Thursday, November 26, 2009

When it comes to malware removal, use a shotgun, not a rifle.

Cleaning an infected computer is a challenge; unfortunately, malware writers are getting talented, which translates to real trouble if your machine gets infected. Many computers ship with large all-in-one security suites. These all-in-one programs look good on a checklist comparison in PC Magazine, but I prefer to use a variety of programs from different vendors, each using a slightly different method of cleaning your machine, to give you the best chance of finding all of the bad files.

Recently I had to deal with a Lenovo ThinkPad my daughter had been using. The laptop had recently been given a clean install of Windows XP and is a spare machine I use only occasionally. After my daughter had finished using it, I did a routine scan using Malwarebytes, a very good free anti-spyware program. The scan found 15 infections, including some rootkits, which can be very difficult to remove. Malwarebytes told me I needed to reboot the computer to finish the removal; I complied and rescanned. Same results, same Trojans, same rootkits, so I scanned with Microsoft Security Essentials, a new free anti-virus program Microsoft recently released. Security Essentials found nothing at all, so I tried a new (to me) website, virustotal.com. VirusTotal allows you to upload suspicious files to determine whether they are a threat or possibly a false positive. I uploaded the file that was showing up most frequently on the quick scans. VirusTotal scans the file using over 40 different anti-virus engines; only one, McAfee VirusScan, found the file to be suspicious, so I was beginning to think I might have a false positive. But the fact that the file kept reappearing was very suspicious, so I needed to get serious.

The next step was to run CCleaner, a very good registry and temporary-file cleaner. CCleaner will make virus scans faster and may delete files that are allowing a possible payload to reload when you restart the computer. After using CCleaner I installed SUPERAntiSpyware, a program I always install as one of my primary tools to combat spyware; the fact that this computer was a fresh rebuild was the only reason I hadn't installed it yet. Installing and running SUPERAntiSpyware goes very fast; it's a great program that is the favorite of many computer technicians. Super lived up to its reputation and found a number of problems, including one Trojan with multiple registry entries. Rebooting the machine after SUPERAntiSpyware finally yielded some results: additional scans from SUPERAntiSpyware and Malwarebytes came up clean. My next test is to run HijackThis. HijackThis is a very powerful tool which must be handled with care. Installing HijackThis is simple; using it effectively is another story. The best way for most people is to run HijackThis, which will create a log file, then post this file to a web site where experts can parse your results and determine whether you still have any suspicious entries remaining. My preferred site is http://www.hijackthis.de/. The site is primarily in German, but don't let that deter you: they have a scanner that will analyze your log file in real time and give you a good idea right away whether HijackThis has found anything.

If you have run and re-run your scanning tools, run HijackThis, and everything comes up looking okay, you're probably malware free. But for the next few reboots you should continue to make sure your anti-malware programs are up to date and keep rescanning periodically. Most malware these days wants to hide in the background; you may be infected and never know your machine is stealing your passwords and draining your bank account. So stay safe, keep your data backed up, and if you get infected use as many tools as it takes to get secure again.
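The procedure above is, at bottom, a persistence check: a file that a scanner removed but that is back after the next reboot is exactly the "kept reappearing" signal the post relies on. As an added example, not code from the original post or from any of the tools it mentions, the following Python script records SHA-256 hashes of the files under directories you choose (for instance your Startup folder) and compares snapshots taken before cleanup, after cleanup and after the reboot, so a reappearing or newly arrived file is flagged instead of being spotted by eye. The directory names and the files in the `demo()` scenario are constructed for illustration; a hash recorded this way can also be searched on virustotal.com without uploading the file itself.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of one file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(roots):
    """Map every regular file under the given directories to its SHA-256.

    Keys are plain strings so a snapshot can be written with save_snapshot()
    before the reboot and read back with load_snapshot() afterwards.
    """
    result = {}
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file():
                continue
            try:
                result[str(path)] = hash_file(path)
            except OSError:
                # A locked or unreadable file is recorded rather than dropped:
                # something a scanner cannot read deserves a look too.
                result[str(path)] = "UNREADABLE"
    return result


def save_snapshot(snap, out_file):
    Path(out_file).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_snapshot(in_file):
    return json.loads(Path(in_file).read_text())


def compare(before_clean, after_clean, after_reboot):
    """Classify files across the three points of the cleanup procedure.

    reappeared: removed by the cleanup but present again after the reboot
                (the bool says whether it came back byte-for-byte identical)
    new:        present only after the reboot
    changed:    survived the cleanup but has a different hash after the reboot
    """
    removed = set(before_clean) - set(after_clean)
    reappeared = sorted(
        (path, after_reboot[path] == before_clean[path])
        for path in removed if path in after_reboot
    )
    new = sorted(
        path for path in after_reboot
        if path not in before_clean and path not in after_clean
    )
    changed = sorted(
        path for path in after_reboot
        if path in after_clean and after_clean[path] != after_reboot[path]
    )
    return {"reappeared": reappeared, "new": new, "changed": changed}


def demo():
    """Constructed scenario in a temporary directory (no real malware involved):
    one file is 'removed' by the cleanup and is back after the 'reboot'."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp) / "Startup"
        startup.mkdir()
        (startup / "readme.txt").write_bytes(b"harmless text")
        dropper = startup / "update.exe"
        dropper.write_bytes(b"constructed sample, not a real binary")

        before_clean = snapshot([startup])
        dropper.unlink()                                   # the scanner deletes it
        after_clean = snapshot([startup])
        dropper.write_bytes(b"constructed sample, not a real binary")  # back again
        (startup / "helper.dll").write_bytes(b"second constructed file")
        after_reboot = snapshot([startup])

        return compare(before_clean, after_clean, after_reboot)


if __name__ == "__main__":
    for kind, entries in demo().items():
        print(kind, entries)
```

In use you would call `save_snapshot(snapshot([...your startup folder...]), "before.json")` before the first scan, again as `after_clean.json` once the scanner reports the removal, and a third time after the reboot, then feed the three files through `load_snapshot()` and `compare()`. Anything in `reappeared` is the file to hash and look up before assuming a false positive.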

http://www.malwarebytes.org/

http://www.microsoft.com/Security_Essentials/

http://www.superantispyware.com/

http://www.virustotal.com/

http://free.antivirus.com/hijackthis/

1 comment:

Anonymous said...

Thank you for the article, found a few tips there (never used CCleaner for this before, but you are actually right).
You can also get the full version of Malwarebytes Anti-Malware with a Malwarebytes coupon code shared by other people - some save you up to 40%.