Finding And Removing Malware Traces

alexcrist
edited May 2008 in How to's

Services, Startup, Regedit... and more Services for WinXP.





SERVICES:


To see what services are running on your system right now click the Start button, choose Run, then type "msconfig" (Do not include quotation marks).


This will open the System Configuration Utility. Click the next-to-last tab, marked Services. Here you can see the names of the services, whether each one is running or stopped, and the company it comes from.


Near the bottom of the window is a check box with Hide All Microsoft Services next to it. Check this box and the list will get much shorter.


From here you can determine whether a rogue program has a service installed.


The Service column gives a fairly decent idea of what program is running the service.


The Manufacturer column should also give you some insight. However, many legitimate programs, BitDefender for one example, display Unknown under Manufacturer, so don't assume that Unknown is necessarily a bad thing. The reverse is also true: the Manufacturer name is read from the program file's own version information, and anything can stamp "Microsoft Corporation" into its version information, so a familiar name is not proof of anything either.


To disable a suspect service, simply uncheck the box to the left of it; the service will then not load when your computer starts.


Accidentally unchecking a needed service shouldn't have any catastrophic effects (just make sure you're not disabling a Microsoft service); most likely the related program will refuse to run or won't function properly. If you disable something that is needed, just repeat the steps above and turn it back on.



STARTUP:


The last tab on the System Configuration Utility is the Startup tab.


Do you have a bunch of junk icons in your system tray? (next to the clock on the bottom right)


The Startup tab lists the programs that are set to start with Windows; that is where most of those tray programs come from, and many rogue programs register themselves the same way.


If you believe a program to be suspect, look at the column marked Command; it shows the program's location on disk (the Location column shows the registry key or Startup folder the entry was read from). If the program is running from a temp folder or some other folder you're not sure of, uncheck the box to the left of the startup item to stop it from loading when your computer starts.


Just like before, accidentally unchecking a needed startup item shouldn't have any catastrophic effects.


Unchecking unneeded programs will free up some system resources too. I mean, really, do you need MSN Messenger to start every time your computer does?


Once you're done, click OK and choose to restart your computer. After the reboot you'll get a dialog stating that you've used the System Configuration Utility to change how Windows starts; just click OK and proceed as normal.




Okay, so let's say you found a rogue program in the Startup tab named "Trojan", for example. You unchecked it in the Startup tab and hopefully it didn't find a way to start up again (sometimes they do... bastards!), but the reference to the file is still in the Startup tab. Here's how to remove it.



REGEDIT:

(Editing the registry can break Windows, so don't go messing with keys or values that you don't understand! Before deleting anything, select the key and use File > Export to save a copy; double-clicking the saved .reg file puts the entries back if you need them.)


Click the Start button, choose Run, then type "regedit" (Do not include quotation marks).


This will open the Registry Editor. In the left pane navigate to

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

and look for keys named "Run" and "RunOnce". Both of them can contain startup references. If you see the "Trojan" example mentioned earlier, first note what the Data column says (that is the path to the file, which you'll want to delete as well), then right-click the reference under the Name column in the right pane, choose Delete, and confirm when prompted. That's it.


However, that's not all; there are more possible places for the reference to hide. In the left pane navigate to

 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

and look for keys named "Run", "RunOnce" and "RunOnceEx" (RunOnceEx keeps its commands in numbered subkeys such as 0001, so open those too). These keys apply to every account on the computer, and you need an administrator account to change them.

As above, if the reference to the example is in any of these keys, right-click it under the Name column in the right pane, choose Delete, and confirm when prompted. If the entry is back after the next reboot, something that is still running is recreating it; deleting the registry value does not remove the program file itself.
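The following is an added example and not part of the original article: a PowerShell script (PowerShell 2.0, which is an optional download for XP) that walks the same Run, RunOnce and RunOnceEx keys described in the STARTUP and REGEDIT sections and lists what the msconfig Startup tab would show, with a Company column read from each file's version information and a Flags column for entries worth a second look. The list of "user-writable" folder patterns, the "Trojan" value name in the removal line and the choice of flags are assumptions for illustration, not anything the article specifies.

```powershell
# Added example (not from the original article): enumerate the Run/RunOnce/RunOnceEx keys
# and flag startup entries that run from odd places, point at missing files or carry no
# manufacturer name. Folder patterns and the removal example are assumptions.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'   # commands sit in numbered subkeys
)

# Folders a program that starts with Windows normally has no business living in (assumed list).
$userWritable = '\\Temp\\', '\\Local Settings\\', '\\Application Data\\', '\\Documents and Settings\\', '\\Users\\', '\\Recycler\\'

function Get-ExePath([string]$command) {
    # Pull the executable out of a command line such as:  "C:\Program Files\X\x.exe" /min
    if ($command -match '^\s*"([^"]+)"') { $exe = $matches[1] }
    else { $exe = ($command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-StartupEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        # Walk subkeys too, because RunOnceEx keeps its commands one level down.
        $paths = @($key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
        foreach ($path in $paths) {
            $values = Get-ItemProperty -Path $path
            if ($values -eq $null) { continue }
            foreach ($prop in $values.PSObject.Properties) {
                # Get-ItemProperty adds these bookkeeping properties; they are not registry values.
                if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
                $exe = Get-ExePath ([string]$prop.Value)
                $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
                $company = ''
                if ($exists) { $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName }
                $flags = @()
                if (-not $exists) { $flags += 'file missing' }
                foreach ($pat in $userWritable) { if ($exe -match $pat) { $flags += 'user-writable folder'; break } }
                if ($exists -and -not $company) { $flags += 'no manufacturer' }
                New-Object PSObject -Property @{
                    Location = ($path -replace '^Microsoft\.PowerShell\.Core\\Registry::', '')
                    Name     = $prop.Name
                    Command  = $prop.Value
                    Exe      = $exe
                    Company  = $company
                    Flags    = ($flags -join ', ')
                }
            }
        }
    }
}

Get-StartupEntries | Sort-Object Location, Name | Format-Table Location, Name, Company, Flags, Command -AutoSize -Wrap

# Deleting one entry (the article's "Trojan" example) once you are sure about it.
# -WhatIf only shows what would happen; drop it to really remove the value.
Remove-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Trojan' -WhatIf
```

Run it from a PowerShell window opened with an administrator account so the HKLM keys are readable. Treat the Flags column as a prompt to look closer, not as a verdict: the Company value comes from the file's version information, which a program can fill in with any name it likes, and a blank one is common for legitimate software (the article's BitDefender example). Note the Exe path before removing an entry so you can deal with the file as well.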



SERVICES:

(Disabling just a single service can cripple multiple programs, so only disable the service(s) you're sure aren't vital to the system, and again, don't disable any Microsoft services.)


Click the Start button, choose Run, then type "services.msc" (Do not include quotation marks).


This will open the Services window. Near the bottom, click the Extended tab; this lets you single-click a name to get a brief description of the service.


The Status column tells you if the service is running (Started) or not running (<Blank>).


The Startup Type column tells you how the service is started:
Manual (not started with Windows; it starts only when you, a program, or another service that depends on it asks for it)
Automatic (set in the registry to start with Windows)
Disabled (cannot be started at all until the Startup Type is changed back; Windows and other programs sometimes set this on their own).


If you click the Startup Type column header, the list is sorted by it, making it easier to see what Startup Type each service is using.


For the most part you need not alter any of these services, but in the event you notice a rogue program, right-click its name and select Properties. From here you get a detailed view of the service, including the "Path to executable" on the General tab (check that the way you checked the Command column earlier) and, on the Dependencies tab, which other services depend on it.


If you are certain this service is not needed and the Startup Type list box displays Automatic, click it and choose Disabled; if the service is currently started, click Stop as well.


Once done click Apply and restart your computer.
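The following is an added example, not code from the original article: a PowerShell script (PowerShell 2.0, an optional download for XP) that builds the same view as the msconfig Services tab with "Hide All Microsoft Services" checked, together with the State and Startup Type columns of services.msc and the dependent services the Properties dialog shows. It also resolves services hosted inside svchost.exe to the DLL they really run, because for those the "Path to executable" is always svchost.exe and tells you nothing. The folder patterns, the flag names and the service name in the disable lines are assumptions for illustration.

```powershell
# Added example (not from the original article): report services the way msconfig and
# services.msc show them, skip the ones whose binary is signed off as Microsoft's in its
# version information, and flag the rest that look odd. Patterns/flags are assumptions.

$userWritable = '\\Temp\\', '\\Local Settings\\', '\\Application Data\\', '\\Documents and Settings\\', '\\Users\\'

function Get-ExePath([string]$command) {
    # First token of the command line; an unquoted path with spaces is cut at the first space,
    # which is exactly how Windows itself would mis-read it, so the 'file missing' flag fires.
    if ($command -match '^\s*"([^"]+)"') { $exe = $matches[1] }
    else { $exe = ($command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-ServiceReport([switch]$HideMicrosoft) {
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        $exe = Get-ExePath $svc.PathName
        # Services hosted by svchost.exe run from a DLL named in the registry; judge that DLL,
        # not svchost.exe itself.
        if ($exe -match '\\svchost\.exe$') {
            $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
            $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $exe = [Environment]::ExpandEnvironmentVariables($dll) }
        }
        $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
        $company = ''
        if ($exists) { $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName }
        # Same idea as msconfig's "Hide All Microsoft Services"; the name is self-declared, so
        # a program could spoof it, which is why the path is still worth reading.
        if ($HideMicrosoft -and $company -match '^Microsoft') { continue }

        $flags = @()
        if (-not $exists) { $flags += 'file missing' }
        if ($exists -and -not $company) { $flags += 'unknown manufacturer' }
        foreach ($pat in $userWritable) { if ($exe -match $pat) { $flags += 'user-writable folder'; break } }

        # What would break if this service were disabled (the Dependencies tab of Properties).
        $dependents = ''
        $sc = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        if ($sc) { $dependents = ($sc.DependentServices | ForEach-Object { $_.Name }) -join ',' }

        New-Object PSObject -Property @{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State       # Running / Stopped  (services.msc shows Started / blank)
            StartMode   = $svc.StartMode   # Auto / Manual / Disabled (services.msc: Startup Type)
            Company     = $company
            Binary      = $exe
            Dependents  = $dependents
            Flags       = ($flags -join ', ')
        }
    }
}

Get-ServiceReport -HideMicrosoft | Sort-Object StartMode, Name |
    Format-Table Name, State, StartMode, Company, Flags, Dependents, Binary -AutoSize -Wrap

# Disabling a service you are sure about: the same as Stop plus Startup Type = Disabled in
# services.msc. 'ExampleSvc' is a placeholder; -WhatIf previews, drop it to apply.
Stop-Service -Name 'ExampleSvc' -WhatIf
Set-Service  -Name 'ExampleSvc' -StartupType Disabled -WhatIf
```

Run it from an administrator account. An empty Company is not a verdict (the article's BitDefender example), and neither is a Microsoft one; what the script buys you is the resolved DLL for svchost-hosted services and the Dependents column, which tells you what else stops working before you set anything to Disabled.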



OTHER TIPS:


Have a suspect file? Do a Google search with the file name and extension to see what comes up. Alternatively, upload the suspect file at www.virustotal.com; this site scans a file with multiple malware scanners and then shows you the results. Keep in mind that uploading shares the file with the site; if the file might contain something private, you can instead search the site for the file's hash (MD5 or SHA-1), which finds the report if someone has already submitted the same file.


Keep up with Windows updates. Security holes can let hackers and malware into your computer without your knowledge; in some cases just visiting a rigged web site is all it takes to get infected, even if you don't click any links, so keep up to date!



======================================================================

Thanks to:


This article was entirely written by one of the forum members, TheWatcher.

If you have any questions or comments about this article, please contact, through PM, the author of the article.
