== Identifying viruses ==

A lot of problems are assumed to be virus problems but are actually hardware, software, or user issues.

=== Symptoms of infection ===
Not all complaints mean that a computer is infected. Keep reading.
* '''Pop-up ads''': Particularly watch out for popups from an unfamiliar program warning you that your computer is infected with viruses; the popup is fake and malicious.
* Error messages mentioning filenames that look fake or suspicious.
* Bluescreening, freezing, slowness, or crashes can be the result of hardware problems just as easily as viruses. Do some [[Hardware Diagnostics]] to determine whether your computer has a hardware problem.
* '''Mouse moves on its own''': someone has infected and ''hijacked'' the computer. Ensure it's disconnected from the network before taking any other steps; then either do a ''very thorough'' clean, or just wipe the system.
* '''Computer is slow''': When is it slow? Slowness can result from too many autostarted programs, old hardware, or even Windows updates. If a virus infection is causing slowness, it is severe enough that you will see other clear symptoms of an infection as well.
* '''"Memory at <hex code> cannot be referenced"''': This is more likely a problem with a specific program (see [[Known Image Issues]]), a problem with the RAM, or a hard disk problem. Try switching out the memory module(s) or run diagnostics on the memory.

=== Using Autoruns to detect malware ===
* Get Autoruns from http://live.sysinternals.com/autoruns.exe
* Run it and accept the license agreement.
* Hit Escape to cancel the initial scan.
* Under "View", select "Hide Microsoft Entries" (malware cannot sign itself as a Microsoft product). This cuts the list down to a manageable size.
* Refresh (F5) to rescan.
* Look near the bottom, under Winlogon, WinNotify, or LSA. See something oddly named? Does it list a company? What does Google say when you search for the filename?
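To make the "Hide Microsoft Entries" step and the oddly-named-entry check concrete, here is an added example (not code from the original page, and not part of Autoruns) that runs the same triage over a constructed list of autostart entries. The entry records, the rule set and the sensitive locations are this example's assumptions. One caveat it bakes in: an entry only counts as Microsoft's when its code signature has actually verified, because the publisher name by itself is just text inside the file's version resource; in Autoruns, turn on Verify Code Signatures so the filter works the same way.

```python
"""Triage autostart entries the way the Autoruns walk-through does.

Added example, not from the original page and not Sysinternals code. The
entries below are constructed sample data shaped like Autoruns rows
(location, entry name, image path, publisher, whether the signature
verified). The filter and the suspicion rules are this example's own
assumptions, not Autoruns features.
"""
from dataclasses import dataclass

# The registry areas the walk-through tells you to look at "near the bottom".
SENSITIVE_LOCATIONS = ("Winlogon", "WinNotify", "LSA")


@dataclass
class AutorunEntry:
    location: str    # registry key or folder the entry is registered in
    name: str        # entry name as shown in the Entry column
    image_path: str  # file the entry launches
    publisher: str   # Publisher column ("" when the file carries no company info)
    verified: bool   # True only when the code signature actually verified


def hide_microsoft(entries):
    """'Hide Microsoft Entries': drop entries whose *verified* signer is Microsoft.

    An unverified entry that merely claims "Microsoft Corporation" stays on
    the list, since that string can be written into any file.
    """
    return [e for e in entries
            if not (e.verified and e.publisher.startswith("Microsoft"))]


def reasons_to_look_closer(e):
    """Rules (assumed here) that make an entry worth a web search."""
    reasons = []
    if any(loc.lower() in e.location.lower() for loc in SENSITIVE_LOCATIONS):
        reasons.append("loads from Winlogon/WinNotify/LSA")
    if not e.publisher:
        reasons.append("no publisher")
    elif not e.verified:
        reasons.append("publisher string not backed by a verified signature")
    path = e.image_path.lower()
    if "\\temp\\" in path or "\\appdata\\" in path:
        reasons.append("image lives in a user-writable directory")
    return reasons


def triage(entries):
    """Return {entry name: [reasons]} for entries that survive the Microsoft
    filter and trip at least one rule."""
    flagged = {}
    for e in hide_microsoft(entries):
        r = reasons_to_look_closer(e)
        if r:
            flagged[e.name] = r
    return flagged


# Constructed sample data (not taken from a real machine).
SAMPLE = [
    AutorunEntry(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
                 "crypt32chain", r"C:\Windows\System32\crypt32.dll",
                 "Microsoft Corporation", True),
    AutorunEntry(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
                 "mra128", r"C:\Windows\System32\mra128.dll", "", False),
    AutorunEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 "ctfmon", r"C:\Windows\System32\ctfmon.exe",
                 "Microsoft Corporation", True),
    AutorunEntry(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 "YahooMessenger", r"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe",
                 "Yahoo! Inc.", True),
    AutorunEntry(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                 "svchost", r"C:\Users\user\AppData\Local\Temp\svchost.exe",
                 "Microsoft Corporation", False),
]

if __name__ == "__main__":
    for name, why in triage(SAMPLE).items():
        print(f"{name}: {'; '.join(why)}")
```

In the constructed sample the two verified Microsoft entries disappear, Yahoo Messenger survives the filter but trips nothing, and the two entries that remain are exactly the ones the walk-through describes: an unsigned, publisher-less file under Winlogon, and a file calling itself svchost that cannot prove it and lives in a temp folder.
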
== Understanding Viruses ==
Dealing with malware (malicious software) and viruses is no easy task. Please read carefully to understand a little about how viruses work.

=== Viruses can change their filenames to avoid detection ===
A programmer can design a virus (let's call the virus "trojan2k7") to do various things: infect computers, corrupt files, record the user's keystrokes, display ads, et cetera. The virus is inside an .exe or .dll file ''whose name can change over time''. On one computer the file might be called <code>abc567.exe</code>, and on another it might be called <code>mra128.exe</code>. The virus merely needs to give instructions to the Windows registry to start the program when Windows starts; the program's name can be anything at all, as long as the registry instructions reflect it.

While we count on Symantec to find a lot of viruses, Symantec and other virus scan programs have a MAJOR weakness: they look for viruses by their filename. Antivirus programs are fighting an uphill battle because they rely on ''specific filenames'' to keep track of viruses. When the name changes, Symantec's database needs to be updated, telling it to look for that virus, before it will detect the new threat. So even if your security software is up to date, ''you are never fully protected'', and scanning an infected machine ''will always miss some viruses''. So if you're really bent on cleaning a machine without reinstalling the OS, you'll need to put on your sleuth hat and do the work yourself.

The programs you use in the cleaning steps below basically give you a list of lots of programs on your computer. Your job is to go through the list and decide whether each item is valid or dangerous, spot the malware, and remove it. Some of the programs are obviously harmless (Yahoo Messenger, Intel drivers); others are unfamiliar but important (ctfmon.exe? ImScInst.exe?). Most of the ones you don't immediately recognize as safe, you'll search for by name on Google. If the name is associated with a valid program and there are millions of results, the exe is probably valid. If the name is associated with suspicious activity and there are fewer results, it's likely malware and should be removed. After going through this process a couple of times, you get a sense of which programs are familiar and which might be dangerous.

=== An unorthodox parallel: The Mothership ===
Ever notice that even when you delete an infectious EXE file, it reappears the next day? Read Petar's trippy metaphor to get a sense of how viruses reproduce.

The WinLogon and LSA sections can be thought of as the MOTHERSHIP (ever seen the movie Independence Day?). Until you kill the mothership, it will keep sending nasty malware to the system.

In the movie Independence Day, the nations of Earth sent nukes, conventional bombs, helicopters, fighters, etc. at the malicious attackers, but none of the methods proved useful, as the MOTHERSHIP was protecting the attackers. Similarly, the malicious executables in the WinLogon and LSA sections protect the malware. You can try nuking them (with antivirus programs, Spybot, Ad-Aware, MalwareBytes, and any other automated programs), but just trying to nuke rarely works.

In the aforementioned movie, two individuals infiltrated the mothership and thus disabled the defenses. Similarly, you will need to infiltrate the WinLogon and LSA sections to disable the malware there. The easiest way to do this is to boot into Bart, or connect the infected hard disk through a USB adapter. Then look for the executables you saw in the WinLogon and LSA sections (typically in windows\system32).

A more advanced way to infiltrate the WinLogon and LSA sections is to boot in Safe Mode, use Autoruns, and write down the name and location of the BAD files in the WinLogon and LSA sections. Then use http://live.sysinternals.com/procexp.exe to kill the smss.exe process, then the winlogon.exe process, then the lsass.exe process. After these are killed, open a command line window and use the del command to delete the files that you found were bad. You will need to hold down the power button to shut down the computer. After you've deleted the BAD files in the WinLogon and LSA sections, you can use Symantec, Ad-Aware, Spybot, MalwareBytes, and whatnot to do a full system scan and NUKE any leftover malware.

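The two sections above make one practical point: the filename is the least reliable thing about a file, and a file you deleted can be dropped again under a new name. The following added example (not code from the original page) shows the content-based alternative: take a listing of a folder on two days, hash each file's bytes, and report which "new" files are really the same content as something that was already there. The two listings are constructed in memory with placeholder bytes standing in for real binaries; on a real machine you would read the files from the suspect folder instead.

```python
"""Compare two snapshots of a folder by file content rather than by filename.

Added example; not code from the original page. The snapshots are
constructed dicts (filename -> bytes) standing in for two listings of
C:\WINDOWS\system32 taken a day apart. Hashing the bytes instead of
trusting the name is the point: a file that was renamed, or deleted and
re-dropped under a fresh name, still has the same SHA-256.
"""
import hashlib


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def index_by_hash(snapshot):
    """Map content hash -> sorted list of filenames carrying that content."""
    idx = {}
    for name, data in snapshot.items():
        idx.setdefault(sha256_of(data), []).append(name)
    for names in idx.values():
        names.sort()
    return idx


def compare_snapshots(before, after):
    """Classify every file in `after` relative to `before`:
      unchanged - same name, same bytes
      renamed   - same bytes as a file that existed under another name
      new       - content never seen before
    and list the names that vanished (removed)."""
    before_idx = index_by_hash(before)
    result = {"unchanged": [], "renamed": [], "new": [], "removed": []}
    for name, data in after.items():
        h = sha256_of(data)
        if name in before and sha256_of(before[name]) == h:
            result["unchanged"].append(name)
        elif h in before_idx:
            result["renamed"].append((before_idx[h][0], name))
        else:
            result["new"].append(name)
    result["removed"] = sorted(n for n in before if n not in after)
    return result


def respawned_files(before, after):
    """(old name, new name) pairs where the old file is gone but its exact
    content is back under a different name: the 'it reappeared the next
    day' case from the mothership section."""
    return [(old, new)
            for old, new in compare_snapshots(before, after)["renamed"]
            if old not in after]


# Constructed sample contents; the bytes are placeholders, not real binaries.
DAY1 = {
    "ctfmon.exe": b"legit-ctfmon-bytes",
    "abc567.exe": b"trojan2k7-payload",
    "helper.dll": b"mothership-dropper",
}
# Next day: the user deleted abc567.exe, but the dropper in helper.dll
# put the identical payload back under a new name.
DAY2 = {
    "ctfmon.exe": b"legit-ctfmon-bytes",
    "mra128.exe": b"trojan2k7-payload",
    "helper.dll": b"mothership-dropper",
}

if __name__ == "__main__":
    for old, new in respawned_files(DAY1, DAY2):
        print(f"{old} came back as {new}; its dropper is still on the system")
```

Run against the constructed data, the comparison reports <code>abc567.exe</code> as removed and <code>mra128.exe</code> as a rename of it, which is the signal that deleting the payload alone did nothing and the file that re-creates it (the "mothership") still has to be found.
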
== Manually clean viruses and malware ==

* Remember that we do not do malware cleanup for customers.
* The "supported" way of cleaning out malware is backing up files and reinstalling the OS (reimaging if possible).

Nevertheless, if you NEED to remove malware from a machine without reinstalling Windows, this page explains how. I think you'll see why we've stopped supporting malware cleanup. Please be familiar with the "Understanding Viruses" section above.

=== Basic steps ===
This is guaranteed to ''not'' remove all viruses from a system. But these steps get ''most'' viruses, and if a user is unwilling to reimage a computer, you can direct them to take these steps to get some measure of safety.

* Back up all documents & personal files.
* Install [http://sav.middlebury.edu/sav/ SAV], [http://www.safer-networking.org/en/spybotsd/index.html Spybot], and [http://malwarebytes.org/ MalwareBytes]. Ensure these are all updated.
* Reboot in Safe Mode (press F8 on boot).
* Open SAV and do a full scan. SAV can miss some infections and focuses more on viruses than on spyware, but it's a great place to start.
* Run Spybot and do a full scan.
* Run MalwareBytes and do a complete scan.

=== Uninstall unsafe programs ===
Some programs are particularly linked to viruses and should be removed to avoid reinfection.
* Uninstall AIM. Some viruses change the away messages; people click the malicious links in away messages and get reinfected.
* Uninstall all P2P filesharing programs, including but not limited to Kazaa, mIRC, LimeWire, etc. People use P2P applications and get reinfected.

=== Use HijackThis to find suspicious programs ===
HijackThis is an awesome program that ''lists every single program that starts up when your computer starts''. It's not a pretty program; it's actually pretty plain. It just puts the programs in a long list showing their name, what they are, and where they are located.

# Download and install [http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis HijackThis] from Trend Micro.
# Restart in SAFE MODE (press F8 on boot), then open HijackThis.
# In HijackThis, run a scan and save a logfile for future reference.
# Go through and check each HijackThis entry. If it's an Internet Explorer item, ensure that the associated website or file is valid. If you are unsure about a strange filename, check it on Google. Look through the Google search results for information saying that the file is valid and what it is for. If you don't find any such explanation, the file is suspicious. Check it for deletion.
# Once you've gone through the list, try to find the location of each suspicious file in Windows Explorer and change the file extension to .BAD or something other than .exe or .dll; that way the program is permanently paralyzed. Be aware that some programs also make backups / copies elsewhere; if the program reappears when you do a second scan, it may be because another copy of the program (or a "mother" program) helped it respawn.
# Then delete the checked (suspicious) entries in HijackThis for good measure; HijackThis makes a backup of all entries deleted, so you can always get them back later.
# (Optional) Locate the logfile you saved earlier and submit it to one of the HijackThis online forums, such as [http://hijackthis.de hijackthis.de]. This will give a second opinion on which items are suspicious and which are safe.
# Once you've gone through all items in the list, RESTART the computer again into Safe Mode. Then run HijackThis again and go through to make sure that the items you deleted did not ''reappear'' on the list. If they did reappear, you've probably missed an important file somewhere on the list.

=== Manually check system folders ===
In Windows Explorer, check C:\WINDOWS and C:\WINDOWS\system32 for suspicious files:
# In Details view, sort files by date modified. Look around the month that the problems started appearing. Generally, only DLL and EXE files are dangerous.
# Show the Comments and Company Info columns. Malware often has no details entered here (although its authors could easily add them).
# Scan filenames for gibberish or "unprofessional" names. Much malware can be spotted by an obvious filename.
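The three checks above can be scripted over a directory listing. The following is an added example, not code from the original page, that applies them to constructed file records (name, modified date, Company field) and reports only files that trip at least two of the three, since a single hit is common for legitimate system files. The records, the date window and the gibberish heuristic are all this example's assumptions; on a real machine you would fill the records from a directory walk plus each file's version resource.

```python
"""Apply the 'manually check system folders' checks to a directory listing:
date window, missing company info, gibberish-looking name.

Added example, not from the original page. It runs on constructed records
instead of a live C:\WINDOWS\system32 so it works anywhere. The gibberish
scoring is this example's own heuristic, not a documented rule.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import re

DANGEROUS_EXT = (".exe", ".dll")
VOWELS = set("aeiouy")


@dataclass
class FileRecord:
    name: str
    modified: date
    company: str  # Company column from the version resource; "" when absent


def looks_like_gibberish(stem: str) -> bool:
    """Heuristic (assumed here): letters mixed with digits in a name of six
    or more characters, a run of six or more consonants, or almost no vowels."""
    s = stem.lower()
    letters = [c for c in s if c.isalpha()]
    digits = [c for c in s if c.isdigit()]
    if letters and digits and len(s) >= 6:
        return True
    if re.search(r"[bcdfghjklmnpqrstvwxz]{6,}", s):
        return True
    if len(letters) >= 6 and sum(c in VOWELS for c in letters) / len(letters) < 0.2:
        return True
    return False


def sweep(entries, problems_started: date, window_days: int = 45):
    """Return {filename: [reasons]} for EXE/DLL files worth a closer look."""
    lo = problems_started - timedelta(days=window_days)
    hi = problems_started + timedelta(days=window_days)
    flagged = {}
    for f in entries:
        stem, dot, ext = f.name.rpartition(".")
        if not dot or ("." + ext.lower()) not in DANGEROUS_EXT:
            continue  # step 1: only DLL and EXE files are of interest here
        reasons = []
        if lo <= f.modified <= hi:
            reasons.append("modified around when the problems started")
        if not f.company:
            reasons.append("no company info")
        if looks_like_gibberish(stem):
            reasons.append("gibberish name")
        # One hit alone is common for legitimate files (see ntoskrnl.exe
        # below); two or more is what earns a web search.
        if len(reasons) >= 2:
            flagged[f.name] = reasons
    return flagged


# Constructed sample listing (dates and company strings are made up).
PROBLEMS_STARTED = date(2009, 3, 10)
SAMPLE = [
    FileRecord("ntoskrnl.exe", date(2008, 4, 14), "Microsoft Corporation"),  # odd name, but old and attributed
    FileRecord("mra128.exe", date(2009, 3, 8), ""),                          # trips all three checks
    FileRecord("ImScInst.exe", date(2007, 11, 2), "Intel Corporation"),      # unfamiliar but clean
    FileRecord("xkqtrvb.dll", date(2009, 3, 12), "Microsoft Corporation"),   # recent and gibberish
    FileRecord("readme.txt", date(2009, 3, 9), ""),                          # not EXE/DLL, skipped
    FileRecord("hpzipm12.exe", date(2006, 1, 5), "HP"),                      # only the name check fires
]

if __name__ == "__main__":
    for name, why in sweep(SAMPLE, PROBLEMS_STARTED).items():
        print(f"{name}: {', '.join(why)}")
```

The threshold of two hits is the practical part: the name heuristic alone would also point at <code>ntoskrnl.exe</code>, which is why the walk-through pairs the name check with the date and company columns rather than relying on any one of them.
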
=== Check what programs are running ===
You need to restart into normal Windows, not Safe Mode, to do these steps effectively.
# Download and run [http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx TCPView] from Sysinternals. TCPView will show every application trying to access the internet.
# Check through the list of processes in TCPView. As with HijackThis, google the filename of any unfamiliar or suspicious process; if it looks like malware, search the computer to locate and delete or disable the file (by renaming the extension to .BAD).
# Download and run [http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx Process Explorer] from Sysinternals. As before, go through the list checking for suspicious or unknown programs; remove any dangerous ones you find.
# Check for rootkits with [http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx Sysinternals RootkitRevealer].
# DO A FINAL SCAN with HijackThis now. This is important because malware may have reproduced in the meantime.
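TCPView's question, "which programs are talking to the internet, and do I recognize them?", can also be asked of text output. The added example below (not from the original page, and not TCPView or Process Explorer code) parses a listing constructed in the shape of Windows <code>netstat -ano</code> output, joins each connection's PID to a constructed process table standing in for the Process Explorer view, and reports connections to non-local addresses from processes that are not on a known-good list. The listing, the process table and the known-good list are all constructed for the example.

```python
"""Find processes holding network connections and single out the ones that
are not on a known-good list: the TCPView step, done over text.

Added example, not part of the original page. NETSTAT is constructed in the
shape of `netstat -ano` output (addresses are from documentation ranges),
PROCESSES is a constructed PID -> image table, and KNOWN_GOOD is an
assumed allowlist; on a real machine you would feed in live output.
"""
import re

NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED     1180
  TCP    192.168.1.5:49152      203.0.113.10:80        ESTABLISHED     2244
  TCP    192.168.1.5:49170      198.51.100.7:6667      ESTABLISHED     3316
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  UDP    0.0.0.0:500            *:*                                    612
"""

PROCESSES = {  # constructed PID -> image name, as Process Explorer would show
    1180: "ctfmon.exe", 2244: "iexplore.exe", 3316: "mra128.exe",
    884: "svchost.exe", 612: "lsass.exe",
}

KNOWN_GOOD = {"iexplore.exe", "svchost.exe", "lsass.exe", "ctfmon.exe"}

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat -ano style lines into dicts; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state or "", "pid": int(pid)})
    return rows


def split_host_port(addr):
    host, _, port = addr.rpartition(":")
    return host, port


def is_local_or_private(host):
    """Loopback, unspecified, wildcard or RFC 1918 ranges count as local;
    anything else is treated as 'out on the internet' for triage. IPv6 and
    hostnames are not handled by this example and are not flagged."""
    if host in ("*", "0.0.0.0", "::"):
        return True
    parts = host.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return True
    a, b = int(parts[0]), int(parts[1])
    return a == 127 or a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def suspicious_connections(rows, processes, known_good):
    """(image, pid, foreign address, state) for connections to non-local
    addresses held by processes that are not on the known-good list."""
    out = []
    for r in rows:
        image = processes.get(r["pid"], "<unknown>")
        host, _port = split_host_port(r["foreign"])
        if image not in known_good and not is_local_or_private(host):
            out.append((image, r["pid"], r["foreign"], r["state"]))
    return out


if __name__ == "__main__":
    for image, pid, foreign, state in suspicious_connections(
            parse_netstat(NETSTAT), PROCESSES, KNOWN_GOOD):
        print(f"{image} (PID {pid}) -> {foreign} [{state}]: look this name up")
```

In the constructed listing the browser's connection is ignored because the image is on the known-good list, the loopback and listening sockets are ignored as local, and the one line left is an unfamiliar executable holding an established session to an outside host, which is the entry the walk-through tells you to google and then locate on disk.
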
== Notes on specific viruses ==

=== Phishing program: "Antivirus XP 2009" ===

This program goes by multiple names, such as '''Antivirus XP 2008''' and '''System Protect 2009'''. Symptoms:
* The user did not voluntarily install it.
* It pops up at random times looking like an authoritative virus scanner, rapidly detecting many serious threats and listing them for you. (The threats are made-up names; they point to nonexistent files.)
* It tells you your computer is seriously infected (which it is by this point) and offers to clean the threats for you if you upgrade to the full version of the program.

Multiple people have been tricked into purchasing the full version of this program, which provides no real protection, actually ''installs'' more viruses on your system, and may possibly inject pop-up ads and keyloggers as well. This malware is '''very difficult to remove''' (MalwareBytes may be able to uninstall it) and it may be better just to reimage a system that has this infection on it.

=== Win32 Koobface ===
writeup.jsp?docid=2008-080315-0217-99
Much better write-up: http://vil.nai.com/vil/content/v_148955.htm
Spreads through USB/firewire/flash drives.

It's an unfortunate, but ever-present possibility: any time your computer is connected to the internet, there is the chance that malware or viruses can infect it. The Helpdesk receives dozens and dozens of calls per week requesting assistance with malicious software that is disrupting a computer's functionality. Right off the bat, we can tell you that, similar to the way regular checkups are the best way to maintain your health, the best countermeasures against malware are preventative: you should have both an anti-virus program and an anti-malware program installed on your computer, and you should be browsing the internet behind a firewall--either one that's installed on your computer, or one that network administrators install on the network, or both. Unfamiliar with what these terms mean, or how to go about installing these things on your machine? No worries. It's all explained below. (Or, if you're in a rush, you can check out a security checklist we are currently developing: [[Computer Security Checklist]].)

But before you go any further, take note: because of the high frequency of requests for assistance with malware-related issues, the Technology Helpdesk requires you, the user, to perform several steps on your own before you ask that we get involved. This, too, is explained below.

== What should I be looking for? ==

=== Types of computer infection ===
There are many types of computer infection with varying levels of threat to your computer and personal data. Here is a brief breakdown:
* Malware — a combination of the terms "malicious" and "software" — is a catchall word used to describe threats such as viruses, worms, Trojan horses, spyware, adware, and software installed by hackers.
* Viruses and worms (a type of self-replicating virus) usually spread very quickly and can cause a number of problems, including repeated computer crashes or the deletion of important files. Unlike traditional viruses, Trojan horses cannot spread on their own, but they are just as dangerous, tricking users into installing them by masquerading as a legitimate or useful program. Once it has infected your computer, a Trojan horse can even allow hackers to access your computer or force it to attack other networks.
* Adware will merely annoy you by occasionally (or frequently) subjecting you to pop-up ads. However, malignant forms of spyware can have more serious consequences. For example, a nasty piece of spyware could redirect your home page against your will or hog so much memory that your computer slows to a crawl. The worst spyware variants can even steal your personal data by installing a keylogger, a component that records every keystroke you make and sends a log back to a cyber-thief.

=== Symptoms of infection ===
Not all complaints mean that a computer is infected. Here are some common symptoms of infection:
* Pop-up ads: Particularly watch out for popups from an unfamiliar program warning you that your computer is infected with viruses; the popup is fake and malicious.
* Error messages mentioning filenames that look fake or suspicious.
* Bluescreening, freezing, slowness, or crashes can be the result of hardware problems just as easily as viruses. Do some [[Hardware Diagnostics]] to determine whether your computer has a hardware problem.
* Mouse moves on its own: someone has infected and hijacked the computer. Ensure it's disconnected from the network before taking any other steps; then either do a very thorough clean, or just wipe the system.
* Computer is slow: When is it slow? Slowness can result from too many autostarted programs, old hardware, or even Windows updates. If a virus infection is causing slowness, it is severe enough that you will see other clear symptoms of an infection as well.

=== My Computer is Quarantined or in the Penalty Box ===
If you get a message that your computer has been quarantined or is in the penalty box, please follow the instructions at [[Penalty_Box]].

== My computer might be infected! How do I fix it? ==

=== Helpdesk policy on malware support ===
The kind of support we can provide differs between faculty/staff and student computers, as detailed below.

Personally owned computers are not officially supported by the College. If a student with a non-College computer comes in for malware assistance, Helpdesk consultants may oversee and advise a student's efforts, but it is the student's responsibility to treat and remove the malware infection, even when it comes to re-imaging. If it comes down to a situation where you, a student with a non-College computer, need to re-image, we'll ask if you have the CDs that came with your computer, or if your computer has a special partition on its hard drive that contains the computer's image. If you don't have a special partition, but you do have CDs, except the CDs are at home, we'll suggest you have them shipped to you. If the CDs have been misplaced, or there were no CDs that came with the computer (which is increasingly common), we'll suggest contacting your vendor (Dell, HP, Toshiba, etc.) to see what they suggest or if you can purchase new ones.

=== Faculty and staff computers ===
All Middlebury faculty and staff computers, as well as all public workstations, are fully supported by the Technology Helpdesk. In general, if a machine has a Midd # on a blue tag somewhere on it, the Helpdesk covers it.

However, personal computers owned by faculty and staff are not covered. Those machines are subject to the same rules as student computers purchased independently of the College--which is to say, the Helpdesk can direct you to the proper resources, but the actual countermeasures are the user's responsibility.

Due to the increasing number and severity of viruses in the world, if you suspect that your College-owned computer may be infected, please remove it from the network by unplugging Ethernet cables and disabling the wireless switch on the side of the computer if applicable, and contact the Technology Helpdesk using Web Helpdesk or at x2200. (For personal computers, see above.) If you have a laptop, we ask that you bring it in to our Walk-in center located on the main floor of the Main Library (room 202). After you drop off your laptop, you can walk across the lobby to the Circulation Desk to check out a loaner laptop while your personal laptop is being processed. If you have a desktop or tower computer, then please contact the Technology Helpdesk at x2200 and ask for the unit to be picked up.

We can help you scan your College computer and clean viruses if possible. If the system cannot be cleaned, it may be necessary to wipe and re-image it; this will be determined on a case-by-case basis. Because of this possibility, it is important to always keep your important documents on Middfiles so they will not be lost.

A re-image usually takes 2-3 business days from the time we receive your computer, so if you cannot make do with public workstations and need to use a personal laptop during that time, you will need to check out a loaner from the Circulation Desk on the main floor of the Main Library. You should check with the Circulation Desk as soon as possible to see if there are any loaners available, either in person, on Midcat, or by calling ext. 5494.

== Computer Security Checklist ==
We are currently compiling a cross-platform, comprehensive checklist of preventative anti-virus and anti-malware measures: [[Computer Security Checklist]]. The checklist is also a good resource if you suspect that a malicious program has infiltrated your security and you are actively being infected.

== More resources to help you protect yourself and your computer ==