Malware Warfare - A Step-By-Step Infantry Training Camp

Add Your Comments

How-to deal with malware – Matt Bidinger

***Disclaimer: Take note that the intended audience for this guide is the techno-geek. Those less geek than myself may find the following instructions somewhat obtuse, but I am assuming that expending my efforts on anyone less geek than myself is likely working towards a lost cause. Joe Sixpack doesn’t know or care about the malware infecting his system, at least not until it doesn’t turn on anymore – and at that point, he’ll bring his system to the techno-geek with wallet in hand***

Does the computer you know and love have the malware blues? How about your “PC-savvy” friends or family – you know – the ones who figured out how to use ctrl-alt-delete and believe they know what’s good for their computer?

When it comes time for a good old-fashioned, passionate, PC ass-whooping, you’re best to not step onto the field of battle without the proper arsenal at your disposal. How best to beat the odds when your outnumbered by these techno-nasties?

Call in the reinforcements – pay a visit to the OC Forums and let them make sure you are getting the following procedure correct – there’s no reason to go it alone, as the people there are a welcoming and extensively knowledgeable group.

Required Software – Go to MajorGeeks and Download, Install, and Update all of these:

  • Mcafee Stinger
  • CWShredder
  • Spybot Search and Destroy
  • Lavasoft Adaware
  • SpySweeper
  • HiJackThis!
  • SpywareBlaster
  • jv16 Powertools

Procedure: Disable System Restore and Reboot into Safemode


Step 1: Clear all temp files

Clear internet, system temp files and cookies files.

Step 2: Run Mcafee Stinger

This step has the potential to detect and remove 40+ viral attacks and all of their known variants from your computer. It is a good standalone program that is quick to find common infections.

Step 3: Run the Online Virus Scan at Symantec Security Response

On the Security response mainpage, you will find an image labeled “Check for Security Risks”. Click on that and choose to run the online Virus Scan. This is an extensive scan which will find all known virii hiding within your system. Removal instructions are available on site at Security Response if you search for the virus name – help is ready and waiting at OC Forums also.

Step 4: Run CWShredder

This program is a sign from the heavens that we are not forsaken on this planet. The CoolWWWSearch/CoolWebSearch malware component is one of the hardiest, nastiest nasties around. This program automatically finds and fixes a CWS infection, seemingly effortlessly. Doing this manually would not only require some extensive education as to the nature of this beast, but a single mistake could bring down your system, as CWS has its claws hooked into some vital system components. Be thankful for this tool and be certain to run its latest version, as CWS seems to constantly be released in new variants.

I want to re-emphasize how important it is to download and run the latest version of this software. Any battle waged against Malware without this utility in hand is fated for defeat. CWS is tremendously common, and this is THE tool to remove it.

Step 5: Run Spybot Search and Destroy, Lavasoft Adaware, and SpySweeper

Run these programs, one after the other, finding and removing everything they find. If you need help on specifics in doing this, visit OC Forums. These programs are fairly intuitive and self explanatory, however, so you should have no problem. It is known throughout the online community that each of these programs all can potentially recognize malware which the other two programs may miss – so yes you should run them all.

Step 6: Run HiJackThis

This software application creates a log file which outlines what is going on behind the scenes of the system and can remove problem entries. This is the trickiest part of this article, as it may be hard to recognize problem entries; once again, visiting OC Forums for assistance here would be wise. Take a look through and remove only things you are certain should be removed – this tool is a powerful weapon in this battle and it has the potential to cause serious damage if wielded incorrectly.

Step 7: Run SpywareBlaster

This application has protection schemes for common vulnerabilities within IE and Firefox, and it also protects the computer from restricted sites which are known to cause problems. It will not protect you from the computing catastrophe which is Joe Sixpack, but it will ease the pain and make up for any accidental deviances you have from techno-geekdom.

Step 8 Continued on page 2…

Step 8: Run jv16 Powertools

The registry cleaner in this package does the best job of any application I have come across and comes with other powerful features also. Running this can remove many errant or no longer valid entries from the Windows Registry. A popular alternative to this is RegSupreme, but I prefer jv16.

Step 9: Run a HDD Defragmenter

I believe Diskeeper to be the best; however, the Windows defragmentation utility will work fine on a client’s system. Running this often gives them a performance difference they can feel after you’ve worked on their system, and setting up a defragmentation task can keep their disk in good working order in the future.

Step 10: Run Services.msc From The Run Prompt

Tweaking the systems service configuration can free up surprising amounts of RAM – 40 MB’s more of available RAM in a system with 512 MB RAM is not unheard of. This will also make the users performance appear much better.

A great site for referencing in this respect is Blackviper.com, as he has a feature called “Windows Service Configurations”, which explains and outlines what is safe to disable and what is not. Here is a quick breakdown of services you can disable:

  • Alerter
  • Error Reporting
  • Human Interface Device
  • Messenger
  • Remote Desktop Helper
  • Remote Registry
  • Telnet
  • WebClient
  • Wireless Zero

Be sure to disable Messenger, as this service can be responsible for receiving pop-ups and it is never used for its intended purpose (this service has nothing to do with MSN).

