Malware incidents - What to do when your computer gets infected

Your computer suddenly starts acting strangely. Unknown windows pop up. Programs you don't remember installing warn you that your computer is infected and ask you to buy the full version to get rid of the detected viruses. Your system becomes unstable and unresponsive, you can't do anything, it freezes, and all you can do is push the button to shut it down... Sound familiar?

How many of you have gone through this? Well, just like human beings, computers can get sick too, but before smashing yours with a baseball bat, there are some preliminary steps to take.


To understand what exactly is going on, you first have to identify the problem. IT professionals often need to analyze all the reports about an incident closely to shed light on the situation, and there can be several contradictory clues about its nature. A system administrator might suddenly notice an abnormal spike in sent packets, or security software might stop working or stop sending its reports. Some of these symptoms are inconclusive and can have several causes other than malware, but others can indicate that malware is present on your system.

Preliminary analysis

The first thing to do is check whether the computer has actually been infected and that the observed symptoms are not due to another cause (software conflicts, hardware issues, etc.).

This is done through a process of elimination. Sometimes it's easy to understand what is wrong. When strange windows pop up alerting you about alleged viruses found on your system and ask you to purchase the complete version to get rid of them, but you never installed the program and don't know where it's coming from, you can bet that your system has been infected. In other scenarios it can be quite tricky to determine the culprit, because more sophisticated malicious software hides deep in the operating system and is capable of compromising the anti-malware programs present on the computer, making the malware undetectable.

You will need to check for suspicious or unknown processes running in the background. Besides the Windows Task Manager and the netstat utility, third-party tools such as Process Explorer, PsList and Look@Lan can help you gain a clearer picture of the situation. They show which process is currently using a given port and how much RAM it is using. Sometimes this is the clue that malicious programs are disguising themselves as legitimate Windows processes.

Numerous virus variants try to disguise themselves under the name of an important Windows process, svchost.exe. If a process with that name appears in Task Manager but uses too much RAM and its executable is not in the correct location (C:\Windows\System32), we're surely looking at a virus disguised as a Windows process.
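As an added example (not part of the original post), here is a PowerShell triage script that automates the two checks described above: it lists every svchost.exe instance with its image path, working set and Authenticode signature status, flagging instances outside %SystemRoot%\System32, and it maps listening and established TCP connections to their owning process, as netstat or Process Explorer would. The 200 MB working-set threshold is an arbitrary value chosen for this example, and the signature check goes slightly beyond the original text.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt:
# without elevation the Path of SYSTEM-owned processes is empty and cannot be checked.
$System32 = Join-Path $env:SystemRoot 'System32'

function Test-SvchostLocation {
    # Flag svchost.exe instances whose image is not in %SystemRoot%\System32.
    # Many legitimate svchost instances run at once, so a large working set is only
    # a hint; a wrong image path (or a bad signature) is the strong signal.
    param([int64]$WorkingSetThresholdBytes = 200MB)   # arbitrary triage threshold
    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $path = $_.Path
        $inSystem32 = $false
        if ($path) {
            $inSystem32 = (Split-Path $path -Parent).TrimEnd('\') -ieq $System32
        }
        $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
        [pscustomobject]@{
            PID          = $_.Id
            Path         = $path
            InSystem32   = $inSystem32
            WorkingSetMB = [math]::Round($_.WorkingSet64 / 1MB, 1)
            Signature    = $sig
            Suspicious   = (($path) -and (-not $inSystem32)) -or ($_.WorkingSet64 -gt $WorkingSetThresholdBytes)
        }
    }
}

function Get-PortOwners {
    # Map listening and established TCP connections to the owning process and its
    # image path: the same picture netstat -ano or Process Explorer give, in one table.
    Get-NetTCPConnection -State Listen, Established -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort  = $_.LocalPort
            RemoteAddr = $_.RemoteAddress
            State      = $_.State
            PID        = $_.OwningProcess
            Process    = $proc.ProcessName
            Path       = $proc.Path
        }
    }
}

Test-SvchostLocation | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-PortOwners | Sort-Object LocalPort | Format-Table -AutoSize
```

Anything flagged Suspicious, unsigned, or owning a port you cannot account for is a candidate for the deeper checks described in the rest of the post, not proof of infection by itself.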

A tricky kind of malware is the rootkit. Rootkits hide in the operating system, take advantage of several vulnerabilities and run automatically at startup. To detect them you need specific software such as Sophos Anti-Rootkit, because antivirus programs don't always track them down.


Malware removal

If the preliminary analysis shows consistent evidence that your computer is infected, you then need to determine how to restore your system to its normal state.

You first need to check which anti-malware software is currently installed and its status. It may be that no program is installed, or that the installed product is outdated (because it has been discontinued or the version present on the system isn't the most recent). The possible infections are various: trojan horse, worm, virus, rootkit, etc. An outdated antivirus program is the same as no antivirus program.

As your resident antivirus may itself be compromised, to perform the elimination process and scan the system I like to use an online antivirus scanner that can also remove infected files. Examples of these online scanners include NOD32, McAfee (which only supports Internet Explorer) and Bitdefender.

The safest way to proceed is to boot your computer in Safe Mode by pressing the F8 key during startup. From the resulting menu choose Safe Mode with Networking. This way Windows loads only its core drivers and system files, but not the malware, letting you scan the system faster and without interference. Sometimes the malware payload itself gets in the way: several viruses and trojans open a huge number of pop-up windows, which clogs your system and your RAM and makes it impossible to get rid of them. Booting into Safe Mode prevents this from happening.

Fig. 1

For a first check on the situation I suggest scanning the system with these programs: SUPERAntiSpyware (Fig. 1, Fig. 2), Malwarebytes' Anti-Malware (Fig. 3), Spybot Search & Destroy, and McAfee Stinger. There are others around, but these are the ones I have personally used. I can remember one occasion when Malwarebytes was the only software that successfully removed a hoax virus from the computer of one of the employees at my company.

After updating, upgrading or installing the anti-malware software, the first thing to do is disconnect the computer from the local (or home) network to prevent the infection from spreading.
Fig. 2

Once you have removed all infected files from a client, it is important to understand whether the incident concerns only that specific client or is more extended, and whether other clients or even the server have been affected.

If you have been lucky and intervened in time to contain the infection, you only have to think about a prevention plan. If not, you will have to think about a disaster recovery plan and clean up all the PCs involved, including the server. A prevention plan may include employee training on internet and email safety, and evaluating whether the current security systems in place are sufficient and making the necessary changes if they are not, such as upgrading outdated versions of antivirus software or switching to another product.

I will never stop pointing out the importance of the human factor in security systems and in determining possible breaches and incidents. Beyond the technical aspects, a corporate culture that educates and motivates employees on best practices is important. Employees need to understand the reasons for security measures and the consequences of not following them. By actively engaging employees and involving them in security measures rather than treating them as passive subjects, a company can achieve its targets efficiently.

That being said, no system is 100% safe. Modern security and risk management concepts don't focus on keeping the enemy off the walls, but rather on what lessons can be learned from a malware incident. In fact, when a security incident occurs, it can show us that software we considered reliable is not, or lead us to find better and safer ways to get the job done. Infections are always mayhem for both home and corporate users, but they can also be an opportunity to improve.


Fig. 3