Last weekend I saw a pretty fierce virus infection and during this week at work I’ve seen a couple of infections as well. Through these events, I’ve made a few notes, learned a few things, and polished some procedures for fighting viruses quickly and efficiently. These steps are, in my opinion, best practice to remove anything from your everyday malware, worms, and viruses, on up to rootkits and droppers that just keep bringing in more bad apps.
I’ve covered a number of these applications before separately as well as having a few prior posts dedicated to virus clean-up which might be worth reviewing at this point:
The Tools
Utilities
These utilities won’t necessarily clear up an infection but they will help you get the big picture of what’s happening to your machine. Both of these tools come from SysInternals and give you the inside scoop on machine behavior.
Process Explorer – Process Explorer is like the Processes tab of Task Manager but so much more informative. It can tell you about threads and related processes. You can also see the properties of what started the process. I recently used Process Explorer to monitor what process was starting up an invisible Internet Explorer. I saw that the process was starting and being sent to a variety of websites with a PHP page and a command to download a file. I then added those sites to the HOSTS file to block them.
Autoruns – Autoruns was given an in-depth look in its own article. How it applies to malware cleanup? Simple. A lot of malware will start up with Windows, either as a service or just a conveniently placed shortcut in the Startup folder. Autoruns can help you track down what’s starting these programs up and disable or delete them. Another reason to have Autoruns is that sometimes the scanners or antivirus will delete the executable but they won’t delete the shortcut or registry key that would be starting the program, leaving you with an annoying error message about a file not found at every start up. Use Autoruns to track down the last remnant and free yourself.
Since Autoruns also tells you where a program is running from, it might point you in the right direction of tracking down some remaining unwanted files.
Scanners and Removal Tools
ATF Cleaner – ATF Cleaner was featured previously in the Spring Cleaning with CCleaner and ATF Cleaner article. ATF Cleaner deletes your temporary files which serves two purposes when it comes to helping in the fight against malware: A lot of malware will download additional files and run from the Temp locations. Your scans will also take a lot less time after running ATF Cleaner because it’s gotten rid of so many files.
One note: I would not run ATF Cleaner first if you are hoping to do some forensics, find out the culprit, or figure out where the infection came from. In all other cases (most), I would use ATF Cleaner first thing.
Malware Bytes Anti-Malware – Malware Bytes has quickly become my favorite malware scanner. It’s fast and doesn’t rely on an ever-growing list of known malware like Spybot. It’s been very reliable and very successfull in finding rootkits and trojans that I’ve encountered. You have an option of running a quick scan or a full scan. The quick scan looks in the typical locations (like individual user profiles and the Windows directory). It then does some heuristics scans at the end which usually results in a few more detections
As you can see from the scan results below, KoobFace has been a popular one lately. It idles in the background to see if you are logged into social networks like Facebook and then makes spammy posts. The results will tell you the name of the violator, the type of the file, and its location. You can uncheck anything you think is a false positive detection and remove the rest. In my experience, I haven’t seen any false positives picked up.
Spybot Search & Destroy – Spybot is my second favorite scanner. It does a good job, but I’ve just found Malware Bytes to be a little bit faster and a deeper scan. Spybot performs its search by going through a list of known malware. Unfortunately, this list keeps getting longer which means the scans take more time to complete. The Spybot updates are released frequently to keep up to date.
Avenger – Avenger is a very simple tool that does most of its work in the background. You can scan for rootkits and disable any found, depending on the options you choose. You can also run a custom script at the time that you might be able to use to target a specific rootkit problem you’re having. My use of Avenger simply involves starting it up, checking both ‘Scan for rootkits’ and ‘Automatically disable any found rootkits’, then hitting the Execute button. It will restart and perform its clean during the Windows start up, which will take a slightly longer time than normal. When you next log into Windows, you’ll be greeted with a log letting you know if it found anything.
ComboFix – ComboFix is a bit of a heavy hitter when it comes to a malware program. ComboFix is not very verbose in what its doing but it will basically go through your system and search for specific malware infections in each stage and then try to remove any infections that it has found. ComboFix is very thorough and seems to work really well against the popular, mainstream malware.
