gregmcc
Honorary Master
Thought I'd just put together a few points which might be able to help someone out.
With new malware being released all the time it's quite possible your machine could become infected with a new piece of malware that your AV program does not detect.
Below are a few steps and tools I have used over the years to help identify the malware:
1) First make sure your AV program is up to date - reboot into safe mode and run a full scan. Some malware is smart enough to hide itself when running in normal mode, or if the malware is in use your AV program will not be able to remove it. In safe mode hopefully the malware will not be running - this is not always the case. I've seen lots of malware which hooks into safe mode.
2) Use Autoruns “This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor,
shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them.”
http://www.microsoft.com/technet/sysinternals/systeminformation/autoruns.mspx
This is helpful in identifying the actual application that is causing the problem. If you know your way around the PC you will more than likely be able to spot suspect programs fairly easily. You can also delete the entries from Autoruns, thereby stopping the malware from running. Again, this is also not always true - some malware monitors what you do - if you delete an entry, it just adds it back.
3) If you find the suspect application, upload it to VirusTotal (http://www.virustotal.com/). This is a free virus and malware scanner - they run your sample through 20 or so different scanners and let you know the results. This is useful in that if other scanners identify the malware it will bring you a step closer to knowing how to remove it - visit the appropriate vendor's site and see if they have steps you can follow to remove the malware.
If it's new malware, VirusTotal will share the sample with other vendors, helping to bring out pattern files much faster.
4) If you suspect you have a rootkit, try MS's free RootkitRevealer (http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx) or McAfee's free Rootkit Detective (http://vil.nai.com/VIL/STINGER/RKSTINGER.ASPX).
5) Try the latest version of Ad-Aware or Spybot - these are both great programs which could detect the malware.
6) If none of the above helps - try Filemon (http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx) and Regmon (http://www.microsoft.com/technet/sysinternals/processesandthreads/regmon.mspx).
These let you monitor the registry and file access in real time - if the malware is active, chances are good you will see it here.
This is by no means a complete list of tricks or tools - but so far it's helped me catch and submit a lot of new samples.
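The Autoruns and VirusTotal steps above (2 and 3) are the ones that lend themselves to a script. The following is an added example written for this page; it is not part of gregmcc's post and not code from Sysinternals or VirusTotal. It reads an Autoruns CSV export, applies the checks an experienced eye applies when skimming the startup list (no verified signature, image in a user-writable directory, a Windows system binary name living outside the Windows directory, a dangling entry whose file is gone) and computes the SHA-256 of a sample so you can search VirusTotal by hash before uploading anything. The column names and sample rows are constructed for this example and are an assumption about the layout of an `autorunsc.exe -c` export; on a real machine, replace SAMPLE_CSV with the contents of the exported file.

```python
import csv
import hashlib
import io
import ntpath

# Constructed sample in the column layout this example ASSUMES for an
# "autorunsc.exe -c" export. Not copied from a real machine.
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,svchost,enabled,Logon,,(Not verified),,c:\users\bob\appdata\local\temp\svchost.exe,C:\Users\bob\AppData\Local\Temp\svchost.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OldUpdater,enabled,Logon,,,,File not found: C:\Program Files\Old\updater.exe,C:\Program Files\Old\updater.exe
HKLM\System\CurrentControlSet\Services,DriverHelper,enabled,Drivers,Acme helper,(Not verified) Acme Ltd,Acme Ltd,c:\windows\system32\drivers\acmehlp.sys,system32\drivers\acmehlp.sys
"""

# Directories a legitimately installed, persistent program rarely runs from.
USER_WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\downloads\\",
                      "\\users\\public\\", "\\programdata\\")
# Names of well-known Windows binaries; the genuine ones live under \Windows.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "explorer.exe", "rundll32.exe"}


def score_entry(row):
    """Return the reasons one autorun row deserves a closer look (empty list = nothing odd)."""
    reasons = []
    path = row.get("Image Path", "").strip().lower()
    signer = row.get("Signer", "").strip()
    if path.startswith("file not found"):
        # Dangling entry: the file is gone but the startup entry is still there.
        reasons.append("image file missing (dangling entry; leftover or partially removed malware)")
        return reasons
    if not signer.startswith("(Verified)"):
        reasons.append("no verified Authenticode signature")
    if any(d in path for d in USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable directory")
    name = ntpath.basename(path)
    if name in SYSTEM_BINARY_NAMES and "\\windows\\" not in path:
        reasons.append(f"{name} masquerades as a Windows binary outside the Windows directory")
    return reasons


def triage_autoruns(csv_text):
    """Parse an Autoruns CSV export and return the suspicious entries, most suspicious first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = score_entry(row)
        if reasons:
            findings.append({"entry": row["Entry"], "location": row["Entry Location"],
                             "path": row["Image Path"], "reasons": reasons})
    # Stable sort keeps the export order among entries with the same number of reasons.
    findings.sort(key=lambda f: len(f["reasons"]), reverse=True)
    return findings


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a sample's bytes; VirusTotal indexes its reports by this hash."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path):
    """SHA-256 of a file on disk, read in chunks so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for finding in triage_autoruns(SAMPLE_CSV):
        print(f"{finding['entry']:<14} {finding['location']}")
        print(f"{'':<14} {finding['path']}")
        for reason in finding["reasons"]:
            print(f"{'':<14} - {reason}")
    # Search VirusTotal for the hash first: a hash search reveals nothing, while an
    # upload makes the file itself available to other VirusTotal users.
    print("lookup hash:", sha256_hex(b"constructed sample bytes, not a real file"))
```

Run it as-is to see the constructed rows ranked, or call `hash_file()` on the image path of a flagged entry and search VirusTotal for the hash before deciding whether to upload the file. The signer and directory heuristics only reorder the list; a verified signature or a path under \Windows is not proof that an entry is clean, so the final call is still the manual review the post describes.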