Windows Vista
Windows 7
Windows Azure
Windows Server
Windows Phone
Windows 7

Windows 7 : Resolving Malware Issues (part 3) - Determining When Your System Is Infected with Malware

9/8/2011 4:54:21 PM

4. Determining When Your System Is Infected with Malware

As a enterprise support technician, you need to know how to recognize the symptoms of a malware infection on your client computers. Then, if your antivirus and anti-spyware are not functioning or not detecting any malware, you need to know how to remove malware manually.

Here are a few common signs of a computer being infected by a virus, worm, or Trojan horse:

  • Sluggish computer performance

  • Unusual error messages

  • Distorted menus and dialog boxes

  • Antivirus software repeatedly turning itself off

  • Screen freezing

  • Computer crashing

  • Computer restarting

  • Applications not functioning correctly

  • Inaccessible disk drives, or a CD-ROM drive that automatically opens and closes

  • Notification messages that an application has attempted to contact you from the Internet

  • Unusual audio sounds

  • Printing problems

Note that, although these are common signs of infection, these symptoms might also indicate other types of hardware or software problems that are unrelated to malware.

Signs of a spyware infection tend to be slightly different from those of other types of malware. If you see any of the following symptoms, suspect spyware:

  • A new, unexpected application appears.

  • Unexpected icons appear in the system tray.

  • Unexpected notifications appear near the system tray.

  • The Web browser home page, default search engine, or favorites change.

  • New toolbars appear, especially in Web browsers.

  • The mouse pointer changes.

  • The Web browser displays additional advertisements when visiting a Web page, or pop-up advertisements appear when the user is not using the Web.

  • When the user attempts to visit a Web page, she is redirected to a completely different Web page.

  • The computer runs more slowly than usual.

Some spyware might not have any noticeable symptoms, but it still might compromise private information.

5. How to Resolve Malware Infections

The most important way to resolve malware infections is to prevent them in the first place by running antivirus and anti-spyware programs daily with the latest virus and spyware definitions. If malware is discovered on a system, use the application to remove the malware if possible and quarantine it if not. If it is a new malware program, you might need to run a removal tool or perform a series of steps to remove it manually.

These steps naturally apply to malware that is detected. However, as important as it is to remember to use antivirus and anti-spyware daily, it is just as important to remember that no anti-malware application is foolproof. Many malware programs are in fact written around anti-malware software so that they cannot be detected. And if even a single malicious feature remains after a scan, that remaining malware program can install other malware programs.

If you suspect a problem related to malware after running antivirus and anti-spyware applications with the latest definitions, take the following steps:

  1. If you notice changes to Windows Internet Explorer, such as unwanted add-ons or a new home page, use Control Panel to look for and uninstall any unnecessary programs.

  2. Use the Startup tab of the System Configuration utility (Msconfig.exe) to clear any unnecessary startup programs. Note the Registry entry associated with any of these programs. (You can use this Registry information to delete the associated Registry keys if necessary.) Use the Services tab to disable any unnecessary services.

  3. Open Task Manager. Note any unusual services listed on the Services tab or unusual processes listed on the Processes tab. (Be sure to click Show Processes From All Users so you can see all running processes.) Use the Go To Process option on the Services tab and the Go To Service(s) option on the Processes tab to help learn the connection between services and processes that are unknown to you. Then, perform Web searches on services and processes that lack descriptions or that otherwise seem suspicious. If you can determine from your research that any services or processes are associated with malware, right-click them to stop them. Then, in the Services console, disable the associated service so that it cannot run again.

  4. Open the Registry Editor (Regedit.exe). Navigate to HKLM\Software\Microsoft\Windows\CurrentVersion\Run. In the details pane, note any Registry values associated with unwanted started programs. Write the path names provided to the target files in the Data column, as shown in Figure 11, and then delete the Registry values. Then, navigate to HKCU\Software\Microsoft\Windows\CurrentVersion\Run and do the same.

