CyberDefenseGuide
A How-To Guide To Internet Security and Windows Repair

Antivirus scanning is not enough to make sure your pc is thoroughly virus-free. Scanners can only find viruses they have definitions for, so you will need to run some system analysis tools in order to find unknown malware. Unknown malware can be found using the Heuristic detection function of Avira AntiVir and Comodo Antivirus. This detects suspicious programming code inside files and may find previously unreported malware that matches the behaviour of known viruses. More often though your scan results will find legitimate programs that aren't viruses but just trigger the scanner's suspicions - these are called 'False Positive' results, and you should make sure the file is legitimate by Googling its filename to see if it is from a legitimate company and whether other users have reported the file as malware.
In Avira right-click its taskbar/tray icon, click Configure AntiVir, tick Expert Mode, select Scanner, select Scan, click Heuristic, tick Macrovirus Heuristic, tick enable AHeAD and select High Detection Level.
In Comodo double-click its tray icon, click Antivirus, click Scanner Settings. Under Heuristic Scanning/Level select High. You can set this under each tab for Realtime, Manual and Scheduled Scanning.
System Analysis
To make sure your pc is clean of undiscovered hidden malware you should study the programs, services and drivers running on your pc using Autoruns.
DOWNLOAD SysInternals Autoruns
When you run Autoruns it scans your system for every piece of software installed and lists everything with an auto-start configuration. To use it effectively you need to research every entry that you think is suspicious BEFORE you take any action. Always make a restore point before using Autoruns because deleting the wrong thing can break Windows. If you delete something and your pc doesn't reboot, you will only be able to undo your mistake if you have made a restore point.
There is so much legitimate software that it can be almost impossible to tell what is malware. Thankfully Microsoft run a database of legitimate software, and by ticking 'Verify Code Signatures' under Options and refreshing by pressing F5, legitimate programs will show up as 'Verified'. To check anything 'Not Verified' and suspicious you can use 'Search Online' under 'Entry'. The most suspicious entries will be ones without a Description or Publisher; unfortunately a lot of legitimate programs also fail to provide a description or give their publisher's name, so researching entries using the search engines is necessary.
A certain amount of cleaning is possible if you find lots of entries where the Image Path displays 'File Not Found'. Obviously this is only for the adventurous, and only for anyone with complete backups and a restore point. Most 'File Not Found' entries are under the Drivers tab. These are remnants of software that had above average interaction with the system, in some cases virus remnants. To save your pc the time dealing with these entries simply untick the box on the left. If it's unticked Windows won't try to run it. It is possible to right-click an entry and Delete, BUT this will break Windows if you get it wrong.
To increase your pc's performance you can untick legitimate program entries to stop them running. Autoruns is a handy way of controlling the access new software installations have on your system. If you don't need certain programs constantly running in the background simply untick the box. Of course if you want to use that software in the future you will have to remember to tick the box, and probably reboot, to make it run again.
Important tabs to check:
Logon - lists what runs when you switch your pc on.
Services - lists what runs when the desktop appears.
Explorer - lists everything hooked in to the Windows interface.
Internet Explorer - lists what is hooked in to your IE browser.
Scheduled Tasks - check anything that isn't antivirus updates or something you've set up yourself.
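The Autoruns checks above (Verified signature, Description, Publisher, 'File Not Found') can also be applied in bulk to an exported listing. The following Python script is an added example for this guide, not part of Autoruns or SysInternals. It assumes the command-line autorunsc writes a CSV with -c and marks good signatures with a '(Verified)' prefix in the Signer column when run with -v; the column names are an assumption that may differ between versions, and the sample export is constructed, not real output.

```python
"""Triage an Autoruns export using the guide's own signals: signature not
'Verified', missing Description or Publisher, and Image Path reporting
'File Not Found'. Entries are ranked so you research the worst first and
untick (never delete) stale remnants.

Assumption: autorunsc -c writes a CSV and -v adds a '(Verified)' prefix to
the Signer column; the column names below may differ between versions, so
adjust the COL_* constants to match your export. SAMPLE_EXPORT is a
constructed sample for this example, not real output.
"""
import csv
import io
from dataclasses import dataclass, field

COL_LOCATION, COL_ENTRY, COL_ENABLED = "Entry Location", "Entry", "Enabled"
COL_DESCRIPTION, COL_SIGNER, COL_IMAGE = "Description", "Signer", "Image Path"

# Constructed sample: two Windows entries that pass every check, and four
# entries of the kinds the guide tells you to research or untick.
SAMPLE_EXPORT = """\
Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,c:\\windows\\system32\\securityhealthsystray.exe
HKLM\\System\\CurrentControlSet\\Services,Spooler,enabled,Services,Print Spooler,(Verified) Microsoft Windows,c:\\windows\\system32\\spoolsv.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,HelperTool,enabled,Logon,,(Not verified) Example Vendor,c:\\program files\\example\\helper.exe
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,svchost32,enabled,Logon,,,c:\\users\\user\\appdata\\roaming\\svchost32.exe
HKLM\\System\\CurrentControlSet\\Services,OldDrv,enabled,Drivers,,,File not found: c:\\windows\\system32\\drivers\\olddrv.sys
HKLM\\System\\CurrentControlSet\\Services,Leftover,disabled,Drivers,,,File not found: c:\\windows\\system32\\drivers\\leftover.sys
"""


@dataclass
class Finding:
    entry: str
    location: str
    image_path: str
    reasons: list = field(default_factory=list)
    score: int = 0
    action: str = "research"   # research first; 'untick' only for stale remnants


def is_verified(signer: str) -> bool:
    """Autoruns marks a good Authenticode signature with a '(Verified)' prefix."""
    return signer.strip().startswith("(Verified)")


def triage(csv_text: str) -> list:
    """Return the enabled entries that fail a check, highest score first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get(COL_ENABLED, "").strip().lower() != "enabled":
            continue  # an unticked entry does not run; clean it up later
        f = Finding(row[COL_ENTRY], row[COL_LOCATION], row[COL_IMAGE])
        signer = row.get(COL_SIGNER, "")
        if "file not found" in f.image_path.lower():
            # A remnant: Windows keeps trying to start it. Untick, don't delete.
            f.reasons.append("Image Path reports File Not Found")
            f.action, f.score = "untick", 1
        else:
            if not is_verified(signer):
                f.reasons.append("code signature not Verified")
                f.score += 2
            if not row.get(COL_DESCRIPTION, "").strip():
                f.reasons.append("no Description")
                f.score += 1
            if not signer.strip():
                f.reasons.append("no Publisher")
                f.score += 1
        if f.reasons:
            findings.append(f)
    findings.sort(key=lambda x: x.score, reverse=True)
    return findings


def report(findings: list) -> str:
    """Plain-text worklist: what to research (or untick) and why."""
    lines = []
    for f in findings:
        lines.append(f"[{f.action:8}] score={f.score} {f.entry} ({f.location})")
        lines.append(f"           {f.image_path}")
        lines.append("           " + "; ".join(f.reasons))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_EXPORT)))
```

The scoring deliberately weights an unverified signature above a missing Description or Publisher, because the guide notes that many legitimate programs omit those fields; the worklist still only tells you what to research, and 'untick' is the only action it ever suggests.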
To help you check up on suspicious entries in Autoruns you can use other tools from SysInternals to monitor for suspicious activity by programs.
DOWNLOAD SysInternals Process Explorer to see what programs are running. It's like Windows Task Manager but with more information, and is able to read the memory of programs for suspicious code (search the code for words like 'connect', 'IP', 'IRC' etc). Visit Microsoft Technet for this malware removal video showing how to use Process Explorer to track down viruses.
DOWNLOAD SysInternals TCPView to see what programs are using your internet connection. Research the IP addresses your programs are connecting to and if they look suspicious block that IP or IP range using your firewall. For example in Comodo you would click Firewall, then My Blocked Network Zones, then Add, and insert the suspicious IP addresses.
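Before blocking anything, the connection list has to be reduced to the remote addresses that are actually worth researching. The Python script below is an added example for this guide, not code from TCPView or Comodo. It assumes a tab-separated listing of process, PID, protocol, local endpoint, remote endpoint and state (a format chosen for this example), treats loopback and private LAN ranges as uninteresting, notes the IRC ports the guide mentions, and turns an address you have researched and judged suspicious into the /24 range you would add as a blocked zone. The sample listing is constructed and uses documentation address ranges.

```python
"""Pick out the connections worth researching from a TCPView-style listing:
anything whose remote end is not your own machine or LAN, with a note when
the remote port is one the guide warns about (IRC). block_zone() widens an
IP you have already researched and judged suspicious into the network range
you would paste into the firewall's blocked zones.

Assumption: the listing is tab-separated as process, PID, protocol,
local endpoint, remote endpoint, state. SAMPLE_LISTING is constructed for
this example and uses documentation address ranges, not real output.
"""
import ipaddress

# Addresses that are the machine itself or the local network, not the Internet.
# Listed explicitly rather than via is_private so documentation ranges still
# count as 'external' in the sample.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

SAMPLE_LISTING = """\
chrome.exe\t4120\tTCP\t192.168.1.20:52113\t203.0.113.10:443\tESTABLISHED
svchost.exe\t1056\tTCP\t0.0.0.0:135\t0.0.0.0:0\tLISTENING
svchost32.exe\t3388\tTCP\t192.168.1.20:52207\t198.51.100.23:6667\tESTABLISHED
spoolsv.exe\t1480\tTCP\t127.0.0.1:49152\t127.0.0.1:49153\tESTABLISHED
svchost32.exe\t3388\tUDP\t192.168.1.20:61002\t*:*\t
"""


def port_note(port: int) -> str:
    """Label remote ports the guide tells you to look twice at."""
    if 6660 <= port <= 6669 or port == 7000:
        return "IRC"
    if port == 6697:
        return "IRC over TLS"
    return ""


def split_endpoint(endpoint: str):
    """'198.51.100.23:6667' or '[::1]:443' -> (ip_address, port); None for wildcards."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if not host or host == "*" or not port.isdigit():
        return None
    try:
        return ipaddress.ip_address(host), int(port)
    except ValueError:
        return None


def is_local(addr) -> bool:
    return addr.is_unspecified or any(addr in net for net in LOCAL_NETS)


def external_connections(listing: str) -> list:
    """Connections whose remote end is outside the machine/LAN, in listing order."""
    out = []
    for line in listing.splitlines():
        fields = line.split("\t")
        if len(fields) < 5:
            continue
        process, pid, proto, _local, remote = fields[:5]
        parsed = split_endpoint(remote)
        if parsed is None:
            continue
        ip, port = parsed
        if port == 0 or is_local(ip):
            continue  # listening sockets and LAN/loopback traffic are not the target
        out.append({"process": process, "pid": int(pid), "proto": proto,
                    "remote_ip": str(ip), "remote_port": port,
                    "note": port_note(port)})
    return out


def block_zone(ip: str, prefix: int = 24) -> str:
    """Widen a researched, confirmed-suspicious IP to the range you would block."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


if __name__ == "__main__":
    for c in external_connections(SAMPLE_LISTING):
        flag = f"  <-- {c['note']}" if c["note"] else ""
        print(f"{c['process']} (PID {c['pid']}) -> {c['remote_ip']}:{c['remote_port']}{flag}")
    print("example block zone:", block_zone("198.51.100.23"))
```

Note that block_zone() is only meant to be fed addresses you have already researched, as the guide says; blocking every external address a browser talks to would just break the browser.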
Rootkit Removal
A rootkit is a sophisticated type of malware designed to keep itself hidden. To find any on your system run each of these rootkit scanners:
DOWNLOAD McAfee Rootkit Detective
DOWNLOAD Norman TDSS Cleaner
DOWNLOAD Norman Sinowal Cleaner
DOWNLOAD Norman Vundo Cleaner
DOWNLOAD Sophos Anti-Rootkit (requires registration)
DOWNLOAD Userland rootkit detector
DOWNLOAD GMER
A standard scan with GMER will show any malware in red under the main Rootkits/Malware tab. Under the Services tab look for anything that has no File Name or Description, and search for its name online to see if it is a service related to a legitimate application, is an element of Windows or is otherwise 'safe'. If you cannot find out what it is then leave it and move on to the next service in the list.
If you do find any service widely described online as a virus or malware then you should right-click its entry and Delete. Be very careful that you don't delete any legitimate services, and make sure you have made a new restore point before you try this. GMER is a last resort for malware that cannot be removed by malware scanning but that you know is there from analysis with Process Explorer and TCPView.
You should pay special attention to services that are listed with a Start state of AUTO, BOOT or SYSTEM, and special attention to services that don't appear in your Windows Services list from Control Panel/(Performance and Maintenance)/Administrative Tools/Services.
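The comparison described above, GMER's Services tab against the list Windows itself shows, is a cross-view check: a service that GMER can see but the Windows service list cannot is exactly what a rootkit hides. The Python script below is an added example for this guide, not part of GMER or Windows. It assumes the GMER side is a tab-separated dump of name, file name, description and start state (a format chosen for this example; GMER's real export differs) and reads the Windows side from the output of 'sc query type= all state= all', which prints one 'SERVICE_NAME: <name>' line per service. Both samples are constructed.

```python
"""Cross-view check for the GMER Services tab: services GMER lists but the
Windows service API does not are ranked first, with BOOT, SYSTEM and AUTO
start states ahead of MANUAL; services that are visible but have no File
Name or Description are kept as lower-priority research items.

Assumption: GMER_SERVICES is a tab-separated dump of name, file name,
description, start state (constructed; GMER's real export differs).
SC_QUERY mimics 'sc query type= all state= all', which prints a
'SERVICE_NAME: <name>' line per service. Both samples are constructed.
"""
import re

EARLY_START = {"BOOT", "SYSTEM", "AUTO"}
PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2}

GMER_SERVICES = """\
Spooler\tC:\\Windows\\System32\\spoolsv.exe\tPrint Spooler\tAUTO
Dhcp\tC:\\Windows\\System32\\svchost.exe\tDHCP Client\tAUTO
sysdrv32\t\t\tSYSTEM
helperdrv\tC:\\Windows\\System32\\drivers\\helperdrv.sys\t\tMANUAL
ghostsvc\tC:\\Windows\\System32\\ghostsvc.dll\tSystem Helper\tAUTO
"""

SC_QUERY = """\
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING

SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: helperdrv
DISPLAY_NAME: helperdrv
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
"""


def api_visible_services(sc_output: str) -> set:
    """Names the Windows service API reports (what Services and sc query show)."""
    return set(re.findall(r"^SERVICE_NAME:\s*(\S+)", sc_output, re.MULTILINE))


def parse_gmer(text: str) -> list:
    """Rows of the constructed GMER dump; missing columns become empty strings."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, file_name, description, start = (line.split("\t") + [""] * 4)[:4]
        rows.append({"name": name, "file_name": file_name,
                     "description": description, "start": start.upper()})
    return rows


def cross_view(gmer_text: str, sc_output: str) -> list:
    """Services to research, highest priority first."""
    visible = api_visible_services(sc_output)
    findings = []
    for svc in parse_gmer(gmer_text):
        hidden = svc["name"] not in visible
        missing = [f for f in ("file_name", "description") if not svc[f]]
        if hidden and svc["start"] in EARLY_START:
            priority = "high"      # hidden from Windows and starts early: classic rootkit sign
        elif hidden:
            priority = "medium"
        elif missing:
            priority = "low"       # visible, but the guide says research it anyway
        else:
            continue               # visible and fully described: nothing to do
        findings.append({**svc, "hidden": hidden, "missing": missing,
                         "priority": priority})
    findings.sort(key=lambda f: PRIORITY_ORDER[f["priority"]])
    return findings


if __name__ == "__main__":
    for f in cross_view(GMER_SERVICES, SC_QUERY):
        where = "HIDDEN from Windows" if f["hidden"] else "visible"
        print(f"[{f['priority']:6}] {f['name']} start={f['start']} {where}"
              + (f" missing={','.join(f['missing'])}" if f["missing"] else ""))
```

The output is a research list in the order the guide suggests working through it; as the guide says, a service you cannot identify is left alone, and nothing here deletes anything.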
Also scan your pc with the MBR rootkit detector on the GMER download page.
Online Tech Help
If your pc still has an unfixable problem post the symptoms and scan reports to these tech-help sites and forums for a possible solution:
WildersSecurity
ComputerHope
Annoyances.org
Bleeping Computer
ATTENTION - some of these are public forums so beware false prophets, scams and deception (don't click on links in posts from people who aren't moderators or highly ranked, don't download and run software before scanning it with several antivirus scanners, don't give people your email address or any details that could compromise your identity or security, e.g. your IP address, sensitive log entries from antivirus scanning programs you may be asked to run and post up, etc).
©Helptree Services 2010