BIT Consultants » Malware http://www.bitconsultants.net Sun, 25 Jul 2010 21:54:45 +0000 en hourly 1 http://wordpress.org/?v=3.0 Fighting Difficult Viruses http://www.bitconsultants.net/2009/fighting-difficult-viruses/ http://www.bitconsultants.net/2009/fighting-difficult-viruses/#comments Tue, 06 Oct 2009 20:18:00 +0000 Rob http://www.fangledcontraption.com/?p=37 Let’s face fact, most commercial AV publishers can’t get everything. They do a good job keeping known viruses off your system by scanning for the existence of certain files (not checking content), certain registry entries or running processes/services. So how do you get rid of a virus that your AV vendor doesn’t know about? Here are the tactics I use, with a high rate of success. Please not that the order is of no consequence, all of these tasks are fine to be performed atomically.

Fix 1: Get the computer to boot:

Does the computer boot? If not, what messages (if any) are you getting? If you are getting error messages, Google them; most likely, you are not the first person to experience this problem. Careful where you click, though. Assuming you have eliminated the possibility of hardware failure (and that you have properly backed your important documents up): if the computer doesn’t boot, you could have a boot sector virus. To get rid of these, load the Windows CD and press ‘R’ when prompted to enter the Recovery Console. Type these commands:

  • fixmbr
  • bootcfg /list
    • If no entries are listed, type bootcfg /rebuild
    • Enter the numerical identifier for your Windows installation (likely the number 1)
    • Type Y or Yes to add installation to boot list
    • Provide a load identifier (e.g. Windows XP)
    • Enter /fastdetect

Fix 2: Finding the culprits:

If it’s possible, hook the infected hard drive up to a different machine and scan it using MalwareBytes, removing any infected objects it finds. Now, knowledge of an approximate time the virus was contracted is REALLY helpful here, though not necessary. If you can’t hook it up to another computer, boot the computer into safe mode (press F8 as the computer is booting) and choose Safe Mode (with Networking).

Whether you have booted to this hard drive or are viewing it from a different computer, take the following actions:

Open My Computer > C:. Go to Tools > Folder Options > View tab > Check “Show hidden files and folders”; uncheck “Hide extensions for known file types”, “Hide protected operating system files” and “Use simple file sharing”. > Change to detail view and sort by Date Modified, more than likely, all of the virus files are going to have the same date in this field. Now is the tedious process of looking (and deleting/renaming), be sure you aren’t deleting important system files by using Google. Here are the important places to look, though they can be anywhere:

  • C:\
  • C:\WINDOWS\
  • C:\Recycler\S-1-{RANDOM}\
  • C:\WINDOWS\Tasks
  • C:\WINDOWS\system32\
  • C:\WINDOWS\system32\drivers\
  • C:\Program Files\{ANY RECENT SOFTWARE THAT IS NEW AN YOU DIDN’T CHOOSE TO INSTALL}
  • %TEMP% (Start > Run > %TEMP% > OK)
  • %USERPROFILE%\Desktop (look for installer files)
  • “%USERPROFILE%\Local Settings\Temporary Internet Files\”

Open Windows Firewall through Start > Control Panel > Windows Firewall, click on the Exceptions tab and check for any programs that you didn’t specifically authorize, remove the exception if there are unknown entries.

Fix 3: Stop the rogue processes from loading at startup

Download Autoruns from Sysinternals. Run the program and select the Logon tab. Check for malicious software under the headings listed below, unchecking each malicious item:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • C:\Documents and Settings\All Users\Start Menu\Programs\Startup
  • C:\Documents and Settings\username\Start Menu\Programs\Startup

Move to the Services tab and look for items where the Publisher is missing, these items are frequently (not always) suspect. Remove malicious services by unchecking them

Select the “Image Hijacks” tab, the only item that should be present is “Your Image File Name Here without a path”. If anything else is present, uncheck it.

Close Autoruns

Cleanup

Download CCleaner, install and run it with the default settings to remove all of your temporary files. If you don’t have a good Firewall and don’t have money to spend, download Comodo or ZoneAlarm. Turn off System Restore by right-clicking My Computer and selecting Properties. Select the System Restore tab and check the Turn off System Restore checkbox > Select Apply (may take a moment or two). Once it is responding again, uncheck the box and it will create a new restore point (that doesn’t have the virus files).

Disclaimer

I cannot be held liable for you bricking your computer. It is your responsibility to take the necessary precautions when altering system files and folders. I make no guarantee about the fitness of these instructions, their application to your computer system and settings and accept no liability for any system errors, serious or not that result from following these directions. The riskiest items in this posting are:

  • the fixmbr command could cause some problems (warning is given when command is run)
  • Deleting files in the WINDOWS, system32, drivers directories is extremely risky, check files if you are unsure
  • Using Autoruns can be risky; if you uncheck important system processes your computer may no longer boot.

That being said, if you have problems, post in the comments section and I will try to help.

