
Be your own antivirus

Life with the computer goes on as usual, but at some point the machine reboots and a message appears on the desktop: "You have viruses, download an antivirus here". Some people download and install it, some reinstall Windows, some are lucky and their antivirus catches the infection... I will try to explain how to solve the problem yourself, and why that is worth doing.


Let me start with why. The selfish motivation: to learn something new and interesting, to become smarter, and so on. The altruistic motivation: to help the hundreds and thousands of people in the same situation. How exactly is explained below.

To catch an infection on a computer we need... The most important thing is not to be afraid; everything here is doable. You also need a head on your shoulders and basic computer literacy. The third major component is Internet access. It may be from another machine or from a LiveCD, but you will need it. Ready? Let's get started!
The first step: update the database of the antivirus you already have, boot into safe mode and scan the computer from there, even with the network disconnected. If you cannot do the first two, scan anyway. If the infection is found and removed and the problem goes away, you are lucky. For scanning I recommend CureIt (get it here: www.freedrweb.com/cureit/?lng=ru ). It is a full-fledged antivirus engine and database, tuned for working on an infected system under enemy "electronic warfare" conditions :-) That is, with trojans and other rubbish actively fighting the antivirus.
The antivirus did not help? It happens: no product guarantees 100% protection, and catching an unknown virus is even harder. So we will have to do it by hand...
Apart from rare cases, a virus or trojan exists as a file, so catching an infection means catching a file. That sounds simple, but a modern computer can hold several hundred thousand files. So we need a good tool for working with files. I recommend FAR (get it here: www.farmanager.com ). The built-in system tools are not suitable: if the virus fights back, you will not see the file you are looking for in them.

Problems with flash drives
If, when a flash drive is connected to your computer, stray files start appearing on it, or drives stop opening on double-click, a worm from the Win32.HLLW.Autoruner family is likely. What to do? Start FAR, go to the root of every drive and look for an autorun.inf file there. If you find it, open it in any text editor (F3 in FAR) and look inside. Typical contents:
[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\Auto\command=setup.exe

That is, the setup.exe program runs when you connect the drive and when you try to open it. First of all, disable autorun for drives (described here: www.izcity.com/faq/winxp/question1517.html ); the group-policy method seems more correct to me. Disabling autorun is an excellent way to prevent such infections. What to do with the files you find is covered a little lower, but the important thing is not autorun.inf itself but what is written in it. After disabling autorun and rebooting, delete both autorun.inf and the files it references. This is very likely to help.
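The step above is easy to do by eye for one file, but a worm that spreads by autorun.inf tends to leave copies on every removable drive and to vary spelling and spacing of the keys. The following Python script is an added example, not code from the post: it parses an autorun.inf the way the post reads it, lists the programs the file would launch (the open, shellexecute and shell\<verb>\command entries), and ignores entries such as icon and label that launch nothing. The sample contents and the drive-root helper are constructed for illustration.

```python
import os
import re
from typing import Dict, List

# [AutoRun] keys whose value is a program or command that Windows, with
# autorun enabled, would run when the drive is inserted or opened.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command entries (e.g. shell\Auto\command) also launch a program.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return {key: value} for the [AutoRun] section, keys lowercased and
    whitespace around backslashes removed, so variants in spelling and
    spacing compare equal."""
    entries: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()   # tolerate a UTF-8 BOM and CRLF
        if not line or line.startswith(";"):  # blank lines and INI comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s*\\\s*", r"\\", key.strip().lower())
        entries[key] = value.strip().strip('"')
    return entries


def launched_programs(text: str) -> List[str]:
    """Programs this autorun.inf would execute: the files to inspect and,
    after autorun is disabled, to delete along with autorun.inf itself."""
    found: List[str] = []
    for key, value in parse_autorun(text).items():
        if not value:
            continue
        if key in LAUNCH_KEYS or SHELL_COMMAND_RE.match(key):
            program = value.split()[0]  # drop command-line arguments
            if program not in found:
                found.append(program)
    return found


def check_drive_root(root: str) -> List[str]:
    """Look for autorun.inf in a drive root (e.g. "E:\\") and report what it launches."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return launched_programs(f.read())


# Constructed sample: the contents quoted in the post above.
SAMPLE_AUTORUN = r"""[AutoRun]
OPEN=setup.exe
shellexecute=setup.exe
shell\Auto\command=setup.exe
"""

# Constructed sample of a variant with looser spacing and arguments.
SPACED_AUTORUN = r"""; constructed example
[autorun]
Open = loader.exe /silent
shell \ open \ Command = loader.exe
icon = loader.exe,0
"""

# Constructed sample of a harmless autorun.inf that only sets an icon and label.
BENIGN_AUTORUN = r"""[AutoRun]
icon=drive.ico
label=My USB stick
"""

if __name__ == "__main__":
    for name, sample in [("sample", SAMPLE_AUTORUN), ("spaced", SPACED_AUTORUN), ("benign", BENIGN_AUTORUN)]:
        print(name, "launches:", launched_programs(sample) or "nothing")
```

Run it as is to see the three samples classified, or call check_drive_root("E:\\") from a clean machine with the suspect drive attached (and autorun already disabled) to get the list of files to look at before deleting them.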

Problems with IE
Another typical sign of infection: for no known reason you use IE and all kinds of stray advertising, toolbars, buttons... start appearing. In general, it behaves badly. With high probability the problem is a BHO, a Browser Helper Object. A BHO is a plugin for Explorer. There are various programs for listing BHOs. Our DwShark tool is due to be released soon and will be extremely useful for finding infections. In the meantime you have to use something else. For example IceSword ( www.antirootkit.com/software/IceSword.htm ), but that is already a rather serious program; its results must be interpreted skilfully and carefully, and in some cases IceSword can hang the system. In short: in IceSword select BHO and you get a list of those installed in the system. You can also use HijackThis ( www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis ); it produces a log in which all BHOs are listed. To check whether a BHO is legitimate there is a service from CastleCops ( www.castlecops.com/CLSID.html ): you enter the CLSID (a string of the form 00000000-0002-53D4-0622-35EA0235778E). If the CLSID is not found in the database, that is a serious reason to remove it!
For prevention: do not use IE. And not only to prevent cases like this ;-)
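Looking up CLSIDs one by one in a web form is tedious when a log lists a dozen BHOs, and a mistyped or malformed CLSID gives a misleading "not found". The script below is an added example, not part of the post or of HijackThis: it picks the BHO lines out of a log, checks that each CLSID has the 8-4-4-4-12 hex shape the post describes, and looks it up in a local allowlist that stands in for the CastleCops database. The log line format ("O2 - BHO: name - {CLSID} - path") is an assumption about HijackThis output, and the log excerpt, CLSIDs, names and paths are constructed placeholders.

```python
import re
from typing import Dict, List

# CLSID shape as given in the post: 8-4-4-4-12 hex digits, braces optional.
CLSID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")

# Assumed line shape of a BHO entry in a HijackThis log:
#   O2 - BHO: <name> - {<CLSID>} - <path to DLL>
BHO_LINE_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]*\}) - (?P<path>.*)$")

# Constructed stand-in for a CLSID reputation database such as CastleCops:
# CLSID -> the product it is known to belong to.
KNOWN_GOOD_CLSIDS: Dict[str, str] = {
    "{00000000-0002-53D4-0622-35EA0235778E}": "Example vendor helper (constructed entry)",
}


def normalise_clsid(clsid: str) -> str:
    """Canonical form {UPPERCASE-HEX} so lookups do not depend on case or braces."""
    return "{" + clsid.strip().strip("{}").upper() + "}"


def classify_clsid(clsid: str) -> str:
    """Verdict in the post's terms: known, unknown (remove), or not even a CLSID."""
    if not CLSID_RE.match(clsid.strip()):
        return "malformed CLSID"
    canonical = normalise_clsid(clsid)
    if canonical in KNOWN_GOOD_CLSIDS:
        return "known: " + KNOWN_GOOD_CLSIDS[canonical]
    return "unknown: candidate for removal"


def review_bho_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Pick the O2 (BHO) lines out of a log and attach a verdict to each."""
    results: List[Dict[str, str]] = []
    for line in lines:
        m = BHO_LINE_RE.match(line.strip())
        if not m:
            continue  # not a BHO line (other HijackThis sections, headers)
        results.append({
            "name": m.group("name"),
            "clsid": m.group("clsid"),
            "path": m.group("path"),
            "verdict": classify_clsid(m.group("clsid")),
        })
    return results


# Constructed log excerpt; names, CLSIDs and paths are placeholders.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed excerpt)
O2 - BHO: Example Vendor Helper - {00000000-0002-53d4-0622-35ea0235778e} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\WINDOWS\system32\unknown.dll
O2 - BHO: Broken entry - {not-a-clsid} - C:\WINDOWS\Temp\broken.dll
O4 - HKLM\..\Run: [example] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    for entry in review_bho_lines(SAMPLE_LOG.splitlines()):
        print(f'{entry["verdict"]:<35} {entry["clsid"]} {entry["name"]} -> {entry["path"]}')
```

An "unknown" verdict here means exactly what the post says about the CastleCops lookup: the CLSID is not in the database you trust, which is the reason to look closely at the DLL path and remove the entry.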

I have covered fairly simple and typical cases. Now comes the search for something unknown in an unknown place... This process is long and complex. Since we have IceSword, go through all of its tabs. I don't remember offhand what is where in it now, but if something in the process list is marked in red, that process is hidden and its executable is a candidate for checking! In the same program you can see open ports and which processes they belong to. An extremely powerful thing is Rootkit Unhooker ( www.antirootkit.com/software/RootKit-Unhooker.htm ), designed for finding rootkits. If you make a report with it, uncheck the "Files" box. Under suspicion: any process that hooks or intercepts something, and hidden drivers. An analogue is GMER ( www.gmer.net/index.php ). And also reviewing the HijackThis logs: running processes, autorun entries, services.

I found a strange file ...
How do you check whether it is a virus or not? There are many ways. For example, compute the MD5 sum of the file (there are plenty of tools for that) and look it up in Bit9 ( fileadvisor.bit9.com/services/search.aspx ); registration is required. The service shows which sources the file was received from. If the file came from large companies, it is certainly clean. Another way is VirusTotal ( www.virustotal.com ), but it has a significant drawback: more than 50% of the antiviruses there may give false positives or, conversely, fail to detect a virus in the file.
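A small script for the hash step, added here as an example and not part of the original post: it computes the MD5 that the lookup services of the time key on (and SHA-256 alongside it, which is worth recording because MD5 collisions are cheap to produce) and looks the result up in a constructed stand-in for a file reputation database. The database contents, publisher name and verdict strings are assumptions for illustration.

```python
import hashlib
import sys
from typing import Dict

CHUNK_SIZE = 1 << 20  # read large executables in 1 MiB pieces


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5 (what the lookup services key on) plus SHA-256 for the record."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> Dict[str, str]:
    """Same digests computed incrementally, so a multi-megabyte file is not
    loaded into memory at once."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


# Constructed stand-in for a file reputation database (Bit9 FileAdvisor style):
# MD5 -> publisher the file was received from. The entry is the MD5 of the
# constructed sample bytes below, not of any real program.
KNOWN_FILES: Dict[str, str] = {
    hash_bytes(b"hello world")["md5"]: "Example Corp (constructed entry)",
}


def reputation(digests: Dict[str, str]) -> str:
    """Verdict in the spirit of the post: a file seen from a large vendor is
    clean; anything unknown goes to the antivirus company for analysis."""
    publisher = KNOWN_FILES.get(digests["md5"])
    if publisher:
        return "known clean: " + publisher
    return "unknown: submit to an antivirus vendor for analysis"


if __name__ == "__main__":
    # Usage: python hashcheck.py <suspect file> [more files]
    for path in sys.argv[1:]:
        d = hash_file(path)
        print(path, d["md5"], d["sha256"], reputation(d))
```

Hash the file before doing anything else with it: the digest is what you paste into the lookup service and what you quote when sending the sample to a vendor, and it lets you confirm later that the file you submitted is the one that was added to the database.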

I found a file with infection
Congratulations! Now there are things that simply must be done. Here habrahabr.ru/blogs/infosecurity/38149 good people have compiled a list of addresses of antivirus companies to which new viruses should be sent. Please send the file to them (in an archive with the password "virus"; put the password in the body of the letter). If not to everyone, then at least to us at DrWeb ;-) If DrWeb replies that it is a new virus, then to cure the system do the following: wait about 2 hours, then update the databases or download a fresh CureIt (download it again! it will have new databases) and scan the system. Why CureIt, see above: it is lightweight, free and powerful software. Once sent, the infected file can in principle be deleted. However, in some cases deletion will make the system completely inoperable; the FtpLich/Lich family is an example.
If the file you sent is added to the database, you will prevent infection of other computers and help cure those already infected. Think about your karma, not only on Habr, and about other people's time.

If nothing helped
There are specialised forums. Advertising ours again: new-forum.drweb.com/mod/forum ;-)

Useful links
www.freedrweb.com/cureit/?lng=en - CureIt, a free antivirus scanner on the DrWeb engine with its databases.
www.farmanager.com - FAR, a good file manager.
www.izcity.com/faq/winxp/question1517.html - disabling autorun for drives in Windows.
www.antirootkit.com/software/IceSword.htm - IceSword, a good system monitoring utility.
www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis - HijackThis, likewise.
www.castlecops.com/CLSID.html - BHO legitimacy check by its CLSID.
www.antirootkit.com/software/RootKit-Unhooker.htm - RootKit Unhooker, an extremely useful thing for catching rootkits.
www.gmer.net/index.php - GMER, likewise.
fileadvisor.bit9.com/services/search.aspx - File Advisor, MD5 file check.
www.virustotal.com - scanning a file with many antiviruses at once.
habrahabr.ru/blogs/infosecurity/38149 - addresses for sending a new virus to antivirus companies.
support.drweb.com/sendnew - send a file to DrWeb.
new-forum.drweb.com/mod/forum - DrWeb forum.

P.S. I hope this is useful to someone. Additions are welcome.
P.P.S. I will not discuss specific cases of infection here; welcome to the forum.

Source: https://habr.com/ru/post/38471/

