How to avoid getting infected / remove malware

Submitted by Sozin, Thread ID: 6090

08-07-2015, 03:56 AM
You are free to have this leak but bear in mind, it's not mine, so don't bother me if the links/program/source/whatever stop working. I take no responsibility for this; use at your own risk.
~Sozin

1.1 Scanning [Image: 4nerSv0.png]
__________________________________________________________________________________________________________________________
Make sure to scan all the files you download on VirusTotal or Malwr.
They give critical information about programs,
such as whether it starts on launch, steals information, etc.
Even if the scanned file has 0 detections, you are still vulnerable.
Malwr.com
I really like this one; I think it gives as much information as Sysanalyzer, which I will get to.
Signatures [Image: 1f556254f6bc59082a4de2519cd092a7.png]
Keep in mind that Malwr also provides screenshots of the file it launched.
Malwr.com is not considered a Virtual Environment, so anti-VM has no effect.
More information it provides [Image: f6012fb236445044d7e4c89ff219f3bc.png]
VirusTotal
VirusTotal doesn't go as deep as Malwr.com does; it was made for scanning but also shows
a small amount of information about the program that has been run.
I recommend scanning on VirusTotal since they distribute samples, meaning if the malware is undetected,
it will soon be detected. (They send samples to AV companies.)
1.2 Sandboxie [Image: cK2cyfI.png]
__________________________________________________________________________________________________________________________
This tool is pretty cool; you can run programs in it without the risk of getting your machine infected.
Keep in mind that password stealers still work in Sandboxie, as mentioned by Zoinexion.
Check out his thread for more information regarding Sandboxie.
You can download Sandboxie here.
1.3 Virtual Machine [Image: WqicLTi.png]
__________________________________________________________________________________________________________________________
A Virtual Machine is, roughly speaking, a machine in a machine. So if you have Windows, for example,
you can create a virtual machine with another copy of Windows.
Anything you do in that Virtual Machine cannot harm your main computer.
Image of a VM [Image: fdcb1b072e64ad75a58a351409409a46.png]
These are great to use; you can always run programs in a virtual machine, knowing the risks.
If your Virtual Machine is empty, the person who infected you can't do much.
He can still open your CD tray though.
You can download VMware Workstation here.
1.4 Sysanalyzer [Image: w97xMA9.png]
__________________________________________________________________________________________________________________________
This is one of my favorites; it shows you exactly what a program does after you launch it.
Keep in mind this is not a sandbox, so it is recommended to run it in a VM.
Image of the UI [Image: 75f7bfc5d21f2148b714bfc31648ac0b.png]
After running malware with it, it shows me that it made some registry changes. This is often for startup and persistence.
Registry changes [Image: 2279a9c3563d74eab48d9dc01f586939.png]
Processes that started running after launch [Image: 6e5c5313e2207e3a519d2b21b5b9d003.png]
Connection logs [Image: 625d5ca6a6ee18e72ed3e019ec63fdcd.png]
7:26:50 PM B48 /AutoIt3ExecuteScript "C:\Users\Ferat\AppData\Local\Temp\611515" /AutoIt3ExecuteScript "C:\Users\Ferat\AppData\Local\Temp\611515"
7:26:50 PM D88 TERMINATED croror.exe
7:26:51 PM FE8
7:26:51 PM B48 TERMINATED croror.exe
7:26:53 PM 810 TERMINATED dllhost.exe
7:26:53 PM D70 /AutoIt3ExecuteScript "C:\Users\Ferat\AppData\Local\Temp\712196" /AutoIt3ExecuteScript "C:\Users\Ferat\AppData\Local\Temp\712196"
7:26:53 PM FE8 TERMINATED imnotavirus.exe
7:26:54 PM 694
7:27:00 PM 694 TERMINATED vbc.exe
Here you can see that it executed a script, terminated the original file, executed another script and then launched the process with the name I gave it.
You can get Sysanalyzer here.
1.5 Up to date AVs [Image: RMZXZWm.png]
__________________________________________________________________________________________________________________________
I really recommend that people get Eset Nod32. It is usually one of the fastest AVs to give malware detections.
Even if you are infected, give it a week max, run a scan and you should be good again.
Most people have a hard time crypting against Eset Nod32, and even if it is undetected, it won't be long before it is detected.
But that isn't the main reason why I like Eset Nod32.
It also gives you this cool feature. [Image: 18f21436b6cd5d92f58007ac8ea2f8b4.png]
It shows you a list of all running processes.
All you need to do is pay attention to these: [Image: 13e58a338884dfda36e9a9ee5f8efd14.png]
The ones with the exclamation marks indicate that the process is new.
Note that if you are running 32-bit, some malware will be able to hide itself from the process list.
You can get Eset Nod32 here.
1.6 Trust and Ending [Image: 3xDYXV9.png]
__________________________________________________________________________________________________________________________
Check whether the person your download is from is trusted. Always read the comments and check the feedback.
Also try to look at your processes and see if you find something suspicious.
If you follow this guide, I am sure you will stay safe on the internet.
Keep in mind that smart malware does not have anti-Sandboxie, nor anti-VM.
It could've been bound to an actual program with a delay of 5 minutes before startup.
If a program works, it doesn't mean it's not infected.
I wrote this one myself; it is not a leak, but I don't know where else to post it.
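As an added example (not part of Sozin's post or of Sysanalyzer itself), a small Python script that parses a Sysanalyzer-style process log in the layout shown in the post and flags the steps the post points out: an AutoIt script executed from %TEMP%, a process that runs a script and then exits, and short-lived helper processes. The log lines are constructed, and the column layout is assumed from what the page shows (time, hex PID, then either a command line or "TERMINATED <image>").

```python
import re
from datetime import datetime

# Constructed sample (not the author's log) in the same layout as the Sysanalyzer
# process log in the post: "<time> <hex PID> <command line | TERMINATED <image>>".
SAMPLE_LOG = """\
7:26:50 PM B48 /AutoIt3ExecuteScript "C:\\Users\\user\\AppData\\Local\\Temp\\611515"
7:26:50 PM D88 TERMINATED dropper.exe
7:26:51 PM FE8
7:26:51 PM B48 TERMINATED dropper.exe
7:26:53 PM D70 /AutoIt3ExecuteScript "C:\\Users\\user\\AppData\\Local\\Temp\\712196"
7:26:53 PM FE8 TERMINATED imnotavirus.exe
7:26:54 PM 694
7:27:00 PM 694 TERMINATED vbc.exe
"""

LINE_RE = re.compile(r'^(\d{1,2}:\d{2}:\d{2} [AP]M) ([0-9A-Fa-f]+)(?: (.*))?$')
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)

def parse_log(text):
    """Return a list of (time, pid, kind, detail); kind is exec, terminated or seen."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines
        ts, pid, rest = m.group(1), m.group(2).upper(), m.group(3) or ''
        when = datetime.strptime(ts, '%I:%M:%S %p')
        if rest.startswith('TERMINATED '):
            events.append((when, pid, 'terminated', rest[len('TERMINATED '):]))
        elif rest:
            events.append((when, pid, 'exec', rest))
        else:
            events.append((when, pid, 'seen', ''))  # PID logged without a command line
    return events

def find_indicators(text, short_lived_secs=10):
    """Flag AutoIt scripts, payloads under %TEMP%, a PID that runs a script and
    then exits, and PIDs that appear and terminate within short_lived_secs."""
    findings, first_seen = [], {}
    for when, pid, kind, detail in parse_log(text):
        first_seen.setdefault(pid, (when, kind))
        if kind == 'exec' and '/AutoIt3ExecuteScript' in detail:
            findings.append(f'{pid}: AutoIt script executed')
        if kind == 'exec' and TEMP_RE.search(detail):
            findings.append(f'{pid}: payload path under %TEMP%')
        if kind == 'terminated':
            start, start_kind = first_seen[pid]
            age = (when - start).total_seconds()
            if start_kind == 'exec':
                findings.append(f'{pid}: ran a script, then {detail} exited ({age:.0f}s)')
            elif start_kind == 'seen' and age <= short_lived_secs:
                findings.append(f'{pid}: short-lived process {detail} ({age:.0f}s)')
    return findings
```

Running `find_indicators(SAMPLE_LOG)` reproduces the chain the post describes: script execution, the original image exiting, a second script, and a short-lived renamed process.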