]]> http://www.bitconsultants.net/2009/fighting-difficult-viruses/feed/ 0 Malware Appears on New York Times Homepage http://www.bitconsultants.net/2009/malware-appears-on-new-york-times-homepage/ http://www.bitconsultants.net/2009/malware-appears-on-new-york-times-homepage/#comments Thu, 10 Sep 2009 09:40:28 +0000 Rob http://www.bitconsultants.net/?p=4
Matryoshka Doll

http://mediamemo.allthingsd.com/20090913/home-delivery-the-new-york-times-serves-up-some-malware/

I have already seen this trojan three times in the past week, it is called “Windows Police Pro”. To remove it perform the following actions (appx. 20 minutes):

* Turn off System Restore
* Ctrl Alt Delete – end task Windows Police Pro.exe, also
svchast.exe or svchasts.exe if they are running
o If you can’t open task manager, run FixExe.reg
* Navigate to the Windows Police Pro folder within program files and
delete the entire folder
* Download Malware Bytes here
<http://dw.com.com/redir?edId=3&siteId=4&oId=3001-8022_4-10804572&ontId=8022_4&spi=3426e77389633e655850b415cc3640d6&lop=txt&pid=11102549&mfgId=6290020&merId=6290020&pguid=qf7KTAoPjF0AAEIGeqEAAAEr&destUrl=http%3a%2f%2fsoftware-files.download.com%2fsd%2fda0BZEbQkGOVDsTmrswO8tb-0gEwKNG-rq3Fk9783HJsdPVgE9pMw_9oifebezAdxZfBihT197GCE-0KGRJcM7QZyYHRWyCi%2fsoftware%2f11102549%2f10804572%2f3%2fmbam-setup.exe%3flop%3dlink%26ptype%3d1901%26ontid%3d8022%26siteId%3d4%26edId%3d3%26spi%3d3426e77389633e655850b415cc3640d6%26pid%3d11102549%26psid%3d10804572>,
install, update and run a quick scan
* Remove all found viruses when it is finished
* Check for the presence of C:\WINDOWS\system32\dddesot.dll and/or
C:\WINDOWS\svchasts.exe, delete if they are there
* Reboot computer
* Turn on System Restore

It is really important that you get rid of this trojan as quickly as possible because a more insidious (and much more difficult to remove) virus I have been seeing a lot of is using this easy-to-remove scareware as its vehicle for getting onto computers. I guess this is more of Matryoshka doll rather than a trojan horse, in that the visible trojan is masking itself as the real virus. After you have removed the virus, make sure that there is no autorun.inf in root C (remember, right-click > Explore). If there is an autorun file, run the attached batch script (it’s from Trend Micro).

Questions?

P.S. Did you know that if a virus is blocking you from running programs (regedit, task manager, add/remove programs, etc.) you can typically run them through command.com?

Start > Run > command.com > OK
Type regedit to open… well, you know. appwiz.cpl to open add/remove programs, etc. I found this out recently and it has been extremely helpful.

fixtm.reg



REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-


FixExe.reg



REGEDIT4

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

Batch file

<@echo off
:: SET_NO_DRIVE_OTORUN
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun /t REG_DWORD /d 0x0ff /f

:: GET_DRIVES
for /f "tokens=1 delims=:" %%j in ('reg query hklm\system\mounteddevices ^| findstr \DosDevices\') do (
echo %%j >> drives
)

:: REMOVE_\DosDevices\_PREFIX
for /f "tokens=3 delims=\" %%j in (drives) do (
echo %%j >> drives.txt
)
del /q /f drives > nul

:: REMOVE_SPACE
for /f "tokens=1 delims= " %%j in (drives.txt) do (
echo %%j: >> drives
)
del /q /f drives.txt > nul

:: CHECK_DRIVE_TYPE
for /f %%j in (drives) do (
fsutil fsinfo drivetype %%j | findstr "Fixed " >> fdtype
fsutil fsinfo drivetype %%j | findstr "Removable " >> frtype
)
del /q /f drives > nul

:: GET_FDRIVES
for /f "tokens=1* delims= " %%j in (fdtype frtype) do (
echo %%j >> dtype
)
del /q /f fdtype > nul
del /q /f frtype > nul

:: REMOVE_SPACE1
for /f "tokens=1 delims= " %%j in (dtype) do (
echo %%j >> drives
)
del /q /f dtype > nul

:: DEL_DRIVE_A_FROM_LIST
sort drives >> sort
type sort | findstr "A" > nul
if errorlevel 0 for /f "tokens=1 skip=1" %%j in (sort) do (
echo %%j >> sorted
)
del /q /f drives > nul
del /q /f sort > nul

:: CREATE_OTORUN_FOLDER
for /f %%j in (sorted) do (
md %%j\AUTORUN.INF
attrib +s +h +r /d /s %%j\AUTORUN.INF
)
del /q /f sorted > nul

echo Press any key to close this window..
pause > nul>
]]> http://www.bitconsultants.net/2009/malware-appears-on-new-york-times-homepage/feed/ 0