Step 11: Tweak Windows Configurations

  • After right clicking on my computer, go to advanced tab, then performance settings, set XP to best performance and then recheck “use visual styles” to preserve appearance
  • Set the pagefile to a custom static size by setting min and max to equal values and be sure to click on the “set” button to apply those settings
  • Schedule automatic windows updates while you are here and tell it not to ask, but just install
  • Change their browser homepage to something useful like Google if it is at a default setting
  • Run devmgmt.msc from the run prompt and ensure system devices are using the latest drivers
  • Go to control panel>Add/Remove Programs and “slap anything that looks as shifty as a politician in a sorority house.”
  • Consider setting up a schedule for antivirus, defragmentation, and spyware scans

  • Consider installing/discussing a better firewall application for the user, like BlackIce

Reboot normally and re-enable system restore if you wish.

Conclusion

Each one of these applications are essential to waging this war – if any one of them are overlooked or not included, a major component is being left out. Steps 8 thru 11 may not directly involve malware solutions, but they will give the end user a tangible improvement which will help to get them cooperating with what you tell them they need to do.

After running them, task manager and msconfig should be checked to confirm they are free from any abnormalities. For systems running anything aside from windows 2k or XP, walk to any top floor window and just toss them out – the user’s computing experience, from this point-in-time forward, will be a far more positive one.

Another closing point of interest – Running Mozilla Firefox is a good alternative to continually trying to fix IE vulnerabilities – it isn’t susceptible to BHO’s and ActiveX controls the way IE is and it makes popups history.

Keep in mind that switching from IE to Firefox is a functional solution, but it’s a lot like putting a bandaid on a bullet wound – it’s not fixing the problem, it’s just covering it up. It can be a great alternative to use when waiting for an application update to include a detection for a new variant of Malware infection that isn’t currently recognized, and I have used this for clients in the past.

Ultimately, there are many malware problems which require personal attention to resolve, much like a virus can. I would not install any program not on my list here, as many anti-malware programs themselves come with infections, or adware – so just installing everything and running it is a VERY poor option. Which brings me to my next point – often times, in particularly difficult malware situations, it is necessary to consult a group of knowledgeable peers.

I can’t fully impart to you just how important of a role OC Forums has played in my techno-geekness and solving issues for me in the past. Stop by, introduce yourself and let us help you solve any problem you may have!

Man vs Beast CONTINUED on page 3…

Man vs Beast

So once you have it in small pieces, how do you dispose of the body? Oh wait, I’m getting ahead of myself…

How do you get the system’s user to change their computing habits? Realistically, you don’t. Immunization through Spybot and Spywareblaster, along with clever additions of 127.0.0.1 to the hosts file, can come in handy, but what can be done beyond that? Not a whole lot.

Security updates need to be forced. Any regular scans and fixes need to be scheduled by you and be automatic without their knowledge so that they have to do no more than close the box on the screen when they come back to their PC in the morning. That’s the best you can do.

The user is a callous, abominable beast. Many PC support methods are terribly inefficient, but hell, they keep a lot of people employed… for now.

I’ve learned very quickly, in my PC support position, that the systems were the easy part of my job. Communicating with the users, in a language we both understand, is often the hard part.

I regularly work an international PC support call center where I receive calls from business people, who usually have no interest in understanding the computer they completely depend on to get their work done everyday. Here’s an example of something I do often while working our call center – getting someone to run a remote control application so I don’t have to walk them through fixing the actual problem themselves:

Man: “I’m going to remote control your PC. Could you click on the start button in the bottom left of your screen please?”

Beast: “Right or Left click?”

Man: “Left. A menu should pop up. Now hover the mouse pointer over the text label that says programs.”

Beast: “Where’s the mouse pointer?”

Man: “It’s the arrow on your screen. A list should expand when you hover there. Find accessories in the list that expands.”

Beast: “Oh, the thingy just went away. Why did it do that? Do I left click or right click on start?”

Man: *wraps phone cord around neck repeatedly and falls from chair onto floor*

Realistically, there is a solution – but as with beer, drugs, hookers, and ALL good things – it costs money.

There is an application by the name of DeepFreeze which would solve almost all of your user-caused computer problems – it’s used extensively in public access computing environments. This application allows The Beast to go willy-nilly with their PC, surfing porn, downloading free internet games, P2P’ing, clicking essential operating system files right out of existance – you name it, they can do it and exist in pure glee.

Simply restart the system and in a matter of seconds, every change is as though it never happened. The entire system reverts back to the state in which you “Froze” it. Anything you can do on the PC will have no effect – unless you know the login token to access the DeepFreeze control console and “Thaw” the PC.

I know what some of you are wondering – certain directories can be excluded from being frozen, like the My Documents folder, and allow the user to save their work locally, or they could save their work to a network drive which is not frozen.

Ladies and Gentleman, to my limited knowledge, this is the only viable solution to a user’s repeated attempts at PC hari-kiri. But fear not – after following the step-by-step process I have outlined here, the end user should be so happy with the results and the way their computer feels better than new, that they will be more than happy to have you come back the next time their PC doesn’t start. 🙂

Acknowledgements to the OCForums members who have contributed to this information, especially Wedo and Kendan, amongst countless others.

Matt Bidinger aka in OCForums: IMOG

Leave a Reply

Your email address will not be published. Required fields are marked *