Removing Malicious Security Threats
This page explains common methods for removing malicious software (viruses, spyware, worms, and trojans) from a compromised Windows computer. It is intended as a "Best Practice" guide and does not guarantee removal, since every compromised system will carry a different mix of threats. Make sure all data has been backed up before proceeding with any recovery operations, and keep in mind that a backup taken from a compromised machine may itself contain the malware: scan it before restoring anything from it.
Security Threat Removal Tools
The freeware applications we use in the EE department to remove security threats are, in the order this FAQ runs them, Spybot, HijackThis, Malwarebytes, and Sophos Anti-Virus. Download them on another, clean computer and copy them to a CD/DVD or flash drive; do not download them on the compromised machine.
Depending on the severity of the threat you may only need to run Sophos Anti-Virus, or you may need all of them. This FAQ details the procedure for running all of the applications listed above.
- Reboot the computer into Safe Mode with Networking by pressing F8 as soon as the computer starts up (press it a few times).
- Log in with a different administrator account if possible (not the one you were using when the computer was compromised).
- Copy the downloaded applications to the Desktop.
- Delete all temp files for the user profile that was in use when the computer was compromised (make sure no programs are open, and skip any files you can't delete):
- Windows XP - C:\Documents and Settings\username\Local Settings\Temp
- Windows 7 - C:\Users\username\AppData\Local\Temp
- Empty the Recycle Bin.
- Disable System Restore if it is enabled (a lot of malicious software ends up saved inside previous System Restore points). Turning it off discards the existing restore points, which is the point; you can enable it again after completing the removal procedures.
- Follow the procedures below for running each of the applications, in the order listed.
- Install Spybot with all default options
- Start Spybot if it isn't already started
- Click 'Create registry backup'
- Click 'Next'
- Click 'Search for updates' and select the closest location (Mirror) to you to download the updates and click 'Continue'
- Click 'Download' to download and apply the updates and click 'OK' then click 'Exit'
- Start Spybot and click 'OK' to the legal message
- Click 'Check for problems'
- Click 'Yes' if asked to scan temporary files
- Wait until scan is finished
- Click 'Fix selected problems' if threats were detected and click 'Yes' to confirm threat removal
- Start HiJackThis
- Click 'Do a system scan and save a logfile'
- Leave HijackThis open and close the log file (it opens in Notepad) after the scan finishes
- Go to the HijackThis Log Analyzer website to analyze the log for security threats
- Click 'Browse' and select the log file that was saved (should be on the Desktop if you saved HijackThis application there)
- Click 'Analyze'
- Review the analyzed log and check, in HijackThis, the items it recommends removing. Automated analyzers flag anything they do not recognize, including legitimate department software, so verify each item before checking it
- Click 'Fix checked' and click 'Yes' to confirm fixing the items checked
- Click 'OK' if you receive a pop-up dialogue box
- Install Malwarebytes with all default options
- Start Malwarebytes if it isn't already started
- Select 'Perform full scan'
- No further action is required if no infected objects were found. If infected objects were found, follow the steps below
- Click 'OK' for the pop-up dialogue box to view results of infected objects
- Click 'Remove Selected'
- You may get a pop-up dialogue box that asks you to restart the computer to complete the removal process (make sure to boot into Safe Mode with Networking again)
- Install Sophos Anti-Virus with all default options
- Start Sophos Anti-Virus
- Click 'Scan my computer'
You can uninstall and delete the programs after completing all the steps, but I strongly recommend leaving Sophos Anti-Virus installed and running. If you still experience malicious behavior on your computer, continue with the "Advanced User Tips" below and try remedying the security threat manually.
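The preparation steps at the top of this FAQ (clearing the compromised profile's temp directory, emptying the Recycle Bin, and turning off System Restore) as a single PowerShell script. This is an added example, not part of the original FAQ; it assumes Windows 7 with PowerShell 2.0, an elevated prompt opened from Safe Mode with Networking while logged in as a different administrator, and a placeholder profile name passed in as $CompromisedUser.

```powershell
# Added example (not from the original FAQ): the Safe Mode preparation steps as one script.
# Assumes Windows 7 / PowerShell 2.0, run elevated from Safe Mode with Networking while
# logged in as a DIFFERENT administrator, so the compromised profile is not loaded.
# $CompromisedUser is a placeholder; pass the real profile name.
param(
    [Parameter(Mandatory = $true)][string]$CompromisedUser,
    [string]$SystemDrive = "C:\"
)

# 1. Delete the temp files of the profile that was in use when the machine was compromised.
#    Windows 7 path; on Windows XP it is C:\Documents and Settings\<user>\Local Settings\Temp.
$tempDir = Join-Path $SystemDrive ("Users\{0}\AppData\Local\Temp" -f $CompromisedUser)
if (Test-Path -LiteralPath $tempDir) {
    $skipped = 0
    foreach ($item in @(Get-ChildItem -Path $tempDir -Force -Recurse)) {
        # A parent directory removed earlier in the loop already took its children with it.
        if (-not (Test-Path -LiteralPath $item.FullName)) { continue }
        try {
            Remove-Item -LiteralPath $item.FullName -Recurse -Force -ErrorAction Stop
        } catch {
            # The FAQ says to skip files you can't delete (locked or in use); do that, but say so.
            $skipped++
            Write-Warning ("Skipped (locked or protected): " + $item.FullName)
        }
    }
    Write-Output ("Temp cleanup of {0} finished, {1} item(s) skipped." -f $tempDir, $skipped)
} else {
    Write-Warning ("Temp directory not found: " + $tempDir)
}

# 2. Empty the Recycle Bin for every profile via the Shell COM object.
#    (Clear-RecycleBin does not exist before PowerShell 5, so this works on XP/7 as well.)
$shell = New-Object -ComObject Shell.Application
$bin = $shell.NameSpace(0xA)          # 0xA = ssfBITBUCKET, the Recycle Bin folder
foreach ($entry in @($bin.Items())) {
    Remove-Item -LiteralPath $entry.Path -Recurse -Force -ErrorAction SilentlyContinue
}
Write-Output "Recycle Bin emptied."

# 3. Turn off System Restore on the system drive. As with the GUI, this discards the
#    existing restore points, which is the reason the FAQ asks for it: malware is often
#    saved inside them and would come back on a restore. Re-enable afterwards with:
#        Enable-ComputerRestore -Drive "C:\"
Disable-ComputerRestore -Drive $SystemDrive
Write-Output ("System Restore disabled on " + $SystemDrive + ". Re-enable it after the cleanup.")
```

Run it as `.\prep-cleanup.ps1 -CompromisedUser <profile name>` (the script name is arbitrary). If script execution is blocked, `Set-ExecutionPolicy RemoteSigned` for the session, or paste the body into the prompt; on a default Windows 7 install the policy is Restricted.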
Advanced User Tips
The following tips are for advanced users who are comfortable with manually removing security threats. In most cases the procedures above, using the third-party applications, should suffice; manual removal may still be necessary in some cases. Below are some common foundational guidelines:
- Use the msconfig utility to disable any abnormal startup processes from starting when the computer boots
- Follow up by deleting the associated Run registry values for the items you disabled. The page's example is HKLM\Software\Microsoft\Windows\CurrentVersion\Run; also check the per-user key HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the RunOnce keys next to each, since malware installed without administrator rights lands in the HKCU keys
- Manually delete the executable files that the startup processes are using (you may have to restart the computer or kill the process in Task Manager first, and you should confirm through research that the file/process is in fact malicious before deleting it)
- Confirm that the disabled startup processes are no longer running in Task Manager and that the manually deleted files have not recreated themselves
- Look for and delete malicious executables based on research. Malicious executables are commonly dropped in the following locations:
- Windows 7 - C:\Users\username\AppData\Local\Microsoft
- Windows 7 - C:\Users\username\AppData\Local\Temp
- Windows 7 - C:\Users\username\AppData\Roaming\Microsoft
- Windows XP - C:\Documents and Settings\username\Local Settings\Temp
- Check the proxy settings in your Internet browsers and make sure no proxy is configured if you don't use a proxy server (EE does not use a proxy server). A lot of spyware injects proxy settings to route your traffic through itself.
- Uninstall any software that is unrecognized (especially ad generators, toolbars, desktop utilities)
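A PowerShell script covering the manual checks above: it lists every Run/RunOnce autostart entry with the file it points to, whether that file is running, whether it is Authenticode-signed, whether it sits in one of the profile folders listed above, and its SHA-256 for looking the sample up, and it then reports any Internet Explorer proxy setting. This is an added example, not part of the original FAQ, and it only reports; nothing is disabled or deleted, since the FAQ's rule is to research each item first. It assumes Windows 7 with PowerShell 2.0, run as an administrator from Safe Mode, and it reads the profile folders from the current user's environment, so run it logged in as the user whose profile is being examined.

```powershell
# Added example (not from the original FAQ). Reports, never deletes: autostart entries,
# the file behind each one, its signature, whether it lives in a known drop folder, and
# the IE proxy setting. Assumes Windows 7 / PowerShell 2.0, run as administrator from
# Safe Mode, as the user whose profile is being examined.
$ErrorActionPreference = "SilentlyContinue"

$runKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
# Properties Get-ItemProperty adds that are not registry values.
$providerProps = @("PSPath", "PSParentPath", "PSChildName", "PSDrive", "PSProvider")

# Profile folders the FAQ lists as common drop locations for malicious executables.
$suspectRoots = @(
    (Join-Path $env:LOCALAPPDATA "Microsoft"),
    (Join-Path $env:LOCALAPPDATA "Temp"),
    (Join-Path $env:APPDATA "Microsoft")
)

# Extract the program path from a Run value such as  "C:\x\y.exe" /silent  or  C:\x\y.exe
function Get-ExecutablePath([string]$command) {
    $m = [regex]::Match($command, '^\s*"([^"]+)"|^\s*(\S+)')
    if ($m.Groups[1].Success) { $raw = $m.Groups[1].Value } else { $raw = $m.Groups[2].Value }
    return [Environment]::ExpandEnvironmentVariables($raw)
}

# SHA-256 of a file, for looking the sample up before deciding it is malicious.
function Get-Sha256([string]$path) {
    $sha = New-Object System.Security.Cryptography.SHA256Managed
    $fs = [System.IO.File]::OpenRead($path)
    try { return ([BitConverter]::ToString($sha.ComputeHash($fs))).Replace("-", "").ToLower() }
    finally { $fs.Close() }
}

$report = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($prop in $values.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $exe = Get-ExecutablePath ([string]$prop.Value)
        $exists = ($exe -ne "") -and (Test-Path -LiteralPath $exe)
        $reasons = @()
        $hash = ""
        if (-not $exists) {
            $reasons += "file missing"          # a dangling entry is worth cleaning up too
        } else {
            $hash = Get-Sha256 $exe
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne "Valid") { $reasons += "unsigned or bad signature" }
            foreach ($root in $suspectRoots) {
                if ($exe.ToLower().StartsWith($root.ToLower())) { $reasons += "in profile drop folder" }
            }
        }
        # Is the file running right now? (The FAQ's Task Manager check.)
        $running = @(Get-Process | Where-Object { $_.Path -and ($_.Path -ieq $exe) }).Count -gt 0
        $report += New-Object PSObject -Property @{
            Key       = $key
            Name      = $prop.Name
            Path      = $exe
            Running   = $running
            Sha256    = $hash
            Suspicion = ($reasons -join "; ")
        }
    }
}
$report | Sort-Object Suspicion -Descending |
    Format-Table Key, Name, Path, Running, Suspicion, Sha256 -AutoSize

# Browser proxy: the FAQ notes EE uses no proxy, so an enabled proxy or an auto-config URL
# in Internet Explorer's settings is a red flag. Firefox keeps its own settings in prefs.js,
# so check it separately in its Options dialog.
$inet = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
if ($inet.ProxyEnable -eq 1) { Write-Warning ("Proxy enabled: " + $inet.ProxyServer) }
if ($inet.AutoConfigURL)      { Write-Warning ("Proxy auto-config URL set: " + $inet.AutoConfigURL) }
```

Entries with an empty Suspicion column are signed and live outside the profile folders, which makes them less interesting but not proven clean; an entry that is unsigned, running, and in AppData\Local\Temp is the one to research first. The HKLM keys apply to every user, so re-run the script logged in as each profile on the machine to cover their HKCU keys.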