Facts to help you write a better malware fix

Identification of malware

When you start getting involved in malware fighting, recognizing certain infections is hard. Every infection has specific characteristics. There are sites where you can find descriptions of various infections.
- Read a log several times to get a good grasp of what it contains.
- Using Google, the CastleCops database or a good online HJT analyzer page, you can find the lines that should be fixed.
- Important: filtering the log can be a further indication of the malware at hand. Many malware infections demand more of you than simply ending a process.
  Most databases, like CastleCops, give links to further information about the specific infection. You can also find interesting information here. The most important resource for information is always Google. You stand on the shoulders of many malware fighters in what you do: look at how others handled a similar infection on a reliable help site.
Reading a HijackThis log

Can you tell from a single line of a HijackThis log what it is? Take this line for instance:
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
An O4 line consists of a process name and a program name:
O4 - HKLM\..\Run: [Program-name] "C:\Program Files\map\proces.exe"
In the CastleCops database, look for a process named nwiz.exe: there are 3 possible variants. All have a different program name, so the combination gives you the key. In this case nwiz.exe is part of the nVidia graphics card drivers.
Do's and don'ts

- Clean the computer with standard scanners before anything else.
  HijackThis is brought in when other methods did not solve the problems, and even then HJT does not find everything. By using various reliable malware scanners a lot can be removed; maybe the problem is solved completely. Only when everything fails do we use a "dangerous" program like HijackThis. There are cleansing routines that state how a PC is cleansed correctly.
- Never fix with an HJT version that has not been updated to the latest one, or when hijackthis.exe has not been placed in the right folder.
  An older version of HijackThis misses things and messes up your cleansing. Hijackthis.exe should be unzipped and put in a non-temporary folder, so that its backups are not lost.
- Never start a fix with System Restore disabled.
  You reset System Restore only after the PC is fully cleansed, not earlier. If something goes wrong, you have nothing to fall back on. Step 7 describes how you can reset System Restore.
- HijackThis is NO scanner.
  Fixing wrong lines with HijackThis is not sufficient to clean all malware. Sometimes we need additional tools, or manually removing processes can be necessary in severe cases. Only fixing the O2 lines takes the processes out, but with exceptions.
- As a rule of thumb, leave all O16 lines unfixed.
  Most O16 lines are completely harmless and even useful. A database will tell you which ones are malware.
- (file missing) does not always mean that the file is actually missing.
  In a HijackThis log you may find (file missing) after a line. These are mostly O2, O3, O9 or O23 lines. Normally only for O2 and O3 lines can this be taken as fact; in other cases it is dubious. This is a known bug in HijackThis. As a rule, O9 and O23 lines with (file missing) can be left alone; only when it is known malware should the files that come with it be fixed. When in doubt about a (file missing), you can check whether the process is active under "Running processes".
- Manually changing the registry is a last resort and a final option.
  It is utterly dangerous for a victim without experience to have a go at the registry. A small mistake can make the PC malfunction or halt. When all scanners fail, and HijackThis and other tools fail, it is better to write a registry fix for the victim. When this also fails, manual registry alterations are allowed, but back up the registry first, and instruct fully.
- Do not take a process out before you have identified it as bad, and know what it is and does.
  When in doubt, and with no database to go by, these options are still open to you:
  - Have the file scanned by uploading it to Jotti or VirusTotal and look at the results; the more detections, the more likely it is malware.
  - Look at which firm made the file.
  - Rename the file in question and move it to a backup folder. If it turns out to be essential you can put it back later.
- Never fix an O10 line using HijackThis.
  This may corrupt Winsock, and you lose your internet connection. Better to use LSPFix or WinsockFix for these purposes.
- At the end of your malware topic, give some further security tips to prevent re-infection.
  Tell them they need a firewall and one resident AV scanner. As for us, we are avast evangelists! And stress the importance of patching Windows and other software.
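The reading rules above (the O4 name-plus-program combination from "Reading a HijackThis log") and the do's and don'ts about (file missing), O16 and O10 lines can be turned into a small triage script. The following is an added example and not code from the original post or from HijackThis itself: it parses the O-lines of a log, collects the "Running processes" section, and applies the post's rules of thumb to each entry. The sample log, the CLSIDs, file names and the known-bad set are constructed placeholders; the only real entry is the nwiz / nwiz.exe combination the post identifies as part of the nVidia drivers.

```python
"""Triage HijackThis log lines with the rules of thumb from the post above.
Added example, not code from the original post. Sample data is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# "O4 - HKLM\..\Run: [name] command"; a trailing " (file missing)" is captured separately
LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")

# From the post: nwiz.exe registered as [nwiz] belongs to the nVidia driver package.
KNOWN_GOOD: FrozenSet[Tuple[str, str]] = frozenset({("nwiz", "nwiz.exe")})

@dataclass
class Entry:
    section: str        # O2, O3, O4, O9, O10, O16, O23, ...
    name: str           # bracketed name (O4) or the entry's display name
    path: str           # lower-cased file name the entry points at
    file_missing: bool  # HijackThis appended "(file missing)"
    raw: str

def _basename(path: str) -> str:
    """Last component of a Windows path (quotes stripped), lower-cased."""
    path = path.strip().strip('"')
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _command_exe(cmd: str) -> str:
    """Executable name from a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        exe = cmd[1:end] if end > 0 else cmd[1:]
    else:
        exe = cmd.split(" ", 1)[0]
    return _basename(exe)

def parse_line(line: str) -> Optional[Entry]:
    """Parse one O-line; returns None for anything that is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body, missing = m.group("section"), m.group("body"), m.group("missing") is not None
    if section == "O4":
        m4 = O4_RE.match(body)
        return Entry(section, m4.group("name"), _command_exe(m4.group("cmd")), missing, line) if m4 else None
    # O2/O3/O9/O23 style: "<kind>: <name> - <clsid or owner> - <path>"
    parts = body.split(" - ")
    head = parts[0].split(": ", 1)
    name = head[1] if len(head) == 2 else head[0]
    path = _basename(parts[-1]) if len(parts) > 1 else _basename(name)
    return Entry(section, name, path, missing, line)

def parse_log(text: str) -> Tuple[List[Entry], Set[str]]:
    """Return the O-entries plus the file names listed under 'Running processes:'."""
    entries: List[Entry] = []
    running: Set[str] = set()
    in_running = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_running = True
            continue
        if in_running and line and not LINE_RE.match(line):
            running.add(_basename(line))
            continue
        in_running = False          # blank line or first O-line ends the process list
        entry = parse_line(line)
        if entry:
            entries.append(entry)
    return entries, running

def triage(entry: Entry, running: Set[str], known_bad: FrozenSet[Tuple[str, str]] = frozenset(),
           known_good: FrozenSet[Tuple[str, str]] = KNOWN_GOOD) -> Tuple[str, str]:
    """Apply the post's rules of thumb; returns (verdict, reason)."""
    key = (entry.name.lower(), entry.path)  # the name + program combination is the lookup key
    if entry.section == "O10":
        return "NOT_WITH_HJT", "O10 / Winsock LSP: use LSPFix or WinsockFix, never HijackThis"
    if key in known_bad:
        return "FIX", "name+program combination is known malware in the database"
    if entry.section == "O16":
        return "LEAVE", "O16 lines are normally harmless; only a database hit justifies fixing"
    if entry.file_missing:
        if entry.section in ("O2", "O3"):
            return "FIX", "(file missing) can be taken as fact for O2/O3 entries"
        if entry.path in running:
            return "LOOKUP", "(file missing) but the process is running (known HJT bug); identify it first"
        return "LEAVE", "(file missing) is dubious for this section; leave unless known malware"
    if key in known_good:
        return "LEAVE", "name+program combination identified as legitimate"
    return "LOOKUP", "identify the name+program combination in a database before fixing"

def triage_log(text: str, known_bad=frozenset(), known_good=KNOWN_GOOD) -> List[Dict[str, str]]:
    entries, running = parse_log(text)
    rows = []
    for e in entries:
        verdict, reason = triage(e, running, known_bad, known_good)
        rows.append({"section": e.section, "name": e.name, "path": e.path, "verdict": verdict, "reason": reason})
    return rows

# Constructed sample log: CLSIDs, "Example" names and paths are placeholders, not real malware.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\examplesvc.exe

O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\examplebho.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [nwiz] C:\WINDOWS\system32\lookalike.exe
O9 - Extra button: Example Button - {66666666-7777-8888-9999-000000000000} - C:\Program Files\Example\button.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\examplelsp.dll
O16 - DPF: {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} (Example Control) - http://example.invalid/control.cab
O23 - Service: Example Service - Unknown owner - C:\WINDOWS\system32\examplesvc.exe (file missing)
"""

if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG):
        print(f'{row["section"]:4} {row["verdict"]:13} [{row["name"]}] {row["path"]}: {row["reason"]}')
```

Note how the two O4 lines are handled: both carry the name [nwiz], but only the one whose program is nwiz.exe matches the known-good combination; the look-alike with a different executable is sent to a database lookup instead of being waved through. The O23 service marked (file missing) is still listed under Running processes, which is exactly the known HJT bug the post warns about, so it is flagged for identification rather than left alone.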
Outline of your fix

Every fix is different, but generally this is a good outline.
- Welcome those that seek help from us. Tell them not to panic, and that all will be well in the end.
- Let them know what infection they have and, when known, how they were infected.
- When hijackthis.exe is in the wrong folder, have it placed in the right one.
- Let them download the tools necessary to fight the malware at hand.
- Let them make hidden files visible, so they can be found and deleted.
- Uninstall infections through Control Panel > Add or Remove Programs, a better option than manual uninstall.
  Do not forget to restart after every uninstall. There are lists of malware programs that are easy to uninstall.
- Have your instructions printed, or saved as a .txt file, for later reference, because the rest of the cure should be done in Safe Mode.
- When a PC has various infections, it is better to have the victim start the PC in Safe Mode.
  In Safe Mode the malware processes responsible for the infection are not active, so they are easier to delete.
- Have the malware lines fixed with HijackThis. Do not forget that all other windows and programs should be closed before "Fix checked" is pressed.
- Have all malware folders and files deleted.
- In Safe Mode also clean the temp folders, where malware can reside. A new scan can be performed better that way.
- Have the PC restart in normal mode.
- Perform an online scan, or a Dr.Web CureIt scan for instance.
- Tell them which logs you would like to have attached. Ask whether the victim encountered further problems.
- Wish the victim all the best and thank them for coming here for help.
- Make your fix readable by using bold, italics etc. and numbering.
- Many that come here for help are not very computer savvy. Be precise and simple in your instructions.
If at a certain point your malware cleansing routine takes a wrong turn, ask for help from the experienced malware fighters here. No one will blame you. Now dive into it, and try to help others.

polonus (malware fighter)
P.S. HijackThis manual: http://hometown.aol.co.uk/jrmc137/index.htm
A very good link to an extensive HijackThis manual can be found here:
http://www.malwarehelp.org/understanding-and-interpreting-hjt1.html