TheSecret

Guide to detecting and removing malware


Introduction

 

Many atomicans post in here wondering if they are infected, if they have some unauthorised software running without their permission or not, and how to get rid of it and regain control over their PC. It is my goal with this thread to list many of the basic techniques, and places to obtain software, to help people work out if they are infected, and have a go at removing malicious software themselves. Failing that, when they post in this forum, the people trying to help them will know they may have tried the techniques in this thread, or can direct them to it. Additionally, tools and instructions to collect relevant information when posting a question are provided. I will try to keep this thread updated as techniques change and tools become replaced or updated. The techniques and tools listed should be valid for any version of Windows after and including XP.

 

Overview

 

Malware can be one of the most frustrating, confusing and dangerous things to plague less experienced computer users. Quite often they may not realise that they are infected, may wonder why their computer is suddenly acting a lot slower, or may simply want to have peace of mind. The first thing to remember is that if any malware is detected, DON'T PANIC. All malware can be removed, and can be contained, without risk to your data, or other computer users. You will likely never have to resort to a format and reinstall to restore your PC, and in some cases this would not be effective.

 

The first steps are to use the tools and instructions contained in the guide to identify the malware, and then go about removing it and repairing any collateral damage. More often than not, either one of the listed AV's or one of the listed anti-malware tools will be able to safely remove the malware. The AV's I have recommended are both completely free for home use, have very high detection rates, and a very low performance impact. I understand AVG is popular with a lot of people, however this should be removed immediately. It is inefficient, and somewhat untrustworthy, and will only lead to a false sense of security.

 

The anti-malware tools I have suggested will scan and detect malware that most AV software will generally not detect, nor is it designed to. This includes software such as browser toolbars, adware programs and updaters for certain browsers etc.

 

Tools to assist in detection and removal

 

Each of the following are completely free, and valuable to have. If I refer to a tool below, then you can obtain it from the direct link in this list. Alternatively, you may wish to keep some software, such as an AV permanently installed.

 

Malwarebytes Anti-Malware

 

Sysinternals Utilities

 

Spybot Search & Destroy

 

Avira AntiVir Free Version

 

avast! antivirus Home Edition

 

HijackThis

 

Restore Safe Mode

 

First steps

 

Step 1: The very first step you can try, is to use System Restore. If you have System Restore enabled, Windows will be restored to a known good point, before you were infected. You can then use the following steps to verify that your install is clean, and follow the instructions in the Good Practices section to make sure you stay clean.

 

Step 2: The next step is to install and run an AV scan, if you have not done so already. If you don't already have an AV installed, I recommend Avira, for the reasons mentioned above. You can set Avira to do a boottime scan, which will be able to scan certain files that the malware may block access to when Windows is running. If anything is found, you can safely delete and/or quarantine the file, which should keep malware under control.

 

Step 3: You can then download and install Malwarebytes anti-malware, which is linked above. You can run the scan, which is a bit lengthy, and if you have anything Malwarebytes will likely detect it. If it does not, and you are still sure that you are infected, you can install and run Spybot S&D, which may detect somethings Malwarebytes missed.

 

Step 4: If nothing is detected, and you are still certain you have malware on your machine, then one of the best things to do is to look for some telltale signs. You should look for any processes running that should not normally be running. Google each process if you are unsure or don't recognise it. Many malware executables like to take the name of something that seems official, such as update.exe, so make sure you verify that a file with an official name is running from the right path. To check processes, I recommend using Process Explorer from the Sysinternals tools linked above, which may detect some processes hidden from Task Manager.

 

Step 5: Another basic step you can take is to inspect the Windows hosts file. The Windows hosts file is used to resolve hostnames to IP addresses without using the DNS system, and it overrides any DNS queries. This means malware may make a name such as microsoft.com resolve to a malicious IP. The Windows hosts file is located in \Windows\system32\drivers\etc\, and is called hosts, without a file extension. The only content by default should be an entry for 127.0.0.1, the local interface, or two entries if you are using Vista or later. If you have used anti-malware software, there may be additional entries added as a countermeasure to prevent malicious sites from being contacted. If there are entries for well known or good sites such as microsoft.com, mcafee.com or similar, then this may be a sign of infection. You can delete these and similar entries from this file, aside from the entry for 127.0.0.1, if you have not used a malware program to aid with your hosts file. If you are unsure, you can ask for clarification in this forum.

 

Step 6: If you are using Internet Explorer 7 or above, you can run Internet Explorer in protected mode (right click, and Start in Protected mode), which will prevent any addons from loading. This will then allow you to see if the problem is isolated to Internet Explorer or not. If the problem is isolated to Internet Explorer, you can go into the addons section, and disable or remove any addons that are unknown to you, or that are unnecessary. Re-enable any you want to keep one at a time to isolate which one is causing the problem.

 

Step 7: If you have a particular file that you think may be malware, or you have an infection but are not able to reliably detect what it is, then you can submit the file to the VirusTotal webpage, which will give a reliable identification. Once you have identified your malware, or if one of the anti-malware programs identified but was unable to remove the malware, a quick search on Google should produce detailed instructions or a tool for removing the malware.

 

Step 8: You can also prevent unknown software from loading at startup. To do this, I recommend the Autoruns tool from the Sysinternals tools linked above. This tool will allow you to disable any processes, registry entries, DLL's etc that run at startup, so you will be able to isolate the issue. Once you have isolated a troublesome entry, you can take appropriate action, such as submitting it to VirusTotal, or simply deleting the file.

 

Step 9: If some of the techniques listed above are not working, then you should attempt to do them in safe mode. Safe mode should prevent the malware from loading, and will give you a better chance to remove it. Some malware will disable the option to boot into safe mode, in which case you can use the registry fix above to restore the option to enter into safe mode.

 

Step 10: If you have trouble ending a process or deleting a file that you suspect is malicious, then you can use the Handle tool, from the Sysinternals utilities linked above. The Handle tool will allow you to list and close the file handles a particular process has open, allowing you to then close the process. Alternatively, if you have found a suspicious file, you can see the name of the process that has a handle to that file to end it.

 

Finally, if none of the above techniques worked, or you had trouble at a certain point, feel free to post in the forum :)

 

Good practices

 

There are several good practices you can follow, which are quite simple, require minimum effort, and will greatly reduce the risk of reinfection. The first is to use a secure browser. This basically means Firefox with latest updates, or Internet Explorer 7 or 8. Any plugins you have installed should also be updated.

 

You can also do things like turn on file extensions and hidden files. This will allow you to recognise suspicious files a lot quicker.

 

Stay Updated

 

Vulnerabilities in software are one of, if not the main, avenues of attack for malware to install. This can include placing files on your computer after visiting a website with an insecure browser, by exploiting a browser plugin such as Flash, or exploiting a vulnerability in Windows itself. Indeed, web browsers and Adobe products are the major avenue of attacks these days. Generally, as a home user, there is no reason you should not be updated at all times. This is the best approach to prevent infection/installation of malware, and in some cases will fix an existing problem. It will certainly prevent the same problem from recurring. Generally, most programs have a facility to update automatically. If you don't want to enable this, then you should check the manufacturer's website semi-regularly to keep a lookout for new versions.

 

Use Antivirus

 

If you have any doubts about your ability to detect malware at all, then you should definitely be running an AV. AV's have come a very long way, are lightweight and non intrusive, and can detect many types of known malware and remove it. The best AV for consumers is currently Avira AntiVir, which will run unobtrusively in the system tray. There are actually ad popups, but a quick google for "avira disable ads" can show how to remove these. Second to Avira is avast!, which has a slightly lower detection rate, but is more configurable, and just as fast. avast! requires registration, but is then free to use at home. Running an AV is an important step, because aside from protecting yourself from unknown risks, you can help to protect other users by being prevented from forwarding malicious files.

 

Backup any important files

 

This goes without saying. You should always regularly back up your files, so in the event you are infected, you can be sure that nothing valuable is lost. Personally, I just organise my files into directories and copy to a hard drive or DVD disc. If this does not work for you, then there are many other approaches, and many other atomicans will be able to recommend you a suitable backup program and/or approach.

 

Posting a question

 

If you were unsuccessful after following the above steps, or need help at any point along the way, then feel free to post in these forums. To make it easier for people to answer your question and provide the help you seek, a few basic steps can be followed to make this process as painless as possible. Some of the things that you should include when asking for help are:

 

  • The version of Windows you are using, including any service packs
  • Any recent changes or software that has been installed
  • Whether or not you are up to date with security patches
  • What, if any of the above steps you have tried.

After this, you should post the complete log produced by running HijackThis within code tags. You can select the text within the post box, and click the rightmost icon that looks like a scroll, to enclose text in code tags. This will then preserve the formatting, and make the log easier to read. Above all else, it is important to be courteous in your post, and to indicate that you have made some effort, even if you don't completely understand the problem.

Edited by TheSecret

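Step 5 above tells you what a clean hosts file looks like and Catmosphere's question further down raises the obvious complication: immunisation tools such as Spybot also write entries, all pointing at 127.0.0.1, so "more than one line" is not by itself a sign of trouble. The check that actually separates the two cases is which names are mapped and where they go. The script below is an added example for this thread, not part of the original post and not a Spybot or Microsoft tool. The hosts content it ships with is constructed for the demonstration, and the PROTECTED_DOMAINS list is an illustrative assumption you would extend; on a Windows machine it reads the real file from %SystemRoot%\System32\drivers\etc\hosts instead.

```python
"""Audit a Windows hosts file for the signs described in Step 5.

Added example for this thread; not part of the original post and not a
Spybot or Microsoft tool. SAMPLE_HOSTS is constructed and PROTECTED_DOMAINS
is an illustrative assumption, not an authoritative list.
"""
import ipaddress
import os
import re
from typing import Dict, List, Tuple

Entry = Tuple[int, str, str]  # (line number, ip, hostname)

# Addresses that point at the local machine or nowhere at all. A name mapped
# here is blocked (sinkholed) rather than sent to a third party.
NULL_OR_LOOPBACK = {"0.0.0.0", "::", "::1"}

# Assumption: a short list of sites a home PC must always be able to reach
# (vendor, update and AV domains). Extend it to suit your own software.
PROTECTED_DOMAINS = {
    "microsoft.com", "windowsupdate.com", "mcafee.com", "symantec.com",
    "avira.com", "avast.com", "malwarebytes.org", "virustotal.com",
}


def is_local(ip: str) -> bool:
    """True for loopback and null addresses (any 127.x.x.x, ::1, 0.0.0.0, ::)."""
    if ip in NULL_OR_LOOPBACK:
        return True
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def parse_hosts(text: str) -> List[Entry]:
    """Return every active (line, ip, name) mapping. '#' starts a comment and
    one IP may be followed by several hostnames on the same line."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        for name in names:
            entries.append((lineno, ip, name.lower().rstrip(".")))
    return entries


def is_protected(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def audit_hosts(text: str) -> Dict[str, List[Entry]]:
    """Sort mappings into four buckets:
    default  - localhost -> loopback (the only lines a clean file needs)
    sinkhole - some other name -> loopback/null: what immunisation tools
               write; harmless as long as the names are not ones you need
    blocked  - a protected domain -> loopback/null: malware stopping updates
               or AV downloads; looks like a sinkhole but on the wrong names
    redirect - any name -> a real address: a hijack candidate, check each one
    """
    report: Dict[str, List[Entry]] = {"default": [], "sinkhole": [], "blocked": [], "redirect": []}
    for entry in parse_hosts(text):
        _, ip, host = entry
        if host == "localhost" and is_local(ip):
            report["default"].append(entry)
        elif is_local(ip):
            report["blocked" if is_protected(host) else "sinkhole"].append(entry)
        else:
            report["redirect"].append(entry)
    return report


# Constructed sample: the two default lines, two immunisation-style
# sinkholes, then the kind of lines an infection leaves behind.
SAMPLE_HOSTS = """\
# Constructed sample for this example
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example            # immunisation-style sinkhole
0.0.0.0         tracker.example
127.0.0.1       update.microsoft.com windowsupdate.microsoft.com
198.51.100.23   www.mcafee.com
203.0.113.9     my-bank.example
"""


def windows_hosts_path() -> str:
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


if __name__ == "__main__":
    path = windows_hosts_path()
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS  # not on Windows: demonstrate on the constructed sample
    for bucket, entries in audit_hosts(text).items():
        for lineno, ip, host in entries:
            print(f"{bucket:8} line {lineno:3}: {ip:15} {host}")
```

Anything in the "blocked" or "redirect" buckets is what the guide is warning about; "sinkhole" lines are the Spybot case and can stay unless you never asked a tool to write them.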

BAM!

Awesome work there, so it's stickied.

 

 

(And it's also nice to see some of the old 'howto' threads making a slow come back)


Nice work mate - and a great tip hidden in there about how to hide the popup ad after updating avira free edition. Thanks a lot.

Edited by discoInferno


Step 5&6 should be together shouldn't they? Also you state that there should only be one entry in the hosts file - but Spybot puts in a bunch for things - are you recommending against this Spybot proactive protection?


Updated

 

Thanks Catmosphere, good points.

 

I'm not sure why I kept those points as separate at the time, however I have merged them now.

 

Spybot only puts things into the hosts file if you tell it to, and the guide is assuming that people have not done this in order to try and remain as generic as possible, however I have now mentioned additional entries placed by malware prevention programs as a possibility.

Edited by TheSecret


Spybot redirects malicious sites to 127.0.0.1 anyway, so it's fine.

 

Yes but a point of explanation would help. :) I looked at all of these scary sites and went "eek!" and then realised what 127.0.0.1 was and was cool...


An EXCELLENT piece of work, congratulations!

I'm currently dealing with a mongrel which stops just about anything you've listed!

Even Taskmgr.exe is stopped. No error messages, just nothing happens. AV software and services are stopped and blocked. Changing the filename enables the sw to run, but most of the current systems are so modular that the actual scanning part of the package is not in the UI and won't launch by itself...

Downloading on-line scanners works - until you try to run them. Processmonitor won't unzip... Ditto HijackThis.

Transferred drive to another machine! Scanned with utd AVG Free 8.5 - nothing found after 3.5 hours! Now running Trend Micro System Cleaner over the sucker. Original machine running Vista from the infected drive, Current machine running XP Pro SP3 with utd updates and patches.

 

No obvious odd processes or services noted, nothing bizarre in registry ...currentversion\run in either HKCU or HKLM. Searched drive for instances of taskmgr in ANY files, returned only taskmgr.exe. Searched registry ditto - nothing odd.

 

I'll let you know.


My cynical 0.02c:

 

From my experience in the industry, there is nothing that will fully patch up the damage given to you by viruses/malware/etcware. No matter how well you think you've removed this, there will _always_ be remnants of the damage, whether they be registry changes, holes poked open in your windows install, or executables that have been modified without your detection.

 

The only way to 100% free yourself from the damages of malware/blahblahblahware is to rebuild the system. I know I'll be shot down for this but from my experience this is the truth, and while it's a little more effort to rebuild, you start with a fresh machine. Always a relieving feel when you sit down and see that beautiful bliss.jpg staring you in the face.


You can always fix a system. Advanced users can bring their install back to 100% if they know what they are doing.

 

 

For the less advanced a rebuild is a good option. I always prefer to fix something though instead of just formatting a PC. Otherwise I will be like the millions of so called technicians that just format after the smallest infection and not learn anything from the experience.


You can always fix a system. Advanced users can bring their install back to 100% if they know what they are doing.

 

 

For the less advanced a rebuild is a good option. I always prefer to fix something though instead of just formatting a PC. Otherwise I will be like the millions of so called technicians that just format after the smallest infection and not learn anything from the experience.

My sincerest apologies. Remind me again how you confirm that a machine is 100% healthy?

 

[apologise -> apologies]

Edited by chrisbrownie


You don't but if everything works and you no longer have any issues then who cares.

 

Soz bro we should all just format our computers eh.


Just came across something eerily familiar.

all that is wrong with the world

 

Is it your site?

or

Or was this just a quick copy and paste?

look at the dates buddy. And considering this was copied from a V2 thread from 2008 it's sure to be a copy and paste.

 

 

haha! I think that is actually thesecret OP of this thread.

Edited by mudg3


Just came across something eerily familiar.

all that is wrong with the world

 

Is it your site?

or

Or was this just a quick copy and paste?

look at the dates buddy. And considering this was copied from a V2 thread from 2008 it's sure to be a copy and paste.

 

 

haha! I think that is actually thesecret OP of this thread.

 

I did look at the dates buddy and that is why I asked.

I was wondering if it was not the OP's site or had someone just copied someone elses work without any recognition.

Did not mean to imply the copying was on the OP's part (my usual poor wording).


This thread is rather old and very outdated, good idea to maybe make a new one that is current and a lot more effective. Half the tools and advice actually have a detrimental effect rather than positive.


Well, my current run at these sort of things generally goes something like this:

 

Download CCleaner Slim, MBAM & Updates, Super Anti-Spyware Portable, Dr Web Cure It, rkill.com, hostsperm and the appropriate replacement hosts file (WinXP, WinVista, Win7).

 

If you can't download them on the PC that's infected, download them on another PC and throw them on a USB drive or CD. For the MBAM updates you can install MBAM on that other PC then copy the rules.ref file from:

WinVista/7: C:\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware

WinXP: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware

 

1. Boot the PC in to Safe Mode (no networking) and log in to an Administrator account.

2. Run rkill.com.

3. Install CCleaner and run a clean. If you've got more than one account on the computer this might be a waste of time as it only removes the internet temp files for the account it's run on and the sole purpose of running this clean is to reduce the scan times of the following programs.

4. Install MBAM, update (using the rules.ref you should have), and run and let it remove things. If it wants you to restart at the end, don't bother for now.

5. Run Super Anti Spyware Portable.

6. Run Dr Cure It.

7. Run hostsperm.bat.

8. Replace the system's hosts file with the one you downloaded. (location is C:\Windows\system32\drivers\etc on XP/Vista/7).

9. Restart into normal mode.

 

That'll take care of most things. If it doesn't, then you should follow the guide here and ask for help there, 'cause this forum isn't good for posting big logs. You do need an account on that website to view that guide. If you can't be bothered waiting, you can also try ComboFix if you're willing to take on the risk it does more harm than good.

 

Frankly, if you need this guide to try and remove malware and the above steps don't work your best bet is to wait 2-3 days, get the updated versions of the programs/defs and try again. The extra stuff is a matter of experience and waiting for responses on forums, so just waiting for MBAM or the like to get onto it is probably the way to go :P

 

It's also worthwhile running through Secunia PSI to plug up security holes.

Edited by tantryl


This thread is rather old and very outdated, good idea to maybe make a new one that is current and a lot more effective. Half the tools and advice actually have a detrimental effect rather than positive.

 

Go for it then.
