How to Handle Malware: Complete Guide. Give it to your younger brother, let him do it himself!

You have probably helped friends and acquaintances many times when their PCs fell to an onslaught of malware. So have we. But we got tired of it and played a trump card: we compiled a complete guide that you can simply hand to the victim, guaranteeing your non-involvement. Take it and put it to good use!

Tip one. What can we do with the help of Live CD

using emergency repair discs from antivirus companies

Antivirus Live CDs can be used to recover your system once it is rendered unusable by computer viruses. Almost every antivirus company offers this product for free.

The CD is most often a Linux-based boot image containing scanning and disinfection utilities along with the Linux components they need. These Live CDs also typically contain additional tools (registry editing and recovery utilities, disk partition editors, network configuration utilities, etc.).

See Chart 1 for a brief description of Live CDs from the antivirus providers most popular in Russia.

Chart 1. A brief description of five boot drives of the most popular antivirus software providers

  • Kaspersky Rescue Disk 10
  • Live CD ESET NOD32
  • Comodo Rescue Disk
  • Dr.Web LiveDisk
  • Avira Rescue System

The selected Live CD image can be written either to a disc (CD or DVD) or to a USB flash drive. If you're using Windows 7, the image can be burned with the bundled tool: right-click the ISO file, choose "Open with", then "Windows Disc Image Burner". Older Windows versions need third-party software to write disc images, e.g. Nero Burning ROM or free alternatives such as ImgBurn or Ashampoo Burning Studio.

To write a boot image to a USB flash drive you can use the special utilities supplied by antivirus providers along with their Live CD, or WinSetupFromUSB. Select the correct USB drive and the image file, check "Auto format it with FBinst" and then start the process.

WinSetupFromUSB utility

If your PC or laptop is a little behind the times and didn't come pre-installed with Windows 8 or higher, then booting from a rescue drive is as easy as 1-2-3. Enter BIOS setup (power on the PC and press "Del" or "F2" as soon as the firmware starts), change the boot priority to CD-ROM or USB drive (note that not all PCs support booting from USB) and wait for it to boot.

If your PC shipped with Windows 8 or higher, in the vast majority of cases it boots in UEFI mode and you may run into problems. Entering the firmware setup can be awkward, and you will have to disable Secure Boot in order to boot from a Live CD.

What is Secure Boot

Secure Boot is a UEFI feature meant to protect PCs from bootkits, low-level exploits and rootkits. With Secure Boot enabled, the UEFI boot manager will only run code whose digital signature is verified against the certificates in its own database.

You can check the status of this option with msinfo32.exe, or simply read the note in the bottom right corner of the display:

The option's status in msinfo32.exe and the note in the bottom right corner of the display

How to disable Secure Boot

This depends on your brand of laptop or motherboard, although for the most part the process doesn't differ much. The Secure Boot option can be found under Security, System Configuration or Boot; once you locate it, set it to "Disabled". Then you have to enable legacy OS compatibility mode. Different manufacturers give it different names: Launch CSM, CMS Boot, UEFI and Legacy OS or CMS OS. It can be found under "Advanced" in the main menu, then "BOOT MODE" or "OS Mode Selection". Don't forget to save the changes.

Disabling Secure Boot on a laptop with the InsydeH20 setup utility

Live CD workflow

Once the computer has booted from the Live CD, you can scan and clean it; usually the scan starts without any prompting. Some Live CDs also contain registry editing utilities. These are extremely helpful for examining the registry autorun keys (most malware uses the registry to start together with the system) or for restoring system settings the malware has manipulated.

Some registry locations malware prefer

Autorun
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\System\CurrentControlSet\Services
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

System parameters

To hinder its discovery and removal, certain malware changes the registry to disable the Task Manager, the command prompt and the Registry Editor. It may also tamper with UAC.

The key

HK?U\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

DisableRegistryTools parameter:

  • 0 – enable registry editor;
  • 1 – disable registry editor;

DisableTaskMgr parameter:

  • 0 – enable task manager;
  • 1 – disable task manager;

EnableLUA parameter:

  • 0 – enable UAC;
  • 1 – disable UAC.

The key

HKCU\Software\Policies\Microsoft\Windows\System

DisableCMD parameter:

  • 0 – enable command prompt;
  • 1 – disable command prompt;
  • 2 – disable command prompt but still allow scripts to run.
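A read-only audit of the autorun values and lockdown policies listed above, as an added PowerShell example that is not from the original article. It assumes an elevated prompt on the system being checked; EnableLUA is interpreted per Microsoft's documentation (1 = UAC enabled).

```powershell
# Added example (not from the article): read-only audit of the autorun keys and
# lockdown policies listed above. Services and Browser Helper Objects live in
# subkeys rather than values and are left out here; Autoruns (Tip three) covers them.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
function Get-AutorunEntries {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $key).PSObject.Properties) {
            if ($psNoise -contains $p.Name) { continue }   # provider metadata, not registry values
            # Pull the launched executable out of a quoted or unquoted command line.
            $exe = if ("$($p.Value)" -match '^"([^"]+)"') { $Matches[1] } else { ("$($p.Value)" -split '\s+')[0] }
            $full = [Environment]::ExpandEnvironmentVariables($exe)
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $p.Value
                Exists  = [bool]($full -and (Test-Path -LiteralPath $full))   # missing file = orphaned entry
            }
        }
    }
}
# Policy values that malware flips to lock the user out. 0/1 meanings as listed
# above, except EnableLUA, which follows the documented Windows meaning: 1 = UAC on.
$policyChecks = @(
    @{ Sub = 'Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Bad = @(1);    Msg = 'Registry Editor disabled' },
    @{ Sub = 'Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr';       Bad = @(1);    Msg = 'Task Manager disabled' },
    @{ Sub = 'Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';            Bad = @(0);    Msg = 'UAC disabled' },
    @{ Sub = 'Policies\Microsoft\Windows\System';                Name = 'DisableCMD';           Bad = @(1, 2); Msg = 'Command Prompt disabled' }
)
function Get-LockdownFindings {
    foreach ($c in $policyChecks) {
        foreach ($hive in 'HKLM', 'HKCU') {   # the policies are honoured from either hive
            $key = "${hive}:\SOFTWARE\$($c.Sub)"
            $v = (Get-ItemProperty -LiteralPath $key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            if ($null -ne $v -and $c.Bad -contains $v) { "$($c.Msg): $key\$($c.Name) = $v" }
        }
    }
}
Get-AutorunEntries | Format-Table -AutoSize; Get-LockdownFindings
```

Entries whose file no longer exists, or that point into user-writable locations such as %TEMP% or %APPDATA%, are the ones worth a closer look.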

Tip two. The right way to ask for help

calling on the collective mind of virusinfo.info

Virusinfo.info is where malware-stricken users can go for help, which in most cases is completely free (don't treat this as an advertisement; we have no affiliation with this resource).

If you want help there, you will need reports from two utilities: HijackThis by Trend Micro and AVZ by Oleg Zaytsev.

Use the Help! feature first. If you are absolutely certain your computer is infected and you see every indication that this is indeed the case, but your antivirus software won't help much, get registered on the site and do as follows:

Use the Help! feature by virusinfo.info

In AVZ, open the File menu and choose "Ordinary Script". The two utilities produce log files (AVZ saves them in the LOG folder inside its program folder; HijackThis saves its log in its own program folder). Attach these files to your message on the forum.

If you have to run a script in order to cure the PC, you will have to copy its text directly from the forum message, then in the AVZ File menu choose "Run script", and then paste in the copied text. Click "Start".

If there is no indication of an infection, yet you've still got a feeling that your PC is out of sorts, VirusDetector is what you need to be using. You don't have to register to use it. Just do as follows:

Use the VirusDetector feature

In no time at all (mine arrived after twenty-five minutes) you will receive a detailed report on your system by e-mail, listing any possible problems it found.

Tip three. What else can we use besides antivirus software

using system analysis utilities

Autoruns

Malware is known to start together with the system so that it survives a reboot, and Windows has a great many locations where it can hide for that purpose. To see all of them in one place use Autoruns, a utility well known in certain circles and part of the Sysinternals suite.

This utility shows every program, component and library that starts up together with the system. It can also remove any of them from the list, either temporarily or permanently.

Autoruns from Sysinternals

Note that some malware monitors its startup locations and restores any entries that were deleted. That is why, after deleting all suspicious entries, you need to refresh the list by clicking "Refresh" or pressing F5 to find out whether they are back.

What are some other ways to enter BIOS (UEFI) in Windows 8 (8.1)

Method 1

In command prompt enter:

shutdown.exe /r /o

Method 2

Click "Settings" in the right panel, then "Change PC settings -> Update and Recover". Open "Recovery" and choose "Reboot now" in Advanced startup. Then choose "Diagnostics" and press "More" and "UEFI firmware settings". After that press "Reboot".

Method 3

Click "Shutdown" on the sidebar, then hold down "Shift" and press "Reboot". After that you can see the same Advanced startup as in Method 2. Then follow those same steps.

If the program is back on the autorun list, you can be sure it is malware (practically no legitimate program constantly checks its own autorun entry and restores it). To delete it, you first have to terminate it using the Task Manager. But most malware resists this, so the ordinary Task Manager won't be of any help; an unconventional task manager like Process Hacker might.

Process Hacker

Process Hacker is a free, open-source utility that monitors running processes and system services. It is a powerful tool for manipulating, monitoring and analyzing processes and services (including their DLLs). It includes:

  • process termination (seventeen different methods, able to terminate almost any running process);
  • process suspension and resumption;
  • viewing process statistics and history;
  • viewing process memory;
  • viewing threads, environment variables and handles;
  • reading and editing security descriptors of processes and threads;
  • finding hidden processes;
  • unloading DLLs;
  • viewing and closing network connections;
  • and many other options.

Process Hacker

In order to suspend a suspicious process, right-click and choose "Suspend". In order to terminate it, right-click on it and choose "Miscellaneous", then "Terminator", then choose a termination method (or you can use all of them, at least one of them is bound to work) and press "Run Selected".

After that you can delete the entry in Autoruns and it won't reappear. Then you can delete the malware file. The path to it can be found in Autoruns.

You can also use Process Explorer from the same Sysinternals, however, it doesn't have such a wide range of capabilities.

Anvir Task Manager

This utility combines an autorun manager and a process manager. It lets users analyze programs and services that start together with the system and obtain complete information on running processes, including:

  • tracking running processes: path, command line, memory, disk and CPU usage, loaded DLLs, open files, created windows, threads and handles, performance counters, file version information;
  • managing Windows autorun locations: disable, edit and track entries, and block every attempt by a program to add itself to the autorun list;
  • speeding up Windows boot by disabling unnecessary programs, using delayed start, selecting process priority automatically or terminating processes by template;
  • analyzing CPU and hard disk utilization.

Anvir Task Manager

There is a commercial (Anvir Task Manager Pro) and free (Anvir Task Manager Free) version of the program, the latter having slightly less functionality.
