[TUT] How to tell if you're infected, and what to do

[N3w_2_H@Ck1n™]

I posted this tutorial originally for HF, but I figured it could help people here as well.

Hello, my name is Michael and I'm a member of the HJT team, as well as HackForums Staff. Today in this tutorial I'll be showing you how to find and remove an infection, among other things.

NOTE: All example directories used in this tutorial are from Windows 7, so if you have an earlier version of Windows you may have a different file path to the ones used in this tutorial. In this event, please use www.google.com to find the file path for your Operating System.

Table of Contents~

• How to check yourself for common infections.
  
• What safety cautions to take if an infection is found.
  
• What do I do if I think I'm infected?
  
• What NOT to do.
  
• Some important things you should know about computer security.
  
• My recommendations on security software.
  
• Conclusion.
  

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

How to Check Yourself For Common Infections

A)
Understanding the infection

The first thing you must understand is how viruses, trojans, adware, worms, etc. work. Generally, when you run a infected file, the first thing it will tend to do is create and drop other infected files in locations, such as:

• Temp folder: C:\Users\%USERPROFILE%\AppData\Local\Temp
  
• Windows folder: C:\Windows
  
• Drivers folder: C:\Windows\System32\Drivers
  

And more, these are just common directories but they can be custom (like for example, a Cybergate RAT infection may drop a file in the C:\Windows\System32\Adobe folder, as RAT's and other infections can drop files in custom directories).

This does NOT mean however that you should go deleting everything in those folders, no never EVER EVERRR delete files unless you're SURE they are malicious. Deleting a windows system file could and will likely result in a computer that doesn't even boot up or work properly.


Next, the infected file will attempt to execute the new file(s) it has dropped, these files generally create registry keys. Understanding the registry is a must when it comes to knowing how computers and infections work.

For instance, if a file wants to be ran for all users when your computer starts, it will create a registry key in the following registry directory:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

This means when any user starts the computer up and logs in, any file listed in this registry directory will be ran. However, in this registry (it looks similar but make note of the first folder it's in):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

All files here only execute on startup for the currently signed in user, not any other users on the computer. So when checking your startup files, don't forget to check BOTH registries. Here's what the registry looks like:



To get to the registry editor/explorer, please do the following:

Press the Windows key (next to the left alt) + R to bring up Run > type in "regedit" and hit enter.

NOTE: Again, please for the love of God don't go deleting registry keys unless you're absolutely certain without a shadow of a doubt that it's connected to a malicious file. Deleting legit and protected registry keys can result in having to re-install your operating system. Please always make backups before working in regedit, to make a backup follow these steps:

To make a backup of the registry:

• In regedit, click 'File' > 'Export'.
  
• Navigate to a suitable folder, MAKE sure 'All' is checked down the bottom left.
  
• Name it 'backup of registry.reg' and hit Save.
  

Lastly, files can do other things like inject themselves in to legit processes (which must run all the time) such as explorer.exe; or access your keyboard/disable your antivirus/alter your hosts file etc.

But we don't have time to get in to that. I just want to help you understand that infections usually spread, create registry keys, alter your system etc. and require a lot more than simply deleting one file. It's rare that an infection consists of just one file.

=========================================================
B)
So what signs should I look for?

If experiencing any of the following symptoms, you should assume you're infected:

• You cannot access specific websites, like antivirus websites, paypal, gaming sites etc.
  
• Antivirus is disabled, but not by you; or keeps warning you of attacks/infection.
  
• You're getting weird popups like "Server.exe has stopped working, press end to end the program".
  
• Fake antivirus scans keep popping up saying you're infected, prompting you to buy anti-virus software.
  
• Your online accounts are compromised/hacked.
  
• Your webcam turns on by itself, your mouse clicks by itself etc.
  
• Porn/advertisement websites pop up by themselves.
  
• You're seeing weird files pop up everywhere.
  
• Control panel, task manager, command prompt or regedit are disabled, and not by you.
  
• Your home page changes and you can't change it back.
  

If you notice any of these, or anything else suspicious, it may be cause for alarm.


----------------------------------------------------------------------------------------------------------------------------------------------------------------------

What safety cautions to take if an infection is found

If you believe you have an infection, I'm afraid I have bad news.

