Malware Recognition and Removal

Huge area to cover, we have assembled and written tutorials that have proven helpful over time.
TheConfusedEgo
Otaku
Posts: 2629
Joined: Sat Sep 27, 2003 6:25 am

Malware Recognition and Removal

Post by TheConfusedEgo » Sun Oct 30, 2005 9:49 am

Got this tutorial from Tech Junkie a while ago, but life (teh real) got in the way of me posting it. So here ya go, full credit to him 8)
Tech Junkie wrote: Malware Basics

Introduction
This tutorial is about malware recognition and removal at the noob level on computers using a Windows operating system. Malware is malicious software designed to either damage or do other unwanted actions on a computer system. Common examples of malware include viruses, worms, trojan horses, and spyware.

Recognizing Malware
There are many symptoms that may make you suspect you have some kind of malware on your machine. A software firewall may alert you to programs trying to connect to the internet. Your internet service provider may send you an email stating you're sending infected emails or spamming.
You may suddenly be unable to connect to the internet or just be unable to browse with a web browser.
The most common symptom is the infected system slows down to a crawl and is inundated with popups.

Removing Malware

Virus Removal
When removing malware I feel it's a good idea to remove viruses first and then the spyware.
If you're running Windows XP, reboot into “Safe mode with networking”. If you are using Windows ME or older you will need to download programs and definitions and then use the offline scanners in safe mode.
If you are running a Windows system and you will be connecting to the internet, an antivirus solution is a must. If you have an antivirus installed, update the definitions and run it first. If you do not have an antivirus solution, install one, update the definitions and run it. If you can't afford to run out and buy an antivirus solution, Avast is available free for personal use at http://www.avast.com/eng/avast_4_home.html.
I'm not going to get into which antivirus is the best because they are all fallible. One of the things I like about Avast (besides the price) is its boot-time scan feature. On WinXP systems it can scan before Windows boots all the way up, initializing files you may need to clean or delete. After running your installed antivirus you should double-check it by using the free online scanners at http://housecall.trendmicro.com/ and http://www.pandasoftware.com/products/a ... ncipal.htm. Because both the online scanners use ActiveX you will need to use the dreaded Internet Explorer to use them. You should also temporarily disable your installed antivirus to avoid false positives. It may detect the definitions of the online scanners as viruses themselves. If you normally use Internet Explorer, may I suggest you stop immediately and find a more secure alternative. At the time I'm writing this Internet Explorer is most widely used, so most malware is written to exploit its vulnerabilities to affect the most users. I'll suggest Mozilla Firefox because it's free and fast and I haven't had any problems with it. You can download it at http://www.mozilla.org/products/firefox/. After running your installed scanner and the online scanners you should be virus free.

Spyware Removal
At the time I'm writing this the best spyware removal tools are Spybot Search & Destroy, Ad-AwareSE, and Microsoft's antispyware beta.

Spybot Search & Destroy
Spybot Search & Destroy can be downloaded at http://www.spybot.info/en/download/index.html.
Download and install Spybot Search & Destroy. When running it for the first time it will ask you to set a system restore point, download the latest updates and immunize the system; click yes and download all available updates. Run the scanner and when it finishes let it remove everything found. If you are using Win2k, XP, 2k3, or newer, skip this next step and go to the Ad-Aware step. If you're using WinME or older or do not have a “Valid” copy of a newer version of Windows, go up to the top left of the Spybot window and change mode to “advanced”. Select “tools” in the left pane then check the boxes next to “ActiveX” and “BHO's” in the right pane. They will now be in the tools menu in the left pane. Select “BHO's” in the left pane. This is a list of the “Browser Helper Objects” installed on your machine. If any of them do not have a green check next to them and you do not recognize their name, highlight them and click the remove button at the top of the window. Now click the “ActiveX” button in the left pane. This is a list of the ActiveX controls on your machine. If any of them do not have a green check next to them and are not recognizable to you they will have to be removed. Unfortunately I've never been able to get this feature of Spybot to work and it will have to be done manually. In Windows Explorer open C:\(Windows or Winnt)\Downloaded program files. Find the offending program in the right pane, “right click” it and select “remove”. Close the program.

Ad-AwareSE Personal Edition
Next we will run Ad-AwareSE Personal Edition, which can be downloaded from http://www.lavasoft.de/support/download/. It will want to run when the install finishes and update automatically. Let it. Click Start and under scanning options select “perform full system scan” and click next. When Ad-Aware is done scanning, check all entries found and click next. It will automatically remove them. Close the program.

Microsoft's Antispyware Beta
If you are running a valid copy of Win2k, WinXP, or Win2K3, download and install Microsoft's Antispyware Beta. It can be found at http://www.microsoft.com/athome/securit ... fault.mspx.
At the end of the setup click “Run quick scan now”. Let it check for the latest definitions and scan.
If the program finds any spyware, check the boxes next to them and remove them. Now click “Advanced tools” in the upper right hand corner. In the lower pane click “System explorers”. In the left pane click “Downloaded ActiveX”. This is a list of your installed “ActiveX” controls. If any are flagged “Unknown” or “Potentially Unwanted” and you do not recognize them by name or description, highlight it and click “Block this ActiveX” in the right pane. Go back to System explorers and now select “IE BHO's”. This is a list of your Internet Explorer browser helpers. If any are flagged “Unknown” or “Potentially Unwanted” and you do not recognize them by name or description, highlight them and click either “Block this BHO” or “Permanently remove this BHO”. You can now close the program. One of the nice things about this program is it has “real time” protection to stop infections and hijacks as they happen.

At this point you SHOULD be malware free. Now go to Windows Update and get your operating system up to date. The immunization feature of Spybot Search & Destroy, the real time protection of Microsoft's Antispyware Beta, an alternative browser solution, an antivirus solution, and an “up to date” operating system should keep you from getting infected again. (Along with a little common sense. Don't open unknown email attachments and download everything in sight.) If you're wondering why all those Linux guys are laughing... well... they never have this problem.
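An added example, not part of Tech Junkie's tutorial or any of the tools it names: the BHO lists that Spybot and Microsoft Antispyware display come from the registry, and this PowerShell script (assuming a current Windows with PowerShell 3 or later, which the 2005-era systems above predate) walks those keys, resolves each CLSID to the DLL Internet Explorer loads, and reports its Authenticode status so an unrecognized, unsigned or missing DLL stands out for review. It also lists what is sitting in the Downloaded Program Files folder the tutorial tells you to inspect by hand.

```powershell
# Added example: inventory IE Browser Helper Objects and downloaded ActiveX
# controls for review. Read-only; it removes nothing.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($key in $bhoKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $clsid = $sub.PSChildName                       # subkey name is the {GUID}
            $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $serverKey = "$clsidKey\InProcServer32"
            $name = $null; $dll = $null; $signer = $null
            $status = 'DLL missing'
            if (Test-Path $clsidKey) { $name = (Get-ItemProperty -Path $clsidKey).'(default)' }
            if (Test-Path $serverKey) {
                # InProcServer32's default value is the DLL path, sometimes quoted or
                # containing %SystemRoot%-style variables; normalise before testing it.
                $raw = (Get-ItemProperty -Path $serverKey).'(default)'
                if ($raw) { $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"')) }
            }
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $status = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                CLSID = $clsid; Name = $name; Dll = $dll; Signature = $status; Signer = $signer
            }
        }
    }
}

function Get-DownloadedActiveX {
    # The folder the tutorial opens in Windows Explorer to remove controls manually.
    $dir = Join-Path $env:SystemRoot 'Downloaded Program Files'
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force -File |
            Select-Object Name, Length, LastWriteTime,
                @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } }
    }
}

Write-Host '== Browser Helper Objects =='
Get-BhoInventory | Format-Table -AutoSize
Write-Host '== Downloaded Program Files =='
Get-DownloadedActiveX | Format-Table -AutoSize
```

Anything with a NotSigned or HashMismatch status, or a DLL path pointing outside Program Files or the Windows directory, is worth looking up before deciding whether it belongs.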
