
Guest Wolfeymole
Posted
So basically you're saying just use the Windows firewall, which I've heard is good for inbound traffic only, and just run ESET, SAS and MB, and that's it?
Posted

1) Customer education

2) SAS pro with real time protection.

3) Online scan with Eset once a week.

4) Windows firewall.

 

That's what I've done with around 400 of my customers in the last 2 years without issue, with no nonsense and aggravation from third party firewalls.

Need help with your computer problems? Then why not join Free PC Help. Register here

 

If Free PC Help has helped you then please consider a donation. Click here

Posted
I stopped installing Zone Alarm and going with the Windows firewall because I got too many calls asking what to do when ZA popped up an alert, even after educating the customer. I may not be the best teacher. But I get no more annoying phone calls.


 

 

We are all members helping other members.

Please return here where you may be able to help someone else.

After all, no one knows everything and you may have the answer that someone needs.

Posted

1) Boot to Safe Mode.

 

2) Run CCleaner, clear the prefetch, disable System Restore, and remove Spybot if it's there (I don't trust it, or its Tea Timer, not to interfere with the disinfection, just as any other installed antimalware app). I also disable Defender if it's there.

 

- Disable all from msconfig's startup items except for jusched. This includes any internet security from msconfig's services as well.

 

 

Ok, stop right there. Remember the topic of this thread being the newest breed of malware. With the latest breed, the old methods simply won't work. In the case I'm referring to, you can't even install CCleaner, or if you did it simply won't run. Some anti-malware programs might install & run but others will not. You have no access to Msconfig or Task Manager.

 

Ok, with that in mind, what is your procedure?

My basic procedure is as follows:

 

* Boot to Puppy Linux and manually clean Temp folders and Prefetch.

 

* Boot to Windows Safe mode and attempt to copy installers from CD to HD. If possible, disable the System Restore and items in MSCONFIG Startup. Then reboot to safe mode.

 

* Safe mode - If I'm lucky, one of the following will install and run: SAS, HijackThis, SDFix, SmitfraudFix. If not, many times Spybot will already be installed and I'll run a scan which will enable the Task Manager. Using Task Manager, File > New Task, I'll attempt to install SDFix, SmitfraudFix, ComboFix, or any of a variety of Vundo fixers. When SAS fails, one of these others will usually clean the system well enough to be able to proceed to the next step.

 

* Install & update SAS and perform a complete scan.

 

* Use SAS repair features to fix the various problems with the Desktop, Explorer, or whatever.

 

* If I couldn't access MSCONFIG before, now I should be able to disable items in MSconfig Startup and reboot the PC.

 

* Update & run the virus scanner that may already be installed, or uninstall any inferior virus scanner and install NOD32 to do the scan.

 

* Depending upon all previous results, I may run an online scanner but I don't resort to that too often. If SAS operates normally, I'll also install and run a Spybot scan, which usually detects some registry entries that seem critical that SAS missed.

 

* Install HijackThis and remove selected items.

 

* Exercise the system by browsing to a few websites using Internet Explorer and also run Windows Explorer to browse some folders. Reboot the PC to normal mode.

 

* Repeat all scans until they all come up clean. If SAS keeps detecting the same critical malware I'll run SDFix, SmitfraudFix or ComboFix.

 

* Visit AOL.com and ensure the mail link operates. This is just a simple test to ensure the encryption features of IE are still functioning.

 

* Test various applications and Windows features to see if any collateral damage has occurred as a result of the malware or the cleaning.

 

Note: This is my basic procedure, but it seems that each infected PC is different, so I can't say I do it exactly the same way each time because of so many complications and varied conditions. There are various other things I may or may not do and it all depends upon my results as I proceed through each step.

 

---pete---

Guest Wolfeymole
Posted
Good post Pete if I may say so mate.
Posted
Ok, stop right there. Remember the topic of this thread being the newest breed of malware. With the latest breed, the old methods simply won't work. In the case I'm referring to, you can't even install CCleaner, or if you did it simply won't run. Some anti-malware programs might install & run but others will not. You have no access to Msconfig or Task Manager.

 

Ok, with that in mind, what is your procedure?

 

Running the drive cleaner is not a critical step and can be done at any time.

 

Msconfig at this point is not that critical either. It's just a step to have the computer run a little faster for the scans. It can be done at any time as well. Also note that malware worth its weight ignores you unchecking it in msconfig.

 

With very severe infections, the drive should be slaved and then scanned. In such a case, I do so with SAS, MB, and the Ewido online scan. I choose Ewido in this case, as Eset scans all drives by default (including the master). Once you put the drive back in, you can address any XP functions that are disabled.

 

My basic procedure is as follows:

 

* Boot to Puppy Linux and manually clean Temp folders and Prefetch.

 

That's wasting time.

 

* Boot to Windows Safe mode and attempt to copy installers from CD to HD. If possible, disable the System Restore and items in MSCONFIG Startup. Then reboot to safe mode.

 

* Safe mode - If I'm lucky, one of the following will install and run: SAS, HijackThis, SDFix, SmitfraudFix. If not, many times Spybot will already be installed and I'll run a scan which will enable the Task Manager. Using Task Manager, File > New Task, I'll attempt to install SDFix, SmitfraudFix, ComboFix, or any of a variety of Vundo fixers. When SAS fails, one of these others will usually clean the system well enough to be able to proceed to the next step.

 

If malware is preventing the install, I can't see how you would succeed in the install by using New Task. Another option here might be to rename the installer.

 

* Install & update SAS and perform a complete scan.

 

* Use SAS repair features to fix the various problems with the Desktop, Explorer, or whatever.

 

Disabled functions will usually be enabled again at reboot when whatever program you used to fix it asks for the reboot. That's why I don't usually try to repair such functions until the system is clean of the malware that caused the function to be disabled.

* If I couldn't access MSCONFIG before, now I should be able to disable items in MSconfig Startup and reboot the PC.

 

* Update & run the virus scanner that may already be installed, or uninstall any inferior virus scanner and install NOD32 to do the scan.

 

I'd run MB at this point and I wouldn't install Eset. It takes too long and may interfere with the other scanners' ability to remove infections. That's precisely why this site and others tell the user to disable their internet security for the disinfection procedure. Note that disabling most internet security apps through msconfig is often ignored, as Task Manager will show processes and services still running from said app.

 

* Depending upon all previous results, I may run an online scanner but I don't resort to that too often. If SAS operates normally, I'll also install and run a Spybot scan, which usually detects some registry entries that seem critical that SAS missed.

 

Registry entries aren't threats, but merely pointers to malware that has already been removed. The operating system will simply move from the orphaned reg entry, to the next reg entry. Those orphaned entries are called "traces", and they are left behind by good scanners for a legitimate reason. Inferior antimalware apps will detect those benign traces in order to look like it's finding a bunch more that the "other" scanner missed.


Posted

Continued from above:

 

Pete,

 

To summarize:

 

1) Having functions such as Task Manager, msconfig, and Regedit disabled by malware, is no reason not to proceed with the disinfection. Following the disinfection, those functions can be easily repaired.

 

2) I don't think you've recognized the ability of customer installed antimalware applications to inhibit proper malware removal.

 

3) There is no need to fight with an infected system that won't let you install any scanners. Simply install the drive as a slave, then run SAS, MB, and the Ewido online scan on it. If you find you have to do this a lot, then purchase extra long drive cables so you don't have to pull out the infected drive. Severe malware is much easier to remove when the drive is slaved, as the malware can't run, thus disabling it from recreating itself. As such, I'm thinking of getting the long drive cables and running slave scans on every infected system I get.


Posted (edited)

2) I don't think you've recognized the ability of customer installed antimalware applications to inhibit proper malware removal.

 

That might be true. I'm still not quite sure what you mean by that. Can you give me an example of a consumer installed product that interferes with a specific malware removal technique?

 

 

3) There is no need to fight with an infected system that won't let you install any scanners. Simply install the drive as a slave, then run SAS, MB, and the Ewido online scan on it.

 

Ok, I think this is the main difference and something I've NOT been doing. Up to now, I've never had to slave a drive just to clean it. So I'll take your advice and try this technique next time I get into a jam. In the past, I could often identify the file that the malware scanner was not able to delete and I'd boot to Puppy Linux and manually delete it, but now it seems that things have become more complex. I'll try slaving the drive to clean it and let you know if that makes the difference between cleaning and reformatting/reinstalling the OS.

 

Do you know of any malware scanners that will scan the registry of a slaved drive?

 

---pete---

Edited by petef
Posted

Registry entries aren't threats, but merely pointers to malware that has already been removed. The operating system will simply move from the orphaned reg entry, to the next reg entry. Those orphaned entries are called "traces", and they are left behind by good scanners for a legitimate reason. Inferior antimalware apps will detect those benign traces in order to look like it's finding a bunch more that the "other" scanner missed.

 

I fully understand what you are saying but pointers to malware are not the only kinds of registry entries to be concerned about. Registry entries can also disable features or otherwise cause the Windows OS to malfunction. It's very difficult to say which registry entries are benign, which are pointers to a malware file, or which ones manipulate how the OS functions, so I prefer to see all traces of malware removed from the registry.

 

Seth, I know you don't like Spybot, but it has worked well for me for many years, as long as the TeaTimer is disabled. It serves as a check on SAS and often picks up malware that SAS misses. Likewise SAS picks up on malware that Spybot misses, but SAS is the superior scanner. They work well together and I always run SAS scans first. The real value of Spybot is its immunize feature which keeps the user from ever gaining access to the thousands of known dangerous websites. The downside of the immunize feature is that it must be run in each user account in order to protect all the users. This immunize thing is a good topic for another thread.

 

---pete---

Posted

A very enlightening discussion everyone. I'm taking all your ideas to heart. I'm always open to learning new tricks.

 

I have to say Pete your methods and the programs you use (especially the specialized ones) are almost exactly like mine. I too open certain applications after cleaning. This helps determine if the malware is really gone or re-installs. I also run all the scans one last time after I think it's gone for good. I've never had to try a Linux method yet. I'll ask you how if I need to if you don't mind.

 

A question for you seth. How do you slave a SATA? Do you just plug it in and scan it? I'm new to SATA.


Get help with computer problems. Join Free PC Help here

 

Donations are welcome. Read Here

Posted
Got it saved Pete. Thanks.


Posted
Nice one Pete! Looks good :)

 

 

Posted
I often pull the customer's hard drive and connect it to one of my machines for scanning purposes. I don't normally connect it as a slave. I use a USB adapter (StarTech USB2SATAIDE). I can connect a 2.5 or 3.5 IDE or SATA drive. No need to open my machine.


Posted

Here's what the adapter looks like: photo is from the manufacturer's site:

 

Product Detail | StarTech.com

 

The top cable shown powers the hard drive. It has a connector for 3.5" IDE and SATA. It also has a connector for powering 2.5" IDE drives. I haven't needed to power 2.5" drives because the power coming from the computer USB port has always been sufficient.

 

The bottom cable shown connects to the USB port on your computer. The other end has three sides to allow connection to either a 2.5" IDE, 3.5" IDE, or SATA drive.

[image: photo of the StarTech USB2SATAIDE adapter]


Posted

My percentage of infected computers has risen dramatically in the last month or so. By 11:00 this morning, I picked up two infected systems at a business, and one at a residence. I've only checked out one so far, but it is running the paid version of Avast, Spybot, and Adaware. The owner has run scans with all three, but the rogue product popups remain. No XP functions are disabled, so I did a basic cleanup, then removed Spybot and Avast. I didn't have to ask him to remove those, as while I was there, he requested something better. I'm currently two minutes into a sas scan. So far, it's found Registry Cleaner Trial, AntiVirus XP, and WsnPoem.

 

Anyway, great discussion.

 

Kelly,

 

Thanks for that sata adapter link.

 

Randy,

 

The bios might try to boot to the Sata, so you'll need to adjust that if it happens.

 

That might be true. I'm still not quite sure what you mean by that. Can you give me an example of a consumer installed product that interferes with a specific malware removal technique?

 

Tea Timer will prohibit certain file and registry changes, but I don't know the specifics. All I know is that I visit a lot of professional malware removal sites, and the word is to disable Tea Timer and AntiVirus apps before the disinfection. I go one further since many of these programs don't actually disable when you request it, and the customer wants it off anyway because it didn't protect the computer. So, I remove them.

 

Ok, I think this is the main difference and something I've NOT been doing. Up to now, I've never had to slave a drive just to clean it. So I'll take your advice and try this technique next time I get into a jam. In the past, I could often identify the file that the malware scanner was not able to delete and I'd boot to Puppy Linux and manually delete it, but now it seems that things have become more complex. I'll try slaving the drive to clean it and let you know if that makes the difference between cleaning and reformatting/reinstalling the OS.

 

Ok. The only other time you would need to slave the drive, is if any scans produce a BSOD, lockup, or restart. That's typically the malware that is interfering with the scan, so slaving the drive will take care of that.

 

I fully understand what you are saying but pointers to malware are not the only kinds of registry entries to be concerned about. Registry entries can also disable features or otherwise cause the Windows OS to malfunction. It's very difficult to say which registry entries are benign, which are pointers to a malware file, or which ones manipulate how the OS functions, so I prefer to see all traces of malware removed from the registry.

 

Only the last of your three examples is a concern, but that is easily remedied once the system is clean. In fact, it should not even be addressed until the system is clean.

 

If you're concerned about the malware traces in the registry, then after you have slaved the drive and run the scans, master the drive and choose the registry as a scan location. That should only take about two minutes.

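Pete asked whether anything will scan the registry of a slaved drive, and Seth's replies turn on two registry points: orphaned autorun "traces" that point at files already removed, and policy values that leave Task Manager and Regedit disabled after the malware is gone. The PowerShell below is an added example, not code from either poster: it loads the slaved drive's offline SOFTWARE and per-user NTUSER.DAT hives with reg.exe, lists Run/RunOnce entries and marks each as PRESENT or ORPHANED by testing its target on the slaved drive, and reports DisableTaskMgr/DisableRegistryTools where they are set. It assumes the infected disk is attached to a clean machine as E:\ (passed as -SlaveRoot), an elevated session, and default hive locations.

```powershell
# Offline audit of a slaved Windows drive's autorun entries and lockout policies.
# Added example, not from the thread. Assumptions: the infected disk is attached to a
# clean machine as $SlaveRoot (e.g. E:\), the script runs elevated, and the slaved
# install uses the default hive locations (WINDOWS\system32\config, NTUSER.DAT).
param([Parameter(Mandatory = $true)][string]$SlaveRoot)

$winDir = Join-Path $SlaveRoot 'WINDOWS'

# Load an offline hive under a temporary HKLM subkey; returns its provider path or $null.
function Mount-Hive([string]$HivePath, [string]$Name) {
    if (-not (Test-Path $HivePath)) { return $null }
    & reg.exe load "HKLM\$Name" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "could not load $HivePath"; return $null }
    return "HKLM:\$Name"
}

function Dismount-Hive([string]$Name) {
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()   # drop provider handles first
    & reg.exe unload "HKLM\$Name" | Out-Null
}

# Map the executable named in an autorun value onto the slaved drive so it can be tested.
function Resolve-SlaveTarget([string]$Command) {
    if ($Command -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($Command -split ' ')[0] }
    $exe = $exe -replace '%SystemRoot%', $winDir -replace '%windir%', $winDir
    if ($exe -match '^[A-Za-z]:\\(.*)$') { $exe = Join-Path $SlaveRoot $Matches[1] }  # C:\x -> E:\x
    elseif ($exe -notmatch '\\') { $exe = Join-Path $winDir "system32\$exe" }         # bare name
    return $exe
}

# List Run/RunOnce values under $Root. A value whose target file is gone is an orphaned
# "trace" (the pointer Seth describes); one whose target still exists needs a closer look.
function Report-RunKeys([string]$Root, [string]$Label) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = "$Root\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata (PSPath etc.)
            $target = Resolve-SlaveTarget ([string]$p.Value)
            $state = if (Test-Path $target) { 'PRESENT' } else { 'ORPHANED trace' }
            '{0,-16} {1,-8} {2,-28} {3,-15} {4}' -f $Label, $sub, $p.Name, $state, $target
        }
    }
}

# Policy values that keep Task Manager / Regedit disabled after the malware itself is gone.
function Report-Policies([string]$Key, [string]$Label) {
    if (-not (Test-Path $Key)) { return }
    $props = Get-ItemProperty $Key
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        if ($props.$name -eq 1) { '{0,-16} POLICY   {1,-28} SET (clear after cleaning)' -f $Label, $name }
    }
}

$soft = Mount-Hive (Join-Path $winDir 'system32\config\software') 'SlaveSoft'
try {
    if ($soft) {
        Report-RunKeys $soft 'HKLM'
        Report-Policies "$soft\Microsoft\Windows\CurrentVersion\Policies\System" 'HKLM'
    }
    foreach ($profDir in 'Documents and Settings', 'Users') {
        $base = Join-Path $SlaveRoot $profDir
        if (-not (Test-Path $base)) { continue }
        foreach ($u in (Get-ChildItem $base | Where-Object { $_.PSIsContainer })) {
            $hive = Mount-Hive (Join-Path $u.FullName 'NTUSER.DAT') 'SlaveUser'
            if (-not $hive) { continue }
            try {
                Report-RunKeys "$hive\Software" $u.Name
                Report-Policies "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\System" $u.Name
            } finally { Dismount-Hive 'SlaveUser' }
        }
    }
} finally { if ($soft) { Dismount-Hive 'SlaveSoft' } }
```

Because the hives are read while the slaved system is not running, nothing on that disk can interfere with the listing, which is the same advantage Seth gives for slaved-drive scans; only the first executable token of each value is resolved, so rundll32-style entries are reported against rundll32.exe rather than the DLL they load.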

Posted

Randy,

 

The adapter Kelly posted is a USB to IDE/SATA adapter, so since that can be hooked up when the computer is running, you don't need to worry about the boot drive.

 

If your mobo is sata capable though, I would hook up the Sata drive directly to Sata port 2, as the scans will be much faster than a usb connection.


Posted
Seth, I know you don't like Spybot,

 

1) Buggy Tea Timer causes numerous problems.

 

2) Often deletes legitimate password/username cookies.

 

3) Requires a ridiculously long rescan on reboot.

 

4) Often deletes legitimate files causing unusual operating system behavior.

 

5) Far better options to choose from: Sas, MB, Ewido, Eset.

 

6) Deceives the user by naming harmless tracking cookies with obscure malware names.

 

There's more if I gave it more thought, but the above is also why Rich and others at KH don't even use it anymore.


Posted
Thanks seth. You answered my questions perfectly.


Posted

If you're concerned about the malware traces in the registry, then after you have slaved the drive and run the scans, master the drive and choose the registry as a scan location. That should only take about two minutes.

 

Great idea!

Thanks for all your other replies too.

You make good sense.

 

---pete---

Posted

4) Often deletes legitimate files causing unusual operating system behavior.

 

All your other points I understand and agree with. The one above I haven't seen personally, but I suspect it may have been true for a period of time with older versions. To this day, I'm having good results with Spybot and SAS, but again, SAS is the superior product and I always do the SAS scan first.

 

Thanks for clarifying why you dislike Spybot.

I'm just glad you didn't say it leaves giant holes in the registry.

Hehehee (inside joke).

 

---pete---

Posted

Kelly,

When you perform a typical anti-malware scan on a USB connected drive, roughly how long does it take to complete?

 

---pete---

Posted

Pete,

 

Seriously my friend, if I were you I would replace the Spybot scan with a MalwareBytes scan, then follow up with online Eset (or online Ewido on a slaved drive).

 

I think you'll find by doing so, you'll be 2 years free of a clean install like me :D

Not just because MB is a far superior scanner to SB, but it's a heck of a lot safer.


Posted
Pete,

 

Seriously my friend, if I were you I would replace the Spybot scan with a MalwareBytes scan, then follow up with online Eset (or online Ewido on a slaved drive).

 

I think you'll find by doing so, you'll be 2 years free of a clean install like me :D

Not just because MB is a far superior scanner to SB, but it's a heck of a lot safer.

 

I'll certainly try your suggestions. Main differences being to use MalwareBytes and slaved drive scans when necessary.

 

Just to clarify about my "clean installs" for the past few years, in year 2006 I'd estimate my clean installs to be about 20%. In 2007 about 2%. In 2008 Jan thru Apr about 0%. In 2008 May thru Jun about 25%. In 2008 Jul about 80%. Those are very rough figures but I think you get my drift.

 

The dramatic difference from 2006 to 2007 was due to improvements in my cleaning process. The dramatic difference in recent months is due to the new breed of malware.

 

---pete---

Posted

I'm lucky guys. I don't have to do it for a living. I've just got to clean them for extended family members and extended friends and their families.

 

Over the years my job gets easier. I lecture them on their habits and they pass it on. The few that won't I tell them to reinstall or pay me a bucket of money after the first time.

 

Dump the free dodgy programs (you know what I mean). Install good AV and antispyware programs. Stay away from P2P. Keep updated.

 

The bottom line is most people allow these worst cases to be installed or have no protection. Once educated they learn. If not charge them a bucket of money. Then they will listen and be educated. No pain. No gain.

