0

My PC is affected with a worm which actually launches my browser with some random URL. My thinking is it is residing in some startup script or Registry. Can someone suggest how I can detect and remove this malware?

OS: Windows 7 Pro

gmuhammad
  • 183

3 Answers

2

There are usually three locations to check: the Startup menu folder, the registry run key and msconfig Services tab. The msconfig Startup tab should reflect the registry entries but it's a good idea to check both. In all of these places, delete or disable all that is not trustworthy or that you don't want to run at startup.

  1. Startup folder:

    C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    
  2. Registry: run (CTRL+R) regedit, search (F3) for key run (match whole string only), and after a few you should end up at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run. This way, you should encounter the run keys for other users as well as for the default user: better check them, too.
  3. Msconfig: run (CTRL+R) msconfig and see tabs Services and Startup.

UPDATE: Also check the Task Scheduler as per Alex's comment: it can contain tasks that are to be executed at startup.

Apart from doing this, you should run a full antivirus scan before trusting your system again.

simlev
  • 3,912
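The checks this answer walks through by hand (the Startup folder, the Run keys in every user hive, the Task Scheduler) can be scripted. The block below is an added example, not code from the answer or from Microsoft: it dumps those locations and flags any entry whose executable is missing or carries no valid Authenticode signature, which is the same "is this trustworthy?" question the answer asks. It assumes an elevated prompt, the PowerShell 2.0 that ships with Windows 7, and English `schtasks` column headers; the helper names are my own.

```powershell
# Added example, not part of the answer above: enumerate the autostart locations the
# answer lists (Run/RunOnce keys for every loaded user hive, the Startup folders,
# Scheduled Tasks) and flag entries whose executable is missing or not Authenticode-signed.
# Run from an elevated PowerShell; written for the PowerShell 2.0 that ships with Windows 7.
# Assumes English schtasks column headers ("TaskName", "Task To Run"). Helper names are mine.

function Get-ImagePath([string]$Command) {
    # Pull the executable out of a command line such as  "C:\x\a.exe" /flag  or  C:\x\a.exe /flag
    if (-not $Command) { return $null }
    $Command = $Command.Trim()
    if ($Command.StartsWith('"')) {
        $end = $Command.IndexOf('"', 1)
        if ($end -gt 1) { return $Command.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($Command, '^(\S+\.(exe|dll|cmd|bat|vbs|js|scr))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($Command -split '\s+')[0]
}

function Test-Entry([string]$Location, [string]$Name, [string]$Command) {
    # Resolve the image, check its signature and return one row for the final report
    $path = [Environment]::ExpandEnvironmentVariables([string](Get-ImagePath $Command))
    $status = 'MISSING'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        $status = [string]$sig.Status                          # Valid, NotSigned, HashMismatch, ...
        if ($sig.Status -eq 'Valid') { $status = "Valid: $($sig.SignerCertificate.Subject)" }
    }
    New-Object PSObject -Property @{ Location = $Location; Name = $Name; Command = $Command; Signature = $status }
}

$results = @()
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider noise, not values

# 1. Run/RunOnce keys: machine-wide (64- and 32-bit views) plus every loaded user hive.
#    HKEY_USERS only holds hives of logged-on users and .DEFAULT; logged-off users need "reg load".
if (-not (Get-PSDrive HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys = @()
foreach ($root in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Wow6432Node') {
    $runKeys += "$root\Microsoft\Windows\CurrentVersion\Run", "$root\Microsoft\Windows\CurrentVersion\RunOnce"
}
foreach ($hive in Get-ChildItem HKU:\ -ErrorAction SilentlyContinue) {
    $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
    $runKeys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($v in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($meta -contains $v.Name) { continue }
        $results += Test-Entry $key $v.Name ([string]$v.Value)
    }
}

# 2. Startup folders: the all-users one plus each profile's own.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($userDir in Get-ChildItem "$env:SystemDrive\Users" | Where-Object { $_.PSIsContainer }) {
    $startupDirs += "$($userDir.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
}
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $dir | Where-Object { -not $_.PSIsContainer }) {
        # .lnk files point elsewhere; check the target, not the shortcut itself
        $cmd = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
        $results += Test-Entry $dir $f.Name ('"' + $cmd + '"')
    }
}

# 3. Scheduled tasks (Get-ScheduledTask does not exist on Windows 7, so parse schtasks output).
#    schtasks repeats its CSV header per task folder; those repeats show up as rows named "TaskName".
foreach ($t in (schtasks /query /fo CSV /v | ConvertFrom-Csv) | Where-Object { $_.TaskName -ne 'TaskName' }) {
    $results += Test-Entry 'Scheduled Task' $t.TaskName $t.'Task To Run'
}

# Unsigned and missing images sort before "Valid: ..."; review those first.
$results | Sort-Object Signature | Format-Table -AutoSize Signature, Location, Name, Command
```

Two caveats when reading the report: msconfig's Startup tab is built from the same Run keys and Startup folders, so it adds nothing this list does not already show; and tasks whose action is a COM handler rather than a program show up as MISSING because there is no file to sign-check, so those still need a manual look (Autoruns resolves the CLSID for you). A signature only proves who published the file, not that it belongs on a startup list, so treat "Valid" as a filter, not a verdict.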
2

There are several things you can try:

ONE: Process Explorer and Process Hacker can show you the parents of each process. In the screenshot below, Process Hacker reveals that MultiCommander has launched Firefox.

[screenshot: Process Hacker process tree with Firefox shown as a child of MultiCommander]

Of course, this is only possible when Firefox is closed and started from scratch, but I think you can manage. You can then use Process Explorer or Process Hacker to locate the sucker that launched the browser and delete it.

Twist: What if the process that you want to delete launches your browser and then ends? Here, Process Explorer has an advantage over Process Hacker. Process Explorer remembers the name of that process even after it has ended, provided that Process Explorer is started before that process ends. (You can right-click on Firefox.exe or whatever browser you use and select Properties to see that.) That way, you can search for a file with that name.

TWO: Autoruns can show you all the nooks and crannies of Windows that launch startup apps. It can be overwhelming at first glance. I bet you didn't know there are so many places from which malware can start!

[screenshot: Autoruns main window listing autostart entries]

But there are ways to filter the results:

  1. Go to Options > Scan Options... and check "Verify code signatures". (Most important step)
  2. Make sure Options > Hide Microsoft Entries is checked
  3. Make sure Options > Hide Windows Entries is checked

You will most probably find your malware in the Logon or Scheduled Tasks tab. It is probably not digitally signed, so it will show up in red.

The good thing about Autoruns is:

  1. You can save the results and send it to someone for analysis.
  2. You can analyze an operating system while offline. So, if you suspect you are infected by a rootkit that is avoiding detection by subverting the Windows kernel, you can boot from a Windows setup disc, run Autoruns from there, connect to the now-offline OS and catch that malware while asleep!
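The parent-process trick in step ONE, and the "twist" where the launcher has already exited, can also be done from a PowerShell prompt without a GUI tool. The block below is an added example, not code from the answer or from Sysinternals: it walks from each running browser back through its live ancestors, prints the browser's command line (which usually carries the URL the launcher passed in), and stops with an explicit marker when the parent is gone or its PID has been recycled, which is exactly the case where only a tool that was already running, such as Process Explorer, still knows the name. The browser executable names are assumptions; adjust them to your browser.

```powershell
# Added example, not from the answer above: walk the process tree from the browser back to
# whatever launched it, handling the case where the launcher has already exited.
# Uses Get-WmiObject so it also runs on the PowerShell 2.0 that ships with Windows 7.
$browserNames = 'firefox.exe', 'chrome.exe', 'iexplore.exe'   # assumed; adjust to your browser

$procs = Get-WmiObject Win32_Process          # one snapshot; PIDs and parents are read from it
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Get-Lineage([int]$ProcessId) {
    # Returns the chain of live ancestors of a PID, oldest first. Stops with a string marker
    # when the parent has exited, or when its PID was reused by a process younger than the child.
    $chain = @()
    $p = $byPid[$ProcessId]
    while ($p) {
        $chain = ,$p + $chain
        # PID 0 (System Idle Process) is its own parent; stop there to avoid looping forever
        if ([int]$p.ProcessId -eq 0 -or [int]$p.ParentProcessId -eq [int]$p.ProcessId) { break }
        $parent = $byPid[[int]$p.ParentProcessId]
        if (-not $parent) {
            # The "twist" from the answer: WMI no longer knows the name of an exited parent.
            $chain = ,"<parent exited, was PID $($p.ParentProcessId)>" + $chain
            break
        }
        $childStart  = $p.ConvertToDateTime($p.CreationDate)
        $parentStart = $parent.ConvertToDateTime($parent.CreationDate)
        if ($parentStart -gt $childStart) {
            # A parent cannot start after its child: the PID was recycled by an unrelated process.
            $chain = ,"<parent exited, PID $($p.ParentProcessId) reused by $($parent.Name)>" + $chain
            break
        }
        $p = $parent
    }
    return $chain
}

foreach ($b in $procs | Where-Object { $browserNames -contains $_.Name.ToLower() }) {
    Write-Host "`n$($b.Name) (PID $($b.ProcessId)) command line: $($b.CommandLine)"
    Write-Host '  launch chain:'
    foreach ($a in Get-Lineage $b.ProcessId) {
        if ($a -is [string]) { Write-Host "    $a" }
        else { Write-Host ("    {0} (PID {1}) {2}" -f $a.Name, $a.ProcessId, $a.ExecutablePath) }
    }
}
```

Run it right after the browser pops up on its own, while the launcher may still be alive. A chain ending in `explorer.exe` means the user (or something impersonating a double-click) started it; a chain ending in an unsigned binary in a user-writable folder, or in an `<parent exited ...>` marker, is what to chase next. As the answer says, for the exited case start Process Explorer first and leave it running, since it keeps the parent's name after the parent is gone.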
0

AdwCleaner, from Malwarebytes, is quite a good tool for removing malware such as this. It automatically detects rogue registry keys or settings, as well as scanning a host of other files and settings. I've had good success with it with many different browser hijackers, and different malware(s). Good Luck!

Bilfred
  • 673