Malware has learned how to sneak past your antivirus and hide in your computer. Jane Hoskyn shows you how to weed out these silent killers
There is probably malware in your PC. You can’t see it, you can’t hear it and you can’t smell it, but chances are it’s there.
The latest annual Kaspersky Security Bulletin says 38 per cent of Kaspersky users’ PCs were hit by “at least one” malware attack in 2014. We reckon that figure is pretty conservative. After all, those users were running products that consistently top the antivirus (AV) tests run by our security team at Dennis Technology Labs (DTL, www.dennistechnologylabs.com). Many people run much less powerful AV software, and some don’t run any at all.
Moreover, the study only takes account of malware that was spotted. Undetected malware, by definition, won’t be included in that headline 38 per cent figure. This all means a huge number of us may well have fallen prey to a silent PC killer. You, me, your next-door neighbour... (definitely your next door neighbour).
To check we’re not just being paranoid, we asked DTL if they thought our computer might be hosting hidden malware. We expected a long-winded, technical reply that translated as “maybe”, but the answer was quick and unequivocal: “Definitely!”
Shouldn’t your antivirus block malware?
As the Kaspersky study shows, even the most powerful AV is far from fallible. That’s no reason not to use AV (please do!), but don’t assume it’ll catch every strain of malware - especially new bugs that security companies aren’t yet familiar with. Viruses, Trojans, worms, ransomware and other forms of malware evolve constantly and quickly to thwart their predators, and have even developed ways to regenerate. That’s how viruses survive, in technology just as in nature.
Over the next few pages we’ll show you how to weed out your PC’s hidden nasties and destroy them so they never come back.
FIND THE HIDDEN MALWARE ON YOUR PC
Investigate mystery processes
You all know the obvious signs your PC is malware-infected. It crashes a lot, it takes longer to start up and shut down, your browser homepage has changed (and refuses to change back), or there’s a big ransom note on your screen.
But the really clever malware dispenses with these clumsy tell-tale signs. Its files hide themselves in the nether reaches of your system folders, and its processes are cunning devils that won’t slow your PC or show up in Task Manager.
This being the case, this malware can run undetected for months or even years, logging what you type, recording your passwords and even, in the case of silent rootkit malware like Zeus, stealing from you when you log into your bank’s website.
Any attempts to weed out this stuff starts with startup. We often recommend the free tool Autoruns (www.snipca.com/15791) for removing pointless processes from Windows startup, but it’s a must-have if you want to find malware, too.
Autoruns is portable, so there’s no installation process to worry about. Download it by clicking the blue ‘Download Autoruns and Autorunsc’ link, then save the small (1.24MB) ZIP file to your Desktop, extract its contents and click ‘autoruns.exe’ to run it (or right-click and choose ‘Run as administrator’ for more thorough results). Wait a couple of seconds while it lists every process that starts with Windows on your PC, including Registry activity, browser extensions and drivers - including the malicious ones. These kind of processes (especially the hidden malware) won’t show up in Task Manager, so don’t even bother with that.
Your Autoruns list will probably look quite intimidating, so use the Options menu to narrow it down bit by bit. Tick Hide Empty Locations, then Hide Microsoft Entries, and let the list refresh until it only contains active third-party items.
Now read down the list and, if you see something you don’t recognise, right-click it and click Search Online (or press Ctrl+M) to check it out on Google in your browser. This is more useful than it sounds. Google searches for the full file name associated with the process (for example, ‘snagitshellext.dll’ in our screenshot) and provides links to the relevant pages of numerous security sites, such as File.net (www.file.net), which reveals whether certain files are safe; Process Library (www.processlibraiy.com), which explains what the process is and why it’s running; and the excellent Should I Block It? (www.shouldiblockit.com), which tells you whether the process should stay or go.
Find suspicious hidden processes automatically
The latest version of Autoruns (13.2, updated in March) incorporates the file-checking database VirusTotal (www.virustotal.com) and adds a Check VirusTotal option to the right-click menu.
At first we assumed (not unreasonably) that we could simply click Check VirusTotal to run an instant check in VirusTotal online, in the same way the Search Online option runs an instant check in Google. Well, it’s not quite that simple - you have to click a few set-up buttons, and the process is far from straightforward.
First, right-click an item and click Check VirusTotal. VirusTotal’s Terms of Service’ page opens in your browser; you don’t need to click anything on the page, just close it. Next, you need to enable VirusTotal scanning in Autoruns. Go to the Options menu, click ‘Scan options’, tick ‘Check VirusTotal.com’, tick Submit Unknown Images, and then click Rescan.