Your personal information, details, passwords and banking credentials may be at risk.

I recommend that you disconnect this PC from the Internet immediately, and only reconnect to download any tools that are required. If you do any banking or other financial transactions on the PC or it if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation as soon as possible.


If you do not have access to a known clean computer, you will still need to change your passwords, and all other sensitive information, but only once your system is deemed clean.



----------------------------------------------------------------------------------------------------------------------------------------------------------------------

What do I do if I think I'm infected?

First of all, if you have an antivirus, make sure it's up-to-date and then run a full system scan. Remove anything it finds. Next you could run these scans and remove anything they find:

MalwareBytes Anti-Malware (Click to View)

Please download Malwarebytes' AntiMalware.

Double click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select Perform Quick Scan, then click Scan.
  The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to restart. Restart if it tells you to.

SuperAntiSpyware (Click to View)

Download SuperAntiSpyware

• Load SuperAntiSpyware and click the Check for updates button.
  
• Once the update is finished click the Scan your computer button.
  
• Check Perform Complete Scan and then next.
  
• SuperAntiSpyware will now scan your computer and when its finished it will list all the infections it has found.
  
• Make sure that they all have a check next to them and press next.
  
• Click finish and you will be taken back to the main interface.
  

ESET Online Security Scanner (Click to View)

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.

• Tick the box next to Yes, I accept the Terms of Use.
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan
  Wait for the scan to finish. Remove anything it finds.

Combofix (DO NOT use this unless you have no choice and are at least moderately educated with computers) (Click to View)

Please download Combofix from one of the following locations:

LINK 1
LINK 2

**IMPORTANT! Save Combofix to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link --> http://www.hackforums.net/showthread.php?tid=198032
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If you used Combofix, please follow these instructions to remove it as it's a dangerous tool in the hands of a novice (Click to View)

• Click START then RUN
  
• Now type Combofix /u in the runbox and click OK

If running these don't completely solve your issues, the infection is either FUD (Fully UnDetectable) or too deep for your level of skill; in this case you should let a more experienced user have a look.

To do so, please follow the instructions given in this thread, and a qualified HJT helper will be on their way to provide assistance.


----------------------------------------------------------------------------------------------------------------------------------------------------------------------

What NOT to do

This applies to anybody who has no experience removing viruses. Even if you're well versed in computing, you should be careful. It's always better safe than sorry.

First of all, DO NOT delete files, folders, registry keys, anything; until you're positive what you're deleting is malicious. How do you do that? Well here's some easy things to try:

• Search the file's name here, here, here, or here.
  
• If it's a process, search it here: http://www.processlibrary.com/directory/?files=
  
• Google it: www.google.com
  
• Upload the file to www.virustotal.com, www.threatexpert.com, or http://anubis.iseclab.org/?action=home
  
• Use a Virtual Machine to run the file in it and check out what it does
  

Secondly, if any pop ups come up saying you're infected and asking you to buy software to remove the infection, IGNORE THEM and DO NOT buy it. It's completely FAKE.

Instead, you likely have a Smitfraud infection so follow the steps in the spoiler.

Smitfraud fix instructions (Click to View)

You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Please reboot your computer in Safe Mode by doing the following:

• Restart your computer
  
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  
• Instead of Windows loading as normal, a menu with options should appear;
  
• Select the first option, to run Windows in Safe Mode, then press "Enter".
  
• Choose your usual account.
  

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".


The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart anyway into normal Windows. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply along with a new HijackThis log.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning If your desktop background is removed, it means you weren't infected. Simply put it back..

Now, lastly, you're probably going to be on the lookout for tools/antiviruses that will help you remove the infection. But the reality is most of these tools are designed for experts and shouldn't be messed around with; because you'll probably end up having to re-install your operating system. Also, there's always the chance it's fake and actually infects you.

It's best you use the scans/tools I provided earlier on. Or seek help from an expert.


----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Some important things you should know about computer security

Here's some facts I think you should know:

• Most infections do not damage your computer, rather they use it to advertise/steal information/attack websites/spread the infection.
  
• A trojan is a file that attempts to appear like a legit Windows Process, but really is malicious.
  
• A rootkit/RAT/infostealer/keylogger are all spyware which are capable of capturing screenshots, webcam, keystrokes, saved passwords and gain access to files.
  
