RCC World - Saint Mary's College ResNet

Special note: Viruses and malware change daily, and removal instructions are not a one-size-fits-all solution. Malwarebytes is always a great first step if the malware will allow you to install, update, and run it. Please check with the Associate Director of Technology Support Services before removing viruses and malware from a computer in case it needs special attention or instructions.

If this is an issue restricted to a web browser (redirects, unwanted web search page, toolbars, advertising), please start with the Browser Hijacker instructions to address the issue.

Procedure for Cleaning Viruses Off a Computer Running Windows 7/8/10

If a computer is suspected to have a virus, these steps should eliminate the problem. The steps below are lengthy, but they work. Shortcuts could result in the virus or malware not being removed, resulting in a return visit from the student with her computer.

If a computer has been blocked from the campus network for security issues (infections, lack of patches), you need to follow ALL of the steps listed below before the computer will be re-enabled.

Some computers may be blocked for reasons other than security issues. Please take the time to read the e-mails sent to you about blocked computers. Some messages may include detailed instructions other than what is listed below to have the computers re-enabled.

Failure to complete all of the steps will result in you having to meet with the student again and starting these steps from the beginning - a process neither you nor the student will enjoy.

It is strongly recommended that you copy these steps and paste them into the ResNet Problem Report Form that you are working on so you have a detailed record of what you have done with the computer. (This document is available at http://www.saintmarys.edu/rccs/removingviruses.html for you copy from, and will be updated as necessary.) This detailed record in the ResNet Problem Report Form will assist other RCCs, as well, if you have to end a shift in the ResNet Office and another RCC takes over the record you were working on.

If you have questions, please contact the Associate Director of Technology Support Services.

Part I: Setup

If the malware will permit:

Make sure that the student has her power supply with her computer. If not, she may fetch it after the Malwarebytes scan has started.

Check for anti-virus software on the computer. Uninstall the software that is on the computer (McAfee, Norton, AVG, Sophos, etc).

Run CleanUp! to clear temporary files from the computer. Every file deleted now will be a file you won't have to scan later.

Download and run RKILL.

http://www.bleepingcomputer.com/download/rkill/

When at the download page, click on the Download Now button labeled iExplore.exe. When you are prompted where to save it, please save it on your desktop. Once it is downloaded, double-click on the iExplore.exe icon in order to automatically attempt to stop any processes associated with the malware. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and a log file will open. You can review the log file and then close so you can continue with the next step.

If you have problems running RKill, please let us know.

Do not reboot your computer after running RKill as the malware programs will start again.

Part II: Installing and updating Malwarebytes

If Malwarebytes' Anti-Malware is already installed:

Launch Malwarebytes.
Click on the Update tab.
Click on the Check for Updates button.
Malwarebytes should download and install the latest definitions (and possibly a new version of the software).

If Malwarebytes won't update:

Open a web browser and make sure the computer is registered on ResNet. If it isn't, have the student complete the registration.
Check to see if a proxy server was set by the malware (Internet Explorer -> Tools -> Internet Options -> Connections -> LAN Settings. Uncheck "Use a proxy server. Check "Automatically detect settings.")

If Malwarebytes' Anti-Malware is not already installed:

Install the software from your USB Flash drive.
Launch Malwarebytes.
Click on the Update tab.
Click on the Check for Updates button.
Malwarebytes should download and install the latest definitions (and possibly a new version of the software).

If Malwarebytes won't update:

Open a web browser and make sure the computer is registered on ResNet. If it isn't, have the student complete the registration.
Check to see if a proxy server was set by the malware (Internet Explorer -> Tools -> Internet Options -> Connections -> LAN Settings. Uncheck "Use a proxy server. Check "Automatically detect settings.")

If Malwarebytes' Anti-Malware won't install:

Ask the Associate Director of Technology Support Services to assist with the computer. She has additional tools that will get a computer to the point of installing and running Malwarebytes' Anti-Malware.

Part III: Running Malwarebytes

Disconnect the computer from the network (pull the Ethernet cable out of the computer or wall, turn off wireless). You don't want the computer to become reinfected as soon as you clean it.

Run a full scan with Malwarebytes. (Malwarebytes' Anti-Malware -> Scanner -> Perform Full Scan -> Scan).

If the malware automatically launches on startup, you should restart the computer in safe mode and then start the Malwarebytes full scan.

