Malware Removal Starter Kit

How to Combat Malware Using Windows PE


Version 1.0
Published: July 2007
For the latest information, please see
microsoft.com/technet/SolutionAccelerators
Copyright 2007 Microsoft Corporation. All rights reserved. Complying with the applicable copyright laws is your responsibility. By using or providing feedback on this documentation, you agree to the license agreement below.
If you are using this documentation solely for non-commercial purposes internally within YOUR company or organization, then this documentation is licensed to you under the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc/2.5/ or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA.
This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user's particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM.
Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual property.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious.
Microsoft, Windows, BitLocker, Internet Explorer, Windows Live, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
You have no obligation to give Microsoft any suggestions, comments or other feedback ("Feedback") relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.
Overview
Many small- and medium-sized organizations use antivirus software, and yet new viruses, worms, and other forms of malicious software (malware) continue to infect large numbers of computers in these organizations. Malware proliferates at alarming speed and in many different ways, which makes it particularly widespread today.
This guide is intended for IT Generalists who want information and recommendations that they can use to effectively address and limit malware that infects computers in small- and medium-sized organizations. This guidance provides a set of tasks that licensed Windows® users can perform at no cost to create the Malware Removal Starter Kit. Recommendations for free malware-scanning tools are included. You can use these tools in combination with the kit to conduct scans, detect problems, and remove malware from your computer.
This guidance includes the following sections:
Overview
Planning Your Response
How to Determine if You Have a Problem
Dealing with an Infection
Summary
Note The guidance for this kit is intended for use with other anti-malware tools. This kit is not a replacement for other malware prevention methods.
Malware Threats
The first step toward containing the spread of malware is to understand the various technologies and techniques that malware authors can use to attack your computer. Malware threats directly target both users and computers. However, it is also important to know that the majority of threats come from malware that targets the user rather than the computer. If a user with administrator-level user rights can be tricked into launching an attack, the malicious code has more power to perform its tasks. Such an attack can frequently cause more damage than one that has to rely on a security hole or vulnerability in an application or the operating system.
The "Planning Your Response" section of this starter kit focuses on the ways in which your computer can be at risk to malware attacks, and how you can prepare to address a malware attack by using the Windows Preinstallation Environment (Windows PE) kit that this guidance recommends in combination with other free anti-malware programs.
Note The recommendations and prescriptive information in this guidance are not intended for complex environments that require Infrastructure Specialists. For more comprehensive information about this subject, see the Antivirus Defense-in-Depth Guide.
How Does Malware Get In?
Malware uses many different methods to try and replicate among computers. The following table lists common malware threats to organizations and provides examples of tools that you can use to mitigate them.
Table 1: Malware Threats and Mitigations
Threat: E-mail
Description: E-mail is the transport mechanism of choice for many malware attacks.
Mitigation: Spam filters; real-time antivirus and antispyware scanners; user education.

Threat: Phishing
Description: Phishing attacks try to trick people into revealing personal details such as credit card numbers or other financial or personal information. Although these attacks are rarely used to deliver malware, they are a major security concern because of the information that may be disclosed.
Mitigation: Spam filters; pop-up blockers; antiphishing filters; user education.

Threat: Removable media
Description: This threat includes floppy disks, CD-ROM or DVD-ROM discs, Zip drives, USB drives, and memory (media) cards, such as those used in digital cameras and mobile devices.
Mitigation: Real-time antivirus and antispyware scanners; user education.

Threat: Internet downloads
Description: Malware can be downloaded directly from Internet Web sites such as social networking sites.
Mitigation: Browser security; real-time antivirus and antispyware scanners; user education.

Threat: Instant messaging
Description: Most instant messaging programs let users share files with members of their contact list, which provides a means for malware to spread. In addition, a number of malware attacks have targeted these programs directly.
Mitigation: Real-time antivirus and antispyware scanners; personal firewall; restrict unauthorized programs; user education.

Threat: Peer-to-peer (P2P) networks
Description: To start file sharing, the user first installs a client component of the P2P program through an approved network port, such as port 80. Numerous P2P programs are readily available on the Internet.
Mitigation: Real-time antivirus and antispyware scanners; restrict unauthorized programs; user education.

Threat: File shares
Description: A computer that is configured to allow files to be shared through a network share provides another transport mechanism for malicious code.
Mitigation: Real-time antivirus and antispyware scanners; personal firewall; user education.

Threat: Rogue Web sites
Description: Malicious Web site developers can use the features of a Web site to attempt to distribute malware or inappropriate material.
Mitigation: Browser security; pop-up blockers; antiphishing filters; user education.

Threat: Remote exploit
Description: Malware might attempt to exploit a particular vulnerability in a service or application to replicate itself. Internet worms often use this technique.
Mitigation: Security updates; personal firewall.

Threat: Network scanning
Description: Malware writers use this mechanism to scan networks for vulnerable computers that have open ports or to randomly attack IP addresses.
Mitigation: Software updates; personal firewall.

Threat: Dictionary attack
Description: Malware writers use this method of guessing a user's password by trying every word in the dictionary until they are successful.
Mitigation: Strong password policy; user education.
From a security perspective, it would seem best to block all these malware transport methods, but this would significantly limit the usefulness of the computers in your organization. It is more likely that you will need to allow some or all of these methods, but also to restrict them. There is no single anti-malware solution that will fit all organizations, so evaluate the computer requirements and risks for your organization, and then decide how best to defend against malware that attempts to exploit them.
Microsoft remains strongly committed to securing its software and services by working with partners to combat malware threats. Recent Microsoft efforts to reduce the impact of malware threats include:
Developing defense tools such as Windows Defender, Microsoft Forefront, Windows Live™ OneCare safety scanner, the Malicious Software Removal Tool, and other resources available through the Windows Security Center. For more information about these and other security tools, see the TechNet Security Center or the Security at Home page on Microsoft.com.
The Microsoft Malware Protection Center that provides the latest information on top desktop and e-mail threats to computers running Windows.
The Microsoft Security Response Alliance, which provides information about the Microsoft Virus Initiative (MVI), the Virus Information Alliance (VIA), and other member organizations.
Supporting legislation to eliminate spam and working with law enforcement officials and Internet service providers (ISPs) to help prosecute spam operations. For information about an alliance dedicated to this effort, see America Online, Microsoft and Yahoo! Join Forces Against Spam.
Planning Your Response
Planning cannot be considered complete until you have planned for the worst. If all your defenses are compromised by an attack, you need to ensure that the staff you work with know what to do. Your ability to mount a rapid response can make a big difference when an attack is severe.
As you plan your response, it is important to understand that overreacting to a malware problem can cause almost as much disruption as dealing with a real outbreak! Plan your response to be rapid but measured to minimize its effect on coworkers.
Create an Incident Response Plan
Creating an incident response plan that describes what should happen in the event of a suspected malware outbreak is an important preparation step for your organization. The plan should help instruct all affected staff on the best course of action when a malware outbreak occurs. It should aim to minimize the impact of the attack and communicate a documented incident response process that staff can follow. For example, a well-designed plan would be capable of managing the sequence of events for a typical incident such as the following:
1. A staff member calls an in-house support resource after noticing something strange appear on her computer screen.
2. The support resource checks the computer and calls a support number.
3. A support technician responds to complete a short diagnostic test, and then either cleans or rebuilds the system depending on the severity of the problem.
The entire response process could take hours to complete, so having a plan in place that helps minimize the risk of the malware spreading further until the process is complete is important. For example, if the support resource is trained to run antivirus software on the computer and then remove the network cable from the suspect computer until a support technician arrives, this initial response eliminates the chance of the computer infecting other computers.
When planning your incident response plan, there are typically two scenarios that you need to consider:
Individual infection. This scenario, which is by far the most common, occurs when malware infects a single computer.
Mass outbreak. This scenario is thankfully much less common. A mass outbreak has the potential to cause serious disruption in the organization. Typically this scenario will only become apparent after the staff reports a number of individual infections that have similar symptoms.
Your incident response plan can cover both of these scenarios because the response process for an outbreak is an extension of the response to an individual infection. Typically the outbreak response will require you to temporarily isolate the organization's network to stop the attack from spreading further, and to give the support staff time to clean the infected systems. In some cases, it may be necessary to notify the network administrator or the person performing that role to change the firewall or router settings before the computers in the organization can be reconnected to the network. For example, if the malware uses a specific network port to infect computers, blocking this port at the firewall can prevent re-infection while allowing other network communications to continue.
Important If you still detect the presence of malware after using the kit to clean your computer, we recommend turning the computer off and not using it for five to 10 business days, or until your antivirus provider issues a virus signature update. You can then use the kit to download the latest signature files and rescan your computer to more effectively address the problem.
For more information about how to organize and develop an incident response plan, see the following resources:
The Antivirus Defense-in-Depth Guide.
The Responding to IT Security Incidents page on Microsoft TechNet.
Chapter 3, "Understanding the Security Risk Management Discipline" of the Securing Windows 2000 Server Guide for incident response information only.
The Service Management Functions Incident Management section of the Microsoft Operations Framework (MOF).
The Windows Security Resource Kit, Second Edition from Microsoft Press.
Prepare a Kit for Offline Scanning
This section provides recommendations, support specifications, and a short set of tasks and instructions that you can use to prepare a Windows Preinstallation Environment (Windows PE) kit. You can then combine the kit with a set of tools to conduct offline scans for malware on the computers in your organization.
Windows PE provides powerful preparation and installation tools for Windows operating systems. With Windows PE, you can start Windows from a removable disk, which provides resources to troubleshoot Windows on the client computer. For more information about Windows PE, download the Windows Preinstallation Environment Technical Overview.
Unsupported Tools and Technologies
Windows PE does not support the following tools and technologies:
Internet Explorer® 7.
Applications that use Microsoft Windows Installer (.msi files).
Prerequisites
The following are operating system and feature requirements for preparing a Windows PE kit:
Windows Vista® or Windows XP® with Service Pack 2 (SP2).
DVD burner and software to write to a CD-ROM.
992 MB of free space on the computer's hard drive disk to download the Windows PE .img file.
Note An additional 800 MB of space is required for the boot image on drive C of the computer when using the default script for the kit.
Microsoft .NET Framework version 2.0 and MSXML to run Windows Installer.
You can use the following resources to meet these requirements:
Microsoft .NET Framework Version 2.0 Redistributable Package (x86).
Microsoft Core XML Services (MSXML) 6.0.
For more information about 32-bit and 64-bit system requirements, see the Windows Preinstallation Environment Overview.
Task Overview
Complete the following tasks to prepare your Malware Removal Starter Kit to conduct offline scans:
Task 1: Install the Windows Automated Installation Kit (AIK)
Task 2: Download the malware-scanning tools and utilities
Task 3: Create the Malware Removal Starter Kit CD-ROM
Task 4: Use the Malware Removal Starter Kit to scan your computer
Task 1: Install the Windows Automated Installation Kit (AIK)
The first task in this process is to obtain the Windows Automated Installation Kit (AIK). This kit includes Windows PE and other files for you to install on your computer. The kit installs by default as an image (*.img) file on any system drive that you choose.
Note The AIK supports both Windows Vista and Windows XP SP2.
To install the AIK on your computer:
1. Download the AIK from the Windows Automated Installation Kit (AIK) page on the Microsoft Download Center.
Note The size of the .img file for the AIK is 992 megabytes (MB). For this reason, you may require extended time to download the file, depending on your connection speed to the Microsoft Download Center.
2. Burn the .img file for the AIK to a DVD.
Note If your DVD-burning software does not recognize ".img" files, in the Save As dialog for the download, expand the Save as type drop-down list, change the file type to All Files and the file name extension from .img to .iso and then retry burning the information to a DVD.
3. On the AIK DVD that you created, double-click StartCD.exe to install the AIK on your computer.
Task 2: Download the Malware-Scanning Tools and Utilities
You will need to identify the tools that you want to use with Windows PE to perform malware scans on your computer. Windows PE does not support tools that use .msi packages to install on your computer. In addition, the amount of random access memory (RAM) on your computer can constrain what scanning tools you can use.
There are a number of anti-malware tools available for free that require no installation that you can run as program files in the Windows PE environment. You can also run these tools from a USB device.
Download the malware-scanning tools that you want to use to a temporary location on your computer.
Important Some anti-malware tools require network access to run. For this reason, only use anti-malware tools that are available to use offline when you use this guidance to create your Malware Removal Starter Kit CD-ROM. We recommend reading the installation instructions for all of the offline scanning tools that you choose to use. Some tools may not be compatible with all Windows operating systems.
At the time this guidance was written, the following tools ran with Windows PE on a computer running Windows XP SP2 or Windows Vista with at least 512 MB of RAM:
avast! Virus Cleaner from Alwil Software. This tool is available for offline use. The signature files for the tool will be as current as the download date listed.
McAfee AVERT Stinger, a stand-alone virus scanner from McAfee. This tool is available for offline use. The signature files for the tool will be as current as the download date listed.
Malicious Software Removal Tool from Microsoft. This tool is available for offline use. The signature files for the tool will be as current as the download date listed.
Spybot - Search & Destroy from Spybot Search and Destroy.
Note Before you can use this tool, you must first install it on the computer you want to scan, and then download the latest signature file detection updates from Spybot. After the tool is installed, it will start by default from X:\Program Files\Spybot - Search & Destroy\spybotsd unless you specified a different path during the installation. The signature files for the tool will be as current as the download date listed. For more information about using this tool, see the Tutorial page of the Spybot Web site.
The following utilities are designed to help you manage your computer while you are in the process of removing malware from it:
Drive Manager from the Freeware Utilities by Alex Nolan Web site. This tool identifies different drive types, such as hard drives, CD/DVD drives, USB drives, network drives, and lists their properties for analysis. This tool is available for offline use.
System Spec from the Freeware Utilities by Alex Nolan Web site provides information about the current hardware on the computer. This tool may be useful if you are required to provide detailed information about the hardware while the computer is being serviced. This tool is available for offline use.
Task 3: Create the Malware Removal Starter Kit CD-ROM
Creating the Malware Removal Starter Kit CD-ROM requires you to produce a Windows PE image for the kit, modify the base Windows PE image by adding the tools to it, change the size of the disk cache to provide some additional space for RAM, and then build an .iso image file to burn the changed image to a CD-ROM. Periodically, you will need to download the latest virus signature updates for the offline scanning tools on the CD-ROM to keep them as effective as possible to detect malware.
Important After you start creating the Windows PE image, it is important to complete all of the steps in this task without interruption. If you have already downloaded the tools you plan to use, this process should take about 30 minutes to complete, depending on your system's performance and if you follow the steps in this task exactly as prescribed. You will need about 800 MB of free space on your C drive to complete this procedure. Ensure that you update all drive letter references as needed.
To create the Malware Removal Starter Kit CD-ROM:
1. Log on to the computer as an administrator, click Start, click All Programs, click Microsoft Windows AIK, and then click Windows PE Tools Command Prompt.
Note This step applies to Windows XP. If you are running Windows Vista on your computer, right-click Windows PE Tools Command Prompt, click Run as administrator, and then click Continue.
2. At the command prompt, type the following and then press ENTER to create a copy of the x86 image of Windows PE and set up a working folder directory on your computer:
    copype x86 c:\WinPE
3. At the command prompt in the new directory c:\WinPE, type the following and then press ENTER to mount the WinPE.wim image so that you can change it:
    imagex /mountrw winpe.wim 1 c:\WinPE\Mount
4. At the command prompt, type the following and then press ENTER to access the following registry subkey:
    reg load HKLM\_WinPE_SYSTEM c:\WinPE\Mount\windows\system32\config\system
5. At the command prompt, type the following and then press ENTER to create a 96 MB disk cache of RAM:
    reg add HKLM\_WinPE_SYSTEM\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d 96 /f
6. At the command prompt, type the following and then press ENTER to exit this registry key:
    reg unload HKLM\_WinPE_SYSTEM
7. Create a directory for the malware-scanning tools under the Mount folder (for example, you could use the name "Tools" for this folder).
    mkdir c:\WinPE\mount\Tools
8. Copy the tool files that you downloaded in Task 2 to the tools directory that you just created. Example:
    copy <tools from the Task 2 directory> c:\WinPE\mount\Tools
9. At the command prompt, type the following, press ENTER, and then type Yes and press ENTER again to continue the process:
    peimg /prep c:\WinPE\Mount
10. At the command prompt, type the following and then press ENTER to save your changes:
    imagex /unmount c:\WinPE\Mount /commit
11. At the command prompt, copy the following, press ENTER, and then type Yes to overwrite the existing file:
    copy c:\WinPE\WinPE.wim c:\winpe\ISO\sources\boot.wim
12. At the command prompt, type the following and then press ENTER to create an .iso file of the Windows PE image:
    oscdimg -n -bc:\WinPE\etfsboot.com c:\WinPE\ISO c:\WinPE\WinPE_Tools.iso
13. Burn the .iso file located at c:\WinPE\WinPE_Tools.iso to a CD-ROM and test the Windows PE image to verify that it runs all of the malware-scanning tools correctly.
Note You also can use Microsoft Virtual PC 2007 to test the image.
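The following batch script is an added example, not part of the original guide or the kit's own script: it runs the Task 3 steps above in order, stops at the first command that fails, and unmounts the image (discarding the changes) on failure so that a half-built mount is not left behind for the next attempt. It assumes the x86 image and the c:\WinPE working folder used above, takes the Task 2 tools folder as its first argument, and uses xcopy in place of the guide's copy so that subfolders are included; run it from the Windows PE Tools Command Prompt (elevated on Windows Vista) so that copype, imagex, peimg and oscdimg are on the path.

```batch
@echo off
REM Added example script for Task 3 (not the guide's own script).
REM Assumptions: x86 image, working folder c:\WinPE, tools folder passed as %1.
setlocal
set WINPE=c:\WinPE
set TOOLS_SRC=%~1
if "%TOOLS_SRC%"=="" (
    echo Usage: %~nx0 ^<folder containing the tools downloaded in Task 2^>
    exit /b 1
)
if not exist "%TOOLS_SRC%\*" (
    echo Tools folder "%TOOLS_SRC%" not found.
    exit /b 1
)
REM copype refuses to overwrite an existing folder, so fail early and clearly.
if exist "%WINPE%" (
    echo %WINPE% already exists. Remove it or choose another folder before rerunning.
    exit /b 1
)

REM Step 2: copy the x86 Windows PE files into the working folder.
call copype x86 %WINPE% || goto :fail
cd /d %WINPE% || goto :fail

REM Step 3: mount the image read/write.
imagex /mountrw winpe.wim 1 %WINPE%\Mount || goto :fail

REM Steps 4-6: raise the FBWF cache threshold to 96 MB in the offline SYSTEM hive.
reg load HKLM\_WinPE_SYSTEM %WINPE%\Mount\windows\system32\config\system || goto :fail_mounted
reg add HKLM\_WinPE_SYSTEM\ControlSet001\Services\FBWF /v WinPECacheThreshold /t REG_DWORD /d 96 /f
set REG_RESULT=%ERRORLEVEL%
REM Always unload the hive, even if reg add failed, so the mount is not left with a loaded hive.
reg unload HKLM\_WinPE_SYSTEM || goto :fail_mounted
if not "%REG_RESULT%"=="0" goto :fail_mounted

REM Steps 7-8: add the offline scanning tools to the image (xcopy /e includes subfolders).
mkdir %WINPE%\Mount\Tools || goto :fail_mounted
xcopy /e /i "%TOOLS_SRC%" %WINPE%\Mount\Tools || goto :fail_mounted

REM Step 9: prepare the image. peimg asks for confirmation; answer Yes as in the manual procedure.
peimg /prep %WINPE%\Mount || goto :fail_mounted

REM Step 10: commit the changes and unmount.
imagex /unmount %WINPE%\Mount /commit || goto :fail

REM Steps 11-12: place the modified image in the ISO tree and build the bootable .iso.
copy /y %WINPE%\winpe.wim %WINPE%\ISO\sources\boot.wim || goto :fail
oscdimg -n -b%WINPE%\etfsboot.com %WINPE%\ISO %WINPE%\WinPE_Tools.iso || goto :fail

echo Done. Burn %WINPE%\WinPE_Tools.iso to CD-ROM (Step 13) and test it before use.
exit /b 0

:fail_mounted
REM Discard the changes and unmount so the image is not left locked for the next attempt.
imagex /unmount %WINPE%\Mount
:fail
echo Build failed; see the message above.
exit /b 1
```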
The CD-ROM for your Malware Removal Starter Kit is now ready. If you require more frequent virus signature updates for your environment, we recommend maintaining the scanning tools you choose to use on a USB device to obtain the latest updates.
Task 4: Use the Malware Removal Starter Kit to Scan Your Computer
Now you are ready to use the Windows PE image and the tools you selected to scan your computer for malware.
To use the Windows PE CD-ROM and tools to scan your computer:
1. Place the new CD-ROM in the computer's CD drive or DVD drive and then ensure that you start the computer from this drive according to your computer's startup order.
Option: Insert the USB device in a slot on the computer to ensure that the device is loaded when you start the operating system.
Note For more information about starting your computer from a Windows PE CD-ROM startup disk, see the Windows Preinstallation Environment Overview on Microsoft.com. This resource provides information about configuring your basic input/output system (BIOS) settings for the startup order of the computer, and other BIOS settings that may prevent you from starting the computer from the CD drive.
2. Run the malware-scanning tools that you selected. If you used the default configuration information in Task 3 to build the Windows PE image, you will find the tools located at X:\Tools. You can run the listed tools by typing the name of the program file for each one at the command prompt.
Option: If you inserted a USB device to provide updated signatures or tools, and you are unsure of the drive letter that the USB device is using, you can determine the drive letter using Drive Manager, which is located at X:\Tools.
Note To run Spybot, refer to Spybot's installation instructions, and ensure that the definition program file runs after you install this tool on the computer.
Caution Running malware-scanning tools on an infected computer may damage the computer's ability to start properly. If key boot files are infected by malware, the cleaning process may prevent the operating system from working. For this reason, it is important to regularly back up all important information files on your computer. In addition, after restoring these files to the computer from your backup resource, we recommend rescanning the computer to detect any malware that may be present in your backup files.
How to Determine if You Have a Problem
Malware will often target a computer's operating system. The Windows operating system has been a significant target for a number of years due to its popularity. However, more recently malicious software that specifically targets other operating systems has been on the rise. In addition, many malware programs also target Microsoft and third-party applications, and in some cases even antivirus software. For these reasons, it is important to keep both the operating system and the applications that you use up to date.
Although most malware attacks are aimed at personal computers, they are not the only targets. Mobile devices such as personal digital assistants (PDAs), portable game systems, and even cell phones have become targets.
Some malware requires the installation of a particular application on the target computer before it can work. A huge number of Internet scams and phishing attacks have made the user of the computer a target to install such applications. In many cases it is easier to trick a user into running a piece of malware than it is to develop an automatic mechanism. For this reason it is important to invest time in training staff and managers to recognize likely Internet scams and phishing attempts.
Check for Performance Issues
Your computer should already have real-time antivirus and antispyware programs running on it to alert you with a message if they detect an infection. However, if you notice unusual behavior or your system slows down, at any time you can run a full system scan. The following are a few primary performance issues that could indicate that your computer might be infected:
Your computer runs more slowly than normal.
Your computer often stops responding to program or system commands.
Your computer fails and requires you to restart it frequently.
Your computer restarts on its own and then fails to run normally.
You cannot correctly run applications on your computer.
You cannot access disks or disk drives on your computer.
You cannot print correctly.
You receive unusual error messages or popup windows.
You see distorted menus and dialog boxes.
Your Internet browser's home page unexpectedly changes.
You cannot access administrator shares on the computer.
You notice an unexplained loss of disk space.
Although this is not a complete list, it describes the types of unusual behavior that might suggest that malware is present on your computer. If you encounter any of these performance issues, you can run a full scan to better determine if you have a malware problem.
Note Not every computer that experiences these issues may have a malware problem. Misconfigured applications or software bugs can also cause such issues. To avoid false indications of a malware attack, ensure that your operating system and applications have the latest security updates and service packs, and that the computer has adequate RAM to run your applications.
Dealing with an Infection
In any organization, malicious software is an ever present threat. This section of the guide assumes that you have good reason to believe that an infection is present in your computer or other computers in your organization. You can use the 4-stage process that this section describes to help determine the nature of the problem, limit its spread, remove it using free malware-scanning tools from Microsoft and other third-party sources, verify that the malware is removed, and proceed with next steps as required.
Due to the changing nature of malware, no single antivirus or antispyware solution can guarantee to protect against all attacks. If, after following the stages in this section, you need more help with malware-related issues, contact Microsoft Product Support Services:
For support within the United States and Canada, call toll-free (866) PCSAFETY (866) 727-2338.
For support outside the United States and Canada, visit the "Security Help and Support for IT Professionals" Web page.
Stage 1: Initiate Your Response
As soon as you arrive at the computer that has the malware problem, if you cannot run antivirus software on the computer, disconnect the computer from the network, turn the computer off, and refer directly to "Stage 3, Run an Offline Scan Using the Kit."
Gather information. If possible, gather answers from the user who discovered the problem by asking the following questions:
What happened when the problem started?
How was the computer being used just prior to the problem?
What (if anything) did the local antivirus program report?
Does the computer contain any important data that is not backed up?
What Web sites did the system recently visit?
Are there processes running on the computer that are different from the standard processes?
After you have gathered as much information as you can about the infection, the next stage is to start the cleaning process.
Note It can be very helpful to obtain a list of suspicious process or file names that you can then research on the Internet to determine if they are malware.
Stage 2: Scan the Computer for Malware
Use the following steps in the prescribed order to most effectively use anti-malware
software installed on the computer, and run online and offline scans for malware:
1. Run antivirus and antispyware software on the computer.
2. Run an online scan tool.
3. Run an online scan tool using the networked option in safe
mode.
Step 1: Run Antivirus and Antispyware Software on the
Computer
The method for launching a full scan of a computer for virus infections depends on the
antivirus application. Check the program's Help resources to learn how to conduct a full
virus scan.
Scanning for spyware is similar to scanning for viruses. Your computer should have real-
time spyware-scanning software running on it. Windows Defender is available free of
charge for computers running Windows XP. If you are running Windows Vista, Windows
Defender is included with the operating system. To launch Windows Defender, click Start,
click All Programs, click Windows Defender to open the program, and then click Scan.
Allow the program to perform a full scan.
For more information about how Windows Defender works, see the Windows Defender
Technical Overview on TechNet.
Step 2: Run an Online Scan Tool
Run an online scan, using a tool such as the Windows Live OneCare safety scanner, to
ensure that the computer has been checked against the latest antivirus and antispyware
signatures, as well as other potentially unwanted software.
Other online scan software providers include:
• Kaspersky Online Scanner
• McAfee FreeScan
• Symantec Security Check
• Trend Micro HouseCall
In addition, several online software tools provide specialty scanning, such as
VIRUSTOTAL, which you can use to scan individual files for malware.
Step 3: Run an Online Scan Tool Using the Networked
Option in Safe Mode
After completing an online scan, if you still suspect that malware is present on the
computer, restart your computer in safe mode, and run the online scan again. After
completing another online scan in safe mode, you can use offline scanning tools such as
those that the guidance recommends using with this kit.
For more information about how to start your computer in safe mode, see:
• "A description of the Safe Mode Boot options in Windows XP": Microsoft
Knowledge Base article 315222.
• Advanced startup options (including safe mode) for Windows Vista.
Stage 3: Run an Offline Scan Using the Kit
To use the Malware Removal Starter Kit, you start the computer from the CD-ROM, and
then use offline scanning tools to repair the primary hard disk drive while it is "offline." In
this way, you do not use the hard disk drive on the computer to start the computer or scan
it. Running an online scan requires you to start the computer using the normal boot
sequence, which loads files from the computer's hard disk drive that the operating system
locks during this sequence. To access and remove malware that has altered or corrupted
these normally locked system files requires using an offline process like the one this
guidance prescribes.
Important You cannot scan a disk for malware if it has been encrypted with a tool such as
BitLocker™, if the disk is managed as part of a RAID volume, or if the disk is damaged. In these
cases or if you are unsure of the state of the disk, consult a specialist to determine its state.
Due to the ever-changing nature of malware, no process can be considered 100 percent
effective for cleaning malware from a computer. The process described in the section,
"Prepare a Kit for Offline Scanning," has been tested at Microsoft and should be
considered a best effort solution. The tasks in the "Planning Your Response" section of
this guidance provide instructions about how to create a Windows PE kit that uses free
tools you can obtain online so that you can scan for malware on computers running
Windows XP SP2 or Windows Vista in your organization.
Stage 4: Next Steps
If, after using the guidance in this kit, malware appears to still be compromising the
computer, you may choose to use System Restore to return the computer to a known
good state. System Restore takes a "snapshot" of critical system files and some program
files, and saves this information at a Restore Point on the computer's hard disk drive. You
can then use the Restore Point to return the operating system to a previous state. For
more information about System Restore, see the following resources:
• How to restore the operating system to a previous state in Windows XP.
• Windows Backup and Restore Center for Windows Vista.
If, at this point, the computer still shows signs of malicious software-related issues, you
have two options:
• Get specialized help.
• Rebuild the computer.
If the malicious software has managed to avoid the malware-scanning capabilities of the
Windows PE kit that this guide prescribes, it is very likely that you will need to seek
specialized help to remove the malware. Because specialized help is likely to require time
and money, a quicker and cheaper option is usually to delete the files on the hard drive of
the computer, and then reinstall the operating system and software programs.
If you choose to rebuild the computer, ensure that you only use trusted media for that
process. Rebuild the computer, and ensure that all updates and antivirus software are
applied to the computer before bringing it back onto the network in case a virus is still
propagating.
Summary
The aim of the Malware Removal Starter Kit is to provide reactive guidance and
prescriptive steps to help you recover a computer that has been exposed to malicious
software. It is important to understand that no process can guarantee a full recovery from
the damage that malicious software can do. For this reason, there is no substitute for
solid defenses and reliable backup and recovery processes. In this way, if the worst does
happen and you have to rebuild the computer, the impact will be minimized.
If you do use the recovery steps in this guide, we recommend spending some time after
the computer is fixed to investigate how the malicious software was introduced to it. This
effort should attempt to learn how the problem was introduced rather than trying to find
something or someone to blame. If the weakness was with a technical defense measure,
such as a firewall or antivirus program, you can review it and update the measure as
required. If the problem was introduced because of the actions of staff, additional training
may be required to ensure the problem is not repeated. Remember the golden rule:
"Prevention is better than cure."
Finally, while this guide is specifically written to help IT Generalists repair computers
attacked by malware in small- to medium-sized organizations, much of this information is
valuable for protecting the home computers that belong to you and your staff. For more
information about protecting home computers, visit the Microsoft Security at Home Web
site.
Feedback
Please direct questions and comments about this guidance to Security Solutions
Questions & Feedback.
/c$nowledg"ents
'he -olution 9ccelerators V -ecurity and :ompliance !roup $-9--:% #ould li&e to
ac&no#led!e and than& the team that produced the Mal#are ,emo"al -tarter .it. 'he
follo#in! people #ere either directly responsible or made a substantial contribution to the
#ritin!, de"elopment, and testin! of this solution.
Authors= (ontributors= and ,riters
John :obb - Wadeware LLC
Mi&e 2anse!lio
:harles 2enny
,ichard 1arrison V Content Master Ltd
Fran& -imor4ay
-ditor
Jennifer .erns - Wadeware LLC
$roduct Managers
9lain Meeus
Jim -tuart
$rogram Manager
=omani -i#atu
Release Manager
.arina Aarson
Testers
)aura" -in!h =ora
-aurabh )ar! - Infosys Technologies Ltd
-umit Pari&h - Infosys Technologies Ltd
Reviewers
:indy 9!ne# - Fife School District, 2r. =arbara 6ndicott-Popo"s&y, Joseph .essler,
'hom ?esbitt, -terlin! ,easor
Reviewers >Microsot?
,ebecca =lac&, 9nthony =lumfield, 2eric& :ampbell, :hase :arpenter, -hiroy :ho&sey,
=ret :lar&, -te"e :lar&, Jeremy :roy, Fidelis 6&eue, Joe Faulhaber, .arl )run#ald,
.umi 1il#a, =ashar .achachi, Jimmy .uo, )re! Aenti, Mar& Miller, 9dam 0"erton, Ma7
8rits&y, Jeff *illiams, Aee /an