Tuesday, July 10, 2012

Tracking Down Windows Malware

I know from experience how difficult tracking down unwelcome system guests can be. Once an infection takes root, it invites other "guests" and before you know it there are several of them residing on your hard drive. They are becoming more difficult to remove due to the increasing prowess of malware programmers. In fact, I have experienced many infections that could not be resolved due to the number of malicious files or a single program continually reinstalling itself. One can speculate as to how these programs may operate, but the only sure way of cleaning your system is a wipe down and reinstallation of the operating system. There are cases where infection hasn't reached critical mass and the critters can be removed with reasonable certainty. I'm going to give you some pointers on where to look, and what tools to use.

If you suspect infection, turn off System Restore. It's located in the Start >> All Programs >> System Tools menu. Chances are the malware has already been captured in a restore point, and any attempt to use the restore function will only reinstall it on your PC. This is one "feature" of Windows that is both very good and very bad, for obvious reasons. Back up your bookmarks, passwords, user directory, or any other files you wish to keep. Crank up the browser and delete all temporary files and cookies. Turn off all plugins and helper applications. If any helper objects were recently installed, uninstall them.

If you have access to the internet, visit Trend Micro's Housecall and do a scan. Any existing antivirus program may have been disabled or compromised, so a scan from a clean source needs to be performed. Most malware resides in either the User directories or the Windows directory, unless a malicious program has been installed. If an entire program has been installed, try uninstalling it. If it will not uninstall, remove the program's files from the Programs directory and remove it from the menu. After the scan is finished, and the changes have been accepted, don't restart your computer right away.

If you don't have internet access, or your machine becomes unresponsive in normal mode, reboot into safe mode (F8 >> Choose safe mode). Make sure you are logged in as Administrator. Uninstall any recently installed software, including browser plugins and helpers. Check the hosts file located in the C:\Windows\System32\Drivers\etc folder. Open the file in Notepad and examine it. If it doesn't look like the one pictured below, and there are a lot of entries, remove them until the file looks exactly like the picture below. BTW, those are tab spaces between the IP and domain addresses. Save and close. Open a command prompt (Start >> All Programs >> Accessories >> Command Prompt, or Start >> Run and enter cmd), type in netsh int ip reset c:\resetlog.txt, and hit enter. This resets the TCP/IP stack and places the log in the root directory. Check your connection. If you still don't have internet, you need a professional, sorry.
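The hosts-file check above can be done mechanically instead of by eye. The PowerShell script below is an added example (not part of the original post): it reads the hosts file, ignores comments and blank lines, normalises the tab/space separators the post mentions, and reports every entry that is not one of the two stock localhost lines. It assumes a default hosts file contains nothing but comments plus `127.0.0.1 localhost` and `::1 localhost`; anything else (for example an antivirus vendor's update site pointed at 127.0.0.1) is listed with its line number so it can be researched and removed. The function name `Get-SuspiciousHostsEntries` is this example's own.

```powershell
# Added example, not from the original post. Assumes a clean hosts file
# holds only comments plus "127.0.0.1 localhost" and "::1 localhost".
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$expected  = @('127.0.0.1 localhost', '::1 localhost')

function Get-SuspiciousHostsEntries {
    param([string]$Path = $hostsPath)
    $findings = @()
    $lineNo = 0
    foreach ($raw in Get-Content -Path $Path) {
        $lineNo++
        # Drop trailing comments and surrounding whitespace.
        $line = ($raw -replace '#.*$', '').Trim()
        if ($line -eq '') { continue }
        # Collapse tabs and runs of spaces so "127.0.0.1<TAB>localhost"
        # compares equal to "127.0.0.1 localhost".
        $fields = $line -split '\s+'
        $norm   = $fields -join ' '
        if ($expected -notcontains $norm) {
            $names = if ($fields.Count -gt 1) { $fields[1..($fields.Count - 1)] -join ' ' } else { '' }
            $findings += [pscustomobject]@{
                Line    = $lineNo
                Address = $fields[0]
                Names   = $names
                Text    = $raw
            }
        }
    }
    return $findings
}

$hits = @(Get-SuspiciousHostsEntries)
if ($hits.Count -eq 0) {
    Write-Host "hosts file contains only the stock localhost entries"
} else {
    Write-Host "Non-default hosts entries (research each before removing):"
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt (the file is readable without elevation, but editing it afterwards requires Administrator). An empty result means the file matches the default; any listed line is a candidate for removal, though a line added deliberately by the user or by corporate IT should be left alone.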

Click Start >> All Programs >> Accessories >> Run (or Start >> Run for older Windows versions), type in msconfig, and hit enter. A window will pop up resembling the one below. Click the Startup tab. This is where startup can be customized. Exercise caution and DO NOT uncheck anything that your computer manufacturer has loaded, ESPECIALLY on a laptop. You should have a pretty good idea of what programs are running on your system, like AV, Roxio, Nero, Java, etc. A tell is an entry with no manufacturer name, but legit files don't always show a manufacturer. It's always a good idea to research something before removing it from the start routine. Stay away from entries with "key", "touchpad", "smartpad", "mouse", or any variation thereof, especially if the computer manufacturer loaded it onto the system, or else when the system reboots there may be no way of controlling it.

Go back to the Run dialog, type in prefetch, and hit enter. Select every file in this directory and delete it. Check the hosts file as outlined above. Check your firewall for any unauthorized open ports. Now reboot and rescan. If all is clear, double check msconfig and turn System Restore back on. If not, repeat until everything is gone or you are ready for other measures.

Additional Steps:

If you are comfortable editing the Windows registry, Autoruns is an excellent tool for checking and editing registry entries. Entries ending in \Run or \Startup need to be checked, as well as Browser Helper Objects and Task Scheduler. File creation times and knowing the location of legitimate files are extremely helpful. Back up your registry (and save it to the root drive) before editing or you may toast your entire Windows installation. Autoruns also displays the path to the file for easy removal. You may have to remove files from safe mode.
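The msconfig Startup tab and the \Run and \Startup locations above can be reviewed the same way with a script. This PowerShell example is added here and is not the post's or Autoruns' own code: it enumerates the Run and RunOnce keys under HKLM and HKCU plus the current user's Startup folder, resolves each command line to its executable, and prints the file's company name (the "manufacturer" tell from the msconfig section), its Authenticode signature status, and its creation time. The function names `Resolve-CommandPath` and `Get-StartupEntries` are this example's own; the registry paths and the `Get-AuthenticodeSignature` cmdlet are standard Windows.

```powershell
# Added example, not from the original post. Lists auto-start entries with
# the details a reviewer wants before deciding to remove one.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-CommandPath {
    param([string]$Command)
    # Extract the executable from a command line: a quoted path, or the
    # first whitespace-delimited token if it is not quoted.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-StartupEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata
            $entries += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    # Per-user Startup folder (shortcuts and anything dropped there).
    $startupDir = [Environment]::GetFolderPath('Startup')
    foreach ($f in (Get-ChildItem -Path $startupDir -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer })) {
        $entries += [pscustomobject]@{ Source = $startupDir; Name = $f.Name; Command = $f.FullName }
    }
    foreach ($e in $entries) {
        $path    = [Environment]::ExpandEnvironmentVariables((Resolve-CommandPath $e.Command))
        $exists  = Test-Path -LiteralPath $path
        $company = $null; $sig = 'n/a'; $created = $null
        if ($exists) {
            $item    = Get-Item -LiteralPath $path
            $company = $item.VersionInfo.CompanyName
            $created = $item.CreationTime
            $sig     = [string](Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
        }
        $e | Add-Member NoteProperty Path      $path
        $e | Add-Member NoteProperty Exists    $exists
        $e | Add-Member NoteProperty Company   $company
        $e | Add-Member NoteProperty Signature $sig
        $e | Add-Member NoteProperty Created   $created
    }
    return $entries
}

Get-StartupEntries |
    Sort-Object Signature, Company |
    Format-Table Name, Company, Signature, Created, Path -AutoSize
```

Entries whose file does not exist, has no company name, is `NotSigned`, or was created around the time the trouble started are the ones to research first; a valid signature from a known vendor is reassuring but not proof, since the post's warning about manufacturer-loaded keyboard and touchpad entries still applies. This lists entries only and changes nothing, so it is safe to run before touching msconfig or Autoruns.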

If a reinstallation of the OS is necessary, don't do an "over the top" install. Format your disk (better yet, wipe it with DBAN) beforehand.

If there is access to another PC with AV on it, remove the drive from the infected machine and slave it to the other PC in lieu of an online scan. Many Linux live CDs have ClamAV installed. That could be used to scan the infected drive from the optical drive without having to remove anything. Check it out here.

Try getting some help at PC Mech Forums. They have friendly and knowledgeable admins (and users) that may be able to help.

Getting rid of these critters is not fast or easy. Sometimes it takes a professional to track it down on the fly. Malware can hide anywhere on your system, and has the ability to masquerade as legitimate processes. The easiest option is always a format and install after a thorough backup. It could take even the most seasoned tech hours to remove, or to reach the realization that a format and install is the only way to go. These steps are a good starting point for removal, but far from a comprehensive guide. As you can see, it is a time-consuming and involved process.
