All that is wrong with the world…

October 19, 2009

Guide to detecting and removing malware

Introduction

Many people make posts wondering whether they are infected with a virus or some other kind of malware, or whether some unauthorized software is running without their permission, and how to get rid of it and regain control over their PC. My goal with this text is to list many of the basic techniques, and places to obtain software, to help people work out whether they are infected and have a go at removing malicious software themselves. Failing that, when they post in a forum, the people trying to help them will know they may have tried the techniques in this text, or can direct them to it. Additionally, tools and instructions for collecting relevant information when posting a question are provided. I will try to keep this entry updated as techniques change and tools are replaced or updated. The techniques and tools listed should be valid for any version of Windows from XP onwards.

Overview

Malware can be one of the most frustrating, confusing and dangerous things to plague less experienced computer users. Quite often they may not realize that they are infected, may wonder why their computer is suddenly acting a lot slower, or may simply want peace of mind. The first thing to remember is that if any malware is detected, DON’T PANIC. All malware can be removed and contained without risk to your data or to other computer users. You will likely never have to resort to a format and reinstall to restore your PC, and in some cases this would not be effective.

The first steps are to use the tools and instructions contained in this guide to identify the malware, then go about removing it and repairing any collateral damage. More often than not, either one of the listed AVs or one of the listed anti-malware tools will be able to safely remove the malware. The AVs I have recommended are both completely free for home use, have very high detection rates, and a very low performance impact. I understand AVG is popular with a lot of people; however, it should be removed immediately. It is inefficient and somewhat untrustworthy, and will only lead to a false sense of security.

The anti-malware tools I have suggested will scan for and detect malware that most AV software will generally not detect, nor is designed to. This includes software such as browser toolbars, adware programs, updaters for certain browsers, etc.

Tools to assist in detection and removal

Each of the following is completely free and valuable to have. If I refer to a tool below, you can obtain it from the direct link in this list. Alternatively, you may wish to keep some software, such as an AV, permanently installed.

Malwarebytes Anti-Malware

Sysinternals Utilities

Spybot Search & Destroy

Avira AntiVir Free Version

avast! antivirus Home Edition

Microsoft Security Essentials

HijackThis

Restore Safe Mode

First steps

Step 1: The very first step you can try is to use System Restore. If you have System Restore enabled, Windows can be restored to a known good point from before you were infected. You can then use the following steps to verify that your install is clean, and follow the instructions in the Good Practices section to make sure you stay clean.

Step 2: The next step is to install and run an AV scan, if you have not done so already. If you don’t already have an AV installed, I recommend Avira, for the reasons mentioned above. You can set Avira to do a boot-time scan, which will be able to scan certain files that the malware may block access to while Windows is running. If anything is found, you can safely delete and/or quarantine the file, which should keep the malware under control.

Step 3: You can then download and install Malwarebytes Anti-Malware, which is linked above. Run the scan, which is a bit lengthy; if anything is present, Malwarebytes will likely detect it. If it does not, and you are still sure that you are infected, you can install and run Spybot S&D, which may detect some things Malwarebytes missed.

Step 4: If nothing is detected, and you are still certain you have malware on your machine, then one of the best things to do is to look for some telltale signs. You should look for any processes running that should not normally be running. Google each process if you are unsure or don’t recognise it. Many malware executables like to take the name of something that seems official, such as update.exe, so make sure you verify that a file with an official name is running from the right path. To check processes, I recommend using Process Explorer from the Sysinternals tools linked above, which may reveal some processes hidden from Task Manager.

Step 5: Another basic step you can take is to inspect the Windows hosts file. The hosts file is used to resolve hostnames to IP addresses without using the DNS system, and it overrides any DNS query for a name it contains. This means malware can make a legitimate name, say microsoft.com, resolve to a malicious IP address. The Windows hosts file is located in \Windows\system32\drivers\etc\ and is called hosts, without a file extension. By default its only content should be an entry for 127.0.0.1, the local interface, or two entries if you are using Vista or later. If you have used anti-malware software, there may be additional entries added as a countermeasure to prevent malicious sites from being contacted. If there are entries for well known or good sites such as microsoft.com, mcafee.com or similar, then this may be a sign of infection. If you have not used an anti-malware program that manages your hosts file, you can delete these and similar entries, leaving only the entry for 127.0.0.1. If you are unsure, you can ask for clarification in this forum.
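A small Python script to audit a hosts file along the lines of Step 5, added here as an example and not part of the original guide: it skips comments, treats the default localhost entries as normal, treats loopback or 0.0.0.0 sinkhole entries for unknown names as probable anti-malware countermeasures, and flags any entry for a well-known vendor or update domain, or any redirect to a real address, as suspicious. SAMPLE_HOSTS and the WELL_KNOWN domain list are constructed assumptions; on a real machine, read the contents of \Windows\system32\drivers\etc\hosts instead.

```python
import ipaddress

# Default hosts entries: one loopback line on XP, two on Vista and later.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Addresses anti-malware tools point bad sites at so they cannot be reached.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}
# Vendor/update domains a home hosts file should never override (assumed list).
WELL_KNOWN = ("microsoft.com", "windowsupdate.com", "mcafee.com",
              "avira.com", "avast.com", "malwarebytes.com")

# Constructed sample standing in for \Windows\system32\drivers\etc\hosts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.tracker.example   # sinkhole added by an anti-malware tool
203.0.113.45    microsoft.com www.microsoft.com
0.0.0.0         mcafee.com
198.51.100.7    www.example.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address: malformed line
        entries.extend((ip, n.lower()) for n in names)
    return entries


def audit_hosts(text):
    """Label each entry 'default', 'sinkhole' (review) or 'suspicious'."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            verdict = "default"
        elif any(name == d or name.endswith("." + d) for d in WELL_KNOWN):
            verdict = "suspicious"  # vendor/update site hijacked or blocked
        elif ip in SINKHOLES:
            verdict = "sinkhole"    # probably an anti-malware countermeasure
        else:
            verdict = "suspicious"  # real site redirected to another address
        findings.append((ip, name, verdict))
    return findings
```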

Step 6: If you are using Internet Explorer 7 or above, you can run Internet Explorer in protected mode (right click, and Start in Protected mode), which will prevent any add-ons from loading. This will allow you to see whether the problem is isolated to Internet Explorer or not. If it is, you can go into the add-ons section and disable or remove any add-ons that are unknown to you or that are unnecessary, then re-enable any you want to keep one at a time to isolate which one is causing the problem.

Step 7: If you have a particular file that you think may be malware, or you have an infection but are not able to reliably identify it, then you can submit the file to either VirusTotal or Jotti’s Malware Scan, which will give a reliable identification by scanning the file with several (30 or more) AV products. Once you have identified your malware, or if one of the anti-malware programs identified the malware but was unable to remove it, a quick search on Google should produce detailed instructions or a tool for removing that specific malware.

Step 8: You can also prevent unknown software from loading at startup. To do this, I recommend the Autoruns tool from the Sysinternals tools linked above. This tool will allow you to disable any processes, registry entries, DLLs etc. that run at startup, so you will be able to isolate the issue. Once you have isolated a troublesome entry, you can take appropriate action, such as submitting the file to VirusTotal, or simply deleting it.

Step 9: If some of the techniques listed above are not working, then you should attempt them in Safe Mode. Safe Mode should prevent the malware from loading, and will give you a better chance to remove it. Some malware will disable the option to boot into Safe Mode, in which case you can use the registry fix linked above (Restore Safe Mode) to restore the option to enter Safe Mode.

Step 10: If you have trouble ending a process or deleting a file that you suspect is malicious, then you can use the Handle tool from the Sysinternals utilities linked above. Handle will allow you to list and close the file handles a particular process has open, allowing you to then end the process. Alternatively, if you have found a suspicious file, you can see the name of the process that has a handle to that file and end it.

Good practices

There are several good practices you can follow which are quite simple, require minimal effort, and will greatly reduce the risk of reinfection. The first is to use a secure browser. This basically means Firefox with the latest updates, or Internet Explorer 7 or 8. Any plugins you have installed should also be kept up to date.

You can also turn on the display of file extensions and hidden files in Explorer. This will allow you to recognize suspicious files a lot quicker.

Stay Updated

Vulnerabilities in software are one of, if not the, main avenue of attack by which malware gets installed. This can include files being placed on your computer after visiting a website with an insecure browser, by exploiting a browser plugin such as Flash, or by exploiting a vulnerability in Windows itself. Indeed, web browsers and Adobe products are the major avenue of attack these days. Generally, as a home user, there is no reason you should not be fully updated at all times. This is the best approach to preventing infection or installation of malware, and in some cases it will fix an existing problem. It will certainly prevent the same problem from recurring. Most programs have a facility to update automatically. If you don’t want to enable this, then you should check the manufacturer’s website semi-regularly to keep a lookout for new versions.

Use Antivirus

If you have any doubts about your ability to detect malware at all, then you should definitely be running an AV. AVs have come a very long way, are lightweight and non-intrusive, and can detect many types of known malware and remove it. The best AV for consumers is currently either Avira AntiVir or Microsoft Security Essentials, both of which will run unobtrusively in the system tray. Avira is more configurable, although it has ad popups; a quick Google for “avira disable ads” will show how to remove these. Second to Avira/MSE is avast!, which has a slightly lower detection rate but is more configurable and just as fast. avast! requires registration, but is then free to use at home. Running an AV is an important step because, aside from protecting yourself from unknown risks, you help to protect other users by being prevented from forwarding malicious files.

Backup any important files

This goes without saying. You should always regularly back up your files, so that in the event you are infected you can be sure that nothing valuable is lost. Personally, I just organise my files into directories and copy them to a hard drive or DVD disc. If this does not work for you, then there are many other approaches, and many other atomicans will be able to recommend a suitable backup program and/or approach.

Posting a question

If you were unsuccessful after following the above steps, or need help at any point along the way, then feel free to make a post asking for help. To make it easier for people to answer your question and provide the help you seek, a few basic steps can be followed to make this process as painless as possible. Some of the things you should include when asking for help are:

  • The version of Windows you are using, including any service packs
  • Any recent changes or software that has been installed
  • Whether or not you are up to date with security patches
  • Which, if any, of the above steps you have tried.

After this, you should post the complete log produced by running HijackThis within code tags. You can select the text within the post box and click the rightmost icon that looks like a scroll to enclose the text in code tags. This will then preserve the formatting and make the log easier to read. Above all else, it is important to be courteous in your post, and to indicate that you have made some effort, even if you don’t completely understand the problem.

I hope that this has been a helpful and informative post. If you liked it, or have some suggestions or feedback, please feel free to leave a comment. I plan on expanding it at a later point, or perhaps following up with a subsequent post to explain how to use System File Checking in Windows, and how to check for and remove rootkits.

1 Comment »

  1. I use AVG Pro and it will pick up items repeatedly that I know are not viruses. I was wondering if there is any way to tell the program to ignore such in future followup scans?

    Comment by Claude Chepil — March 17, 2012 @ 12:48 pm

