Malware Guide: Quick Removal [4/7]
Most people do not have the patience or the care to read my entire malware guide, so this chapter should give you the answers you need on its own. I link other parts of the guide for reference. This chapter explains the basic steps for removing malware and is also a prelude to the detection and removal chapter, which goes into much more depth on the subject. The removal tools chapter describes which programs can help you remove malware and how to use them.
Malware Removal Steps
- Uninstall [help]: Try to uninstall the program normally first, through Add/Remove Programs, as you would any other program. Malware entries will often have vague names or pretend to be Windows components, but most of the ones that can be uninstalled like a typical program are fairly obvious, such as "bargain buddy" or "search companion". Worms will never be uninstallable, but a trojan may be. This is because a worm is a custom written program, whereas a trojan could just be a rootkit assembled from various commercial and free programs. So programs like WinVNC (remote control client), Remote Administrator (remote control client), mIRC (chat program used heavily for distributing warez), Cygwin (Unix shell for Windows), etc. could show up in your Add/Remove Programs list. The general rule is to remove anything you don't recognize or that looks suspicious. Use Google to verify what something is if you don't recognize it.
- Process Explorer [help]: Use Process Explorer to find and terminate suspicious programs. Look up strange process names in Google to see whether they are generally safe. Be aware of the limits of this: a known good process name does not guarantee the file on your machine is not malware, a name reported as malware does not mean your copy is not the legitimate program, and the absence of any Internet posts about a process does not by itself mean the process is malware.
- Irregular filenames: Look for files that look like system files but aren't. Be especially suspicious of programs that have the same names as other processes but differ in other fields, such as location, version or company name.
- Irregular directories: Look for programs running from strange folders, such as directly in the Windows folder, the Windows\system folder, the Program Files directory, any of your temp directories, the Program Files\Common Files directory, etc. Many of these programs install to directories where they hope you won't look for them, but sometimes that makes them even more obvious.
- No file version: You shouldn't rely on this alone, but the lack of a version number shows that the company that made the program had bad programming practices, and often suggests the program was rushed through development. This is sometimes a clue that the program is something you don't want. All official Microsoft built-in components have a program version that will be displayed.
- Hidden file: If the program executable is hidden, that could be a clue that the program is shady, especially if the hidden file sits in the Windows or Windows\system32 folder. You may even have to turn on showing hidden files to see the executable at all, which suggests the program is trying to escape detection.
- Odd file dates: Browse to the file and check its properties; the file date can provide clues. If the date is similar to that of the system files, it was most likely installed with the system. But if the date of the file is around the time you began noticing odd behavior, you may have located something you don't want. Be aware that system updates or program updates can also change file dates.
- Lack of a company brand: Most Windows components are branded Microsoft Corporation, and most other reliable companies brand their programs too. This usually provides a pretty clear way to identify worms and trojans, but spyware and adware will often have a company brand, and you'll have to spot its odd name. The companies that make spyware/adware won't be recognizable as something you installed, and they will often have innocuous-sounding names such as "Information Association" or something equally silly.
- Startup: Eliminate all strange startup items in the Start Menu, the registry and the INI files. I suggest using MSConfig to do this, but you could also do it with Windows Explorer, regedit and Notepad.
- INIs [help]: This is a pretty rare place for malware to be installed to. But you should check it just in case, especially if you're worried about a worm or a trojan, since those are more likely to show up in win.ini.
- Registry [help]: The registry is the most typical location that a worm, trojan, spyware or adware program will use to start up. You should be familiar with how to remove things from here, or at least use a program like MSConfig to make it easier.
- Start Menu [help]: Check the Startup folder in the Start Menu for shortcuts you don't recognize and remove them.
- Services [help]: Disable all obviously fake services. This can be tricky, and it may require reading the services chapter of my Windows Component guide and using my services utility. Services can be changed through services.msc.
- HijackThis [help]: Use HijackThis to remove all strange entries. This includes removing strange homepages and unknown plugin DLL references.
- Run Automatic Scans
- CWShredder [help]: Use CWShredder to eliminate a possible CoolWWWSearch infection. Just run it and it gets rid of most CWS variants. These are sometimes very hard to remove by hand, but with this program it is simple.
- Ad-Aware [help]: Scan with the latest version of Ad-Aware, but be sure to update your definitions before you scan. This will find most of the adware and spyware on your computer, and the steps preceding this will ensure that Ad-Aware can run uninterrupted.
- Spybot [help]: Scan with the latest version of Spybot - Search & Destroy, but be sure to update your definitions before you scan. This will hopefully find whatever Ad-Aware did not. You could run just Spybot or just Ad-Aware, but I recommend that you run both unless you're short on time.
- Virus Scanner [help]: Use your favorite virus scanner and perform a complete scan of the computer. Make sure that the virus definitions are up to date and that the scanner is functioning properly. The two most popular virus scanners are made by McAfee and Symantec/Norton, but there are plenty of other good ones. My only warning about virus scanners is that you should only trust big names; otherwise they may be ineffectual or come bundled with spyware.
- Restart: Restart your computer and see whether the symptoms that made you suspicious in the first place have gone away.
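The process-inspection rules above (irregular directory, no file version, no company brand, hidden file, odd file date, name collision with a system file) can be applied to every running process at once. The following is an added example, not part of the guide and not one of the tools it names; it assumes a modern Windows with PowerShell, an elevated prompt, and a 14-day window as the meaning of "around the time you noticed odd behavior". It only reports, it removes nothing.

```powershell
# Added example, not from the guide: apply its process-inspection rules to
# every running process and report the ones that trip a rule. Read-only.
# Assumptions: modern Windows, run from an elevated PowerShell prompt.
$recentDays = 14   # assumed window for "around the time you noticed odd behavior"
$oddDirs = @(
    $env:TEMP, $env:TMP,
    $env:WINDIR,                              # an .exe directly in \Windows
    (Join-Path $env:WINDIR 'system'),
    $env:ProgramFiles,                        # directly in Program Files, no vendor folder
    (Join-Path $env:ProgramFiles 'Common Files')
)

function Get-SuspiciousProcess {
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $proc = $_
        $file = Get-Item -LiteralPath $proc.Path -Force -ErrorAction SilentlyContinue
        if (-not $file) { return }
        $info    = $file.VersionInfo
        $reasons = @()
        # Irregular directory: executable sits directly in one of the odd folders
        if ($oddDirs -contains $file.DirectoryName) { $reasons += 'odd directory' }
        # No file version
        if ([string]::IsNullOrWhiteSpace($info.FileVersion)) { $reasons += 'no file version' }
        # Lack of a company brand
        if ([string]::IsNullOrWhiteSpace($info.CompanyName)) { $reasons += 'no company name' }
        # Hidden attribute on the executable
        if (($file.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'hidden file' }
        # Odd file date: written recently, unlike the rest of the system files
        if ($file.LastWriteTime -gt (Get-Date).AddDays(-$recentDays)) { $reasons += 'recent file date' }
        # Irregular filename: same name as a System32 binary but a different location
        $twin = Join-Path $env:WINDIR "System32\$($file.Name)"
        if ((Test-Path -LiteralPath $twin) -and ($file.FullName -ne $twin)) {
            $reasons += 'name matches a System32 file'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                PID     = $proc.Id
                Name    = $proc.ProcessName
                Path    = $proc.Path
                Company = $info.CompanyName
                Reasons = $reasons -join ', '
            }
        }
    }
}

Get-SuspiciousProcess | Format-Table -AutoSize
```

Expect some benign hits, for example 32-bit copies of system binaries under SysWOW64 or freshly patched files; treat each line as a lead to look up, as the guide says, not as a verdict.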
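The Startup steps (INIs, registry, Start Menu, services) all come down to listing a handful of known locations. The following added example, which is not from the guide, dumps those locations in one pass; it assumes a modern Windows with PowerShell and uses the Authenticode signer of a service's executable as a rough stand-in for the guide's "obviously fake services" test, which is an assumption of mine, not the guide's method.

```powershell
# Added example, not from the guide: dump the startup locations the guide says
# to check (Run keys, win.ini, Startup folders) plus services whose binary is
# not Microsoft-signed. Read-only; decide what to remove yourself.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-StartupEntry {
    # Registry Run/RunOnce values (one value per auto-started command)
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # win.ini: anything on the load= or run= lines is started with the shell
    $winIni = Join-Path $env:WINDIR 'win.ini'
    if (Test-Path $winIni) {
        Get-Content $winIni | Where-Object { $_ -match '^\s*(load|run)\s*=\s*\S' } | ForEach-Object {
            [pscustomobject]@{ Location = $winIni; Name = 'win.ini'; Command = $_ }
        }
    }
    # Startup folders for the current user and for all users
    $startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) | Where-Object { $_ }
    Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Location = $_.DirectoryName; Name = 'startup folder'; Command = $_.FullName }
    }
    # Services: pull the .exe out of PathName and check its Authenticode signer.
    # Assumption: an unsigned or non-Microsoft signer is only a lead, not a verdict.
    Get-CimInstance Win32_Service | ForEach-Object {
        $exe = $_.PathName -replace '^"([^"]+)".*$', '$1'     # quoted path
        $exe = $exe -replace '^(\S+\.exe)\b.*$', '$1'          # unquoted path with arguments
        if (-not (Test-Path -LiteralPath $exe)) { return }
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{ Location = 'service'; Name = $_.Name; Command = $_.PathName }
        }
    }
}

Get-StartupEntry | Format-Table -AutoSize -Wrap
```

Unquoted service paths containing spaces and catalog-signed files on older Windows versions can show up as hits; check those by hand before disabling anything.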