I don’t deal with “user”-type issues at my current job, so my exposure to these sorts of things has been drastically reduced to the occasional friend or family member. This past weekend was one such experience, and an experience it was! I had to deal with a particularly nasty bunch of viruses/rootkits/malware, and while I’m no stranger to the routine removal of such things, I actually had to look up some new tools to help me out with this one. I’ll go through my newly expanded list of utilities below, in the order of use.
The Operating System!
First and foremost, before you start downloading and installing the first 10 hits on google for whatever problem you are having, make use of the tools already at your disposal. While you may not be able to solve all your problems without additional tools, at least taking a look around the OS will give you some hints on where to focus your efforts. Here is a list of things I usually do before doing anything else:
- Check currently running services and processes using Task Manager
- More often than not, the problem you are diagnosing is a “slow” computer. Check how much memory/CPU is being used and by what to see if the answer is already right in front of you. The culprit may be an unfamiliar process that is most likely malware, but it could just as easily be a malfunctioning legitimate process. It could also be death by a thousand paper cuts – meaning you have way too many things running at once, perhaps due to necessary startup programs.
- Check Windows Event Logs
- This seems like common sense, but no one seems to start here. The logs are useful, and should almost always give you some kind of idea what the problem is, or at least what part of the system is being affected.
- Update your system
- Now, this step isn’t very likely to fix anything, but it will certainly help keep problems at bay in the future. An up to date system is much less likely to become infected or suffer from performance bugs. It may even reveal problems or infections by virtue of NOT running properly for you (ie. Windows Update errors).
- msconfig
- msconfig is a program that is available on any Windows OS, and can be used to modify startup services, programs, and scripts, specify special boot parameters, and launch some system tools. For example, instead of fighting with your BIOS and bootloader trying to get into the Windows boot selection screen manually by pressing F8 at just the right time, you can just tell Windows to use safe boot next time you restart. Some of you might prefer using 3rd party tools to control most of the behaviour in msconfig (I do as well), but knowing how to use this tool will mean you can make these changes even in cases you do not have access to your favourite utility.
TDSSKiller
This is a new one for me as of my adventure this weekend. Normally, once taking a quick look at the system, I am able to clear up most of the issues and then take care of any malware via MalwareBytes and AV. In this case, the infection was keeping me from being able to run these even in safe mode. TDSSKiller is a utility from Kapersky designed to remove rootkits. Simply run the executable, and let it do its thing. It will automatically remove any results, and with any luck return control of your system to you. I ran this in safe mode, and then in regular Windows.
Combofix
Another new one to me. Unfortunately in my case, TDSSKiller removed only part of the infection – I was still unable to run my usual anti-malware tools. Combofix is also an executable, which scans for known malware and attempts to clean anything it finds. Once finished, it also produces a very informative log that tells you what was scanned, what was found, and how it was dealt with. This tool removed the remaining infections that were keeping me from launching certain applications.
Malwarebytes
This is usually the bread and butter of my computer clean up tools. It seems to find infections that no other software does for me, and removes it with ease. Once TDSSKiller and Combofix removed the more vile of infections, I was able to run Malwarebytes and clean up the remaining offenders.
Microsoft Security Essentials (MSE)
It always seems a bit funny to me that I recommend a Microsoft product for PC security/AV over all others, but my own experiences as well as others documented on the web have shown MSE to superior to most (and sometimes all, depending on the tests) other free AV. Add in that definition updates come down integrated through Windows Updates, it is a free product (no trials), and designed by the guys in Redmond for their very own operating systems, and you get a pretty awesome AV client. And only seeking to prove itself further with me, after all of the above tools (MWB included), Security Essentials actually found and cleaned up a couple additional infected files after completing a full scan.
Clean up
So after all was said and done, and this laptop from hell was behaving again, I had one last issue that I was pretty much expecting to find from the beginning. An earlier attempt to install the most recent Windows Updates tipped me off, but I figured I would wait until everything was clean to try again, and sure enough a number of critical security updates refused to install. Turns out one of the plethora of unsavoury pieces of software I had just removed, had also had its way with the Update service in an attempt to keep some vulnerabilities open.
The errors I was receiving was Windows Update Error 800B0100, which according to Microsoft means that a file needed by the update service is either corrupted or missing. First things first, I attempted to use the System Update Readiness Tool from Microsoft to attempt to install the update manually. This worked for one of missing updates, but not the other. After a bit of digging through Microsoft’s self service sites, I came across an automatic troubleshooter here. This tool took about 10 minutes to repair Windows Update components, re-register some security DLLs, and correct a database issue. After this, Windows Update completed without complaint.
Next step: teach the in-law responsible not to install more spyware!
Links
TDSSKiller – http://support.kaspersky.com/5350
ComboFix – http://www.combofix.org/
Malwarebytes – http://www.malwarebytes.org/
Microsoft Security Essentials – http://windows.microsoft.com/en-US/windows/security-essentials-download
System Update Readiness Tool – http://support.microsoft.com/kb/947821
Windows Update Error 800B0100 – Automatic troubleshooter