initiate Your Response

As soon as you arrive at the computer that has the malware problem, if you cannot run antivirus software on the computer, disconnect the computer from the network, turn the computer off, and refer directly to "Stage 3, Run an Offline Scan Using the Kit."

Gather information. If possible, gather answers from the user who discovered the problem by asking the following questions:

• What happened when the problem started?
• How was the computer being used just prior to the problem?
• What (if anything) did the local antivirus program report?
• Does the computer contain any important data that is not backed up?
• What Web sites did the system recently visit?
• Are there processes running on the computer that are different from the standard processes?

After you have gathered as much information as you can about the infection, the next stage is to start the cleaning process.

Note: It can be very helpful to obtain a list of suspicious process or file names that you can then research on the Internet to determine if they are malware.

Links referenced on this page:
http://support.microsoft.com/gp/securityitpro

Stage 2: Scan the Computer for Malware

Use the following steps in the prescribed order to most effectively use anti-malware software installed on the computer, and run online and offline scans for malware:

1. Run antivirus and antispyware software on the computer.
2. Run an online scan tool.
3. Run an online scan tool using the networked option in safe mode.

Step 1: Run Antivirus and Antispyware Software on the Computer

The method for launching a full scan of a computer for virus infections depends on the antivirus application. Check the program's Help resources to learn how to conduct a full virus scan.

Scanning for spyware is similar to scanning for viruses. Your computer should have real-time spyware-scanning software running on it. Windows Defender is available free of charge for computers running Windows XP. If you are running Windows Vista, Windows Defender is included with the operating system. To launch Windows Defender, click Start, click All Programs, click Windows Defender to open the program, and then click Scan. Allow the program to perform a full scan.

For more information about how Windows Defender works, see the Windows Defender Technical Overview on TechNet.

Step 2: Run an Online Scan Tool

Run an online scan, using a tool such as the Windows Live OneCare safety scanner, to ensure that the computer has been checked against the latest antivirus and antispyware signatures, as well as other potentially unwanted software.

Other online scan software providers include:
• Kaspersky Online Scanner
• McAfee FreeScan
• Symantec Security Check
• Trend Micro HouseCall

In addition, several online software tools provide specialty scanning, such as VIRUSTOTAL, which you can use to scan individual files for malware.

Links referenced on this page:
http://technet2.microsoft.com/WindowsVista/en/library/94d9603c-91ef-4a7a-8811-4904a1fb540c1033.mspx?mfr=true
http://onecare.live.com/site/en-us/default.htm
http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html
http://us.mcafee.com/root/mfs/default.asp?affid=294
http://security.norton.com/sscv6/default.asp?langid=ie&venid=sym
http://housecall.trendmicro.com/
http://www.virustotal.com/en/indexf.html
  • 8/11/2019 About Malware

    16/18

    5/ Malware 'emoval tarter 9it

    Ste# 6: Run an &nline Scan Tool "sing the

  • 8/11/2019 About Malware

    17/18

    %verview 5

If, at this point, the computer still shows signs of malicious software-related issues, you have two options:

Get specialized help.
Rebuild the computer.

If the malicious software has managed to avoid the malware-scanning capabilities of the Windows PE kit that this guide prescribes, it is very likely that you will need to seek specialized help to remove the malware. Because specialized help is likely to require time and money, a quicker and cheaper option is usually to delete the files on the hard drive of the computer, and then reinstall the operating system and software programs.

If you choose to rebuild the computer, ensure that you only use trusted media for that process. Rebuild the computer, and ensure that all updates and antivirus software are applied to the computer before bringing it back on to the network, in case a virus is still propagating.
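A scripted form of two checks from this guide (the Windows Defender full scan from the spyware step, and verifying that updates and antivirus protection are in place before a rebuilt computer returns to the network), as an added PowerShell example that is not part of the Starter Kit. It assumes a Windows 8 / Server 2012 or later computer with the built-in Defender module (Get-MpComputerStatus, Update-MpSignature, Start-MpScan), which the Windows XP and Vista versions of Windows Defender discussed here do not provide; the age thresholds are constructed values.

```powershell
# Added example (not from the Malware Removal Starter Kit): a readiness check for a
# rebuilt or cleaned Windows computer before it goes back on the network.
# Assumes Windows 8 / Server 2012 or later with the built-in Defender module; the
# age thresholds are constructed values, tighten them to your own policy.

function Test-DefenderReadiness {
    param(
        [int]$MaxSignatureAgeHours = 24,   # signatures older than this count as stale
        [int]$MaxFullScanAgeDays   = 1     # a full scan must have completed recently
    )

    $status = Get-MpComputerStatus
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

    # FullScanAge is reported in days; it is a very large number if no full scan ever ran.
    $checks = [ordered]@{
        'Defender engine service running' = [bool]$status.AMServiceEnabled
        'Real-time protection enabled'    = [bool]$status.RealTimeProtectionEnabled
        "Signatures updated within $MaxSignatureAgeHours h" = ($sigAge.TotalHours -le $MaxSignatureAgeHours)
        "Full scan completed within $MaxFullScanAgeDays day(s)" = ([int64]$status.FullScanAge -le $MaxFullScanAgeDays)
    }

    foreach ($check in $checks.GetEnumerator()) {
        $verdict = if ($check.Value) { 'PASS' } else { 'FAIL' }
        Write-Host ('{0,-45} {1}' -f $check.Key, $verdict)
    }

    # Most recently installed hotfix, for the "all updates applied" part of the check.
    $lastFix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    Write-Host ('{0,-45} {1} ({2})' -f 'Most recent hotfix', $lastFix.HotFixID, $lastFix.InstalledOn)

    # $true only when every Defender check passed; the caller decides on reconnecting.
    return -not ($checks.Values -contains $false)
}

# Remediate the Defender findings, then re-run the check; only reconnect on $true.
if (-not (Test-DefenderReadiness)) {
    Update-MpSignature                 # pull the latest definitions first
    Start-MpScan -ScanType FullScan    # same full scan the Defender "Scan" button starts
    Test-DefenderReadiness
}
```

Run it from an elevated PowerShell session on the rebuilt computer while it is still isolated; a FAIL on any line means it is not yet ready to rejoin the network.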

Summary

The aim of the Malware Removal Starter Kit is to provide reactive guidance and prescriptive steps to help you recover a computer that has been exposed to malicious software. It is important to understand that no process can guarantee a full recovery from the damage that malicious software can do. For this reason, there is no substitute for solid defenses and reliable backup and recovery processes. In this way, if the worst does happen and you have to rebuild the computer, the impact will be minimized.

If you do use the recovery steps in this guide, we recommend spending some time after the computer is fixed to investigate how the malicious software was introduced to it. This effort should attempt to learn how the problem was introduced rather than trying to find something or someone to blame. If the weakness was with a technical defense measure, such as a firewall or antivirus program, you can review it and update the measure as required. If the problem was introduced because of the actions of staff, additional training may be required to ensure the problem is not repeated. Remember the golden rule: "Prevention is better than cure."

Finally, while this guide is specifically written to help IT Generalists repair computers attacked by malware in small- to medium-sized organizations, much of this information is valuable for protecting the home computers that belong to you and your staff. For more information about protecting home computers, visit the Microsoft Security at Home Web site.

Feedback

Please direct questions and comments about this guidance to Security Solutions Questions & Feedback.


Acknowledgments

The Solution Accelerators – Security and Compliance group (SA-SC) would like to acknowledge and thank the team that produced the Malware Removal Starter Kit. The following people were either directly responsible or made a substantial contribution to the writing, development, and testing of this solution.

Authors, Contributors, and Writers

John Cobb - Wadeware LLC

Mike Danseglio

Charles Denny

Richard Harrison - Content Master Ltd

Frank Simorjay

Editor

Jennifer Kerns - Wadeware LLC

Product Managers

Alain Meeus

Jim Stuart

Program Manager

Bomani Siwatu

Release Manager

Karina Larson

Testers

Gaurav Singh Bora

Saurabh Garg - Infosys Technologies Ltd

Sumit Parikh - Infosys Technologies Ltd

Reviewers

Cindy Agnew - Fife School District, Dr. Barbara Endicott-Popovsky, Joseph Kessler, Thom Nesbitt, Sterling Reasor

Reviewers (Microsoft)

Rebecca Black, Anthony Blumfield, Derick Campbell, Chase Carpenter, Shiroy Choksey, Bret Clark, Steve Clark, Jeremy Croy, Fidelis Ekezue, Joe Faulhaber, Karl Grunwald, Kumi Hilwa, Bashar Kachachi, Jimmy Kuo, Greg Lenti, Mark Miller, Adam Overton, Max Uritsky, Jeff Williams, Lee Yan