First Response Recipe

This page is intended to document steps you can take to clean up a machine that is suspected to be infected.

NB: it is difficult to say with any certainty that a given machine has been fully cleaned up. A format and reinstall from known-good media is always preferred.

Note that product-specific details can be found here: https://www.cs.uwaterloo.ca/twiki/view/UW/SoftwareChart#Internet_and_Security

See also: IST's Security Howto page

Windows

Before you start

  • Note many viruses will use the System Restore function to reinfect the system after a virus scan and reboot. Look in Control Panel -> System -> System Restore
    • Note if you disable System Restore you will also delete all of the backup copies of the system registry

Without networking

If possible, checking the system without a network connection prevents any viruses or malware from doing anything "bad" while you're trying to clean it up. The disadvantage is that you can't download any updates first.

Disable the network

  • unplug the network connection

Boot in "Safe Mode"

  • reboot the PC into Windows Safe Mode, by pressing F8 as the machine starts up
  • select "Safe Mode without networking"

Run scans in Safe Mode

  • with whatever software is installed (Symantec A/V or others), run a scan
  • you won't be able to update at this point, or install new A/V software

With networking

  • reboot the PC into Windows Safe Mode, by pressing F8 as the machine starts up
  • select "Safe Mode with networking"
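The Windows steps above (checking System Restore, isolating the network, booting into Safe Mode with or without networking, then scanning) as one scripted sequence. This is an added PowerShell example, not part of the original wiki page. It assumes Windows 8 or later with Windows PowerShell 5.1 run from an elevated session, the NetAdapter module, and Microsoft Defender standing in for "whatever software is installed"; the script name FirstResponse.ps1 and its switches are invented here. It goes slightly beyond the text by arming Safe Mode through bcdedit instead of pressing F8, which fast-booting machines often skip.

```powershell
# FirstResponse.ps1 -- added example, not from the original wiki page.
# Assumes: Windows 8+/Windows PowerShell 5.1, elevated, NetAdapter module,
# Microsoft Defender as the installed scanner (substitute your vendor's CLI).
# Usage (elevated):
#   .\FirstResponse.ps1 -Prepare                 # isolate, arm Safe Mode without networking
#   .\FirstResponse.ps1 -Prepare -Networking     # ... Safe Mode with networking
#   .\FirstResponse.ps1 -Scan                    # run inside Safe Mode
#   .\FirstResponse.ps1 -Restore                 # clear the safeboot flag when done
[CmdletBinding()]
param(
    [switch]$Prepare,         # stage 1: check System Restore, disable adapters, arm Safe Mode
    [switch]$Networking,      # with -Prepare: Safe Mode with networking instead of minimal
    [switch]$DisableRestore,  # with -Prepare: turn System Restore off (deletes restore points)
    [switch]$Scan,            # stage 2: run the scan from inside Safe Mode
    [switch]$Restore          # stage 3: make the next boot a normal boot again
)

function Get-SafeModeState {
    # SAFEBOOT_OPTION is 'Minimal' or 'Network' only when Windows booted into Safe Mode.
    if ($env:SAFEBOOT_OPTION) { return $env:SAFEBOOT_OPTION }
    return 'Normal'
}

if ($Prepare) {
    # System Restore: show what a reboot could roll back into. Disabling it removes
    # every restore point, including the registry backups the wiki warns about.
    Write-Host "System Restore points on this machine:"
    Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
    if ($DisableRestore) {
        $sysDrive = $env:SystemDrive + '\'
        Disable-ComputerRestore -Drive $sysDrive
        Write-Warning "System Restore disabled on $sysDrive; all restore points are gone."
    }

    # Isolation: the scripted equivalent of unplugging the cable; also covers Wi-Fi.
    Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | ForEach-Object {
        Write-Host "Disabling network adapter: $($_.Name)"
        Disable-NetAdapter -Name $_.Name -Confirm:$false
    }

    # Arm Safe Mode for the next boot. 'minimal' = without networking, 'network' = with.
    $mode = if ($Networking) { 'network' } else { 'minimal' }
    bcdedit /set '{current}' safeboot $mode | Out-Null
    Write-Host "Next boot will be Safe Mode ($mode). Run Restart-Computer to continue."
}

if ($Scan) {
    $state = Get-SafeModeState
    if ($state -eq 'Normal') {
        Write-Warning "Not in Safe Mode (SAFEBOOT_OPTION unset); run -Prepare and reboot first."
        return
    }
    Write-Host "Running in Safe Mode ($state)."
    # Defender's service is not started automatically in Safe Mode; start it explicitly.
    Start-Service -Name WinDefend -ErrorAction SilentlyContinue
    if ($state -eq 'Network') {
        Update-MpSignature   # signature updates are only possible with networking
    }
    Start-MpScan -ScanType FullScan
    Get-MpThreatDetection | Format-Table InitialDetectionTime, ThreatID, Resources -AutoSize
}

if ($Restore) {
    # Clear the safeboot flag; otherwise the machine keeps booting into Safe Mode.
    bcdedit /deletevalue '{current}' safeboot | Out-Null
    # Adapters may not be re-enableable from minimal Safe Mode; rerun -Restore after
    # the normal boot if this step reports errors.
    Get-NetAdapter -Physical | Where-Object Status -eq 'Disabled' |
        Enable-NetAdapter -Confirm:$false -ErrorAction SilentlyContinue
    Write-Host "Normal boot restored; reboot to leave Safe Mode."
}
```

Keep the -DisableRestore switch off unless you have decided the registry backups are expendable: the wiki's caveat applies exactly as it does to the Control Panel setting. The scan stage checks SAFEBOOT_OPTION rather than trusting the operator, because running a scan in normal mode after -Prepare gives a false sense of having followed the procedure.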

Linux

Without networking

With networking

Topic revision: r5 - 2014-04-10 - MikeGore