Bored and randomly checking out threads. Figured I could contribute to this thread. Below is a copy of some notes I keep out there for our new techs; these steps have cleaned about 98% of the machines I have run into. As for the other 2%... let's just ponder how unfun multiple rootkits are to clean.
1. Copy all necessary software to desktop or folder easily accessible.
2. If possible, update any malware removal tools (Malwarebytes, SUPERAntiSpyware, etc). Some malicious code prevents these from running; if you have one of those, don't worry for now.
3. Unplug machine from network
4. Rename Process Explorer's (http://technet.microsoft.com/en-us/sysi ... s/bb896653) exe to iexplore.exe.
5. Run 'iexplore.exe' from step 5. Kill any obvious malicious processes. Leave this running while continuing, check it periodically and kill the processes if they respawn.
6. Run HijackThis. Remove anything obvious. After removing it, scan again; knowing if it came back can help later.
7. Run rkill (http://www.bleepingcomputer.com/downloa ... irus/rkill). If you can't run the normal rkill.exe/.com/etc, rename it explorer.exe or iexplore.exe (in a different location from the Process Explorer one).
8. Run Malwarebytes / SUPERAntiSpyware / etc. "Quick" scans are usually sufficient initially. Run more than one utility to be safe.
9. Run TDSSKiller (http://support.kaspersky.com/viruses/so ... =208280684). Pray it doesn't find anything (god I HATE this rootkit some days). Have it nuke anything it finds. If it finds something, repeat steps 9 and 10 until you are 101% sure nothing is left. Usually it only takes 1-2 loops as long as you followed step 4.
11. Repeat from Step 5 just to be sure. As a last resort you can run ComboFix (http://www.bleepingcomputer.com/downloa ... s/combofix). I only run this as a last resort because it has destroyed IE on me many times. If it does, you get to install IE again!
12. Connect machine to network again.
13. Go deal with other ridiculous user requests for a bit.
14. Scan machine again. Hope you didn't miss anything.
This may not help most, but hopefully it helps someone.
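
An added example, not part of the original post: one way to do the "scan again, knowing if it came back" check from step 6 is to diff the saved HijackThis logs instead of comparing them by eye. The log excerpts below are constructed, the function names are hypothetical, and it assumes the tech keeps a copy of the lines they removed.

```python
import re

# HijackThis log entries start with a section code such as "O4 - " or "R1 - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of (section, normalised text) entries in a log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            # Collapse whitespace and case so cosmetic differences don't hide a match.
            entries.add((m.group(1), " ".join(m.group(2).split()).lower()))
    return entries

def compare_scans(before_log, removed_lines, after_log):
    """Classify removed entries as gone or respawned; list entries new since 'before'."""
    before = parse_entries(before_log)
    removed = parse_entries("\n".join(removed_lines))
    after = parse_entries(after_log)
    return {
        "came_back": sorted(removed & after),
        "stayed_gone": sorted(removed - after),
        "new_since_first_scan": sorted(after - before),
    }

# Constructed sample logs (not from a real machine).
BEFORE = r"""Logfile of HijackThis
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Temp\bad1.dll
O4 - HKLM\..\Run: [updater] C:\Temp\upd.exe
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\AV\tray.exe"
"""
REMOVED = [
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Temp\bad1.dll",
    r"O4 - HKLM\..\Run: [updater] C:\Temp\upd.exe",
]
AFTER = r"""Logfile of HijackThis
O4 - HKLM\..\Run: [Updater]  C:\Temp\upd.exe
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\AV\tray.exe"
O4 - HKCU\..\Run: [helper] C:\Temp\hlp.exe
"""

if __name__ == "__main__":
    for label, items in compare_scans(BEFORE, REMOVED, AFTER).items():
        print(label)
        for section, text in items:
            print(f"  {section} - {text}")
```

An entry under `came_back` means something is still running and rewriting it, which is the cue to go back to the process-killing and rootkit steps before trusting another scan.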