Generic Instructions for Removing Malicious Software
Removing malware (malicious software) has become a fairly complex task. To understand the removal process you need to be familiar with how malware spreads and how it keeps itself running, so please read the following few paragraphs very carefully.
Malicious software keeps evolving and changing its methods of intrusion and its naming. Almost all current anti-virus and anti-malware software (Symantec, Ad-Aware, SpyBot, etc.) relies on hard-coded file names to detect and remove malicious software. Let's take the following example: a programmer designs some malicious software, code-named trojan2k7. The programmer may design the trojan with many purposes in mind - displaying ads, posing as fake anti-virus software, keylogging, etc. No matter what the primary purpose is, all malware programs have one thing in common: they need to load when the operating system loads. Malware programs achieve this by writing their file names to specific places in the registry. These places in the registry are called "autorun locations"; more on them later.
Here is the way engineers from an anti-malware company (such as Symantec) would approach the new malicious software:
- they would obtain an infected computer (they usually have PCs that they purposefully infect, let's call one TestPC1)
- they would find the malware by looking through the autorun locations of TestPC1 (say Symantec's engineers found that xkjasfg11.exe and aliwr77.dll are both part of the malware called trojan2k7)
- they would record the file name of the malware program and update Symantec's virus definitions so that it removes files with those names
The problem with this approach is that malware authors have begun designing malware that uses random, automatically generated file names. So trojan2k7 may be present as abc123.exe and xyz123.dll on TestPC1, but on other computers it will be present under different file names. For example, TestPC1 has abc123.exe and xyz123.dll, while JoeAveragePC might have abc567.exe and xyz567.dll. Joe Average runs Symantec AV; Symantec AV scans the disk looking for abc123.exe and xyz123.dll, doesn't find them and reports no issues, while in fact trojan2k7 is still present on Joe's PC, just under different file names: abc567.exe and xyz567.dll.
If this is not clear, just take this for granted: anti-malware programs (such as Symantec, Ad-Aware, etc.) cannot currently detect all malware, even when they are up to date. So no matter how many times you scan a customer's computer with Symantec or the malware pack, if the computer is infected, Symantec and the pack will only remove a portion of the infection. It's your job to examine the computer using generic methods.
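The two points above (malware persists through autorun locations, and a file name is a poor identifier because it can be randomized) can be checked directly from PowerShell. The script below is an added example, not part of the original instructions or of the malware pack: it walks the most common Run/RunOnce/Winlogon autorun keys, resolves the program each entry launches, and reports whether the file exists, whether it carries a valid Authenticode signature, and its SHA256 hash. The hash is what lets you recognise the same file across machines regardless of its name. It assumes a current Windows with PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; the list of keys is a deliberately short subset, and the Sysinternals Autoruns tool covers many more locations.

```powershell
# Added example: list common autorun entries with signature status and SHA256.
# Assumption: these keys are a subset; Sysinternals Autoruns covers far more.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

# PowerShell adds these bookkeeping properties to every Get-ItemProperty result
$PSNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Resolve-CommandPath {
    # Extract the executable from a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   C:\foo\bar.exe -x
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    $path = $null
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $path = $cmd.Substring(1, $end - 1) }
    }
    if (-not $path) {
        # Unquoted: take everything up to the first ".exe" (Userinit ends in a comma)
        $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
        $path = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] }
    }
    # Bare names such as "explorer.exe" (Winlogon\Shell) are found via %windir%
    if (-not [IO.Path]::IsPathRooted($path)) {
        $candidate = Join-Path $env:windir $path
        if (Test-Path -LiteralPath $candidate) { $path = $candidate }
    }
    return $path
}

function Get-AutorunEntries {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }   # e.g. no Wow6432Node on 32-bit
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($PSNoise -contains $p.Name) { continue }
            # In the Winlogon key only Shell and Userinit launch programs
            if ($key -like '*Winlogon' -and -not (@('Shell', 'Userinit') -contains $p.Name)) { continue }
            if (-not ($p.Value -is [string])) { continue }
            $path   = Resolve-CommandPath $p.Value
            $exists = Test-Path -LiteralPath $path
            $signed = $null
            $hash   = $null
            if ($exists) {
                $signed = (Get-AuthenticodeSignature -FilePath $path).Status -eq 'Valid'
                $hash   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            }
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Path    = $path
                Exists  = $exists
                Signed  = $signed
                SHA256  = $hash
            }
        }
    }
}

# Unsigned and missing files sort to the top; those are the ones to look at first.
Get-AutorunEntries | Sort-Object Signed | Format-Table -AutoSize
```

A valid signature is not proof of innocence and an unsigned entry is not proof of infection (plenty of legitimate older software is unsigned), but an unsigned file with a meaningless name in a Run key is exactly the kind of entry the manual HijackThis review below is meant to surface, and the hash is what you record instead of the file name.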
- Install the malware pack, http://community.middlebury.edu/~pmitrevs/, but don't run it.
- Restart in SAFE MODE and open the malware pack, but don't run the autopilot; it's useless (this statement comes from Petar).
- What you do need to do is choose the first option ("Update then Run") and launch HijackThis.
- Do a scan with HijackThis.
- If you are unsure about a HijackThis entry, use Google to find more information; if still unsure, DELETE IT! HijackThis makes a backup of everything you delete.
- When you think that you're done, restart in safe mode again, do a new scan and see if any suspicious items reappeared. If they did, you probably missed something. Repeat this procedure until no suspicious entries reappear.
- Before you take a computer out of the penalty box: boot into normal mode.
- You may need to uninstall AIM - some viruses change the away messages; people click the malicious links in away messages and get reinfected. Uninstall any and all P2P programs, including but not limited to Kazaa, mIRC, LimeWire, etc. People use P2P applications and get reinfected.
- Open TCPView (MalwarePack -> Advanced Section -> TCPView) (or www.sysinternals.org).
- Connect the machine to CAMPUS MANAGER.
- Observe whether any unknown process appears in TCPView (REMEMBER: TCPView shows every application trying to access the internet, not only malware).
- Google the filename of the unknown process. If it is bad, search and delete per Owais' instructions; if it is simply not present anywhere in the Google results, search and delete as well!
- Searching the registry: Start -> Run "Regedit". In REGEDIT, go to Edit -> Find and search for <filename.exe> (or any other suspect executable).
- Also search the hard drive for <filename.exe>. On some computers the malware has made backup copies of itself; remove them as well. Make sure you enable viewing hidden files and folders and uncheck "hide protected operating system files".
- Open Process Explorer (MalwarePack -> Advanced Section -> Process Explorer) (or www.sysinternals.org), look through the running processes, and for every unknown process repeat the Google-the-filename step above.
- Reboot, repeat steps 5-9 and check HIJACKTHIS AGAIN! <-- This is really important!
- If nothing shows up - THEN AND ONLY THEN - remove the machine from penalty.
- After a few machines you will learn which processes are good and which are bad, and it will become easier. If you are really unsure, ask a colleague or simply put the machine on hold and mark it for someone more experienced to try; just don't give it back to the user.
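The registry search, the hidden-file disk search and the TCPView check from the steps above can be done in one pass from PowerShell. The script below is an added example, not part of the original instructions or of the malware pack: given the file name of a suspect process it lists every registry key or value that references it, every copy of it on the local drives (hidden and system files included, which is what unchecking "hide protected operating system files" achieves in Explorer), and the current TCP connections together with the process that owns each one. It deletes nothing; you review the output and then remove what the steps above tell you to. It assumes an elevated prompt and, for the connection listing, Windows 8 / Server 2012 or later (Get-NetTCPConnection); on older systems use `netstat -bno` or TCPView for that part.

```powershell
# Added example: locate references to and copies of a suspect file, and list
# TCP connections by owning process. Read-only; nothing is removed.
# Usage:  .\Find-Suspect.ps1 -SuspectName abc567.exe   (name is a constructed sample)
param(
    [Parameter(Mandatory = $true)][string]$SuspectName
)

function Test-ContainsName {
    # Case-insensitive substring match that does not treat [] or * as wildcards
    param([string]$Text, [string]$Name)
    return $Text.IndexOf($Name, [StringComparison]::OrdinalIgnoreCase) -ge 0
}

function Find-RegistryReferences {
    # Equivalent of Regedit -> Edit -> Find over the hives malware normally uses.
    # Assumption: these three subtrees are enough for a first pass; HKLM:\SOFTWARE
    # is large, so expect this to take a while.
    param([string]$Name)
    $hives = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\SOFTWARE')
    foreach ($hive in $hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if (Test-ContainsName $key.PSChildName $Name) {
                [pscustomobject]@{ Key = $key.Name; Value = '(key name)'; Data = '' }
            }
            foreach ($v in $key.GetValueNames()) {
                $data = "$($key.GetValue($v))"   # binary data is rendered as a byte list
                if ((Test-ContainsName $v $Name) -or (Test-ContainsName $data $Name)) {
                    [pscustomobject]@{ Key = $key.Name; Value = $v; Data = $data }
                }
            }
        }
    }
}

function Find-FileCopies {
    # Search every file system drive; -Force includes hidden and system files.
    param([string]$Name)
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -and (Test-Path $_.Root) }
    foreach ($d in $drives) {
        Get-ChildItem -Path $d.Root -Filter $Name -Recurse -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Path   = $_.FullName
                    Size   = $_.Length
                    Hidden = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
                }
            }
    }
}

function Get-ConnectionsWithProcess {
    # TCPView in script form: established and half-open connections with their owner.
    Get-NetTCPConnection -State Established, SynSent -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process = if ($proc) { $proc.ProcessName } else { '?' }
            PID     = $_.OwningProcess
            Path    = if ($proc) { $proc.Path } else { '' }   # empty for protected system processes
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
        }
    }
}

Write-Host "== Registry references to $SuspectName =="
Find-RegistryReferences -Name $SuspectName | Format-Table -AutoSize
Write-Host "== Copies of $SuspectName on disk =="
Find-FileCopies -Name $SuspectName | Format-Table -AutoSize
Write-Host "== Active TCP connections by owning process =="
Get-ConnectionsWithProcess | Sort-Object Process | Format-Table -AutoSize
```

Compare the SHA256 values of the disk copies: identical hashes under different names are the "backups" the disk-search step warns about, and the connection listing shows the same thing TCPView does, so every process in it still needs the Google-the-filename check before anything is touched.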