Oops
Yesterday we did routine scans and such on 16 client computers. One of them was thoroughly infested with malware and was getting popups constantly, so I had to spend extra time and effort cleaning it. Apparently the user knew it, as someone had made an effort to clean the obvious aspects already. I succeeded where they did not.
Anyway, this morning it turns out one of the next machines we’d have done had we kept going is even more heavily afflicted and acting so funky it’s essentially unusable. I just had the user look in the Run key under HKLM and start reading me off the list. It’s bad. I told her I’d hurry, but she can plan on borrowing someone else’s computer all morning.
Malware (adware/spyware) went from being a non-problem a few years ago to being a huge component of my work. It’s pretty sad.
Update:
In answer to people’s questions, I typed a comment. It’s more than double the maximum comment length, so I will post it here instead.
My attacks on malware involve, in no great detail and not always in this order or including every item:
Look in the task list to see if anything obviously rogue is in the list of processes. See if killing it results in a new process immediately spawning, which means a tough one. Obviously this means having an idea what belongs and doesn’t, which is an inexact thing. Multiple instances of rundll are a bad sign. So is having more than the first few instances of svchost.
Running Ad-Aware and purging what that finds.
Renaming the run keys in the registry, and checking the run once keys to be sure nothing is launching there. Later seeing if anything recreates and adds itself back to the run key in either HKCU or HKLM.
Lately I have been checking an item in HKLM software microsoft WinNT Windows because that is supposedly a vector used for app initiation of a randomly named DLL by the newer Cool Web variants, but I have yet to find anything.
See if anything odd seems to be loading as a service.
I have been known to try to identify the processes that are rogue and kill them then delete or rename the file they go with before they can restart, but now I tend to just…
Reboot and use F8 for the options, then go into safe mode command prompt, logging on as administrator.
Check all the usual places for known or apparent bad stuff, using DOS commands. Attrib is your friend. dir/ah (most of all), dir/as and dir/ar are your friends. Also dir/o-d/p is your friend.
I do an obligatory dir and the attribute variants at the root of C, but normally nothing is there. Looking under program files gives directories that sometimes cry out by name that they are bad, like BargainBuddy. Sometimes the root of program files will have actual files. You do have to know what is legit. Usually it’s okay if you don’t kill everything, because not everything loads and if the right stuff buys it and there is minimal respawned stuff telling things that aren’t there to load, great.
Under program files a lot of the crud gets put into common files to hide it better.
Somewhere along the line I have emptied the temp directory and any temp directories that might ever be used by anything on the machine, be it the user-specific temp under documents and settings, user name, local settings, temp, or windows temp, or temp off the root of C. I’ve also gone to internet settings and told it to empty files, and gone to the advanced tab and made sure both install on demand options are unchecked, and add-ins are not allowed. That means things like IE toolbars are no longer able to take root.
Anyway, back to command prompt safe mode, I check the windows and system32 directories for strange stuff, usually in the form of files rather than folders, but you never know.
Dir/ah gives you a mix of valid and invalid stuff. See the ones named things like e8xUz.exe that are HIDDEN? Yeah, they probably are bad. Usually it is DLL and EXE files. I have also seen DAT and INI files that are there as or in support of malware. Rename or delete, depending on confidence level, after changing attributes to make that possible.
Other indicators are a bunch of files all with the same recent date, coinciding as far as you can tell with when you got infested with some of the crud, especially if they have similar names and are the same size. They are different copies of the same file that got spawned and cloned under new names. Most of them are probably harmless because they were used and discarded, but why make it easy for the spawning program elsewhere, if you didn’t manage to catch it.
What you have to watch is that you don’t kill a legitimate driver. Something with a date of 2001 is probably okay. OTOH today I saw a series of files I did not kill that were all dated the same date, otherwise looking suspicious, but in 1997. As if they got backdated to avoid suspicion.
When booting back up, check the run keys again, and I always check the startup on the start menu in case, and I check the INI files to see if anything is weird or using the load= or run= lines as a launching point nobody thinks to check anymore.
Lately I have been checking for wininit.ini and renaming it if anything was in it, even seemingly a harmless “remove when done” type of command.
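The safe-mode file check above (hidden EXE/DLL/DAT/INI files with random-looking names, and clusters of files sharing one recent date and size) can be scripted against the output of dir /ah. This is an added example, not code from the post; the directory listing below is constructed, and the name heuristic (short stem mixing letters and digits) is an assumption drawn from the e8xUz.exe style the post describes.

```python
import re
from collections import defaultdict

# Constructed sample of `dir /ah` output for C:\WINDOWS\system32 (not from the post).
SAMPLE_DIR_AH = """\
 Volume in drive C has no label.
 Directory of C:\\WINDOWS\\system32

03/14/2004  09:12 AM            61,440 e8xUz.exe
03/14/2004  09:12 AM            61,440 kq2Lm.exe
03/14/2004  09:13 AM            61,440 wXc91.dll
08/23/2001  12:00 PM           120,320 drvhelper.dll
03/14/2004  09:12 AM             1,204 desktop.ini
               5 File(s)        305,444 bytes
"""

# date, time, size (no <DIR> entries), name; the summary line starts with spaces so it never matches
LINE_RE = re.compile(r"^(\d\d/\d\d/\d{4})\s+\d\d:\d\d [AP]M\s+([\d,]+)\s+(.+)$")
SUSPECT_EXT = {".exe", ".dll", ".dat", ".ini"}

def parse_dir_listing(text):
    """Return (date, size_bytes, name) for each file line of a dir /ah listing."""
    files = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            files.append((m.group(1), int(m.group(2).replace(",", "")), m.group(3).strip()))
    return files

def looks_random(name):
    """Assumed heuristic: 4-8 char stem mixing letters and digits, with a loadable extension."""
    stem, dot, ext = name.rpartition(".")
    if not dot or "." + ext.lower() not in SUSPECT_EXT:
        return False
    return 4 <= len(stem) <= 8 and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)

def flag_suspects(text):
    """Map filename -> reasons it merits a look: random-looking name, or same-date/same-size clones."""
    reasons, by_date_size = defaultdict(list), defaultdict(list)
    for date, size, name in parse_dir_listing(text):
        by_date_size[(date, size)].append(name)
        if looks_random(name):
            reasons[name].append("random-looking hidden name")
    for (date, size), names in by_date_size.items():
        if len(names) > 1:  # cloned copies spawned under new names
            for name in names:
                reasons[name].append(f"clone: {len(names)} hidden files dated {date}, {size} bytes")
    return dict(reasons)  # empty dict means nothing flagged

if __name__ == "__main__":
    for name, why in flag_suspects(SAMPLE_DIR_AH).items():
        print(name, "->", "; ".join(why))
```

Flagged names are leads for the confidence-based rename-or-delete decision, not a verdict; the 2001-dated driver in the sample is left alone, as the post advises.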
Today there was an issue that may or may not have been related, where MS installer was spawning multiple instances and trying to install a program long since installed. I ended up killing the original install and reinstalling to help kill off the urge.
I also ran into malware having put odd files into the mspclnt folder on C, which is the proxy client for passing through MS Proxy Server on a Windows NT server. I killed the whole thing and reinstalled it. Sometimes malware, or the act of Ad-Aware and, apparently more so, other such programs removing malware, can damage TCP/IP or winsock, and I recently had a machine that could not see the internet and, if I looked at it wrong, the network, until I carefully wiped out proxy client completely and remarked out its entries in win.ini and system.ini. Seeing what I saw today made me more sure it was the malware, not removal of same, that may have done that. Kind of like a virus killing the host, since this stuff presumably wants an internet connection for its ad or spyware.
Anyway, that’s an idea of the stuff I can get into to de-scourge a machine. I’m sure it’s completely clear and you can run with it...