    Figure 11. Copy down the path names to files associated with unwanted startup programs, and then delete the Registry values.

  5. Using the path name information that you copied in step 4, visit these locations in the Windows file structure and delete the target files.

  6. If you still see signs of malware, install an additional anti-spyware and antivirus application from a known and trusted vendor. Your chances of removing all traces of malware increase by using multiple applications, but you should not configure multiple applications to provide real-time protection.

  7. If problems persist, shut down the computer and use the Startup Repair tool to perform a System Restore. Restore the computer to a date prior to the malware infection. System Restore typically removes any startup settings that cause malware applications to run, but it does not remove the executable files themselves. Do this only as a last resort: Although System Restore does not remove a user's personal files, it can cause problems with recently installed or configured applications.

Performing this series of steps resolves a great majority of malware problems. However, once malware has run on a computer, you can never be certain that the software is removed completely. In particular, rootkits are difficult to detect and remove. In these circumstances, if you suspect a rootkit and cannot remove it, you might be forced to reformat the hard disk, reinstall Windows, and then restore user files using a backup created prior to the infection.

5.1. PRACTICE: Enforcing an Anti-Malware Policy Through Group Policy
5.1.1. PRACTICE: Enforcing an Anti-Malware Policy Through Group Policy

In this practice, you use Group Policy to enforce specific settings for UAC and Windows Defender. These exercises require a domain controller running Windows Server 2008 R2 and a client running Windows 7 that is a member of the same domain.

EXERCISE 1 Enforcing UAC Settings Through Group Policy

In this exercise, you enforce new UAC default settings on computers running Windows 7 in the domain.

  1. Log on to the domain controller.

  2. Open Group Policy Management by clicking Start\All Programs\Administrative Tools\Group Policy Management.

  3. In the Group Policy Management console tree, navigate to Group Policy Management\Forest: Forest Name\Domains\Domain Name\Default Domain Policy.

  4. Right-click Default Domain Policy, and then click Edit from the shortcut menu. The Group Policy Management Editor opens.

  5. In the Group Policy Management Editor, navigate to Default Domain Policy\Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.

  6. In the details pane, double-click to open User Account Control: Switch To The Secure Desktop When Prompting For Elevation.

  7. On the Security Settings tab, click Define This Policy Setting, select Disabled, and then Click OK.

  8. In the details pane, double-click to open User Account Control: Behavior Of The Elevation Prompt For Standard Users.

  9. On the Security Settings tab, click Define This Policy Setting, select Prompt For Credentials from the drop-down list, and then Click OK.

    These settings remove the Secure Desktop from all UAC prompts.

  10. Click OK.

  11. Switch to the client running Windows 7. Restart the client, and then log on to the domain from the client as a domain administrator.

  12. Open an elevated command prompt by clicking Start\All Programs\Accessories, then right-clicking Command Prompt and clicking Run As Administrator from the shortcut menu.

  13. A consent prompt appears without a Secure Desktop.

  14. Log off the client, and then log on again to the domain from the client as a standard user without administrative privileges.

  15. In Control Panel, beneath User Accounts, click Change Account Type. A credential prompt appears without a Secure Desktop.

  16. Log off the client.

EXERCISE 2 Disabling Real-Time Monitoring for Windows Defender

A large corporate network should use a managed anti-spyware solution, which Windows Defender is not. Using Windows Defender to provide a secondary daily scan for malware on clients is a good idea, but you should not have two applications performing real-time monitoring. If your managed anti-spyware solution provides real-time monitoring, you should disable the same feature on Windows Defender by using Group Policy.

In this exercise, you use Group Policy to disable real-time monitoring for Windows Defender.

  1. Log on to the domain controller.

  2. Using the steps described in Exercise 1, open Group Policy Management and then choose to edit the Default Domain Policy.

  3. In the Group Policy Management Editor, navigate to Default Domain Policy\Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender.

