
Saturday, June 1, 2019

Terminating Processes Using UVK

Here's a situation: you have malware, but your antivirus can't remove it and the malware keeps coming back.  Since the majority of computer users don't know how to manually terminate a malware process, here's a simple way to do it using Ultra Virus Killer (UVK).

First launch UVK and click Process Manager.


Click on Kill all processes.


Select any of the four options and click Kill processes.  Sometimes selecting Kill all non-system processes will do the trick.


Click yes to continue.



After that, you can perform a Full Scan of your PC using an updated antivirus.  Also scan any infected external drives.

Thursday, May 2, 2019

Malware Removal 101

It's been a long time since my last post so here goes.

Here is a list of techniques you can use to remove malware.  Some of these are easy no-brainers, others are moderately difficult, and some are extremely hard (for the average Joe, and some technicians included).

Here are the easiest solutions, though they need some preparation to work, such as downloading an ISO and burning it or making a bootable USB drive.
  • Performing a scheduled Boot Scan (Ex. Avast!)
  • I'll add Hiren's Boot CD.  Unless you have the latest version of an antivirus with the option of updating the AV signatures, you might miss zero-day malware or newer strains by scanning with an outdated AV.  (Note:  I use HBCD ver. 10 so I never use it for scanning)
  • Scanning the infected HDD as a slave drive on a clean system with an updated antivirus

This one requires that you know where to look for malware:
  • Booting with a live Windows CD/DVD or any Linux distro and manually deleting the malware that starts with Windows.  With Windows, I'd start with the registry (research offline registry editing) and work my way in reverse.  If you don't know your way around the registry, you can use programs like Autoruns.  For Linux, I'll look in the usual places where malware may reside.  The Temp folder is a good place to start.

There are times when malware will not let you boot into Safe Mode.  In cases where you can, try the following:
  • Boot into Safe Mode with Networking so you can update your antivirus prior to scanning.

Last is removing the malware while it is active in memory in Normal Mode.  The steps are simple.
  • Search and Destroy
    • Search - Use Tasklist, TaskMan or any similar program to look for suspicious running processes, or other suspicious programs that start with Windows:
      • Mostly these are processes with a gibberish filename (Ex. sfhkewj.exe)
      • Something that looks like a legit Windows file but is in the wrong place (Ex. C:\Windows\System\csrss.exe)
      • Shortcuts, *.pif or *.vbs/vbe files in the Startup folder
      • Other programs that start from the AppData or Temp folders
    • Destroy - Terminate the running malware processes using TaskMan or a similar app and delete the malware plus any other dropped files.
  • Another way to find the malware file location is to look in the registry.  Here are some of the key locations:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Use enumerators or AV tools to look for malware, basing your search on their report logs.
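To make the Search step concrete, here is an added PowerShell triage script (my own, not from the original post) that lists running processes and autostart entries matching the indicators just described: gibberish names, system file names outside System32, anything running from AppData or Temp, shortcut and script files in the Startup folders, and the Run and Winlogon keys. It assumes an elevated Windows PowerShell 5.1 or later session; the `$SystemNames` list and the vowel-ratio heuristic are my own assumptions, not the post's.

```powershell
# Added triage script (not from the original post). Read-only: it lists suspects, kills nothing.
# Assumes an elevated Windows PowerShell 5.1+ session; $SystemNames is a small hand-picked
# list of commonly impersonated names, not an exhaustive one.
$SystemNames  = 'csrss.exe','svchost.exe','lsass.exe','winlogon.exe','services.exe','explorer.exe'
$ExpectedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot)

function Test-GibberishName([string]$Name) {
    # Crude heuristic for names like sfhkewj.exe: six or more characters with under 20% vowels.
    $base = [IO.Path]::GetFileNameWithoutExtension($Name)
    if ($base.Length -lt 6) { return $false }
    $vowels = [regex]::Matches($base, '[aeiouAEIOU]').Count
    return ($vowels / $base.Length) -lt 0.2
}

# 1. Running processes: the three indicators from the Search step.
Get-CimInstance Win32_Process | Where-Object { $_.ExecutablePath } | ForEach-Object {
    $p = $_; $dir = Split-Path $p.ExecutablePath -Parent; $reasons = @()
    $inSystemDir = $ExpectedDirs -contains $dir
    # Consonant-heavy names are normal inside System32, so only check gibberish elsewhere.
    if (-not $inSystemDir -and (Test-GibberishName $p.Name)) { $reasons += 'gibberish name' }
    if ($SystemNames -contains $p.Name -and -not $inSystemDir)  { $reasons += 'system name in wrong folder' }
    if ($p.ExecutablePath -match '\\AppData\\|\\Temp\\')          { $reasons += 'runs from AppData/Temp' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ PID = $p.ProcessId; Path = $p.ExecutablePath; Why = ($reasons -join ', ') }
    }
} | Format-Table -AutoSize

# 2. Startup folders: shortcuts, *.pif and script files.
$startup = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $startup -Include *.lnk,*.pif,*.vbs,*.vbe -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName

# 3. The Run keys and Winlogon values listed in the post.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($v) { $v.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
              ForEach-Object { "$k : $($_.Name) = $($_.Value)" } }
}
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Winlogon Shell    = $($wl.Shell)"
"Winlogon Userinit = $($wl.Userinit)"
```

Every hit is only a lead to verify (signature, hash, file properties) before the Destroy step; a consonant-heavy name alone is not proof of malware.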

After you have terminated the malware, it's time to do a scan using an updated antivirus/antimalware.

Also scan all external/USB drives.  Unhide all folders and files in case you were infected with a shortcut worm like Ramnit.

Note:  For other high-risk malware/worms (Ex. Sality, Virut), always use a dedicated removal tool.


Other tools for malware removal worth mentioning that I still use:
  • File Assassin - Use this to delete stubborn malware
  • Unlocker - Same function as File Assassin
  • Blitzblank - My go-to tool when File Assassin or Unlocker fails to delete malware.  Must have prior knowledge of which files and registry items to delete.


All content ("Information") contained in this report is the copyrighted work of WinXPert: Virus and Malware Removal.

The Information is provided on an "as is" basis. WinXPert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, WinXPert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise. 
Copyright © 2019 WinXPert. All rights reserved. All other trademarks are the sole property of their respective owners.

To GOD be the glory!

Thursday, July 31, 2014

Managing Risk


Advanced Techniques


The guidance in IT Pro Advanced Techniques helps IT professionals investigate, analyze, and—when possible—remove malware from an infected computer. This guidance, intended for advanced users, helps IT professionals understand the impact of malware and create a rudimentary roadmap for cleaning infected computers. In addition, this effort provides the user more information about the internal operation of malware.

The guidance involves the use of several Windows Sysinternals tools, a suite of advanced diagnostics and troubleshooting utilities for the Windows platform available for download at no charge from the Microsoft Download Center.


Source:  http://www.microsoft.com/security/sir/strategy/default.aspx#!malwarecleaning