Tuesday, May 19, 2009

Experience Cleaning Malware Infected Box

The answer to “how to clean a machine that’s been massively infected with malware” is, in one word, Perseverance. I had even, at one time, given up completely on the process, and was certain I’d have to blow away and re-install the computer from scratch, but I stuck it out, and was able to eventually solve the problem.

Here’s the story:

My wife has a decent IBM Thinkpad T42, running Windows XP SP3. It had a copy of Norton Antivirus, but that had fallen out of date (and she’s not a very good “safe surfer”, which made it even harder). Her computer had gotten infected with Virtumonde.sci. This particularly nasty piece of malware hides in several places in the computer, and is hard to eradicate.

The first evidence that she’d contracted something nasty appeared right after she accidentally clicked on a page that “looked” like a normal Windows Explorer pane, but was actually a hot link to a downloaded Trojan. The Trojan, containing the Virtumonde.sci code, executed, and made several insidious changes to her system… In fact, I’d only ever seen one piece of malware harder to remove, and that’s saying a lot (I’ve seen a lot of junk in my day!).

Well, my first job was to get SpyBot Search & Destroy. I highly recommend it and it’s free, but I recommend you support the developer by donating. Unfortunately, I couldn’t just fire up Internet Explorer and go download it. The thing about Virtumonde is that it hides in your computer and downloads OTHER malware that you then have to contend with. Most of these involve clickjacking and pagejacking in Internet Explorer.

Luckily, I’d downloaded and installed both Google Chrome and Mozilla Firefox on her computer a couple of months ago (I don’t care for IE), so I fired up Chrome and went looking for Spybot. I downloaded it from download.com, and installed it on her computer.

The initial run of the software took forever, interjected with sounds of “You’ve won!” or “Contact us for your winning number”, or some other such drivel, from web pages being served up in the background on her computer, which had been taken over by a piece of malware that Virtumonde had called into existence. This other software fired up IE clients in the background (hidden), and sent them to pages containing web ads, including vocal ones (ARGH!!!!).

After running Spybot, which takes a while, I had several hundred things for it to fix. It fixed 99% of them, but there were five or so elements (malware, registry entries, etc), that it needed a reboot and rescan to try to eradicate. So I did that.

That fixed 4 of the problems, leaving me with just one. I performed the reboot and rescan process again, but was unable to get that dang thing removed. On my contemplation of ritual suicide, I thought about the “Tools” menu in Spybot. These help me by showing me what Browser Helper Objects (BHOs), ActiveX objects, startup elements, processes, etc. are set up on the machine. Of course! I could go there to figure out what the deal was.

So, upon scanning the BHOs, I found some things that didn’t look right, and I deactivated them (I didn’t remove them, yet, because I wasn’t sure if they were bad or not, at this point). I did the same thing for browser help pages, host file information, and other elements. But what really jumped out at me was the recurrence of a program in the process list (like what you see in Task Manager, but with more information). It would disappear when I killed it, but come back a few minutes later. That meant that something else was re-calling it into existence!

Going through the help for the different pieces of malware, I found that Virtumonde hides in a web page that is coded to be the background page for Windows “Active Desktop”. So it’s basically always running, and gets loaded on system startup, but not from the “Run” or “RunOnce” registry entries. So I went to my display properties to change the background… and couldn’t! The ability to change the background was grayed out! Why in the frak Microsoft would make it so that this couldn’t be adjusted easily is beyond me, but it’s simply stupid.

After doing some research, and comparing my wife’s settings to mine (I have an identical laptop), I figured out which registry entries controlled the “Background” and its settings, changed them so the background was editable again, and stopped it from using the Active Desktop.

I rebooted the computer and re-ran the scan, but it kept coming up with new and interesting pieces of malware every single time! I finally figured out that Virtumonde had downloaded and installed the malware I was seeing NOW on the previous reboot, before I removed it. Therefore, to ensure that nothing was compromised, I rebooted in Safe Mode, without networking support, and re-ran Spybot.

While it was running, I checked the registry, to see if anything jumped out at me… and something did. I noticed that there were waaaay too many users for the system, and they had funky user names. And several pieces of malware that used Winlogon or Run / RunOnce entries in the Registry, were doing it from these other, nonsensical user names. I decided to just eliminate them.

They weren’t in the Users control panel applet, so I switched back to the registry to simply delete them. That turned out to be easier said than done – the permissions were all set to read-only, and on some of the entries, even after I’d set the permissions otherwise, I couldn’t delete them. Very frustrating, but not crippling, so I checked in on Spybot.

I had to eventually run Spybot several times, but it finally came up clean! Woo Hoo! I had finally slain the beast… or so I thought…

…I rebooted the computer into regular mode, and told my wife I had it fixed. Five minutes later, all kinds of ads started popping up on her computer. The malware was back.

Despondent, I contemplated if it would be simpler to beat myself to death with her computer or re-install the operating system (a tough choice). I decided that the simple solution was to ignore it… for now.

Fast forward 1 week, during which time my wife has been using my computer to do all of her internet surfing. Now, you remember me mentioning that she’s not exactly the safest surfer in the world? Yeah… well, this concerned me to no small degree. I mean, if she wants to use her computer on the internet in an unsafe manner and gets bitten for it, that’s her choice. But not mine! She knew that was the best way to get me to work on her computer (and she was right). So I tackled the problem again yesterday afternoon…

I again used my favorite tool, Spybot Search & Destroy. This time I started immediately from Safe Mode, logged in as Administrator (which no one uses on her computer, so there’s less crud in it), and disabled every single Startup entry, including ones that I knew were OK (baseline). I ran the checker, and had it remove all of the malware it could find. I rebooted several times during this process, finally getting not one, but two clean bills of health from Spybot before I continued to my next plan.

Next, I started the computer in Safe Mode, and logged in under my wife’s account. I again ensured that there were no Run, RunOnce, WIN.INI, SYSTEM.INI, Background, Classes, or Winlogon elements being loaded by checking the Startup Items in the Tools menu in Spybot. I then ran the checker.

The first time, it came up with a problem, but it was just a cookie – no big deal, there. I rebooted, checked the startup elements again, and re-ran the checker, and it came up clean. I then did it AGAIN, and it again came up clean.

“All Right! I’m on a roll!”, I said, and decided to take the plunge. I rebooted the computer, and let it start up normally, under my wife’s user account. I had set Spybot to run on startup (the only thing set to run at startup), and it went along its merry way. Man, it’s interesting how much longer that scan takes in “normal” rather than “safe” mode!

However, when it was done, another perfectly clean bill of health! I rebooted one final time, re-ran Spybot one final time, and still showed no malware!

So, finally, I re-enabled the startup elements that I KNEW were good (like the Trackpoint controller, etc), and rebooted, and then re-ran the scan one final time.
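As an added example (not from the original post, and not part of Spybot), here is a read-only PowerShell audit of the same places the walkthrough above checks by hand: the Run/RunOnce keys, the Winlogon Shell/Userinit values, the legacy WIN.INI-style Load/Run values, the Active Desktop wallpaper and the policy values that grey out the Background tab, and the list of local accounts versus profile directories. The registry paths are the standard Windows ones; which specific values Virtumonde changed on that Thinkpad is not stated in the post, so the Active Desktop policy values listed are an assumption about what to look at, not a record of what was found.

```powershell
# Added example: inventory autostart locations and accounts. Reads only; nothing is changed.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # Legacy WIN.INI [windows] Load= / Run= lines live here on NT-based Windows
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)

"=== Autostart values (compare each path against what you expect) ==="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }
    foreach ($p in $props) { "{0}`t{1} = {2}" -f $key, $p.Name, $p.Value }
}

"=== Winlogon (Shell should be explorer.exe; Userinit should end with userinit.exe,) ==="
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
"Shell    = $($wl.Shell)"
"Userinit = $($wl.Userinit)"

"=== Active Desktop / wallpaper and the policies that lock the Background tab ==="
"Wallpaper = $((Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper)"
# Assumption: these policy values are the usual reasons the Background tab is greyed out.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ItemProperty -Path $key |
        Select-Object NoChangingWallPaper, NoActiveDesktop, NoActiveDesktopChanges |
        Format-List
}

"=== Local accounts (SAM) versus profile folders: names in one list but not the other stand out ==="
Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Select-Object Name, Disabled, SID | Format-Table -AutoSize
Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList' |
    ForEach-Object { (Get-ItemProperty $_.PSPath).ProfileImagePath }
```

Run it from Safe Mode as the affected user and again as Administrator, since the HKCU entries differ per account; save the output before and after cleanup so a re-appearing entry after a normal-mode reboot points straight at whatever is re-creating it.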

Finally clean, I shut the computer down and went for some liquid refreshment – well deserved, I believe.

May this help you in your struggles with the lowlife black hats in our industry…

Todd Fuder