Hi malware fighters,
There are several manuals for general malware removal.
This link gives a general rule of thumb:
http://www.elephantboycomputers.com/page2.html#Removing_Malware
There is another way to start, and then go back to the general removal
procedures. Of course you run the risk of losing data.
When this malware removal is over, create and implement a good backup strategy.
Disconnect your machine/all machines from the network and clean each one up.
You can retrieve the data first with a Linux distro running from a live CD (see
below). Then go through the malware removal steps systematically on each
machine. Do not connect any of the machines to the network until you are
100% sure they are all clean. If you can't do any of this - and there is
no shame in admitting this isn't your cup of tea, since we all have our
areas of expertise - ask for the help of a malware fighter.
Do not wait to disconnect the machines from the
network - do it now! Get all necessary tools, rescue systems, etc. from
a different and known-clean machine that was not ever connected to your
network.
A. Data retrieval
Boot the target computer with either a Bart’s PE or a Linux live cd such
as Knoppix and retrieve the data that way. Here is general information
on using Knoppix for this:
You will need a computer with two cd drives, one of which is a cd/dvd-rw
OR a usb thumb drive with enough capacity to hold your data OR an
external usb/firewire hard drive formatted FAT32 (not NTFS). To get
Knoppix, you need a computer with a fast Internet connection and
third-party burning software. Download the Knoppix .iso and create your
bootable cd. Then boot with it and it will be able to see the Windows
files. If you are using the usb thumb drive or the external hard drive,
right-click on its icon (on the Desktop) to get its properties and
uncheck the box that says “Read Only”. Then click on it to open it. Note
that the default mouse action in the window manager used by Knoppix
(KDE) is a single click to open instead of the traditional MS Windows’
double-click. Otherwise, use the K3b burning program to burn the files
to cd/dvd-r’s.
http://www.knoppix.net
http://www.nu2.nu/pebuilder/ - Bart’s PE Builder
B. Malware removal
Go through these general malware removal steps systematically -
http://www.elephantboycomputers.com/...moving_Malware
Now you start scanning with a Multi-Scanner etc.
You can also check to see if there are targeted removal steps for your
malware here:
Bleeping Computer removal how-to’s -
http://www.bleepingcomputer.com/forums/forum55.html
Here is a good tutorial on preliminary removal instructions:
http://www.techspot.com/vb/topic58138.html
When all else fails, run HijackThis and post your log in one of the
specialty forums, for instance like this one…
Not all tools used will work in Vista and you will need to run them
elevated. Since Vista is so new, it will be a while before removal
techniques and tools are developed. If you are unable to remove the
infection by following the general steps, register at one of the
HijackThis forums as suggested.
The only alternative to going through the malware removal tediously and
systematically (possibly with online help from an HJT or anti-malware forum),
or having the machines handled by a real professional, is to back
up your data and do a clean install of Windows. It's your call.
polonus
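The data-retrieval step from section A, worked through as an added example. This script is not from polonus' post or from the Knoppix project; it is what you would type at a root shell on the live CD. The device names /dev/sda1 (Windows) and /dev/sdb1 (FAT32 rescue drive), the mount points under /mnt, and the profile path in the comment are assumptions to be checked against `fdisk -l` on the real machine. It mounts the infected disk read-only, copies one directory tree to the rescue drive, skips anything FAT32 cannot hold (files of 4 GiB or more), and re-hashes every copied file so a bad USB cable or a dying disk does not leave you with a silently corrupt backup.

```shell
# Added example (not from the original post): pull user data off an infected
# Windows disk from a Linux live CD such as Knoppix onto a FAT32 rescue drive
# and verify the copy with SHA-256 before cleaning or reinstalling the machine.
# Device names (/dev/sda1, /dev/sdb1) and mount points are assumptions.

# Mount the Windows partition read-only (nothing on the infected disk gets
# altered, and a read-only mount cannot run anything from it) and the FAT32
# rescue drive read-write. Needs root on the live CD; not run by the checks.
mount_disks() {
    win_dev="${1:-/dev/sda1}"; usb_dev="${2:-/dev/sdb1}"
    mkdir -p /mnt/windows /mnt/rescue
    mount -o ro "$win_dev" /mnt/windows
    mount -o rw "$usb_dev" /mnt/rescue
}

# Flush writes and unmount before pulling the USB drive, or the last files
# copied may be missing or truncated.
unmount_disks() {
    sync
    umount /mnt/rescue
    umount /mnt/windows
}

# SHA-256 of one file. Knoppix ships GNU sha256sum; fall back to shasum.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Relative paths of regular files under $1 that fit on FAT32 (< 4 GiB each).
list_copyable() {
    (cd "$1" && find . -type f -size -4294967296c | sed 's|^\./||')
}

# Relative paths of files too large for FAT32; these need a second target
# (an NTFS or ext3 disk, or a DVD set written with K3b).
list_oversized() {
    (cd "$1" && find . -type f -size +4294967295c | sed 's|^\./||')
}

# Copy every copyable file from $1 to $2, recreating the directory layout.
# Plain cp rather than cp -a: FAT32 stores no Unix ownership or permissions.
copy_tree() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    list_copyable "$src" | while IFS= read -r rel; do
        mkdir -p "$dst/$(dirname "$rel")"
        cp "$src/$rel" "$dst/$rel"
    done
}

# Re-hash source and copy; print each mismatch; return 1 if any differ.
# The loop runs in an explicit subshell so the counter survives the pipe.
verify_tree() {
    list_copyable "$1" | (
        bad=0
        while IFS= read -r rel; do
            if [ "$(hash_file "$1/$rel")" != "$(hash_file "$2/$rel")" ]; then
                echo "MISMATCH: $rel"
                bad=1
            fi
        done
        exit "$bad"
    )
}

# Copy one tree, then verify it. Hypothetical usage on the live CD:
#   mount_disks /dev/sda1 /dev/sdb1
#   rescue_copy "/mnt/windows/Documents and Settings/alice" /mnt/rescue/alice
#   unmount_disks
rescue_copy() {
    list_oversized "$1" | sed 's/^/SKIPPED (4 GiB or more, FAT32 limit): /'
    copy_tree "$1" "$2"
    verify_tree "$1" "$2"
}
```

The read-only mount is the important part for an infected disk: Knoppix of that era could read NTFS reliably but not write it, and you want no chance of altering evidence or triggering anything on the drive anyway. Run `rescue_copy` once per user profile, look at any SKIPPED lines, and only unplug the drive after `unmount_disks` has returned.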