Your Autoruns list is then scanned by VirusTotal in next to no time, and reloads after just a few seconds. Now click Options, then click Hide VirusTotal Clean Entries, and the list will reload again, showing only the items VirusTotal has flagged as potentially malicious.
As you can see from our screenshot, ‘potentially malicious’ is a fairly broad description. VirusTotal flagged all our installed IObit tools, for example. We’ve got our problems with IObit, too, but we do know its tools aren’t malware.
The reason they’re flagged up in VirusTotal is down to the way VirusTotal works. It collates data from 57 (and counting) security programs and, if only one of those programs says the process is dodgy, VirusTotal marks it as such. Our IObit tools were only deemed malicious by one of the 57, as you can see from the VirusTotal column in Autoruns. Click the fraction (‘1/57’ in this case) to open an Analysis web page showing results from all 57 security programs (this can take a minute or two to load). Click ‘Additional information’ and ‘File detail’ to find out more about the file and where it came from.
Root out rootkits your AV can't see
Some malware makes its presence obvious (ransomware, for example); other malware needs to be tracked down using Autoruns and VirusTotal. But there’s another type that’s far better hidden. Rootkit and ‘backdoor’ malware hides deep inside your system, using your PC’s root tools as an invisibility cloak. You can’t see it, your operating system can’t see it and your AV can’t see it. And, as we’ve seen in the case of Zeus, even the security software used by banks and governments can’t see it.
Root tools aren’t inherently malicious. They’re built into your PC and other devices to hide system settings from meddling hands (hence the ‘rooting’ you read about, usually in relation to Android). Rootkits and backdoor bugs such as Zeus, SpyEye and Citadel (www.snipca.com/15816) hijack your root tools and wreak havoc under cover.
There are plenty of free tools for finding and removing rootkit and backdoor malware. They work separately from your installed AV and won’t interfere with it. We recommend Malwarebytes Anti-Rootkit Beta (www.snipea.com/15810) because, despite its (long-standing) beta status, it’s very easy to use and doesn’t bamboozle you with jargon.
Click the green Download button, save the EXE file and click to run it. There’s no installation involved, but you will need to choose an ‘extraction path’ (click OK) and, in our case, bat away a possible false positive before the tool launches properly. (Our false positive was Applnit_Dlls’, which Malwarebytes forum users suggest is a safe graphics file: www.snipca.com/15811. We took our chances and clicked No to ignore it. It seems fairly common, so it may be flagged on your PC, too.)
When the program window opens, click Next, then Update to download the latest malware definitions, which may take a minute or two. Click Next, then Scan. The scan is thorough and will take a while; ours took almost an hour. It’s also memory-intensive, so your other programs will slow down. Best leave it to run by itself, perhaps when you go to bed.
All being well, when you come back you’ll see a green tick and the reassuring message: ‘Scan Finished: No malware found!’. If the scan does detect rootkit malware, click the Cleanup button and restart your PC to blitz the offender - hopefully Malwarebytes’ own website admits you should run the scan again (repeatedly, if necessary) to make sure the malware has gone.
REMOVE HIDDEN MALWARE COMPLETELY
Remove stubborn hidden malware
If Malwarebytes Anti-Rootkit can’t combat a rootkit infection, move on to GMER (www.gmer.net), recommended by our security team at DTL. This free tool is raw, no-nonsense extremely powerful. GMER is especially well-suited to 64bit PCs, but will work on any PC running Windows XP or later.
You’ll see from GMER’s website that this is not a program designed to appeal to the masses. Click the small grey Download EXE button under the screenshot and run the file (the intimidatingly named ‘r7ouccll.exe’), wait a minute or two for the program window to appear, then click Scan.
As with Malwarebytes Anti-Rootkit, the scan takes some time and will slow down your PC, so leave it to run on its own. To speed things up, use the tick boxes at the right of the window to narrow down the scan to certain parts of your PC only, such as Registry, Files or Libraries.
If GMER finds any sign of malicious rootkit activity, the troublesome file will be displayed in red and a ‘WARNING!!!’ pop-up will appear. Click OK to remove the file, then restart your PC. We’d recommend running the scan again to make extra sure the file has been removed.
Fix damage done by hidden malware
Hidden malware can really mess up your PC, and this damage isn’t magically undone when the malware is removed. Clearing up is a vital part of the process.
