Saturday, August 27, 2011

How to remove viruses.

First off, im back from my mini vacation. so sorry about the lack of content. im back now... and boy is this a good tutorial.

alright, so first off, virus scan's SUCK! let me explain how... a virus scan tries to identify a virus based on the binary data. i don't want to get in depth with how it does this, but just know that it uses the binary data to compare the file to the signature in the virus data base. so all the hackers out there said to themselves... "wait, if i just modify the virus, then the virus scan will be useless"... and they were right!
there is a tool known as a cryptor that will encrypt the virus and hide it inside of an exe... this will look clean to the virus scan, but when ran, it will put the encrypted virus into your ram, decrypt it, and then run it from the ram its self. because it never touches the hard drive, it will never be checked by the virus scan. then you end up with a virus... which sucks for you.

so, in this tutorial, you will learn two things:
  • how to avoid viruses.
  • how to remove them if you already have one.

so, to start, ill talk about avoiding them.... there are 3 ways of getting viruses, the most common one is by downloading an infected .exe file and running it. To avoid viruses in .exe files, just download the file from the official website, try to avoid mirrors and torrents..... if you have to use a torrent / mirror, make sure the comments on the file all look positive. for even more security, you can run the .exe's in a program called sandboxie. this will quarantine all the memory used by the program, so that it will still run, but it can not effect your operating system or

the second way is a bit less common, and is referred to as a "java drive by". this is when you go to a website, which then prompts you to run a java applet, if you accept... the java applet will then run the encrypted .exe on your computer. these java prompts look like this.

To avoid this kind of attack, just make sure you only run java applets from a trusted website, if someone tells you to go to a webcam chatroom or something similar, and sends you to a link you have never gone to before and you see the dialog box above.... press cancel and navigate away from the page. sandboxie also has a protected browser mode.

the last kind of attack is known as a 0-day. this is when there is a new vulnerability discovered in an application. because these are per application, they are not generally used to affect users, instead they are intended to attack large companies, so dont worry about there unless your Sony :p

ok, so now you know how you can be attacked and how to avoid it... but what if you do get infected? most viruses try to mimic legitimate processes, so open task manager, and look for firefox or internet explorer running when it is closed... that is a common sign of infection (however, it doesn't always mean that you are) the most common way of 'removing' a virus without a virus scan, is just to disable it from starting. to do this, just type msconfig into the run prompt (in windows xp) or the search bar in the start menu in vista/7. go to the start up tab, and remove any suspicious process.

run entries are also in the following locations (in your registry):
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
by removing the startup for the virus, then the virus can not start, and is 'removed' (however it is still on your hard drive somewhere).  when you look for the process in msconfig or the registry, it will tell you the location of the .exe that it is running, so just note that down and delete the file later.

NOTE: when removing a file, make sure you boot into safe mode first.

if you ever have questions about what is or is not a virus, there are plenty of forums that will analize 'hijack this' reports, if your not familiar with hijack this, it is a program that gives out a list of running process' as well as possible problematic registry keys.
if you dont know what a startup program is, or what a running application is.... google it! don't remove something that could be important.... what im trying to say, is im not responsible for your idiocy if you mess your shit up.


Anonymous said...

I use NOD32 and malwarebytes. They seem to do the trick of keeping me clean.

Sub-Radar-Mike said...

Welcome back, great tutorial!

ZIane said...

Great tutorial

DesoWave said...

Awesome stuff.

TwistOfEvents said...

Thanks for the tutorial, I actually need this :)

Theflyingblogger said...

Thanks for the information! I'd think this was common knowledge...

Kyle said...

Fortunately I have employed the "common sense" defense against getting viruses pretty effectively so far. If I do get some nasty ones though you can bet I'll be asking someone to analyze my hijack this.

norbi_nw said...

IMO nod 32 + malwarebites FTW :D

Post a Comment