Monday 2 January 2012

Monday's Tech Tip - Malware Removal

This is a very, very, very, very broad topic. This post doesn't serve to solve all Malware issues, but what I'm about to post has helped me a lot.

If you suspect you have Malware on your PC, you probably do you'll usually get pops saying you're infected with tens or even hundreds of viruses. However, quite often you'll get redirected to a site that looks like Windows Explorer or even Finder if you are on a Mac, that is trying to trick you into thinking you have a virus.In this instance I would recommend opening a command prompt and typing or copying and pasting the following line for Internet Explorer:

taskkill /f /im iexplore.exe

If you are using Chrome:

taskkill /f /im chrome.exe

If you are using Firefox:

taskkill /f /im firefox.exe

/f = force kill the program
/im = image name, in other words the executable name to kill, it kills ALL programs with that name.

Notes: If you're on a Mac, Force Quit your web browser, the likely hood of you getting a virus is slim but you should still make sure Apple's built-in anti-malware program is up to date and use a third party AV/Malware tool to check your machine anyway. That's as far as my Mac Malware cleaning knowledge goes to date as there haven't been many cases and it's usually easy to clean because it's a Mac and it gets lots of attention and detailed study on how the Malware works.

You'll get message back like this:

SUCCESS: The process "IEXPLORE.EXE" with PID #### has been terminated.

Notes: #### is the Process ID for each Internet Explorer instance killed:

If for some reason taskill can't find the iexplore.exe,chrome.exe or firefox.exe processes it'll display something like this:

ERROR: The process "iexplore.exe" not found.

Double check your speelings.

If there are any lines indicating a process could not be terminated, I would try again after a few seconds, maybe even wait a minute. If you can't get the process killed with this command then almost certainly nothing will. I say to use this command instead of Task Manager because taskkill doesn't care about the process. Task Manager isn't always able to kill a task even with "End Process Tree". Also I don't trust the prompts you see from the malware site when trying to close your browser.

Now scan your PC using your AV product after making sure it's up to date and follow the steps below.

Step 1: Reboot into Safe  Mode with Networking.
Download, this file unzip it and run the file that was inside (at time of writing the file inside should be called xp_exe_fix and have a .reg file extension).
You may want to save the website for use later if you have problems opening other file types after cleaning the malware:
Reveal Hidden Files and Folders whilst there also clear the check boxes for "Hide extensions for known file types" and "Hide protected operating system files", we'll need these disabled later.

Reasons: This in most cases stops the Malware from loading at Windows boot time, allows you to still get on the internet to download Malware removal tools. I'll list a some later on.

Step 2: Open a command prompt and type "CD %userprofile%" press Return/Enter.
            Type "dir/s/a *.exe > c:\Executables.txt

Reasons: This produces a list of executables in your profile, there shouldn't be many unless you have lots of downloads that are .exe instead of .msi's.

Step 3: Open the file in the root of C: called Executables.exe in  Notepad (double click the text file).
start trawling through the list of Executables listed and the locations. Start by eliminating the files in your Downloads folder, make sure you know what each and every file in your downloads folder is, if you don't know it rename it to .old, same goes for the rest of the .exe's though I caution you to make a note of the files you've renamed so that if a legit application doesn't work later on you can undo the damage. Research the .exe names if you are not familiar with them.

Reasons: Malware usually hides in the userprofile's temporary internet files\content.ie5\ or %userprofile%\Local settings\Application Data\   and we're manually hunting the darn thing now. Yup, we are now Malware Hunters! Awesome and glorious, isn't it?! Not really, it become tedious.

Step 4: Copy all the .exe.old's you have to a folder on your desktop called MALWARE or something obvious, create the folder if needed. Then open your browser, or an alternative if you are having difficulties getting to webpages and go to and upload each of the files you've found. Chances are most will come back clean, but for those that don't you know you've got a problem and potentially solved it. now by renaming the source file to .old so it can't be called upon and run.

Reasons: We need to not only identify which are potentially infected but also which are legit so you can go back and remove the .old from the file name (Skype & Facebook's webcam chat are silly programs that stores exe's in the profile!), there may be some strange executable names in some people's profiles depending on the the software installed. I've come across some corkers, check them all.

