Saturday, December 12, 2009

Manually Removing Computer Viruses

Warning:

This article will assist anyone struggling to remove a computer virus, spyware or malware from a computer. This type of problem can affect any computer running some version of Windows. The screenshots were taken from Windows XP, but the techniques also apply to Vista and Windows 2000. This article is aimed at advanced users who are confident at the keyboard and know how to reinstall Windows.

Disclaimer:

Please remember to back up any important work or data, if possible, before attempting any repair. Please see this site's Disclaimer. The freeware programs mentioned here will serve you well, but must be used with respect; a cavalier attitude usually ends in loss of data, so if unsure ask a more experienced computer user or post a question on one of the many Windows internet forums, e.g. Tech Support Forum.

Download Links:

Autoruns
Process Explorer
HiJack This
Malware Bytes Anti Malware

Quick Guide
For anyone in a hurry, read this paragraph. Removing a computer virus is a time consuming task. Nobody ever has just one single virus; having a virus is like having an ant in your house, it usually returns with an army. A virus scanner is a good deterrent, but if the product is out of date then it's a useless product. Tracking down a virus is a matter of knowing what processes are running on the computer, and which of them should not be running. Any process with a suspicious sounding name, or one that is consuming a lot of system resources, could be an indication of something more malevolent. Tools to help are System Configuration (msconfig), Task Manager and Autoruns. When you find a suspect process, look it up on Google. If it does turn out to be a virus or malware then sometimes killing the process will work. You also have to find where it is called from, and delete the offending registry keys, start-up service or start-up program. Malware Bytes' File Assassin, or the Malignant File Remover from the Linux side of the disk, can take care of locked files. Once all threats have been removed it is a matter of rebooting and checking the computer. Usually you're looking at 2 hours' work, and sometimes, if things are really bad, you have to decide whether it's cheaper to wipe the hard drive and reload Windows.

Virus Definitions
In its simplest terms, a computer virus is a file that can copy itself. This doesn't sound too bad, but it's the "payload" that the virus can carry that makes it a real security threat. Some viruses are designed to delete files, others can steal passwords, and some are designed to make your computer unbootable. There are other types of viruses, defined in simple terms:-

Virus - a file that can copy itself
Trojan - a program that contains a virus or malware
Spyware - a file or program designed to intercept or take partial control of a computer
Malware - a program designed to damage a computer without the owner's consent
Worm - a network travelling virus

All the above can loosely be called viruses, and keeping a computer protected is a constant battle between good and evil. The best defence is to run an anti virus program and keep it updated. An outdated product is a useless product.

Virus Removal
If you suspect a virus, then the first step is to run a virus scan from Windows. You may get lucky and the anti virus (AV) program detects and removes the virus. If the AV program can detect the name of the virus but cannot remove it, make a note of its name and research it on Google. There may be a downloadable utility that can remove it for you.

If no Virus is Detected
If an anti virus scan and a spyware scan have revealed nothing, and the computer is still running slowly or behaving oddly, you'll need to check what processes are running. The next section should help, and special tools are available in the form of Task Manager, Autoruns, Process Explorer and HijackThis.

Displaying Processes
At any time Windows always has many running processes. A process is an individual task that the computer runs. In general, the more processes, the more work the computer has to do and the slower it will run. However, it's not just the number of running processes that matters; what's also important is the amount of system memory (RAM), hard drive space and processing speed. These are known as system resources, and every process affects the system resources. Each task is given a process number or PID. Process IDs start at 1 and are assigned by the system kernel. The system kernel is the core of the operating system, but unlike other operating systems, e.g. Linux, the Windows user has no control over the running kernel, though its performance can be seen via Task Manager and other tools. The easiest way to see how a system is running is by using Task Manager. Task Manager can be started by right clicking the taskbar or pressing Ctrl-Alt-Delete, screenshot below:



Task Manager
The screenshot above is taken from my own computer running Windows XP. For comparison I will also run Autoruns and HijackThis on the same system.
The screenshot above has more information than the standard Task Manager view. To view the extra columns, press View, then Select Columns, and tick the boxes for VM Size, Handles, Threads, I/O Read Bytes and I/O Write Bytes; you should then have a similar display. The bottom line shows 24 processes and CPU usage of 0%. If the computer appears sluggish and takes forever to do anything, you may see a high number of running processes and CPU usage of 100%. CPU usage only drops to 0% when the system is idle; at any other time the running figure will be between these limits, and the lower the usage, the faster and more responsive the system will be. A quick explanation of the columns:-

Image Name - the name of the current process or task
PID - the Process ID number of the current task
User Name - the name of the owner of the task
CPU - amount of CPU usage in percent
Mem Usage - amount of physical RAM used by the task
VM Size - amount of virtual memory allocated to the task
Handles - number of open files that the process is using
Threads - number of other simultaneous tasks running in association with the current task
I/O Read Bytes - amount of information that the process is reading from disk
I/O Write Bytes - amount of information that the process is writing to disk

Task Manager Performance Window
Clicking the performance tab will produce a useful display, see below.



The top right shows overall CPU load: at idle it will be 0%, at full load 100%. To find out which process is using the CPU, click the Processes tab and then the CPU column to arrange in CPU load order. To the right is CPU usage history; bottom left shows the amount of memory used in the Paging File (PF). The paging file (see Virtual Memory below) is very important. On computers with modest or low amounts of memory, any labour intensive task will read and write information to and from the paging file. As the paging file is created on a hard disk, which is thousands of times slower than physical memory, the computer will run slowly. Physical memory is shown in KB at the lower right of the screen. If the value of the PF is greater than the physical memory, then the computer would benefit from more RAM, or requires a tune-up to remove superfluous programs.

Using Task Manager Information
Suppose now you come across a computer whose hard drive is constantly thrashing. Bring up Task Manager and turn on the I/O Read Bytes and I/O Write Bytes columns. Click on the I/O Read Bytes column and the list is sorted in order of disk usage; you can easily see which process is hammering the hard drive. Suppose instead the computer is very slow; then by clicking on the CPU column you should be able to see which process is hogging the CPU.

Virtual Memory
All computers require physical memory (RAM) to run their applications. Once all available RAM has been used, memory is supplemented by reading and writing to a file on the hard drive. This file is called the Paging File and acts as virtual memory (although hard disks are a thousand times slower than memory). On machines with 256M of memory or less (or any computer attempting to run many programs) the system RAM soon gets used up and the paging file gets created. When this happens the end user will notice a big drop in performance. Again, you can see which tasks are the heavy users of VM by sorting on the VM Size column in Task Manager. This is one reason why Norton Antivirus should not be run on a computer with less than 256M of RAM: its massive use of resources leaves little memory for any other task, and you're constantly waiting for the hard drive to read and write from the paging file.

Checking Running Processes
If a customer reports a problem with a computer, the first place to look is Task Manager. You need to know what's running and whether it should be running. This is where skill is required. With practice you can quickly identify system and user tasks, network processes and services. Anything unknown you look up on the internet. It soon becomes clear what's normal and which tasks could possibly be viruses or malware.

Some handy resources to help on the Internet are:
McAfee Threat Library
Start up Programs
Task List Org

Knowing what's running and what looks suspicious takes experience and a trained eye. Some virus writers now deliberately use process names that look similar to real tasks, e.g. taskmgr.exe (the real Task Manager process) and taskmgr.exe which is an email worm.
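As an added example (not code from the original article), here is a Python audit that applies the two checks just described to a constructed process list: a known system image must run from its expected directory, and an unknown name that matches a known one after a digit-for-letter swap, or differs from it by only a character or so, is reported as a lookalike. The KNOWN_IMAGES allow-list and the SAMPLE process list are assumptions made up for the example.

```python
from difflib import SequenceMatcher

# Allow-list of well-known Windows XP images and the directory each should run
# from. Constructed for this example; build yours from a known-clean machine.
KNOWN_IMAGES = {
    "taskmgr.exe": "c:\\windows\\system32",
    "svchost.exe": "c:\\windows\\system32",
    "lsass.exe": "c:\\windows\\system32",
    "csrss.exe": "c:\\windows\\system32",
    "explorer.exe": "c:\\windows",
}

# Digit-for-letter swaps that are easy to miss when scanning a process list.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def audit_process(name, path):
    """Return a list of findings for one (image name, full image path) pair."""
    findings = []
    name_l = name.lower()
    directory = path.lower().rsplit("\\", 1)[0]
    if name_l in KNOWN_IMAGES:
        # A genuine system image always lives in its expected directory.
        if directory != KNOWN_IMAGES[name_l]:
            findings.append(f"{name}: known system image running from {path}")
        return findings
    # Unknown name: does it impersonate something on the allow-list?
    normalised = name_l.translate(HOMOGLYPHS)
    for known in KNOWN_IMAGES:
        if normalised == known:
            findings.append(f"{name}: digit-for-letter lookalike of {known}")
        elif SequenceMatcher(None, name_l, known).ratio() >= 0.9:
            findings.append(f"{name}: near-duplicate of {known}")
    return findings

def audit(process_list):
    """Run audit_process over a list of (name, path) pairs."""
    out = []
    for name, path in process_list:
        out.extend(audit_process(name, path))
    return out

# Constructed sample resembling a Task Manager process list with image paths.
SAMPLE = [
    ("taskmgr.exe", "C:\\WINDOWS\\system32\\taskmgr.exe"),
    ("avgtray.exe", "C:\\Program Files\\AVG\\avgtray.exe"),
    ("svch0st.exe", "C:\\WINDOWS\\system32\\svch0st.exe"),
    ("svchost.exe", "C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"),
    ("taskmngr.exe", "C:\\WINDOWS\\taskmngr.exe"),
]
```

Calling audit(SAMPLE) reports the three suspect entries and stays silent on the genuine taskmgr.exe and the AVG tray program.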

Killing Processes
In Task Manager this is as easy as highlighting the process, right clicking and choosing kill process (see screenshot).



Some processes will terminate instantly, others may cause a system crash, and others may give a locked file warning.

Dealing with Locked Files
If a file is in use you will get an access denied message or similar. To delete locked files, you can seek out all the threads and file handles holding it open (very time consuming), or use the Malware Bytes File Assassin tool, part of the Malware Bytes Anti Malware program (and also on the CD in the tools folder). This automatically closes all file handles and deletes the file on reboot. An alternative is to run the CD in Linux mode and use the Malignant File Removal Tool.

Finding Running Processes
System Tray
A quick word about the Windows system tray. This is usually at the bottom right of the taskbar but can be moved about. The system tray from my computer is shown below:

Every item starting in the system tray will create one or more additional processes; the more items starting in the system tray, the slower the system will start. If a user installs software with the default choices then many items will be shown here. It's not necessary to have anything in the system tray, though for convenience most people like the volume control and clock.

System Configuration Utility
The easy way to find out where processes are started from is the System Configuration Utility, image below. Start this from the Run dialog box by typing msconfig, or from Control Panel. There are several tabs; the Startup tab is shown below:



Unticking the box disables the startup entry but does not delete it. This is a safe way to carry out diagnostics since, if needed, ticking the box enables the entry again. Similarly, startup services can be disabled, as can entries in the win.ini file. Do not be tempted to experiment here: disabling a needed service can render the computer unbootable.

Services
Bringing up the services list, from either Computer Management, typing services.msc in the Run dialog box, or typing services in the search box in Vista, will show something similar to the list below.



A service is a background program controlled by the operating system, and can be set to automatic, manual or disabled. Stopping some services will prevent Windows from running, but some malware and virus writers now attempt to evade discovery by creating an entry in the services list.

A comprehensive list of services and their descriptions can be found on Wikipedia: click here.

AutoRuns
A much more powerful version of Task Manager, available as freeware, is Autoruns, screenshot below. Autoruns combines all the features of Task Manager, msconfig and the services list into a powerful all-in-one diagnostic and configuration utility.



At first look this is a mine of information, and working with this program takes a few hours' practice. The snapshot above is taken from my own computer, and has the same running processes as Task Manager. In the Everything tab, the fourth heading, which starts:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
contains many of the user started processes. Unlike Task Manager, a description is given and also the image path where the program is started from. In the screenshot AVG is the anti virus, two drivers are running for an Nvidia graphics card, and CloneCD Tray is a user choice program. System services are displayed under the system tab, whereas in Task Manager they are all lumped together.

To prevent a program from loading, untick the tickbox at the extreme left. The entry can also be right clicked and deleted, but after making any changes a reboot is advised first, followed by a check for system stability.
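To show the same idea in code (an added example, not the article's own material), the Python script below reads a constructed regedit export of the HKLM\...\Run key, works out which file each entry really starts (following rundll32 entries to the hosted DLL, as Autoruns does), and reports entries that run from outside Windows or Program Files or that give no directory at all. TRUSTED_DIRS and SAMPLE_REG are assumptions made for the example.

```python
import re

# Directories a legitimate Run entry normally starts from (assumption for the example; PROGRA~1 is the 8.3 short form).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# Constructed .reg export of the Run key in the format regedit writes (sample data, not from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"CloneCDTray"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"ctfmon.exe"="CTFMON.EXE"
"svchost"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe -k"
'''

def unescape_reg(value):
    """Undo the escaping regedit applies inside a quoted REG_SZ value."""
    return value.replace('\\"', '"').replace("\\\\", "\\")

def image_path(command):
    """Return the file that really runs: the .exe, or the DLL hosted by rundll32."""
    command = command.strip()
    if command.startswith('"'):
        image, _, rest = command[1:].partition('"')
    else:  # unquoted: take up to the first executable extension, spaces included
        m = re.match(r"(.+?\.(?:exe|com|scr))(?:\s+|$)(.*)", command, re.I | re.S)
        image, rest = (m.group(1), m.group(2)) if m else (command.partition(" ")[0], "")
    if image.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        image = rest.strip().split(",")[0].strip('"')  # the DLL before the comma is the code that runs
    return image

def audit_run_key(reg_text):
    """Return (value name, image, reason) for every Run entry worth a second look."""
    findings, in_run = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith("\\currentversion\\run")
            continue
        m = re.match(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$', line)
        if not in_run or not m:
            continue
        image = image_path(unescape_reg(m.group("value")))
        if "\\" not in image:
            findings.append((m.group("name"), image, "no directory given: check which file actually runs"))
        elif not image.lower().startswith(TRUSTED_DIRS):
            findings.append((m.group("name"), image, "starts outside Windows/Program Files"))
    return findings
```

audit_run_key(SAMPLE_REG) leaves the AVG, Nvidia and CloneCD entries alone and reports the bare CTFMON.EXE entry and the svchost.exe that starts from a Temp folder.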

Process Explorer
An extension of Autoruns is the partnering program Process Explorer, shown below.



Any item from Autoruns can be right clicked and opened in Process Explorer. As with Task Manager, disk I/O, virtual memory and memory usage can also be viewed. Clicking any column sorts the display by that resource, highest first. A useful feature is the command line path, and a right click allows the individual resource usage of a process to be graphed.

Hijack This
The next diagnostic tool in the tools folder is HijackThis, screenshot below:



HijackThis is a very powerful tool and a cross between Task Manager and Autoruns. From the main menu of HijackThis a system scan takes a snapshot of all running processes and system services. In addition it includes many more entries, not shown in Task Manager but present in Autoruns. Each item has a category that can be looked up using the Info button. I'm going to explain some of the more notable entries:

R0, R1, R2, R3 - Start page and search page for Internet Explorer. If any entry looks suspect, with a URL that looks suspicious (not the customer's start page), uncheck the box and click the Fix Checked button.

F0, F1, F2, F3 - Autoloading entries from old INI files. These are autoloading entries left over from older Windows versions. F0 references are always bad; F1 to F3 are usually old programs, so research them on Google if unsure.

O1 - Hosts file redirection. The Windows hosts file has been intercepted and is possibly being used in a browser redirect. To correct this, edit the file or untick the entries.

O4 - Autoloading programs from the Registry or Startup group. Any program that loads automatically will be referenced here. This includes legitimate driver files and programs of the user's choice. This is also where many spyware and malware programs start. Killing them here will stop them from reloading. Tread carefully and be warned: there is no way to put an item back in place should you make a mistake.

O23 - Startup services. These are just the running services, making it easier to see which services have started. The Services tab in Windows Computer Management lists all services, whether running or not.

These are the main categories; information on any other item can be found from the main tool bar by clicking on Info. TrendSecure have also provided some information about HijackThis in the form of their Quick Start Guide.
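As an added example for the O1 entries above (not part of the original article), the following Python script parses a constructed Windows hosts file and grades each mapping: any name sent to a non-loopback address is a redirect, and a security vendor or update site sent to 127.0.0.1 or 0.0.0.0 is a blocked update, the trick that leaves an AV product out of date. PROTECTED_SUFFIXES and SAMPLE_HOSTS are assumptions constructed for the example.

```python
import ipaddress

# Sites that malware commonly blocks via hosts to stop AV and Windows updates
# (suffix list is an assumption for the example; add your own vendors).
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com", "avg.com",
                      "malwarebytes.org", "mcafee.com", "symantec.com")

# Constructed Windows hosts file; sample input, not from a real machine.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
10.20.30.40     www.google.com
10.20.30.40     windowsupdate.microsoft.com   # update server redirected
0.0.0.0         free.avg.com
127.0.0.1       ad.doubleclick.net
"""

def parse_hosts(text):
    """Yield (ip, [hostnames]) per active line; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            ip, *names = line.split()
            yield ip, names

def classify(ip, name):
    """Return a severity string for one mapping, or None if it is normal."""
    addr = ipaddress.ip_address(ip)
    name = name.lower()
    if name == "localhost" and addr.is_loopback:
        return None  # the one line every Windows hosts file ships with
    if not (addr.is_loopback or addr.is_unspecified):
        return "HIGH: redirected to another host"
    if any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES):
        return "HIGH: security/update site blocked"
    return "INFO: name blocked (ad-blocking style entry)"

def audit_hosts(text):
    """Return (hostname, ip, verdict) for every entry that is not plain localhost."""
    findings = []
    for ip, names in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:  # garbage where the address should be: still worth a look
            findings.append((" ".join(names), ip, "HIGH: not an IP address"))
            continue
        for name in names:
            verdict = classify(ip, name)
            if verdict:
                findings.append((name, ip, verdict))
    return findings
```

audit_hosts(SAMPLE_HOSTS) returns four findings: two redirects, one blocked AV site and one informational ad-block entry.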

Final words of advice: with thousands of viruses, malware and spyware on the loose at any time, it's an impossible task learning everything and keeping up to date. The best advice is to use the links and "Google" at all times. It takes many years to become an expert.

Malware Bytes
Anti virus programs look for files that carry a known virus signature; anti spyware programs look for files or registry entries that are known spyware. However, malware may often exist and lie undetected. Malware is a program or utility, often disguised as something familiar, perhaps an anti virus program, that does not do what it claims to do, and instead will hijack your browser, delete files or do other damage to your computer. Malware Bytes offer a free utility called Malware Bytes Anti Malware, screenshot below:



Running a scan with Malware Bytes Anti Malware may save you hours of work. There is an Update tab to download the latest malware definitions, and if malware is detected the program offers to remove it for you.
