Virus Removal

Holly is infected.

Symptoms:
“Been running funny for a day or so. Now winlogon.exe error as I am entering my username and password.”

Initial Findings:
Can get to Safe Mode
No System Restore Points available
RUN Command not available in Start Menu
No sign Symantec is running.
Event Logs are “corrupted”
Browser is hijacked. Redirected from Antivirus and other misc sites
MSCONFIG shows at least a half dozen bad guys.

Diagnosis:
“You are infected. If you have gone on Facebook or banking sites in the last week, I would change your passwords and watch those accounts carefully. Also, we are going to change your network password.” The goal of some infections is to capture and transmit authentication traffic in order to exploit you.

Repair:
My first move is always to shoot for a good System Restore Point. This is often a quick way to reverse the virus installation. Then you can scan out the bad executables and other instances.
Log in to Safe Mode as Holly (an Administrator) -I would not use my Domain Admin credentials for fear of capture. If I must, I would create temporary credentials that would be disabled later.
I would try System Restore from Safe Mode first -In this case, the virus has disabled System Restore which removes restore points.
If I can’t get into Safe Mode, or the virus launches in Safe Mode (yes, I have seen this), I will try running System Restore from Command Prompt Mode. F8 at boot, and select Command Prompt. Run C:\windows\system32\restore\rstrui.exe
But again, no help here. Moving on…

Delete Temporary Internet Files -I do this to speed up scans and get rid of cookies
Reset Internet Explorer Settings with Delete Personal Settings -I do this to disable bad Browser Helper Objects
Disable System Restore -(After I have used it) to speed up scans and remove bad stuff
Empty Recycle Bin

HiJackThis -create a log before cleaning
MSCONFIG -disabled 7 bad items
Vipre -“The System Administrator has set policies to prevent the installation.” (virus did this)
MalwareBytes -removed 17 infected objects (backdoor.bot, adware.comet, malware.trace, rogue.antivirsolutionpro, hijack.userinit)

Did not survive the removal… BSOD in Safe Mode… Format and Re-install…

Would have been my next steps:
Update and Scan with the existing AV. Run and rerun until it comes back clean
Remove existing AV to install Vipre
Vipre Antivirus – 30 day free trial run and rerun until it comes back clean
MalwareBytes – Download free version. Run and rerun
SuperAntiSpyware – Download Free Version Home Users

RootkitRevealer

Remove Vipre
Install AVG Free

Reset Internet Explorer Settings with Delete Personal Settings

ESET Online Scanner
TrendMicro HouseCall
Kaspersky Online Virus Scanner
Webroot Antivirus with Spy Sweeper (Run Free Scan) -Without buying it, you will have to manually remove any findings.

HiJackThis

Re-enable System Restore

Five Tips to get rid of Rootkits

A rootkit is a piece of software that enables the continued, privileged access to a computer, all the while hiding its presence from users and administrators. Although rootkits themselves might not be dangerous, the software or processes they hide almost always are. Unlike a virus, a rootkit gains administrative privileges to your machine. Rootkits are the Mac-daddy of viruses, causing the most damage and headache. The biggest issue with rootkits is that once on a system, they are a challenge to detect and remove, because their main purpose is obfuscation.

But you don’t have to be at the mercy of rootkits. You can be prepared to deal with these nasty pieces of software should they show up. And even better, you can keep them from happening in the first place.

1: Protect those machines

You’re not going to stop everything all the time. But that doesn’t mean you should forgo protection. One of the first things I do on a new Linux system is install rkhunter. This tool is an outstanding defense against rootkits. If you’re not using the Linux operating system then you need to use trusted tools like AVG Anti Rootkit or ComboFix [edit: link corrected] to take on the task.

2: Be on the lookout for signs

Although rootkits don’t actively give you signs you are compromised, there are ways to tell. If you’ve received reports from various sources that you are sending out massive amounts of spam, you most likely have a botnet, which is probably being hidden by a rootkit. If your server is a Web server, and you are seeing strange redirect behavior, you might be a “winner.” For UNIX and UNIX-like systems, look for altered versions of executables or directory structures. If you issue the ls /usr/bin or ls /usr/sbin command and see that your normal applications seem to be named incorrectly, there is a high possibility you have been hit by a rootkit. Of course, the easiest method of detection is to regularly run rkhunter (or a similar tool, as described above).

3: Turn it off

If you have been infected, the first thing you should do is shut that machine off! Then, remove the drive, mount it on another system (preferably a non-Windows system), and get your data off the drive. There is a chance that the OS will have to be re-installed, so you want to make sure you have your data off. But having that infected system up and running is only doing more damage, especially if there is a spam bot or the like running.

4: Never go without Tripwire

Tripwire is designed to monitor changes in files/directories on a given configured system. One of a rootkit’s primary purposes is to conceal malicious software. Oftentimes, they will do this by renaming files or folders or installing similarly named files/folders. You can detect such behavior at any time using a tool like Tripwire. It is critical that you install Tripwire immediately upon installing the OS. Otherwise, rootkits could already be installed and Tripwire will be less than effective.
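The baseline-and-compare idea behind Tripwire (tip 4), which also catches the renamed or replaced binaries described in tip 2, reduced to a small POSIX shell script. This is an added example, not Tripwire’s or rkhunter’s code; it assumes GNU coreutils (sha256sum, find, sort) and file paths without whitespace.

```shell
#!/bin/sh
# Added example: a minimal file-integrity baseline/compare (the Tripwire idea).
# Assumes sha256sum/find/sort from coreutils and paths without whitespace.
# Take the baseline right after OS install, before anything untrusted runs,
# and keep the baseline file off the monitored system (a rootkit that can
# rewrite the baseline defeats the check).

# fim_baseline DIR: print "sha256  path" for every regular file under DIR.
fim_baseline() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        h=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$h" "$f"
    done
}

# fim_compare DIR BASELINE: print one line per difference, sorted:
#   MODIFIED path  (same name, different content: a replaced/trojaned binary)
#   ADDED path     (new file, e.g. a look-alike name dropped next to the real one)
#   REMOVED path   (file gone since the baseline)
fim_compare() {
    cur=$(mktemp)
    fim_baseline "$1" > "$cur"
    awk 'NR == FNR { old[$2] = $1; next }            # first file: baseline
         {
             if (!($2 in old))        print "ADDED " $2
             else {
                 if (old[$2] != $1)   print "MODIFIED " $2
                 delete old[$2]       # seen; whatever is left was removed
             }
         }
         END { for (p in old) print "REMOVED " p }' "$2" "$cur" | sort
    rm -f "$cur"
}

# Stand-alone use:  ./fim.sh baseline /usr/bin > /media/usb/usr-bin.sha256
#                   ./fim.sh compare  /usr/bin   /media/usb/usr-bin.sha256
case "${1:-}" in
    baseline) fim_baseline "$2" ;;
    compare)  fim_compare "$2" "$3" ;;
esac
```

A clean compare prints nothing; any MODIFIED line on a directory like /usr/bin or /usr/sbin is the kind of finding the tip tells you to investigate.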

5: Consider memory dumping

This is a far more challenging method, and it’s most often left to specialists who have access to non-public tools or code. You can force a kernel (or even a complete) memory dump of the infected — or possibly infected — system that will capture any possible rootkit in action. That memory dump can then be analyzed with a debugging tool. During the analysis, the rootkit can’t obfuscate its actions and will be detected. Of course, at this point, you are most likely going to have to just pull off your data and reinstall.

Prevention

Rootkits are the “big nasty” of infections. The best possible strategy is to install software to prevent their installation in the first place. The biggest issue with rootkits is that they can be heinous enough to require you to remove your data and reinstall anyway. Be proactive on this front and install every necessary precaution you can.


One thought on “Virus Removal”

  1. Good list. On the one hand, it’s good to have a good list like this posted to refer to, but on the other hand it’s not so good, because the crooks will read the list and strengthen their own attacks and defenses. Oh well…

    A few more ideas to add to the list…

    For prevention: WinPatrol = it stops things from installing in the first place. Pay for the license = it’s well worth it.

    On infected systems…

    Vipre Rescue: download the latest version from http://live.sunbeltsoftware.com/ .
    Read their instructions to run it from Safe Mode with Command Prompt.

    GMER: Not for a novice. A bit confusing at first, but it’s a great tool for removing rootkits once you learn it.

    The Avast Free Boot Scan does a great job at removing most of the garbage. In one case, while it couldn’t remove the rootkit, it did identify it for me so that I could go find the right tool that I needed.
