Stopping Unstoppable Malware?
A frustrated troubleshooter asks: "I've recently been asked to fix a friend's computer, and for once, I'm stumped. There is a piece of malware on his computer that puts up Aurora popup windows. Neither Spybot nor Ad-Aware detect this, so I've had to try to manually clean the system. However, the files re-write themselves, making the malware grow back as fast as you can remove it. The only 'solution' is to run an uninstaller written by the people who wrote the Aurora pop-up itself. Has anyone dealt with this particularly painful piece of pop-up programming, and if so, how have you successfully removed it?" What other pieces of malware have you found that were difficult to remove? Aside from using programs like the aforementioned Spybot and Ad-Aware (and others of their ilk), what other methods of malware removal have proven to be the most successful?
You need advanced trojan detection to fully eliminate malware. You need Trojan Hunter as well as Trend Micro Housecall in addition to Spybot and Adaware. At the Trend Micro site, be sure to choose the complete scan. Also, you may have to run Trojan Hunter in Safe Mode along with Adware and possibly Spybot. It depends how much malware is left over after the scan. Some of it might not be able to be removed unless you boot into safe mode. If you run less than those four programs, you will probably miss some malware. I'm saying that from my own experience. The four programs essentially compensate for one another.
Here's how to do it on Win2k:
step 1) try to kill off all the procs you can. Most malware will say "Access Denied", but some can be killed.
step 2) delete all the DLLs and ActiveX controls from your IE Downloads directory. Many of them will be held 'open' and won't be deletable.
step 3) check the start menu -> Startup folder. Delete any links from here that aren't familiar.
step 4) open your system services (from Computer Management; Administrative tools, whatever). Check for any services that look fishy. I typically sort them by status and look at the 'started'/active services.
step 5) open the registry (RegEdit) and search for "RunOnce"; directly above it will be "Run". We don't search the registry for "Run" because it appears like 1000 times. Delete any keys in the "Run" folder that don't look right. Search about 3 more times for this entry - it appears in multiple places.
step 6) unplug the machine (DON'T power it down). Some malware will try to reinsert registry keys at shutdown. Worst case scenario here is that you get a checkdisk warning/error at startup.
step 7) start the machine back up in DOS mode (or Safe Mode with DOS prompt). Go back to the Internet Explorer Downloads directory and delete the DLLs/ActiveX controls. They should get deleted now because the malware processes won't be holding the files open.
step 8) Reboot.
step 9) open the registry back up and see which processes re-inserted registry keys in the "Run" folder (see step 5 above).
I had one particularly nasty one (News.net) that Spybot couldn't delete. I finally killed it by using the process I described above. The trick with news.net, however, was to pull the plug IMMEDIATELY after deleting the registry key. The malware process re-inserts the registry key every 2 seconds, so I had to delete the key and pull the plug on the machine before it could re-insert the registry entry. One of the tricky things that news.net did was not allow me to search in RegEdit. So I used Spybot's startup/registry tool to remove the key. News.net was somehow able to circumvent Spybot's registry blocker.
As I'm writing this, I'm using a Windows 2k(sp2) machine from 2001. It hasn't been remastered since then and it's my daily driver. Interestingly, I've never done a single Windows Update on it, and I have fewer problems with exploits and malware than I've had on the 4 other machines that I've had to remaster (again and again) that I ran Windows Update on frequently. Maybe none of the malware writers are wasting time with the old exploits because they figure they've all been patched. Luckily for me, by not doing Windows Update, I've saved myself from all of the Exploits that the new patches have created.
I'm running Office 2000, Firefox, and Thunderbird. I never ever use IE or Outlook, ever. Oh yeah, and I also use a modified hosts file (from http://accs-net.com/hosts/) for ad/malware blocking.
Oh yeah, and use TeaTimer and SpybotSD services to prevent new spyware/malware.
Happy computing.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
After all the time you spend cleaning it, it's probably faster to just back up his important files and re-install. And tell him to browse his porn with Opera or Firefox.
Four, ditch any P2P stuff, really! Kazaa is doing more than you think!
Sig Hansen?
I came up with this one last year while going through a similar problem - I managed to delete a number of files the malware was using and then discovered it was repopulating itself from one source file I couldn't get rid of. So, I repermissioned the file so no one had access to it except some made-up account I created on the spot. I think I even used negative NTFS permissions (block access to this file to System, Administrators, etc.). There were some more steps such as searching and removing every instance in the registry of any file that this thing copied, but the NTFS repermissioning was the key.
If you are on Win9x or have FAT32 on your drive, this won't work for you... but good luck anyway.
Finally, I hate to give in, but go ahead and run the uninstaller - their malware already 0wnzors the computer you are working on, this is not likely to make it any worse...
-Jack Ash
PS: Another thing you might try is booting up one of those WinPE environments (bootable windows on a cd) floating around the net, and deleting it from there...
Boot into Safe-Mode first, then... ...do everything else that will be suggested here.
Unplug the hard drive, and dump it into a specially-configured "disinfectant" computer. Make sure it has up-to-date malware scanners - the four mentioned earlier should do the trick - and then scan it a lot. That should help get rid of some that loads on bootup. Then you might have to go in by hand to get rid of the rest, but it should get you started.
http://unelite.freelinuxhost.com - Rock/Scissors/Paper and RPGs shouldn't mix.
You can't stop an unstoppable malware program, by definition. So, to say that you can stop an unstoppable malware program would imply that the program wasn't truly unstoppable.
Which leads me to the next question: God is omnipotent, so I wonder, could God create a malware program that even HE could not remove? If you have a computer that is behaving badly, start it working on that problem. While it's distracted and busy trying to figure it out, WHAM, you hit it in the head, just like Captain Kirk in that M-5 episode.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
You need to use HiJack This. http://www.spywareinfo.com/~merijn/downloads.html
This program doesn't actually detect spyware/adware/malware, but rather it shows all items that are currently loaded on your system. It does have some helpful hints as to what these items might be, but doesn't specifically tell you if something is malware. You have to be savvy enough to figure it out yourself. I've gotten rid of a few nasty progs with this helpful tool.
I have found that very little if any spyware ever shows up on my Windows computer if I have Microsoft Anti-Spyware Beta 1 installed. It has grabbed a few things, and kept me relatively nuisance free.
KillBox
Tech Guy Support Forums
and most notable: MyPCTuneUp, which I am assuming is that Aurora uninstaller you were talking about. According to the forum link above, the uninstaller really works. And it can't hurt to try, considering Aurora has already hijacked your PC; what more can an uninstaller do besides uninstall the malware?
And from personal experience, I've had a few Malware uninstallers from the official company that did a better job removing the malware than SpyBot, MS Anti-Spyware, and Lavasoft Ad-aware.
False. Be careful where you make such broad "...everything..." statements.
Some spyware either is, or borders on, the definition of a rootkit. Rootkits can be detected, but there are a growing number which cannot be removed without a fdisk/format.
I've been experimenting with combinations of software for security, and this is by far the best combination for general use:
FireFox (Browser)
Avast! Home Edition (Anti-virus)
Part of my experiment was to operate as an Administrator at all times. I've been running like this for several months now, and have not encountered a single problem!
No viruses, No Spy-ware/Mal-ware, no annoying restrictions (I'm not using SP2).
Anyone else use this combination? It is by far the strongest combination I've ever used.
I just pooped your party.
Burn the important files to CD. Get an external harddrive, whatever.
Then nuke the harddrive and start over. In my experience going through the pain of finding all of the problems is worse than finding old install disks. You can also start with a clean build of XP SP2 which makes it *much* harder to get infected.
When you image the machine, make sure you set up at least two partitions so starting over in the future is less painful.
A speech...
(I do all my perm editing from the command prompt using the CACLS utility that comes with XP)
1. Instead of having to create a bogus account and deny specific users, just use the command-line switch "/D Everyone" to do the same thing. By doing this you are explicitly denying everyone access to that particular file, which gives the added benefit that Windows will not be able to start the process after a reboot! NOTE: Use this with caution! Please do NOT try to execute this command on, say, any files or directories needed for Windows to run!
2. Once you have found and edited the ACLs of the offending processes, reboot the machine. See if any other rogue processes start, and if so repeat step 1 on those.
3. All the registry entries used by the spyware will still be there, but since the reboot they can't run, i.e., you can now delete the reg entries without them coming back.
4. Once you are certain you have found and deleted all the malware entries in "Run", "RunOnce", the Startup folder, etc., re-edit the ACLs of all the malware files (you wrote them down, right?) so that you can delete them (easily done by granting Everyone Full Permission: "cacls /G Everyone:F")
5. To get rid of bogus / malware Services, do the above and then find the Services reg key (HKLM\System\CurrentControlSet\Services) and look for the malware filenames (found by viewing the properties of the service in the Services applet). NOTE: Do NOT delete random keys here...that can be rather dangerous for the stability of the system! When in doubt, leave the entry. As long as the file is safely deleted using the above methods, it should not come back. This process is only to make the malware service disappear from the Services applet.
6. The last tip I have is to use a free utility from SysInternals called RegMon. It monitors the registry hives for any process making changes. Malware and spyware are seemingly *always* making changes, which means they will be rather easy to spot. Use the Filter option liberally to filter out generic Windows processes and other known good ones. By using this method, you may find malware processes accessing the registry that DO NOT SHOW UP in Task Manager or directory listings. While these files definitely exist, they are hooked into the OS in such a way that they hide their presence. You can neither find these files in Explorer, nor using "dir" in a command prompt...but CACLS will still operate on them! (I had to use this method to clean a laptop over the weekend...12 hours of cleaning, because the girl couldn't find her WinXP Home CD, and I didn't have one laying around--irritating, to say the least.)
Now for the usual disclaimer: I am a sysadmin, I know what I'm doing, and I'm responsible for what I screw up. I am NOT responsible for your screwups though, so please be VERY careful when using the above methods...you can really hose your system if done improperly. If you feel like this is a bit too tech for you, I highly recommend SpyBot S&D and TrendMicro's HouseCall. In fact, I used both of those on that laptop along with the above methods to clean the thing entirely.
Happy malware hunting!
Try using all of these programs:
Microsoft Anti-Spyware
Spybot
AdAware
HijackThis
Those are 4 programs I run regularly. I usually do these in this order:
1) Update all definitions in all programs
2) Reboot to Safe Mode
3) Run Add/Remove Programs and remove any unknown programs
4) Run AdAware, remove all infected files
5) Run Spybot, remove all infected files
6) Run Anti-Spyware, remove all infected files
7) Run HijackThis, remove all non-system files (only run this if you are an expert at it)
8) Clean out Internet Explorer cookies
9) Clean out ALL temp files
10) Clean out all unknown files in the Windows & System32 directories (again, expert only)
11) Reboot (pick Safe Mode again)
12) Run all of the scanners again to be sure of removal
13) Reboot into normal mode, run scanners AGAIN (to verify)
Obviously if malware comes back shortly (within 10 minutes or so) check Services (start --> run --> "services.msc") and remove any that you don't recognize.
The only piece of malware that I haven't been able to remove was a variant of CoolWebSearch. Not even CWShredder got rid of it (or even detected it) as well as all of the other cleaners.
Good luck.
format c:
You might want to look into Bart PE. It is a program to create a bootable CD that runs Microsoft's Pre-execution Environment. There is a plugin for Ad-Aware, and you may be able to find plugins for Spybot-SD and MS Antispyware beta (not sure though). This is useful, because you are now running a lite version of your MS OS from the CD. The antispyware software should now have a much easier time removing files, since the OS won't have them open.
You're going to want to get a few things first, and you're going to need some time to do this.
First get these. Do a Google search if you don't know where to get them.
HijackThis
Microsoft Antispyware
spywareblaster
winsockfix (it's at majorgeeks if you do a google search)
First off, make a restore point. Then, if you can't get online at all, run the winsock fix, which should fix that. Then install SpywareBlaster, update it and enable all protection.
From there, update all of your existing anti-virus/anti-spyware to the latest revisions and defs, then install Microsoft Antispyware and update it to the latest defs. The reason you want MSAS is because MSAS will start prompting about any questionable activity it detects. Make sure you set anything it considers questionable to block or remove. This will at least give you a general idea of what to look for and keep the reinfection down to a point. Then in MSAS, do a full system scan. Remove everything that it finds and restart the PC in Safe Mode with no network.
When it boots up in Safe Mode, stop and keep in mind that if you open up any Explorer windows you just reinfected your PC again, so make sure everything you need is on the desktop or accessible in the Start menu. From there do another scan with MSAS, as well as full system scans with any other anti-virus/spyware app you updated in the first part. Then, using the command prompt, delete everything in the following folders:
C:\documents and settings\\local settings\temp
C:\documents and settings\\local settings\temporary internet files
C:\windows\temp
From there run HijackThis and look it over. Anything you see there that looks questionable, you remove. In particular: startup entries going to temp folders, randomly named exe files, exe files in C:\windows or C:\windows\system32, and any BHO or DPF that you can't remember installing, or that has the word search, bar, or smiley in it, sounds fishy, or sounds like it's trying to benefit something that should be OK by itself, especially if you don't have it, such as "Microsoft Antispyware Helper" (yes, I saw a real nasty one using this as its name). If you are really in doubt, and have access to another machine, go to http://www.hijackthis.de/en, put the HijackThis log into it, and it will tell you what to delete and why. After you clean it up, make a clean log from HijackThis and restart.
From there, restart and it should be clear or relatively clear. If it's not, then run HijackThis again and compare it to the old file. It should give you clues on what to look for, but there is a good chance that your system is rootkited (something RootkitRevealer will tell you). If it is, I'd recommend a reinstall since there's no telling what's going on in the background, but if you still need to clean it the only way is to insert the hard drive into another PC and do another full anti-spyware/virus scan on the drive, or use PE Builder to boot the machine into Windows and do it that way.
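The post above gives a checklist for reading a HijackThis log by eye: autostart entries pointing into temp folders, randomly named executables, loose exes in the Windows directory, and BHO/DPF entries whose names contain "search", "bar" or "smiley" or that impersonate a security product. The script below is an added example, not part of the original post or of HijackThis itself, that applies those same heuristics to log lines. The sample log, the CLSIDs, host names and the `KNOWN_GOOD` allowlist are all constructed for the example; the O2/O4/O16 line layouts are assumed from the common HijackThis log format, so adjust the regexes if your version prints them differently.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample log lines in HijackThis's O2 (browser helper object), O4 (Run-key
# autostart) and O16 (downloaded ActiveX / DPF) formats. CLSIDs, names, paths and
# hosts are made up for this example; the file names echo the ones discussed in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0A0B0C0D-1111-2222-3333-444455556666} - C:\WINDOWS\system32\smileytb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Antispyware Helper] C:\WINNT\zbkiebmtvti.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\USER\LOCALS~1\Temp\qwpxz.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\explorer.exe
O16 - DPF: {66666666-7777-8888-9999-000000000000} (Java Runtime Environment 1.5.0) - http://java.example/jinstall.cab
O16 - DPF: {AAAA1111-BBBB-2222-CCCC-333344445555} (SearchBar Installer) - http://ads.example/searchbar.cab
"""

SUSPICIOUS_WORDS = ("search", "bar", "smiley")           # the post's own keyword list
SECURITY_WORDS = ("antispyware", "antivirus", "spyware", "security")
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\winnt", r"c:\winnt\system32"}
KNOWN_GOOD = {"explorer.exe"}   # assumption: extend only with binaries you have verified yourself

RE_O4 = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RE_O16 = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]*)\) - (?P<url>.*)$")
RE_EXE = re.compile(r'"?([^"]*?\.exe)"?', re.IGNORECASE)   # first executable in a Run command


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names: an all-letter stem with a run of 4+ consonants."""
    s = stem.lower()
    return s.isalpha() and re.search(r"[b-df-hj-np-tv-xz]{4,}", s) is not None


def path_flags(path_str: str) -> list[str]:
    """Reasons a startup/plugin file path is worth a second look, per the post's checklist."""
    p = PureWindowsPath(path_str)
    parts = [x.lower() for x in p.parts]
    flags: list[str] = []
    if "temp" in parts or "temporary internet files" in parts:
        flags.append("runs from a temp folder")
    if str(p.parent).lower() in SYSTEM_DIRS and p.name.lower() not in KNOWN_GOOD:
        flags.append("loose exe/dll directly in the Windows directory")
    if looks_random(p.stem):
        flags.append("random-looking file name")
    return flags


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (line, reasons) for every O2/O4/O16 line that trips at least one heuristic."""
    findings: list[tuple[str, list[str]]] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, target = "", ""
        if m := RE_O4.match(line):
            name, cmd = m["name"], m["cmd"]
            exe = RE_EXE.search(cmd)
            target = exe.group(1) if exe else cmd
        elif m := RE_O2.match(line):
            name, target = m["name"], m["path"]
        elif m := RE_O16.match(line):
            name, target = m["name"], m["url"]
        else:
            continue                       # other HijackThis sections are not handled here
        reasons: list[str] = []
        if target and not target.lower().startswith("http"):
            reasons += path_flags(target)
        text = f"{name} {target}".lower()
        reasons += [f'name contains "{w}"' for w in SUSPICIOUS_WORDS if w in text]
        if any(w in name.lower() for w in SECURITY_WORDS):
            reasons.append("claims to be a security product; check it is really installed")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

The heuristics are deliberately noisy: a legitimate program dropped straight into C:\WINDOWS will be flagged, and anything the script does not flag is not thereby clean. Treat the output as the list of lines to research first (the post's hijackthis.de suggestion applies), not as a verdict.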
In Soviet Russia, Trojan exploits YOU!
You see, I hate using all these miscellaneous programs to find trojans, partly because I want to go in and quickly fix a person's problems.
The first thing I recommend is the Startup Control Panel, which installs a very handy control panel. It will show you every startup that Windows has, including the registry-only ones that aren't apparent to the user. Install, run, and see what starts with the computer.
Open the Task Manager (Ctrl-Shift-Esc), and using "End Process Tree," shut off any programs that you found in the Startup Control Panel.
Then go into the Startup Control Panel and turn off their registry entries for startup. If you've shut down the process, it won't re-register. Then you can worry about tracking down the files later.
This has never failed me, regardless of the malware. Frankly, it surprises me how reliable it is. The one other concern is maybe you end up shutting down an infected vital system process (one virus not worth mentioning that infected lsass.exe). If in the process of killing processes, the computer suddenly says it's shutting down in 30 seconds (which happens when you kill the lsass process), then hit Windows-R for a run dialogue, and type "shutdown /a", which will abort the shutdown command and allow you to continue your cleanup.
I still have one small piece of spyware hiding somewhere that none of the above can find. It only runs when I run IE (which I very rarely do these days), pathetically raising popup windows with nothing in them! I haven't bothered to chase it down, since it isn't that much of a nuisance. But maybe I'll apply some of the tricks I learned today, just for the exercise!
Which brings me to the #1 anti-spyware measure: run Internet Explorer as little as you can!
Not nearly so easy.
I ended up with something installed, it was very odd:
1. It was not a separate process; it bound itself to IE. No process to end other than IE, and in a work environment where Firefox is not an option that's a problem.
2. When uninstalled and files deleted it reinstalled itself. The files had to be deleted manually. Yet they reinstalled with random file names, the only way to identify them was by working out they were always a combo of 5 letters and had the same file size.
3. Sure it had a registry entry, but when it spread it randomly named itself as in step 2. Manual registry editing was the only option, somewhat risky as entries could be deleted by mistake.
4. Because of 1, 2 and 3, there were no processes and files to be deleted automatically. It becomes a manual process.
The solution: We did a diff of the registry from a backed-up version and went through line by line. Could have done a reinstall, and did in the end (with something this sneaky what else could it have been doing?) but it was very interesting to see how it worked. Let's hope this type of malware remains in the minority.
You're kidding, right? This stuff makes it harder to keep your PC safe. Expect it to become dominant.
step 5) open the registry (RegEdit) and search for "RunOnce"; directly above it will be "Run".
Sadly, you can't do that with Aurora [I was up with it until 5AM last night, and I'll be at it for the rest of tonight, and much of tomorrow]. I'll expound on the registry stuff in a moment, but first let me outline a few other things you'll have to deal with.
Aurora installs at least two services [Start | Programs | Administrative Tools | Services]; they're down at the bottom, called "Win" this, and "Win" that [I forget the exact names, but they're pretty obviously malware services]. It also installs executables and "cabinet" [.CAB] files all over your computer, as well as desktop links and web browser plugins, and probably a whole host of other things I didn't discover. And every user who logs in after the infection will get copies of this crap installed throughout the entirety of their "Documents and Settings" folder.
If you have a second copy of the operating system [at worst, take the hard drive out and install it in another computer as a secondary drive], then you can search the entire hard drive for files that were introduced on or later than the date of infection and delete MOST of the crap that was installed.
However, in our case, the underlying file that invoked "Aurora" was \WINNT\zbkiebmtvti.exe [it might have a different name for you], but it was somehow installed with a modification date of 04/09/2004 [our infection was yesterday, 05/08/2005], so a simple search on recently-modified files will not find that one [and may not find other newly-introduced files, with fake modification dates, that are lurking in other parts of your hard drive].
However, even if you disable the services installed by Aurora, and even if you could delete all the files it installs, it does something FAR more malicious - something that I've never before seen in malware, which gets back to the point I wanted to make at the beginning of this reply: At or near the registry point HKLM\Software, Aurora inserts an "infinitely large" subtree into your computer's registry [I assume that they used either the maximum size of a registry subtree in Windows, or the maximum size of an entry in the underlying MSJet database, or something similar]. When either regedit.exe or regedt32.exe encounters this "infinitely large" subtree, they both crash, and tend to exit Dr Watson style [I guess it never dawned on the poor guys who designed regedit.exe and/or regedt32.exe that someone would do something quite so evil]. You can't search beyond this "infinitely large" subtree, and neither regedit.exe nor regedt32.exe are capable of deleting any of its branches [at either the beginning of the subtree, or at its end], so you can't do the old trick of searching for "RunOnce" and then moving up one key to get to Run.
Anyway, it seems to me that anyone who would do something as malicious as purposely inserting an "infinitely large" subtree into your registry, with the intent of crashing regedit.exe and regedt32.exe, is precisely the sort of person who would install a keyboard sniffer to record your VISA and Mastercard info. So I'm basically wiping the drive clean and reinstalling the operating system from scratch.
Quite frankly, if I ever meet the bastards who wrote this crap [and who thought that it would be some kinduva nifty-cool business plan to go around inserting "infinitely large" subtrees into people's registries], then I will be sorely tempted to shoot them and throw their God-damned corpses in a swamp.
And no, I am not kidding.
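The post above makes a point worth keeping: searching a drive for files modified since the infection missed \WINNT\zbkiebmtvti.exe because the dropper gave it a modification date a year in the past. A file's modification time is trivially settable, so a "what arrived since date X" sweep should key on the timestamp the dropper is less likely to have touched. The script below is an added example, not from the post, that walks a tree and reports files whose creation (or, on Linux, inode-change) time is at or after the cutoff, and separately marks the ones whose mtime has been pushed back before it. The sample tree, file names and contents are constructed inside a temporary directory so the example runs offline.

```python
from __future__ import annotations
import os
import tempfile
import time
from pathlib import Path


def created_time(st: os.stat_result) -> float:
    """Timestamp a plain mtime backdating leaves alone: st_birthtime where the platform
    exposes it (macOS, Python 3.12+ on Windows), otherwise st_ctime, which is the
    creation time on older Python/Windows and the inode change time on Linux."""
    return getattr(st, "st_birthtime", st.st_ctime)


def newer_than(root: Path, cutoff: float) -> list[tuple[Path, str]]:
    """Files under root that appeared at or after cutoff, judged by created_time() rather
    than mtime. Each hit is tagged 'mtime backdated' when its mtime predates the cutoff."""
    hits: list[tuple[Path, str]] = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        st = p.stat()
        if created_time(st) >= cutoff:
            hits.append((p, "mtime backdated" if st.st_mtime < cutoff else "new"))
    return sorted(hits)


def build_demo(root: Path) -> float:
    """Constructed sample tree: one file that predates the infection, then, after the
    cutoff, a dropped executable whose mtime is pushed back a year (the post's case)
    and a second dropped file left with its real mtime. Returns the cutoff timestamp."""
    (root / "WINNT").mkdir()
    (root / "WINNT" / "existing.dll").write_bytes(b"MZ present before the infection")
    time.sleep(1.05)                       # outlast 1-second timestamp granularity on older filesystems
    marker = root / "infection-marker"     # take the cutoff from the filesystem's own clock
    marker.write_bytes(b"")
    cutoff = created_time(marker.stat())
    marker.unlink()
    dropped = root / "WINNT" / "zbkiebmtvti.exe"
    dropped.write_bytes(b"MZ dropped by the infection")
    year_ago = cutoff - 365 * 86400
    os.utime(dropped, (year_ago, year_ago))   # fake atime/mtime, as the dropper did
    (root / "WINNT" / "setup.cab").write_bytes(b"MSCF dropped too, mtime left alone")
    return cutoff


def demo() -> list[tuple[str, str]]:
    """Build the sample tree in a temp dir and return (file name, tag) for each hit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        cutoff = build_demo(root)
        return [(p.name, tag) for p, tag in newer_than(root, cutoff)]


if __name__ == "__main__":
    for name, tag in demo():
        print(f"{tag:16} {name}")
```

Two caveats a responder should keep in mind. On Linux, `st_ctime` is the inode change time, not creation, so it catches files that were written or re-timestamped after the cutoff but says nothing about when they first appeared. On NTFS, the creation time is just another settable field: a dropper that rewrites all four $STANDARD_INFORMATION timestamps defeats this check too, and the remaining evidence is the $FILE_NAME timestamps in the MFT record, which ordinary file APIs do not update and which a forensic tool has to read directly.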
Or you could find a live-cd that uses the ntfs.sys driver to read/write NTFS partitions. Knoppix will read them out of the box, but I'm not sure if it will write properly. Last I read, which was a few months ago, the NTFS write support with the driver in the kernel could only write to a file as long as the size didn't change. So I assume that means deleting is out of the question.
Another good tool is a boot cd called "Hiren's Boot Disk". It has lots of commercial software so I believe you'd have to look for it on P2P or torrent websites to obtain it, but it has some good tools on it.
As these people write better malware, it's going to get increasingly more difficult to remove them while windows is running.
Or, like the parent suggested, run linux and exchange this hassle for different hassles. I know I did. But it's more fun in the long run.