Malware Removal

Click here for a free download of HiJackthis

It is always a pleasure to help others when it comes to the issues of the day, i.e., malware, spyware, and viruses. I know it seems like a never-ending battle, and it really doesn't look good for the future, but there are some really simple things that can be done to help slow down the progress. Also, with a little technical expertise and help from others you can rid a computer of those nasties.

You'll find HiJackthis to be an excellent tool in your arsenal. But keep in mind that it can also be a very dangerous tool, since you can remove items necessary to the normal operation of the computer. HiJackthis creates a list of the places where programs hook into the system and the browser: the registry Run keys and other auto-start locations, browser helper objects and toolbars, the Internet Explorer start and search pages, the hosts file, the Winlogon shell entry, and so on. It does not judge them; legitimate entries and malware appear side by side in the same list, so understanding the report can be difficult at first.

However, there is a web site that will assist you in analyzing the HiJackthis log file: http://www.hijackthis.de/

Just copy and paste the log file into the text box on this web site, or upload a copy of the log file, and click the Analyze button. A page will appear with information about most of the entries in the log: the really nasty ones are marked in red, the questionable items in yellow, and the safe items in green. The site judges an entry by the name and path in the log, not by examining the file itself, so take the colours as guidance rather than proof.

After a while you will probably not require this analyzer, as you'll learn what is good and what is really bad.

The steps that we take when a computer is infected are as follows:

  1. Install SpyBot and AdAware. If you can, update their reference files now, but do not run the applications yet. Many spyware programs recognize the presence of these applications and either prevent them from running or modify their scanning areas to avoid capture.
  2. Run HiJackthis from the hard drive. If you have the tool on a CD, first copy it to the hard drive so that it can create its backup files. Save a copy of the log file. If you still have Internet access, have the log analyzed; either print the analysis results or make a note of the bad software. Do not try to remove any items at this time.
  3. Hard power down the computer by flipping the switch or holding the power button until it shuts off; this usually takes about four seconds. This prevents any of the malware from running its exit routines and/or writing its startup routines. Anything unsaved is lost, but that is the trade: a normal shutdown gives the malware a last chance to run.
  4. Power the computer back on and press the F8 key to reach the boot menu. Choose Safe Mode with Command Prompt. This is critical, since it does not start the Explorer shell and therefore does not start the bad software that hooks it: the Run keys are processed by Explorer, and many malware applications also register themselves through the Winlogon shell entry (the F2 lines in the HiJackthis log) so that they load together with Explorer.
  5. Once you are at the command prompt, run HiJackthis from the hard drive again by typing its full path. Now select the bad items and fix them (HiJackthis backs up each entry it removes, which is why it has to run from the hard drive). Also make a note of the file locations of the bad software, because you will want to delete those files next.
  6. From the command prompt, navigate to the folder locations you noted in step 5 and start removing the items from the computer. This can be a tedious task, but if you can delete the files before scanning with Spybot or AdAware, things will go much faster. To navigate to the directories, remember these DOS tips: CD (change directory) and CD \ (go to the root of the drive). An asterisk lets you change directory without typing the complete folder name, e.g. CD \prog* goes to Program Files; the asterisk only works on Windows 2000 or later.
  7. Remove directories with the RD (remove directory) command. RD also has a great feature that removes the entire folder, its sub-folders and its files in one shot. To delete the folder "Web Rebates" you would type: RD /S /Q "Web Rebates". You must use quotes when the folder name has a space in it; /S removes all sub-folders and files, and /Q does it quietly without asking for confirmation. Be very careful when doing this, as it is irreversible and you do not want to delete the wrong folder; files and folders deleted with RD do not end up in the Recycle Bin. Type CD on its own to see which directory you are in, and DIR to list it, before you type RD.
  8. After you have removed as many of the obvious software applications as you can, run Spybot and AdAware. Navigate to their respective folders on the hard drive and run them from the command prompt; do not start the Explorer shell until after you have completed these scans. When they finish, run HiJackthis once more and compare its log with the copy you saved in step 2; any bad entry that has come back points to something you missed.
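
The following script is an added example, not part of the original page and not HiJackthis's own code. It ties the log-analysis step to the command-prompt cleanup: it reads HiJackthis log lines, picks out the file paths of the entries the analyzer marked bad (step 5's "note of the file locations"), and writes out the DEL and RD /S /Q commands of steps 6 and 7, refusing to RD a folder that is, or contains, C:\, C:\Windows, C:\Windows\system32 or C:\Program Files. The log lines, the CLSID and file names in them, the BAD_FILES verdicts and the PROTECTED_DIRS list are all constructed or assumed for the example; extend the protected list for your own machine. It is meant to run on a second, clean computer with Python installed, against the log you saved, and the printed commands are then typed at the Safe Mode command prompt.

```python
"""Pick the file paths out of a HijackThis log and plan their removal.

Added example: run on a clean machine against the saved log, then type the
printed commands at the infected machine's Safe Mode command prompt.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample log in HijackThis format (CLSID and file names invented
# for the example; this is not a real machine's log).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://searchbar.example/search
O1 - Hosts: 10.0.0.1 www.example.com
O2 - BHO: Web Rebates Helper - {11111111-2222-3333-4444-555555555555} - C:\\Program Files\\Web Rebates\\WebRebates1.dll
O4 - HKLM\\..\\Run: [WebRebates] C:\\Program Files\\Web Rebates\\WebRebates0.exe
O4 - HKLM\\..\\Run: [SynTPEnh] C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe
O4 - HKLM\\..\\Run: [winupdt] C:\\WINDOWS\\system32\\winupdt32.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\system32\\winupdt32.exe
"""

# Verdicts from the analysis step (the entries marked red): constructed here
# for the sample, keyed on the file name the log shows for the entry.
BAD_FILES = {"webrebates1.dll", "webrebates0.exe", "winupdt32.exe"}

# Folders this script refuses to RD /S, because one slip there takes Windows
# with it. An assumed starting list; extend it for your own machine.
PROTECTED_DIRS = [PureWindowsPath(p) for p in (
    "C:\\", "C:\\Windows", "C:\\Windows\\system32", "C:\\Program Files")]

# A drive letter, any folders (spaces allowed, since HijackThis does not quote
# paths), and a file name with an extension that can carry code.
PATH_RE = re.compile(
    r'[A-Za-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*?'
    r'\.(?:exe|dll|sys|scr|cpl|ocx)\b', re.IGNORECASE)


def parse_entries(log_text):
    """Return (tag, path) for every tagged log line that names a file on disk."""
    entries = []
    for line in log_text.splitlines():
        m = re.match(r"([A-Z]\d+) - ", line)
        if not m:
            continue  # header lines; R1/O1 lines drop out below, having no path
        for raw in PATH_RE.findall(line):
            entries.append((m.group(1), PureWindowsPath(raw)))
    return entries


def flag_entries(entries, bad_files):
    """Keep only the entries whose file the analyzer marked bad."""
    return [(tag, path) for tag, path in entries
            if path.name.lower() in bad_files]


def is_protected(directory):
    """True if directory is a protected folder or contains one."""
    d = PureWindowsPath(directory)  # Windows-style, case-insensitive comparison
    return any(d == p or d in p.parents for p in PROTECTED_DIRS)


def plan_removal(flagged):
    """Turn flagged entries into cmd.exe commands, one per folder or file."""
    commands, dirs_done, files_done = [], set(), set()
    for _tag, path in flagged:
        if is_protected(path.parent):
            # A file dropped into C:\WINDOWS\system32: delete only that file.
            if path not in files_done:
                files_done.add(path)
                commands.append(f'DEL /F /Q "{path}"')
        elif path.parent not in dirs_done:
            # Malware living in its own folder: remove the whole folder.
            dirs_done.add(path.parent)
            commands.append(f'RD /S /Q "{path.parent}"')
    return commands


if __name__ == "__main__":
    flagged = flag_entries(parse_entries(SAMPLE_LOG), BAD_FILES)
    for tag, path in flagged:
        print(f"fix in HijackThis: {tag} entry for {path}")
    for cmd in plan_removal(flagged):
        print(cmd)
```

The tag printed for each flagged entry tells you which line to tick in HiJackthis (the registry side of the cleanup); the DEL and RD lines are the file side. For the sample log this produces one RD /S /Q for the "Web Rebates" folder and one DEL /F /Q for the file sitting in system32, and the legitimate Synaptics entry is left alone.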

Hopefully, after completing the scans and removing as many nasties as possible, you will regain access to the computer. It is highly recommended that you get some sort of firewall software installed on the computer, along with a very good anti-virus, anti-spam or anti-spyware application. One application that works well on all fronts is Symantec Internet Security. I have heard of this application selling for as low as $35.00 on the internet and up to $65.00 in stores.

If you have a high-speed or broadband connection, it is also recommended that a hardware router be installed to help reduce the immediate vulnerability associated with being connected directly to the Internet: a router doing NAT drops unsolicited inbound connections, so worms scanning the Internet never reach the PC's open ports. These can be had for as low as $50.00 in stores like Wal-Mart, Office Max, Office Depot, or Fry's Electronics.

By Kevin Svec ASCIi Computer Club President