Stopping Malware
The spread of malware and trojans on the Internet has become a real problem. And, since I noticed there is a lot of misinformation on how best to handle it, this document is meant to cut through the emotional clutter and get to a procedure that actually works.
Hope it helps!
- Download, install (with no shortcuts) and run HijackThis (hijackthis.org) and remove all aberrant BHOs (browser helper objects).
- Check that %windir%\system32\drivers\etc\hosts hasn't been tampered with by malware (for example "??????" entries, or real domain names pointed at an address you don't recognise).
- Run cleanall.bat locally (or cleansrv.bat / cleanwks.bat to run it on a remote server or workstation).
- Run "delprof /q /I /d:7" to quietly delete profiles that haven't been used in the last 7 days, ignoring errors.
- Download and run ComboFix.
- Download, install (with no "Program Files", desktop or Start menu shortcuts) and run MalwareBytes (malwarebytes.org); run its update until it reports you have the latest definitions.
- Warn users about the reboot that is almost always required, and restart when they are ready.
- Rerun MalwareBytes just to be sure all is well.
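The hosts-file check in the second step is easy to automate. The script below is an added example, written in Python for this edit and not taken from the original write-up or its batch files. It parses a hosts file and flags the lines a practitioner would want to look at: update and anti-virus domains pinned to loopback (which silently blocks definition updates), those domains pointed at any other address (traffic hijacking), and hostnames containing characters that cannot appear in a valid name, which is what garbled "??????"-style entries look like. The list of protected domains, the sample hosts content and the default file path are assumptions; extend the list for your own environment.

```python
"""Audit a Windows hosts file for the kinds of entries malware adds.

Added example (not code from the original write-up).  Flags:
  * protected (update / anti-virus) domains mapped to loopback: blocks updates;
  * protected domains mapped anywhere else: traffic hijacking;
  * hostnames with characters that are invalid in a DNS name (garbled lines);
  * addresses that do not parse, or that carry no hostname at all.
"""
import ipaddress
import os
import re
from typing import List, Tuple

# Domains worth protecting; an assumption for this example, extend for your site.
PROTECTED_SUFFIXES = (
    "microsoft.com",      # covers windowsupdate.microsoft.com, update.microsoft.com
    "windowsupdate.com",
    "symantec.com",
    "mcafee.com",
    "malwarebytes.org",
    "hijackthis.org",
)

# One DNS label per RFC 952/1123 (underscore tolerated; it shows up on real intranets).
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9_-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*\.?$")

Finding = Tuple[int, str, str]  # (line number, reason, raw line)


def is_protected(name: str) -> bool:
    """True if name is one of the protected domains or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text: str) -> List[Finding]:
    """Scan hosts-file content and return one finding per suspicious entry."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, f"unparseable address {addr!r}", raw))
            continue
        if not names:
            findings.append((lineno, "address with no hostname", raw))
            continue
        for name in names:
            if not HOSTNAME_RE.match(name):
                findings.append((lineno, f"invalid hostname characters in {name!r}", raw))
            elif is_protected(name) and ip.is_loopback:
                findings.append((lineno, f"{name} pinned to loopback (blocks updates)", raw))
            elif is_protected(name):
                findings.append((lineno, f"{name} redirected to {addr}", raw))
    return findings


def audit_hosts_file(path: str = r"%SystemRoot%\System32\drivers\etc\hosts") -> List[Finding]:
    """Audit the live hosts file (default path is an assumption for this example).
    errors='replace' turns undecodable bytes into U+FFFD, which the hostname
    check then reports instead of silently skipping the line."""
    with open(os.path.expandvars(path), encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


# Constructed sample, not a real capture: a default XP hosts file with
# tampered lines appended.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        intranet.example.corp
127.0.0.1       www.symantec.com
127.0.0.1       liveupdate.symantec.com
203.0.113.9     windowsupdate.microsoft.com   # update traffic hijacked
198.51.100.7    www.malwarebytes.org
127.0.0.1       ??????
"""

if __name__ == "__main__":
    for lineno, reason, raw in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {reason}    [{raw.strip()}]")
```

Run it against the live file with audit_hosts_file() rather than eyeballing the file in Notepad: malware commonly pads the hosts file with hundreds of blank lines so the added entries sit far below the visible part, and the line numbers in the findings take you straight to them. If the file turns out to be read-only or hidden when you go to fix it, that is often the malware's doing as well.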
In the never ending fight to stop malware we all have our struggles. But the best defence is to make sure your users run with ordinary user permissions rather than as administrators, to run good anti-virus software (Symantec or Avert is recommended) that updates itself, and to keep your malware tools ready.
Report all malware URLs to your local ISP whenever possible.
Patrick James Burwell
Infrastructure Engineer
Parsippany, NJ
Cleanall.bat, cleansrv.bat and cleanwks.bat are attached and reproduced below.
Cleanall.bat:
@echo off
REM Cleanall.bat - wipe per-profile temp/cache data and leftover logs.
REM Assumes the Windows XP/2003 profile layout under Documents and Settings.
cd /D "%SystemDrive%\Documents and Settings"
REM -Clean Temp Folder- (files first, then any subfolders) for every profile
for /D %%a in (*.*) do DEL /F /Q "%%a\Local Settings\Temp\*.*"
for /D %%a in (*.*) do FOR /D %%b IN ("%%a\Local Settings\Temp\*.*") DO RMDIR /S /Q "%%b"
REM -Clean IE Cache-
for /D %%a in (*.*) do DEL /F /Q "%%a\Local Settings\Temporary Internet Files\*.*"
for /D %%a in (*.*) do FOR /D %%b IN ("%%a\Local Settings\Temporary Internet Files\*.*") DO RMDIR /S /Q "%%b"
REM -Clean Dr Watson Logs- (Dr Watson keeps one shared log under All Users, not per profile)
DEL /F /Q "%ALLUSERSPROFILE%\Application Data\Microsoft\Dr Watson\drwtsn32.log"
REM -Clean KB (hotfix install) Logs-
DEL /Q /S /F "%systemroot%\KB*.log"
REM -Clean SoftwareDistribution download cache-
REM Stop Windows Update first so it does not hold the files open, then restart it.
net stop wuauserv
DEL /Q /S /F "%windir%\SoftwareDistribution\Download\*.*"
net start wuauserv
Cleansrv.bat:
@echo off
REM Cleansrv.bat - push Cleanall.bat to one or more servers with PsExec.
REM Accepts a single \\server or an @file.txt listing one computer per line.
set /p server="What @file.txt or \\server to run Cleanall.bat on? : "
REM -c copies the batch file to the target, -d returns without waiting for it to finish.
psexec %server% -accepteula -c -d "\\%userdomain%\netlogon\cleanall.bat"
set server=
Cleanwks.bat:
@echo off
REM Cleanwks.bat - same as Cleansrv.bat but for workstations: runs Cleanall.bat
REM as SYSTEM (-s), authenticating as the current user (PsExec prompts for the password).
set /p system="What @file or \\system to run Cleanall.bat on? : "
psexec %system% -accepteula -d -s -c -u %userdomain%\%username% "\\%userdomain%\netlogon\cleanall.bat"
set system=