Thursday, June 12, 2008

Malware removal

Posted on the NYSBS Yahoo Group earlier today, but of general interest to the community.

Malware’s a bitch, ain’t it? Short of backing up the data and rebuilding the server, try this process.

1. Get a list of all the services that are running, and note them. There are lots of tools out there that will list those for you. I don’t have any suggestions for that on a server, but have lots for workstations. (I'll edit this post later with links to services listing utilities.)

2. Run msconfig and see if there are any suspicious startups and services starting there. If there are, uncheck the startups, go to Services and stop those, and then kill them in the Task Manager. Check the Start > Programs > Startup menu for suspicious items. Don’t just delete them – from Properties, find out where they live and trace back to their source directories. Then, if it’s malware, delete the directory, and then delete the Startup shortcut.

3. Download HijackThis
http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html
and CleanUp 4.52
http://www.download.com/CleanUp/3000-2144_4-10727454.html?tag=lst-1&cdlPid=10727453

4. Restart the server in Safe Mode

5. Go to C:\Documents and Settings and delete the contents of the Temp and Temporary Internet Files folders in the Local Settings folder for Administrator and the other user profile folders (you’ll need to go to Folder Options and check “View Hidden files and folders” and uncheck “Hide protected operating system files” on the server). Also, delete everything in the C:\WINDOWS\Temp folder and c:\temp if it exists. Those folders are where a lot of the web hijackers live. After I do that, I run CleanUp to finish the job.

6. Then, run HijackThis
There are many HijackThis forums on the Internet that will help you decipher those results. I’ve used the tool so often that I pretty intuitively know which entries need to be removed, and if you’re pretty sharp, you’ll either search for the suspect entries and figure it out, or use the forums to get help from the experts. Before you uncheck any of those items, look at the path that is indicated and see if it leads you to some other folder that needs to be deleted.
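Steps 1, 2 and 5 above are all inventory work: know what is running and what starts automatically before you change anything, and trace every startup entry back to the directory it launches from. The script below, an added example that is not part of the original post, does that inventory from a PowerShell prompt and writes it to CSV files so you can diff a "before" snapshot against an "after" one. It assumes Windows PowerShell 2.0 or later; the output folder C:\IR-<timestamp>, the C:\Documents and Settings profile root from the post (Vista and later use C:\Users), and the C:\temp path are assumptions. It only lists the temp-folder contents rather than deleting them, so the files can be kept as evidence first.

```powershell
# Added example, not code from the original post. Assumes Windows PowerShell 2.0+.
# Output folder name is an assumption; change $OutDir to taste.
$OutDir = "C:\IR-$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: record every running service with its binary path, so a later
# snapshot can be compared against this one.
function Get-ServiceBaseline {
    Get-WmiObject Win32_Service |
        Where-Object { $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, StartMode, PathName, ProcessId |
        Sort-Object Name
}
Get-ServiceBaseline | Export-Csv -Path "$OutDir\services-running.csv" -NoTypeInformation

# Step 2: enumerate the Run/RunOnce autostart keys that msconfig shows,
# for the machine and for the current user.
function Get-RunKeyEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}
Get-RunKeyEntries | Export-Csv -Path "$OutDir\run-keys.csv" -NoTypeInformation

# Step 2 (continued): resolve each Startup-folder shortcut to the directory it
# actually launches from, which is what the post says to trace back to.
function Get-StartupShortcutTargets {
    $shell = New-Object -ComObject WScript.Shell
    $folders = @(
        $shell.SpecialFolders.Item('Startup'),          # current user's Startup menu
        $shell.SpecialFolders.Item('AllUsersStartup')   # All Users Startup menu
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Filter *.lnk -Force | ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            New-Object PSObject -Property @{
                Shortcut  = $_.FullName
                Target    = $lnk.TargetPath
                Arguments = $lnk.Arguments
                SourceDir = Split-Path -Parent $lnk.TargetPath
            }
        }
    }
}
Get-StartupShortcutTargets | Export-Csv -Path "$OutDir\startup-shortcuts.csv" -NoTypeInformation

# Step 5: list (do not delete) what is sitting in the temp folders the post
# clears. -Force includes hidden and system files, the same view the post
# asks you to turn on in Folder Options.
function Get-TempFolderInventory {
    $profileRoot = 'C:\Documents and Settings'   # path from the post; an assumption on newer Windows
    $temps = @("$env:windir\Temp", 'C:\temp')    # C:\temp is optional per the post
    if (Test-Path $profileRoot) {
        Get-ChildItem -Path $profileRoot -Force | Where-Object { $_.PSIsContainer } | ForEach-Object {
            $temps += "$($_.FullName)\Local Settings\Temp"
            $temps += "$($_.FullName)\Local Settings\Temporary Internet Files"
        }
    }
    foreach ($t in $temps) {
        if (-not (Test-Path $t)) { continue }
        Get-ChildItem -Path $t -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Select-Object FullName, Length, LastWriteTime
    }
}
Get-TempFolderInventory | Export-Csv -Path "$OutDir\temp-files.csv" -NoTypeInformation

# After cleanup and reboot, take a second service snapshot and compare:
# entries marked "<=" existed only before, "=>" only after.
function Compare-ServiceBaseline($BeforeCsv, $AfterCsv) {
    Compare-Object (Import-Csv $BeforeCsv) (Import-Csv $AfterCsv) -Property Name, PathName
}

Write-Host "Inventory written to $OutDir"
```

Run it from an elevated prompt before step 2 and again after step 6, then call Compare-ServiceBaseline on the two services-running.csv files. The SourceDir column in startup-shortcuts.csv and the Command column in run-keys.csv are the paths the post tells you to follow back to their directories before deciding what to remove.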

Elapsed time, probably an hour or so, excluding potentially extensive research from the HijackThis results.
