
clean-pdf

Cleaning Your Windows Computer


This document contains the following sections:
- Symptoms of Infection or Compromise
- Steps to Clean

For information related to this topic refer to:
- Secure Computing Overview (http://www.cmu.edu/computing/security/index.html)
- Symantec Endpoint Protection (http://www.cmu.edu/computing/doc/software/index.html)
- System Restore (http://www.cmu.edu/computing/doc/security/restore/index.html)
- Information Security Office (http://www.cmu.edu/iso/)

Last Updated: 12/9/09


Symptoms of Infection or Compromise


How can you tell if your computer is infected or compromised? The following is a list of symptoms you may have noticed:
- Popup ads increase in frequency
- Popup ads appear even when not browsing the web
- Web browser home page changes without authorization
- Computer seems less responsive
- Persistently slower than usual Internet access
- Programs fail to start because Windows is low on "resources"
- Regedit, Task Manager, or Control Panels fail to start with "permission denied" errors when you have administrative rights
- Windows Firewall cannot start
- Antivirus software cannot be updated or fails to enable
- System Restore tab disappears from the System control panel (XP only)
- Crashing or blue screening often

You should also refer to Computing Services' Security News (http://www.cmu.edu/computing/news/security/index.html) page for information about recent infections or compromises.

Last Updated: 8/4/09
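Several of the symptoms in the list above leave traces that can be checked without clicking through dialogs. The script below is an added example and is not part of the CMU guide; it is a read-only check intended for an elevated Windows PowerShell prompt on Vista or Windows 7 (XP with PowerShell 2.0 installed also works, with the firewall service named SharedAccess instead of MpsSvc). The registry locations and value names are the standard policy values Windows itself honours; what counts as a "finding" is our own choice.

```powershell
# Added example, not part of the CMU guide: read-only check for several of the
# symptoms listed above. Nothing here changes the system.

function Test-PolicyRestriction {
    param([string]$Path, [string]$Name)
    # True when the policy value exists and is non-zero, i.e. the restriction is active
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $false }
    return ([int]$item.$Name -ne 0)
}

$findings = @()
$policy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Symptom: Regedit or Task Manager refuse to start with "permission denied".
# Malware commonly sets these policy values to hinder removal.
if (Test-PolicyRestriction $policy 'DisableRegistryTools') {
    $findings += 'Registry Editor is disabled by policy (DisableRegistryTools = 1)'
}
if (Test-PolicyRestriction $policy 'DisableTaskMgr') {
    $findings += 'Task Manager is disabled by policy (DisableTaskMgr = 1)'
}

# Symptom: System Restore tab disappears (XP) / System Restore turned off
if (Test-PolicyRestriction 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore' 'DisableSR') {
    $findings += 'System Restore is disabled by policy (DisableSR = 1)'
}

# Symptom: Windows Firewall cannot start (MpsSvc on Vista/7, SharedAccess on XP)
$fwService = $null
foreach ($svc in 'MpsSvc', 'SharedAccess') {
    $fwService = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($fwService -ne $null) { break }
}
if ($fwService -eq $null -or $fwService.Status -ne 'Running') {
    $findings += 'Windows Firewall service is not running'
}

# Symptom: browser home page changed without authorization (Internet Explorer)
$ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -ErrorAction SilentlyContinue
if ($ie -ne $null) {
    $findings += ('Internet Explorer home page is currently: ' + $ie.'Start Page' + ' (confirm you set this)')
}

# Symptom: frequent crashes or blue screens. On Vista/7 the reboot after a blue
# screen writes event 1001 from source "BugCheck" to the System log.
$bugchecks = @(Get-EventLog -LogName System -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Source -eq 'BugCheck' -and $_.EventID -eq 1001 })
if ($bugchecks.Count -gt 0) {
    $findings += ('{0} blue-screen (BugCheck 1001) event(s) among the last 200 System log entries' -f $bugchecks.Count)
}

if ($findings.Count -eq 0) {
    Write-Output 'No policy, service or crash symptoms detected by this check.'
} else {
    Write-Output 'Findings (review each one; a restriction you did not set yourself is a warning sign):'
    $findings | ForEach-Object { Write-Output ('  - ' + $_) }
}
```

A clean result from this check does not mean the machine is clean; it only means none of these particular traces are present. Popups and slowness, the first symptoms in the list, have no reliable registry footprint and still need the manual observation the guide describes.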


Steps to Clean Your Windows Computer


Important Note: Due to the wide variety of malware and the constantly changing tactics employed, completing the steps below does not guarantee your computer will be clean. Additional steps may be required for your specific situation that are beyond the scope of this guide. In some cases the damage done by the compromise may be so extensive that it may be more practical to back up your data and reinstall Windows.

Before you Begin


Before you begin to use this document, take note of the following:
- Faculty, staff or students employed by the university who suspect that the security or privacy of their work-related computing resources has been compromised should follow the Procedure for Responding to a Compromised Computer (http://www.cmu.edu/iso/governance/procedures/compromised-computer.html). This is especially important if the computing resource stores data that the University defines as restricted (http://www.cmu.edu/iso/governance/guidelines/data-classification.html#appendixa).
- If your computer is managed by a departmental administrator or DSP consultant, you should refer to them for help with cleaning your computer.

Step 1: Change Passwords


If your computer has been compromised by a malware attack, any passwords you may have typed on this computer should be CHANGED. This is an important precaution since:
- malware may include a keystroke logger which records what you type
- malware may search your computer for saved passwords
- any passwords found may be sent to the people who compromised your computer

Change passwords for your online accounts (e.g. administrative work accounts, Andrew accounts, other email accounts, financial accounts for online banking & credit cards, Facebook, MySpace, Instant Messaging, Netflix, iTunes, etc.).

Step 2: Download, Install and Run Malwarebytes' Anti-Malware


Malwarebytes has developed a tool that can identify and remove malicious software from your computer. Follow these steps to download and install Malwarebytes' Anti-Malware:
1. Visit the cnet website (http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_410804572.html) and download Malwarebytes Anti-Malware.
2. Once the download is complete, double-click the Malwarebytes icon to run the installer.


3. Through the installation process, accept the default responses. When you click Finish, make sure that the options to Update and Launch the software are checked.
4. Once Malwarebytes launches and the Malwarebytes' Anti-Malware screen appears, select the Update tab and then click the Check for Updates button.
5. Once any updates are loaded, select the Scanner tab, select the Perform quick scan radio button and then click Scan. The scan may take a few minutes.
6. When the scan is complete, it will show you all of the potentially harmful files on your computer. Click the Remove Selected button to remove them automatically. Malwarebytes' Anti-Malware creates a log file of the results.

For more detailed information on Malwarebytes' Anti-Malware, visit the following web sites:
- Malwarebytes (http://helpdesk.malwarebytes.org/login). Note: Support requires online registration; a support forum (http://www.malwarebytes.org/forums/) is also available.
- Help2Go (http://www.help2go.com/Tutorials/Protect_Your_PC/Malwarebytes_Antimalware_Tutorial.html)
- Using Malwarebytes Tutorial (http://library.dickinson.edu/Technology/Training/Tutorials/General/malware.pdf)

Note: More advanced users may also want to download and run ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).

Step 3: Check Your Computer


Walk through some of the processes that had been causing problems and do one of the following:
- If the problems seem to have been corrected, proceed to Step 4: Uninstall/Remove AntiVirus.
- If the problems HAVE NOT been corrected, chances are that you need to back up whatever files you can, wipe your hard drive and reinstall your operating system. This can be a lengthy process that is NOT geared to the novice user. For a fee, this service is available through SARCOM (http://www.cmu.edu/stores/computer/ComputerRepair/index.html) via the Computer Sales desk in the University Store.

Step 4: Uninstall/Remove AntiVirus


Malware infections tend to damage antivirus software. Assuming that you were running an antivirus program, follow the appropriate steps below to uninstall it:
1. Select Start > Control Panel.
2. Do one of the following:
   o On Windows 7 and Vista, under Programs, select Uninstall a program.
   o On Windows XP in Category View, select Add or Remove Programs.

3. Scroll down through the list until you find the antivirus program (e.g., Symantec AntiVirus, McAfee, etc.), select it and then click Remove or Uninstall.
4. Next, verify that the removal worked by following the appropriate steps below:
   Windows 7:
   o start Control Panel
   o under System and Security, select Review your computer's status
   o if the name of an antivirus software program appears (e.g., Symantec AntiVirus, McAfee, etc.), the removal DID NOT work completely; there may be a fragment of the program left. Make note of the antivirus software name.
   Windows Vista:
   o start Control Panel
   o double-click the Security icon
   o double-click the Security Center icon
   o click Malware Protection
   o if the name of an antivirus software program appears (e.g., Symantec AntiVirus, McAfee, etc.), the removal DID NOT work completely; there may be a fragment of the program left. Make note of the antivirus software name.
   Windows XP:
   o select Start > Control Panel
   o double-click the Security Center icon
   o click the down arrow for Virus Protection
   o if the name of an antivirus software program appears (e.g., Symantec AntiVirus, McAfee, etc.), the removal DID NOT work completely; there may be a fragment of the program left. Make note of the antivirus software name.
5. If removal fails, refer to the following vendor sites for additional help with uninstalling it:
   - Symantec (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&docid=2005092709200113&nsf=sharedtech.nsf&view=docid)
   - McAfee (http://service.mcafee.com/FAQDocument.aspx?id=TS100507)
   - Kaspersky (http://support.kaspersky.com/faq/?qid=208279463)
   - AVG (http://free.avg.com/faq). Note: The uninstall for AVG is not as complex as other programs. Select your version in the FAQ and follow the instructions.
   - Trend Micro (General) (http://esupport.trendmicro.com/4/How-do-I-remove-Trend-Micro-InternetSecurity-Pro-and-Trend-Micro-Inte.aspx) or Trend Micro (Dell) (http://esupport.trendmicro.com/6/How-do-I-uninstall-Trend-Micro-PCcillin-Internet-Security-14-for-Dell.aspx)
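The Security Center check in step 4 reads the same registration that Windows exposes through WMI, so it can be done from a command line as well. The script below is an added example, not part of the CMU guide or any vendor's tooling. It assumes Windows PowerShell on XP, Vista or 7: Vista and 7 register antivirus products in the namespace root\SecurityCenter2, XP in root\SecurityCenter with a different set of properties. The decoding of the Vista/7 productState value (middle byte 10 or 11 means real-time protection on, last byte 00 means definitions up to date) is the widely used convention rather than a documented one, and should be treated as an assumption.

```powershell
# Added example, not part of the CMU guide: command-line equivalent of the
# "does an antivirus name still appear in Security Center?" check.

function Get-RegisteredAntivirus {
    $results = @()
    foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
        $products = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
        if ($products -eq $null) { continue }
        foreach ($p in $products) {
            if ($p.productState -ne $null) {
                # Vista/7: a packed state value such as 0x041000 (assumed decoding, see lead-in)
                $hex      = '{0:X6}' -f [int]$p.productState
                $enabled  = (@('10', '11') -contains $hex.Substring(2, 2))
                $upToDate = ($hex.Substring(4, 2) -eq '00')
            } else {
                # XP: separate boolean properties
                $enabled  = [bool]$p.onAccessScanningEnabled
                $upToDate = [bool]$p.productUptoDate
            }
            $results += New-Object PSObject -Property @{
                Namespace = $ns
                Name      = $p.displayName
                Enabled   = $enabled
                UpToDate  = $upToDate
                Path      = $p.pathToSignedProductExe   # not present on XP; shows blank there
            }
        }
    }
    return $results
}

$av = @(Get-RegisteredAntivirus)
if ($av.Count -eq 0) {
    Write-Output 'No antivirus product is registered with Security Center: the removal appears complete.'
} else {
    Write-Output 'Antivirus products still registered (the removal DID NOT complete for these):'
    $av | Format-Table Namespace, Name, Enabled, UpToDate, Path -AutoSize
}
```

Run this after the uninstall and before Step 5, when no antivirus product should be registered at all. A leftover entry whose Path points at a file that no longer exists is the "fragment" the guide refers to; note the name and use the vendor removal tool listed above. On Windows 8 and later, Windows Defender is expected to appear in this list and is not a leftover.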

Step 5: Download, Install Symantec Endpoint Protection


1. Download Symantec Endpoint Protection (http://www.cmu.edu/computing/software/all/symantec/download.html) to your desktop.
2. Once downloaded, double-click the Symantec icon to run the installer. As you progress through the installation, accept the default responses.
3. If Symantec fails to install, repeat the processes in Step 4 to remove any fragments of the program, and then try the install again.

Step 6: Run Live Update


Once Symantec is properly installed, launch the program and click the LiveUpdate button to download the latest virus definition files. For more information, refer to Running Live Update Manually (http://www.cmu.edu/computing/doc/software/virus-windows/live-update/manual.html).

Step 7: Boot into Safe Mode


Follow these steps to boot your computer into Safe Mode.

Note: You will be unable to boot into Safe Mode if required Windows system files are corrupted. While in Safe Mode, you will only have access to very basic drivers (mouse, monitor, keyboard, etc.).

1. Click Start > Shut Down.
2. Select Restart.
3. Depending on whether you have multiple operating systems loaded on your computer, follow the appropriate step below:
   o If your computer offers only one operating system, begin tapping the F8 key before your machine reaches the Microsoft Windows display screen.
   o If your computer offers multiple operating systems, select the appropriate operating system from the list, then begin tapping the F8 key.
4. Use your up or down arrow keys to select and highlight Safe Mode with Networking. Press Enter. Note: NUM LOCK must be off before the arrow keys on the numeric keypad will function.
5. Select the appropriate operating system. Your computer boots into Safe Mode.

Step 8: Run Symantec Full Scan


1. While in Safe Mode, launch Symantec Endpoint Protection.
2. Select Scan for Threats and then select Run Full Scan.
3. The scanning process begins. The duration of the scan depends on the total size of the files on your computer and may take hours to complete. Once complete, the software will display any problems that it has found and will provide further instructions.
4. To exit Safe Mode, restart your computer as you normally would.

Step 9: Enable the Firewall


A firewall restricts network access to your computer. All network data entering or leaving passes through the firewall, which examines each message and blocks those that do not match the specified policies (exceptions). Firewalls can also make your computer "invisible" to the outside world so that it does not become an easy target for a malicious attacker.

To configure Windows Firewall, visit the FirstConnect (http://www.cmu.edu/computing/firstconnect/) site and follow the appropriate "Configure Firewall" steps:
- Windows 7 & Vista (https://www.cmu.edu/computing/firstconnect/os/win7-vista/firewall.html)
- Windows XP (https://www.cmu.edu/computing/firstconnect/os/xp/firewall.html)
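The FirstConnect pages walk through the Control Panel dialogs; the same result can be reached and, more usefully, verified from a command line. The script below is an added example and is not part of the CMU guide or FirstConnect. It assumes an elevated Windows PowerShell prompt on Vista or Windows 7, where the built-in netsh advfirewall context and the HNetCfg.FwPolicy2 COM interface are available (XP's older firewall uses a different netsh context and is not covered here). The profile type values 1, 2 and 4 and the Direction/Action codes are the documented INetFwPolicy2 and INetFwRule constants.

```powershell
# Added example, not part of the CMU guide: turn Windows Firewall on for every
# profile, make "block unsolicited inbound" the default, enable logging of
# dropped connections, then list the enabled inbound exceptions for review.

# 1. Current state of the three profiles (Domain, Private, Public)
netsh advfirewall show allprofiles state

# 2. Enable the firewall on every profile and set the default policy to
#    block inbound / allow outbound, which is what makes the host "invisible"
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 3. Log dropped connections so a later investigation has something to read
#    (default log file: %systemroot%\system32\LogFiles\Firewall\pfirewall.log)
netsh advfirewall set allprofiles logging droppedconnections enable

# 4. Confirm the result through the COM API rather than trusting the commands
$policy   = New-Object -ComObject HNetCfg.FwPolicy2
$profiles = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
foreach ($type in 1, 2, 4) {
    $state = if ($policy.FirewallEnabled($type)) { 'ON' } else { 'OFF' }
    # DefaultInboundAction: 0 = block, 1 = allow
    $inbound = if ($policy.DefaultInboundAction($type) -eq 0) { 'block' } else { 'allow' }
    Write-Output ('{0,-8} firewall {1}, default inbound {2}' -f $profiles[$type], $state, $inbound)
}

# 5. The "exceptions" the text mentions are enabled inbound allow rules.
#    Direction 1 = inbound, Action 1 = allow. Protocol 6 = TCP, 17 = UDP, 256 = any.
Write-Output ''
Write-Output 'Enabled inbound allow rules (exceptions). Anything you do not recognise deserves a look:'
$policy.Rules |
    Where-Object { $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 } |
    Sort-Object Name |
    Select-Object Name, ApplicationName, Protocol, LocalPorts, Profiles |
    Format-Table -AutoSize
```

Malware that wants to stay reachable sometimes adds its own inbound allow rule rather than turning the firewall off, which is why the last step lists the exceptions instead of stopping at "firewall ON". A rule whose ApplicationName points into a temporary or user-profile directory is worth checking against the scan results from Steps 2 and 8.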

Step 10: Verify/Change Passwords


Verify Administrator Password
Verify that an Administrator account and password has been established.

Change Passwords
Change your local Windows user account password (the password used to log onto your computer) and/or Windows administrator account password (the password used to install software). For steps, visit the FirstConnect (http://www.cmu.edu/computing/firstconnect/) site and follow the appropriate "Secure Accounts" steps:
- Windows 7 & Vista (https://www.cmu.edu/computing/firstconnect/os/win7-vista/account.html)
- Windows XP (https://www.cmu.edu/computing/firstconnect/os/xp/account.html)

Consider purchasing an external backup drive and doing regular backups. If you have problems in the future, rather than working through all of these cleaning processes, you can restore from backup.

IMPORTANT: Passwords should ALWAYS be changed if your computer is compromised, even if you just restore from a backup.
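"Verify that an Administrator account and password has been established" can be checked precisely: which local accounts exist, which of them sit in the Administrators group, which require a password at all, and when each administrator's password was last set. The script below is an added example, not part of the CMU guide or FirstConnect. It assumes Windows PowerShell on XP, Vista or 7 and uses only the Win32_UserAccount and Win32_GroupUser WMI classes plus the net user command; it is read-only and changes nothing.

```powershell
# Added example, not part of the CMU guide: inventory local accounts and the
# local Administrators group to verify Step 10.

# Local (non-domain) accounts with the attributes that matter here.
# The LocalAccount filter keeps the query fast on domain-joined machines.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True"
Write-Output 'Local accounts:'
$accounts |
    Select-Object Name, Disabled, PasswordRequired, PasswordChangeable, Lockout, SID |
    Format-Table -AutoSize

# Members of the local Administrators group, via the Win32_GroupUser association.
# PartComponent looks like: \\HOST\root\cimv2:Win32_UserAccount.Domain="HOST",Name="Administrator"
$admins = @(Get-WmiObject -Class Win32_GroupUser |
    Where-Object { $_.GroupComponent -match 'Win32_Group\.Domain="[^"]+",Name="Administrators"' } |
    ForEach-Object {
        if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') { $matches[1] + '\' + $matches[2] }
    })
Write-Output 'Members of the local Administrators group (domain groups appear with their domain name):'
$admins | ForEach-Object { Write-Output ('  - ' + $_) }

# Check 1: at least one enabled local account has administrative rights.
# On Vista/7 the built-in Administrator is disabled by default, so this is
# normally the account you log on with.
$enabledAdmins = @($accounts | Where-Object {
    -not $_.Disabled -and ($admins -contains ($_.Domain + '\' + $_.Name)) })
if ($enabledAdmins.Count -eq 0) {
    Write-Output 'WARNING: no enabled local account is a member of Administrators.'
}

# Check 2: no enabled account may log on without a password.
$noPassword = @($accounts | Where-Object { -not $_.Disabled -and -not $_.PasswordRequired })
foreach ($a in $noPassword) {
    Write-Output ('WARNING: enabled account {0} does not require a password.' -f $a.Name)
}

# Check 3: when was each administrator's password last set? A date before the
# compromise means the password has not yet been changed as Step 10 requires.
foreach ($a in $enabledAdmins) {
    $name = $a.Name
    $line = net user $name | Select-String 'Password last set'
    Write-Output ('{0}: {1}' -f $name, ($line -replace '\s{2,}', ' '))
}
```

Any name in the Administrators list that you did not create, and any enabled account with PasswordRequired set to False, should be dealt with before the machine goes back on the network. Changing a local password from the same prompt is done interactively with net user NAME * so that the new password is never written into the command history.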

Clean? Keep it that way


Once your computer is free from infection, keep it that way! Visit the FirstConnect (http://www.cmu.edu/computing/firstconnect/) site and follow the Secure Registration (https://www.cmu.edu/computing/firstconnect/connect/index.html) steps.

Last Updated: 5/19/11