PinoySoft
 How to remove a Trojan, Virus, Worm, or other Malware

Posted by danz on Thu Feb 19, 2009 8:07 pm

ARE YOUR COMPUTERS HAVING PROBLEMS W/ THESE THINGS?

Dialers, Trojans, Viruses, and Worms Oh My!

If you use a computer, read the newspaper, or watch the news, you will know about computer viruses or other malware. These are malicious programs that, once they infect your machine, start causing havoc on your computer. What many people do not know is that there are many different types of infections that fall under the general category of malware.

Malware - Programming or files that are developed for the purpose of doing harm. Thus, malware includes computer viruses, worms, Trojan horses, spyware, hijackers, and certain types of adware.

This article will focus on malware that is considered a virus, trojan, or worm, though this information can be used to remove the other types of malware as well. We will not go into specific details about any one particular infection, but rather provide a broad overview of how these infections can be removed. For the most part these instructions should allow you to remove a good deal of infections, but there are some that need special steps to be removed, and these won't be covered in this tutorial.

Before we continue it is important to understand the generic malware terms that you will be reading about.

Adware - A program that generates popups on your computer or displays advertisements. It is important to note that not all adware programs are necessarily considered malware. There are many legitimate programs that are given away for free and display ads in order to generate revenue. As long as this information is provided up front, they are generally not considered malware.

Backdoor - A program that allows a remote user to execute commands and tasks on your computer without your permission. These types of programs are typically used to launch attacks on other computers, distribute copyrighted software or media, or hack other computers.

Dialler - A program that typically dials a premium rate number that has per-minute charges over and above the typical call charge. These calls are made with the intent of gaining access to pornographic material.

Hijackers - A program that attempts to hijack certain Internet functions, such as redirecting your start page to the hijacker's own start page, redirecting search queries to an undesired search engine, or replacing search results from popular search engines with its own information.

Spyware - A program that monitors your activity or information on your computer and sends that information to a remote computer without your knowledge.

Trojan - A program that has been designed to appear innocent but has been intentionally designed to cause some malicious activity or to provide a backdoor to your system.

Virus - A program that, when run, has the ability to self-replicate by infecting other programs and files on your computer. These programs can have many effects, ranging from wiping your hard drive, to displaying a joke in a small box, to doing nothing at all except replicating themselves. These types of infections tend to be localized to your computer and do not have the ability to spread to another computer on their own. The word virus has incorrectly become a general term that encompasses trojans, worms, and viruses.

Worm - A program that, when run, has the ability to spread to other computers on its own, using either mass-mailing techniques to email addresses found on your computer or the Internet to infect a remote computer through known security holes.





How these infections start

Just like any program, in order for the program to work, it must be started. Malware programs are no different in this respect and must be started in some fashion in order to do what they were designed to do. For the most part these infections run by creating a configuration entry in the Windows Registry in order to make these programs start when your computer starts.

Unfortunately, though, in the Windows operating system there are many different ways to make a program start, which can make such entries difficult for the average computer user to find manually. Luckily for us, though, there are programs that allow us to cut through this confusion and see the various programs that are automatically starting when Windows boots. The program we recommend for this, because it's free and detailed, is Autoruns from Sysinternals.

When you run this program it will list all the various programs that start when your computer is booted into Windows. For the most part, the majority of these programs are safe and should be left alone unless you know what you are doing or know you do not need them to run at startup.

At this point, you should download Autoruns and try it out. Just run Autoruns.exe and look at all the programs that start automatically. Don't uncheck or delete anything at this point. Just examine the information to get an overview of the number of programs that are starting automatically. When you feel comfortable with what you are seeing, move on to the next section.

How to remove these infections

We have finally arrived at the section you came here for. You are most likely reading this tutorial because you are infected with some sort of malware and want to remove it. With this knowledge that you are infected, it is also assumed that you examined the programs running on your computer and found one that does not look right. You did further research by checking that program against our Startup Database or by searching in Google and have learned that it is an infection and you now want to remove it.

If you have identified the particular program that is part of the malware, and you want to remove it, please follow these steps.

1. Download and extract the Autoruns program by Sysinternals to C:\Autoruns

2. Reboot into Safe Mode so that the malware is not started when you are doing these steps. Many malware programs monitor the keys that allow them to start and, if they notice they have been removed, will automatically replace that startup key. For this reason, booting into Safe Mode allows us to get past that defense in most cases.

3. Navigate to the C:\Autoruns folder you created in Step 1 and double-click on autoruns.exe.

4. When the program starts, click on the Options menu and enable the following options by clicking on them. This will place a checkmark next to each of these options.
   Include empty locations
   Verify Code Signatures
   Hide Signed Microsoft Entries

5. Then press the F5 key on your keyboard to refresh the startups list using these new settings.

6. The program shows information about your startup entries in 8 different tabs. For the most part, the filename you are looking for will be found under the Logon or the Services tabs, but you should check all the other tabs to make sure it is not loading elsewhere as well. Click on each tab and look through the list for the filename that you want to remove. The filename will be found under the Image Path column. There may be more than one entry associated with the same file, as it is common for malware to create multiple startup entries. It is important to note that many malware programs disguise themselves by using the same filenames as valid Microsoft files. It is therefore important to know exactly which file, and the folder it is in, that you want to remove. You can check our Startup Database for that information or ask for help in our computer help forums.

7. Once you find the entry that is associated with the malware, you want to delete that entry so it will not start again on the next reboot. To do that, right-click on the entry and select Delete. This startup entry will now be removed from the Registry.

8. Now that we have made sure it will not start on boot up, you should delete the file using My Computer or Windows Explorer. If you cannot see the file, it may be hidden. To allow you to see hidden files, you can follow the steps for your operating system found in this tutorial: How to see hidden files in Windows

9. When you are finished removing the malware entries from the Registry and deleting the files, reboot into normal mode, as you will now be clean from the infection.

Conclusion

Now that you know how to remove generic malware from your computer, it should help you stay relatively clean from infection. Unfortunately, there is a lot of malware that is very difficult to remove, and these steps will not help you with those particular infections. In situations like that, where you need extra help, do not hesitate to ask for help in our computer help forums. We also have a self-help section that contains detailed fixes for some of the more common infections that may be able to help. This self-help section can be found here:

Spyware & Malware Self-Help and Reading Room

----
Lawrence Abrams
Bleeping Computer Spyware & Malware Removal Series
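
The check described in step 6 above (a startup entry that reuses a valid Microsoft filename from a different folder, and several startup entries pointing at one file), written out as an added example that is not part of the original post or of Autoruns. The sample rows are constructed, and the column names and the "(Verified)" prefix are assumptions about how the startup list was exported; adjust them to match your own data.

```python
import csv
import io
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample rows, not from a real machine. Column names are assumed.
SAMPLE_CSV = r"""Entry Location,Entry,Image Path,Signer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SoundMan,C:\Program Files\ExampleAudio\soundman.exe,(Verified) Example Audio Corp
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchost,C:\Users\demo\AppData\Roaming\svchost.exe,(Not verified)
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Updater,c:\users\demo\appdata\roaming\SVCHOST.EXE,(Not verified)
HKLM\System\CurrentControlSet\Services,ExampleSvc,C:\Windows\System32\svchost.exe,(Verified) Microsoft Windows
"""

# Folder where each well-known Windows file normally lives (lower case).
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def triage(csv_text):
    """Group startup entries by file; return {image_path: report} for suspicious files."""
    by_file = defaultdict(lambda: {"entries": [], "reasons": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Windows paths are case-insensitive, so compare them in lower case.
        path = PureWindowsPath(row["Image Path"].strip().lower())
        info = by_file[str(path)]
        info["entries"].append((row["Entry Location"], row["Entry"]))
        expected = EXPECTED_DIR.get(path.name)
        if expected and str(path.parent) != expected:
            info["reasons"].add("Windows filename in unexpected folder")
        if not row["Signer"].startswith("(Verified)"):
            info["reasons"].add("signature not verified")
    return {
        path: {"entries": info["entries"], "reasons": sorted(info["reasons"])}
        for path, info in by_file.items() if info["reasons"]
    }

if __name__ == "__main__":
    for path, info in triage(SAMPLE_CSV).items():
        print(path, "->", ", ".join(info["reasons"]))
        for location, name in info["entries"]:
            print("   startup entry:", name, "in", location)
```

Every startup entry listed for a flagged file has to be deleted in step 7, otherwise the remaining entry will start the file again on the next boot.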