Monday, February 25, 2013

Removing Viruses (and other types of malware)

To put it simply getting hit by malware (e.g. viruses, Trojan horses, worms, etc.) sucks.  Sometimes it can be caused by doing something simple or not very obvious or other times it can be caused by doing something dumb.  As the old cliche goes, "There is no use crying over spilt milk because it only makes it sour for the cat".

All you can do is try to clean up what you can.  Modern malware can be virulent depending on the strain that attacked your machine.  Try to figure out how you were hit, did you open an email attachment, click a link on a website, download a file from the Internet and run it, etc.?  Try to learn from the mistake if you can.

Warning: Follow the advice in this article at your own risk, the author is not responsible for any type of damage (or other type of consequences) that can be caused by following the advice in this document.  Make sure you have a good backup of your data before proceeding with any of the information below.

Cleaning Up From a Malware Attack
The problem with modern malware, is its designed to be difficult to remove.  In most cases you have two choices.  One, if you're extremely paranoid and have lots of time you can format your hard drive and re-install your operating system (warning: before doing this make sure that you have a good backup of your data, and have product keys, OS media disk, any special drivers you need, and copies of your applications).  Two, if you're not extremely paranoid or don't have you lots of time, you can try some of the following things:
  • Make sure your reputable real-time anti-malware application (beware of rouge and fake versions of these products, if you have never heard of the company before then you might not want to trust it) is working, and up-to-date, then run a scan of your computer and see if its detect anything. 
  • You can also download and run a stand-alone anti-malware scanner to get a second opinion such as: Microsoft Safety Scanner, or Malwarebytes (note: its sometime better to use scanner from a different vendor to get an accurate second opinion.).
    • When utilizing these tools, its advisable to reboot your computer into Safe Mode (press F8 several times during start-up, and select "Safe Mode") and run them.
  • Change web site passwords that have been effected or are critical accounts (e.g. work, financial related, etc.).
  • Run Windows Update and make sure your operating system software and applications are up-to-date.
  • I would also recommend uninstalling All versions of Java and Adobe Acrobat reader
    • Malware often utilizes vulnerabilities in these applications.  
    • There are some applications you may need that utilize Java.  If you must keep it, uninstall all the old versions, and make sure you're using the most up-to-date version 
  • Make sure your Flash plug-in is up-to-date.
    • If your Flash plug-in is not up-to-date, download and install the latest version
  • Its also a good idea to make sure that you have a good backup of all your data.
  • For more advanced user, you might want to check your HOST file and DNS settings (see below) to make sure that they were not modified.
    • Checking your DNS configuration settings
      • In the Start menu search field, type Network Connections and select View network connections.
      • In the Network Connections window, right-click a connection that needs an alternate IP address configuration (e.g., Local Area Connection) and select Properties.
      • In the Properties dialog box, on the Networking tab, scroll down and click Internet Protocol Version 4 (TCP/IP v4) and press the Properties button.
      • In the General tab, enter the information for the main network you use (such as a static IP, subnet mask, default gateway and DNS server information).
    • I would also recommend setting up an alternate trusted DNS provider, such as OpenDNS and Google Public DNS.
  • Sometimes malware can also install applications that auto-start when your system boots, use System Internals Autoruns to view all programs that are executed at start-up.  Review all the applications for suspicious entries.
  • Sometimes malware will also install applications to get executed under certain conditions by the Task Scheduler.  From the Start menu search field type: Task Scheduler, and review all the task for suspicious entries.
  • Malware is getting smart enough to leverage web site settings in Twitter (e.g. Twitter Oauth) and Facebook (e.g. Facebook Login) because of their support for authentication and setting up application trust for third party web sites. To prevent this from happening to you, review the settings in your profile and unauthorized any site or application that you don't trust.
    • Utilizing this technology malware can log into other sites, and even post entries in other people's news streams.  Recently some malware was posting malicious links on a friend's Facebook profile from Twitter.  If someone clicked the link and their system was vulnerable their Facebook account would have been taken over too.
  • There are going to be times where conventional malware removal techniques will not work, and will require the computer to be booted into safe mode or utilize a special boot media (e.g. flash drive or optical media) that can remove the virus from the operating system while its not active. One example of this type of tool is Windows Defender Offline.
This might not help the situation, but hopefully it will purge any copies of the malware that might be in temporary areas.
  • Delete your browser cache (Internet Explore and Firefox, press Ctrl-Shift-Del)
  • You might considering dumping your Restore Points, sometimes infected files can get backed up by this system process.
    • Open the System control panel, click the System protection link. Select a drive, press the Configure button, then press the Delete button.
  • Run the Disk Cleanup (Start menu > All programs > Accessories > System Tools), this will purge temporary file locations on the system.
    • Even after cleaning your computer with these methods there are no guarantees that its malware free.
    • The links to the products in this document are for reference only, and they're not recommended or endorsed by the author.

No comments: