There are many anti-malware programs out there that will clean your system of nasties, but what happens if you’re not able to use such a program?  Autoruns, from SysInternals (recently acquired by Microsoft), is indispensable when removing malware manually.

There are a few reasons why you may need to remove viruses and spyware manually:

• Perhaps you can’t abide running resource-hungry and invasive anti-malware programs on your PC
• You might need to clean your mom’s computer (or someone else who doesn’t understand that a big flashing sign on a website that says “Your computer is infected with a virus – click HERE to remove it” is not a message that can necessarily be trusted)
• The malware is so aggressive that it resists all attempts to automatically remove it, or won’t even allow you to install anti-malware software
• Part of your geek credo is the belief that anti-spyware utilities are for wimps

Autoruns is an invaluable addition to any geek’s software toolkit.  It allows you to track and control all programs (and program components) that start automatically with Windows (or with Internet Explorer).  Virtually all malware is designed to start automatically, so there’s a very strong chance that it can be detected and removed with the help of Autoruns.

We have covered how to use Autoruns in an earlier article, which you should read if you need to first familiarize yourself with the program.

Autoruns is a standalone utility that does not need to be installed on your computer.  It can be simply downloaded, unzipped and run (link below).  This makes is ideally suited for adding to your portable utility collection on your flash drive.

When you start Autoruns for the first time on a computer, you are presented with the license agreement:

After agreeing to the terms, the main Autoruns window opens, showing you the complete list of all software that will run when your computer starts, when you log in, or when you open Internet Explorer:

To temporarily disable a program from launching, uncheck the box next to it’s entry.  Note:  This does not terminate the program if it is running at the time – it merely prevents it from starting next time.  To permanently prevent a program from launching, delete the entry altogether (use the Delete key, or right-click and choose Delete from the context-menu)).  Note:  This does not remove the program from your computer – to remove it completely you need to uninstall the program (or otherwise delete it from your hard disk).

Suspicious Software

It can take a fair bit of experience (read “trial and error”) to become adept at identifying what is malware and what is not.  Most of the entries presented in Autoruns are legitimate programs, even if their names are unfamiliar to you.  Here are some tips to help you differentiate the malware from the legitimate software:

• If an entry is digitally signed by a software publisher (i.e. there’s an entry in the Publisher column) or has a “Description”, then there’s a good chance that it’s legitimate
• If you recognize the software’s name, then it’s usually okay.  Note that occasionally malware will “impersonate” legitimate software, but adopting a name that’s identical or similar to software you’re familiar with (e.g. “AcrobatLauncher” or “PhotoshopBrowser”).  Also, be aware that many malware programs adopt generic or innocuous-sounding names, such as “Diskfix” or “SearchHelper” (both mentioned below).
• Malware entries usually appear on the Logon tab of Autoruns (but not always!)
• If you open up the folder that contains the EXE or DLL file (more on this below), an examine the “last modified” date, the dates are often from the last few days (assuming that your infection is fairly recent)
• Malware is often located in the C:\Windows folder or the C:\Windows\System32 folder
• Malware often only has a generic icon (to the left of the name of the entry)

If in doubt, right-click the entry and select Search Online…

The list below shows two suspicious looking entries:  Diskfix and SearchHelper

These entries, highlighted above, are fairly typical of malware infections:

• They have neither descriptions nor publishers
• They have generic names
• The files are located in C:\Windows\System32
• They have generic icons
• The filenames are random strings of characters
• If you look in the C:\Windows\System32 folder and locate the files, you’ll see that they are some of the most recently modified files in the folder (see below)

Double-clicking on the items will take you to their corresponding registry keys:

Removing the Malware

Once you’ve identified the entries you believe to be suspicious, you now need to decide what you want to do with them.  Your choices include:

• Temporarily disable the Autorun entry
• Permanently delete the Autorun entry
• Locate the running process (using Task Manager or similar) and terminating it
• Delete the EXE or DLL file from your disk (or at least move it to a folder where it won’t be automatically started)

or all of the above, depending upon how certain you are that the program is malware.

To see if your changes succeeded, you will need to reboot your machine, and check any or all of the following:

• Autoruns – to see if the entry has returned
• Task Manager (or similar) – to see if the program was started again after the reboot
• Check the behavior that led you to believe that your PC was infected in the first place.  If it’s no longer happening, chances are that your PC is now clean

Conclusion

This solution isn’t for everyone and is most likely geared to advanced users. Usually using a quality Antivirus application does the trick, but if not Autoruns is a valuable tool in your Anti-Malware kit.

Keep in mind that some malware is harder to remove than others.  Sometimes you need several iterations of the steps above, with each iteration requiring you to look more carefully at each Autorun entry.  Sometimes the instant that you remove the Autorun entry, the malware that is running replaces the entry.  When this happens, we need to become more aggressive in our assassination of the malware, including terminating programs (even legitimate programs like Explorer.exe) that are infected with malware DLLs.

Shortly we will be publishing an article on how to identify, locate and terminate processes that represent legitimate programs but are running infected DLLs, in order that those DLLs can be deleted from the system.

Download Autoruns from SysInternals

This is a quick to shout out to say thanks to Sunbelt Software who are advertising their anti-virus software called Vipre. Its thanks to these guys that make this blog happen and I’d like you guys(readers) to hit their link on the side to see what they are doing.

Also, later this week I will have a review article on the anti-virus software package they have and comparing it to Microsofts Security Essentials.

Vipre Antivirus

______________________________________________________________

Infected PCs are under the control of cyber criminals

Microsoft has won court approval to shut down a global network of computers which it says is responsible for more than 1.5bn spam messages every day.

A US judge granted the firm’s request to shut down 277 internet domains, which it said were used to “command and control” the so-called Waledac botnet.

A botnet is a network of infected computers under the control of hackers.

The firm said that closing the domains would mean that up to 90,000 PCs would stop receiving orders to send out spam.

A recent analysis by the firm found that between 3-21 December “approximately 651 million spam e-mails attributable to Waledac were directed to Hotmail accounts alone”.

STAYING SAFE ONLINE Use anti-spyware and anti-virus programs On at least a weekly basis update anti-virus and spyware products Install a firewall and make sure it is switched on Make sure updates to your operating system are installed Take time to educate yourself and family about the risks Monitor your computer and stay alert to threats Hi-tech crime: A glossary

It said it was one of the 10 largest botnets in the US.

Machines in a botnet have usually been infected by a computer virus or worm. Typically, users do not know their machine has been hijacked.

Microsoft said that although it had effectively shut down the network, thousands of computers would still be infected with malware and advised people to run anti-virus software.

The court order was part of what was called “Operation b49″.

Along with intelligence organisation Shadowserver, the University of Washington and security firm Symantec, Microsoft managed to get a court in Alexandria, Virginia, to force Verisign, which manages the .com domain, to temporarily switch off the domains.

Microsoft said it was the result of months of investigation and described it as a legal first.

“This action has quickly and effectively cut off traffic to Waledac at the .com or domain registry level, severing the connection between the command and control centres of the botnet and most of its thousands of zombie computers around the world.”