Internet Security Tips and Advice

Malware infections: what to look for and how to get through the crisis

September 18th, 2006 by Igor Pankov

Most home computer users have experienced some form of malware infection at some time. While there are many tools that help to automate the process of detecting, containing, and removing threats, there are also some simple, practical steps users can take that don’t involve sophisticated software. With a little knowledge, some free tools, and a modest effort, computer users can relatively easily isolate threats and make sure their PC at least cannot infect other machines.

In this article, we’ll talk about “first-aid” methods of detecting and manually removing malicious programs from a PC and preparing the system for a more thorough inspection by antivirus and/or antispyware software.

Introduction

As I am closely connected with computers and security software, I am often asked by friends and acquaintances to come over and see if their computers are safe from malware. Most of my friends don’t take security seriously and ask for help only when there’s a serious problem, such as the computer slowing to a snail’s pace or becoming totally inoperable. Although I really don’t approve of this kind of approach to security, I always end up helping them out. My firsthand experience with many of the computer problems I’ve seen has led me to write this article. The information that follows explains how to use the free tools and utilities available to contain or disable the threats, either included with Windows or freeware downloadable from the Internet. These tools can easily be stored on a USB drive and taken to an infected computer.

Temporary malware disablement

There are many things that may point to the presence of malware on a PC: sluggish performance, failure to start or shutdown, strange programs loading when Windows starts, unexpected or erratic behavior of installed software – any of these or other unusual PC behavior may lead one to deduce that malware is the culprit.

Basically, disabling a threat takes two steps – the first one being to close malware down in a current Windows session, and the second to prevent the malware from reloading on subsequent bootups.

Step one

In order to close active malware, you’ll need to have a list of all programs currently operating on a PC so that you can pick the one you want to switch off and “kill” the rogue program. To see a list of all currently working programs, you can use the Processes tab in the standard Windows Task Manager. Task Manager is invoked by pressing the Ctrl, Shift and Del keys together (sometimes called the “three finger salute”). You can sort the entries in Task Manager columns to see running tasks arranged in alphabetical order. Running programs can be terminated by right-clicking on the target task and selecting the “end task” command. Take care when closing programs this way, as mistakenly closing the wrong program, such as svchost.exe, an essential Windows application, will trigger a Windows emergency shutdown, resulting in possible loss of unsaved data.

I recommend you undertake a preliminary investigation into the program you are intending to stop with Task Manager, such as performing a Google search on the name of the executable or going to the Process Library portal for further information on what the process does. Doing this for an svchost.exe query would yield the following results, which show that the program is legitimate and should not be terminated. On the other hand, if you see a program with a name like msblast.exe, a well-known virus, running on your computer, it is a sure indication of a serious problem and the program should be terminated immediately.

While Task Manager is useful for simply checking out active programs, it can’t tell you where to find the executable on your computer or which application caused the task to start. For a more detailed look at active tasks, I recommend using Process Explorer, a free utility available from the Sysinternals website.

With Process Explorer, you have a much more detailed view into system activity. If you choose the appropriate columns in the View menu, you’ll be able to see each running executable’s path, its publisher’s name, and its program description; together, these should give you enough information to determine whether any running application is legitimate. You can sort the data on any of the columns.

By right-clicking on the selected task and choosing “Google”, you’ll be taken to the search engine’s query results page for the given executable. Choosing Show Process Tree (fourth icon from the left), you’ll see a hierarchy of events and the initiating applications.

If you look carefully, you’ll see that most of the tasks running are Microsoft products, and that is a big step towards solving the problem. Keep an eye out for programs from publishers other than Microsoft, particularly if they are of suspicious origin or if you don’t know why they are running. Be especially vigilant in regard to programs that don’t have a publisher field filled in: most malware authors won’t bother with populating this field, so that’s a big clue right there that the program in question may not be legitimate.

Process Explorer once helped me to locate a Mrak5 virus which was calling itself svchost.exe but, unlike the legitimate process of this name (with multiple instances running at the same time), it was started from a different location than the original executable and didn’t have the Company Name identity supplied. Task Manager would not have been able to help me in that situation, although I did notice that the name was listed in capital letters, which is not normal. Just as with Task Manager, you can terminate a process in Process Explorer using right-click commands.

Process Explorer can do other really useful things like listing all running DLLs belonging to a process, or tracking resource allocation for a particular application, but that’s rather more advanced and we don’t need to go to these lengths if we only want to know what is running and whether it’s legitimate.
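The checks described above (executable path, publisher, parent process, an svchost.exe started from the wrong place, a name listed in capitals) can also be done from a script carried on the same USB drive. The following is an added example written for this article, not a tool from Sysinternals or Microsoft; it assumes Windows PowerShell 3.0 or later for Get-CimInstance, and an elevated prompt so that the paths of processes owned by other users are visible. The Authenticode check goes one step beyond the Company column: the publisher field is free text that any program can fill in or leave blank, whereas a valid signature is hard to fake.

```powershell
# Added example (not part of the original article): process triage in the spirit of
# Process Explorer's Path / Company / parent columns.
# Assumes Windows PowerShell 3.0+ and an Administrator prompt.

function Get-ProcessTriage {
    $system32 = Join-Path $env:SystemRoot 'System32'
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $path    = $p.ExecutablePath
        $company = $null
        $signer  = 'n/a'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
            # Signature status is a stronger test than the free-text Company field.
            $signer = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        $parent = $byId[[int]$p.ParentProcessId]

        $flags = @()
        if ($path -and -not $company) { $flags += 'no publisher' }
        # Legitimate svchost.exe always runs from System32 (several instances at once).
        if ($p.Name -ieq 'svchost.exe' -and $path -and $path -notlike "$system32\*") {
            $flags += 'svchost.exe outside System32'
        }
        # A name shown entirely in capitals is unusual for a Windows binary.
        if ($p.Name -and $p.Name -ceq $p.Name.ToUpperInvariant() -and
            $p.Name -cne $p.Name.ToLowerInvariant()) {
            $flags += 'all-capitals name'
        }
        if ($path -and $signer -ne 'Valid') { $flags += "signature: $signer" }

        [pscustomobject]@{
            PID     = $p.ProcessId
            Name    = $p.Name
            Parent  = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '?' }
            Company = $company
            Path    = $path
            Flags   = ($flags -join '; ')
        }
    }
}

$triage = Get-ProcessTriage

# Everything, sorted by name, much like the sorted Task Manager column:
$triage | Sort-Object Name | Format-Table PID, Name, Parent, Company, Path -AutoSize

# Only the entries that deserve a second look before anything is terminated:
$triage | Where-Object Flags | Format-Table PID, Name, Parent, Flags, Path -AutoSize
```

Treat the flags as prompts for the search-engine check the article recommends, not as verdicts: many Windows binaries are signed through a catalog rather than an embedded signature, and on older systems Get-AuthenticodeSignature reports those as NotSigned. Once you are sure, the equivalent of the right-click “end task” command is Stop-Process with the PID from the table.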

Removing the ability for malware to start up automatically

Now that we know how to defeat malware locally in a current Windows session, the next step is to prevent it from being able to reload itself automatically the next time Windows starts.

Step two

A built-in Windows tool called “System Configuration Utility”, which is invoked by typing “msconfig” in the Start menu’s Run dialog box, is designed to provide a flexible way for users to set up how the system is initiated and what software is loaded at boot.

The rightmost tab, called Startup, enables users to configure which programs will be auto-loaded. By simply unchecking the corresponding line, the selected object is removed from auto-execution. When I visited my friend’s computer the other day and found that he’d been infected by a spyware program called WhenU, I used this tool to disable two objects so that the spyware couldn’t restart, and manually deleted all related objects from the hard drive afterwards.

Again, you can search the Internet for additional information about the program you’re contemplating disabling; if it turns out that you’ve gone too far, you can undo the action by simply re-checking the object you previously disabled. As with any task involving changing configurations, you’d be wise to back up your settings first so that you can easily restore them if anything goes wrong.

To do this, you can use the System Restore program, which can be started by typing the following string: “%SystemRoot%\system32\restore\rstrui.exe”. It lets you create a restore point before you make any significant change to the system and roll settings back to that point if the need arises. Additional details can be found here.

In msconfig.exe’s Services tab you can also select what services you want to start at the same time as Windows; check the “Hide All Microsoft Services” entry to see a shortlist of other non-Microsoft services you might consider disabling. Again, use caution and a search engine to find out about the services running that were not produced by Microsoft. Doing this has in the past enabled me to deactivate a known virus which was auto-executing using the normally-trustworthy name “TCP Protocol Errors Correction Service”.

A very powerful yet easy to use program for configuring startup properties is Sysinternals’ “Autoruns” software. The useful tabs for most users would be “Logon” and “Services”. The program features many customization options, letting you tweak everything down to the smallest detail. Watch out for more on Autoruns in a future issue of Security Insight.
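Step two can be scripted as well. The example below is added for this article and is not part of msconfig, Autoruns or Windows; it lists the same places the Startup and Services tabs draw from (the Run and RunOnce registry keys, the two Startup folders, and services whose binary is not published by Microsoft, which is what “Hide All Microsoft Services” does), takes a System Restore point first, and backs an entry up to a .reg file before removing it, so the change can be undone with `reg import` just as re-checking the box in msconfig would. It assumes Windows PowerShell 3.0 or later (Checkpoint-Computer exists only in Windows PowerShell, not PowerShell 7) and an elevated prompt for the HKLM keys and the restore point; the entry name in the last line is a placeholder.

```powershell
# Added example (not part of the original article): msconfig's Startup and Services
# tabs, and a reversible way to disable an entry. Assumes Windows PowerShell 3.0+,
# run as Administrator.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry-based auto-start entries.
function Get-RunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' }   # drop PowerShell's own PSPath etc.
        foreach ($prop in $props) {
            [pscustomobject]@{ Location = $key; Name = $prop.Name; Command = $prop.Value }
        }
    }
}

# Per-user and all-users Startup folders.
function Get-StartupFolderEntries {
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir) { continue }
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
}

# Pull the executable out of a service command line ("quoted path" args | path args).
function Get-ServiceExe([string]$pathName) {
    if ($pathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($pathName -match '^(\S+)')    { return $Matches[1] }
    return $null
}

# The equivalent of ticking "Hide All Microsoft Services".
function Get-NonMicrosoftServices {
    foreach ($s in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceExe $s.PathName
        $company = if ($exe -and (Test-Path -LiteralPath $exe)) {
            (Get-Item -LiteralPath $exe).VersionInfo.CompanyName
        }
        if ($company -like '*Microsoft*') { continue }
        [pscustomobject]@{
            Service   = $s.Name
            Display   = $s.DisplayName
            StartMode = $s.StartMode
            State     = $s.State
            Company   = $company
            Path      = $s.PathName
        }
    }
}

# Export the key to a .reg file, then remove the one value. Undo with: reg import <file>
function Disable-RunEntry([string]$key, [string]$name, [string]$backupDir = "$env:TEMP\run-backup") {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    $regPath  = $key -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\' -replace '^HKCU:\\', 'HKEY_CURRENT_USER\'
    $safeName = $name -replace '[\\/:*?"<>|]', '_'
    $backup   = Join-Path $backupDir ('{0}-{1:yyyyMMdd-HHmmss}.reg' -f $safeName, (Get-Date))
    reg.exe export $regPath $backup /y | Out-Null
    Remove-ItemProperty -Path $key -Name $name
    "Removed '$name' from $key; backup at $backup"
}

# Usage: restore point first, review second, act last.
Checkpoint-Computer -Description 'Before startup cleanup' -RestorePointType MODIFY_SETTINGS
@(Get-RunEntries) + @(Get-StartupFolderEntries) | Format-Table -AutoSize
Get-NonMicrosoftServices | Sort-Object Service | Format-Table -AutoSize
# Disable-RunEntry 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'PLACEHOLDER-ENTRY-NAME'
```

Two caveats match the article's advice to use caution: a service whose unquoted path contains spaces will show an empty Company column here (the parser stops at the first space), so look it up before judging it; and Windows may refuse a second restore point within 24 hours of the first, so take the restore point before any other change, not after.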

Summary

While antivirus and antispyware programs are essential for online security, as is the use of a robust bi-directional firewall like Outpost, knowledge of how to use simple system tools is valuable backup information to have when, for whatever reason, you can’t access or use your regular security tools.


Posted in Security Insight
