Difference between revisions of "Identifying viruses"

(Moved content to Viruses and malware page.)
#REDIRECT [[Viruses and malware]]
A lot of problems are assumed to be virus problems but actually are hardware, software, or user issues. Let's discuss.
==Running hardware diagnostics==
See [[Hardware Diagnostics]]
==Likely signs of a virus==
* Pop-ups
* Error messages mentioning filenames that really don't sound valid
* Are programs like AIM and LimeWire installed? Does the user seem like a big media consumer? Without generalizing too much, I've found that these users are much more likely to have virus problems.
* User controls the mouse. You might have bigger problems than just viruses here.
--[[User:Chunt|Hunt, Christopher]] 18:14, 9 July 2008 (EDT)
==Ambiguous symptoms==
* Slow usage.
** Is it slow in general, or just slow on startup? Check what programs start automatically. (Autoruns, msconfig, HijackThis)
** Does the user complain about one particular program being slow? Check IE and Firefox for toolbars.
** What does the add/remove programs list look like?
** Check the computer specs. You can't expect Windows XP to run well on 128 MB RAM (or Vista to run well on 128 GB RAM) no matter how many programs you might remove.
* Error messages re: a particular program - reinstall? Maybe a file is corrupt, which might be a sign to check for hard disk problems. (But if you're going to run HD diagnostics, ''back up crucial data first''...)
* Computer writes text randomly. The one time I've seen this, it was actually caused by a speech-to-text function that the user didn't know about!
--[[User:Chunt|Hunt, Christopher]] 18:14, 9 July 2008 (EDT)
==Symptoms that probably mean something else==
* "Memory at <hex code> cannot be referenced". More likely a problem with a specific program (see [[Known Image Issues]]), a problem with the RAM, or a hard disk problem. Try switching out the memory module(s) or run diagnostics on the memory.
--[[User:Chunt|Hunt, Christopher]] 18:14, 9 July 2008 (EDT)
==Using Autoruns to detect malware==
* Get autoruns from http://live.sysinternals.com/autoruns.exe
* Run it and accept license agreement.
* Hit escape to cancel initial scan
* Under "View", select "Hide Microsoft Entries" (malware cannot sign itself as a Microsoft product). This cuts down the list to a manageable size. Make sure Autoruns' code-signature verification option is also turned on: with it enabled, "Hide Microsoft Entries" hides only entries whose signature actually verifies as Microsoft's, whereas without it Autoruns goes by the publisher name the file reports about itself, which is not proof of anything.
* Refresh (F5) to rescan
* Look near the bottom, under WinLogon or WinNotify, or LSA. See something oddly named? Does it list a company? What does Google return when you look up the filename?
An unorthodox parallel:
* The WinLogon and LSA sections can be thought of as the MOTHERSHIP (ever seen the movie Independence Day?).
* So until you kill the mothership, it will keep sending nasty malware to the system.
* In the movie Independence Day, the nations of Earth sent nukes, conventional bombs, helicopters, fighters, etc. at the malicious attackers, but none of the methods proved useful, as the MOTHERSHIP was protecting the attackers. Similarly, the malicious executables in the WinLogon and LSA sections protect the malware. You can try nuking them (with antivirus programs, Spybot, Ad-Aware, Malwarebytes, and any other automated programs), but just trying to nuke rarely works.
* In the aforementioned movie, two individuals infiltrated the mothership and thus disabled the defenses. Similarly, you will need to infiltrate the WinLogon and LSA sections to disable the malware there. The easiest way to do this is to boot into Bart, or connect the infected hard disk through a USB adapter. Then look for the executables you saw in the Winlogon and LSA sections (typically in windows\system32).
* A more advanced way to infiltrate the WinLogon and LSA sections is to boot in safe mode, use Autoruns, and write down the name and location of the BAD files in the WinLogon and LSA sections. Then use http://live.sysinternals.com/procexp.exe to kill the smss.exe process, then the winlogon.exe process, then the lsass.exe process. After these are killed, open a command line window and use the del command to delete the files that you found were bad. You will need to hold down the power button to shut down the computer. After you've deleted the BAD files in the WinLogon and LSA sections, you can use Symantec, Ad-Aware, Spybot, Malwarebytes, and whatnot to do a full system scan and NUKE any leftover malware.
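The Autoruns walkthrough above boils down to a filter: ignore entries with a verified Microsoft signature and scrutinise whatever is left, starting with the WinLogon and LSA locations. The Python script below, added here and not part of the original wiki page, applies that filter to a CSV export from the command-line autorunsc tool; the column names (Entry Location, Entry, Signer, Company) and the "(Verified)"/"(Not verified)" prefix in the Signer column are assumptions about that export format, and the sample rows are constructed, not real data.

```python
import csv
import io
import re

# Autostart locations the walkthrough above singles out (the "mothership").
SENSITIVE = re.compile(r"Winlogon|WinNotify|\\Lsa\b", re.IGNORECASE)

# Constructed sample of an autorunsc -c -v export (column names assumed): a genuine
# Microsoft entry, a DLL that merely claims Microsoft, an unsigned LSA package, a tool.
SAMPLE_CSV = """Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit,userinit.exe,enabled,Winlogon,System-wide,Userinit Logon Application,(Verified) Microsoft Windows,Microsoft Corporation,c:\\windows\\system32\\userinit.exe,10.0.19041.1,"C:\\Windows\\system32\\userinit.exe,"
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify,wsctf,enabled,Winlogon,System-wide,Windows Component,(Not verified) Microsoft Corporation,Microsoft Corporation,c:\\windows\\system32\\wsctf.dll,1.0.0.0,c:\\windows\\system32\\wsctf.dll
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages,qzxlsa,enabled,LSA Providers,System-wide,,,,c:\\windows\\system32\\qzxlsa.dll,,qzxlsa
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Toolbar,enabled,Logon,System-wide,Search Toolbar,(Not verified) Example Toolbar Inc,Example Toolbar Inc,c:\\program files\\toolbar\\tb.exe,2.1,C:\\program files\\toolbar\\tb.exe
"""

def classify(row):
    """Verdict for one row: 'trusted' only for a verified Microsoft signer."""
    signer = row.get("Signer") or ""
    m = re.match(r"\((Verified|Not verified)\)\s*(.*)", signer)
    verified = bool(m) and m.group(1) == "Verified"
    name = m.group(2) if m else ""
    claims_ms = "microsoft" in (name + (row.get("Company") or "")).lower()
    if verified and claims_ms:
        return "trusted", "verified Microsoft signature (what Autoruns hides)"
    if claims_ms:
        return "suspicious", "claims Microsoft but signature is not verified"
    if not signer:
        return "suspicious", "unsigned, no publisher"
    return "review", f"third-party signer {name!r}"

def triage(csv_text):
    """List (entry, location, verdict, reason) for non-trusted rows, Winlogon/LSA first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdict, reason = classify(row)
        if verdict == "trusted":
            continue
        loc = row["Entry Location"]
        if SENSITIVE.search(loc):
            reason = "in Winlogon/LSA autostart; " + reason
        findings.append((row["Entry"], loc, verdict, reason))
    findings.sort(key=lambda f: SENSITIVE.search(f[1]) is None)
    return findings

if __name__ == "__main__":
    for entry, loc, verdict, reason in triage(SAMPLE_CSV):
        print(f"{verdict:10} {entry:14} {reason}\n{'':10} {loc}")
```

Anything the script marks "suspicious" in a Winlogon or LSA location is exactly the kind of entry the section above tells you to write down before booting into safe mode or a rescue environment.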

Latest revision as of 15:56, 26 March 2009