It seems like any time someone has contacted me lately in regards to a virus / spyware infection, they are all the same - Rogue / Fake AV, makes your computer run incredibly slow, and proceeds to hide many of your desktop files/folders, Documents, Photos, etc. so they look like they have been deleted.
I figured I would post this guide to help others overcome some of the challenges that you may face if you have the pleasure of working on one of these machines.
_________
1. If the machine you are working on is infected and has an antivirus product already, assume the product has been compromised - try to use it, but don't rely on it as your only means to remove the virus. There's a reason the machine was infected; the AV may be out of date, the subscription (if any) may have expired, the AV just doesn't detect the new virus/malware, etc. New malware is designed to disable things like Real Time Protection, or may prevent AV services from running.
2. If you CAN get into Windows and maneuver around / download and install programs:
- Download and run rkill - this will help terminate many malware processes - it's not the end all / be all, but it will help.
- Download and run Malwarebytes - it's free, it works very well, and will take out most of your malware infection.
- Remediate existing AV protection - either fix the existing AV product, or go with another. Free options include MSE, Avast, Avira, etc. Paid options include Kaspersky, BitDefender, NOD32, and F-Protect.
3. If you CANNOT get into Windows and/or cannot download and install programs:
- Attempt to boot into Safe Mode, download and install Malwarebytes. Try running Malwarebytes while you are in Safe Mode - sometimes this will work.
- If you can't run Malwarebytes in Safe Mode, use the BitDefender Boot CD. This has saved me multiple times, and is a great tool to have.
- Between the two options above, you should be able to resurrect the crippled machine to work in either Safe Mode or Normal Startup. If you still cannot use the machine, it may be in both your and your user's best interest to back up their files and perform a full reinstall. Chances are you have a virus / malware that is not detected by any signatures / heuristics. Unless you can reverse engineer the malware, a format / reinstall is your best bet.
- Remediate existing AV protection - as seen above.
4. With the threat removed, you'll now need to restore all of the hidden files. There is another program called unhide.exe, which will remove the 'Hidden' attribute from your files. Sure, you could go folder by folder to unhide everything - but the batch file is a lot faster. You can find this program typically from the same places you can download rkill from.
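As an added example (not the unhide.exe tool mentioned above, and not part of the original post), the PowerShell script below does the same job in a reviewable way: it lists every file and folder under a profile that carries the Hidden attribute, skips the items Windows hides on purpose (System-flagged files, desktop.ini, NTUSER.DAT, AppData), and only clears the Hidden bit when you pass -Fix. The $Root default and the skip lists are my assumptions; run it from an elevated prompt only after the malware itself has been removed.

```powershell
# Added example: report, and optionally clear, the Hidden attribute that the
# rogue AV sets on user files. Defaults to the current user's profile (assumption:
# one profile at a time; pass -Root to point it at another user or at Public).
param(
    [string]$Root = $env:USERPROFILE,
    [switch]$Fix                       # without -Fix the script only reports
)

# Items Windows hides legitimately; leave those alone so we do not expose
# system files that were never meant to be visible.
$skipNames = @('desktop.ini', 'ntuser.dat', 'ntuser.ini', 'thumbs.db')
$skipDirs  = @('AppData', 'Application Data', 'Local Settings')

function Test-IntentionallyHidden {
    param([IO.FileSystemInfo]$Item)
    # System-flagged items (e.g. desktop.ini, junctions) are hidden by design.
    if (($Item.Attributes -band [IO.FileAttributes]::System) -eq [IO.FileAttributes]::System) { return $true }
    if ($skipNames -contains $Item.Name.ToLower()) { return $true }
    foreach ($d in $skipDirs) {
        if (($Item.FullName -like "*\$d") -or ($Item.FullName -like "*\$d\*")) { return $true }
    }
    return $false
}

# -Force makes Get-ChildItem return hidden items; access-denied folders are skipped.
$hidden = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        (($_.Attributes -band [IO.FileAttributes]::Hidden) -eq [IO.FileAttributes]::Hidden) -and
        -not (Test-IntentionallyHidden -Item $_)
    }

"{0} hidden user item(s) found under {1}" -f @($hidden).Count, $Root
$hidden | Select-Object -ExpandProperty FullName

if ($Fix) {
    foreach ($item in $hidden) {
        # Clear only the Hidden bit; ReadOnly, Archive etc. are left as they were.
        $item.Attributes = $item.Attributes -band (-bnot [IO.FileAttributes]::Hidden)
    }
    "Cleared the Hidden attribute on {0} item(s)." -f @($hidden).Count
}
```

Run it once without -Fix and read the list before changing anything: if it shows hundreds of Documents and Pictures entries, that matches the infection described above; if it only shows a handful of odd files, look at them first rather than blindly unhiding.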
5. Make sure the proxy settings haven't changed as the result of an infection. Regardless of your browser, you can go into Internet Options - Connections - LAN settings; unless you are expected to be using a proxy, you shouldn't have one defined there. With Windows XP, you can also open a command prompt and type 'proxycfg' to make sure no rogue entries were added that way. If you see one, just type 'proxycfg -d' to delete them. In Windows Vista / 7, open an administrative command prompt and type 'netsh winhttp show proxy' to check, and 'netsh winhttp reset proxy' to reset the WinHTTP proxy settings.
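The check above covers two separate proxy stores: the per-user WinINET settings that the Internet Options dialog edits (kept under HKCU, so each user profile on the machine has its own), and the machine-wide WinHTTP proxy that services and Windows Update use. The script below, an added example that is not part of the original post, reads both and warns on anything that points traffic somewhere. The registry path and value names (ProxyEnable, ProxyServer, AutoConfigURL) are the standard Internet Settings keys; the "Direct access" string it looks for is what netsh prints on Vista / 7 when no WinHTTP proxy is set, and that match is an assumption to adjust for other Windows versions.

```powershell
# Added example: audit the WinINET (per-user) and WinHTTP (machine) proxy settings
# after a rogue AV cleanup. Run as the affected user, from an elevated prompt.
$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-WinInetProxy {
    # What Internet Options > Connections > LAN settings shows for this user.
    $p = Get-ItemProperty -Path $inetSettings -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnable   = [int]$p.ProxyEnable          # 1 = "Use a proxy server" ticked
        ProxyServer   = [string]$p.ProxyServer       # host:port, or per-protocol list
        AutoConfigURL = [string]$p.AutoConfigURL     # PAC script URL, if any
    }
}

function Get-WinHttpProxy {
    # Machine-wide WinHTTP proxy; same data as 'netsh winhttp show proxy'.
    (& netsh winhttp show proxy) -join ' '
}

function Test-ProxyLooksClean {
    param($WinInet, [string]$WinHttpText)
    $clean = $true
    if ($WinInet.ProxyEnable -ne 0 -or $WinInet.ProxyServer) {
        Write-Warning "WinINET proxy is set for this user: '$($WinInet.ProxyServer)'"
        $clean = $false
    }
    if ($WinInet.AutoConfigURL) {
        Write-Warning "WinINET automatic configuration script is set: '$($WinInet.AutoConfigURL)'"
        $clean = $false
    }
    # Assumption: Vista / 7 netsh prints "Direct access (no proxy server)." when unset.
    if ($WinHttpText -notmatch 'Direct access \(no proxy server\)') {
        Write-Warning "WinHTTP proxy is configured: $WinHttpText"
        $clean = $false
    }
    return $clean
}

$inet = Get-WinInetProxy
$http = Get-WinHttpProxy
if (Test-ProxyLooksClean -WinInet $inet -WinHttpText $http) {
    'No proxy configured in WinINET or WinHTTP.'
} else {
    'Review the warnings above. If the proxy was not set on purpose, clear it in ' +
    'Internet Options > Connections > LAN settings and run "netsh winhttp reset proxy".'
}
```

A PAC URL (AutoConfigURL) deserves the same suspicion as a ProxyServer entry: it lets the script at that address decide where every request goes, and the LAN settings dialog shows it on a separate line that is easy to overlook.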
6. By now, the machine should be virus free with all of the user files now revealed. It wouldn't hurt to run some cleanup on it - use CCleaner to remove all the garbage / temp files, and Defraggler (or something like it) to defragment the hard drive.
_________
Bonus Options
1. When I come across a new piece of malware or something that has little documentation - one of the best things you can do is submit a sample to the AV vendor that you use. You can usually put the infected executables into a zip / rar file, and submit it safely. Include any logs or other information you might have; this will help with detection methods and virus removal in the future for others.
2. Eliminate the scope of possible threats - use tools like Secunia PSI (for personal) to scan for vulnerable applications - Adobe Reader, Adobe Flash, Windows (missing patches), etc.
3. Use the most secure version of Windows - i.e. if you can run Windows 7, it would be in your best interest to do so. UAC does help, and you can educate your users - if they didn't download something or weren't expecting to install something, make sure they know to click NO.
4. Make sure firewall(s) are in place - Windows firewall is fine for most people; make sure it's enabled. Make sure that people don't have a computer connected directly to the Internet - 99.9% of home users should be using a router with NAT and built-in (or standalone) firewall to secure themselves from the Internet.
5. Make sure any wireless networks are secured with the strongest protection possible - for home users, this will most likely be WPA2-PSK with AES 256-bit encryption. If you are in an enterprise, you should be using certificate based authentication from client -> WAP.
Even after following all the steps above, all it takes is for one user to click 'Install' or 'OK', or plug in an infected USB drive. If you can educate your users to make smart decisions, you're well ahead of the game.