How to troubleshoot a suspected Malware infection

PDFPrintE-mail

Please follow the below steps if you suspect that you may be infected with a threat which your Symantec product isn’t detecting:

-    Ensure you have the latest virus definitions by running LiveUpdate.
-    Run a full system scan, removing any malicious files which are detected.

If, after following the above steps, no threat is found, check for any recently created or suspicious files in the following locations:

-  C:Documents and SettingsAll UsersStart MenuProgramsStartup
-  C:Documents and Settings[user name]Start MenuProgramsStartup
-  C:Documents and SettingsAdministratorStart MenuProgramsStartup
-  C:Documents and SettingsDefault UserStart MenuProgramsStartup
-  C:WinNTProfilesAll UsersStart MenuProgramsStartup
-  C:WinNTProfiles[user name]Start MenuProgramsStartup
-  C:WinNTProfilesAdministratorStart MenuProgramsStartup
-  C:WinNTProfilesDefault UserStart MenuProgramsStartup
-  C:WindowsStart MenuProgramsStartup
-  C:WindowsAll UsersStart MenuProgramsStartup

Check the common loading points for any suspicious files using the msconfig utility:

For Windows 98/Me
-  Click Start, and click Run. The Run window appears.
-  In the Open box, type msconfig and click OK. The System Configuration Utility appears.
-  Click the Startup tab.
-  Scroll through the list of files.
-  If you see a suspicious file, then note the name.
-  Click the Win.ini tab and then clear the checkbox in front of [windows]. Look for any entries in the Load= or Run= lines. Note any files that you see.
-  Click the System.ini tab and then clear the checkbox in front of [boot]. You should see an entry Shell=Explorer.exe. Check to see if there is another file name to the right of Explorer.exe. If there is, then note the file name.
-  Click Cancel to close the System Configuration Utility.

For Windows XP
-  Click Start, and click Run. The Run window appears.
-  In the Open box, type msconfig and then click OK. The System Configuration Utility appears.
-  Click the General tab.
-  Click Selective Startup.
-  Click the Startup tab.
-  Scroll through the list of files.
-  If you see a suspicious file, then note the name.
-  When you are finished, click Cancel to close the System Configuration Utility.

Check registry load points:

-  Click Start, and click Run. The Run window appears.
-  In the Open box, type regedit and then click OK. The Registry Editor appears.
-  Browse to the following registry keys and note any suspicious file names in the right hand pane.

HKEY_CURRENT_USERSoftwareMicrosoftWindowscurrentversionRun
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowscurrentversionrunonce
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowscurrentversionrunservices
HKEY_CURRENT_USERSOFTWAREMicrosoftWindowscurrentversionrunservicesonce

HKEY_CURRENT_USERSoftwareMicrosoftWindowscurrentversionPoliciesExplorerRun
HKEY_CURRENT_USERSoftwareMicrosoftwindowsntcurrentversionWindows
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowscurrentversionRun
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowscurrentversionrunonce
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowscurrentversionrunonceex
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowscurrentversionrunservices
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowscurrentversionrunservicesonce
HKEY_LOCAL_MACHINESoftwareMicrosoftWindowscurrentversionPoliciesExplorerRun
HKEY_LOCAL_MACHINESOFTWAREMicrosoftwindowsntcurrentversionWindows
HKEY_LOCAL_MACHINESOFTWAREMicrosoftwindowsntcurrentversionWinlogon
HKEY_LOCAL_MACHINESoftwareMicrosoftwindowsntcurrentversionWindowsappinit_dlls
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowscurrentversionExplorersharedtaskscheduler
HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTCurrentVersionWinlogonNotify
HKEY_LOCAL_MACHINESoftwareMicrosoftSharedToolsMSConfigstartupfolder
HKEY_LOCAL_MACHINESoftwareMicrosoftSharedToolsMSConfigstartupreg

Check for any suspicious processes running in task manager:

-  Press Ctrl+Shift+Esc to open the Task Manager.
-  Click the Process tab.
-  Click "Image Name" twice to sort the processes.
-  Look through the list for possible threats and take a note of the file name.

Submit suspicious files for analysis:

Any suspicious files identified in the above steps should be submitted to Symantec Security Response for analysis:

-  There are 2 locations to which you can submit malware:

http://www.threatexpert.com/submit.aspx - use this submission page if you would like a quicker response on your submitted malware. It also provides a place to track your past submissions
https://submit.symantec.com/retail - use this submission page if you would like to pass along malware information to Symantec without an immediate follow-up
-  Locate the files identified above and submit for analysis following the instructions provided

-  An email with a tracking number one will sent once the submission has been received.
-  A closing email will be sent once submissions have been processed with the results of the analysis
-  For files which are determined to be malicious, details of the definition versions which provide detection will be included in the email.


Read Full Article