  4. In the details pane, double-click to open Turn Off Real-Time Monitoring.

  5. In the Turn Off Real-Time Monitoring dialog box, select Enabled, and then click OK.

  6. Switch to Client1. Log on to the domain from Client1 as a domain administrator.

  7. Open a command prompt and type gpupdate. You might see a notification bubble appear indicating that Windows Defender is turned off.

  8. After the command finishes executing, click Start, type windows defender, and then click Windows Defender in the Start menu.

  9. In Windows Defender, click Tools, and then click Options.

  10. Select Real-Time Protection from the list of options.

  11. The settings are dimmed. Real-time monitoring is disabled.

  12. Return to the domain controller and the Default Domain Policy. Revert the Turn Off Real-Time Monitoring policy setting to Not Configured, and then click OK.

  13. Rerun gpupdate on Client1, and then close all open windows on both computers.

Other -----------------
- Windows 7 : Resolving Malware Issues (part 1) - Understanding Malware & Understanding UAC
- Microsoft Word 2010 : Expanding Word Functionality - Setting ActiveX Control Properties & Adding VBA Code to an ActiveX Control
- Microsoft Word 2010 : Expanding Word Functionality - Inserting ActiveX Controls
- Microsoft PowerPoint 2010 : Setting Add-in Security Options & Setting ActiveX Security Options
- Microsoft PowerPoint 2010 : Selecting Trusted Publishers and Locations & Setting Document Related Security Options
- Microsoft Visio 2010 : Linking to a Specific Location in a Document
- Microsoft Visio 2010 : Linking to a Website & Linking to a Document
- Microsoft Excel 2010 : Removing Table Rows and Columns & Entering Data in a Table Using a Drop-Down List
- Microsoft Excel 2010 : Creating Calculations in a Table & Working with Tables
- Microsoft Word 2010 : Using Content Controls to Create Documents
Video tutorials
- How To Install Windows 8

- How To Install Windows Server 2012

- How To Install Windows Server 2012 On VirtualBox

- How To Disable Windows 8 Metro UI

- How To Install Windows Store Apps From Windows 8 Classic Desktop

- How To Disable Windows Update in Windows 8

- How To Disable Windows 8 Metro UI

- How To Add Widgets To Windows 8 Lock Screen

- How to create your first Swimlane Diagram or Cross-Functional Flowchart Diagram by using Microsoft Visio 2010
programming4us programming4us
Top 10
- Sharepoint 2013 : New Installation and Configuration - Configuring Your SharePoint Farm
- Microsoft Dynamics CRM 4.0 : SharePoint Integration - Store Attachments in SharePoint Using a Custom Solution
- Migrating to Exchange Server 2007 : Migrating from Exchange 2000 Server or Exchange Server 2003 to Exchange Server 2007 (part 2)
- Maintaining Windows 7 : Check Your Hard Drive for Errors
- Personalizing and Configuring Windows 7 : The Windows 7 User Interface (part 3) - Branding Windows 7 like a PC Maker
- Duplicating and Copying DVDs (part 2) - Ripping DVDs to the PC
- Windows Phone 8 : Configuring Basic Device Settings - Wi-Fi Networking (part 2) - Removing Known Networks
- Client Access to Exchange Server 2007 : Using Outlook 2007 Collaboratively (part 1)
- Windows Phone 7 : AlienShooter Enhancements (part 2) - Tombstone Support, Particle System
- Microsoft Exchange Server 2007 : Single Copy Clusters (part 2) - Installing Exchange Server 2007 on the Active Node
Popular tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 windows Phone 7 windows Phone 8
programming4us programming4us
Popular keywords
HOW TO Swimlane in Visio Visio sort key Pen and Touch Creating groups in Windows Server Raid in Windows Server Exchange 2010 maintenance Exchange server mail enabled groups Debugging Tools Collaborating
programming4us programming4us
Natural Miscarriage
Windows Vista
Windows 7
Windows Azure
Windows Server
Game Trailer