Once you have updated the virus definitions, follow these steps to clean the tracking cookie:
A. Stop the viral process, or boot the computer to a state where the process is not loading:
i. End the task - some threats may prevent this.
ii. Start Windows in Safe Mode or Safe Mode with Command Prompt.
iii. Newer versions of Symantec AntiVirus (version 10) and Symantec Endpoint Protection may be able to stop the process as part of a full system scan.
B. Remove the viral files:
i. Full system scan – Recommended
ii. Manually remove the files by finding and deleting them
iii. Check if there is a removal tool available for the particular threat variant.
C. Reverse the changes to system settings. It is important to undo the registry changes before rebooting the computer: many viruses change boot settings, and if those registry changes are not undone the user may be unable to log in once the virus is removed.
i. Undo Registry Changes
ii. Undo changes to the following files – if necessary:
1. hosts
2. win.ini
3. sfc.dll – may need to be replaced with a new copy
4. Anti-virus and Firewall programs – may need to be reinstalled.
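The two file checks in step C.ii.1 and C.ii.2 can be automated. The script below is an added example, not code from the original article or from Symantec: it reports hosts entries that redirect update or security-vendor sites (a common trick to keep a machine from getting new definitions) and any run= / load= lines in the [windows] section of win.ini, which older Windows versions honour as startup entries. The file contents, the watched-domain list and the hypothetical file name svch0st.exe are constructed for the demonstration; on a real machine the files are %SystemRoot%\system32\drivers\etc\hosts and %SystemRoot%\win.ini.

```python
"""Report hosts-file and win.ini changes typical of a virus infection.

Added example (not from the original article). Pass the two file paths on
the command line to check a real machine; without arguments the constructed
sample contents below are used.
"""
import sys

# Domains whose redirection is a strong indicator. Illustrative list only.
WATCHED_DOMAINS = {
    "windowsupdate.microsoft.com",
    "update.microsoft.com",
    "liveupdate.symantec.com",
    "symantec.com",
    "www.symantec.com",
}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: a hosts file with three tampered lines.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com      # added by the infection
127.0.0.1       windowsupdate.microsoft.com
198.51.100.7    www.symantec.com             # pinned to an attacker address
"""

# Constructed sample: win.ini with a run= startup entry (svch0st.exe is hypothetical).
SAMPLE_WIN_INI = """\
; for 16-bit app support
[fonts]
[extensions]
[Mail]
MAPI=1
[windows]
load=
run=C:\\WINDOWS\\system32\\svch0st.exe
"""


def suspicious_hosts_entries(text):
    """Return (ip, hostname, reason) tuples for hosts lines that look tampered."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            lname = name.lower()
            if lname in ("localhost", "localhost.localdomain") and ip in LOOPBACK:
                continue  # the standard entry shipped with Windows
            if ip in LOOPBACK:
                findings.append((ip, name, "name mapped to loopback (site unreachable)"))
            elif lname in WATCHED_DOMAINS or any(lname.endswith("." + d) for d in WATCHED_DOMAINS):
                findings.append((ip, name, "update/security domain pinned to a fixed address"))
    return findings


def win_ini_startup_entries(text):
    """Return non-empty run= and load= values from the [windows] section."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower() in ("run", "load") and value:
                entries[key.lower()] = value
    return entries


if __name__ == "__main__":
    if len(sys.argv) == 3:
        hosts_text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
        ini_text = open(sys.argv[2], encoding="utf-8", errors="replace").read()
    else:
        hosts_text, ini_text = SAMPLE_HOSTS, SAMPLE_WIN_INI
    for ip, name, reason in suspicious_hosts_entries(hosts_text):
        print(f"hosts: {ip:<15} {name:<35} {reason}")
    for key, value in win_ini_startup_entries(ini_text).items():
        print(f"win.ini [windows] {key}={value}")
```

Any line reported here should be compared against what the machine is supposed to contain before it is removed; a clean hosts file normally holds only the localhost entry, and a clean win.ini has empty or absent run= and load= lines.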
D. Reboot the computer into normal mode before connecting it back to the network, to confirm that no additional viruses are detected and that the cleaning was successful.
E. If a rootkit or backdoor is detected, it may be necessary to re-image the computer to ensure the security of the network.
Determine Infection Vector and Prevent Recurrence
This last step is often overlooked but may be considered the most important. Most network-wide infections use two methods to propagate:
A. Known vulnerabilities: These are generally OS vulnerabilities, but may also include other software vulnerabilities that allow code to be remotely executed on the computer.
B. Open Shares: Because viruses often load at startup, they may be running with the current user's credentials. This means that any share a user can reach without providing a username and password is vulnerable to this type of attack. This includes the Admin$ and IPC$ shares.
- To ensure the security of the network going forward, the Administrator password may need to be changed to a new “strong” password.
- Only after computers are patched and cleaned should they be reintroduced to the production network.