petef Posted July 23, 2008

I've been successfully cleaning malware-infested PCs for years in my computer service business, but in the past few months I've had to format and reload Windows on a large percentage of customers' PCs. Most times it's due to malware named VUNDO, VIRTUMONDE, SMITHFRAUD, and SPYWARELOCKER. I use a combination of cleaning methods and utilities: NOD32, AVG, SuperAntiSpyware, Spybot, SDFIX, SmithfraudFix, various Vundo scanners, ComboFix, and HijackThis, in addition to manual cleaning of Temp files & Prefetch performed using Puppy Linux. In the past couple of months I'm using every trick in the book on the malware-infested PCs of my customers and it's getting much more difficult to impossible to clean them. More recently I'm coming across infected PCs that won't let me even install the software needed to clean them. I'm finding that installed scanners won't even run. The symptoms vary from PC to PC and no 2 are exactly the same. I had one PC that seemed to clean up but the desktop was left completely blank with no desktop icons and no task bar/menu bar.

***WARNING - LATEST BREED OF MALWARE IS IMPOSSIBLE TO CLEAN***
TO ALL USERS, HEED THIS WARNING AND PROTECT YOURSELF FROM THE NEWEST BREED OF MALWARE AND BACK UP YOUR IMPORTANT DATA TODAY! BACKUPS ARE YOUR ONLY TRUE DEFENSE. WHILE YOUR SYSTEM IS STILL OPERATING PROPERLY, GO BUY A GOOD DRIVE IMAGING BACKUP SYSTEM LIKE ACRONIS OR NORTON GHOST AND BACK UP YOUR ENTIRE HARD DRIVE.
**************************************************************

In the meantime we techs need to band together and share any new techniques that are effective at cleaning this new breed of malware. One tip I can offer when you find yourself locked out of most XP features is to first find a way to enable the Task Manager. A Spybot scan will do it, or use SuperAntiSpyware's Repair options to re-enable Task Manager. Then use Task Manager's File > New Task feature to browse to the program you need to run to install or run your anti-malware software.

---pete---
Tony D Posted July 23, 2008

Pete - how timely!!!! I have two machines that came in yesterday and I can't figure out why they are so slow. I've been running the usual scans, but at this point I still haven't fixed either of them. They are both on high-speed Internet access (Comcast). One has McAfee and the other has Norton Internet Security. The question is when do you cut your losses and reformat? Do you charge the customer for backup? Of course - you have to. It starts to get costly.

Need help with your computer problems? Then why not join Free PC Help. If Free PC Help has helped you then please consider a donation. We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.
petef Posted July 24, 2008 (Author)

"The question is when do you cut your losses and reformat? Do you charge the customer for backup? Of course - you have to. It starts to get costly."

To my way of thinking, it's my responsibility to decide early on whether to clean or whether to reformat and reinstall the OS. If I make the mistake of trying to clean and I spend 3 hours doing so, only to wind up starting over and reformatting, then I might charge up to 1 hour for initial diagnostics and eat the other 2 hours wasted going in the wrong direction. Then I charge as normal for the reformat and reinstall. I'm beginning to recognize certain types of symptoms and certain kinds of malware as indicators that cleaning is going to be too difficult. However, I also view it as a challenge and I've spent up to 6 hours trying to find ways to clean this new breed of malware. In a case like that, I eat the entire 6 hours and just charge my normal fees for reformatting and reinstalling the OS.

---pete---
Tony D Posted July 24, 2008

Hey - I understand the 'challenge'. In slow times, I can afford to spend hours beating the machine trying to find a solution. However, this week is pretty booked and if the customer wants their machine back, it's reformat. The problem is that most don't have backups of their files. So that's an additional effort and charge. The customer may balk, and I'm learning that it's something I need to do because it's time I've spent and time that the customer hasn't invested in backing up their files.
Dalo Harkin Posted July 24, 2008

I have seen some bad ones but never ones you can't get rid of - the net is a useful resource and I use majorgeeks.com for any software that is specific to certain malware/viruses. In regards to the McAfee and Norton ones - we know they are not strong in terms of protection and the best advice is to buy a solution that is strong, as in NOD32 - it will all come down to what people use their PC for and their knowledge of malware and how it gets into your system.

Intel Q6600 @ 4Ghz (Watercooled), Asus P5K Premium Black Pearl, 4GB OCZ Reaper 8500, 260GTX. Join Free PC Help. Donations are welcome. We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs.
petef Posted July 24, 2008 (Author) (edited)

"I have seen some bad ones but never ones you can't get rid of - the net is a useful resource and I use majorgeeks.com for any software that is specific to certain malware/viruses."

I had a couple of PCs within the last week where I was able to perform scans with NOD32, SAS, Smithfraudfix, SDFix, and HijackThis. The system finally came up clean, but Windows was damaged to the point where certain programs would no longer run or the Windows Desktop was just a blank screen. I performed a Windows XP repair installation and even that did not restore things back to normal. This new breed of malware is like nothing I've seen before. Typical symptoms can include some or all of the following:

* No access to Control Panel, Regedit, or Task Manager.
* Desktop screen suddenly flashes (about every 10 seconds), goes blank and then displays the icons, while terminating or interfering with any process you were currently trying to start up or use.
* Windows Explorer will open, but will not function to allow copying of installation files needed for cleaning.
* Attempts to run special anti-malware cleaning software such as SmithfraudFix, ComboFix, VundoFix and others fail. They either terminate themselves or show up as a running process but don't actually do anything.
* The often-used Repair functions of SAS now fail to perform, where with previous malware they did work as expected to fix things.
* Desktop background is changed.
* Windows Screensaver or Desktop background functions do not operate.
* Windows repair install fails to restore normal operation even though all the malware scans come up clean.

Up to a couple of weeks ago, I was usually able to find a special malware cleaning tool to clean and fix the computer, but more recently I'm winding up reformatting and reinstalling Windows. I'm hoping that some new malware cleaning tools will be released to combat this new breed of malware.

---pete---

Edited July 24, 2008 by petef
Dalo Harkin Posted July 24, 2008

BUT - the whole reason you pay a lot for these 'programs' (NOD32 etc.) is to keep this stuff out - what I was saying is if you have a sensible head, you know what sites are bound to be full of malware - it doesn't float around the internet. People are just click happy and think "yes, that's OK - accept", but they don't know what they are accepting as they don't read and rush to get whatever they have to do. My point is people who get malware and viruses get it for one of two reasons - they illegally download programs that are rife with both, or they are the click-happy ones as listed above.
RandyL Posted July 24, 2008

I agree on all points. It's getting harder and it takes more time. Dave makes the best points. P2P, click happy, lack of protection, free cool stuff and of course the bundled programs that come with it. In terms of cleaning massive infections, it's expensive compared to backing up files and re-installing. Free music and movies cost a lot of money if a tech has to spend 12 hours cleaning and repairing the damage at $80 an hour. Even then the files may be lost. And this assumes you can even boot into Windows at all. And on another matter, I won't even touch a machine anymore that had AOL on it. It's all just too much work compared to a re-install.

We are all members helping other members. Please return here where you may be able to help someone else. After all, no one knows everything and you may have the answer that someone needs. Get help with computer problems. Join Free PC Help. Donations are welcome.
petef Posted July 24, 2008 (Author)

I agree with all the points made, and the reality is that it's getting tougher to clean an infected PC, so new tools and techniques will need to be developed in order to clean them. Already, I'm noticing that programs like NOD32 and SAS that run in Windows can't do the cleaning, but the ones that run in a CMD window such as Smithfraud Fix and SdFix are more effective at cleaning. Now this latest breed of malware is rendering those CMD-window-type apps useless, so what's next? I'm already using Puppy Linux to clean Temp files and the Prefetch when Windows won't allow me access to delete files or folders. I'm starting to think in terms of a new breed of malware *cleaners* that may need to be developed. One approach might be to run a live Linux OS that performs the scans to delete any infected files and even manipulates the Windows Registry, all from a remote OS run totally in RAM. I think this is the direction we are headed towards for cleaning an infected PC.

---pete---
Seth Posted July 25, 2008

I've also noticed malware has gotten much nastier in the last month or so. Any functions such as desktop problems, no regedit, TM, etc., should not be addressed until the scans have all been run. All of those can then be fixed using SAS's repair functions, or Doug Knox's XP Security Console. If you can't account for a slow system, and you've addressed msconfig and the malware, then run a chkdsk and watch out for the typical resource-hog security suites. I've got a badly infected system that I'm working on right now. I couldn't even install the scanners, so I slaved the drive and ran MB and SAS on it. That was enough to take back control of the computer. BTW - the latest nasties are now onto SAS, and will try to prevent it from installing, or prevent it from updating.
petef Posted July 25, 2008 (Author)

"BTW - the latest nasties are now onto SAS, and will try to prevent it from installing, or prevent it from updating."

Yeah, that's unfortunate, but it was bound to happen. To be fair to Norton & McAfee, when they became the most popular antivirus apps they also became a target for the bad guys creating the malware, so naturally they had to increase the size and complexity of the apps in order to defend against all the countermeasures of the malware. I suspect that this is what contributed to them becoming big bloated resource hogs. I hope the same fate is not destined for SAS as it becomes more and more popular. Again, this might be another reason to have the malware cleaners running in a separate OS such as Linux to clean a Windows OS, as this method would be much more immune to any countermeasures of the malware.

---pete---
Seth Posted July 25, 2008

Before using SAS or MB on any system, save the latest updated version to a USB drive and install it from that. Regarding clean install hell:

1) Documents and pictures scattered all over the drive.
2) 3, 4, or 5 separate accounts to back up.
3) After 40 or so minutes to back up just one folder, the process is basically aborted as: "Windows cannot copy blah blah blah".

I hate clean installs.
petef Posted July 25, 2008 (Author)

"Any functions such as desktop problems, no regedit, TM, etc., should not be addressed until the scans have all been run. All of those can then be fixed using SAS's repair functions, or Doug Knox's XP Security Console."

Just this past week I had one where SAS's repair that always worked in the past now failed to fix the problem. I'm speaking about the Enable Task Manager repair that even Spybot is capable of fixing. When I saw that SAS couldn't fix it I said to myself, "Oh boy, now we are in trouble," because the malware seems to be aware of SAS and it's blocking its countermeasures. It's becoming a real cat and mouse game.

---pete---
Seth Posted July 25, 2008

"Just this past week I had one where SAS's repair that always worked in the past now failed to fix the problem. I'm speaking about the Enable Task Manager ---pete---"

You could have also tried "Remove Explorer Policy Restrictions". SAS is on it, and that's why you have to have their latest version on a USB stick (as in download it right before the disinfection process). For example, I had about a three-day-old version of SAS that was prevented from updating due to a form of malware on a particular computer. So I uninstalled SAS and got the latest version, which addressed that issue. BTW - I ALWAYS use complete scans.
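The lockouts Pete and Seth are trading tips on (no Task Manager, no Regedit, no Control Panel, a blank desktop) are ordinary Windows policy values that the malware sets to 1; the "Enable Task Manager" and "Remove Explorer Policy Restrictions" repairs reset them. The script below is an added example written for this thread, not code from the thread or from SAS, Spybot or any other tool named here. It audits a plain-text registry export (the kind you can take from a slaved drive or a repair environment) for the standard policy value names under Policies\System and Policies\Explorer, reports which restrictions are active, and builds a .reg fragment that resets them to 0. The sample export is constructed for the demonstration; the value names themselves are the real Windows policy names.

```python
"""Audit a Windows .reg export for user-lockout policy values and build a reset fragment.

Added example for the thread above, not code from any tool named in it.
The SAMPLE_EXPORT below is constructed; real exports (reg export / regedit)
are UTF-16 with CRLF line endings, so decode them before calling parse_reg().
"""
import re

# Standard Windows policy value names (real names, under the given key suffixes)
# and the restriction each imposes when set to a non-zero DWORD.
RESTRICTIONS = {
    ("Policies\\System", "DisableTaskMgr"): "Task Manager disabled",
    ("Policies\\System", "DisableRegistryTools"): "Regedit disabled",
    ("Policies\\Explorer", "NoControlPanel"): "Control Panel hidden",
    ("Policies\\Explorer", "NoDesktop"): "Desktop icons hidden",
    ("Policies\\Explorer", "NoRun"): "Start > Run removed",
    ("Policies\\Explorer", "NoFolderOptions"): "Folder Options removed",
}

# Constructed sample: what a locked-down HKCU policy area might look like.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]
"NoDesktop"=dword:00000001
"NoRun"=dword:00000000
"""


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # new key section
            keys.setdefault(current, {})
        elif current and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", value.strip())
            if m:                         # only DWORDs matter for policy flags
                keys[current][name.strip('"')] = int(m.group(1), 16)
    return keys


def find_restrictions(keys):
    """Return [(key_path, value_name, description)] for every active (non-zero) restriction."""
    hits = []
    for key_path, values in keys.items():
        for (suffix, name), desc in RESTRICTIONS.items():
            if key_path.lower().endswith(suffix.lower()) and values.get(name, 0) != 0:
                hits.append((key_path, name, desc))
    return hits


def build_fix(hits):
    """Emit a .reg fragment that resets each flagged value to 0 (importable with regedit)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key_path, name, _ in hits:
        out.append(f"[{key_path}]")
        out.append(f'"{name}"=dword:00000000')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = find_restrictions(parse_reg(SAMPLE_EXPORT))
    for key_path, name, desc in found:
        print(f"{desc}: {name} under {key_path}")
    print()
    print(build_fix(found))
```

Only values that are actually non-zero are flagged, so an export where a restriction exists but is already 0 (like `NoRun` in the sample) produces no change, and the fragment only touches keys that were present in the export. Per-machine (HKLM) copies of the same policies are matched by the same key suffixes if they appear in the export.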
petef Posted July 25, 2008 (Author) (edited)

"You could have also tried "Remove Explorer Policy Restrictions". SAS is on it, and that's why you have to have their latest version on a USB stick (as in download it right before the disinfection process). For example, I had about a three-day-old version of SAS that was prevented from updating due to a form of malware on a particular computer. So I uninstalled SAS and got the latest version, which addressed that issue. BTW - I ALWAYS use complete scans."

Thanks for the tips. When SAS fails me, I'll run SDFIX, SmithFraudFix or various "VundoFixers" and that's been very effective, but in recent weeks the malware is even stopping them from running, so I'm in search of some new tools or methods. You have confirmed that slaving the infected HD is now becoming necessary. So it's also becoming much more difficult to impossible to do the cleaning at the customer's home.

Seth, I had one this past week where with great difficulty I was able to gain control of the system and perform multiple scans with SAS and NOD32 to clean it. It appeared clean and I even performed a WinXP repair install afterwards to try to restore any damage to the OS. I then installed Kaspersky Internet Security, which alerted me to the fact that Explorer.exe was infected and attempting to perform processes on other applications. Wow, I was quite impressed with Kaspersky, but it's too complex for the average user. Anyway, I wound up running other cleaners and spent in excess of 6 hours throwing every trick I know at this problem, only to finally give up and reformat & reinstall Windows. In all the years of malware cleaning, I've never seen such sophisticated and difficult malware.

Now when I run SAS and see Vundo, Virtumonde, Smithfraud, or SpywareLocker coming up, I'm thinking that it's going to be easier and more efficient to just wipe and reload if the PC does not have a lot of data to deal with or lots of applications or peripherals installed. If I find this happening often I might begin running SAS Quick Scan for the initial diagnosis in order to decide whether to clean or whether to wipe and reload.

---pete---

Edited July 25, 2008 by petef
Seth Posted July 25, 2008

Pete, use MalwareBytes as well. I've never had the need to use VundoFix, SmitFraud, etc. Was that system showing any signs of infection when Kaspersky alerted you? It may have been a false positive. Kaspersky should have identified the file, and you could have uploaded it to VirusTotal, or deleted it manually by slaving the drive or using a Linux distro.
petef Posted July 25, 2008 (Author)

"Was that system showing any signs of infection when Kaspersky alerted you? It may have been a false positive. Kaspersky should have identified the file, and you could have uploaded it to VirusTotal, or deleted it manually by slaving the drive or using a Linux distro."

The system was coming up clean per scans and I can't recall the exact details, but I think Windows was operating properly. Kaspersky identified the file: explorer.exe. Prior to that, explorer.exe was being reported by Windows as not being found, so I assume it was replaced when I performed the Windows repair installation, only to become infected again as evidenced by Kaspersky's alerts. All this was after performing 6 hours of scans and various cleaning, and it just wasn't worth any more time to troubleshoot. It was more of an experiment to see if cleaning was possible or even practical.

---pete---
Seth Posted July 25, 2008 (edited)

"The system was coming up clean per scans and I can't recall the exact details, but I think Windows was operating properly. Kaspersky identified the file: explorer.exe. Prior to that, explorer.exe was being reported by Windows as not being found, so I assume it was replaced when I performed the Windows repair installation, only to become infected again as evidenced by Kaspersky's alerts. All this was after performing 6 hours of scans and various cleaning, and it just wasn't worth any more time to troubleshoot. It was more of an experiment to see if cleaning was possible or even practical. ---pete---"

Kaspersky should have shown the path as well, at which point I would have uploaded it to VirusTotal to see what all the other AVs had to say. I bet it was a false positive. You said, "I've had to format and reload Windows on a large percentage of customers' PCs." No offense, but you must be missing something if that's the case. I average two disinfections a day with all sorts of Vundo variants and other really strong malware, but I don't even remember the last time I had to wipe and load. Occasionally though (maybe 5% of the time), I'll have to slave the drive to run the scans or delete the executable. I wonder if we are using the same disinfection procedure? For example, I disable Spybot and any other anti-malware program before a disinfection procedure, as they have the ability to prevent the scanners from deleting some of the malware they find. That's just one of the pre-disinfection steps I take.

Edited July 25, 2008 by Seth
Guest Wolfeymole Posted July 25, 2008

Let's discuss each other's procedures for the benefit of all.
Tony D Posted July 25, 2008

I'm no expert, so I've been using the procedure that this site recommends. Then if I still have problems, I poke around and get frustrated. After a couple of days of not getting anywhere, I back up the user files and reinstall XP. I haven't had a Vista machine yet to work on.
Seth Posted July 25, 2008

"Let's discuss each other's procedures for the benefit of all."

Here's mine in a nutshell: The customer is disgusted at their current anti-malware app and wants something better. I then explain SAS and its price and features. The customer always buys it. Note that after the disinfection I place an icon on the desktop for Eset's online scan to be run weekly.

1) Boot to Safe Mode.
2) Run CCleaner, clear the prefetch, disable System Restore, and remove Spybot if it's there (I don't trust it, or its TeaTimer, not to interfere with the disinfection, just as any other installed anti-malware app). I also disable Defender if it's there. Disable all of msconfig's startup items except for jusched. This includes any internet security from msconfig's services as well.
3) Start up the computer and remove current internet security products. Restart to Normal Mode.
4) Install SAS, update it and run a complete scan. Restart the computer and do the same for MB. Restart and run Eset. You can also run HT since it's quick, but it's usually not needed.
5) Restart the computer, enable SR, and remove MB.
6) Activate SAS with a lifetime key, disable its cookie detection, and set it to run a daily complete scan. Put an icon on the desktop for Eset's online scan.

Total time is a couple of hours. Actual total work time is about 15 minutes :D
Tony D Posted July 25, 2008

I've been disabling the daily scan. It slows the machine down. If the system is clean and real-time protection is enabled, I don't see the need for daily scans.
Guest Wolfeymole Posted July 25, 2008

OK so... what does the customer do for permanent AV and firewall protection, Seth, if I may ask? You did say you'd removed them in step 3, yes?
Seth Posted July 25, 2008

"I've been disabling the daily scan. It slows the machine down. If the system is clean and real-time protection is enabled, I don't see the need for daily scans."

Infections can (and often do) get through any anti-malware's real-time protection, but will be caught and removed on the scheduled scan. If you're going to do that, then at least set it for once a week, or remind the customer to manually run a scan every week. SAS should not significantly slow the system for typical usage when it's scanning. That is unless the system has very low specs, or something else is wrong (like a failing hard drive).
Seth Posted July 25, 2008

"OK so... what does the customer do for permanent AV and firewall protection, Seth, if I may ask? You did say you'd removed them in step 3, yes?"

Yes, and just use the Windows firewall. IMO, firewalls are only effective in the hands of an experienced user, and often that is questionable. For an inexperienced user, using a third-party firewall can be disastrous as they get sick of the prompts and either allow or disallow everything. Then there are also the inherent issues with running a third-party firewall. Besides, with a good anti-malware app running in real time, good customer education, and a weekly scan with Eset, I don't recommend (but rather deter) a third-party firewall. Also note that there is no longer a heck of a lot of difference between antivirus, antispyware, anti-malware, etc. That is as far as what they attempt to detect and remove.