Practical computer tips, with a smattering of digital philosophy
Monthly Archives: December 2008
December 8, 2008
I had the great honor of becoming acquainted with yet another malicious “anti-malware” program this evening, and in the process I discovered yet another place where these bugs can hide their files. Actually, the cloaking tactics used by this particular scourge were some of the most fiendishly clever I’ve ever seen. First off, the malware piggybacked on a system process (in typical rootkit style), making it impossible (a) to find out the name of the malicious process from the Process Manager, and (b) to directly kill the process (without shutting down Windows, of course). But this is hardly atypical malware behavior; the real kicker was where the malware had decided to deposit its files. Here’s how I found them:
The bug in question was one of the ones that hijacks IE and displays bogus “unsafe browsing” warnings at regular intervals – and after half an hour of fruitless poking around, it occurred to me that these alerts might actually supply a way for me to track them back to their source. Sure enough, when I viewed the source HTML for the warning page, I discovered that the page linked back to a directory in the user’s Application Data directory – to be more specific, a directory named Google. The bug had even been cheeky enough to put an empty subfolder named something like “Saved search results” in the directory – along with a bunch of .dll and .exe files with random names. Tada.
After being thoroughly outraged (and, I must admit, a bit amused) by this program’s sheer audacity, I found the removal process to be a simple matter of moving the entire Google directory somewhere else (I have no idea why this is, but while files being used by active processes cannot be moved, their parent folders can), and then deleting it once Windows had been restarted. (KillBox didn’t work on these, by the way.)
At any rate, here’s the updated list of all the places I’ve found malware lurking to date:
- C:\Windows (most often .dll files with random names, though some call themselves things like “sysrestore32.exe”; in case you can’t tell, that’s definitely not what the System Restore executable is called)
- C:\Windows\system32 (same as above)
- %USERPROFILE%\Local Settings\Temp (same as above; I’ve also seen winlogon.exe and winlogun.exe here, and the real winlogon.exe lives only in C:\Windows\system32)
- %USERPROFILE%\Application Data\Google (the hiding place described above: randomly named .dll and .exe files next to a decoy “Saved search results” subfolder)
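As an added example (not part of the original post), here is a PowerShell sweep of the drop locations listed above. It flags executables that were modified recently, that carry a system binary’s name outside that binary’s home directory (winlogon.exe in Temp), that are one or two characters away from a system binary’s name (winlogun.exe), or that have no company name in their version resource. The short list of “system names” is constructed for the example, not authoritative; run it from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original post: sweep the drop locations listed
# above for executables that look out of place. Run from an elevated prompt.
# The list of system names below is a short constructed one, not authoritative.

$locations = @(
    $env:SystemRoot,
    "$env:SystemRoot\system32",
    "$env:USERPROFILE\Local Settings\Temp",
    "$env:USERPROFILE\Application Data",
    $env:APPDATA,
    $env:TEMP
) | Sort-Object -Unique | Where-Object { $_ -and (Test-Path $_) }

# Names that malware borrows or misspells. Apart from explorer.exe (which lives in
# %SystemRoot%), a genuine copy lives only under system32.
$systemNames = 'winlogon.exe','svchost.exe','lsass.exe','csrss.exe','services.exe','rundll32.exe','explorer.exe'
$legitDirs   = @{ 'explorer.exe' = $env:SystemRoot }
$system32    = Join-Path $env:SystemRoot 'system32'

# Levenshtein distance, so that winlogun.exe is reported as a lookalike of winlogon.exe.
function Get-EditDistance([string]$a, [string]$b) {
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Find-SuspiciousBinaries([string[]]$dirs, [int]$recentDays = 7) {
    $cutoff = (Get-Date).AddDays(-$recentDays)
    foreach ($dir in $dirs) {
        # "$dir\*" plus -Include is the form that filters without -Recurse
        Get-ChildItem -Path "$dir\*" -Include *.exe, *.dll -Force -ErrorAction SilentlyContinue |
          Where-Object { -not $_.PSIsContainer } |
          ForEach-Object {
            $name = $_.Name.ToLower()
            $reasons = @()
            if ($_.LastWriteTime -gt $cutoff) { $reasons += "modified within $recentDays days" }
            if ($systemNames -contains $name) {
                $expected = if ($legitDirs.ContainsKey($name)) { $legitDirs[$name] } else { $system32 }
                if ($_.DirectoryName -ne $expected) { $reasons += "system binary name outside $expected" }
            } else {
                foreach ($s in $systemNames) {
                    if ((Get-EditDistance $name $s) -le 2) { $reasons += "lookalike of $s" }
                }
            }
            if (-not $_.VersionInfo.CompanyName) { $reasons += 'no CompanyName in version resource' }
            if ($reasons.Count -gt 0) {
                New-Object PSObject -Property @{
                    Modified = $_.LastWriteTime; Path = $_.FullName; Size = $_.Length
                    Company  = $_.VersionInfo.CompanyName; Reasons = ($reasons -join '; ')
                }
            }
          }
    }
}

Find-SuspiciousBinaries $locations | Sort-Object Modified -Descending |
    Format-Table -AutoSize Modified, Path, Company, Reasons
```

Treat the output as a triage list rather than a verdict: a Windows Update run will make plenty of legitimate system32 files “modified within 7 days”, and a missing CompanyName is common in small legitimate tools. The combinations are what matter, such as a randomly named .dll in Application Data that was written an hour ago and carries no version information.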
Generic instructions for manually removing common types of malware (viruses, trojans, even some rootkits)
December 5, 2008
This post is really an addendum to one I wrote a month ago on removing a specific family of malware. Since then, I’ve discovered (through some exceedingly fun four hours of “research”) that the method I outlined in that post is applicable to a much wider range of malware infections than I originally thought. Consequently, I’m posting this as both a gateway and a supplement to the old post, which contains the core of my manual malware-removal method. So if you’re currently trying to rid your computer of some nasty bug, and your security software doesn’t seem to be able to deal with it, go ahead and take a look at the instructions on this page – but before you actually try to use them, remember to come back here, because there are a couple of extremely important things that I didn’t mention in that post which you’ll greatly benefit from knowing about. See below.
Manual Malware Removal Appendix: the finer subtleties of battling bugs
Chances are, whatever bug you’re dealing with will have abused various settings and security policies to prevent access to certain basic Windows components (i.e., the command prompt, the registry editor, Windows shortcut keys, and so forth), thereby making it harder for you to find and remove the malicious files. (If you don’t notice anything amiss in this regard, and all menus, control panels, and other basic Windows features seem to be functioning correctly, skip this paragraph.)
- To restore any basic functionality that might have been disabled, you can either try mucking around with the Group Policy Editor (open a “Run” dialog, type “gpedit.msc”, and then spend 30 minutes sorting through all of the available settings until you find the one you’re looking for; note that gpedit.msc is not included in XP Home), or you can use any combination of free utilities designed to reverse the malicious changes. The one that I’ve had the most success with is, unfortunately, very difficult to find; simply called FixPolicies.exe*, the utility is apparently little more than a lengthy script – sans GUI and options – that restores a ton of Windows policies to their default settings. Simply download the thing, run it, and then see if you can now access the features that were disabled by the bugs. I know there are many others, but I don’t seem to have any of them in my gigantic list of links, so if this one fails to fix your problem, go consult the Master Index of Everything (aka Google).
*Because this link takes you directly to the file itself, and there’s no documentation on the server that’s hosting it, the best I can do to prove that this is what I claim it is (if you were skeptical, bravo) is to point you to other sites that have recommended the use of this program: here’s one from Expert’s Exchange (sign-in required), and here’s another from some random forum.
- A word of warning: some of the more sophisticated nasties will actually continually “reset” (read: foul up) your policies to their liking every five minutes or so – so running any of the above fixes won’t do you much good in the long run until you’ve killed the malware’s running processes. Which brings me to my next point…
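Before moving on, here is an added example (mine, not the post’s FixPolicies.exe) of what such a fixer actually does: the policies in question are plain registry values under the Policies keys of HKCU and HKLM, and clearing them restores the feature. The script lists the values it finds, removes them, waits five minutes, and checks again; if they are back, a “policy resetter” process is still running and must be killed first. It assumes PowerShell is installed and can be launched (if the command prompt is blocked, start it from the Task Scheduler or a rescue environment), and that you run it elevated so the HKLM copies can be cleared too.

```powershell
# Added example, not the post's FixPolicies.exe: list and clear the registry policy
# values that rogue "anti-malware" programs set to lock you out of Task Manager,
# regedit, the command prompt, Folder Options, the Display tabs and the Windows key,
# then check again a few minutes later to see whether something re-applied them.
# Run elevated. DisableRegistryTools only stops regedit.exe; the PowerShell registry
# provider used here is unaffected by it.

$policyKeys = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Names = 'DisableTaskMgr','DisableRegistryTools','NoDispCPL','NoDispBackgroundPage',
               'NoDispScrSavPage','NoDispAppearancePage','NoDispSettingsPage' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Names = 'NoWinKeys','NoFolderOptions','NoRun','NoControlPanel' },
    @{ Key = 'Software\Policies\Microsoft\Windows\System'
       Names = 'DisableCMD' }
)
$hives = 'HKCU:', 'HKLM:'

function Get-AbusedPolicies {
    foreach ($hive in $hives) {
        foreach ($entry in $policyKeys) {
            $path = Join-Path $hive $entry.Key
            if (-not (Test-Path $path)) { continue }
            $values = Get-ItemProperty -Path $path
            foreach ($name in $entry.Names) {
                $v = $values.$name
                if ($null -ne $v -and $v -ne 0) {
                    New-Object PSObject -Property @{ Path = $path; Name = $name; Value = $v }
                }
            }
        }
    }
}

function Clear-AbusedPolicies {
    foreach ($p in @(Get-AbusedPolicies)) {
        Remove-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
        Write-Host "cleared $($p.Path)\$($p.Name) (was $($p.Value))"
    }
}

$before = @(Get-AbusedPolicies)
if ($before.Count -eq 0) { Write-Host 'No abused policy values found.'; return }
$before | Format-Table -AutoSize Path, Name, Value
Clear-AbusedPolicies

# A malware "policy resetter" typically fires every few minutes; if the values are
# back after the wait, its process is still running and has to be killed first.
Start-Sleep -Seconds 300
$after = @(Get-AbusedPolicies)
if ($after.Count -gt 0) {
    Write-Warning 'Policy values were re-applied: a malicious process is still running.'
    $after | Format-Table -AutoSize Path, Name, Value
} else {
    Write-Host 'Policies stayed cleared; log off and back on so Explorer picks up the change.'
}
```

These are the same values a legitimate domain Group Policy uses, so on a domain-joined machine check with whoever manages it before clearing anything under HKLM. Folder Options and the Windows-key shortcuts are read by Explorer at logon, which is why a log-off is needed for those two to come back.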
In my original post, I detailed how to go about identifying the individual files that constitute and/or support the malware that’s hijacked the system, and suggested that all such files be moved to some quarantined location – but I didn’t make any mention of the fact that these files may very well be impossible to delete if any remnants of the bug are still actively running (for the same reason Windows screeches whenever you try to move any other kind of file that’s “in use”). What’s more, if you’re dealing with a particularly noxious kind of infection, leaving even one of the bug’s component files in place is often enough to allow the thing to regenerate itself the next time Windows boots. In short, here are my two fundamental axioms of malware removal:
- To completely remove malware from a computer, one must quarantine and/or delete all of the malicious files that the bug(s) installed.
- To quarantine and/or delete all of the malicious files on a computer, one must first ensure both that no running processes are actively using the files, and that no running processes are capable of regenerating the files.
The point here is that you need to either:
(1) identify and kill every single process that is either actively using or was spawned by the files in question, or
(2) switch to an environment in which it’s totally impossible that any such process could be running.
The first option allows you to work within Windows – but probably won’t help you if your computer is infected with a rootkit, or with anything else that injects its code into a system process: the malicious DLL then runs inside a legitimate process (explorer.exe, say), and as long as that host process is running, the DLL stays locked and you’re not going to be able to delete it. Period. The second option, by contrast, is guaranteed to allow you to delete/move any file you wish – but requires the use of a Linux boot CD. Depending on which option you choose, here’s some additional helpful information:
1. If you elect to try the first option (which, being more straightforward for most people, is probably a good first step), there are two utilities that will make your search-and-removal task a great deal easier: Process Explorer and KillBox:
- Process Explorer is a souped-up version of the standard Windows Task Manager, which can (among many other things) tell you the path of the executable behind each running process and which DLLs it has loaded. This is useful if the malware on your computer is accessing its files by means of rundll32.exe calls, which just appear as multiple instances of “rundll32.exe” in the regular Task Manager; Process Explorer shows each instance’s full command line, including the DLL it was told to load.
- KillBox is a utility that allows you to force-delete any file on the system – even if there are processes still accessing it (for an executable that is mapped into a running process, this in practice means scheduling the deletion for the next reboot rather than deleting it immediately). I used Process Explorer extensively during the process of deriving the base procedure that all of this rambling is intended to supplement.
I’m afraid I don’t have the time or energy at the moment to detail the various ways in which you might use these applications to your advantage – but the programs are both fairly intuitive, and ProcessExplorer has excellent documentation, so you shouldn’t have much trouble.
2. As for the second option, I can only say that I do plan on writing a primer on how to obtain and use a Linux boot CD for a wide variety of system-rescue purposes – but not right now. So if you know exactly what I’m talking about, and just need help with mounting your system drive, go for it (don’t forget to specify -t ntfs -o rw, since you want to delete stuff; be aware that the in-kernel ntfs driver has only very limited write support and cannot delete files, so if your live CD has ntfs-3g, mount with -t ntfs-3g instead). Otherwise, if you really cannot find any other way to permanently delete the files in question, you’ll either have to consult an online Linux tutorial, or consider the possibility of reformatting your hard disk and reinstalling Windows.
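To show the first option end to end, here is an added example of my own (not the post’s procedure, and not a replacement for Process Explorer or KillBox, which do the same steps interactively). Given the directory the malware dropped its files in, it finds every process that was started from that directory, that names it on the command line (the rundll32.exe case), or that has a DLL from it loaded; terminates those processes, except core system processes that cannot be killed without taking Windows down; and then deletes the files, queuing anything still locked for deletion at the next reboot through the same MoveFileEx mechanism “delete on reboot” tools use. The default $dropDir is an assumed path for illustration; substitute the directory you found.

```powershell
# Added example, not the post's own procedure or tool (Process Explorer and KillBox do the
# same steps interactively). Given the directory the malware dropped its files in:
#   1. find every process started from it, started with it on the command line
#      (the rundll32.exe case), or with a DLL from it loaded;
#   2. terminate those processes, except core system processes that cannot be killed;
#   3. delete the files, queuing anything still locked for deletion at the next reboot.
# Run elevated. The default $dropDir is an assumed path for illustration only.
param([string]$dropDir = "$env:APPDATA\Google")

Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # with a null destination: delete at boot via PendingFileRenameOperations

function Get-ProcessesUsing([string]$dir) {
    $dir = $dir.TrimEnd('\').ToLower()
    # Win32_Process carries the command line, which is where a rundll32.exe host names its DLL.
    $cmdlines = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $cmdlines[[int]$_.ProcessId] = $_.CommandLine }
    foreach ($p in Get-Process) {
        $evidence = $null
        try {
            $cl = $cmdlines[[int]$p.Id]
            if ($p.Path -and $p.Path.ToLower().StartsWith($dir)) {
                $evidence = "image: $($p.Path)"
            } elseif ($cl -and $cl.ToLower().Contains($dir)) {
                $evidence = "command line: $cl"
            } else {
                $m = $p.Modules | Where-Object { $_.FileName -and $_.FileName.ToLower().StartsWith($dir) } |
                     Select-Object -First 1
                if ($m) { $evidence = "loaded module: $($m.FileName)" }
            }
        } catch { }   # access denied, or Modules unreadable across a 32/64-bit boundary: skip it
        if ($evidence) {
            New-Object PSObject -Property @{ Id = $p.Id; Name = $p.ProcessName; Evidence = $evidence }
        }
    }
}

$hits = @(Get-ProcessesUsing $dropDir)
if ($hits.Count -eq 0) { Write-Host "No running process references $dropDir." }
$hits | Format-Table -AutoSize Id, Name, Evidence

# Killing these takes the system down with them; their files get the reboot treatment instead.
$doNotKill = 'system','smss','csrss','wininit','winlogon','services','lsass'
foreach ($h in $hits) {
    if ($doNotKill -contains $h.Name.ToLower()) {
        Write-Warning "$($h.Name) (PID $($h.Id)) hosts the malware but cannot be killed safely."
        continue
    }
    Stop-Process -Id $h.Id -Force -ErrorAction SilentlyContinue   # explorer.exe can be relaunched afterwards
}

$queued = 0
$files = Get-ChildItem -Path $dropDir -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }
foreach ($f in $files) {
    try {
        Remove-Item -LiteralPath $f.FullName -Force -ErrorAction Stop
        Write-Host "deleted $($f.FullName)"
    } catch {
        # Still mapped into a live process: queue it, the way "delete on reboot" tools do.
        if ([Win32.Native]::MoveFileEx($f.FullName, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            $queued++; Write-Host "queued for deletion at reboot: $($f.FullName)"
        } else {
            Write-Warning "could not delete or queue $($f.FullName): $($_.Exception.Message)"
        }
    }
}
if ($queued -eq 0) {
    Remove-Item -LiteralPath $dropDir -Recurse -Force -ErrorAction SilentlyContinue
} else {
    Write-Host "Reboot to finish removing $queued file(s), then delete $dropDir."
}
```

Save it as, say, Remove-DropDir.ps1 and run it with powershell -ExecutionPolicy Bypass -File Remove-DropDir.ps1 -dropDir "C:\...", since the default execution policy refuses unsigned scripts. The reboot fallback is also why moving the whole folder worked in the December 8 story: an open file is held by handle, not by path, so renaming its parent directory on the same volume succeeds, and the files only become deletable once the process holding them is gone.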
Last, here is a list of symptoms that my solution has repeatedly proven effective against (this is here primarily to ensure that this page will be one of the entries that comes up when anyone searches for the following symptoms. I know, I know: I’m shameless.):
- Browser hijacking, which prevents any web browser from getting to anti-malware websites, and causes the browser to be redirected to random shopping websites whenever you click on a link from a search engine (Google, Yahoo, you name it).
- Disappearance of the “Display”, “Screen Saver”, and “Advanced” tabs in the Display Control Panel.
- Disappearance of the Folder Options Control Panel.
- Crippling of Windows Security Center.
- Disabled Windows-key shortcuts (Winkey-R, Winkey-D, etc.).
- Disabled Command Prompt.
- Disabled Registry Editor.
- Appearance of cockroaches on the desktop, accompanied by a warning informing the user that there “are bugs on the system”. I’m not kidding.