Removing Malware Traces Etc.,

I wrote up this small doc in hopes it will help some of you out, if you have any questions just ask! :D

Attachment: ilivetogive.rtf

Comments

  • Unfortunately, no one except the moderators and/or virus researchers can download your help file. :)


    That's why I attached only its content in this new post.


    Cheers, and thanks. Many users will find it useful.


    Services, Startup, Regedit... and more Services for WinXP.
    by TheWatcher

    SERVICES:
    To see what services are running on your system right now click the Start button, choose Run, then type "msconfig"
    (Do not include quotation marks).
    This will open the system configuration utility. Click the next-to-last tab, marked Services; here you can see the names of the services running or stopped, as well as the company they come from.
    Near the bottom of the window is a check box with Hide All Microsoft Services next to it, check this box and the list will get much shorter.
    From here you can determine whether a rogue program has a running service.
    The Service column gives a fairly decent idea of what program is running the service.
    The Manufacturer column should also give you some insight, however, many programs, BitDefender for one example, will display Unknown under the Manufacturer column, in this event don't always assume that Unknown Manufacturer is necessarily a bad thing.
    To disable any suspect service simply uncheck the box to the left of the service to disable it from loading when your computer starts.
    Accidentally unchecking a needed service shouldn't have any catastrophic effects (just make sure you're not disabling a Microsoft service); most likely the related program will refuse to run or function properly. In any case, if you disable something that is needed, just redo the above instructions and turn it back on.

    STARTUP:
    The last tab on the system configuration utility is the startup tab.
    Do you have a bunch of junk icons in your system tray? (next to the clock on the bottom right).
    The startup tab is where these programs store their references; many rogue programs also do the same.
    If you believe a program to be suspect, look at the column marked Command; it should display the program's location. If the program is running from a temp folder, or another suspicious folder that you're not sure of, uncheck the box to the left of the startup item to disable it from loading when your computer starts.
    Just like before, accidentally unchecking a needed startup item shouldn't have any catastrophic effects.
    Unchecking unneeded programs will free up some system resources too. I mean, really, do you need MSN Messenger to start every time your computer does?
    Once you're done, click OK and choose to reboot your computer. On reboot you'll get a confirmation dialog stating that you've altered the system configuration; just click OK and proceed as normal.

    Okay, so let's say you found a rogue program in the startup tab named "Trojan" for example. You unchecked it in the startup tab and hopefully it didn't find a way to start up again (sometimes they do... bastards!), but the reference to the file is still in the startup tab. Here's how to remove it.

    REGEDIT:
    (Editing the registry can be detrimental, don't go messing with keys or values that you don't understand).
    Click the Start button, choose Run, then type "regedit"
    (Do not include quotation marks).
    This will open the registry editor, in the left pane click
    "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\" look for folders named "Run" and "RunOnce"
    both of them can contain startup references, in the event that you were to see the "Trojan" example as mentioned earlier you would then right click the reference under the name column in the right pane then choose Delete, confirm when prompted and that's it.
    However, that's not all, there are more possible places for the reference to hide, so, in the left pane click
    "HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\" look for folders named "Run" "RunOnce" and "RunOnceEx"
    As mentioned above if the reference to the example is in any of these folders you would then right click the reference under the name column in the right pane then choose Delete, confirm when prompted.

    SERVICES:
    (Disabling just a single service can cripple multiple programs, only disable the service(s) you're sure aren't dire for the system, and again don't disable any Microsoft services).
    Click the Start button, choose Run, then type "services.msc"
    (Do not include quotation marks).
    This will open the Services window, near the bottom click the Extended tab, this will allow you to single click a name to get a brief description of the service.
    The Status column tells you if the service is running (Started) or not running (Blank).
    The Startup Type column tells you how the service is started. Manual (started by you through the start menu or other means). Automatic (Set in the registry to start with Windows). Disabled (Windows and other programs disable services on their own).
    If you click the Startup Type column tab it will sort the order for you making it easier to see what Startup Type each service is using.
    For the most part, you need not alter any of these services, but in the event you notice a rogue program, you would right click its name and select Properties; from here you get a detailed view of the service and its dependencies.
    If you are certain this service is not needed and the Startup Type list box displays Automatic, you would click this and choose Disabled.
    Once done click apply and restart your computer.

    OTHER TIPS:
    Have a suspect file? Do a Google search with the file name and extension to see what comes up, alternatively you could upload the suspect file at www.virustotal.com this site will scan a file or files with multiple malware scanners then provide you with the results.

    Keep up with Windows updates, security holes can allow hackers and malware into your computer without your knowledge, in some cases just going to a rigged web site is all you have to do to get infected, even if you don't click any links, so keep up to date!
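
As an added example, not part of TheWatcher's post, here is a read-only PowerShell script that walks the Run, RunOnce and RunOnceEx keys the article names and marks entries that run from a temp folder or point at a file that no longer exists, which is the check the article asks you to make by hand in regedit. Assumptions: the temp-folder pattern, the CHECK marker and the function names are mine; the script deletes nothing, so a flagged entry is still removed in regedit as the article describes.

```powershell
# Added example, not from the original post: read-only scan of the Run/RunOnce/RunOnceEx
# keys the article names, flagging entries that run from a temp folder or point at a missing file.
# Assumptions: Windows with PowerShell 2.0 or later; the temp-folder patterns below are mine.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
)

# Extract the executable from a command line such as  "C:\Program Files\Foo\foo.exe" /silent
function Get-ExePath([string]$Command) {
    if ($Command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($Command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

# Return the reasons an entry deserves a second look (empty list = nothing noticed)
function Get-SuspectReasons([string]$ExePath) {
    $reasons = @()
    $path = [Environment]::ExpandEnvironmentVariables($ExePath)
    if ([string]::IsNullOrEmpty($path)) { return @('empty command') }
    if ($path -match '\\Temp\\|\\Temporary Internet Files\\') { $reasons += 'runs from a temp folder' }
    # Bare names such as rundll32.exe resolve through PATH, so check Get-Command before calling it missing
    if (-not (Test-Path -LiteralPath $path) -and -not (Get-Command $path -ErrorAction SilentlyContinue)) {
        $reasons += 'file not found (stale reference or hidden path)'
    }
    return $reasons
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    # RunOnceEx keeps its entries in numbered subkeys, so walk the subkeys as well
    $targets = @($key) + @(Get-ChildItem -Path $key -Recurse | ForEach-Object { $_.PSPath })
    foreach ($target in $targets) {
        $props = (Get-ItemProperty -Path $target).PSObject.Properties |
                 Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' }
        foreach ($p in $props) {
            $reasons = Get-SuspectReasons (Get-ExePath ([string]$p.Value))
            $mark = if ($reasons) { 'CHECK' } else { '  ok ' }
            '{0}  {1}  [{2}]  {3}' -f $mark, $target, $p.Name, $p.Value
            foreach ($r in $reasons) { "         -> $r" }
        }
    }
}
```

Run it from an ordinary PowerShell prompt before and after cleaning up so you can confirm the "Trojan"-style reference is really gone; an entry marked CHECK is a candidate to look up on Google or VirusTotal, not proof of infection.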

  • Really? I figured it was for all to see, thank you for the help!

  • How about posting your article on the How To's board, TheWatcher? That way, the topic won't be lost in the General section of Malware Talk, and anyone can find it easily. :)


    Also, on How To's everyone has the right to download anything (it's a non-secure area :P ), but please post the article as text, not as attachment, so it will be easier to read.


    Let me know if you agree. :)


    Cris.

  • Sounds good to me, I'll do that now as a matter of fact, thanks!

  • Hey Cris, I gave the How To board a shot and kept getting "Sorry, you do not have permission to start a topic in this forum". Am I doing something wrong... must be sleep deprivation :unsure:

  • Hmm... If you haven't done something wrong, my guess is that other members (besides the moderating team) are forbidden to post something in there. I'll ask the admin about it when I see him. :)


    Anyway, I posted your article there myself (of course, giving you full responsibility for it ;) ). I also took the liberty of formatting the text a little. Take a look and tell me if you like it. If you don't, I'll remove it ASAP. :)


    Cris.

  • Beautiful job! Thank you!

  • AndreiASM
    edited May 2008

    Only moderators have privilege to create new topics on How to`s forum.


    Thanks again for your contribution. :)