If you’ve downloaded Malwarebytes Anti-Rootkit, you’ve already got the powerful free clear-up tool FixDamage. You’ll find it in the ‘Plugins’ folder in the ‘mbar’ folder on your Desktop. Before running it, save your work, close your programs and create a system restore point. Click ‘fixdamage.exe’, then Yes, then press ‘Y’ when the command-line window opens. The tool will automatically find and repair any changes to your system settings made by rootkit or backdoor malware.
Adware and other PUPs (potentially unwanted programs) also litter your PC with hidden leftovers. Adware may not sound as scary as rootkits, but you’re much more likely to encounter it - and it dumps hazardous junk in hard-to-reach locations in your Registry and operating system (OS). This junk may include files that change your system settings and regenerate when you delete them.
To find and remove adware, run the free portable program AdwCleaner (www.snipca.com/15819), one of our (and your) favourite security tools ever.
It scours your PC for hijackers, Trojans and their hidden leftovers. It won’t find everything, however, so run Malwarebytes Anti-Malware Free (www.snipca.com/15821) as well. Malwarebytes Anti-Malware Free is not an AV program, because it doesn’t attempt to stop nasties getting into your system (despite its claim to “protect you from malware”), but it’s great for finding bugs and traces that AdwCleaner misses. If it detects malware you can click Review Detected Items to investigate the infection while the scan is still running. You can then remove selected items safely and completely.
Unlike the tools we’ve mentioned so far, Malwarebytes Anti-Malware Free does need installing. Click the black-and-white Download button, then save and run the setup wizard. There’s no adware to opt out of (we’d be horrified if there were), but do untick ‘Enable free trial of Malwarebytes Anti-Malware Premium’ before you click Finish.
STOP MALWARE HIDING IN YOUR PC AGAIN
Choose one antivirus
Your AV suite is the most important program on your PC. It’s your body armour on the malware battlefield. If you choose and use your AV wisely, you may never have to remove hidden malware - because it stands a much smaller chance of getting into your PC in the first place.
In DTL’s most recent Anti-Malware Report (www.snipca.com/15775; scroll down for the latest results as a PDF), only one product, Kaspersky Internet Security 2015 (www.kaspersky.co.uk/internet-security), blocked all 1,140 threats. But Kaspersky is a huge and memory-hogging program, so you might prefer the lighter ESET Smart Security (www.eset.co.uk/Home), which came a close third behind Kaspersky and Norton Security (www. snipca.com/15822). Both ESET and Kaspersky cost £39.99 for a one-year, one-PC licence; Norton is £49.99.
The best free AV is Avast Free Antivirus (www.snipca.com/15823), which has fared very well against its paid-for rivals in all DTL’s recent tests and includes an ‘intelligent anti-malware’ scanner that detects threats no-one has even heard of yet. Its paid-for version (£39.99) also has a ‘virtual window’ tool that lets you conduct online transactions without being detected by hackers using rootkit malware.
Don’t use Microsoft Security Essentials (MSE, www.snipca.com/15824). MSE is free and made by Microsoft (trustworthy, you’d think), but the program has failed dismally in all DTL’s lab tests since 2013. If it’s on your PC, get rid of it and install an AV that works.
Whatever AV you choose, it should be your one and only. Two or more AV suites will conflict with each other and neither will work properly, leaving you unsafe. Malwarebytes Anti-Malware Free is not an AV and can be run safely alongside your AV.
Cut down your installer habit
Nothing you do on your PC is safe unless your AV is enabled and up to date. However, you can help it by cutting out ways for malware to reach your system. One option is to stay off the internet completely, but we wouldn’t recommend that - the internet is fantastic and mostly safe, especially if you use a free advert-blocker such as Adblock Plus (https://adblockplus.org). The next best option is to stop using software installers.
When you install software, you give its setup wizard privileged access to your Registry and hidden system folders, so it can plant program files and settings there. If adware can get into your system this way, so can invisible malware. So think twice before running an installer for a free program from a developer you’ve never heard of.
Portable programs are a safer alternative. Most of the security tools we’ve mentioned here are portable, which means they don’t have to be installed at all. On the downside, they don’t update automatically because they don’t insert any files into your Registry. They’re also easy to lose track of in your PC, because they’re not indexed as software by Windows. Still, if we had to choose between a PC full of hidden portable tools and hidden malware, we’d go for hidden portable tools any time.
Free web-based tools are another great alternative. They don’t need to be downloaded, let alone installed. You can edit photos online (Pixlr, www.snipea. com/15825), edit and manage documents online (Office Online, www.snipca.com/15826), check for hidden malware in any file (including EXE files) or URL using the online version of VirusTotal (https://www.virustotal.com) and much more, all in your browser.