Spyware and Rootkits and Viruses oh MY!

It’s that day you dread.  The phone call from your friend.

"There’s all these things on my computer! I swear I didn’t do anything!  They just magically appeared!"

They’ve gotten themselves infected.

Whether you classify it as a virus, malware/spyware or a rootkit, in a nutshell it's all the same thing: a foreign application running in your system doing something it SHOULDN'T.

Today I'm not going to debate what is or isn't a virus. My job is not politics. It's to get you armed to recover from a problem.

Whether the problem is a friend's computer, something cutting edge that slipped by your firewall or just dumb luck, take a little relaxation. You're not completely unarmed.

If you're lucky you can update the antivirus software and you're off to the races. But today we're going to safely assume you can't. You've got a nest of vipers running in that system. You need a point of attack.

Let's assume the worst case scenario. It's new. It's nasty. It's locking you down.

What can you do?

Spyware/malware can be scanned for with several free and decent utilities. Windows Defender from Microsoft is free for Windows XP and catches many of them. There is also SpyBot Search and Destroy, Ad-aware, HijackThis and Malwarebytes malware removal. None of them are truly 100%, but usually a combination of them will help.

If your antivirus software is dead you're not 100% dead in the water. Kaspersky Antivirus is extremely effective on removals, gives you a free 30 day trial, and more importantly allows an AUTOMATED removal (this beats clean, click, clean, click, hundreds of times).

Rootkits are particularly nasty. They sit at the root, before Windows loads, and really hide well. An excellent free utility from F-Prot called BlackIce Defender will scan and remove most of the rootkits quite effectively and automatically.

Then you've got your good old friends from SysInternals. Download Process Explorer. Think of it as Task Manager pumped up. You can really see a lot of what's going on, and can kill and pause processes. One feature I like is the ability to see which process is holding which files open.

If you can get access to the registry at all (either directly or by the "Mount Foreign Hive" technique) you have a few key locations to quickly dig into. There are actually many, but these are "the basics".

Check HKCU\Software\Microsoft\Windows\CurrentVersion\Run and its ilk for any unusual entries, and HKLM\Software\Microsoft\Windows\CurrentVersion\Run for similar entries. If you're experienced with going into the registry you should be able to spot anything out of the norm. Rather than deleting, I like renaming. It's safer and a little more effective. So if you see an entry trying to run "C:\HPSuperFileCleaner.exe", rename the contents and add the word "not" to the end so it runs "C:\HPSuperFileCleaner.exenot", which would fail that launch.

Another nasty spot is those pests that load with Winlogon. You'll spot them at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.

******* WARNING *********

You REALLY need to be comfortable with the entries here. These automatically load upon bootup, even in safe mode. A trick I found that sometimes works is using permissions on the registry keys in question and placing "DENY" permissions for all the groups and users in question on those keys. Any files they are launching, I place those same permissions on. IF YOU ARE NOT CAREFUL THE SYSTEM MAY FAIL TO BOOT. EDIT THESE WITH CAUTION. IF YOU ARE NOT AN EXPERT, PAUSE NOW and SERIOUSLY consider a re-install.
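Here's a PowerShell script I've added to this post to put the registry part above into practice. It is not from the original write-up and not from any of the tools mentioned; it walks the Run/RunOnce keys and the Winlogon\Notify subkeys, flags entries whose target is missing or lives in a user-writable folder, and gives you the "add 'not' to the end" rename and the Deny-permissions trick as functions. Everything here (the function names, the list of folders treated as suspicious, the sample value name in the usage line) is my assumption for the example. Run it from an elevated prompt, and use -WhatIf before letting either of the two change-making functions touch anything.

```powershell
# Added example (not from the post). Enumerates the autostart locations the post
# names, flags entries worth a second look, and neuters one the post's way
# (append "not" to the command) or by a Deny ACE. Names here are assumptions.

$AutoRunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$NotifyKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Pull the executable path out of a command line such as "C:\dir\x.exe" /arg
function Get-ExePath([string]$CommandLine) {
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($CommandLine -match '^\s*(\S+)')    { return $Matches[1] }
    return $CommandLine
}

# Reasons to look twice: the file is gone (already renamed or deleted), or it
# runs from a user-writable folder where real installers rarely put programs.
function Test-Suspicious([string]$ExePath) {
    if (-not $ExePath) { return $null }
    if (-not (Test-Path -LiteralPath $ExePath)) { return 'target missing' }
    foreach ($dir in @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)) {
        if ($dir -and $ExePath.StartsWith($dir, 'OrdinalIgnoreCase')) {
            return "runs from $dir"
        }
    }
    return $null
}

function Get-AutoRunEntries {
    foreach ($key in $AutoRunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $exe = Get-ExePath ([string]$p.Value)
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Command = $p.Value
                Exe = $exe; Why = (Test-Suspicious $exe)
            }
        }
    }
    # Winlogon\Notify: one subkey per package; DllName is what gets loaded
    if (Test-Path $NotifyKey) {
        foreach ($sub in Get-ChildItem -Path $NotifyKey) {
            $dll  = (Get-ItemProperty -Path $sub.PSPath).DllName
            $full = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
                        Join-Path "$env:SystemRoot\System32" $dll } else { $dll }
            New-Object PSObject -Property @{
                Key = $sub.PSPath; Name = $sub.PSChildName; Command = $dll
                Exe = $full; Why = (Test-Suspicious $full)
            }
        }
    }
}

# The post's trick: append "not" so the launch fails, instead of deleting the value.
function Disable-AutoRunEntry {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$Key, [string]$Name)
    $old = (Get-ItemProperty -Path $Key -Name $Name).$Name
    if ($PSCmdlet.ShouldProcess("$Key\$Name", "rename target to '${old}not'")) {
        Set-ItemProperty -Path $Key -Name $Name -Value ($old + 'not')
    }
}

# The post's permissions trick: a Deny ACE for Everyone on the key. -WhatIf first!
function Deny-RegistryKey {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$Key)
    if ($PSCmdlet.ShouldProcess($Key, 'add Deny FullControl for Everyone')) {
        $acl  = Get-Acl -Path $Key
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
            -ArgumentList 'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny'
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Key -AclObject $acl
    }
}

# Usage: list everything, flagged entries first
Get-AutoRunEntries | Sort-Object Why -Descending | Format-Table Name, Why, Exe -AutoSize
# Disable-AutoRunEntry -Key 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'SuperFileCleaner' -WhatIf
# Deny-RegistryKey -Key "$NotifyKey\SomeSuspectPackage" -WhatIf
```

Two things worth knowing before you use the last function: a Deny for Everyone also denies you, so to undo it later you take ownership of the key as an Administrator and rewrite the ACL; and a Notify package that Winlogon cannot read is exactly the sort of change that can stop the machine from booting, which is why the post's warning sits right above this.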

If it's a truly cutting edge one, the other trick is to look for recently modified or created files/directories and simply rename them, from "MALWAREFOLDER" to "NOTMALWAREFOLDER". The same goes for their files. Going to the command prompt and renaming all the temp folders (as well as Temporary Internet Files) to something else can also cripple a lot of them. If you CAN'T rename a folder, that also might point to where they're running from.
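As an added example of that "look for what changed recently, then rename it" step (again mine, not the post's), this PowerShell script lists files and folders created or written in the last few days under the temp locations the post mentions, and renames a suspect folder with a NOT prefix, reporting the ones that refuse to rename. The folder list, the three-day window and the function names are my assumptions; the two Temporary Internet Files paths cover the XP layout and the later one, and whichever doesn't exist is skipped.

```powershell
# Added example (not from the post). Lists recently created/modified items under
# temp-style folders, then renames a suspect folder the "NOT" way. A rename that
# fails because the item is in use is itself a clue about what is running.

$Days  = 3                                   # assumption: how far back to look
$Roots = @($env:TEMP, "$env:SystemRoot\Temp", $env:APPDATA,
           "$env:USERPROFILE\Local Settings\Temporary Internet Files",        # XP layout
           "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files") |  # later layout
         Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function Find-RecentItems([string[]]$Paths, [int]$NewerThanDays) {
    $cutoff = (Get-Date).AddDays(-$NewerThanDays)
    foreach ($root in $Paths) {
        # -Force includes hidden items; errors (locked or odd entries) are skipped
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -gt $cutoff -or $_.LastWriteTime -gt $cutoff } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
}

function Rename-Suspect {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([string]$Path, [string]$Prefix = 'NOT')
    $item = Get-Item -LiteralPath $Path -Force
    $new  = $Prefix + $item.Name
    if ($PSCmdlet.ShouldProcess($Path, "rename to $new")) {
        try {
            Rename-Item -LiteralPath $Path -NewName $new -ErrorAction Stop
            "renamed: $Path -> $new"
        } catch {
            # Something is holding this open: note it, it is probably the runner
            "LOCKED (probably in use): $Path : $($_.Exception.Message)"
        }
    }
}

# Usage: newest items first, then try a rename with -WhatIf before doing it for real
Find-RecentItems -Paths $Roots -NewerThanDays $Days |
    Sort-Object CreationTime -Descending | Format-Table -AutoSize
# Rename-Suspect -Path "$env:TEMP\MALWAREFOLDER" -WhatIf
```

Compare the list against what Process Explorer shows you: a freshly created folder whose rename comes back LOCKED, with a running process holding files in it, is where to look next.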

Nothing is ever guaranteed. Wiping out the drive and re-installing the operating system will probably clean you up a lot better (unless it's sitting on the MBR of the hard drive, in which case get some free data destruction software and kill it 100%, or just buy another hard drive and play it safe).

There is never a 100% guaranteed method of killing these pests. All this is, is a little ammunition to put under your hat, and maybe de-hurt the computer enough to get the system back up and running. Sometimes you can be very successful. Sometimes it's just what you need to get the computer running enough to obtain needed settings.

Take note above all: if you're not sure what you're doing, or not sure where data might be, back it all up first.

Remember you can replace the hardware.  You can NEVER replace the data.

Sean
The Energized Tech
Dedication and Inspiration creating the new Generation