Saturday, March 26, 2011

Know your friends

So you have decided that you won't install antivirus, or that you will use some low-end antivirus. Now what? What do you do when a virus gets onto your system? What tools do you use to detect and remove it?
Below is a list of the freeware tools that I use.
  1. Process Explorer
    It's a tool developed by Sysinternals for Microsoft and is available for free download. It is a kind of better version of Task Manager, and it's better in several ways.
    • It can show the running processes in a tree-like format, so the process creation hierarchy is visible and you can identify which process started which.
    • It also shows the path of each running process. So if there is a fake executable (say explorer.exe) located at some wrong location (say your profile folder) instead of its correct location (the system32 folder, in the case of explorer.exe), you can see that the path is wrong, and hence that the file may be a fake, or at least an undesirable one.
    • New process creation and destruction can be seen visually, using colour indication. Thus it's easier to keep track of process creation when you need to diagnose something.
    • Provision to suspend / resume any process – when the parent process is suspended and its children are killed, the suspended parent cannot restart the child process, and you can easily delete the child process's executable.
    • Process handles – many times we encounter the issue, while "safely removing hardware", that some process is using the hardware, and hence Windows cannot remove it. Now the question is: which process? You can search for the drive letter (say h:\) and get the list of processes that are accessing the drive.
    • And finally, the best part: it can replace Task Manager. I.e. when you try to open Task Manager (say by pressing ctrl+alt+del or ctrl+shift+esc), it will actually open Process Explorer. Hence there is hardly any change required in user habits.
    So I would strongly recommend that you stop using Task Manager and move to Process Explorer.
  2. Command prompt
    Nothing comes as handy as the command prompt when trying to delete a file that Windows Explorer won't let you delete easily. Simple basic commands like
    • cd
    • dir /a
    • rmdir /s /q
    • type
    • del/erase
    • attrib -s -h
    • title (a very stupid command, but it helped me remove one virus)
    are generally sufficient for our needs.
  3. msconfig
    Know which processes and services are loaded at system startup. Remove suspicious processes and services. You may also remove some genuine processes that you don't want to run at startup (like WinZip Quick Pick). It will make your system run faster, as fewer processes are running. Press Win+R and enter msconfig in the dialogue box to open msconfig.
  4. Autoruns
    It's kind of an advanced version of msconfig. It's also developed by Sysinternals for Microsoft and can be downloaded from here. It shows the many paths where the system checks for startup programs. Remove suspicious items from the list.
  5. Windows explorer / Internet explorer 6 + Shift-delete
    When you find where your virus is located, the next thing to do is shift+delete (unless you want to keep that file as a pet for experimentation :P). The virus location can be found using tools like Process Explorer, msconfig or Autoruns. Internet Explorer 6 can be used to browse your directories if Windows Explorer is unable to do so for some reason. If you could not delete the virus file for some reason, try deleting it using the command prompt.
  6. Registry editor
    This is one risky thing to work on. If you mess something up in it, there is a possibility that your system will never boot again. Having said this, I will also recommend that one should play with the registry. The safe option is to enable System Restore, create a restore point and then play with the registry. In the registry you will find many configurations and settings. When you want to remove some viruses manually, it's a good idea to use the registry to disable the execution of the virus. The details of how to use the registry will be given in coming posts, wherever required.
  7. Commands – tasklist, taskkill, reg etc
    Well, it's easy to use Task Manager (read: Process Explorer), Registry Editor… but what to do if somehow Task Manager or Registry Editor has been disabled by some virus? In these cases we first need to enable these tools using the registry. Sometimes these tools are not disabled in the registry, but the virus detects that you have opened Task Manager and then kills Task Manager's process. How do you find out the name of the virus in such a case?
    Here, the command line tools are helpful.
    As you can understand from the name, tasklist gives you a list of the processes running on your system, and taskkill can be used to end a process. There are several options for these two commands. For more details, run "tasklist /?" or "taskkill /?" at the command prompt.
    Similarly, whatever you can do with Registry Editor can be done with the reg command. Run "reg /?" for more details about the reg command.
  8. Notepad
    Use Notepad to create registry files, batch files, VBScripts and so on.
    I would, however, recommend using the freeware Notepad++ because of the features it provides.
  9. Process Monitor
    It can be used to monitor process creation and exit, thread creation and exit, and the opening and closing of files by the processes already running on the system. Thus it's easier to keep track of what's happening on your system.
  10. tweakui
    Again, a PowerToy from Microsoft… Google for tweakui for the link.
    It gives you many features and customization options with a nice GUI. Options like the autorun features (explained in the next post) can be set using this GUI. Overall, it's a nice free tool.
  11. Firefox + google
    When (almost) everything else fails, Google comes to our rescue. :-)
    Whatever problem you are facing, try to find something peculiar about the virus. This can be the virus exe name (say msmxeng.exe, obtained using Process Explorer or otherwise) or some message string it pops up (e.g. "I dont hate mozilla but use IE or else"). Search for such specific keywords on the internet. Check the sites of some antivirus companies for a solution on how to manually remove the virus. These sites may also give details about what harm that particular virus does, so that you can undo it if possible.
  12. Linux live CD
    Finally, you have tried everything possible and known, but still could not delete the virus for some reason. In such cases Linux comes to rescue your Windows. Boot using a Linux live CD, mount the partition containing the virus, locate the virus executable and, peacefully, delete that file. No program will prevent you from deleting that file in Windows when you are booted from Linux.
    There are many, many flavours of Linux live CD which you can use for this. I mostly use an Ubuntu or Knoppix live CD.
  13. Other computer, with antivirus
    Disconnect the infected hard disk from your system, connect it to another system with up-to-date antivirus and scan it. (This still means that you install antivirus on only one Windows machine; the other systems don't need it.) After scanning, reconnect it to your system.
  14. Parted magic
    If for some reason you cannot disconnect it from your system (say, e.g., it's a laptop hard disk), then copy the infected partition to an external HDD using Parted Magic, scan that HDD using antivirus, and overwrite the partition on the internal HDD from the external HDD.
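The path check described under Process Explorer (item 1), automated as an added example that is not part of the original post: it parses the CSV printed by `wmic process get Name,ExecutablePath,ProcessId /format:csv` and flags well-known system binary names running outside %SystemRoot%, System32 or SysWOW64. The watched names, the sample output and the UTF-16 file encoding are assumptions made for the example.

```python
import csv
import io
import ntpath

# Names that malware commonly borrows from core Windows binaries (assumed list, not from the post)
WATCHED_NAMES = {"explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}

# Constructed sample of 'wmic process get Name,ExecutablePath,ProcessId /format:csv' output
SAMPLE = r"""
Node,ExecutablePath,Name,ProcessId
PC1,C:\Windows\explorer.exe,explorer.exe,1208
PC1,C:\Windows\System32\svchost.exe,svchost.exe,912
PC1,C:\Documents and Settings\user\explorer.exe,explorer.exe,2440
PC1,,csrss.exe,560
PC1,C:\Program Files\Mozilla Firefox\firefox.exe,firefox.exe,3012
"""

def allowed_dirs(system_root=r"C:\Windows"):
    """Directories where a watched name is legitimate: %SystemRoot%, System32 and SysWOW64."""
    root = system_root.rstrip("\\").lower()
    return {root, root + r"\system32", root + r"\syswow64"}

def find_masquerading(wmic_csv, system_root=r"C:\Windows"):
    """Return (suspicious, unknown): watched names running outside the allowed
    directories, and watched names whose path wmic could not read (needs a manual look)."""
    allowed = allowed_dirs(system_root)
    suspicious, unknown = [], []
    # wmic prints a leading blank line and a 'Node' column; DictReader copes with both
    for row in csv.DictReader(io.StringIO(wmic_csv.strip())):
        name = (row.get("Name") or "").strip().lower()
        if name not in WATCHED_NAMES:
            continue
        pid = int(row["ProcessId"])
        path = (row.get("ExecutablePath") or "").strip()
        if not path:
            unknown.append((pid, name))
            continue
        directory = ntpath.dirname(ntpath.normpath(path)).lower()
        if directory not in allowed:
            suspicious.append((pid, name, path))
    return suspicious, unknown

if __name__ == "__main__":
    import sys
    # Usage: wmic process get Name,ExecutablePath,ProcessId /format:csv > procs.csv
    #        python check_paths.py procs.csv   (redirected wmic output is UTF-16: assumption)
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE
    bad, unsure = find_masquerading(text)
    for pid, name, path in bad:
        print(f"SUSPICIOUS pid {pid}: {name} running from {path}")
    for pid, name in unsure:
        print(f"CHECK MANUALLY pid {pid}: {name} (path not readable)")
```

A flagged path is a lead, not a verdict: confirm it with Process Explorer's parent and handle views before deleting anything.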

With these handy tools, you will most likely be able to detect and delete most viruses.
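For the case in item 7 where a virus has disabled Task Manager or Registry Editor, an added example that is not from the original post: it reads the output of `reg query` for the user policy key, reports which of the two lockout values is set, and prints the `reg delete` commands that remove them. The sample output is constructed; the key and value names are the standard Windows policy values, and the same values may also exist under HKLM.

```python
import re

# Values under this key that, when set to 1, make Windows refuse to open Task Manager
# and Registry Editor (standard Windows policy names, not taken from the post)
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
LOCKOUT_VALUES = {"DisableTaskMgr": "Task Manager", "DisableRegistryTools": "Registry Editor"}

# Constructed sample of 'reg query <POLICY_KEY>' output
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x0
    legalnoticecaption    REG_SZ    Notice
"""

# One value line of 'reg query' output: indented <name> <REG_TYPE> <data>
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S.*?)\s*$")

def disabled_tools(reg_query_output):
    """Return the lockout value names that are currently set to 1."""
    hits = []
    for line in reg_query_output.splitlines():
        m = VALUE_LINE.match(line)
        if not m:
            continue
        name, reg_type, data = m.groups()
        if name in LOCKOUT_VALUES and reg_type == "REG_DWORD" and int(data, 16) == 1:
            hits.append(name)
    return hits

def fix_commands(value_names):
    """'reg delete' lines that remove the lockout values from the user policy key."""
    return [f'reg delete "{POLICY_KEY}" /v {name} /f' for name in value_names]

if __name__ == "__main__":
    # Usage: reg query "<POLICY_KEY>" > policy.txt ; python unlock.py < policy.txt
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    hits = disabled_tools(text)
    for name in hits:
        print(f"{LOCKOUT_VALUES[name]} is disabled by {name}")
    for cmd in fix_commands(hits):
        print(cmd)
```

If the value reappears seconds after you delete it, the virus process is still running and re-applying it, which is exactly the tasklist / taskkill case the post describes.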
