Tuesday, May 19, 2009

Experience Cleaning Malware Infected Box

The answer to “how to clean a machine that’s been massively infected with malware” is, in one word, Perseverance. I had even, at one time, given up completely on the process, and was certain I’d have to blow away and re-install the computer from scratch, but I stuck it out, and was able to eventually solve the problem.

Here’s the story:

My wife has a decent IBM Thinkpad T42, running Windows XP SP3. It had a copy of Norton Antivirus, but that had fallen out of date (and she’s not a very good “safe surfer”, which made it even harder). Her computer had gotten infected with Virtumonde.sci. This particularly nasty piece of malware hides in several places in the computer, and is hard to eradicate.

The first evidence that she’d contracted something nasty appeared right after she accidentally clicked on a page that “looked” like a normal Windows Explorer pane, but was actually a hot link to a downloaded Trojan. The Trojan, containing the Virtumonde.sci code, executed, and made several insidious changes to her system… In fact, I’d only ever seen one piece of malware harder to remove, and that’s saying a lot (I’ve seen a lot of junk in my day!).

Well, my first job was to get SpyBot Search & Destroy. I highly recommend it and it’s free, but I recommend you support the developer by donating. Unfortunately, I couldn’t just fire up Internet Explorer and go download it. The thing about Virtumonde is that it hides in your computer and downloads OTHER malware that you then have to contend with. Most of these involve clickjacking and pagejacking in Internet Explorer.

Luckily, I’d downloaded and installed both Google Chrome and Mozilla Firefox on her computer a couple of months ago (I don’t care for IE), so I fired up Chrome and went looking for Spybot. I downloaded it from download.com, and installed it on her computer.

The initial run of the software took forever, interjected with sounds of “You’ve won!” or “Contact us for your winning number”, or some other such drivel, from web pages being served up in the background on her computer, which had been taken over by a piece of malware that Virtumonde had called into existence. This other software fired up IE clients in the background (hidden), and sent them to pages containing web ads, including vocal ones (ARGH!!!!).

After running Spybot, which takes a while, I had several hundred things for it to fix. It fixed 99% of them, but there were five or so elements (malware, registry entries, etc.) that needed a reboot and rescan before it could try to eradicate them. So I did that.

That fixed 4 of the problems, leaving me with just one. I performed the reboot and rescan process again, but was unable to get that dang thing removed. On my contemplation of ritual suicide, I thought about the “Tools” menu in Spybot. These help me by showing me what Browser Helper Objects (BHOs), ActiveX objects, startup elements, processes, etc. are set up on the machine. Of course! I could go there to figure out what the deal was.

So, upon scanning the BHOs, I found some things that didn’t look right, and I deactivated them (I didn’t remove them, yet, because I wasn’t sure if they were bad or not, at this point). I did the same thing for browser help pages, host file information, and other elements. But what really jumped out at me was the recurrence of a program in the process list (like what you see in Task Manager, but with more information). It would disappear when I killed it, but come back a few minutes later. That meant that something else was re-calling it into existence!

Going through the help for the different pieces of malware, I found that Virtumonde hides in a web page that is coded to be the background page for Windows “Active Desktop”. So it’s basically always running, and gets loaded on system startup, but not from the “Run” or “RunOnce” registry entries. So I went to my display properties to change the background… and couldn’t! The ability to change the background was grayed out! Why in the frak Microsoft would make it so that this can’t be adjusted easily is beyond me, but it’s simply stupid.

After doing some research, and comparing my wife’s settings to mine (I have an identical laptop), I figured out which registry entries control the “Background” setting, and changed them so that it was editable again and no longer used the Active Desktop.

I rebooted the computer and re-ran the scan, but it kept coming up with new and interesting pieces of malware every single time! I finally figured out that Virtumonde had downloaded and installed the malware I was seeing NOW during the previous boot, before I removed it. Therefore, to ensure that nothing was compromised, I rebooted in Safe Mode, without networking support, and re-ran Spybot.

While it was running, I checked the registry, to see if anything jumped out at me… and something did. I noticed that there were waaaay too many users for the system, and they had funky user names. And several pieces of malware that used Winlogon or Run / RunOnce entries in the Registry were doing it from these other, nonsensical user names. I decided to just eliminate them.

They weren’t in the Users control panel applet, so I switched back to the registry to simply delete them. That turned out to be easier said than done – the permissions were all set to read-only, and on some of the entries, even after I’d set the permissions otherwise, I couldn’t delete them. Very frustrating, but not crippling, so I checked in on Spybot.

I had to eventually run Spybot several times, but it finally came up clean! Woo Hoo! I had finally slain the beast… or so I thought…

…I rebooted the computer into regular mode, and told my wife I had it fixed. Five minutes later, all kinds of ads started popping up on her computer. The malware was back.

Despondent, I contemplated if it would be simpler to beat myself to death with her computer or re-install the operating system (a tough choice). I decided that the simple solution was to ignore it… for now.

Fast forward 1 week, during which time my wife had been using my computer to do all of her internet surfing. Now, you remember me mentioning that she’s not exactly the safest surfer in the world? Yeah… well, this concerned me to no small degree. I mean, if she wants to use her computer on the internet in an unsafe manner and gets bitten for it, that’s her choice. But not mine! She knew that was the best way to get me to work on her computer (and she was right). So I tackled the problem again yesterday afternoon…

I again used my favorite tool, Spybot Search & Destroy. This time, though, I started immediately from Safe Mode, logged in as Administrator (which no one uses on her computer, so there’s less crud in it), and disabled every single Startup entry, including ones that I knew were OK (to establish a baseline). I ran the checker, and had it remove all of the malware it could find. I rebooted several times during this process, finally getting not one, but two clean bills of health from Spybot before I continued to my next plan.

Next, I started the computer in Safe Mode, and logged in under my wife’s account. I again ensured that there were no Run, RunOnce, WIN.INI, SYSTEM.INI, Background, Classes, or Winlogon elements being loaded by checking the Startup Items in the Tools menu in Spybot. I then ran the checker.
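As an added example (not code from the original post), here is a read-only PowerShell inventory of the same persistence locations the post checks by hand through Spybot’s Tools menu and the registry: the Run/RunOnce keys, Winlogon, WIN.INI, the Active Desktop component plus the policy values that gray out the Background tab, and the list of profiles and local accounts. It assumes PowerShell is installed on the XP box and is run from an account that can read HKLM; nothing is modified.

```powershell
# Added example, not code from the original post: a read-only inventory of the
# persistence spots the write-up checks by hand. Run elevated; it changes nothing.

function Show-Values([string]$Path, [string]$Label) {
    # Print every value under one registry key, or nothing if the key is absent.
    if (-not (Test-Path $Path)) { return }
    $key = Get-Item $Path
    foreach ($name in $key.GetValueNames()) {
        "{0,-10} {1}\{2} = {3}" -f $Label, $Path, $name, $key.GetValue($name)
    }
}

# 1. Per-user and per-machine autostart keys
foreach ($hive in 'HKCU', 'HKLM') {
    foreach ($sub in 'Run', 'RunOnce') {
        Show-Values "$($hive):\Software\Microsoft\Windows\CurrentVersion\$sub" 'AUTOSTART'
    }
}

# 2. Winlogon: Shell is normally Explorer.exe and Userinit normally names only userinit.exe
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
"WINLOGON   Shell    = $($wl.Shell)"
"WINLOGON   Userinit = $($wl.Userinit)"

# 3. Legacy WIN.INI load= / run= lines, still honoured on XP
Select-String -Path "$env:windir\win.ini" -Pattern '^(load|run)=' |
    ForEach-Object { "WIN.INI    $($_.Line)" }

# 4. Active Desktop: an HTML 'wallpaper' is registered as a component with a Source URL;
#    the policy values below are what gray out the Background tab in Display Properties
$comp = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
if (Test-Path $comp) {
    Get-ChildItem $comp | ForEach-Object {
        "ACTIVEDESK component $($_.PSChildName): $((Get-ItemProperty $_.PSPath).Source)"
    }
}
Show-Values 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' 'POLICY'  # NoChangingWallPaper
Show-Values 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'POLICY'       # NoActiveDesktop, NoActiveDesktopChanges
Show-Values 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'POLICY'         # Wallpaper, WallpaperStyle

# 5. Every profile the OS knows about, whether or not the Users applet shows it
Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object {
    "PROFILE    $($_.PSChildName) -> $((Get-ItemProperty $_.PSPath).ProfileImagePath)"
}
Get-WmiObject Win32_UserAccount -Filter 'LocalAccount = True' |
    ForEach-Object { "ACCOUNT    $($_.Name) (SID $($_.SID), disabled=$($_.Disabled))" }
```

Compare the output against the same script run on a known-clean machine (the post does exactly this with an identical laptop); entries present only on the suspect box are the ones to investigate before deciding what to disable.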

The first time, it came up with a problem, but it was just a cookie – no big deal there. I rebooted, checked the startup elements again, and re-ran the checker, and it came up clean. I then did it AGAIN, and it again came up clean.

“All Right! I’m on a roll!”, I said, and decided to take the plunge. I rebooted the computer, and let it start up normally, under my wife’s user account. I had set Spybot to run on startup (the only thing set to run at startup), and it went along its merry way. Man, it’s interesting how much longer that scan takes in “normal” rather than “safe” mode!

However, when it was done, another perfectly clean bill of health! I rebooted one final time, re-ran Spybot one final time, and still showed no malware!

So, finally, I re-enabled the startup elements that I KNEW were good (like the Trackpoint controller, etc), and rebooted, and then re-ran the scan one final time.

With the machine finally clean, I shut it down and went for some liquid refreshment – well deserved, I believe.

May this help you in your struggles with the lowlife black hats in our industry…

Todd Fuder
