Cleaning malware software when you can't format?


smakme7757

Golden Member
Nov 20, 2010
1,487
1
81
> and for those not running any kind of antivirus/firewall/security patching, to this day and age -
> ...the underlying question is, if ebay, target, banks and other small/large organizations were compromised at one point for a number of exploits, what makes us think that current/future exploits aren't going to target "less-secure" operating systems/hardware? any kind of security is better than none, even if you're going to run absolutely no AV on a VPN-tunnel router, the VPN is still better than nothing. even the default router firewalls are better than being on straight open DMZ. that is, for baseline usage.
The malware sent to Target or others would have been a hand-crafted exploit, which means that an AV would not have picked it up. I made an undetectable trojan in about 4 hours (a night) by picking code from the net and mashing it together. I ran it through VirusTotal and it came back clean. I'm not a good programmer, but with some techniques I found online I could do it.

A decent programmer would have no trouble developing a piece of malware used in a spear phishing attack. The biggest problem wouldn't be circumventing the AV it would be how to get the malware to the target.

The only real mitigation technique is to run as a standard user. It's by far the most effective way to negate malware.

MustISO

Lifer
Oct 9, 1999
11,927
12
81
I fix a lot of infected machines and I've found with the more serious infections the damage done to the OS isn't easily repaired. In many cases the system files have been damaged and can't be recovered.

I typically just back up the user's data and restore to the factory image.

I usually start with Kaspersky's rescue CD since it runs outside of Windows. That lessens the chance that the malware can hide or infect the files I copy to it. Once I've scanned with an offline scanner or two, I boot to safe mode and run MBAM and TDSS Killer.
 

inachu

Platinum Member
Aug 22, 2014
2,387
2
41
What I am about to say is hard, but I did it, and in the long run it helped out greatly with any future infection.


If you have to reinstall the OS then visit every folder after a fresh install.

This is before you even install all the native drivers for the motherboard.


This way you have fewer folders to glance over. Just get used to the folder sizes and what lives in those directories.

Once you are familiar with each folder then go ahead and install all the drivers, then see the changes and the lots of folders made.


So once you see what a clean system looks like, then you will know which files are misspelled or sound out of the ordinary, and you can just boot into safe mode and delete the alien files by hand.

Sometimes a virus is just a few files and sometimes there are many many many files, so truly cleaning a system by hand is nearly impossible, as also many times the infected file would be marked invisible.

But the best way to treat a system so you do not have to reinstall everything would be to make an image clone of the hard drive, like using Norton Ghost, which is a great tool for your OS.
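The "learn what a clean install looks like, then spot the alien files" approach above can be automated so nobody has to memorise folder contents: hash every file right after the clean install, store the inventory off the machine, and diff against it later. The following is an added example, not code from the thread; the sample tree and the simulated infection are constructed, and hidden files are detected by the Windows HIDDEN attribute (or a dot-prefixed name elsewhere).

```python
"""Baseline-and-diff of a directory tree: the 'know what a clean install looks like'
idea from the post above, done with SHA-256 hashes instead of memory.
Added example, not from the thread; the sample tree is constructed."""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are cheap on memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, dict]:
    """Inventory every regular file under root as relative path -> {sha256, size, hidden}.
    'hidden' means the Windows HIDDEN attribute or a dot-prefixed name (the thread's files
    'marked invisible'); the hash, not the size, is what catches a patched system file."""
    inventory: dict[str, dict] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            st = p.stat()
            attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
            hidden = name.startswith(".") or bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
            rel = p.relative_to(root).as_posix()
            inventory[rel] = {"sha256": hash_file(p), "size": st.st_size, "hidden": hidden}
    return inventory


def save_baseline(inventory: dict[str, dict], out: Path) -> None:
    """Persist the baseline; keep this file off the machine it describes."""
    out.write_text(json.dumps(inventory, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict[str, dict]:
    return json.loads(src.read_text())


def diff_baseline(old: dict[str, dict], new: dict[str, dict]) -> dict[str, list[str]]:
    """Report what appeared, vanished or changed since the baseline, plus which of the
    new files are hidden, so the review starts from a short list instead of every folder."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in old.keys() & new.keys() if old[k]["sha256"] != new[k]["sha256"])
    return {
        "added": added,
        "removed": removed,
        "modified": modified,
        "hidden_additions": [k for k in added if new[k]["hidden"]],
    }


def demo() -> dict[str, list[str]]:
    """Constructed walk-through: baseline a tiny 'clean install', then simulate an
    infection (lookalike svchost.exe outside System32, a hidden payload, a patched DLL)."""
    work = Path(tempfile.mkdtemp(prefix="baseline_demo_"))
    root = work / "C"                  # the tree being inventoried
    store = work / "baseline.json"     # the baseline is kept outside that tree
    try:
        (root / "System32").mkdir(parents=True)
        (root / "System32" / "svchost.exe").write_bytes(b"clean system binary")
        (root / "System32" / "kernel32.dll").write_bytes(b"clean library")
        save_baseline(build_baseline(root), store)
        # Simulated infection (constructed): nothing here is a real sample.
        (root / "svchost.exe").write_bytes(b"dropper")
        (root / ".payload.dat").write_bytes(b"\x00" * 64)
        (root / "System32" / "kernel32.dll").write_bytes(b"clean library" + b"\x90patched")
        return diff_baseline(load_baseline(store), build_baseline(root))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the baseline from a boot medium rather than from the installed OS, for the same reason MustISO gives for the rescue CD: a rootkit that filters directory listings will also filter what this script sees.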
 

code65536

Golden Member
Mar 7, 2006
1,006
0
76
> What I am about to say is hard, but I did it, and in the long run it helped out greatly with any future infection.
>
>
> If you have to reinstall the OS then visit every folder after a fresh install.
>
> This is before you even install all the native drivers for the motherboard.
>
>
> This way you have fewer folders to glance over. Just get used to the folder sizes and what lives in those directories.
>
> Once you are familiar with each folder then go ahead and install all the drivers, then see the changes and the lots of folders made.
>
>
> So once you see what a clean system looks like, then you will know which files are misspelled or sound out of the ordinary, and you can just boot into safe mode and delete the alien files by hand.
>
> Sometimes a virus is just a few files and sometimes there are many many many files, so truly cleaning a system by hand is nearly impossible, as also many times the infected file would be marked invisible.
>
> But the best way to treat a system so you do not have to reinstall everything would be to make an image clone of the hard drive, like using Norton Ghost, which is a great tool for your OS.

That is... rather Draconian. Not to mention ineffective. Anything that involves the user memorizing tens of thousands of filenames so that they can recognize which ones don't belong is... a Bad Idea (TM). Not to mention, there is a lot of malware that mimics system filenames (e.g., a "svchost.exe" that lives in \Windows instead of \Windows\System32) or that doesn't reside in the Windows installation directory at all (a lot of malware these days installs itself somewhere in the user profile, to avoid UAC). And looking for size discrepancies won't work because good, well-written malware can fit under 1MB. Hell, it can even be under 100KB, depending on what the malware does and the competency of its author. That's a rounding error as far as extra disk space goes.

I think it's worth reminding people of the Cardinal Rule of Malware: All code is inert, harmless data until executed.

I.e., I can load up a hard disk with thousands of samples of malware--something that would make an AV program wet itself with joy because it finally has something real to delete instead of the usual false positives. And it would pose absolutely no harm to me whatever, as long as I don't go and execute one of them.

With that in mind, the key to efficient manual detection and removal isn't some unwieldy disk scan or monitoring, but rather, the targeting of that execution bottleneck. I.e., careful observation of what is loaded in memory (procexp with signature verification is very nice) and the ways in which code can load and execute without explicit user action (which is what autoruns is for).

Of course, if you get really, really bad malware--the rootkit kind that goes to extreme lengths to hide itself--then all bets are off, and I wouldn't trust anything short of an orbital nuke. But those things are very rare (unless you're a high-value target like a computer with government or corporate secrets) because they're very hard to correctly pull off, and most forms of malware do not have anywhere near that level of sophistication.

Ichinisan

Lifer
Oct 9, 2002
28,298
1,236
136
  • Close any programs and tray icons.
  • Control Panel > Add/Remove Programs (or "Programs and Features," or "Uninstall a program")
  • Sort by "Installed On" date. This makes it easier to tell which product was originally installed to bring in the rest of the malware.
  • Working back from most recent, uninstall each piece of malware that was kind enough to have an uninstaller.
    If they're nice enough to properly uninstall, it's less likely to leave something behind versus forced removal via anti-malware software. Some may even have a CAPTCHA to make sure it's not an automated removal tool.
  • Reboot.
  • [Win key]+[R] to access the Run menu.
  • "MSCONFIG"
  • Boot > Safe Boot > OK (Restart again)
  • Being careful not to launch IE (so its plugins don't load), Control Panel > Internet Options > Programs > Manage Add-Ons
  • Highlight an add-on and press [Ctrl]+[A] to select all. Then click "Disable All."
  • Internet Options > Connections > LAN Settings > (uncheck all proxy server settings)
  • [Win key]+[R] to access the Run menu.
  • "REGEDIT"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Remove startup entries for malware AND unnecessary bloatware.
  • In command line, I browse to the Startup folder for the user and for All Users and look for hidden files to delete using the "attrib" command.
  • [Win key]+[R] to access the Run menu.
  • "MSCONFIG" > OK > Normal Startup > OK (reboot)
  • Install legit antimalware, scan.

I also clean up the homepage, plugins, and search provider settings in all installed web browsers.

Even following that process, a heavily infested system may still have signs of malware, but it's usually much easier to trace, identify and remove what remains after that procedure.
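Both code65536's point (target the execution bottleneck: what autoruns lists, and whether its signature verifies) and the Run-key and Startup-folder steps in the checklist above come down to scoring each auto-start entry. The following is an added example, not code from the thread or from Sysinternals: it reads a constructed CSV shaped like an Autoruns export (the column names are an assumption; a real export has more columns and may name them differently) and flags the patterns the thread describes, such as a system-binary name outside System32, an image in a user-writable location, an unverified signer, and a script host launching content from Temp or AppData. The `read_run_keys` helper is an assumed extra that, on Windows, pulls the same HKLM and HKCU Run values the checklist walks through into the same row shape.

```python
"""Triage of auto-start entries: rules over an Autoruns-style CSV.
Added example, not from the thread; the rows are constructed and the column
names are assumed."""
from __future__ import annotations

import csv
import io
from pathlib import PureWindowsPath

# Constructed sample, shaped like an Autoruns CSV export (column names assumed).
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Signer,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,(Verified) Microsoft Windows,C:\Windows\System32\SecurityHealthSystray.exe,%windir%\system32\SecurityHealthSystray.exe
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Windows Update Helper,enabled,(Not verified),C:\Users\alice\AppData\Roaming\svchost.exe,C:\Users\alice\AppData\Roaming\svchost.exe -silent
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneDrive,enabled,(Verified) Microsoft Corporation,C:\Program Files\Microsoft OneDrive\OneDrive.exe,"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"
C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup,update.vbs,enabled,(Verified) Microsoft Windows,C:\Windows\System32\wscript.exe,wscript.exe C:\Users\alice\AppData\Local\Temp\update.vbs
"""

# Names that belong in System32; a copy anywhere else is the lookalike trick from the thread.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Script hosts are legitimate and signed, so for them the launch string is what matters.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Locations a non-admin user can write to (where the thread says malware goes to dodge UAC).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def triage_entry(row: dict[str, str]) -> list[str]:
    """Return the reasons an entry deserves a look; an empty list means nothing stood out."""
    image = row["Image Path"]
    launch = row["Launch String"]
    name = PureWindowsPath(image).name.lower()
    signer = row.get("Signer", "(Unknown)")
    reasons: list[str] = []
    if signer != "(Unknown)" and not signer.startswith("(Verified)"):
        reasons.append("image not signature-verified")
    if name in SYSTEM_NAMES and not image.lower().startswith("c:\\windows\\system32\\"):
        reasons.append(f"system binary name {name} outside System32")
    if any(tok in image.lower() for tok in USER_WRITABLE):
        reasons.append("image lives in a user-writable location")
    if name in SCRIPT_HOSTS and any(tok in launch.lower() for tok in USER_WRITABLE):
        reasons.append(f"{name} launching content from a user-writable location")
    return reasons


def triage(csv_text: str) -> dict[str, list[str]]:
    """Parse the export and keep only the entries that tripped at least one rule."""
    flagged: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = triage_entry(row)
        if reasons:
            flagged[row["Entry"]] = reasons
    return flagged


def read_run_keys() -> list[dict[str, str]]:
    """Assumed helper: on Windows, read the HKLM/HKCU Run values from the checklist into
    the same row shape. Signature status is unknown here (that needs autoruns/sigcheck),
    so the signer rule is skipped for these rows. Returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
    rows: list[dict[str, str]] = []
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        try:
            key = winreg.OpenKey(hive, sub)
        except OSError:
            continue
        with key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _type = winreg.EnumValue(key, i)
                value = str(value)
                # First token of the launch string is the image; honour a quoted path.
                image = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
                rows.append({"Entry Location": f"{label}\\{sub}", "Entry": name, "Enabled": "enabled",
                             "Signer": "(Unknown)", "Image Path": image, "Launch String": value})
    return rows


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_CSV).items():
        print(f"{entry}: " + "; ".join(reasons))
```

The rules are deliberately about location and launch context rather than file size or name alone, which is the distinction code65536 draws: a 90 KB `svchost.exe` in AppData is the finding, not the size. Entries that survive triage still deserve the signature check in Process Explorer or Autoruns, since the sample's `(Verified)` column stands in for that step.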
 

Thebobo

Lifer
Jun 19, 2006
18,574
7,672
136
> I really gotta wonder how people are surfing if statements like this are being made. Because in my 20+ years of Windows computing, I've never gotten malware, adware, or even shady-but-not-quite-so-bad-ware. Oh, and I also think that anti-virus software is heretical and haven't used them since '96 or so.
>
> Do people just click through confirmation dialogs without seeing what they are?

Agree with you there. I have had malware once, but I was stupid and I knew it the moment I clicked the link. Never owned antivirus software.