Archive for April, 2011

Manual Malware Hunting – A Free, Simple and Easy Way to Remove Viruses

No matter what antivirus program you have, it can't detect each and every piece of malware out there. Until the antivirus companies get a sample of the latest malware, it remains undetected.

Today's antivirus applications use heuristics and active scanning to detect even unknown viruses, but you may still run into plenty of situations where you know your computer is infected and the antivirus stays silent about it. After reading this article, that won't be a problem anymore.

You need Process Explorer to identify the malware process. Download it from here:

             http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

There are two other tools which you might need, depending on the severity of the issue:

Killbox

To delete the malware file on reboot if you can't delete it right away.

Dial-a-fix

To remove any restrictive policies which the malware has added to the registry in order to disable Task Manager, the command prompt etc.

Step 1: Identify the malware process

Process Explorer shows you a lot of information that Task Manager doesn't show. (You might not even be able to open Task Manager if the malware has disabled it.)

In Process Explorer you can also right-click a process, click 'Properties' and find even more information. Note that this is where you find the location of the actual image file, which you will need later.

Malicious files can be an exe file or a non-exe file with an extension such as .vbs or .dll. We need to find files of both types.

Finding malicious exe files:

Open Process Explorer, look for processes of the following kinds and note down their names and locations:

Process which has no description or company name

Process which is highlighted in purple (purple means the image is packed; malware is usually packed so that an antivirus program cannot recognize the file. Some legitimate programs are packed too, so treat this as a hint, not proof.)

Process whose name looks like a core system file name but is misspelled

(For example, you might see a process named 'svhost.exe'. There is an actual Windows file called svchost.exe. The trick is to make you believe that it is a Windows file.)

Process with the name of an actual Windows file but running from a different location

(For example, you might see an svchost.exe process running from C:\Documents and Settings\Administrator. The real svchost.exe is located in C:\Windows\system32.)

Process with a single-letter name (a.exe, b.exe, c.exe)

Process with a name which makes no sense and consists of random letters (for example hkydhrlwjds.exe)

Usually you will only see a single such process, so your malware hunting will be really easy. With experience, you will be able to spot the malware process just by looking at Process Explorer.

Finding malicious non-exe files:

Some malware files are not exe files and therefore need another process to launch them. So we have to identify those as well. Look for the following and note down the file names and locations:

Look for processes named rundll32.exe. This is a Microsoft process which is used to run dll files. Right-click the process, click 'Properties' and look at what it says under Command line.

You might see something like "rundll32.exe" shell32.dll, Control_RunDLL "C:\WINDOWS\system32\ahtjlfuil.dll",

We are only interested in the dll file ahtjlfuil.dll. Note down its name and location.

Look for processes named wscript.exe. This is a Microsoft process which is used to run VBScript (.vbs) files. A VBScript virus or an autorun.inf virus will use this process to run.

Right-click the process, click 'Properties' and look at what it says under Command line.

You will see something like this:

"C:\WINDOWS\System32\WScript.exe" "D:\shtnghyr.vbs"

We are interested in the file "D:\shtnghyr.vbs".

Note down its name and location.

In Process Explorer, click 'View' – 'Lower Pane View' – 'DLLs'. This shows the dlls loaded in the selected process. Select the system processes such as explorer.exe, iexplore.exe, lsass.exe, winlogon.exe and csrss.exe one at a time.

In the lower pane, look for dlls which show the symptoms we talked about in the 'Finding malicious exe files' section. Ignore the entries which are not dlls. If you find any suspicious file with those symptoms, right-click the dll, go to 'Properties' and note down its location and name.
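The symptoms above can be checked mechanically. The block below is an added example (my code, not the article's) that applies them to a process listing: a constructed snapshot in the shape Process Explorer shows (name, path, company, description, packed flag, command line), with near-miss name detection, wrong-directory detection, a crude "random letters" test, and the command-line parsing for rundll32.exe and wscript.exe payloads from the non-exe section. The system-name list, the directory list and the snapshot itself are assumptions made for the example; on a real machine you would fill the snapshot from Process Explorer's saved listing or a PowerShell/WMI process query.

```python
import re
from pathlib import PureWindowsPath

# Legitimate Windows binaries malware likes to imitate (short list for the
# example; build the real one from a clean machine of the same OS version).
SYSTEM_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe",
    "services.exe", "smss.exe", "spoolsv.exe", "rundll32.exe", "wscript.exe",
}
# Where those binaries legitimately live (compared lower-case).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}
# Host processes whose real payload is a non-exe file named on the command line.
HOST_PAYLOAD_EXTS = {
    "rundll32.exe": (".dll", ".cpl"),
    "wscript.exe": (".vbs", ".vbe", ".js", ".jse", ".wsf"),
}

def edit_distance(a, b):
    """Levenshtein distance; catches near-misses such as svhost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_random(stem):
    """Crude keyboard-mash test: 8+ characters that are vowel-poor or contain a
    run of 5+ non-vowels (hkydhrlwjds, ahtjlfuil); explorer and iexplore pass."""
    if len(stem) < 8:
        return False
    vowels = sum(c in "aeiou" for c in stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowels / len(stem) < 0.2 or longest_run >= 5

def file_reasons(name, path=None, company=None, description=None,
                 packed=False, metadata_known=True):
    """Return the article's symptoms that apply to one image file."""
    name = name.lower()
    reasons = []
    if metadata_known and not company and not description:
        reasons.append("no description or company name")
    if packed:
        reasons.append("packed image (purple in Process Explorer)")
    parent = str(PureWindowsPath(path).parent).lower() if path else None
    if name in SYSTEM_NAMES:
        if parent is not None and parent not in SYSTEM_DIRS:
            reasons.append("system file name running from " + parent)
    else:
        near = sorted(s for s in SYSTEM_NAMES if edit_distance(name, s) <= 2)
        if near:
            reasons.append("misspelling of " + near[0])
        stem = name.rsplit(".", 1)[0]
        if len(stem) == 1:
            reasons.append("single-letter name")
        elif looks_random(stem):
            reasons.append("random-looking name")
    return reasons

def hosted_payloads(proc):
    """For rundll32/wscript hosts, the non-exe files named on the command line.
    Quoted strings are one token (Windows style); trailing commas are dropped."""
    exts = HOST_PAYLOAD_EXTS.get(proc["name"].lower())
    if not exts:
        return []
    tokens = re.findall(r'"([^"]*)"|(\S+)', proc.get("command_line", ""))
    tokens = [(q or u).rstrip(",") for q, u in tokens]
    return [t for t in tokens if t.lower().endswith(exts)]

def triage(snapshot):
    """Map each suspicious image (process path or hosted payload) to its reasons."""
    findings = {}
    for proc in snapshot:
        reasons = file_reasons(proc["name"], proc.get("path"), proc.get("company"),
                               proc.get("description"), proc.get("packed", False))
        if reasons:
            findings[proc.get("path") or proc["name"]] = reasons
        for payload in hosted_payloads(proc):
            # Payload metadata is unknown here, so only the name/path rules apply.
            reasons = file_reasons(PureWindowsPath(payload).name,
                                   payload if "\\" in payload else None,
                                   metadata_known=False)
            if reasons:
                findings[payload] = reasons + ["loaded by " + proc["name"]]
    return findings

# Constructed snapshot mirroring the article's examples (not real data).
SNAPSHOT = [
    {"name": "svchost.exe", "path": r"C:\WINDOWS\system32\svchost.exe",
     "company": "Microsoft Corporation", "description": "Generic Host Process"},
    {"name": "svhost.exe", "path": r"C:\WINDOWS\system32\svhost.exe",
     "company": "", "description": "", "packed": True},
    {"name": "svchost.exe", "company": "", "description": "",
     "path": r"C:\Documents and Settings\Administrator\svchost.exe"},
    {"name": "hkydhrlwjds.exe", "path": r"C:\WINDOWS\hkydhrlwjds.exe",
     "company": "", "description": ""},
    {"name": "a.exe", "path": r"C:\WINDOWS\a.exe", "company": "", "description": ""},
    {"name": "rundll32.exe", "path": r"C:\WINDOWS\system32\rundll32.exe",
     "company": "Microsoft Corporation", "description": "Run a DLL as an App",
     "command_line": r'"rundll32.exe" shell32.dll, Control_RunDLL "C:\WINDOWS\system32\ahtjlfuil.dll",'},
    {"name": "wscript.exe", "path": r"C:\WINDOWS\System32\WScript.exe",
     "company": "Microsoft Corporation", "description": "Windows Script Host",
     "command_line": r'"C:\WINDOWS\System32\WScript.exe" "D:\shtnghyr.vbs"'},
]

if __name__ == "__main__":
    for image, reasons in triage(SNAPSHOT).items():
        print(image, "->", "; ".join(reasons))
```

Running it lists svhost.exe, the misplaced svchost.exe, hkydhrlwjds.exe, a.exe, ahtjlfuil.dll and shtnghyr.vbs with the reason each was flagged, while the genuine svchost.exe, rundll32.exe, wscript.exe and shell32.dll produce nothing. These are the article's symptoms, not proof: a flagged file still goes through Step 2 before you touch it.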

Step 2: Find more information about the identified files

After you have noted down the processes, there are two things you can do to determine whether a file is malware:

Number one: Search for the file name in Google. If it is a well-known file, your first few results will include pages from www.file.net, www.processlibrary.com etc. If the search results are only forum posts, or you get no results at all, then it is most likely malware.

Number two: Upload the file to either of these two sites: www.virustotal.com and http://virusscan.jotti.org. These sites scan a single file with multiple antivirus engines and show you the results. (Anything you upload is shared with antivirus vendors, so don't upload documents that may contain private data; for those, search VirusTotal by the file's hash first.)

Step 3: Deleting the malicious files

If the file is a standalone process, or is running under rundll32.exe or wscript.exe, you can simply end the process and delete the file from its location.

If the file is a dll hooked into iexplore.exe or explorer.exe, you can still end those processes and delete the file from its location.

But if the file is injected into a core process like winlogon.exe, lsass.exe or csrss.exe, you can't end the process; Windows will shut down or crash. That is when you have to use 'Killbox' to delete the file on reboot. Open Killbox, browse to the file which has to be deleted, check the box to delete on reboot and click the delete icon. Reboot when it prompts you to.

Killbox uses a registry value called 'PendingFileRenameOperations' (under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) to store the entries which have to be deleted on the next reboot. Some malware processes monitor that value and remove any entry that gets added.

If that happens, you may get the error "PendingFileRenameOperations Registry Data has been Removed by External Process!" If you get this error, try deleting the file from Safe Mode, from the Recovery Console or from a boot disk such as ERD Commander or Hiren's BootCD.

It is better to rename those files instead of deleting them, and to upload the infected files to an antivirus vendor's website. By uploading the files, the antivirus company gets a sample and can include it in its signatures. This helps the millions of others who may have the same problem.
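As an added example (not the article's or Killbox's code), the block below does in Python what this step describes by hand: it records the file's hashes, renames the file into a quarantine folder instead of deleting it, and shows what a Killbox-style delete-on-reboot entry looks like. The quarantine layout (<sha256>.vir) is my own convention; the delete-on-reboot call is the documented Windows MoveFileExW API with MOVEFILE_DELAY_UNTIL_REBOOT, which is what writes the PendingFileRenameOperations value, and it only works on Windows with administrator rights. The demo file is a constructed placeholder, not malware.

```python
import ctypes
import hashlib
import os
import sys
import tempfile

MOVEFILE_DELAY_UNTIL_REBOOT = 0x00000004  # winbase.h flag for MoveFileExW
SESSION_MANAGER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"


def file_hashes(path):
    """MD5 and SHA-256 of a file; record these before renaming so the sample
    can be looked up on VirusTotal/Jotti by hash and matched after upload."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def quarantine(path, quarantine_dir):
    """Rename instead of delete: move the file to <sha256>.vir so it no longer
    runs under its old name and is ready to submit to an AV vendor."""
    md5, sha256 = file_hashes(path)
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, sha256 + ".vir")
    os.replace(path, dest)
    return {"original": path, "quarantined": dest, "md5": md5, "sha256": sha256}


def pending_rename_entries(paths_to_delete):
    """Build the REG_MULTI_SZ content Windows keeps in the
    PendingFileRenameOperations value under SESSION_MANAGER_KEY: entries come
    in pairs, an NT-style source path followed by an empty destination
    meaning 'delete'."""
    entries = []
    for path in paths_to_delete:
        entries += ["\\??\\" + path, ""]
    return entries


def parse_pending_operations(entries):
    """Decode that value back into (path, action) pairs, so after scheduling a
    deletion you can check the entry is still there before rebooting."""
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src = src[4:] if src.startswith("\\??\\") else src
        if dst == "":
            ops.append((src, "delete"))
        else:
            dst = dst.lstrip("!")  # a leading '!' means replace the destination
            dst = dst[4:] if dst.startswith("\\??\\") else dst
            ops.append((src, "rename to " + dst))
    return ops


def schedule_delete_on_reboot(path):
    """Windows only, needs administrator rights: what Killbox's 'delete on
    reboot' does, via the documented MoveFileExW API."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW exists only on Windows")
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()
    return True


def run_demo():
    """Quarantine a constructed placeholder file (not real malware) in a temp
    directory and confirm the recorded hash survives the rename."""
    workdir = tempfile.mkdtemp()
    sample = os.path.join(workdir, "hkydhrlwjds.exe")
    with open(sample, "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 64)  # constructed bytes, not an executable
    record = quarantine(sample, os.path.join(workdir, "quarantine"))
    record["original_gone"] = not os.path.exists(sample)
    record["rehash_matches"] = file_hashes(record["quarantined"])[1] == record["sha256"]
    return record


if __name__ == "__main__":
    print(run_demo())
    print(parse_pending_operations(
        pending_rename_entries([r"C:\WINDOWS\system32\ahtjlfuil.dll"])))
```

After calling schedule_delete_on_reboot on a real machine, read the PendingFileRenameOperations value back (Registry Editor or reg query) and feed it to parse_pending_operations: if your path is no longer listed, something removed it, which is the same situation as the Killbox error above, and the offline methods (Safe Mode, Recovery Console, boot CD) are the way forward.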

Step 4: Remove any restrictive policies the malware may have added

Many spyware programs, viruses, Trojan horses etc. disable administrative tools like Task Manager, Registry Editor and the command prompt. You might get an error saying 'Task Manager has been disabled by your administrator'.

You can use Dial-a-Fix to remove these policies from the registry. When you open it, it scans for the restrictive policies and lists them. Check all of them and simply delete.
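If Dial-a-Fix is unavailable, or the malware blocks it, the same policies can be checked and removed directly. The block below is an added example, not Dial-a-Fix's code: it lists the documented registry values behind "Task Manager has been disabled by your administrator" and its cousins, audits a snapshot of them and produces the reg.exe commands that delete each one. The infected snapshot is constructed for the example; on Windows, read_live_snapshot() fills the same structure from the real registry with winreg.

```python
import sys

# (hive, subkey) -> policy values that lock you out when set to a non-zero
# DWORD (DisableCMD=2 also blocks batch files). These are the documented
# Windows group-policy locations; malware writes them directly.
LOCKOUT_POLICIES = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System"):
        ("DisableTaskMgr", "DisableRegistryTools"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Policies\System"):
        ("DisableTaskMgr", "DisableRegistryTools"),
    ("HKCU", r"Software\Policies\Microsoft\Windows\System"): ("DisableCMD",),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"):
        ("NoRun", "NoFolderOptions", "NoControlPanel"),
}
WHAT_IT_BLOCKS = {
    "DisableTaskMgr": "Task Manager", "DisableRegistryTools": "Registry Editor",
    "DisableCMD": "command prompt", "NoRun": "Start > Run",
    "NoFolderOptions": "Folder Options", "NoControlPanel": "Control Panel",
}


def find_lockouts(snapshot):
    """snapshot: {(hive, subkey): {value_name: data}} -> list of set policies
    as (hive, subkey, value_name, data, what_it_blocks)."""
    found = []
    for (hive, subkey), names in LOCKOUT_POLICIES.items():
        values = snapshot.get((hive, subkey), {})
        for name in names:
            if values.get(name, 0) != 0:
                found.append((hive, subkey, name, values[name], WHAT_IT_BLOCKS[name]))
    return found


def removal_commands(lockouts):
    """reg.exe commands that delete each policy value (run from an elevated
    prompt; deleting the value restores the default of 'not restricted')."""
    return [f'reg delete "{hive}\\{subkey}" /v {name} /f'
            for hive, subkey, name, _, _ in lockouts]


def read_live_snapshot():
    """Windows only: collect the same structure from the real registry."""
    if sys.platform != "win32":
        raise OSError("needs the Windows registry")
    import winreg
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for (hive, subkey), names in LOCKOUT_POLICIES.items():
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                for name in names:
                    try:
                        data = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        continue  # value absent: not restricted
                    snapshot.setdefault((hive, subkey), {})[name] = data
        except FileNotFoundError:
            pass  # policy key absent: nothing set under it
    return snapshot


# Constructed snapshot of a locked-out machine (not real registry data).
INFECTED_SNAPSHOT = {
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Policies\System"):
        {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    ("HKCU", r"Software\Policies\Microsoft\Windows\System"): {"DisableCMD": 2},
}

if __name__ == "__main__":
    snapshot = read_live_snapshot() if sys.platform == "win32" else INFECTED_SNAPSHOT
    lockouts = find_lockouts(snapshot)
    for hive, subkey, name, data, blocks in lockouts:
        print(f"{hive}\\{subkey}\\{name} = {data}  ({blocks} disabled)")
    print("\n".join(removal_commands(lockouts)))
```

If the command prompt itself is disabled you can run the reg commands from Safe Mode or from a boot CD's console, as in Step 3. Task Manager and Registry Editor honour the change the next time they are started; the Explorer policies only take effect after explorer.exe restarts or the user logs off and on. Re-run the audit after a reboot: malware that is still alive will simply set the values again, which tells you Step 3 is not finished.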

Step 5: Final clean up

Doing all these steps doesn't remove every trace of the spyware; there may still be leftover registry entries. You can use CCleaner to clean the registry.

If possible, run a couple of online virus scans so that you can be sure the system is completely clean. Install the latest security updates and you should be good to go.

Some of my alternative articles:

100% Cpu: How To Fix It? – A Complete Troubleshooting Guide

How Fast is my Internet? – Check Your Internet Speed Online!

Secure Delete – How to Delete Files Permanently From You Hard Drive?

Why Does The Computer Freeze And How To Fix It?