siliconman01
Global Moderator
    
Steps to Take if Malware Appears to be Unremovable
« on: Mar 23rd, 2006, 4:56am »
Provided herein are guidelines of what steps to take if a specific malicious item is not successfully removed by security software. Security software often detects malware on a system, alarms the users, but then cannot successfully remove the malicious code or item that it identified. This can be the result of weak removal code for a specific infection. Or it may be that the Windows operating system cannot respond properly to the removal code provided in the security software (this is not necessarily the fault of the security software).

Action 1: Do NOT panic! Under MOST circumstances, the problem can be resolved without having to reformat the hard drive and reinstall Windows. There is normally help provided through many user forums on the Internet.

Action 2: Ensure that the system is set up such that all files and folders can be viewed. Also be sure to be signed onto Windows with a user account that has full Administrative Privileges. Below is the FAQ procedure for viewing all files and folders:
http://forum.misec.net/board/FAQ/1139610900

Action 3: Ensure that the rulesets and/or definitions for all security software on the infected system are current. Many security software vendors provide daily updates for newly discovered infections or variants and/or corrections to previous rulesets and/or definitions. Ensure that the versions of the security software are also current.

Action 4: Remove unnecessary files from the infected system. Clean out the Temporary Internet Files folders and other temporary folders used by Windows and third party software. This can be quickly and effectively executed by utilizing such programs as CCleaner, Window Washer, the Internet Options utility in the system Control Panel, and the Disk CleanUp utility.

Action 5: Note where the infection is located on the system by examining the alert issued by the security software that is detecting the infection. If the infection is located in the System Volume Information folder or Restore folder, follow the directions for removal explained in the FAQ procedure below:
http://forum.misec.net/board/FAQ/1139255588

Action 6: Scan the infected system with other resident security software scanners to determine if the infection is detected and can be removed through other security software. NOTE that it is necessary to disable the security software that originally found the infection. Disable prior to scanning with other security software. For example, if the Anti-virus program first detected the infection, it will have "locked" the infected files such that other security scanners will not be able to detect or remove the infection.

Action 7: Reboot the system into SAFE MODE and scan with resident security scanners. SAFE MODE often 'unlocks' malicious files such that the security software can and will remove them. (However, be aware that some infections may not show up in SAFE MODE. So do not assume the infection is removed/gone if the security software detects nothing. Also, some security software will not run in SAFE MODE; it depends on the specific security software program.) After rebooting into NORMAL MODE, always rescan to positively determine if the infection has been removed.

Action 8: Perform remote scans using other security software. The FAQ link below provides links to various remote scanners.
http://forum.misec.net/board/FAQ/1141894786

Action 9: If all the above Actions do not resolve the issue, create a Help request post in the appropriate section of the TrojanHunter Users Forum. Provide as much information as possible per the FAQ link below:
http://forum.misec.net/board/FAQ/1143115267

Applies to all versions of TrojanHunter.