• Infections can use your hosts file, and DNS name servers to make it so visiting certain sites redirects you elsewhere (like from google to a bad site).
  
• Never fix a winsock line in HJT, as it can damage your internet connection.
  
• Only O2, O3, and O9 lines in HJT are definitely missing when it says (file missing), the rest can glitch.
  
• Deleting a registry key will NOT delete the file it's associated with.
  
• Capitalisation in file names or directories makes no difference in Windows.
  
• If an infection is FUD, scanning will make no difference. Only analysing the computer can help you now.
  
• More than one antivirus/firewall causes conflictions and can do more harm than good. Stick to just one.
  

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

My recommendations on security software

For good protection, I would advise you have each of the following:

1. Antivirus
2. Firewall
3. Antimalware
4. Antispyware

One of each will be a good amount without the risk of conflicts, as two or more AV's can conflict and do more harm than good. The following products I would advise to ANYBODY, but please use no more than one AV and firewall at a time:

Antiviruses:

• NOD32 (this one is free to try for 30 days but costs $40 US to buy).
  
• Avast! Home Edition (free).
  
• Avira Antivir (free).
  
• AVG Free (free).
  

Firewalls:

• Tallemu Online Armor (also free for 30 days but costs money for full version).
  
• Comodo (free).
  
• Zone Alarm (free).
  

Anti-malware programs (for scans only, no real-time protection):

• MalwareBytes AntiMalware.
  
• That's really only the best one but you can use online scans like ESET and Kaspersky.
  

Anti-Spyware programs:

• SuperAntiSpyware.
  
• Spybot Search & Destroy.
  

Other:

• Ad-aware (free anti-adware).
  
• Winpatrol (free program that monitors suspicious changes to your critial system resources, recommended by me)..
  
• CCleaner (run this often to clean your registry and other temporary files etc. Is free.).
  
• KeyScrambler (ultimate protection against keyloggers, costs money).
  

But remember, your best defense is simply being careful.



----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Conclusion

So in the end, the bottom line is unless you've had months of training, it's highly recommended you only use scans and the such to remove malware. Because any manual tools are almost always very dangerous for novices.

Also, remember, just deleting one file or registry key won't remove an infection.

Hopefully this guide will help you figure out if you're infected or not, and provide you with some useful scans/security software to use mile: if scans don't remove it, HJT helpers will for free!

NOTE: This guide was written completely by me, I didn't even research anything prior too or during type-up of the tutorial; everything is from my head lol. You may post this on other sites as long as you give me credit. You cannot respost this on HF; just link to it if you must.

Credits to: N3w_2_H@Ck1n™ from www.hackforums.net

Lastly, if anybody has something I should add, or I got anything wrong, please post about it in this thread

-Michael

[Sickshot]

Another way to determine if you're infected is through a network/packet analyzer such as CommView.

Check and see if certain processes are sending/receiving excess amounts of packets.
Check if a process is using an odd or unneeded port to connect to something.
Check if any processes that don't normally connect to the internet are actually doing just that.

[Eve]

Thanks for this, and happy belated birthday.

[【 ¶ÑÇƦ€Ƿ¦ßŁΞ 】]

Thanks for posting such a helpful tutorial , its really helpful when it comes to getting RID infection. appreciated

[Brandon]

Very detailed tutorial, thanks. This should answer a lot of questions to a lot of people.

This should be stickied, in my opinion. Anyone?

[virus_in_town]

Thats great tutorial for everyone ! I personally think readers can try different software (AV , Firewalls,Anti-spyware etc) according to their choice but if one follows this tutorial he/she will be almost secure. Cheers mate

[Zurmi]

Wow, a great amount of information here. Yet, it's all easy to read.

Well done!

Regards,
Zurmi

[abel305]

That alot of good information thanks for taking the time to ride this and post it.

[Resistance]

Wow, extremely well thought out tutorial you have there hacking!!! I really think it would help Comp newbies to figure out what the hecks happened to their computer if they feel something is wrong.

---

time to ?ride? this and post it.

I just have to correct you this one time, what are we riding? A roller coaster? Lol, it's write. lol made my day!!!

[Bok1ca]

Thanks for this mate. Very helpful.