Tools for Virus Removal
Jun 15th
Whether you want to prevent a malware infection or suspect that your system is already infected, this post goes over some tools and utilities that can be used to prevent malware or to clean an infected system.
Disclaimer: This is for instructional purposes only. I am not responsible for any mishaps that may befall you or your system while carrying out the techniques covered in this tutorial.
Symptoms
Is your system showing signs of an infection? If you are unsure, ask yourself these questions:
- Do programs take longer to load?
- Do popups plague me when surfing the web?
- Does the hard drive seem to be doing an awful lot of work for a simple task?
- Do programs that once worked now give strange error messages?
- Is there less memory available than before?
- Is there less free space on the hard drive than before?
- Do files often become corrupted?
- Does Windows hang before reaching the desktop?
- Can I access Task Manager? ¹
- Are there strange processes running?
- Can I access Run? ¹
- Has my internet browser home page changed?
- Am I able to access other Windows utilities? ¹
- Can I visit anti-virus websites like www.mcafee.com or www.kaspersky.com? ¹
- Can I access System Restore? ¹
If the answer to several of these questions is "yes", the chances that your system is infected are high. (See below.)
¹ For the questions marked this way, "no" is the warning sign: if you answered "no" to these, the chances that your system is infected are high.
Note: a "yes" to one or two of these questions does not by itself mean that your system is infected. The cause may be insufficient memory, some other non-malicious software problem, or a hardware conflict. Being unable to open Task Manager, Run or System Restore, or to reach anti-virus websites, is a much stronger indicator, because malware blocks those on purpose.
Tools
If you answered "no" to any of the following questions:
- Can I access Task Manager?
- Can I access Run?
- Can I access System Restore?
- Can I visit anti-virus websites like www.mcafee.com or www.kaspersky.com?
then you more than likely have an infected system, and it should be taken off the network immediately (unplug the cable or switch off the wireless adapter) so that it can neither spread to other machines nor receive instructions from outside. If you cannot access Task Manager and you suspect that a malicious process is running and needs to be terminated, there are a few options.
First, the malware needs to be found. This can be tricky when the malware hides in the system32 folder or in hidden folders within Windows; malware frequently sets the hidden attribute on its own files.
If you are using Windows Vista or Windows 7, open Task Manager first and look for any malicious processes (see the first solution below); it can show you where the image file of a process lives. Before searching on disk, make hidden files visible:
Go to Control Panel > Appearance and Personalization > Folder Options, click on the View tab and select "Show hidden files, folders, and drives". While you are there, also untick "Hide protected operating system files"; it is a separate setting, and files marked as system files stay hidden until you do. Untick "Hide extensions for known file types" as well, so that a file named report.txt.exe does not show up as report.txt.
Task Manager
If you have access to Task Manager, this is the quickest way to see whether any malicious processes are running. If you do not have access, see the other solutions below.
Open Task Manager by pressing CTRL+SHIFT+ESC (or CTRL+ALT+DELETE and choosing Task Manager). Click on the Processes tab to view the running processes, and click "Show processes from all users" so that processes running as SYSTEM or as other accounts are included. Look for any processes that seem malicious, checking how much CPU and RAM each one is using. Malicious processes are often not named intuitively: they frequently have names made up of random numbers and letters, or there are several instances of the same process running. Be aware of the opposite trick too: malware commonly borrows the name of a legitimate Windows process such as svchost.exe, so the name alone is not proof either way; where the file lives on disk matters more.
The screenshot (not reproduced here) shows several instances of the same process running. It is an easy example of poorly named, redundant processes; note the amount of RAM and CPU each instance uses.
If you are using Windows Vista or Windows 7, right-click on the process and select Open File Location to see where the image file lives (a "system" process running from anywhere other than C:\Windows\System32 is suspect), then proceed to end any malicious processes. If you are using Windows XP, the malicious or infected file will need to be found manually, which is covered later on.
To end a process, simply click on the process you wish to end and click End Process, or right-click it and select End Process.
DOS
If you have access to Run or the command prompt but not to Task Manager, this is the option for you. If you do not have access to Run or the command prompt, see the other solutions below.
Note: If you are using Windows Vista or Windows 7, launch the command prompt in administrative mode by right-clicking on Command Prompt and selecting "Run as Administrator", then respond to the UAC box. Without elevation you will not be able to terminate processes that belong to other accounts.
Killing a process in DOS does not require any special knowledge of DOS, but it does require two main commands: tasklist and taskkill.
tasklist shows every running process with its PID, session name and memory usage (and, with the /svc switch, the services hosted by each process). We are particularly interested in the processes in the Console session, that is, the interactive desktop. The command at the prompt looks like the following:
C:\> tasklist
We don't need any special switches for this DOS command. Remember that we're looking at the Console processes. Look for processes whose names are made of random numbers and/or letters. If there are multiple instances of such a process, it may well be malicious.
In this instance, the process called 16af79bhdf.exe is likely to be a malicious process. Let us assume that this malicious code is blocking our access to Task Manager. tasklist alone does not tell us where the image file lives on disk, but we can kill the process and then search for the file manually. There are a few things we should do first:
- Write down the process name, 16af79bhdf.exe
- Document how much RAM the process is using
- Document the PID of the process
- Go to your favorite search engine and search for the process in question. Look on websites to see whether this process is malicious. A randomly generated name will often turn up nothing at all, which is itself a clue; a legitimate-sounding name will turn up both benign and malicious hits, so compare the file path on your machine with the path the legitimate program uses.
Assuming that the process is indeed malicious, we will now kill the task!
Note: taskkill is a very powerful command and will terminate core system processes without any hesitation. Be sure you have the image name or PID entirely correct before you terminate a process; killing the wrong system process can bring the machine down.
In addition to stopping a difficult process, if you regularly use Task Manager to stop a process that is freezing your system, you may use the taskkill command as an alternative.
For the example above, since there are multiple instances of the malicious program and we're assuming that they all need to be terminated, we will use the image name switch, /im. We also want to be sure the process will actually end and we will not get an error message, so we use /f for forceful termination of the process.
C:\> taskkill /im 16af79bhdf.exe /f
This line of DOS code kills every task (process) with the image name 16af79bhdf.exe, forcefully. If there are multiple instances of a single process and you happen to know which instances are malicious, there is an alternative that ends individual processes:

C:\> taskkill /pid 2588 /pid 4448 /pid 304 /f
This lets us select each individual process we wish to end by its Process Identifier (PID). The /pid switch must be repeated for every PID we wish to kill.

Windows Powershell
If you do not have access to Run or the command prompt, there is an alternative: Windows PowerShell. Windows PowerShell is a task-based command-line shell and scripting language designed for system administration, and IT professionals use it for everyday tasks. As with the command prompt, launch it elevated (right-click, "Run as Administrator") so that it can see and terminate processes belonging to other accounts.
The beauty of PowerShell for our purposes is that it runs the same external tools as the command prompt: tasklist and taskkill are ordinary programs (tasklist.exe and taskkill.exe in System32), so they behave exactly as they do in DOS. If malicious software blocks access to Task Manager, Run and the command prompt but not PowerShell, we can view running processes and kill any malicious ones just as we did above. PowerShell also has its own cmdlets for the same job, Get-Process and Stop-Process.
The environment is slightly different and a little more colorful: a medium blue background instead of black, with the same text-mode output. To view the running processes we use tasklist, and to terminate malicious processes we use taskkill.
PS C:\> tasklist
Remember, there are things to do before you kill any process:
- Write down the process name, 16af79budf.exe
- Document how much RAM the process is using
- Document the PID of the process
- Go to your favorite search engine and search for the process in question. Look on websites to see whether this process is malicious.
If you find that a process is likely malicious, proceed with the following instructions to kill the process.

PS C:\> taskkill /im 16af79budf.exe /f
This line kills every task (process) with the image name 16af79budf.exe, forcefully. If there are multiple instances of a single process and you happen to know which instances are malicious, there is an alternative that ends individual processes:

PS C:\> taskkill /pid 2588 /pid 4448 /pid 304 /f
This lets us select each individual process we wish to end by its Process Identifier (PID). The /pid switch must be repeated for every PID we wish to kill.
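As an added example (not code from the original post), here is a PowerShell script that does what the Task Manager, DOS and PowerShell sections above describe by hand, and also covers the "find the file" step from the Tools section. It lists every process with its PID and memory use, looks up where the image file lives, whether that file carries the hidden attribute and whether it has a valid Authenticode signature, flags the patterns the post describes (random-looking names, several instances of one name) and kills only the PIDs you pass to it. The script name, the name regex and the "worth a second look" rules are this example's own assumptions, not anything from the post; it needs an elevated PowerShell 2.0 or later.

```powershell
# Added example, not part of the original post. Does from PowerShell what the
# Task Manager / tasklist / taskkill sections describe by hand: list processes,
# flag the ones worth a second look, record name / PID / RAM / image path /
# signature, then kill only the PIDs you name. Run it elevated.
# The regex, the flagging rules and the script name are this example's own choices.
param(
    [int[]]$KillPids = @(),   # PIDs you have already decided are malicious
    [switch]$Force            # really terminate; without it only a -WhatIf preview
)

# Heuristic 1 (from the post): image names made of random letters and digits,
# e.g. 16af79bhdf. Requires at least one digit and one letter, 8+ characters.
$randomName = '^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$'

# Heuristic 2 (from the post): several instances of the same image name.
$groups = Get-Process | Group-Object -Property ProcessName

$report = foreach ($g in $groups) {
    foreach ($p in $g.Group) {
        # .Path is empty for protected processes when not running elevated.
        $path = $p.Path
        $sig = 'n/a'
        $hiddenFile = $false
        if ($path -and (Test-Path -LiteralPath $path)) {
            # Authenticode check: 'Valid' for signed Microsoft/vendor binaries,
            # 'NotSigned' for most malware and, to be fair, plenty of freeware.
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
            # -Force is what lets Get-Item see a hidden file at all.
            $attr = (Get-Item -LiteralPath $path -Force).Attributes
            $hiddenFile = [bool]($attr -band [IO.FileAttributes]::Hidden)
        }
        # New-Object (rather than [pscustomobject]) keeps this PowerShell 2.0 friendly.
        New-Object PSObject -Property @{
            PID          = $p.Id
            Name         = $p.ProcessName
            Instances    = $g.Count
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
            Signature    = $sig
            HiddenFile   = $hiddenFile
            RandomName   = [bool]($p.ProcessName -match $randomName)
            Path         = $path
        }
    }
}

# Everything the post says to write down before killing anything.
$columns = 'PID', 'Name', 'Instances', 'WorkingSetMB', 'Signature', 'HiddenFile', 'RandomName', 'Path'
$report | Sort-Object Name, PID | Format-Table $columns -AutoSize | Out-String -Width 200

"Worth a second look (random name, hidden image file, or unsigned with several instances):"
$report |
    Where-Object { $_.RandomName -or $_.HiddenFile -or
                   ($_.Signature -ne 'Valid' -and $_.Instances -gt 1) } |
    Format-Table $columns -AutoSize | Out-String -Width 200

# Kill step, the equivalent of "taskkill /pid N /f": only the PIDs passed in,
# and only for real when -Force is given.
foreach ($id in $KillPids) {
    $target = Get-Process -Id $id -ErrorAction SilentlyContinue
    if (-not $target) { "PID $id not found (already gone?)"; continue }
    if ($Force) {
        Stop-Process -Id $id -Force
        "Killed PID $id ($($target.ProcessName))"
    } else {
        Stop-Process -Id $id -WhatIf
    }
}
```

Save it as Find-SuspiciousProcess.ps1 and run it from an elevated prompt with `powershell -ExecutionPolicy Bypass -File .\Find-SuspiciousProcess.ps1`; once you have decided which PIDs to end, rerun with `-KillPids 2588,4448,304 -Force` (the cmdlet equivalent of `taskkill /im name.exe /f` is `Stop-Process -Name name -Force`). Treat the flags as leads, not verdicts: a lot of legitimate freeware is unsigned, and malware that copies a legitimate name passes the name test while failing the path or signature check. If only cmd is available, `wmic process get Name,ExecutablePath` prints the path column that tasklist lacks. Killing a process also buys time rather than a cure: the file it ran from and whatever starts it at boot still have to be removed.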

Process Hacker
If you have no access to Task Manager, Run, the command prompt, or Windows PowerShell, there is still hope! There are Task Manager-like programs that can run completely locally, meaning no installation is required: the program can be kept on a USB drive, SD card, or other hot-swappable portable media and run from there. Visit http://processhacker.sourceforge.net/ to download the program.
If you wish to run it locally, download the binary .zip file and save it to the desktop or another convenient location. If you wish to install the program instead, click on the download button for the installer.
If you are running the program locally, create a new folder called "process hacker" and put the .zip file inside it. Once the .zip file is inside the folder, extract it to that same location.

There will be 10 files, one of which is ProcessHacker.exe. Double-click ProcessHacker.exe and the program will launch. Since it is running locally, give it a moment to fully populate the list of processes running on your system. Run it as Administrator (right-click > Run as administrator) where you can; otherwise processes belonging to other accounts, including SYSTEM, show up without details or cannot be terminated.
Process Explorer
Process Explorer, from Microsoft's Sysinternals suite, is an alternative to Process Hacker if you do not have access to Task Manager, Run, the command prompt, or PowerShell. Both Process Explorer and Process Hacker can run locally; however, Process Explorer only runs locally and has no installer. Its Options > Verify Image Signatures setting checks each process's image file against its Authenticode signature, which is a far better test than guessing from the name.
Final Thought
Whether you're preventing an infection or dealing with one, keeping Process Hacker and/or Process Explorer handy is always a good idea. They let you extinguish malicious software very quickly once your system is infected and you are denied access to Task Manager. Having a Graphical User Interface (GUI) makes life a lot easier and is definitely more appealing than straight DOS. Remember, though, that killing a process only buys you time: unless the file it ran from and whatever starts it at boot are removed as well, it will be back after the next restart.
Things to consider:
- If you don't already have it, get some anti-virus software like Kaspersky, BitDefender, Norton, McAfee, etc.
- Consider investing in anti-malware software like Malwarebytes
- Do not visit shady websites, and always keep your firewall on
- Keep Windows, your browser and its plug-ins up to date; a great deal of malware gets in through holes that have already been patched
- Use a popup blocker
- Filter your webmail with a spam filter
- Back up your data regularly, and keep the backup somewhere the malware cannot reach, such as a drive that is not left plugged in
- Enable Parental Controls on a wireless router or use third-party software such as Net Nanny or Cyber Patrol to prevent children from accidentally infecting a computer with malware.
Think you have a virus?
Jun 14th
Is your computer running awfully slow and sluggish? Does a mysterious program keep popping up on your desktop every 10 seconds? Do you get a lot of popups while browsing the web, random error messages, or the Blue Screen of Death (BSOD)?
If so, I've got some bad news for you: there is a good chance that your system is infected. In order to understand the infection, we need to be able to identify the characteristics of infections. There are many types of infections, and they have different characteristics:
- Malware
- Trojan
- Virus
- Grayware
- Spyware
- Worm
Malware
Malware is a broad term meaning malicious software, including but not limited to trojans, worms, viruses, logic bombs, and spyware.
Malware isn't simply poorly coded software that causes memory leaks and other problems for an operating system; this software is created with the intent of collecting information, annoying the user, or causing mild to severe harm to a user's operating system and sometimes hardware.
Since we’ve gone over the broad umbrella of Malware, let us delve into the specifics.
Spyware
Spyware does exactly what its name implies: it collects bits of information about a user while the computer is being used. This is done in the background, without the user's knowledge or consent.
Spyware is known to change computer settings, install programs, change internet settings, change internet home pages, slow connection speeds, and do other things that invade a user's privacy.
Spyware can lead to identity theft, credit card fraud, theft of banking information, and theft of passwords that give access to protected content. A popular type of spyware is the keylogger, which records every keystroke and sends the log to a remote location over the internet, so a password is captured as it is typed no matter how well it is protected once stored.
A related category is scareware, which is designed specifically to get a user to buy a product. This type of software shows messages claiming that the user's computer is infected and that a full version must be purchased to remove the infections. This can lead to credit card fraud, since payment is usually by credit card, and the "full version" typically removes nothing.
Traits
Spyware has specific traits that will allow you to identify a spyware-infected computer:
- Slow system performance
- Significant decrease in connection speed
- Random programs being installed without your knowledge or consent
- Background has changed and will not change back
- Popups claiming that your web browser is out of date or your system is infected
- Not able to uninstall programs
- Desktop has changed and cannot be changed back
- Mouse pointer moves by itself
- Mouse pointer disappears
- Cannot access Run or Task Manager
- Windows start bar/button goes missing
- Computer shuts down and starts up by itself
- Documents and files are printed by themselves
- Slow internet connection
- Dramatic loss of hard drive space
These are some symptoms of spyware; how to prevent spyware will be covered later in the article.
Trojan Horse
Named after the Trojan Horse in which Greek soldiers hid themselves for a surprise attack on Troy. The horse was intended to deceive the soldiers of Troy into thinking it was a gift of peace rather than a surprise attack.
A computer infection called a Trojan or Trojan Horse is no different: it presents itself as something useful or harmless while carrying a hidden agenda and hidden functionality.
A trojan's purpose may be to acquire information about a user, to initiate distributed denial of service attacks against web servers, data theft, deleting files, installing unsolicited programs, and so on. Unlike a virus or a worm, a trojan does not copy itself; it spreads because users are tricked into running it.
Sometimes trojans are relatively harmless, and other times they can infect the master boot record (MBR) or partition tables, causing a critical failure of the user's operating system. This will crash the computer and essentially render it unusable unless the OS is reinstalled.
Especially dangerous trojans give a remote attacker control of the user's computer. Depending on the complexity and severity of the trojan, the attacker can disable the keyboard, mouse or monitor, change the desktop background, open an administrator command prompt, access the registry, and delete critical OS files.
Traits
The traits of a trojan are similar to those of spyware, since a trojan is frequently the vehicle that installs spyware. They do, however, differ from spyware in some respects:
- Denial of Service attacks launched from your machine
- A web server being brought down
- Annoying popups on your desktop
- Cannot access Task Manager
- Cannot access Run
- Cannot access System Restore
- Cannot visit certain websites like mcafee.com or kaspersky.com
Worms
Worms are unlike a Trojan Horse or spyware. Worms are self-replicating programs that use a network to send copies of themselves to other computers, without needing a user to run anything. Worms specifically target computers with unpatched network services reachable from the internet, weak network passwords, weak account passwords, and out-of-date antivirus software.
Perhaps one of the worst worms in the history of technology is the ILOVEYOU worm, which arrived in mailboxes in early May 2000. This internet worm had "ILOVEYOU" as the subject line and the content of the email, and an attachment called "LOVE-LETTER-FOR-YOU.TXT.vbs". Because Windows hides known file extensions by default, the .vbs extension was not shown to unsuspecting users, who were tricked into thinking it was a mere text file with more lovely words. Upon opening the "text file", the worm sent a copy of the email to everyone in the user's Windows address book, with the user as the sender. The worm also added itself to the Registry run keys so that it started with Windows, and overwrote files of several types on the system, including image and script files, with copies of itself. The damage was estimated at $5.5 billion, and the worm infected around 50 million systems.
Bad worms can infect a computer and render it basically unusable. Worms can literally hijack a user's computer and use it as a zombie that sends copies of the worm to anyone and everyone.
Traits
Worms are somewhat tricky to detect since they depend heavily on a network connection to work; unexplained outbound network traffic is often the first sign. The majority of worms out there don't carry payloads or additional code to seriously harm a system. They're mainly written to see how many systems can be infected, to bring down a website, or to cause a nuisance.
Grayware
Grayware is a different form of malware, seemingly intended to make a user bang their head against their monitor. It also harms a system, but in a highly obnoxious fashion: popups, banner ads on websites, remote access tools, dialers, and irksome joke programs all fall under grayware.
Grayware can open serious security holes in a system and can also introduce more severe infections like spyware, viruses, and logic bombs.
Traits
- Popups and banner ads appearing even on sites that do not normally show them
- Remote access tools or dialers that you did not install
- Joke programs that interfere with normal use
Virus
Viruses are sometimes placed in their own category. Some consider a virus not to be a form of malware, and some do.
A virus attaches itself to a program or file and then copies itself. The virus spreads as those files are passed from one computer to the next. Viruses may change data, corrupt data, or degrade the performance of a user's system by taking up memory and disk space.
Viruses have four main categories:
- Boot Sector Virus
- Master Boot Record (MBR) Virus
- File Infecter Virus
- Macro Virus
Boot Sector Virus
A boot sector virus infects the boot record of a hard drive and of floppy disks. Once the user boots the computer, the virus loads from the boot record and infects other media as data is written to them.
MBR Virus
MBR viruses infect the Master Boot Record of a hard disk, which is the first sector of the drive. The MBR contains the partition table, the bootstrap code that loads the OS after the POST has run, and a disk signature that identifies the disk.
The virus is loaded from the MBR on every boot and will infect other files; it may even corrupt the user's partition table and the critical system files that load the OS.
File Infecter Virus
A file infecter virus infects executable files such as .exe and .com files. Sometimes these viruses remain resident in memory and infect other files and applications as they are executed.
Macro Virus
Macro viruses infect certain data files, most notably Microsoft Office files such as Word documents, Excel spreadsheets, PowerPoint presentations, and Access databases. The virus is written in the application's macro language and runs when the document is opened with macros enabled.
A macro virus may also share the traits of a worm and spread itself across a network.
Traits
- Slow system performance
- Dramatically slower web browser
- Sluggish internet connection
- Random error messages
- Blue Screen of Death (BSOD)
- Not able to access Run
- Not able to access Task Manager
- Processes running with random characters and/or numbers in their names
- No access to System Restore
- Blocked access to certain or all applications
- Unable to access anti-virus websites, e.g. mcafee.com or kaspersky.com
Real Hosting
Jun 11th
Real hosting is much more than what meets the eye. It is more than a place to merely store files and have a space on the Internet, and more than "unlimited this" and "unlimited that"; it involves real space, real deals, real support, and real guarantees.
What you REALLY pay for
Ever heard of the Myth of Unlimited Hosting? Truly unlimited resources are technically impossible, yet many hosts will charge you $4.95 a month, provided you agree to stay for 60 months, for a plan that supposedly includes unlimited disk space, a free domain name, unlimited bandwidth, unlimited databases, unlimited FTP accounts, unlimited email accounts, and unlimited everything else.
If you happen to break the 60-month agreement, you are slapped with a termination fee and other hidden fees. This can quickly become a major hassle, especially when you receive poor support and service just when you want out of a bad hosting situation.
Often, in these situations, the hosting company will begin to nag at you for taking up too much space on a shared server, too much CPU, or too much RAM. That renders the promise of unlimited features invalid: it is not a real guarantee and not real, honest hosting.
These types of hosting companies will go into your account and begin changing things if you have too many files on the server, if the files take up too much space, or if there are too many "unrelated files". They will disable the website, and then it becomes a hassle to get it back online. While they're breaking promises, you're losing traffic, clients, and/or money. Whether it is a business website or a personal blog, it is embarrassing to have to explain to clients and friends why your website is down in the first place.
While you're banging your head against a wall wondering why your website was suspended, they will be helping other people and not replying to your support tickets, emails, or phone calls. Some hosts will treat you like a second-class citizen if your account is suspended.
What you get with real hosting from AtomicPages
AtomicPages Real Hosting is different; we do not make promises we cannot keep. We will never claim to have unlimited features and go back on our word later on. The features you pay for are the features you will actually receive, nothing less; no questions asked.
This is what separates real hosting from impostors. We are honest, we back up our guarantees, and we have real morals. You will never hear that we are suspending your account for using too much space, taking up too many resources on the server, or any other made-up excuse. We will not interfere with your website unless it is breaking the law. AtomicPages real hosting will never leave you in the dark about your website.
Helping people with websites and delivering good-quality hosting while keeping a promise is not all smoke and mirrors. There is no mystery to keeping a promise.
All you ever wanted to know about DOS: Copy
Jun 9th
In this tutorial, we're going to talk about more essential DOS commands. We're going to get a little looser with the syntax, so knowledge of the bare essentials is key to fully understanding this looser syntax.
Revised Syntax
In previous tutorials, we've typed the path to files out in full. For example:
C:\Users\Dennis> cd C:\users\dennis\documents\downloads
Note: the differences between the three file systems are covered in a previous tutorial.
This was meant to teach the syntax of a path and how files are structured in XP, Vista, and Windows 7. The short-hand version assumes that the "file tree" is already known and understood. Short-hand notation saves time and makes navigating in DOS more efficient. It looks like the following:
C:\Users\Dennis> cd music
vs.
C:\Users\Dennis> cd C:\users\dennis\music
Both of these examples take us to the same destination. The only difference is that the latter provides the entire (absolute) path to the destination, which is somewhat redundant, while the former is a relative path: it assumes we mean the Music directory that exists inside the current directory, C:\users\dennis.
Copy
Being graced with this "revised syntax", we can now learn more commands in DOS! Our first command is an extremely useful one: copy. Once the most widely used command, it has been eclipsed by xcopy, which in turn has been succeeded by robocopy (built into Vista and 7).
The copy command is slightly more complex than any other command we've gone over so far. There are more switches that dictate how the command executes, and we need to write two paths. The syntax is as follows:
C:\> copy [switches] source [switches] destination [switches]
C:\> copy *.* d:
C:\Users\Dennis\test> copy stuff.txt C:\users\dennis\desktop
where source and destination are each a [drive:][path]filename.
The first command copies all files in the current directory to the D: drive. This is an unsophisticated way of creating backups of files: note that copy does not descend into subdirectories (xcopy /s or robocopy /e do), and that when run from the command line it prompts before overwriting a file of the same name at the destination (from a batch file it overwrites silently, as if /Y had been given).
The second example copies the file stuff.txt from the directory C:\users\dennis\test to C:\users\dennis\desktop.
Useful Switches
The copy command comes with useful switches that allow us to say what type of file we are copying and what should happen once the file is copied. /A and /B are positional: they apply to the file name they follow (and to any later names, until the next /A or /B), so they can be given separately for each source and for the destination. The remaining switches apply to the whole command.
| Switch | Description |
|---|---|
| /A | Treats the file as an ASCII text file. After a source, reading stops at the first end-of-file character (Ctrl-Z); after the destination, a Ctrl-Z is appended to the result. |
| /B | Treats the file as a binary file: every byte is copied and nothing is appended. |
| /V | Verifies that the new file was written correctly. |
| /N | Uses a short (8.3) filename, if available, when copying a file with a non-8.3 name. |
| /Y | Suppresses the prompt to confirm that you want to overwrite an existing destination file. |
| /-Y | Causes a prompt to confirm that you want to overwrite an existing destination file. The prefix (-) means "not" in most cases. |
Cool Copy Tricks
There are two cool tricks that stand out with the copy command. The first:
C:\> copy con stuff.txt
This is some text^Z
        1 file(s) copied.
The copy command combined with con (the console, i.e. the keyboard) lets us create a text file by typing its contents directly into the current directory. The ^Z is entered by pressing Ctrl+Z and then Enter; this marks the end of the input, saves and exits. An easier way is to use the edit command, although edit is a 16-bit program and is not included in 64-bit editions of Windows.
The second trick is equally cool and makes sense if you know xcopy or robocopy (Vista and 7 only). It lets us combine the contents of two files. For example:
C:\users\dennis\test> copy stuff.txt+more-stuff.txt
With no destination given, this appends the contents of more-stuff.txt to stuff.txt, so stuff.txt ends up holding both and its original contents are not kept separately (name a third file as the destination if you want the originals left alone). Combining files defaults to ASCII mode, so add /B for anything other than plain text. We can verify that the copy was successful by using the type command to view the contents of the .txt file.
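As an added example (not from the original tutorial), the following script exercises the /A, /B and /V switches from the table above and the file-combining trick, and shows the one thing the table cannot: what ASCII mode actually does to data after a Ctrl-Z. copy is a cmd.exe built-in, so the script hands each copy command to cmd /c from PowerShell; the folder name and the file contents are constructed here for the demonstration.

```powershell
# Added example, not part of the original tutorial: what "copy a+b" does with
# and without /B, and why the default (ASCII) mode can silently drop data.
# copy is a cmd.exe built-in, so it is invoked through cmd /c. The folder name
# and file contents below are constructed for the demonstration.
$dir = Join-Path $env:TEMP ('copydemo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null

$enc = [Text.Encoding]::ASCII
# stuff.txt: plain text.
[IO.File]::WriteAllBytes("$dir\stuff.txt", $enc.GetBytes("line one`r`n"))
# more-stuff.txt: text, then a Ctrl-Z (0x1A) byte, then more text. Ctrl-Z is
# the old DOS end-of-file marker that ASCII-mode copy stops reading at.
$tail = $enc.GetBytes("line two`r`n") + [byte]0x1A + $enc.GetBytes("after the Ctrl-Z`r`n")
[IO.File]::WriteAllBytes("$dir\more-stuff.txt", [byte[]]$tail)

# Native commands run in PowerShell's current location, so relative names work
# here; the .NET calls above need the full path because they do not.
Push-Location $dir
# 1) Combining without /B uses ASCII mode: each source is read up to its first
#    Ctrl-Z and one Ctrl-Z is appended to the result.
cmd /c 'copy /y stuff.txt+more-stuff.txt combined-ascii.txt >nul'
# 2) /B copies every byte of every source and appends nothing.
cmd /c 'copy /y /b stuff.txt+more-stuff.txt combined-binary.txt >nul'
# 3) Copying a single file (no +) defaults to binary; /V makes copy verify the
#    written data afterwards.
cmd /c 'copy /y /v combined-binary.txt verified-copy.txt >nul'
Pop-Location

# Report sizes and whether a Ctrl-Z byte is present in each file.
foreach ($name in 'stuff.txt', 'more-stuff.txt', 'combined-ascii.txt',
                  'combined-binary.txt', 'verified-copy.txt') {
    $bytes = [IO.File]::ReadAllBytes("$dir\$name")
    '{0,-20} {1,3} bytes   contains Ctrl-Z: {2}' -f $name, $bytes.Length, ($bytes -contains [byte]0x1A)
}
# combined-binary.txt is the two sources laid end to end; combined-ascii.txt is
# shorter, because the text after the Ctrl-Z in more-stuff.txt was not copied.

Remove-Item -Recurse -Force $dir
```

The practical lesson for backups and for the "combine two files" trick: use /B whenever a file might contain anything other than plain text (images, executables, archives), or the result will be truncated at the first 0x1A byte without any error message.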
Basic Unix Commands – Part 1
Jun 8th
Similar to using DOS in Windows, in Linux and Mac OS X you can use the terminal by typing Unix commands. Here I will quickly highlight the basics of how to use Unix commands.
Once you open the terminal, you can start typing commands. After typing a command, hit the Enter key to execute it. When a command finishes executing, the terminal displays another prompt and waits for the next command. Some commands print output into the terminal window and others don't.
Navigating the File System
Using Unix commands, you can navigate through all your files and folders using just text. When you open a terminal window you start in your user account's home directory. If you type the command ls you will see all files and folders within your home directory listed.
Unix commands also have options that you can set. For example, the command ls -l would also list all your files but include more information, like size and date.
Changing your current directory
To change your current directory you use the command cd [directory], where [directory] is the path to the directory you want to move to. For example, if my current directory contains a folder called "Documents" and I want to move into this folder, I would type cd Documents.
The command cd .. moves to the parent directory of the current directory, and cd ../../ moves to the parent of the parent directory. A command like cd Documents/files moves into the files directory inside the Documents directory. You can use all different combinations of these: cd ../Music/songs moves up one directory and then into the Music/songs directory. If you try to move to a directory that doesn't exist you will get a message that says "No such file or directory".
Deleting files and folders
To delete files in Unix you use the command rm [file], where [file] is the name of the file you want to delete.
To delete an entire directory and all the files contained in it, you use rm -r [directory], where [directory] is the path to the directory you want to delete. Be very careful with this command, as you could accidentally delete a lot of files with one command, and there is no Recycle Bin to get them back from. Adding -i (rm -ri [directory]) makes rm ask before each deletion, which is worth the extra keystrokes until you are sure what a path refers to.