Sunday, November 4, 2012

How to remove an Infection


NOTE: All example directories used in this tutorial are from Windows 7, so if you have an earlier version of Windows the file paths may differ from the ones used here. In that event, please use http://www.google.com to find the equivalent path for your version of Windows.

Table of Contents
  • How to check yourself for common infections.
  • What safety cautions to take if an infection is found.
  • What do I do if I think I'm infected?
  • What NOT to do.
  • Some important things you should know about computer security.
  • My recommendations on security software.
  • Conclusion.

--

How to Check Yourself For Common Infections



A)

Understanding the infection

The first thing you must understand is how viruses, trojans, adware, worms, etc. work. Generally, when you run an infected file, the first thing it tends to do is create and drop other malicious files in locations such as:
  • Temp folder: %USERPROFILE%\AppData\Local\Temp (that is, C:\Users\<your username>\AppData\Local\Temp, also reachable as %TEMP%)
  • Windows folder: C:\Windows
  • Drivers folder: C:\Windows\System32\Drivers

And more; these are just common directories, but they can also be custom ones (for example, a Cybergate RAT infection may drop a file in the C:\Windows\System32\Adobe folder, since RATs and other infections can drop files in directories of their own choosing).

This does NOT mean, however, that you should go deleting everything in those folders. Never, EVER delete files unless you're SURE they are malicious. Deleting a Windows system file can, and likely will, leave you with a computer that doesn't boot or work properly.
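To look at those drop locations without deleting anything, here is an added example (it is not part of the original post) that lists executables written to them recently and reports whether each one is digitally signed. It assumes Windows 7 or later with PowerShell 2.0 or newer, run from an elevated prompt so that C:\Windows\System32\Drivers is readable; the seven-day window and the list of extensions are arbitrary choices of mine, not something the infection guarantees.

```powershell
# Added example, not from the original post: list executables written recently to the
# common drop locations named above, with their Authenticode signature state.
# Read-only: it deletes nothing. Assumes Windows 7+ with PowerShell 2.0+, elevated.
$days   = 7                                   # arbitrary lookback window
$cutoff = (Get-Date).AddDays(-$days)
$dirs   = @(
    @{ Path = "$env:USERPROFILE\AppData\Local\Temp"; Recurse = $true  },   # per-user Temp (%TEMP%)
    @{ Path = "$env:SystemRoot\Temp";                Recurse = $true  },   # system-wide Temp
    @{ Path = $env:SystemRoot;                       Recurse = $false },   # C:\Windows itself, not subfolders
    @{ Path = "$env:SystemRoot\System32\Drivers";    Recurse = $false }
)
$exeLike = '^\.(exe|dll|sys|scr|com|pif|cpl)$'    # file types Windows will execute or load

$found = foreach ($d in $dirs) {
    if (-not (Test-Path -LiteralPath $d.Path)) { continue }
    Get-ChildItem -LiteralPath $d.Path -Force -Recurse:($d.Recurse) -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Extension -match $exeLike -and $_.LastWriteTime -gt $cutoff } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Written   = $_.LastWriteTime
                Signature = $sig.Status          # Valid / NotSigned / HashMismatch / ...
                Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Path      = $_.FullName
            }
        }
}

# Unsigned or hidden executables that appeared in these folders recently are the ones to
# research (hash lookup, scanner verdicts) before you even think about deleting them.
$found | Sort-Object Signature, Written -Descending | Format-Table Written, Signature, Hidden, Path -AutoSize
```

An unsigned file in this list is a lead, not a verdict: installers and updaters legitimately leave unsigned helpers in Temp, and a signed file can still be malicious if the signing certificate was stolen. Use the output to decide what to research, not what to delete.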

Next, the infected file will attempt to execute the new file(s) it has dropped, and those files generally create registry keys so that they run again after every reboot. Understanding the registry is a must when it comes to knowing how computers and infections work.

For instance, if a file wants to be run for all users when the computer starts, it will create a value under the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This means that when any user starts the computer and logs in, every program listed under this key will be run. However, this key looks similar but sits in a different hive (note the first part of the path):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Programs listed here execute at logon only for the currently signed-in user, not for any other users on the computer. So when checking your startup entries, don't forget to check BOTH hives.

To get to the registry editor/explorer, please do the following:

Press the Windows key (next to the left Alt) + R to bring up Run, type "regedit" and hit Enter.

NOTE: Again, please, for the love of God, don't go deleting registry keys unless you're absolutely certain, without a shadow of a doubt, that the key belongs to a malicious file. Deleting legitimate or protected registry keys can leave you having to re-install your operating system. Always make a backup before working in regedit.

To make a backup of the registry:
  • In regedit, click 'File' > 'Export'.
  • Navigate to a suitable folder and MAKE sure the export range 'All' is selected at the bottom left.
  • Name it 'backup of registry.reg' and hit Save.
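The same two tasks, backing up and then reviewing both Run keys, can be done from PowerShell. The script below is an added example and not from the original post; it assumes Windows 7 or later with PowerShell 2.0 or newer, run from an elevated prompt so the HKLM keys are fully readable. The backup folder name is arbitrary, and the Wow6432Node key is the extra Run key that 64-bit Windows keeps for 32-bit programs.

```powershell
# Added example, not from the original post: back up the Run/RunOnce keys of both hives
# (what regedit's File > Export does, scoped to these keys), then list every entry with
# the executable it points at, whether that file still exists, and whether it carries a
# valid Authenticode signature. Writes only the .reg backups; changes nothing else.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit programs on 64-bit Windows
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Back up first. The folder name is arbitrary.
$backupDir = Join-Path $env:USERPROFILE 'Desktop\run-key-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $regPath = $k -replace '^HKLM:', 'HKLM' -replace '^HKCU:', 'HKCU'     # reg.exe path syntax
    $file    = Join-Path $backupDir (($regPath -replace '[\\:]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
}

# 2. Turn a Run value such as  "C:\Program Files\Foo\foo.exe" /silent  or
#    C:\Windows\system32\rundll32.exe something.dll,Entry  into the executable path.
function Get-ExeFromCommand([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd -eq '') { return '' }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    # Unquoted command line: grow the candidate word by word until it names a real file,
    # which copes with unquoted paths that contain spaces.
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

# 3. Enumerate both hives and flag entries worth researching.
$entries = foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $key = Get-Item $k
    foreach ($name in $key.GetValueNames()) {
        $exe    = Get-ExeFromCommand ([string]$key.GetValue($name))
        $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
        $sig    = 'n/a'
        if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $exe).Status }
        New-Object PSObject -Property @{
            Hive      = $k.Split(':')[0]
            Name      = $name
            Path      = $exe
            OnDisk    = $exists
            Signature = $sig
            # Research it if the file is gone, unsigned, or runs out of Temp/AppData.
            Suspect   = (-not $exists) -or ($sig -ne 'Valid') -or ($exe -match '\\Temp\\|\\AppData\\')
        }
    }
}

$entries | Sort-Object Suspect -Descending | Format-Table Hive, Name, OnDisk, Signature, Suspect, Path -AutoSize
```

"Suspect" means look closer, not delete: an entry whose file no longer exists is harmless but tells you something was there, and an unsigned updater for a small program is common. Run keys are only the most common autostart location; Winlogon, services and scheduled tasks can also start a program at boot.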

Lastly, files can do other things, like inject themselves into legitimate processes that are always running, such as explorer.exe; or hook your keyboard, disable your antivirus, alter your hosts file, etc.

But we don't have time to get into that. I just want you to understand that infections usually spread, create registry keys, alter your system, etc., and that removing them takes a lot more than simply deleting one file. It's rare for an infection to consist of just one file.

==
B)
So what signs should I look for?

If experiencing any of the following symptoms, you should assume you're infected:
  • You cannot access specific websites, like antivirus websites, paypal, gaming sites etc.
  • Antivirus is disabled, but not by you; or keeps warning you of attacks/infection.
  • You're getting weird popups like "Server.exe has stopped working, press end to end the program".
  • Fake antivirus scans keep popping up saying you're infected, prompting you to buy anti-virus software.
  • Your online accounts are compromised/hacked.
  • Your webcam turns on by itself, your mouse clicks by itself etc.
  • Porn/advertisement websites pop up by themselves.
  • You're seeing weird files pop up everywhere.
  • Control panel, task manager, command prompt or regedit are disabled, and not by you.
  • Your home page changes and you can't change it back.

If you notice any of these, or anything else suspicious, it may be cause for alarm.

--

What safety cautions to take if an infection is found


If you believe you have an infection, I'm afraid I have bad news.

Your personal information, details, passwords and banking credentials may be at risk.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, get to a known clean computer and change all passwords where applicable, and it would be wise to contact those financial institutions to apprise them of your situation as soon as possible.

If you do not have access to a known clean computer, you will still need to change your passwords, and all other sensitive information, but only once your system is deemed clean.

--

What do I do if I think I'm infected?


First of all, if you have an antivirus, make sure it's up to date and then run a full system scan. Remove anything it finds. Next, run the following scans and remove anything they find:


MalwareBytes Anti-Malware 

Please download Malwarebytes' AntiMalware.

Double click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
    The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
SuperAntiSpyware 

Download SuperAntiSpyware
  • Load SuperAntiSpyware and click the Check for updates button.
  • Once the update is finished click the Scan your computer button.
  • Check Perform Complete Scan and then click Next.
  • SuperAntiSpyware will now scan your computer, and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
ESET Online Security Scanner 

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to Yes, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish. Remove anything it finds.
Combofix (DO NOT use this unless you have no choice and are at least moderately educated with computers) 

Please download Combofix from one of the following locations:

LINK 1
LINK 2

**IMPORTANT! Save Combofix to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, 
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed (this step applies to Windows XP; Vista and 7 already ship with the Windows Recovery Environment). With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode that makes it much easier to help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue with its malware removal procedures.

[Image: RcAuto1.gif]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[Image: whatnext.png]

Click on Yes, to continue scanning for malware.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If you used Combofix, please follow these instructions to remove it, as it's a dangerous tool in the hands of a novice:
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK.
If running these doesn't completely solve your issues, the infection is either FUD (Fully UnDetectable) or too deep for your level of skill; in that case you should let a more experienced user have a look.

--

What NOT to do


This applies to anybody who has no experience removing viruses. Even if you're well versed in computing, you should be careful; it's always better safe than sorry.

First of all, DO NOT delete files, folders, registry keys, anything, until you're positive that what you're deleting is malicious. How do you do that? Well, here are some easy things to try:
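As an added example (not part of the original post), this PowerShell function gathers the facts a practitioner checks before calling a file malicious: where it lives, who signed it, what its version resource claims, whether it is running, and its SHA-256 for a hash lookup. It assumes Windows 7 or later with PowerShell 2.0 or newer; the svchost.exe path at the bottom is a placeholder target that should come back clean, and you replace it with the file you are suspicious of.

```powershell
# Added example, not from the original post: collect the facts you need about one file
# before deciding whether it is malicious. It changes nothing on the system.
function Get-FileTriage([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { throw "No such file: $Path" }
    $file = Get-Item -LiteralPath $Path -Force

    # SHA-256 of the file, so you can look it up at a hash-lookup service without uploading it.
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($file.FullName)
    try     { $hash = ($sha256.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }

    # Who signed it, if anyone. Unsigned is not proof of malice (plenty of small tools are
    # unsigned), but a file claiming to be from Microsoft with no valid signature is a red flag.
    $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Is it running right now? Compare full paths, because a lookalike such as scvhost.exe,
    # or an svchost.exe sitting in Temp, must not be confused with the real one in System32.
    $running = @(Get-Process | Where-Object { $_.Path -eq $file.FullName }).Count -gt 0

    # Legitimate system and application binaries normally live under one of these roots.
    $roots = @("$env:SystemRoot", "$env:ProgramFiles", ${env:ProgramFiles(x86)}) | Where-Object { $_ }
    $inKnownRoot = @($roots | Where-Object {
        $file.FullName.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }).Count -gt 0

    New-Object PSObject -Property @{
        Path        = $file.FullName
        SizeBytes   = $file.Length
        Created     = $file.CreationTime
        Modified    = $file.LastWriteTime
        SHA256      = $hash
        Signature   = $sig.Status
        Signer      = $signer
        Company     = $file.VersionInfo.CompanyName      # what the file claims, not proof
        Description = $file.VersionInfo.FileDescription
        Running     = $running
        InKnownRoot = $inKnownRoot
        Hidden      = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
    }
}

# Placeholder target: the real svchost.exe, which should report a valid Microsoft
# signature, InKnownRoot = True and Running = True. Replace with the file in question.
Get-FileTriage "$env:SystemRoot\System32\svchost.exe" | Format-List
```

Read the fields together rather than one at a time: a hidden, unsigned file outside the known roots whose version resource says "Microsoft Corporation" is far more telling than any single field, and a hash that a scanner service has never seen before is exactly what a FUD sample looks like.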

Secondly, if any pop ups come up saying you're infected and asking you to buy software to remove the infection, IGNORE THEM and DO NOT buy it. It's completely FAKE.

Instead, you likely have a Smitfraud (rogue antivirus) infection, so follow the Smitfraud fix instructions.
Now, lastly, you're probably going to be on the lookout for tools/antiviruses that will help you remove the infection. But the reality is that most of these tools are designed for experts and shouldn't be messed around with, because you'll probably end up having to re-install your operating system. There's also always the chance that the tool itself is fake and actually infects you.

It's best you use the scans/tools I provided earlier on. Or seek help from an expert.

--

Some important things you should know about computer security


Here are some facts I think you should know:
  • Most infections do not damage your computer; rather, they use it to serve adverts, steal information, attack websites or spread the infection further.
  • A trojan is a malicious program disguised as something legitimate, for example a game crack, an installer, or a file named after a Windows process.
  • RATs, infostealers and keyloggers are spyware that can capture screenshots, your webcam, keystrokes and saved passwords, and access your files. A rootkit is different: its job is to hide files, processes and registry keys from Windows and from scanners, which is why it usually travels together with one of the others.
  • Infections can use your hosts file (C:\Windows\System32\drivers\etc\hosts) and your DNS server settings so that visiting certain sites redirects you elsewhere (from google.com to a bad site, for example).
  • Never fix a Winsock (O10) line in HijackThis (HJT), as it can break your internet connection.
  • Only O2, O3 and O9 lines in HJT are definitely missing when it says (file missing); for the other line types that report can be a glitch.
  • Deleting a registry key will NOT delete the file it points to (and deleting the file leaves the key behind, pointing at nothing).
  • Capitalisation in file names or directories makes no difference in Windows, so a lookalike has to use a different spelling (scvhost.exe or svch0st.exe instead of svchost.exe), not different case.
  • If an infection is FUD, scanning will make no difference. Only analysing the computer by hand can help you now.
  • More than one antivirus or firewall at a time causes conflicts and can do more harm than good. Stick to just one of each.
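To check the two redirection points from the list above, the hosts file and the DNS servers, here is an added example that is not part of the original post. It assumes Windows 7 or later and uses WMI so that it runs on PowerShell 2.0; it only reads. The example addresses in the comments are from a documentation range and are constructed, not taken from any real infection.

```powershell
# Added example, not from the original post: check the hosts file and the DNS servers
# each adapter is using, the two places an infection uses to block or redirect sites.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# Return every active hosts entry except the loopback/localhost ones Windows itself may
# carry. On a clean Windows 7 the file is all comments, so the output should be empty.
# Constructed examples of what you might see:
#   127.0.0.1    www.malwarebytes.org   -> blocks the site (a scanner vendor, typically)
#   198.51.100.7 www.paypal.com         -> silently sends you to someone else's server
function Get-HostsEntries([string]$path) {
    if (-not (Test-Path -LiteralPath $path)) { return }
    Get-Content -LiteralPath $path | ForEach-Object {
        $line = $_.Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { return }      # blank line or comment
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }
        $addr = $fields[0]
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($name.StartsWith('#')) { break }                    # trailing comment
            $selfLoop = ($addr -match '^(127\.0\.0\.1|::1)$') -and
                        ($name -match '^(localhost|localhost\.localdomain|broadcasthost)$')
            if (-not $selfLoop) {
                New-Object PSObject -Property @{ Address = $addr; HostName = $name }
            }
        }
    }
}

"== Active hosts file entries (expect none) =="
Get-HostsEntries $hostsPath | Format-Table Address, HostName -AutoSize

# DNS servers per adapter. They should be your router, your ISP or your company's servers;
# an unfamiliar address set on a DHCP-enabled adapter is the classic DNS-changer symptom.
"== DNS servers per adapter =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
    Select-Object Description,
                  @{ Name = 'DHCP';       Expression = { $_.DHCPEnabled } },
                  @{ Name = 'DNSServers'; Expression = { $_.DNSServerSearchOrder -join ', ' } } |
    Format-Table -AutoSize
```

A hosts entry is not automatically malicious: ad-blocking host lists add thousands of 0.0.0.0 or 127.0.0.1 lines on purpose. What matters is entries for banking, antivirus or search sites that point at a real, routable address, and DNS servers you do not recognise on an adapter that should be getting them from DHCP.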

--

My recommendations on security software


For good protection, I would advise you have each of the following:

1. Antivirus
2. Firewall
3. Antimalware
4. Antispyware


One of each is a good amount without the risk of conflicts; two or more AVs can conflict and do more harm than good. The following products I would advise to ANYBODY, but please use no more than one AV and one firewall at a time:

Antiviruses:

Firewalls:

Anti-malware programs (for scans only, no real-time protection):

Anti-Spyware programs:

Other:
  • Ad-aware (free anti-adware).
  • WinPatrol (free program that monitors suspicious changes to your critical system resources; recommended by me).
  • CCleaner (free; run it often to clean out temporary files, the registry, etc.).
  • KeyScrambler (protection against keyloggers; costs money).
Credits to: N3w_2_H@Ck1n™
But remember, your best defense is simply being careful.

--

Conclusion


So in the end, the bottom line is that unless you've had months of training, it's highly recommended you only use scans and the like to remove malware, because manual tools are almost always very dangerous for novices.

Also, remember, just deleting one file or registry key won't remove an infection.