Preventative Tools
Avast – If you were using an anti-virus before the infection, it apparently isn’t working correctly, right? Whether it’s out of date, misconfigured, or a victim of the same malware it didn’t do much good to have it installed if it failed when you needed it. For that reason, I recommend Avast. It’s a free-for-personal-use antivirus that I’ve had very good luck with. It keeps up to date, its default configuration is good, and it’s stopped a number of infected websites and executables in their tracks before an infection could even happen. Avast is also light on system resources unlike some of its more corporate counterparts.
ThreatFire – ThreatFire has its own article that focuses on this complement to your normal antivirus software. ThreatFire doesn’t depend on definitions and thumbprints in order to recognize malware and viruses. Instead, it monitors the behavior of your system and will quarantine a virus based off of suspicious activity. ThreatFire is also light on system resources and can stop a virus infection before it gets a chance to root itself into your files and processes.
The Techniques
The first thing you should do when you suspect yourself to be infected with some sort of malware is physically disconnect yourself from the Internet. Pulling the plug on your network cable is a good way to guard against any of this malware uploading your information to some server in Russia or downloading any additional malware or updates to make the infection any more difficult to combat. Do not reconnect to the Internet until you are certain the infection is contained or you may find all your hardwork has been undone.
Step two is tricky because it needs access to the very Internet you just disconnected yourself from. If you have another computer, download all of the tools listed above and any updates that are available. You can burn the files to a CD or put them on a USB flash drive you don’t mind formatting at the end of this so you don’t spread the problem yourself. If you don’t have a choice, reconnect your computer and download the tools and update them as quickly as possible. Disconnect from the Internet as soon as possible. An alternative browser like Firefox or Chrome might help circumvent some common malware habits of controlling and preventing Internet Explorer sessions.
While looking at your computer so closely for malicious files, you’ll want to be sure you’re seeing the real thing. Windows, by default, hides Protected System Files and file extensions. To get the true picture, we’ll want to change the defaults by following this previous 404 Tech Support article. Be careful not to accidentally delete any system files now. You can revert these settings when the infection is cleaned up.
A number of malware has taken the habit of blocking executables (.exe) from running. This blanket move on their part largely renders your computer useless and many AV tools along with it. For example, if you start up Malware Bytes on a computer with this exe blocking malware, you might see the window flash up for a second and the mbam.exe process listed briefly in the Task Manager or Process Explorer. One trick to get around this is to rename exe files to have a .bat, .pif, or .scr extension instead of .exe. These extensions will allow you to run a file just like before but will likely get around the problem of .exe files being blocked.
You might also try running your computer in Safe Mode (press F8 before the Windows splash screen). Unfortunately, some particularly advanced malware has been able to replace the logon screen in Windows with a BSoD (or Blue Screen of Death) when you try to enter safe mode. While the image is very convincing the code given and timing of the message are indicative of a false message. If this is the case, you’ll have to do all of the work in Windows normal mode using the tools above.
A good method for removing the problems will be through a means of escalation. You may have to rename the executable components of these tools in order to run them. I like to start with ATF Cleaner because it gets rid of a lot of lingering files that aren’t needed. This will remove some malware files from those locations and reduce the time it takes to scan your computer.
After ATF Cleaner runs, you can move unto running a scan with an up-to-date Malware Bytes. This will take some time with the Quick Scan option and even longer withe the Full Scan. I recommend running the Quick Scan now and when you are fairly certain the infection is contained, run the Full Scan for completeness when you can walk away and let the scan run for an hour or two.
If Malware Bytes does its trick with the Quick Scan, you can move onto running Combo Fix or Avenger if you think you’ve been the victim of a serious infection.
You can use the Utilities throughout this process to monitor your computer and what is going on. You can also use them if you need to do some light-duty forensics and give your machine a clean bill of health when all is said and done.
If you have any other tools or suggestions in the Fight Against Malware, please list them in the comments.