Note what infected files were found (path, name of file, name of infection) in the ResNet Problem Report Form.

Remove all infected files that had been found.

If a file cannot be removed, note the file's entire path. Report the information to the Associate Director of Technology Support Services. She can forcibly remove the file if necessary. THIS STEP SHOULD NOT BE TAKEN CASUALLY! MISUSE CAN CAUSE SERIOUS DAMAGE TO A COMPUER!

Restart computer (in regular mode).
Run another scan (Malwarebytes' Anti-Malware -> Scanner -> Perform Quick Scan -> Scan).
The scan should complete with no additional infected files found. If infections are still found, please contact the Associate Director of Technology Support Services for further instructions. The computer is likely infected with a rootkit or something in the registry that is causing reinfection.
Install McAfee Bitdefender:
1. http://www.saintmarys.edu/virus
Restart the computer.

Part IV: MSCONFIG

RCCs need to be granted permission to use MSCONFIG on students' computers. If you believe you are ready to work with MSCONFIG, please talk to the Associate Director of Technology Support Services BEFORE you start to use it.

MSCONFIG is optional for RCCs, but I would strongly recommend becoming familiar with it because it can help with startup issues on Windows computers. Microsoft System Configuration Utility is a tool designed to help you troubleshoot problems with your computer. MSCONFIG allows you to edit your start-up applications, among other things. Viruses, spyware, and other malware may be configured to launch at startup, and viewing the startup items via MSCONFIG and turning off unnecessary items can speed up the startup time of the computer.

(Kathy Hausmann prefers to use MSCONFIG in safe mode, but that is not required.)

To launch MSCONFIG, click on the Start button, type msconfig in the Start Seach field, and hit Enter. (Click Continue if prompted.)

When the MSCONFIG window opens, click on the Startup tab.

Some good MSCONFIG rules of thumb:

If there is a blank line next to a checked box, uncheck the box. All legitimate items will be listed with a name in the Startup Item list.
You can uncheck any really obvious items that don't belong, such as "EZ Mo' Money Maker." If you have any doubts at all, don't uncheck it - it could be legitimate.
Toolbars that the student does not use (Google, Yahoo, AIM) should be unchecked. They may stay checked if a student finds them useful.
If you see items you know are legitimate programs such as MusicMatch Jukebox, you can ask the student if she uses the program. If she doesn't, you can uncheck the item from startup. (This doesn't delete the program if she decides later she wants to use it.)
bleepingcomputer.com and processlibrary.com and liutilities.com are helpful sites to confirm a file is msconfig is good or bad. If you Google a filename and your search did not match any documents (and you double-checked to make sure you were spelling it correctly), it is a pretty good bet that the file is not a good one to have checked.
If you have questions about items (especially if there is a lengthy list), please ask the Associate Director of Technology Support Services to review the computer's MSCONFIG with you.

When you're done, click Apply.

Click OK.

When prompted, restart the computer.

Part V: Cleanup Tools

Download and run AdwCleaner.

http://www.malwarebytes.com/adwcleaner/

When AdwCleaner has finished downloading, please double-click on the AdwCleaner.exe icon that now appears on your desktop. Once you double-click on the icon the AdwCleaner program will open and you will be presented with its start screen as shown below. If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.

Scan button in AdwCleaner. The program will now start to search for known adware programs that may be installed on your computer. When it has finished it will display all of the items it has found in Results section of the screen above. Please look through the results and try to determine if the programs that are listed contain ones that you do not want installed. If you find programs that you need to keep, then uncheck the entries associated with them.

For most people, the contents of the Results section may appear confusing or as gibberish. Unless you see a program name that you know should not be removed, please continue with the next step.

To remove the adware programs that were detected in the previous step, please click on the Cleanbutton on the AdwCleaner screen. AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.

Please click on the OK button to let AdwCleaner reboot your computer.
Let the computer reboot, log in as normal.

AdwCleaner will automatically open a log file that contains the files, registry keys, and programs that were removed from your computer. You can review this log file and then close the Notepad Window.
Download and run Shortcut Cleaner.

http://www.bleepingcomputer.com/download/shortcut-cleaner/

Once the program has been downloaded, please double-click on the sc-cleaner.exe icon that will now be on your desktop. If Windows prompts you as to whether or not you wish to run Shortcut Cleaner, please allow it to run. Once the program starts, it will scan your computer for hijacked shortcuts and clean them. When it has finished it will display a log file that contains a list of all Windows shortcuts that were hijacked and disinfected.
CCleaner: RCCs need to be granted permission to use CCleaner on students' computers. If you believe you are ready to work with CCleaner, please talk to Kathy Hausmann BEFORE you start to use it.