Step 5: Reboot into Windows normal mode and see if there are any 'normal' signs of infection, ie pop-ups saying you've got a gazillion infections. If not, great! We've got one of the culprits. Get a cup of your favourite beverage, try not to mix alcohol with virus removal, it never ends well. If you still have signs of Malware it's time to move directly on to Step 6, do not pass GO!, do not collect your beverage, Move directly to Step 6.

Reasons: Alcohol is bad for you, makes you sleepy and you won't concentrate. FACT.

Step 6: Download the list of anti-malware applictions listed below:
Malwarebytes - I suggest the free version and use the Trial of the Full version after installing it, if you are impressed by it feel free to buy the full version.
Microsoft's Malicious software removal tool You should get the latest version with Automatic updates.
Microsoft's Safety scanner - I've never used it yet, but worth using as part of your arsenal.
Microsoft's Security Essentials - Free AV, without the crap. I use this and prefer it's 'light weight' compared to other AV suites so doesn't slow machines down as much, though it's virus detection rate is probably the same as most others.
ComboFix - Saved me a few times where others had failed. (see below guide for the download)
RUBOTTED - checks to see if you've got a bot infection.
Sysinternals - Grab Autoruns, RootkitRevealer and ProcessMonitor.

A guide spefic to using ComboFix:
Check the Bleeping Computers Virus Removal pages, the may have a guide for the Malware you have.

netstat - brilliant tool built into most OS's. Read Here and Here for tips on how to use it for virus removal. Once you have the PID use taskkill /PID  to kill the program.

Rightly or wrongly these are some of the methods I use. Obviously a full reinstall is always the best solution if you're unsure about the existence of malware on your computer. Remember, viruses change often in some cases less than every couple hours to avoid detection by new AV definitions and there is no single virus proof AV product.

EDIT: 14th June 2013
Lately I've noticed Viruses using different extensions so they're not as noticeable as an executable. Hey what's that <.dll, .ocx, .ini & other 'inert' files> doing in there? Meh, it must be from some innocent program with a sloppy developer, right?

NO! It's probably your virus ! Rename it (using your other local admin account) I bet you'll match it up with a registry entry in the following places, which calls on this 'inert' file, executing it with rundll32.exe, explorer.exe or the shell:
HKCU\Software\Microsoft\Windows\Windows NT\CurrentVersion\Winlogon\

Keep safe, browse well and be vigilant on the web.

Sunday 1 January 2012

Sunday's Tech tip - Don't use registry cleaners.

I'll repeat that, don't use registry cleaners.
They seriously suck and can often do more damage to your PC than they resolve.

Instead when removing software, look on the software vendors website for a clean-up tool that either removes the program and any unnecessary components, DLL's, OCX's etc that were installed with the program. Also make sure the clean-up tool is for the version of the application you're removing, using a clean-up tool for a different version will often not remove anything. Usually the uninstallers remove everything, but you can check for a clean-up tool if you are reinstalling the application and having difficulties.

This isn't a fault of Microsoft's, but rather the fault of sloppy programmers. If they kept their files in one location and used an INI files instead of writing to the registry removal would be a lot less painful and would require no more than deleting their Program Folder where they were installed. Here's hoping Windows 8 and Windows Phone 7/8 do this with their metro apps. (Apologies if they do, I currently use Android and haven't invested much time into looking at WinPhone7 yet, though this is to change soon)

I've come across more and more people that are using them and are recommended these tools by their friends who work in IT or are computer geeks... and the number one reason I'm talking to these people is that the registry cleaner has broke something. Badly.

I'm not the only person to think this either and have held this opinion since the early days of Windows ME, when I first got online properly (with ADSL speeds, not clunky dial-up) and discovered them for myself and how awful they were and first hand saw the damage when I kept getting BSOD's after using one.

Here's a link to prove my point:

Mark Russinovich knows his stuff, otherwise Microsoft wouldn't have bought Winternals & Sysinternals, would they? ;-)

Thank you and good night!