Keep the infection local.
Disconnect from the network/internet. I mean physically pull out your RJ45/RJ11 plug. This stops the virus from progating throughout your network or over the internet (worms/viruses), stop your data from leaving (calling home) your compromized system (trojans) through backdoors and stops your machine from participating in a zombie mob DOS attack.
Perform a Virus Scan.
This is the first attempt to determine if your system is truly infected. Do a deep scan of every single file and folder on the system. This may take several hours but it is necessary. Make sure your virus definition(Database) is updated. Many of them can update the database locally via a update file you can grab off the offical website.
Grab the prescribed removal tool. Once you've identified the virus infecting your system. you can now better deal with the particular infection by administering the proper "vaccine". You can go to any of the known antivirus companies website and grab a removal tool. This tool will delete any of the known virus-infected files and registry entry made by the virus. Take not of the virus "version" and download the corresponding tool. It will require you to do a scan and then reboot into safe mode and perform the scan again.
I also suggest downloading McAfee's Stinger and PC-Cilin's Virus Cleanup template (and their respective virus definition files) which are standalone/install-less virus removal engine.
• McAfee Stinger
• PC-Cilin VCT
Additionally, you can scan your PC online with
• PC-Cilin Trendmicro's Housecall
• Panda Antivirus Active Scan
• Kaspersky Online Scanner
• McAfee File Scan
• Norton Fee Online Virus Scanner
It is very important that you place any media you're using to trasfer the Removal tool, virus database update file or when performing a scan to read-only-mode until you are certain that your system is no longer infected. If you're media does not have read-only option then don't use it. If you have no choice, once it is put in the system, assume that it is also infected and treat it accordingly. These devices can be put into read-only mode by the sliding button on your device. Read your manual. Any portable media not on read-only mode are susceptible to being infected by the virus.
Check for unusual applications and processes.
A virus is just like a regular application and need to be running in order to work. It should also have a way to start itself up again when the system is rebooted (taking advantage of many of the ways programs automatically start-up in Windows). There are typically five ways that programs start-up automatically in windows and we need to look at these five ways to look for the virus.
1. The most rudimery is the Startup folder. Any application or shortcut that is located in the Startup folder will automatically start-up each time the system is booted into Windows. There are several of these folders located throughout the system notebly each user’s profile
• C:\Documents and Settings\<username>\Start Menu\Programs\Starup
(this includes Default and All Users profiles as well)
• C:\Documents and Settings\Default User\Start Menu\Programs\Startup and;
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup
and Windows system files such as;
• Windows\win.ini, wininit.ini, system.ini
• Windows\system\autoexec.nt, config.nt
more reading: http://www.aumha.org/a/loads.php
2. The most typically is from the Registry. Several locations in the registry that controls auto-startup of applications are contained. The HKEY_USERS and HKEY_CURRENT_USER run when the user logs in while settings under HKEY_LOCAL_MACHINE run when the system starts up. Some of the registry keys that you need to look it include:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
a more extensive list of launch point can be found here:
3. The current favorite is as a Service. Just like running from the registry, any viruses that installs itself as a service can run without user intervention upon start-up. It can also start back up when when you kill it because the service control has the option to restart the service upon a failure (in which case, manually killing it constitutes a failure).
4. Less common is from a Script. The GPO is an enterprise-wide feature that enables the network administrator to write a script to perform certain tasks upon start-up/shutdown on multiple computers in a network/domain using scripting language such as VB, JS,etc. Your computer also has a local GPO and you need to launch the GPO editor console and to check if there are any suspicious scripts running on your system.
Running Scripts are located in
• Local Computer Policy\Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Startup for programs that run when the computer is started and;
• Local Computer Policy\User Configuration\Windows Settings\Scripts (Logon/Logoff)\Logon for programs that run when the user logs in.
If you don't do any scripting, aren't on a domain, then anything in here is considered highly suspicious.
5. Possibly, but rarely, from a Scheduled Task. A scheduled task has the ability to run applications on start up and on log in of a user. They also have the ability to run a program as a different user or as the system itself. The Scheduled Tasks can be found under the Control Panel.
it is very common to see virus writers use a combination of these steps so you need to cover all these basics.
The Microsoft System Configuration Utility or simply MSCONFIG is a tool built into Windows that is designed to help you troubleshoot problems with your computer. You can see some of the programs that run in the background upon startup here together with some registry entries and it's a good place to start. To check your services you need to use Services.msc and to check scripts, as mentioned before, Gpedit.msc. All are run from Start > RUn >
for a more extensive utitily I would recommend AutoRuns from Sysinternals.
Turn off System Restore.
There is some debate about whether to turn off system restore or not when during an infection. The reason why we need to be concerned with system restore is because system restore can at certain times cache a virus which will be restored with the other windows system state files during a system restore operation. Often times you will also get the AV complaining that it is unable to clean one or more files in the System Volume Information data store. The downside is that when you purge the restore points, you will be unable to restore your system to a previous system state if anything goes wrong.
If you suspect that previous restore points contain copies of infected monitored files that your antivirus program was not able to clean, you can remove these files and all the related restore points from the System Restore archive. To do so, turn off System Restore, and then turn it on again.
Notes: When you turn off System Restore, you remove all the restore points. When you turn on System Restore again, new restore points are created as the schedule and events require. Verify that all the signature or the definition files are current. Make sure that your antivirus program is configured to exclude the System Volume Information (SVI) folder (a hidden computer folder that is located in the computer root, or %SYSTEMDRIVE%).
To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
1. Click Start, and then click Control Panel.
2. Click Performance and Maintenance, and then double-click System.
3. Click the System Restore tab, and then click to select the Turn off System Restore for all drives check box.
4. Click OK, and then click Yes to initiate the restore point deletion.
Get familiar with process running in the background on your own PC. once you're familiar with all the usual process then anything out of the ordinary will stand out like a sore thumb. most (not all) viruses tend to have weird filenames like Age_of_empire.exe (huh? i didn't play that game) and some try to look legitimate by taking similar names to common Windows processes. eg. svchost.exe instead of scvhost.exe.
Once you're comfortable with processes, you can opt to use Process Explorer from Sysinternal. Downloadable from here: http://www.microsoft.com/technet/sysintern...ssExplorer.mspx
this are normal processes
"System" The Windows System Process
"SMSS.EXE" Session Manager Subsystem
"CSRSS.EXE" Client Server Runtime Subsystem
"WinLOGON.EXE" The Windows Logon process
"SERVICES.EXE" Services Control Manager
"LSASS.EXE" Local Security Authentication Server Service
"svchost.exe" Service Host
"spoolsv.exe" The print spooler service
"explorer.exe" Windows Explorer
"TASKMGR.EXE" The Task Manager
"regsvc.exe" Remote Registry Service
as a general rule, take extra interest in any processes don't have a company name (with the exception of DPCs, Interrupts, System, SMSS, Services, System Idle Process and things mentioned above), verification signer (Process explorer auto verifies images) and version number attached to it. you can kill the process by right-clicking on it selecting Kill. process explorer also allows you to search for a specific process. you should also be interested in purple threaded processes.
Packed can mean compressed or encrypted
Malware commonly uses packing (e.g. UPX) to make antivirus signature matching more difficult
Packing and encryption also hides strings from view
If you're unsure what a process is responsible for you can check it out here:
This post has been edited by AsenDURE: Jun 20 2007, 02:53 PM