CCleaner, originally referred to as "Crap Cleaner," is a tool that can be used to remove unnecessary files on Windows computers. ResNet uses the Registry Cleaner - the tool removes old registry items left behind from installers, uninstallers, and deleted items. It is good housekeeping for computers, but should only be done by those familiar with the tool. Used incorrectly, it could prevent a computer from booting.

Part VI: "An ounce of prevention is worth a pound of cure."

Make sure there is a password on all computer accounts. Start -> Control Panel -> User Accounts. Make sure that every active account that appears says "Password protected" next to it. If you need to add a password, click on the account name, and add a password. Have the student enter her password twice as requested. She should not add a password hint.

Make sure the computer has all critical updates installed. To check, go to Start -> Control Panel -> Windows Update and check when updates were last installed and whether any additional updates are available. You can also check the Update History. If the computer has not been blocked, install available updates and make sure the computer is up-to-date and the student is aware that installing updates is important.

Make sure that Windows is set to automatically install new updates on a daily basis (time determined by student - it does not have to be the default of 3:00am, especially if she doesn't leave her computer on overnight).

Make sure the firewall is enabled for both the wired and wireless network.

Wired network: Start -> Control Panel -> (Classic View) -> Windows Firewall -> Change Settings -> Advanced tab -> Local Area Connection should be checked.
Wireless network: Start -> Control Panel -> (Classic View) -> Windows Firewall -> Change Settings -> Advanced tab -> Wireless Network Connection should be checked.
All connections in that windows should be checked.

If you can't enable the firewall, please let Kathy Hausmann know. There could be residual malware on the computer.

Check the Sharing Settings: Start -> Control Panel -> (Classic View) -> Network and Sharing Center.

These settings will provide a computer with the most network security.
1. Turn ON Network discovery (and make sure the computer is in the SMC Workgroup).
2. Turn OFF File sharing.
3. Turn OFF Public folder sharing.
4. The Printer sharing option can be on or off - it is the student's choice. If the student does not have a printer, the option should be turned off.
5. Turn ON Password protected sharing.
6. Turn OFF Media sharing.
Confirm the Computer Name and make sure it is studentusername-pc.
1. Click on the Start button in the lower left corner of your screen.
2. Move the mouse over Computer to highlight it, then click the right mouse button and select Properties.
3. In the Computer name, domain, and workgroup settings area of the window, click Change settings.
4. Click Continue if prompted.
5. In the Computer description box, type in studentusername-pc (e.g., msmith01-pc). (If a student has more than one PC on the network, they should be listed as -pc1 and -pc2.)
6. Click the Change... button.
7. In the Computer name box, type in studentusername-pc (e.g., msmith01-pc). (If a student has more than one PC on the network, they should be listed as -pc1 and -pc2.)
8. Click on the Workgroup radio button and type SMC (all capital letters) in the box.
9. Click OK.
10. Restart the computer when prompted.
Confirm that Bitdefender is installed. If you're working on a computer because of ANY virus and our software is not installed, INSTALL IT (http://www.saintmarys.edu/virus/). You may remove any existing anti-virus software on the computer. As a part of our ResNet policy, we don't care what anti-virus software is installed on a student's computer as long as it is working. Once the software fails and the computer is infected, the student's computer must have our software installed to have network access restored. If the student (or parent) has an issue with this policy, send them to me.

Update the ResNet Problem Report Form with what was done to the computer.

If the computer was not blocked from the network, the student can take it back to her room and connect it to the network.

Part V: If the computer has been blocked from the network:

E-mail Kathy Hausmann with a DETAILED description of viruses that were found, and the steps you followed on the computer. Based on your e-mail, Kathy will either re-enable the computer or require the student to bring it in for additional attention.

After Kathy has given the go-ahead, the student can physically reconnect her computer to the campus network. If a student reconnects her computer before the OK is given, it may be discovered that her computer is still missing critical patches and could become immediately re-infected simply by being connected to the network, and the process has to start over.

As soon as the computer has been re-enabled, the student needs to manually run Windows Update by visiting http://windowsupdate.microsoft.com from her computer and following the instructions.

Last Modified August 7, 2017