hed by: hack1, on 2007-06-10 04:32:06
~ THe aRT AnD PRaCTiCe of MaLWaRe ReMoVaL ~
Hey all, I saw a post on this kind of an article before, except it was very basic and most of it was information only, not teaching. If you've had a virus before, and removed it successfully, good job. If you haven't had a virus before...go play around on the internet.
I'm not suggesting that you go download malware, but I am saying that if you truly are interested in computers, then you NEED to have some malware experience. If you consider yourself a professional malware remover because you run a load of antispyware and antivirus programs, firewalls, and never surf the web without any protection, I'll tell you right now, YOU ARE WRONG. I'm sorry if that was harsh, but that's how I roll :)
However, you SHOULD have antispyware and antimalware materials. These are especially for those annoying pesks that you find impossible to remove. They're also for those pieces of malware that always elude you, and which go by without your knowledge.
I suggest running AVG Free Antivirus. It's not what I use, but it's the best for non-commercial use in my opinion. Or, if you're into that kind of stuff, go download something illegally. But I wouldn't advise it, because your antivirus might be laden with viruses ;P
For a firewall, use Ashampoo (yes, weird name) Firewall. I find it to be a bit annoying at first, when it keeps asking you what you'd like to allow or disallow from the internet, but it is truly a useful tool.
Thirdly... I know McAfee is just... bad. But one good tool they've created is McAfee SiteAdvisor, which tells you the nature of websites while you're browsing.
I also recommend Ad-Aware Personal, and Spybot Search & Destroy. These are known for picking up those pieces of malware that...hide behind the shadows.
NOTE: These are all free products, and can be downloaded from the internet without charge. They are state of the art for their $0.00 price, so use them well.
Next, we'll start talking about..your own removal style. This always gives me pleasure. I enjoy killing malware without tools designed by others, but with shrewd reasoning, and research.
Here is my generic way of removing malware, use it at your desire. Information wants to be free:
Step 1: The processes...
Press CTRL+ALT+DEL to bring up the task manager. Click on the processes tab. Sift through these, and try to find those that look suspicious. Remember, if you accidentally close a useful process, which only LOOKED suspicious, you can always click File --> New task --> enter process name. This temporarily ends the malware, so it won't disturb you when you're trying to remove it. Sometimes, Windows will tell you that these processes cannot be ended. This is fine. It is just because some other program is using them. Remember though, these processes could be malware! After ending suspicious processes, you've fought part of the battle.
Step 2: Removing them from startup...
Even if you stop a process and then reboot, the process WILL be back. This is because the malware is configured to run at every startup of your computer. Some people prefer to use a method (which I think is bad) involving the Microsoft configuration utility, aptly known as msconfig. If you'd just like to play around with it (please, for God's sake, don't mess with your boot flags!), then go ahead to the "Run" menu, or press WINDOWS KEY + R. Type in 'msconfig' and explore it. However, I prefer to go hard-core. Now we'll get involved with the Windows Registry. This is a vital, vital area that, if altered incorrectly, will have some bad effects. However, it is a great tool for exploration and playing around. Go to the registry by using the "Run" menu, or WINDOWS KEY + R. If your registry has "been disabled by an administrator"... and you are an administrator... you can guess that this is a bad thing...
If it has been disabled, bring up the "Run" menu, and copy and paste:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
If you don't know, in binary a 0 means false, while a 1 means true. This command sets the DisableRegistryTools value to 0, or false. Therefore, the registry tools are enabled again!
Go to the "Run" menu.
Type in 'regedit'. For now, our destinations will be:
HKCU (HKEY_CURRENT_USER)
and
HKLM (HKEY_LOCAL_MACHINE)
First, let's check out the HKCU key. Click on the button next to HKCU. Here, you'll find a lot of interesting stuff, and you can look through it if you'd like. But we must go to the 'Software' key. Click the button beside 'Software'. Here's a REAL list of what's on your computer! Click the button beside 'Microsoft'. Here, you may not be able to make sense of much stuff, but you want to scroll down to the "Windows" key. Click the button next to it. Next, go to "CurrentVersion", and click the button next to it. Click on the "Run" key.

In the right-side pane, you will see the entries under the Run key. These are a list of all the programs that will start up when you sign on to your Windows. Sometimes, the text under the "Name" column will look suspicious. To check it out, look under the "Data" column and find the exact path that it is referring to. If that's one of those programs that you know is malicious, click on the entry, remember or write down the path, and delete it. Now that you've removed the malware from startup, navigate to the path that you wrote down, and permanently delete the file. Make sure you empty your Recycle Bin! Congrats, you've removed some malware.

If every time you turn on your computer the malware keeps coming back, then you know that you've got a problem that may be out of your hands. Here comes the need for your horde of antispyware and antivirus programs. Let them run free, and wait for them to finish. Let them quarantine/delete any malware they find. A good strategy I use is, after your antivirus has finished, run Ad-Aware Pro and Spybot Search and Destroy. They often find left-behind registry keys of the malware you just removed, which may be dangerous. Let them do their work; you will be rewarded justly.
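As an added example (not part of hack1's post), here is a PowerShell script that does the Step 1 and Step 2 inspection in one read-only pass: it lists the running processes and the HKCU/HKLM Run entries together with the file each one points at, and flags the paths the post treats as suspicious (file missing, or living under a Temp or System Volume Information folder). It assumes PowerShell 3.0 or later, and the flagging heuristics are my own; the decision to end a process or delete an entry stays with you.

```powershell
# Added example, not from the original post: a read-only PowerShell pass over
# Steps 1 and 2. Lists processes and HKCU/HKLM Run entries with the file each
# one points at, and flags paths the post treats as suspicious. Heuristics are mine.

function Get-ExePath {
    param([string]$Command)
    # Strip arguments: take a quoted path if present, else the first token.
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-PathFlags {
    param([string]$Path)
    if (-not $Path) { return 'no path (protected process or access denied)' }
    $flags = @()
    if (-not (Test-Path -LiteralPath $Path)) { $flags += 'file missing' }
    if ($Path -match '\\Temp\\|\\System Volume Information\\') {
        $flags += 'runs from Temp/System Volume Information'
    } elseif ($Path -notmatch '^[A-Za-z]:\\(Windows|Program Files)') {
        $flags += 'outside Windows/Program Files, worth a look'
    }
    return ($flags -join ', ')
}

# Step 1: the processes, with the binary behind each one (Task Manager does not show the path).
Write-Host '== Running processes =='
Get-Process | ForEach-Object {
    [PSCustomObject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $_.Path; Flags = Get-PathFlags $_.Path }
} | Sort-Object Flags -Descending | Format-Table -AutoSize

# Step 2: the Run keys under HKCU and HKLM that the post navigates to in regedit.
Write-Host '== Autostart entries (Run keys) =='
$entries = foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSChildName metadata
        $exe = Get-ExePath ([string]$p.Value)
        [PSCustomObject]@{ Key = $key; Name = $p.Name; Path = $exe; Flags = Get-PathFlags $exe }
    }
}
$entries | Format-Table -AutoSize
```

Entries flagged "file missing" are often leftovers of malware already removed, the kind of thing the post says Ad-Aware and Spybot pick up afterwards.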
Step 3: Handling the more malicious Worms and Trojans
Now if you're not running at least Windows XP, you're out of luck on this method. You'd do well trying more antispyware and antivirus programs, and taking some time to investigate some of those weird startup programs. Sometimes, you'll find malware loaded up in a folder called "System Volume Information". This is Windows' fancy way of saying, "The folder where I store all my System Restore checkpoints and files." Since Windows will be difficult and not let you access the directory, I find the best way to be the following:
Click Start.
Right-click My Computer and open Properties.
In the System Properties dialog box, click on the "System Restore" tab.
Check the "Turn off System Restore" box.
This should wipe everything in the System Volume Information folder. After turning System Restore off, you can go ahead and turn it back on. All that malware inside that folder is gone. I advise that you regularly create System Restore points, by going to Start -> Accessories -> System Tools -> System Restore -> Create a restore point. This should provide you with plenty of backups in case your computer goes ballistic :(
Step 4: Safe Mode
Reboot your Windows. During bootup, press F8 or F12, or whatever button brings up the "one time boot menu". Here, select Safe Mode, and after booting up and signing in, run your horde of antimalware programs once more. This time, they may be able to delete more files that weren't available for deletion when your normal Windows was running. In Safe Mode, almost ALL malware can be deleted. It's OK if your Safe Mode looks like it came from hell. The screen resolution will probably be messed up, along with a few other things. It will also display "Safe Mode" in all 4 corners of the screen. When you're done, go ahead and boot up into normal Windows.
Step 5: The Afterparty
So now that you've rid yourself of that malware, time to go online and get some good protection. Download a firewall, an antispyware program or two, an antivirus program, and some other interesting tools you find. One place where you can often get a lot of malware is through your "temp" folder. This could be filled with web exploits and trojans. To get to this, go to:
C:\Documents and Settings\Usernamehere\
Then click on the "Tools" menu, then "Folder Options", and go to the "View" tab. Set it to show hidden files, and also unhide protected operating system files. Now when you go back to
C:\Documents and Settings\Usernamehere\
you should see a lot more files and folders, ones that look faded. Double-click on the "Local Settings" folder. Double-click on the "Temp" folder. Clear everything you can from here. Do this every few days or every week. Now that you've removed the malware, learn from it, so you don't have to go through the trouble of doing it all over.
Many thanks, and good luck!