Malware Checklist

  1. #1

    Malware Checklist

    I wrote a step-by-step checklist for others to use before I show up to fix their computer. It seems like most problems nowadays are from malware, so I wrote this checklist to save me a few trips across campus to get rid of pop-ups.

    It seems like half the front page of AO these days is covered with spyware, viruses and hijacks, and it seems like we all give them the same advice. I figured we can link them to this so if they still have symptoms, they will have their HJT, ProcessExplorer, and other logs for us to check out.

    Anyways, I'm going to be using it in the dorms next year; I figure it would save a buttload of time helping out in the malware threads.

    As usual-
    Constructive criticism welcome, and edits are inevitable.

  2. #2
    Senior Member | Join Date: Feb 2004 | Posts: 202
    IMO, disabling system restore should not be done until the end of the clean-up process. Otherwise, you have nothing to fall back on if the user (or you) makes a mistake and hurts something critical. We all know users who like to "fix" things on their own and unsupervised. At least with system restore on we have something to fall back on!

    All in all a very nice checklist though! I took the liberty of saving a copy to ship to my folks the next time they load up their pc with "ick".

  3. #3
    Senior Member | Join Date: Apr 2004 | Posts: 1,130
    It's good, soda, but what is the audience? Regular (a.k.a. dumbass) users, or some field technicians?
    If the audience is regular users, I have to agree with meeeeeeee. Some steps there can be dangerous and users can destroy their own computers doing that. And they must have some kind of admin authority that is uncommon nowadays....
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  4. #4
    The audience is home users that don't have a network admin to help them out. It is for me to link to others that are not paying me to fix their computer (i.e. friends and family), and to work as a preliminary list of steps before people start asking how to fix their computer.

    cacosapo, other than disabling system restore, I don't see any dangerous steps. Maybe you should point them out.

    BTW

    There is a notice and an optional label next to the system restore step. I think I will make it red and detail it.

  5. #5
    Banned | Join Date: Jul 2004 | Posts: 31
    Quote:
        cacosapo, other than disabling system restore, I don't see any dangerous steps
    I am personally not a big fan of system restore. I'd rather back up onto CD, tape, or other external media.

    -Cheers-

  6. #6
    Senior Member | Join Date: Apr 2004 | Posts: 1,130
    Yeah, you are right, soda. I thought that you mentioned "msconfig" in your checklist, but you didn't. I don't like regular users using (even for browsing) msconfig. Users tend to "uncheck" or change some items and damage Windows.
    IMHO, I don't think that they need to boot in safe mode or disable system restore. Most plagues can be destroyed in "Normal" usage. It is a good idea, but it just makes the process harder, and users tend to "skip" long walkthrus.
    Maybe you make a basic walkthru for lazy people and a secondary one for people who want more security?
    Basic walkthru
    - how to install tools, seek out inside enemies, and basic plague combat
    - how to enable automatic updates (Windows, a/v, etc.)
    - how to collect information to send to you (very good - better than going there and seeing how dumb your friend is)
    "Advanced" walkthru
    - the piece that contains safe mode, system restore
    - how to use another web browser (how to install one)
    - how to use better e-mail software (to replace Outlook)
    - I would suggest adding FPORT and Spy Sweeper here.

  7. #7
    Just from my experience, the Sasser virus could not be removed with the Stinger tool unless it was in safe mode. So since then, I have always done my full scans in safe mode.

    And malware has the potential to disrupt other software in normal mode, so I no longer consider it a "fully" trusted scan unless it's in safe mode.

  8. #8
    Senior Member | Join Date: Apr 2004 | Posts: 1,130
    I do agree (how can I not?) that doing things in safe mode is better.
    The problem is: will those guys follow that?

    If they are too lazy, they will start to read that walkthru: "Hey, this is too long. Let's call Soda."

    If you're trying to avoid fatigue helping guys for free who insist on putting malware.....

  9. #9
    oldie | Join Date: Nov 2002 | Posts: 487
    Soda: Good checklist! I forgot to include the free online virus scanners in the list I sent our users.

    What do you think about adding some of my data (below) to yours as a kind of intro and then use your checklist for the "What to do if you think your PC is infected" portion? That plus any mods from this discussion and maybe MM or Neg can "sticky-it".

    NOTES:
    * This is geared toward HOME machines, do not perform this on your work/company machine without checking with their IT organization first.
    * Credits: some information here was taken from Merijn's programs and site (http://www.spywareinfo.com/~merijn/index.html) and Christian Wagner at IO.com (http://www.io.com/~cwagner/spyware.html).


    What is spyware?

    Spyware is a general term for a program that secretly monitors your actions (i.e. web surfing, email usage, etc.) or collects and sends personal information to a 3rd party on the Internet. Sometimes they are sinister, such as acting like a remote control program for a hacker to use to control your PC for dubious purposes, or software companies using it to gather data about their customers' web surfing habits in order to sell the data to other marketers. Generally spyware is frowned upon because of its secretive nature - the user is unaware of what it's doing or how it's using the data it is collecting.

    The precise definition of spyware varies depending on who you ask. The calling card of a spy is that it is sneaky and not easily noticed. Spyware is any software that performs sneaky activities behind the user's back--these activities can range from installing itself onto your computer, gathering information on you and transmitting it across the Internet, downloading files or running programs on your computer, messing with your system settings, or even trying to silently pass itself on to others.

    Like a real spy, it may don disguises to hide itself and its intentions. It will try very hard not to be noticed. It will persist in the background even after you tell it to go away. It might even try to hide from you if it knows you're looking for it!

    Some characteristics of spyware:
    Collects information from your computer without your knowledge and/or consent
    Transmits a unique code to identify you (for tracking purposes) without your knowledge and/or consent
    Collects/transmits information about your computer use or other habits without your knowledge and/or consent
    Installs itself on your computer without your knowledge and/or consent
    Keeps reinstalling itself, no matter how many times you remove it
    Performs other unwholesome duties without your knowledge and/or consent

    You can also take a look at a good FAQ about spyware here: <http://www.io.com/~cwagner/spyware.html>


    Top 13 signs your PC is infected with spyware:

    * Web browser could be Internet Explorer, Mozilla, Opera, etc.
    * If you see one or more of the following symptoms you could be infected.
    1) Your usual home page or start page is changed and you have no idea why.
    2) An unexpected toolbar appears in your web browser or on Windows and you don't know how it got there.
    3) Your firewall alerts you to an unknown program or process trying to access the Internet.
    4) New shortcuts appear on your desktop that you didn't put there.
    5) New entries appear in your favorites folder that you didn't put there.
    6) Your computer starts acting sluggish and slow (this could also be from a number of other reasons however).
    7) Enormous web browser slowdowns when typing
    8) Unable to access antispyware tools or sites
    9) Redirections to another search site when trying to visit Google
    10) Popups in Google and Yahoo when searching
    11) Sites in the IE Trusted Zone you didn't add
    12) Redirections to CoolWebSearch related pages
    13) Redirections when mistyping URLs

    Note: Many "free" downloads come with adware and spyware attached. Read the end user license agreement (EULA) carefully and beware what you install!


    What to do if you think your PC is infected:

    IMPORTANT: Be sure to type web addresses in exactly as stated here (copying them from here is the best approach). There are many "imposters" with web addresses that are SIMILAR to the valid web addresses. These "imposters" pose as spyware removers when they are actually spyware themselves.

    1. Boot Windows up in SAFE MODE and run anti-virus scan of entire system
    2. Install and run Ad-aware and remove any found. I recommend running this program regularly, weekly. You can find this program at <http://www.lavasoftusa.com/>
    3. Install and run Spybot Search & Destroy and remove any found. I recommend running this program regularly, weekly. You can find this program at <http://www.safer-networking.org/>.
    4. Install and run CWShredder. You can find this program at <http://www.spywareinfo.com/~merijn/files/CWShredder.exe>
    5. Check your browser for spyware (aka parasites): <http://www.doxdesk.com/parasite>

    There are also programs available that will show you your PC's startup entries along with what are called Browser Helper Objects (BHO). These objects are add-on pieces of software which enhance your Internet browser (e.g. Internet Explorer, Mozilla, Opera, Netscape Navigator, etc.). In many cases the spyware will add these types of objects to be used to track your web surfing and/or keyboard entries.
    Caution: Be careful when running these BHO detector programs; you could break Windows and/or software applications if you remove the wrong items. See sites where security people will help users in need of help at <http://forums.spywareinfo.com/>.

    Recommended BHO Detection/Removal Software:
    * HijackThis at <http://www.spywareinfo.com/~merijn/files/HijackThis.exe> (main page is at <http://www.spywareinfo.com/~merijn/downloads.html>)
    - You can run this program and submit your log to www.spywareinfo.com for analysis.
    * BHODemon at <http://www.definitivesolutions.com/bhodemon.htm>

    Resource to Check Processes (from HijackThis log):
    * Sysinfo.org http://www.sysinfo.org/

    Once you have a clean PC you should consider installing spyware blocking software, here are some recommendations:
    SpywareBlaster at <http://www.javacoolsoftware.com/spywareblaster.html>
    IE-SPYAD at <https://netfiles.uiuc.edu/ehowes/www...ce.htm#IESPYAD>
    Blocking Unwanted Parasites using HOSTS file at <http://www.mvps.org/winhelp2002/hosts.htm>


    WARNING about fraudulent anti-spyware software:

    There is a fair amount of software out there which advertises itself as a spyware detector and remover but which is actually spyware itself! BE CAREFUL - I recommend only using KNOWN good anti-spyware applications.

    Note that searching on Google and other search engines for terms like "Spyware" will find a number of these fraudulent products, both in search engine hits and in "sponsored links" (i.e. advertisements). There are probably a few examples in the Google AdWords to the right, since filtering them out is next to impossible.

    Stay away from the following - DO NOT INSTALL THESE!!!:
    SpyKiller, XoftSpy, SpyCatcher, SpyGuard, Spyware Nuker, SpyHunter, Warnet, Virtual Bouncer, AdProtector, Spyware Remover (from BulletproofSoft), SpyFerret, SpyGone, Stop-Sign, SpyBan, SpyAssault, SpyBouncer, SpyDoctor, SpyBlocs/eBlocs, NoAdware, PAL Spyware Remover, and SpyAssassin (aka "Ada-Ware") are all either of very dubious quality or known malware sources themselves.


    WARNING about "helper" software:

    There is a LOT of software out there claiming that it can help you search the Internet, whether it's for the best deal on a new camera or just trying to find information. Many times these advertise as web browser (e.g. Internet Explorer, Mozilla) helper tools. BE WARNED: More often than not these tools contain spyware. Think twice before installing; I recommend you don't install them. However, if you really feel the need for them, do research about these tools on the sites mentioned above such as <www.spywareinfo.com> or <www.spywarewarrior.com>.


    NEVER install anything from a pop-up advertisement !!!
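    A defender-side check for the HOSTS-file item above, and for signs 8 and 9 in the list of symptoms (anti-spyware sites unreachable, searches redirected): an added Python example, not code from this thread or from any of the tools it names. It parses a Windows HOSTS file, counts the hosts a blocking list such as the MVPS one blackholes, and flags any line that points one of the sites this post recommends at an address other than 0.0.0.0 or 127.0.0.1, which is what a hijacked HOSTS file looks like. The KNOWN_GOOD set, the sample HOSTS text and the 198.51.100.7 address are constructed for the example.

```python
"""Parse a HOSTS file; count blackholed hosts and flag hijacked security sites.

Constructed example: the KNOWN_GOOD domains are the ones the post recommends,
the sample HOSTS text and the 198.51.100.7 address are made up.
"""
import ipaddress
from typing import Dict, List, Tuple

# Sites the checklist sends readers to. Assumption for this example: a HOSTS
# entry mapping one of them anywhere but a blackhole address is a hijack.
KNOWN_GOOD = {
    "www.lavasoftusa.com",
    "www.safer-networking.org",
    "www.spywareinfo.com",
    "forums.spywareinfo.com",
    "www.spywarewarrior.com",
    "www.mvps.org",
}

# Addresses a blocking HOSTS file legitimately maps unwanted hosts to.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

Entry = Tuple[int, str, str]  # (line number, ip, hostname)


def parse_hosts(text: str) -> List[Entry]:
    """Return one (line_no, ip, host) tuple per hostname in the file.

    A HOSTS line is `<ip> <host> [<alias> ...]`; '#' starts a comment.
    Aliases on one line are expanded into separate entries.
    """
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed: an address with no hostname
        ip, hosts = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)  # skip lines whose first field is not an IP
        except ValueError:
            continue
        for host in hosts:
            entries.append((line_no, ip, host.lower()))
    return entries


def find_hijacks(entries: List[Entry]) -> List[Entry]:
    """Entries sending a known-good security site somewhere other than a blackhole."""
    return [(n, ip, h) for n, ip, h in entries
            if h in KNOWN_GOOD and ip not in BLACKHOLE]


def count_blocked(entries: List[Entry]) -> int:
    """Distinct hosts the file blackholes, ignoring the stock localhost line."""
    return len({h for _, ip, h in entries if ip in BLACKHOLE and h != "localhost"})


# Constructed sample: a stock localhost line, a few blocking-list entries with
# made-up ad-server names, and two hijack lines (198.51.100.7 is a documentation
# address, used here as the stand-in for whatever the hijacker chose).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# entries a blocking HOSTS list adds (constructed names)
0.0.0.0 ads.example-tracker.test
0.0.0.0 banner.example-adserver.test   # trailing comment
0.0.0.0 counter.example-adserver.test stats.example-adserver.test
# entries a hijack adds: anti-spyware sites pointed away from loopback
198.51.100.7 www.lavasoftusa.com
198.51.100.7 www.safer-networking.org
"""


def report(text: str = SAMPLE_HOSTS) -> Dict[str, object]:
    """Summarise a HOSTS file: total entries, blackholed hosts, hijacked lines."""
    entries = parse_hosts(text)
    return {
        "entries": len(entries),
        "blocked": count_blocked(entries),
        "hijacks": find_hijacks(entries),
    }


if __name__ == "__main__":
    summary = report()
    print(f"{summary['entries']} entries, {summary['blocked']} hosts blackholed")
    for line_no, ip, host in summary["hijacks"]:
        print(f"line {line_no}: {host} -> {ip} (known-good site not on loopback)")
```

    To run it against a real machine, read the file at %SystemRoot%\System32\drivers\etc\hosts and pass the text to report(); a non-empty "hijacks" list means the machine cannot reach those sites by name until the lines are removed, which explains why step 1 of the checklist (scan from safe mode) and typed-in addresses matter.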

  10. #10
    Senior Member | Join Date: Feb 2004 | Posts: 202
    Nice both of you!

    from ric-o:
    Stay away from the following - DO NOT INSTALL THESE!!!:
    SpyKiller, XoftSpy, SpyCatcher, SpyGuard, Spyware Nuker, SpyHunter, Warnet, Virtual Bouncer, AdProtector, Spyware Remover (from BulletproofSoft), SpyFerret, SpyGone, Stop-Sign, SpyBan, SpyAssault, SpyBouncer, SpyDoctor, SpyBlocs/eBlocs, NoAdware, PAL Spyware Remover, and SpyAssassin (aka "Ada-Ware") are all either of very dubious quality or known malware sources themselves.
    Here's a great link to reference to figure out the good, bad and ugly of spyware cleaning/removal programs: http://www.spywarewarrior.com/rogue_anti-spyware.htm
