General guide for removal of computer malware and spyware

Malware, also known as malicious software, is software designed to infiltrate or damage a computer system without the owner's informed consent. Malware includes computer viruses, worms, trojan horses, most rootkits, spyware, adware, and other malicious and unwanted software. It generally infects Microsoft's Windows operating system, while other operating systems such as Linux or Mac OS have been relatively safe from malware.

How do you get infected with spyware? Spyware gets onto a system by deceiving the user or by exploiting software vulnerabilities. Most spyware is installed without the user's knowledge. Since users tend not to install software they know will harm their computer, spyware deceives them, either by piggybacking on a piece of desirable software such as Kazaa, Limewire, BitTorrent, Yahoo Messenger or Yahoo Toolbar, or by tricking them into installing it. Some rogue anti-spyware programs masquerade as security software while being spyware themselves (e.g. WinAntivirus 2009, WinXP Antivirus, etc.).

Spyware can also come bundled with shareware or other downloadable software, attached to e-mails, or even on music CDs. The user downloads a program and installs it, and the installer additionally installs the spyware. Although the desirable software itself may do no harm, the bundled spyware does. In some cases, spyware authors have paid shareware authors to bundle spyware with their software.

Another way of distributing spyware involves tricking users by manipulating security features designed to prevent unwanted installations. Internet Explorer prevents websites from initiating an unwanted download. Instead, it requires a user action, such as clicking on a link. However, links can prove deceptive: for instance, a pop-up ad may look like a standard Windows dialog box. The box contains a message such as "Warning! Your computer is infected with harmful viruses. Would you like to remove them now?" with links that look like buttons reading Yes and No. No matter which "button" the user presses, a download starts, placing the spyware on the user's system. The right way to close this pop-up is to press Alt and F4 simultaneously. Earlier versions of Internet Explorer such as IE5 and IE6 are quite vulnerable to such attacks. A better alternative is to use the Mozilla Firefox browser, which is more secure and less vulnerable to unwanted spyware installation.

What does spyware do to your computer? Users of infected computers frequently notice unwanted behavior and degradation of system performance. A spyware infestation can create significant unwanted CPU activity, disk usage, and network traffic, all of which slow the computer down. Stability issues, such as application or system-wide crashes, are also common. Spyware that interferes with networking software commonly causes difficulty connecting to the Internet. A spyware program can also download harmful viruses and trojan horses to your computer. These viruses can lead to many undesirable effects, such as deleting all the user's files, corrupting the Windows installation and spreading to other computers on the local network.

Certain spyware can also collect your private and confidential information, such as passwords, credit card and bank account numbers. This is particularly dangerous if you often do online banking, shopping or similar transactions. Some spyware is also known to hijack your computer and use it as a proxy to distribute thousands of spam e-mails. Such a computer (or server) will eventually be banned by major ISPs and web-based e-mail providers (such as Gmail and Yahoo) because of those unsolicited e-mails.

General guide for removal of malware and spyware

1. Download Malwarebytes' Anti-Malware and scan your PC with it.

Malwarebytes' Anti-Malware is by far the best anti-malware application on the market today. It is fast and simple to use. The free version is powerful enough to detect and remove most known malware and spyware on your computer, while the paid version has extra features such as real-time protection, scheduled scanning, and scheduled updating.

First, get a copy of Malwarebytes from here.
Then install Malwarebytes on your computer, select the Update tab and click Check for Updates to download the latest database.
When the update is finished, click on the Scanner tab; you can opt to either perform a quick scan or a full system scan. Normally a quick scan is sufficient to detect most known malware. At the end of the scan, Malwarebytes will display all malware and spyware that have infected your system. Click to remove all infected items. You may be required to restart your computer to complete the removal process.

2. Use Sysinternals Autoruns and Process Explorer to remove malware.

These next steps involve modifying the Windows registry, so backing up the registry is highly recommended. You can also set up a restore point with System Restore.
To back up the registry, select Run and type 'regedit' (without the quotes). In the Registry Editor click File > Export. Choose All for the export range and type a simple name for the backup. Save it in your root directory (preferably C:\).

Autoruns and Process Explorer are part of a set of really useful Windows troubleshooting tools developed by Sysinternals (now acquired by Microsoft). To download both tools go to their website here.
Double-click the downloaded file to run Autoruns or Process Explorer. Autoruns lists all programs that automatically run every time the computer starts. To avoid deleting important Windows programs, click Options, select Hide Microsoft Entries and hit the refresh button.
A good, harmless program will usually display its publisher's name (e.g. Hewlett-Packard, Intel or Adobe), while most malware and spyware won't display any publisher information. While this is usually true, take care when deleting unknown entries, because there are still some valid programs (usually old programs) that don't display a publisher's name. Use your common sense and your familiarity with the programs installed on your computer. Delete the obvious spyware entries like WinAntivirus 2009, WinXP Antivirus, Ravmon.exe, wscript.exe and Xiao.vbs, and programs you think you never (voluntarily) installed on your PC. There are 16 tabs in Autoruns, but the 7 you need to analyze are Logon, Explorer, Internet Explorer, Scheduled Tasks, Services, Boot Execute and Image Hijacks.
Process Explorer is very much like the default Task Manager that comes with every Windows OS, except that it gives more detailed information about every active process on your Windows system. You can also see where a particular process originates from (its parent program) and how many system resources it is using. Again, if you don't see a Company Name in the process list, it is safe to assume that the process is a virus or malware, except for the regular Windows processes like DPCs, Interrupts, System and System Idle Process. If you are not sure what a particular process does, just Google the process name. Chances are somebody or some website will tell you what that process does and whether it's harmless or not. To delete a process, just right-click on it and select Delete. Certain types of virus that reside in memory cannot be deleted with Process Explorer or Task Manager. For those you'll need powerful antivirus software like McAfee, and you can only remove them by logging in to Safe Mode. Alternatively, you can boot your PC from any Linux live CD, find the suspected program and delete it there. Make sure you empty the trash before shutting down.
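The "no publisher name" heuristic described above for Autoruns can be scripted. The PowerShell below is an added example, not code from this post or from Sysinternals: it walks the standard Run, RunOnce and Policies\Explorer\Run keys under HKLM and HKCU, checks the Authenticode signature of each launched executable with Get-AuthenticodeSignature, and separately flags any entry that runs a script through wscript.exe or cscript.exe, because the signature check alone would pass an entry like wscript.exe xiao.vbs (the script host is signed by Microsoft even though the script it runs is not). The choice of keys, the column names and the script-host pattern are my own.

```powershell
# Added example, not from the original post or from Sysinternals.
# Lists autostart entries from the usual Run keys and flags the ones a
# defender would look at first: unsigned or missing targets, and script hosts.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-TargetPath {
    param([string]$Command)
    # Extract the executable from a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   wscript.exe xiao.vbs
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    $first = ($Command -split '\s+')[0]
    # A bare name like wscript.exe is resolved through PATH, as Windows would
    $resolved = Get-Command $first -ErrorAction SilentlyContinue
    if ($resolved -and $resolved.Source) { return $resolved.Source }
    return $first
}

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }        # provider metadata, not a registry value
        $cmdLine = [string]$props.$name
        $target  = Get-TargetPath $cmdLine
        $sig     = if ($target -and (Test-Path -LiteralPath $target)) {
                       Get-AuthenticodeSignature -FilePath $target
                   }

        # wscript.exe / cscript.exe carry a valid Microsoft signature, so the
        # signature says nothing about the .vbs or .js they are told to run
        $scriptHost = $cmdLine -match '\b[wc]script(\.exe)?\b'

        [pscustomobject]@{
            Key        = $key
            Name       = $name
            Command    = $cmdLine
            Publisher  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            SigStatus  = if ($sig) { [string]$sig.Status } else { 'FileMissing' }
            Suspicious = (-not $sig) -or ($sig.Status -ne 'Valid') -or $scriptHost
        }
    }
}

# Suspicious entries first; review them against the same common-sense rules as in Autoruns
$entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. A row marked Suspicious is a candidate for investigation, not an automatic delete: the same caveat as above applies, since old but legitimate programs are often unsigned.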

3. Use good antivirus software.

I have used and tried many major antivirus products in my line of work, and I have come to these personal conclusions about which antivirus really works and which are just a waste of money.
The best antivirus software out there is, without a doubt, McAfee antivirus. I've tried many brands of antivirus software and nothing detects and removes viruses as effectively as McAfee does. Although its price is a little higher than other antivirus software, it's worth every penny, trust me. I've been using primarily McAfee antivirus to remove viruses from all of my clients' PCs for the past 2 years, and I can confirm that at least 95% of known viruses are detected and can be removed with McAfee antivirus.

Coming in second are Panda Antivirus, Avira AntiVir and AVG Free 8. Panda Antivirus is almost as good as McAfee, but it can use up quite a lot of system resources. Avira AntiVir and AVG Free 8 both come with a free version that still offers highly effective virus scanning and removal capabilities (although not as good as McAfee). If you lack the budget to buy McAfee antivirus, then I would recommend that you install either Avira AntiVir or AVG Free 8. Personally, I prefer AVG Free 8 because I can install it on as many PCs as I like, while Avira requires me to register every single download before I can use it, which proves to be a hassle.
When installing AVG Free 8, remember NOT to install the AVG Security Toolbar. It will just slow down your browser.
You might also want to disable the LinkScanner component of your AVG antivirus. This little feature scans all outgoing links on every website you visit, substantially slowing down your browsing. I don't know why they think it's necessary to scan every single hyperlink. That's just paranoid, man.

Now here are the generally expensive but totally useless antivirus products: Symantec's Norton Antivirus, Kaspersky Antivirus and TrendMicro antivirus. Symantec unfortunately comes preinstalled by many major PC vendors (such as HP and Dell) but is usually ineffective in curbing and preventing virus infections. Kaspersky antivirus, while cheaper than most major antivirus products, is also not so effective in detecting and removing viruses. TrendMicro is, from my experience, the crappiest and most useless antivirus software you can buy. Not only does it miss a lot of new and old viruses, but when it does detect them, most of the time it cannot do anything with them except quarantine them. So naturally, PCs with TrendMicro antivirus installed are the most virus-ridden ones. You might as well save your money and use AVG or AntiVir rather than throw it away on TrendMicro.

Apart from the useless TrendMicro, many popular antivirus products don't support older Windows versions like Windows ME, 98 or 95. This is where Clam AntiVirus comes to the rescue. This open-source, community-driven antivirus software doesn't offer real-time protection, but it's at least as good as AVG and AntiVir, and what's more, it's free.

4. Removal of specific spyware/viruses.

Certain spyware or viruses may from time to time escape detection by Malwarebytes or McAfee antivirus. Getting rid of this malware requires specific actions, like deleting particular registry entries or removing the files from a non-Windows operating system (such as Linux).

Removing the xiao.vbs virus.

Xiao.vbs is a worm that replicates and distributes itself to other PCs and servers through the local network and the Internet. Lately xiao.vbs has infiltrated and infected many computers on a network, especially those with weak antivirus software. Computers infected with xiao.vbs usually become really, really slow. Malwarebytes will detect and remove this virus, but your Windows system will not be completely clean until you delete its registry entries.
To do that, open the Registry Editor by typing 'regedit' in Run. Click Edit > Find, type xiao.vbs in the dialog box and click Find Next.
The full registry entry for xiao.vbs is wscript.exe xiao.vbs. Right-click on it and select Delete. Click Find Next (or press F3) to find and delete the remaining entries until you have searched the whole registry.
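The manual Regedit procedure above (back up, Edit > Find, delete, F3) can be done in one scripted pass for the autostart keys the worm uses. The PowerShell script below is an added example, not code from this post: for each of the Run, RunOnce and Policies\Explorer\Run keys under HKLM and HKCU it first exports the key with reg.exe (the scripted equivalent of File > Export), then removes every value whose name or data mentions xiao.vbs. Unlike Regedit's Find it does not crawl the entire registry, only these autostart keys; the backup folder, the -DryRun switch and the match pattern are my own choices.

```powershell
# Added example, not part of the original post. Save as Remove-XiaoRunEntry.ps1
# and run from an elevated PowerShell prompt. Use -DryRun first to see what
# would be removed without changing anything.
param(
    [string]$BackupDir = 'C:\regbackup',   # assumed location for the .reg backups
    [string]$Pattern   = 'xiao\.vbs',      # regex matched against value name and data
    [switch]$DryRun
)

# Autostart keys where the post and the comments below locate the entry
$targets = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

foreach ($key in $targets) {
    if (-not (Test-Path $key)) { continue }

    # 1. Back up the key before touching it (same as File > Export in Regedit).
    #    reg.exe wants HKLM\... rather than the PowerShell drive form HKLM:\...
    $regPath = $key -replace '^HKLM:', 'HKLM' -replace '^HKCU:', 'HKCU'
    $file    = Join-Path $BackupDir (($regPath -replace '[\\:]', '_') + "-$stamp.reg")
    & reg.exe export $regPath $file /y | Out-Null

    # 2. Inspect every value under the key
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # provider metadata, not a registry value
        $data = [string]$props.$name
        if (($name -notmatch $Pattern) -and ($data -notmatch $Pattern)) { continue }

        Write-Host "Match: $key\$name = $data"
        if ($DryRun) { continue }

        # 3. Remove the value; the exported .reg file restores it if needed
        Remove-ItemProperty -Path $key -Name $name
        Write-Host "  removed (backup in $file)"
    }
}
```

If a value still cannot be removed from a normal session, the same script can be run from Safe Mode, as suggested in the comments below; the .reg file written in step 1 can be re-imported with reg.exe import or by double-clicking it if something legitimate was removed by mistake.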

Bleepingcomputer.com is a great free web-based community and discussion forum offering general and specific malware and virus troubleshooting guides, computer help, and answers to security and technical questions. In fact, I was introduced to Malwarebytes and Autoruns by searching this website's forum. Feel free to browse the site for guides on removing most known malware.

4 comments:

  1. Yeah I spent the entire weekend writing that.

  2. After I run the regedit command, I can't seem to delete the xiao.vbs file.. They said the value is not set and I'm unable to delete it.. =(

  3. Dear 상진현,

    Run Regedit again and try removing xiao.vbs in these entries:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\xiao.vbs

    or/and

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

    If still not successful, try doing that in safe mode by pressing F8 after the BIOS screen, good luck!
