Table of Contents
* How to check yourself for common infections.
* What safety precautions to take if an infection is found.
* What do I do if I think I'm infected?
* What NOT to do.
* Some important things you should know about computer security.
* My recommendations on security software.
* Conclusion.
--
How to Check Yourself For Common Infections
A)
Understanding the infection
The first thing you need to understand is how viruses, trojans, adware, worms, etc. work. Generally, when you run an infected file, the first thing it tends to do is create and drop further malicious files in locations such as:
* Temp folder: %USERPROFILE%\AppData\Local\Temp (which expands to C:\Users\<your name>\AppData\Local\Temp)
* Windows folder: C:\Windows
* Drivers folder: C:\Windows\System32\Drivers
And more: these are just common directories, but the location can be anything the author chose. For example, a CyberGate RAT infection may drop a file in the C:\Windows\System32\Adobe folder; RATs and other infections can drop files in custom directories.
This does NOT mean that you should go deleting everything in those folders. Never, EVER delete files unless you're SURE they are malicious. Deleting a Windows system file can, and likely will, result in a computer that doesn't even boot or work properly.
Next, the infected file will attempt to execute the new file(s) it has dropped, and these files usually create registry entries so that they survive a reboot. Understanding the registry is a must when it comes to knowing how computers and infections work.
For instance, if a file wants to be run for all users when the computer starts, it will create a value in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
This means that when any user starts the computer and logs in, every file listed in this key will be run. Writing here requires administrator rights. However, in this key (it looks similar, but make note of the root hive it's under):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
files listed here only execute at logon for the currently logged-in user, not for any other users on the computer, and any program running as that user can write here without administrator rights. So when checking your startup files, don't forget to check BOTH hives. These two keys are only the most common autostart locations; RunOnce, services, scheduled tasks and the Startup folder can be abused the same way. Here's what the registry looks like:
[Image: 2jfezb5.jpg]
To get to the registry editor, do the following:
Press the Windows key (next to the left Alt) + R to bring up Run > type "regedit" and hit Enter.
NOTE: Again, please, for the love of God, don't go deleting registry keys unless you're absolutely certain beyond a shadow of a doubt that the key is linked to a malicious file. Deleting legitimate registry keys can result in having to reinstall your operating system. Always make a backup before working in regedit. To make a backup, follow these steps:
To make a backup of the registry:
* In regedit, click 'File' > 'Export'.
* Navigate to a suitable folder and MAKE sure 'All' is selected under 'Export range' at the bottom left.
* Name it 'backup of registry.reg' and hit Save.
Note that importing a .reg file merges it back: it restores values you deleted, but it does not remove keys that were added after the export.
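As an added example (not part of the original post), here is a PowerShell script that does the same job from the command line: it exports the Run/RunOnce keys under both hives to .reg files on your Desktop, then lists every autostart entry with the file it actually points to and whether that file exists and carries a valid Authenticode signature. It assumes Windows PowerShell 5.1 or later and an elevated prompt (so HKLM can be read and exported); the path parser is a heuristic, and the Wow6432Node key only exists on 64-bit Windows.

```powershell
# Added example, not from the original post. Requires Windows PowerShell 5.1 or
# later; run elevated so the HKLM keys can be read and exported.
$backupDir = Join-Path $env:USERPROFILE 'Desktop\registry-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

$hives   = 'HKLM', 'HKCU'
$subKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 64-bit Windows only

function Get-ExecutablePath {
    # Heuristic: pull the program path out of a Run value such as
    #   "C:\Program Files\Foo\foo.exe" /silent      or      C:\tools\bar.exe -x
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(.+?\.(exe|dll|cmd|bat|vbs|js|ps1))(\s|$)') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

$entries = foreach ($hive in $hives) {
    foreach ($sub in $subKeys) {
        $regPath = "$hive\$sub"        # form reg.exe understands
        $psPath  = "${hive}:\$sub"     # form the PowerShell registry drives understand
        if (-not (Test-Path $psPath)) { continue }

        # Back the key up first: the .reg file can be double-clicked to merge it back.
        $regFile = Join-Path $backupDir (($regPath -replace '\\', '_') + '.reg')
        & reg.exe export $regPath $regFile /y | Out-Null

        $values = Get-ItemProperty -Path $psPath
        foreach ($v in $values.PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ... metadata
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $v.Value))
            if (-not (Test-Path -LiteralPath $exe)) {
                # bare names such as rundll32.exe resolve through PATH
                $found = Get-Command $exe -ErrorAction SilentlyContinue
                if ($found) { $exe = $found.Source }
            }
            $status = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -LiteralPath $exe).Status   # Valid, NotSigned, HashMismatch...
            } else { 'FILE MISSING' }
            [pscustomobject]@{
                Hive = $hive; Key = $sub.Split('\')[-1]; Name = $v.Name
                Executable = $exe; Signature = $status; Command = $v.Value
            }
        }
    }
}

# Unsigned or missing files living in Temp/AppData are the ones to investigate, not delete.
$entries | Sort-Object Signature | Format-Table -AutoSize -Wrap
```

A "NotSigned" entry is not proof of malware (plenty of legitimate small utilities are unsigned), and a "Valid" one is not proof of innocence, but an unsigned executable in a Temp folder that you do not recognise is exactly the kind of entry to look up before touching anything.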
Lastly, files can do other things, like inject themselves into legitimate processes that must run all the time (such as explorer.exe), hook your keyboard, disable your antivirus, or alter your hosts file.
But we don't have time to get into all of that. I just want to help you understand that infections usually spread, create registry entries, modify your system, and so on, and require a lot more than simply deleting one file. It's rare that an infection consists of just one file.
==
B)
So what signs should I look for?
If you experience any of the following symptoms, you should assume you're infected:
* You cannot access specific websites, like antivirus websites, PayPal, gaming sites etc.
* Your antivirus is disabled, but not by you; or it keeps warning you of attacks/infections.
* You're getting strange pop-ups like "Server.exe has stopped working, press End to end the program".
* Fake antivirus scans keep popping up saying you're infected, prompting you to buy anti-virus software.
* Your online accounts are compromised/hacked.
* Your webcam turns on by itself, your mouse clicks by itself etc.
* Porn/advertisement websites pop up by themselves.
* You're seeing strange files appear everywhere.
* Control Panel, Task Manager, Command Prompt or regedit are disabled, and not by you.
* Your home page changes and you can't change it back.
If you notice any of these, or anything else suspicious, it may be cause for alarm.
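Several of these symptoms (disabled Task Manager, regedit, Command Prompt, Control Panel, a forced home page) are produced by specific registry policy values that malware sets. As an added example, not from the original post, this PowerShell snippet reads those values under both hives and asks Windows Security Center which antivirus it believes is installed; the key and value names are the standard Windows policy locations. Group Policy in a managed environment sets the same values legitimately, so a hit on a work PC is not automatically malware.

```powershell
# Added example, not from the original post. Reads the policy values that
# malware (and, legitimately, Group Policy) sets to lock you out of the tools
# listed above. Values are checked under both HKCU and HKLM.
$checks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Meaning = 'Task Manager disabled' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Meaning = 'regedit disabled' },
    @{ Key = 'Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD';           Meaning = 'Command Prompt disabled' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel';       Meaning = 'Control Panel disabled' }
)

function Get-PolicyRestrictions {
    foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($c in $checks) {
            $path = "${hive}:\$($c.Key)"
            if (-not (Test-Path $path)) { continue }
            $data = (Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
            if ($data) {      # any non-zero DWORD means the restriction is on
                [pscustomobject]@{ Hive = $hive; Value = $c.Name; Data = $data; Meaning = $c.Meaning }
            }
        }
    }
}

$found = Get-PolicyRestrictions
if ($found) { $found | Format-Table -AutoSize } else { 'No policy restrictions set.' }

# Forced browser start page (Internet Explorer era): a page you did not choose is a symptom.
(Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -ErrorAction SilentlyContinue).'Start Page'

# What Windows Security Center thinks about your antivirus; a product you did not
# install, or one that has silently gone missing, is worth a closer look.
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
    Select-Object displayName, productState, pathToSignedProductExe
```

If a restriction is set and you did not set it, note the hive: a value under HKCU was written by something running as your user, while one under HKLM required administrator rights, which tells you how far the infection got.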
--
What safety precautions to take if an infection is found
If you believe you have an infection, I'm afraid I have bad news.
Your personal information, details, passwords and banking credentials may be at risk.
I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC, or if it contains any other sensitive information, get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to inform them of your situation as soon as possible.
If you do not have access to a known clean computer, you will still need to change your passwords and all other sensitive information, but only once your system is deemed clean: a new password typed on a machine that still has a keylogger on it is captured just like the old one.
--
What do I do if I think I'm infected?
First of all, if you have an antivirus, make sure it's up to date and then run a full system scan. Remove anything it finds. Next, you could run these scans and remove anything they find:
MalwareBytes Anti-Malware
Please download Malwarebytes' Anti-Malware.
Double-click mbam-setup.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the most recent version.
* Once the program has loaded, select Perform Quick Scan, then click Scan.
The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.
SuperAntiSpyware
Download SuperAntiSpyware.
* Load SuperAntiSpyware and click the Check for updates button.
* Once the update is finished, click the Scan your computer button.
* Check Perform Complete Scan and then Next.
* SuperAntiSpyware will now scan your computer, and when it's finished it will list all the infections it has found.
* Make sure that they all have a check next to them and press Next.
* Click Finish and you will be taken back to the main interface.
ESET Online Scanner
Please run a free online scan with the ESET Online Scanner.
Note: You will need to use Internet Explorer for this scan.
* Tick the box next to Yes, I accept the Terms of Use.
* Click Start.
* When asked, allow the ActiveX control to install.
* Click Start.
* Make sure that the options Remove found threats and Scan for potentially unwanted applications are checked.
* Click Scan.
Wait for the scan to finish. Remove anything it finds.
ComboFix (DO NOT use this unless you have no choice and are at least moderately experienced with computers)
Please download ComboFix from one of the following locations:
LINK 1
LINK 2
**IMPORTANT! Save ComboFix to your Desktop.
* Disable your antivirus and anti-spyware applications, usually via a right-click on the system tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://www.hackforums.net/showthread.php?tid=198032
* Double-click on ComboFix.exe and follow the prompts.
* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot into a special recovery/repair mode, which makes it much easier to help you should your computer have a problem after an attempted removal of malware.
* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
[Image: RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[Image: whatnext.png]
Click on Yes to continue scanning for malware.
Notes:
1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. Do not "re-run" ComboFix. If you have a problem, post back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
4. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
If you used ComboFix, please follow these instructions to remove it, as it's a dangerous tool in the hands of a novice:
* Click START, then RUN.
* Now type ComboFix /u in the Run box and click OK.
If running these doesn't completely solve your issues, the infection is either FUD (Fully UnDetectable, i.e. not yet recognised by any scanner's signatures) or too deep for your level of skill; in this case you should let a more experienced user have a look.
To do so, please follow the instructions given in this thread, and a qualified HJT (HijackThis) helper will be on their way to provide assistance.
--
What NOT to do
This applies to anyone who has no experience removing viruses. Even if you're well versed in computing, you should be careful. It's always better to be safe than sorry.
First of all, DO NOT delete files, folders, registry keys, anything, until you're positive that what you're deleting is malicious. How do you do that? Well, here are some things to try:
* Search the file's name here, here, here, or here.
* If it's a process, search for it here: http://www.processlibrary.com/directory/?files=
* Google it: http://www.google.com
* Upload the file to http://www.virustotal.com, http://www.threatexpert.com, or http://anubis.iseclab.org/?action=home
* Use a virtual machine to run the file in and watch what it does.
A name match proves nothing on its own: malware routinely calls itself svchost.exe or explorer.exe, so compare the full path with the legitimate one (the real svchost.exe lives in C:\Windows\System32) and check the file's hash rather than its name. Also remember that uploading a file to a public sandbox shares it with everyone who uses that service, so look the hash up first and don't upload documents that contain your own data.
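As an added example (not from the original post), the following PowerShell function collects the evidence you want before deciding whether a file is malicious: size, creation time, hidden attribute, SHA-256, Authenticode signature and signer, and, optionally, whether VirusTotal already knows the hash. The suspect path and the VirusTotal API key are placeholders you supply; the lookup uses VirusTotal's public v3 API for file reports by hash.

```powershell
# Added example, not from the original post. Gathers evidence about one suspect
# file before you decide anything: size, timestamps, SHA-256, Authenticode
# signature, and (optionally) whether VirusTotal already knows the hash.
# $Path and $VtApiKey are placeholders you supply.
function Get-FileVerdict {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$VtApiKey       # optional: a VirusTotal API key (the free tier is enough)
    )
    $item = Get-Item -LiteralPath $Path -Force       # -Force so hidden files are found
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $verdict = [ordered]@{
        Path      = $item.FullName
        SizeBytes = $item.Length
        Created   = $item.CreationTime
        Hidden    = [bool]($item.Attributes -band [IO.FileAttributes]::Hidden)
        SHA256    = $hash
        Signature = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }

    if ($VtApiKey) {
        # Look the hash up instead of uploading: uploading publishes the file to
        # every VirusTotal subscriber, which is a problem if it holds your data.
        $uri = "https://www.virustotal.com/api/v3/files/$hash"
        try {
            $r = Invoke-RestMethod -Uri $uri -Headers @{ 'x-apikey' = $VtApiKey }
            $stats = $r.data.attributes.last_analysis_stats
            $verdict.VtMalicious = $stats.malicious
            $verdict.VtScanned   = $stats.malicious + $stats.suspicious + $stats.undetected + $stats.harmless
        } catch {
            # An HTTP 404 means nobody has submitted this hash: new or custom-built,
            # which is not evidence that it is clean. Other errors (no network,
            # bad key) land here too, so the message is kept.
            $verdict.VtMalicious = 'unknown (' + $_.Exception.Message + ')'
        }
    }
    [pscustomobject]$verdict
}

# Usage with placeholder path and key (set VT_API_KEY in the environment first):
Get-FileVerdict -Path "$env:LOCALAPPDATA\Temp\suspect.exe" -VtApiKey $env:VT_API_KEY
```

Read the result as a whole: a hidden, unsigned, recently created executable in Temp that VirusTotal has never seen is far more suspicious than any single field suggests, while a valid signature from a vendor you recognise in a path that matches the vendor's install location is usually nothing to worry about.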
Secondly, if any pop-ups appear saying you're infected and asking you to buy software to remove the infection, IGNORE THEM and DO NOT buy it. It's absolutely FAKE.
Instead, you likely have a Smitfraud infection, so follow the steps below.
Smitfraud fix instructions
You should print out these instructions, or copy them to a Notepad file for reference while in Safe Mode, because you will not be able to connect to the Internet to read them from this site.
Please download SmitfraudFix (by S!Ri).
Extract the content (a folder named SmitfraudFix) to your Desktop.
Please reboot your computer in Safe Mode by doing the following:
* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows logo appears, tap the F8 key repeatedly;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and pressing "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and pressing "Enter" in order to remove the Desktop background and clean the registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and pressing "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear on screen with results from the cleaning process; please copy/paste the content of that report into your next reply along with a fresh HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: If your desktop background is removed, it means you weren't infected. Simply put it back.
Now, lastly, you're probably going to be on the hunt for tools/antiviruses that will help you remove the infection. But the reality is that most of these tools are designed for experts and shouldn't be messed about with, because you'll probably end up having to reinstall your operating system. Also, there's always the chance that the "tool" is fake and actually infects you: rogue antivirus software is one of the most common ways malware gets installed in the first place.
It's best you use the scans/tools I provided earlier on, or seek help from an expert.
--
Some important things you should know about computer security
Here are some facts I think you should know:
* Most infections do not damage your computer; rather, they use it to show adverts, steal information, attack websites, or spread the infection further.
* A trojan is a program that pretends to be something legitimate (a game crack, a codec, a system process such as svchost.exe) but is actually malicious.
* A rootkit, a RAT (Remote Administration Tool), an infostealer and a keylogger are different things that often ship together: a rootkit hides files and processes from you and from your scanners, a RAT gives the attacker remote control, an infostealer harvests saved passwords and files, and a keylogger records keystrokes. Between them they can capture screenshots, webcam video, keystrokes, saved passwords and your files.
* Infections can use your hosts file and your DNS settings so that visiting certain sites redirects you elsewhere (e.g. from Google to a malicious site) or blocks you from reaching antivirus sites entirely.
* Never fix a Winsock (O10) line in HJT, as it can break your internet connection.
* Only O2, O3 and O9 lines in HJT are actually missing when it says (file missing); for the other sections the tool can glitch and report it for files that are present.
* Deleting a registry key will NOT delete the file it points to; the file stays on disk and can be started again another way.
* Capitalisation in file names or directories makes no difference in Windows.
* If an infection is FUD, scanning will make no difference, because no scanner has a signature for it yet. Only analysing the computer yourself (startup entries, running processes, network connections) can help you then.
* More than one real-time antivirus/firewall causes conflicts and can do more harm than good. Stick to just one of each.
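The hosts-file and DNS redirection described in the list above is easy to check for. As an added example (not from the original post), this PowerShell script parses C:\Windows\System32\drivers\etc\hosts, flags entries that pin a name to a non-local address or that block/redirect a site from a watch list, and then prints the DNS servers each adapter is using. The watch list is a constructed sample of search, payment and antivirus domains; extend it with your own bank and vendors. Lines mapping names to 127.0.0.1 or 0.0.0.0 are ignored unless the name is on the watch list, because ad-blocking hosts files look exactly like that.

```powershell
# Added example, not from the original post. Parses the hosts file and lists the
# configured DNS servers to spot the redirects and blocks described above.
# The watch list is a constructed sample; extend it with your bank and vendors.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$loopback  = '127.0.0.1', '0.0.0.0', '::1'
$watch     = 'google.com', 'paypal.com', 'virustotal.com', 'malwarebytes.com',
             'eset.com', 'avast.com', 'avira.com', 'microsoft.com'

function Get-HostsEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $text = ($line -split '#', 2)[0].Trim()   # drop comments
        if (-not $text) { continue }
        $parts = $text -split '\s+'
        if ($parts.Count -lt 2) { continue }      # address with no names: malformed, ignore
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ Address = $parts[0]; Host = $name.ToLower() }
        }
    }
}

function Find-SuspiciousHosts {
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        $isLoopback = $loopback -contains $e.Address
        $isWatched  = [bool]($watch | Where-Object { $e.Host -eq $_ -or $e.Host -like "*.$_" })
        if ($isWatched) {
            $why = if ($isLoopback) { 'site silently blocked' } else { 'site redirected elsewhere' }
        } elseif (-not $isLoopback) {
            $why = 'name pinned to a non-local address'
        } else { continue }    # "127.0.0.1 localhost" and ad-blocking lists look like this
        [pscustomobject]@{ Address = $e.Address; Host = $e.Host; Why = $why }
    }
}

$entries = Get-HostsEntries (Get-Content -LiteralPath $hostsPath)
$bad = Find-SuspiciousHosts $entries
if ($bad) { $bad | Format-Table -AutoSize } else { 'hosts file looks clean.' }

# DNS servers per adapter: one you do not recognise (not your router, your ISP,
# or a public resolver you chose) can redirect every lookup without touching hosts.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses
```

If the hosts file is clean but a site still goes to the wrong place, compare the DNS server list against what your router hands out; a resolver you did not configure is the next thing to look at.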
--
My recommendations on security software
For good protection, I would advise you to have one of each of the following:
1. Antivirus
2. Firewall
3. Anti-malware
4. Anti-spyware
One of each is enough and avoids the risk of conflicts, as two or more AVs can fight each other and do more harm than good. The following products I would recommend to ANYBODY, but please use no more than one AV and one firewall at a time:
Antiviruses:
* NOD32 (free to try for 30 days, but costs $40 US to buy).
* Avast! Home Edition (free).
* Avira AntiVir (free).
* AVG Free (free).
Firewalls:
* Tall Emu Online Armor (also free for 30 days, but the full version costs money).
* Comodo (free).
* ZoneAlarm (free).
Anti-malware programs (for scans only, no real-time protection):
* MalwareBytes Anti-Malware.
* That's really the only one worth having, but you can also use online scans like ESET and Kaspersky.
Anti-spyware programs:
* SuperAntiSpyware.
* Spybot Search & Destroy.
Other:
* Ad-Aware (free anti-adware).
* WinPatrol (free program that monitors suspicious changes to your critical system resources; recommended by me).
* CCleaner (run this often to clean up temporary files and leftover registry entries; it's free).
* KeyScrambler (encrypts keystrokes between the keyboard driver and the application, so a user-mode keylogger captures gibberish; costs money).
But remember, your best protection is simply being careful.
--
Conclusion
So in the end, the bottom line is that unless you've had months of training, it's highly recommended you only use scanners and the like to remove malware, because manual tools are almost always very dangerous for novices.