Uh oh - I've got malware on my system that my Antivirus program won't kill! What now?

THE most annoying thing about getting this stuff is how hard it is to remove. I have been very successful in cleaning systems of malware, so I figured it was time to share. :)

According to Wikipedia, the term 'Malware' is defined as:

Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. It is a portmanteau of the words "malicious" and "software". The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.
...Software is considered malware based on the perceived intent of the creator rather than any particular features. It includes computer viruses, worms, trojan horses, spyware, dishonest adware, and other malicious and unwanted software. In law, malware is sometimes known as a computer contaminant, for instance in the legal codes of California, West Virginia, and several other U.S. states.
Malware should not be confused with defective software, that is, software which has a legitimate purpose but contains harmful bugs.
Here is a list of useful tips I've used, compiled, or discovered over the years and that I go by when trying to clean my system. Some are snippets of info I gleaned from Mark Russinovich's presentation (linked at the end of the post):
Disclaimer: I do not take responsibility for the results of your actions on your PC. Always have a backup of your system before trying any of these steps. If you don't know or are unsure of what you are doing, contact a professional to assist you!
If you find a suspicious file, always research it first before deleting!
- Disconnect from the network. This will prevent the malware/virus from downloading more malicious code from a website or other location.

- Safe Mode is your friend. When cleaning up malware or viruses, this is probably the best place to start. Boot up your computer in Safe Mode and try some of the other steps listed below.
- Delete your temp files ('Start' > 'Run' > "%temp%"), and do the same for your Temporary Internet Files. Empty the recycle bin. Disable System Restore - viruses love to hang out there, and darn it, System Restore really isn't that handy.
- Use tools like Avast!, Panda Antirootkit and Spyware Terminator to assist you with system cleanup. If your AV allows it, configure it to run a complete AV scan at boot, and also during idle time (i.e. your screensaver - Avast! does allow this).
- Typically, malware executables like to reside in the following locations (physically), because no special paths need to be set up to run them:
  - Windows folder
  - Windows\System32 folder
  - Temporary folder (get to it by typing %temp% at your run prompt)
  - Temporary Internet Files folder
  - Default user profile folder (i.e. the 'Startup' folder)
  - System Volume Information folder
  - Common files folder (Program Files\Common Files)
- If you think you have some hidden processes running (i.e. rootkit), try connecting to the computer's c$ share and deleting it from a secured workstation - of course, using an isolated hub/networked connection. Also, try using Rootkit detection programs to discover and remove these if you don't have any other workstations...the previously mentioned Panda Anti-Rootkit works wonderfully.
- Use a bootable CD solution like BartPE to boot from a non-writable volume. Clean up files on the hard disk using the included utilities (Use the included A43 File Management tool, for example).
- In Windows, run sigcheck -e -u -s c:\ (executable images only, unsigned files only, recurse subdirectories) to check for files without signatures.
- This one requires some knowledge of how the Windows system32 folder is constructed (and what files look legit or not). If you check this folder and set your Explorer view to 'Details', you'll notice that most of your files are dated at least a year old (typically older, since this is when many of the Windows files were compiled originally). However, if you are indeed infected and you sort the files by date, showing newest files first, suspicious entries will start to show themselves (since they usually are copied to your system32 folder most recently). This can be of great help when you want to track down that tricky malware.
- When browsing your folders for malicious files, set your Explorer view to 'Details', and enable the 'Company' column. Typically, suspicious files have no company name associated with them. This can raise a red flag (.dll, .ocx, .exe files only). Again, research the file before you delete/rename!
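The three folder-triage tips above (unsigned files, newest files first, and the 'Company' column) can be combined into one pass. The script below is an added example, not code from the original post or from Sysinternals; it assumes Windows PowerShell 3.0 or later (for the -File switch) with the built-in Get-AuthenticodeSignature cmdlet, and the $Path and $Days defaults are illustrative values chosen here. Run it from an elevated prompt, and as the tips say, research anything it lists before deleting or renaming.

```powershell
# Added example (not from the original post): list recently written
# EXE/DLL/OCX files under a folder, newest first, and flag the ones the
# tips call red flags - no valid Authenticode signature, or no company
# name in the file's version resource.
# Assumptions: Windows PowerShell 3.0+; $Path and $Days are illustrative.
param(
    [string]$Path = "$env:SystemRoot\System32",
    [int]$Days = 30
)

$cutoff = (Get-Date).AddDays(-$Days)

Get-ChildItem -Path $Path -File -Include *.exe,*.dll,*.ocx -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        # Status is 'Valid' for a trusted signature, 'NotSigned' for no
        # signature at all, and other values for broken or untrusted chains.
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            LastWriteTime = $_.LastWriteTime
            Name          = $_.Name
            Company       = $_.VersionInfo.CompanyName
            Signature     = $sig.Status
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            FullName      = $_.FullName
        }
    } |
    Sort-Object LastWriteTime -Descending |
    Where-Object {
        # Keep only the entries worth a closer look: unsigned, or no company name.
        $_.Signature -ne 'Valid' -or [string]::IsNullOrWhiteSpace($_.Company)
    } |
    Format-Table -AutoSize
```

The date filter mirrors the 'sort by date, newest first' tip, and the final Where-Object applies the 'no signature' and 'no company name' checks together; a legitimate file can still appear here (some third-party installers ship unsigned binaries), which is why the output is a list to investigate, not a list to delete.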
- If a nasty file keeps coming back after reboot, even after you delete it, try deleting the file again, but before you reboot, create a new text file and name it the same as the targeted exe or dll (or whatever file type it is). Try to set read-only permissions on the file. That way, you'll have a dummy file that is totally harmless if it is called again at startup (verify that you are showing all file extensions first!).
- If you are unsure of a filename, search for it via Google, using the exact filename, including the extension. You can gather a LOT of information from other folks who have gone through a similar experience. See the previous tip regarding enabling the showing of all file extensions. A word of warning, though - some malware processes are named randomly, so you may not have luck finding others that have run across it. However, randomly named processes should immediately raise your suspicions.
- Use a tool like Sysinternals AutoRuns or Hijack This! to list and delete any startup nasties...preferably, check items that are called at Logon and Browser Helper Objects for suspicious items (but don't limit your search to these two categories). My personal favorite is AutoRuns. These tools show the registry entries and physical startup locations in a nice GUI. A nice feature of Autoruns is the ability to hide signed Microsoft entries, making it easier to weed out the malware from the legit processes.
- Use another SysInternals tool called Process Explorer which can allow you to kill malicious processes on the fly...you may not have too much luck with this, however, as many malicious programs just restart themselves once you close it. But, it is still useful to determine what processes are spawning other processes (and, it shows you a path from where the process is running). Also, you can use it to suspend a process, which keeps the watchdog process from restarting a malicious executable, since technically it is still running.
- Use Unlocker or FileAssassin to get rid of an annoying malicious file if it is locked, keeping you from deleting it.
See a great presentation about how to use Sysinternals tools to detect and remove malware, presented by Mark Russinovich, or download the presentation for offline viewing. It is a must-watch!
See another post about creating your own mini-toolset to combat malware: Build a malware fightin' USB drive.

3 comments:
Thanks. Nice writeup.
I've been doing cleanups myself for about five years. Only thing I'd add is about Process Explorer: while a lot of malware will automatically restart itself when it detects it's been killed (sometimes in a very indirect manner, to make it harder to ferret out), PE's suspend feature lets you effectively disable a process without killing it, thereby preventing the respawning. Suspend only works on XP (possibly 2K, not 98 or ME, no data on Vista).
Also, bootable linux (live-CD's) is your friend when you need to get at the hard drive bypassing Windows. Make sure the linux version knows how to write to 2K/XP file system (NTFS).
Keep up the good work!
Priceless Advice!!
I am keeping a copy just in case...
I have not been malware affected for a while now. I usually end up buying a new PC when I cannot successfully remove Malware! This article is a FanfreakinTastic Summary of what you need to do to Win back your PC.
But these hints and tips are very very very very useful. Thanks for posting them.
Unlocker is awesome!! Though you must be sure what you are deleting.