Thursday, 28 March 2024, Straipsniai.lt - Information portal
Removing Spyware, Viruses, and Other Malware from Windows

An introduction to minor security incident response

For nonprofit staff who use computers all day, system glitches can bring important work to a grinding halt. While you can often prevent trouble on Windows machines through regular maintenance, sometimes trouble finds you in the form of malware, software designed to damage or disrupt your computer system.

Malware -- malicious software -- includes viruses, worms, and other software installed by hackers. Spyware and adware, while not necessarily malicious, are similarly undesirable.

Such software can wreak all sorts of havoc on your computer. It can hog memory, cause crashes, shut down your computer, steal personal data, change your system settings, or force your computer to attack other systems.

Fortunately, keeping this junk from infecting your computer is usually not hard:

* Install anti-virus software and keep it up to date.

* Use a hardware or software firewall.

* Keep your computer up to date with security patches.

* Don't install file-trading programs like KaZaa that carry adware and transmit viruses.

But we're all busy people. Maybe you forgot to update your virus definitions this month. Or maybe your coworker's teenager installed file sharing software on your computer. However it happened, your system has been invaded by malware and you need to remove it.

Removing Malware the Easy Way

Sometimes getting rid of malware is easy. Adware like Gator and SaveNow can be removed using the Add/Remove Programs control panel in Windows.

1. In Windows XP Professional, click on Start > Control Panel > Add/Remove Programs. In Windows 2000 Professional, click on Start > Settings > Control Panel > Add/Remove Programs.

2. In the list of programs, locate the software you want to remove. If you see a program you don't recognize, look it up in Google to learn what it is.

3. Select the offending program and remove it with the "Remove" button.

Programs like Lavasoft's AdAware and Spybot Search and Destroy are free to download and are specifically designed to identify and remove spyware and adware components.

Removing a virus is often as simple as updating the virus definitions in your anti-virus software and then performing a complete system scan. Other times, you must follow specific removal instructions or reinstall your anti-virus software.

Removing Malware the Hard Way

Sometimes, removing malware isn't easy at all. It resists your attempts to remove it, reappearing like magic. It seems to mock your attempts to purge it from your system. Maybe you can't even figure out where the program is or what to remove. Don't worry -- you don't have to reinstall your system (although that works). But you do have to do a little work.

If the problem is a persistent program that repairs itself as you try to remove it, odds are good you're not the first person to run into this problem. Someone has probably identified the perfect solution. If you know the name of any component of the software, search for it on the Web or in Google's Usenet archive, and you might find information about how to remove it.

But maybe you can't find an answer. How do you get rid of a program like this? This situation falls into the category of security incident response. Some program is interfering with the confidentiality, integrity, or availability of your system, and you want to recover from it. It doesn't matter what the program is; the same steps can be used to identify and remove it.

If you are recovering from an intrusion by a hacker, this article can't tell you everything you need to know. There are other steps to perform before removing the malware. You might want to leave the foreign program running in an attempt to gather intelligence on the hacker. Contacting the appropriate authorities might be a step in some situations. If you hope to prosecute the intruder, you must proceed carefully in order to avoid destroying evidence of the crime.

But let's say you have just some nasty tricksy spyware or a stubborn virus on your system, and you cannot remove it by the regular techniques. Proceed with the following:

Find the process(es) and kill them.

A process is a computer program that is actively running. In Windows NT, 2000, and XP, it's easy to view the list of processes. Then you can find the offending process and stop it.

* Right-click on the taskbar and choose Task Manager from the menu that appears.

* Click on the Processes tab to view the list of running processes.

* Click on the Image Name header to sort the list by name.

* Now the hard part. Plug the name of each process that you do not recognize into Google. Find out what they are. Come up with a list of processes that you know or suspect are related to your malware.

* Kill the processes by right-clicking on them and choosing End Process.

Sometimes you can't kill the processes that way. You might get the message "Access denied." But are you going to let some spyware flack tell you what you can and can't do on your own computer? When you have administrative rights and everything? I didn't think so. If the process cannot be killed in the Task Manager, it's time to bring out the heavy artillery.

Pskill.exe from SysInternals will blow away any process running on your system or even on a remote system you have an account on. You have to run it from the command line, but it's easy to use.

Download the archive of the program.

Extract the program from the .zip archive. You might need a decompression utility like StuffIT Expander.

Move the program, pskill.exe, to your C: drive.

Open a command window: Click Start, then Run, type cmd and click OK.

In the command window type C:\pskill.exe and the name of the process you wish to kill, then press enter. For example, if you wanted to kill the process for Microsoft Word, you would type:

C:\pskill.exe winword.exe
In this example, Pskill would respond with:
Process winword.exe killed
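The Task Manager and pskill steps above can be done in one pass from a PowerShell prompt, which also records the image path, command line, parent process and Authenticode signature of each process, the facts you need before you search a process name on the Web. The script below is an added example, not part of the original article and not Sysinternals' code; it assumes Windows PowerShell 5.1 or later on an elevated prompt, and the function names (Get-ProcessTriage, Test-UserWritablePath, Stop-SuspectProcess) are my own.

```powershell
# Added example (not from the article). Assumes Windows PowerShell 5.1+ run elevated.

function Get-ProcessTriage {
    # Join Get-Process (image path) with Win32_Process (command line, parent PID)
    # so each row carries what you need to look the process up and judge it.
    $byId = @{}
    Get-Process | ForEach-Object { $byId[$_.Id] = $_ }

    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $proc = $byId[[int]$_.ProcessId]
        $path = if ($proc) { $proc.Path } else { $null }
        $signature = 'n/a'      # System, Idle and protected processes report no path
        if ($path -and (Test-Path -LiteralPath $path)) {
            $signature = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        }
        [pscustomobject]@{
            Id          = [int]$_.ProcessId
            ParentId    = [int]$_.ParentProcessId
            Name        = $_.Name
            Path        = $path
            Signature   = $signature    # 'Valid', 'NotSigned', 'HashMismatch', ...
            CommandLine = $_.CommandLine
        }
    }
}

function Test-UserWritablePath {
    # Software dropped by a user-level installer tends to live under the profile
    # rather than Program Files or System32. A heuristic for triage, not a verdict.
    param([string]$Path)
    if (-not $Path) { return $false }
    $roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
               "$env:SystemDrive\Users\Public") | Where-Object { $_ }
    foreach ($root in $roots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Stop-SuspectProcess {
    # PowerShell equivalent of the pskill step. -Force skips the confirmation prompt
    # for processes owned by other users; protected processes still refuse unless
    # the prompt is elevated.
    param([Parameter(Mandatory)][int[]]$ProcessId)
    foreach ($id in $ProcessId) {
        Stop-Process -Id $id -Force -ErrorAction Stop
        Write-Host "Process $id killed"
    }
}

# Sort by name, as the article does in Task Manager, then flag rows worth a web
# search: no valid signature, or an image running from a user-writable directory.
$all = Get-ProcessTriage | Sort-Object Name
$all | Format-Table Id, ParentId, Name, Signature, Path -AutoSize
$suspects = $all | Where-Object {
    $_.Path -and ($_.Signature -ne 'Valid' -or (Test-UserWritablePath $_.Path))
}
$suspects | Format-Table Id, Name, Signature, CommandLine -Wrap

# After confirming which PIDs belong to the malware, stop them by PID, e.g.:
# Stop-SuspectProcess -ProcessId 1234, 5678
```

Kill by PID rather than by image name: malware often borrows the name of a legitimate Windows binary, and the path and signature columns are what separate the two. An "Access denied" from Stop-Process means the same thing it does in Task Manager; rerun from an elevated prompt before reaching for anything heavier.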

Stop the program from running on startup.

OK, so the program isn't running anymore. But how do you keep these processes from returning like decomposing corpses from Evil Dead? Somewhere on your system, a component of the spyware is set to automatically run when you start up your computer. But where is it? Is it in the registry? Is it in the Startup folder? Or boot.ini? It could be any of a number of places. Fortunately, Sysinternals comes to your rescue once again.

Autoruns.exe is an applet that displays most of the places where a program can be automatically set to run in Windows. When you find the malware, delete it. Be careful not to delete a program just because it has a cryptic name. Do your best to confirm that the file or registry entry is actually part of your problem, or you might accidentally end up removing a valid portion of your system.
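Autoruns covers far more locations than this, but the most common ones an adware installer uses (the Run and RunOnce registry keys, the two Startup folders, and scheduled tasks) can be listed and checked from PowerShell, with the signature of each launched program beside it so you can follow the article's advice to confirm an entry before deleting it. This is an added example, not code from the article or from Sysinternals; it assumes Windows PowerShell 5.1 or later on an elevated prompt, and the function names (Get-ExecutableFromCommand, Get-AutostartEntries) are my own.

```powershell
# Added example (not from the article). Assumes Windows PowerShell 5.1+ run elevated.

function Get-ExecutableFromCommand {
    # Pull the program path out of a Run-key value such as
    #   "C:\Program Files\Foo\foo.exe" /silent    or    C:\foo\bar.exe -x
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = $Command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
        return $null
    }
    return ($c -split '\s+')[0]
}

function Get-AutostartEntries {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these bookkeeping properties; they are not Run values.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }
            [pscustomobject]@{ Kind = 'Registry'; Location = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }

    foreach ($folder in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not ($folder -and (Test-Path -Path $folder))) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            [pscustomobject]@{ Kind = 'StartupFolder'; Location = $folder; Name = $_.Name; Command = $_.FullName }
        }
    }

    # Scheduled tasks are a favourite restart mechanism; the cmdlet exists on Windows 8 / 2012 and later.
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                if (-not $action.Execute) { continue }
                [pscustomobject]@{
                    Kind     = 'ScheduledTask'
                    Location = $task.TaskPath
                    Name     = $task.TaskName
                    Command  = ('"{0}" {1}' -f $action.Execute, $action.Arguments).Trim()
                }
            }
        }
    }
}

# Resolve each entry to a file and attach its Authenticode status; an entry whose
# file no longer exists is itself a clue (the process you just killed, or a leftover).
$entries = Get-AutostartEntries | ForEach-Object {
    $exe = Get-ExecutableFromCommand $_.Command
    if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }
    $sig = 'n/a'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
    } elseif ($exe) {
        $sig = 'FileMissing'
    }
    $_ | Add-Member -NotePropertyName Signature -NotePropertyValue $sig -PassThru
}
$entries | Sort-Object Kind, Name | Format-Table Kind, Name, Signature, Command -Wrap

# Delete a Run value only after you have confirmed it belongs to the malware, e.g.:
# Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SuspectValueName'
```

Treat an unsigned or missing file as a reason to investigate, not as proof: plenty of legitimate vendor tools ship unsigned, and an entry pointing at a deleted file may be harmless residue. The registry value name and the command string are what to search for, exactly as the article recommends for process names.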

Clean up the mess.

Now that the process is dead and it isn't set to start up automatically, you're all set. You can go further and look for registry entries or try to remove all the components, but once the malware isn't running, and you stop it from starting up again, the program is defeated. All that remains is to clean up as best you can.

Next Steps

It's time for a little reflection. If you actually had to respond to an incident like this, consider what made your system vulnerable in the first place. Was it something you did? Was it something you didn't do? Identify your vulnerabilities so you can take corrective action to ensure your future experiences with malware are limited.

Again, the actions described in this article can be used to assist in various malware scenarios, including when a server has been hacked and an intruder may have left a program running.

For more information about security incident response and forensic investigation of malware, try the "No Stone Unturned" series on SecurityFocus.com.
