
How to Clean an Infected Windows Machine (NT, 2000, 2003, XP, 7, 8, 8.1)

SEASnet has provided the following instructions for cleaning your Windows machine. Failure to follow these instructions will result in your machine still showing as infected and we will once again disable your IP address. Repeated infections will result in you having to pay our campus-approved labor rate for reconnection. If you do not wish to clean your machine, you may submit a SEASnet Service Request and SEASnet will send someone to do these steps for you as soon as we have staff available. Your only other option is to reinstall your OS, making sure to follow SEASnet’s guidelines.

These instructions require you to use the Windows registry. If you are unfamiliar with the Windows registry, we recommend you read the Microsoft Knowledge Base articles linked below. You only need to read the What is the registry? article and the specific article that pertains to your particular OS.

Warning: If you use Registry Editor incorrectly, you can cause serious problems that may require you to reinstall your operating system. Microsoft does not guarantee that you can solve problems that result from using Registry Editor incorrectly.

Product Documentation: Windows Registry in Windows 10

HOW TO: Back Up, Edit, and Restore the Registry in Windows XP, 7, 8, and 8.1

HOW TO: Back Up, Edit, and Restore the Registry in Windows 2000

HOW TO: Back Up, Edit, and Restore the Registry in Windows NT 4.0


Instructions for Cleaning Your Windows Machine:

  • Borrow a virus-scanning CD from SEASnet.
  • Go into Safe Mode by pressing F8 as your machine is booting up. (On Windows 8 and 8.1 the F8 boot menu is turned off by default: either hold Shift while clicking Restart and choose Troubleshoot -> Advanced options -> Startup Settings -> Restart, then pick Safe Mode, or first run “bcdedit /set {default} bootmenupolicy legacy” from an elevated command prompt to bring the F8 menu back.)
  • Insert the CD and log in to Safe Mode.
  • Use the Sophos command-line scanning tool and do a full scan of all files. This could take a few hours.
    • Go to Start -> Run -> “cmd” -> Enter
    • Change to the CD-ROM drive (type its drive letter followed by a colon, e.g. “D:”, and press Enter), then “cd sophos\sav32”
    • Enter this command: “sav32cli -all -f -remove -nc -idedir=<cdrom>:\sophos\ides”, replacing <cdrom> with your CD drive letter – or you can run “<cdrom>:\sophos\sav32\scan.bat” and follow the prompt
  • Once the scan is complete, write down both the filenames and the virus/worm/trojan name of any infected files.
    • For example, C:\WINDOWS\system32\iiexplorer.exe was the infected file and the worm was W32/RBOT-KX
  • Search the registry for these files using regedit and delete any entries that are found.
    • Start -> Run -> regedit -> Enter, then Edit -> Find and search for each filename you wrote down (use Find Next to see every hit)
    • Delete only the value (or malware-specific subkey) that points at the infected file, not the whole Run key it sits in – legitimate programs keep their startup entries in the same key. Export the key first (File -> Export) so it can be restored if you remove the wrong thing.
    • More often than not, the major locations (that may or may not exist) are:
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
      HKEY_LOCAL_MACHINE\Software\Microsoft\Ole
      HKEY_LOCAL_MACHINE\Software\Microsoft\Outlook Express
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
      HKEY_CURRENT_USER\Software\Microsoft\Ole
      HKEY_CURRENT_USER\Software\Microsoft\Outlook Express
      
  • While you are in the registry at the above locations, look for any unusual/interesting programs listed.
    • For example, there should NOT be a “Windows Update” item within the “Run” folder – any obvious misspellings are also bad (“microsofot” instead of “microsoft”).
    • Write down the program and the file associated with it and do a search for them.
    • If they turn out to be virus/malware files, you will have to do a file search and delete these files.
  • You can run Stinger here if you would like.
  • Next, look through the Services for anything unusual.
    • Start -> Control Panel -> Administrative Tools -> Services
    • Here are the official Microsoft Windows 7 Default Services list (some may not be installed on your machine)
    • Stop any unusual services that are running (see NOTE below)
      • They will not be running if you are in Safe Mode
    • Disable the service if you know it is malicious; set it to Manual if you are unsure (do a search for the service name if you are unsure)
    • A disabled service cannot be started again, by the malware or by anything else, until someone re-enables it. If a service you disabled comes back or re-enables itself after a reboot, something on the machine is still active and the cleaning is not finished.

NOTE: For a clearer view of what services are not standard Microsoft services, go to Start -> Run -> “msconfig” -> Services -> Click on “Hide All Microsoft Services.” The remaining services are the ones you want to look at, assuming your machine has not been severely hacked.
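The registry and services steps above can be done by hand in regedit and services.msc; the PowerShell script below is an added example (not SEASnet's script) that reads the same autorun keys listed above and the services list and flags the things the instructions say to look for: a “Windows Update” entry in Run, misspellings of Microsoft, targets that no longer exist, binaries running from user-writable folders, unsigned binaries, and services whose executable lives outside %SystemRoot%. It assumes an elevated PowerShell prompt and PowerShell 2.0 or later (XP SP3 through 8.1); it deletes nothing, and every flag is a cue to look closer, not a verdict.

```powershell
# Added example, not SEASnet's script: list the autorun registry locations
# named above plus services whose binary is outside %SystemRoot%, flagging
# entries a cleaner should look at twice. Read-only: nothing is deleted.
# Assumptions: elevated PowerShell 2.0 or later (XP SP3 through 8.1);
# the heuristics below are cues, not verdicts.

$autorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties PowerShell adds to every Get-ItemProperty result; not registry values
$psBookkeeping = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath([string]$command) {
    # Reduce a command line to its executable:  "C:\x\y.exe" /arg  ->  C:\x\y.exe
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+)')     { return $Matches[1] }
    return $command
}

function Get-AutorunReasons([string]$name, [string]$command) {
    # Returns the reasons this entry deserves attention; nothing returned = looks normal
    $reasons = @()
    $exe = Get-ImagePath $command
    # The page's own tells: "Windows Update" never uses a Run entry, and a
    # misspelled "Microsoft" (microsofot, microsft) is a classic malware name.
    if ($name -eq 'Windows Update')              { $reasons += '"Windows Update" does not belong in Run' }
    if ("$name $command" -match 'microso(?!ft)') { $reasons += 'misspelled "Microsoft"' }
    if (-not (Test-Path -LiteralPath $exe)) {
        $reasons += "target does not exist: $exe"
    } else {
        # Worm drops such as the W32/Rbot example often run from user-writable folders
        foreach ($dir in @($env:USERPROFILE, $env:ALLUSERSPROFILE, $env:TEMP)) {
            if ($dir -and ($exe -like "$dir\*")) { $reasons += "runs from user-writable path $dir"; break }
        }
        # Signature check: on XP/7 catalog-signed Windows binaries report NotSigned,
        # so weigh an unsigned result together with the path, not on its own.
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status: $($sig.Status)" }
    }
    return $reasons
}

foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }            # the page notes some keys may not exist
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($psBookkeeping -contains $p.Name) { continue }
        $reasons = @(Get-AutorunReasons $p.Name ([string]$p.Value))
        $flag = 'ok'
        if ($reasons.Count -gt 0) { $flag = 'CHECK' }
        "[$flag] $key :: $($p.Name) = $($p.Value)"
        foreach ($r in $reasons) { "        - $r" }
    }
}

# Services whose binary lives outside %SystemRoot%: roughly the view that
# msconfig's "Hide All Microsoft Services" gives, approximated here by path.
Get-WmiObject Win32_Service | ForEach-Object {
    $exe = Get-ImagePath ([string]$_.PathName)
    if ($exe -and ($exe -notlike "$env:SystemRoot\*")) {
        "[service] $($_.Name) ($($_.State), start=$($_.StartMode)) -> $($_.PathName)"
    }
}
```

Run it once before deleting anything and again after the reboot: an entry or service that was removed and comes back is the clearest sign the cleaning did not reach the real dropper. The path-based service filter is only an approximation of msconfig's signature-based one, so an entry listed here is a candidate for the Services check above, not proof of anything.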


At this point, you can reasonably assume that the infection is gone, with one caveat: the scanner only removes what it recognizes, so if the machine keeps showing up as infected, or the autorun entries and services you removed reappear after a reboot, go back to the reinstall option described at the top of this page. It is also possible that other things may leave your machine susceptible to future infection. Below are further steps you can take to protect your machine:

  • Change the password on ALL accounts on your machine.
    • Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users
    • Right click and “Set Password” for “Administrator” and all other user accounts – do not change passwords for machine accounts and other accounts created by installed programs
    • Make sure you use strong passwords: at least 6 characters (longer is better) with a combination of capital letters, lowercase letters, and numbers – if you want, also use special characters such as !@#$%^&*()
  • Install the Microsoft Baseline Security Analyzer and update the mssecure.xml file.
    • Copy from the CD to the installed location (default is  C:\Program Files\Microsoft Baseline Security Analyzer)
    • Scan your machine – see what problems are found and fix them
  • Look for the Windows Update icon in the task tray to see if any updates are available.
    • The report from the Baseline Security Analyzer should have said if any updates were missing if there is no icon.
  • Install any missing patches/updates (some are on the CD).
  • Configure the Automatic Windows Update to run and install automatically.
    • Control Panel -> Automatic Updates -> Set it to Automatic and Daily and whatever time you know your machine will be turned on
  • Download and install Ad-Aware from Lavasoft and scan the machine for any malware – fix any that show up.
    • Do a full scan of your machine (do a Google search for “reconfigure Ad-Aware for full scan”)
    • You can uninstall Ad-Aware afterwards
  • Install Spybot S&D (Search and Destroy) from Safer Networking Limited and scan the machine for any malware as well – fix any that show up.
    • You can uninstall Spybot S&D afterwards
  • Remove any unnecessary shares and set security on needed shares (IPC$, C$, and ADMIN$ are default shares and OK to have).
    • Control Panel -> Administrative Tools -> Computer Management -> Shared Folders -> Shares will list all the shares on your machine
  • Turn off simple file sharing.
    • Double-click “My Computer” or open any folder
    • Click Tools (hit Alt key if tools not showing) -> Folder Options -> View -> In Advanced settings, turn off (uncheck) “Use simple file sharing (Recommended)”
    • If you need file sharing, consult this page
  • Turn on the windows XP firewall or install a firewall on the machine.
    • Control Panel -> Network Connections -> Right-click “Local Area Connection” -> Properties -> Advanced -> check “Protect my computer…” or click “Settings”, depending on the Service Pack of Windows XP you have (if you clicked “Settings”, choose “On” on the next screen)
  • Configure the Security Settings for IE above the default medium.
  • Disable “Install On Demand” on the Advanced Tab in Internet Options.
  • Recommended: Use an alternate web browser, such as Mozilla Firefox, Google Chrome, Netscape, or Opera (in that order – the last 2 may be unavailable for Windows 7 and above).
  • Configure Outlook Express
    • Options -> Security -> “Block images and other external content in HTML e-mail”
    • Options -> Security -> “Do not allow attachments to be saved or opened that could potentially be a virus”
  • Configure Outlook
    • Turn off preview pane for all folders
    • Recommended for Outlook 2002 and older: Install addon to make all emails viewed as text only
    • For Outlook 2003: Tools -> Options -> Security -> Change Automatic Download Settings -> turn on both “Don’t download pictures…” and “Warn me before…”
  • Look for any of the following programs/files and uninstall or delete them (if you can’t uninstall). If a service is running with one of those names, stop it and disable it! The programs below may be signs that your machine has been hacked. Please let SEASnet know if this has happened.
    • firedaemon – a utility that runs any program as a Windows service, so it starts at boot and keeps running without anyone logged in; attackers use it to keep their tools running
    • mirc/irc – an Internet Relay Chat client program (bots such as the Rbot family are controlled over IRC)
    • cygwin – a Unix environment/toolset for Windows
    • uftp – an FTP server
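The hardening steps above are spread across several Control Panel dialogs; the PowerShell script below is an added example (not SEASnet's script) that checks the same settings in one pass by reading their documented registry locations and WMI classes: shares beyond the default administrative ones, simple file sharing (the Lsa\ForceGuest value on XP), the Windows Firewall switch per profile, the Automatic Updates mode (AUOptions), and any service or top-level folder matching the flagged programs. It assumes an elevated PowerShell 2.0 or later on XP SP3 through 8.1, reads without changing anything, and does not look at settings pushed by Group Policy, which live under HKLM:\SOFTWARE\Policies and override the values read here.

```powershell
# Added example, not SEASnet's script: a read-only audit of the hardening
# steps above (shares, simple file sharing, firewall, Automatic Updates, and
# the programs the page says to look for). Registry values are the documented
# locations for XP/7/8.x. Assumptions: elevated PowerShell 2.0 or later;
# settings pushed by Group Policy (HKLM:\SOFTWARE\Policies) are not checked.

$findings = @()

# 1. Shares beyond the defaults (IPC$, ADMIN$ and the per-drive C$, D$, ...)
Get-WmiObject Win32_Share | Where-Object {
    $_.Name -ne 'IPC$' -and $_.Name -ne 'ADMIN$' -and $_.Name -notmatch '^[A-Z]\$$'
} | ForEach-Object { $findings += "Extra share '$($_.Name)' -> $($_.Path)" }

# 2. Simple file sharing (XP): ForceGuest=1 maps every network logon to Guest,
#    so share permissions are all that protects the files.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.ForceGuest -eq 1) { $findings += 'Simple file sharing is ON (Lsa\ForceGuest = 1)' }

# 3. Windows Firewall per profile (XP SP2 and later keep the on/off switch here)
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($fwProfile in @('StandardProfile', 'PublicProfile', 'DomainProfile')) {
    $k = Join-Path $fwBase $fwProfile
    if ((Test-Path $k) -and ((Get-ItemProperty $k).EnableFirewall -ne 1)) {
        $findings += "Firewall is OFF for $fwProfile"
    }
}

# 4. Automatic Updates: AUOptions 4 = download and install on the schedule;
#    2 and 3 only notify, 1 means disabled.
$au = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
if (Test-Path $au) {
    $opt = (Get-ItemProperty $au).AUOptions
    if ($opt -ne 4) { $findings += "Automatic Updates not set to install automatically (AUOptions = $opt)" }
}

# 5. Programs the page flags as a sign of compromise: look in services and in
#    the top-level folders of the usual install locations.
$flagged = 'firedaemon|mirc|cygwin|uftp'
Get-WmiObject Win32_Service | Where-Object { "$($_.Name) $($_.PathName)" -match $flagged } | ForEach-Object {
    $findings += "Service '$($_.Name)' ($($_.State)) matches a flagged program: $($_.PathName)"
}
foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\")) {
    if (-not $root) { continue }                        # ProgramFiles(x86) is absent on 32-bit Windows
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -match $flagged } |
        ForEach-Object { $findings += "Folder matches a flagged program: $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A clean run prints “No findings.”; anything else maps directly to one of the bullets above (remove the share, turn off simple file sharing, enable the firewall, set Automatic Updates to Automatic, or uninstall the flagged program and tell SEASnet). The folder check only looks one level deep on purpose: it is a quick confirmation of the page's list, not a substitute for the full Sophos scan.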