Virus Cleanup

lupi

Lifer
Apr 8, 2001
32,539
260
126
Was given a laptop by someone to try and salvage stored data as they weren't sure what was going on. After running it myself for a couple of minutes I thought it was probably a virus issue. On some further testing I found that the memory modules had also gone bad. I swapped in some of my own memory sticks and got the laptop stable, but still infected.

Installed Avast, rebooted, and after the laptop connected on its own to some local unsecured access point, started getting all types of warning messages from Avast about programs trying to connect. Avast then wanted to do a DOS boot and scan, and found tons of tracking/trojan IE temp files.

Left the machine running on an Avast full system scan when I went to work. The only real problem I've noticed so far is that I can't get Malwarebytes installed, so I figure something is still present. Wasn't getting the network warnings anymore though.


I plan on working through to get MB running, and have already done a clean Spybot sweep and a rootkit scan. Once I get all those reporting clean, what else would be needed to verify it is clean? And for laughs, the machine had absolutely 0 AV items installed on it when I started.


Another question: my router has a guest mode that allows internet access while keeping my home network invisible to the guest. Any problem connecting this way to get patches and such onto the bad machine?
 

lxskllr

No Lifer
Nov 30, 2004
60,297
10,719
126
I'd have a hard time trusting a badly infected machine. My preference would be backing up the data and reinstalling. If that can't be done, I'd use bootable media to scan, and include rootkit detectors. I don't know what's good these days.

Using your network is fine for patches. Using Wireshark to see if anything interesting is being transmitted wouldn't hurt.
 

mikeymikec

Lifer
May 19, 2011
21,137
16,342
136
You could also try Kaspersky's TDSSKiller. It's a free app to download and it has helped me pick up rootkits before.

I would also consider removing the disk and scanning it while connected to another machine.

As far as reinstalling goes, the first (hopefully obvious) point to consider is that you can't prove that something doesn't exist. You may think that you have got rid of the malware and it turns out that you missed a bit and it regenerates later.

An extension of that "cannot prove that something doesn't exist" point is that theoretically a piece of malware could be designed to survive a drive wipe (it could hide in the BIOS or in other places one might not normally consider, or it could be on a separate partition that the person doing the work assumed was an OEM partition). It's unlikely IMO, but it is possible. My personal opinion on this particular topic is that such malware has to be more and more specifically tailor-made for the victim/target rather than something spread automatically across many unrelated machines, and as malware gets more specific/clever there is a greater chance that there's a bug in its design and it gives itself away through bizarre system behaviour.

In case people think I'm bordering on paranoia, there's malware in the wild that I've encountered more than once that edits the partition structure and MBR so that it loads in straight away ('alureon' IIRC). I personally haven't knowingly encountered the 'hide in BIOS/other' type, but I've read about it in professional circles.

Whether to wipe is a question that depends on the symptoms (or the lack/intermittency thereof), and on the competence (and self-awareness of competence) of the person doing the work. I consider myself to have a fair bit of experience in malware removal and I can't remember a recurrence/reinfection ever occurring when I've considered with reasonable confidence that a machine is clean; however, there have been occasions when I've recommended a wipe even though the machine seemed to be clear of symptoms, because the tactics the malware used stretched my abilities to the point where I couldn't be sure it didn't have yet another trick up its sleeve.

Another consideration is the end user's needs. If they want to take no chances then you may want to investigate, possibly even remove the malware, then wipe.

One thing about security compromises is that there's a tendency to over-estimate the cleverness of the compromise. When working for a hosting company, I remember a time when a server dedicated to a particular customer had apparently been compromised (lots of unauthorised data storage and lots of network traffic). It turned out that the customer had enabled anonymous read/write FTP access :)
 
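The post above mentions malware that rewrites the MBR and partition structure, and a hidden partition that the person doing the cleanup mistakes for an OEM partition. The script below is an added example, not code from this thread or from any of the tools named in it: it parses a raw 512-byte MBR sector, lists the partition entries, and reports the things a reviewer would want flagged (more than one active partition, an unexpected partition type, an entry that overlaps another or runs off the end of the disk). The type allow-list, the disk size and both sample MBRs are constructed assumptions for the example; on a real disk you would read the first sector of the drive (pulled and attached to a clean machine, as suggested above) and tune the allow-list to what the OEM actually ships.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"
TABLE_OFFSET = 446  # the four 16-byte partition entries start here

# Partition type IDs treated as expected on an ordinary OEM Windows laptop.
# This allow-list is an assumption of the example; adjust it per machine.
EXPECTED_TYPES = {
    0x05: "extended", 0x0F: "extended (LBA)", 0x07: "NTFS",
    0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x27: "Windows recovery",
    0xDE: "Dell utility",
}


def parse_mbr(sector):
    """Return the non-empty entries of the MBR partition table as dicts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for slot in range(4):
        offset = TABLE_OFFSET + 16 * slot
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped),
        # 32-bit LBA start, 32-bit sector count; all little-endian
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype == 0:
            continue  # unused slot
        entries.append({"slot": slot, "status": status, "type": ptype,
                        "start": start, "count": count})
    return entries


def review_partitions(entries, disk_sectors):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    findings = []
    active = [e for e in entries if e["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for e in entries:
        slot = e["slot"]
        if e["status"] not in (0x00, 0x80):
            findings.append(f"slot {slot}: invalid status byte 0x{e['status']:02x}")
        if e["type"] not in EXPECTED_TYPES:
            findings.append(f"slot {slot}: unexpected partition type 0x{e['type']:02x}")
        if e["count"] == 0 or e["start"] + e["count"] > disk_sectors:
            findings.append(f"slot {slot}: extent outside the disk")
    # Pairwise overlap check between every two entries
    for a in entries:
        for b in entries:
            if a["slot"] < b["slot"]:
                a_end = a["start"] + a["count"]
                b_end = b["start"] + b["count"]
                if a["start"] < b_end and b["start"] < a_end:
                    findings.append(f"slots {a['slot']} and {b['slot']} overlap")
    return findings


def build_mbr(table):
    """Assemble a 512-byte MBR from (status, type, start, count) tuples (test data only)."""
    sector = bytearray(SECTOR_SIZE)
    for slot, (status, ptype, start, count) in enumerate(table):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + 16 * slot,
                         status, ptype, start, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


DISK_SECTORS = 625_142_448  # constructed: roughly a 320 GB disk

# Constructed layout of a typical OEM laptop: utility, recovery, Windows
CLEAN_MBR = build_mbr([
    (0x00, 0xDE, 63, 80_262),
    (0x00, 0x27, 81_920, 30_720_000),
    (0x80, 0x07, 30_801_920, 594_340_528),
])

# Constructed: the same disk plus a fourth entry of hidden-NTFS type (0x17),
# also marked active, carved out of the tail of the Windows partition
SUSPICIOUS_MBR = build_mbr([
    (0x00, 0xDE, 63, 80_262),
    (0x00, 0x27, 81_920, 30_720_000),
    (0x80, 0x07, 30_801_920, 594_340_528),
    (0x80, 0x17, 625_000_000, 100_000),
])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("suspicious", SUSPICIOUS_MBR)):
        print(name, review_partitions(parse_mbr(mbr), DISK_SECTORS))
```

The review is deliberately conservative: it only reports structural facts (count of active entries, type codes, extents), so a finding is a prompt to look at that partition with a hex editor or a forensic tool, not a verdict. A second active flag or an overlapping entry is exactly the kind of thing a tidy-looking "OEM partition" can hide.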

SecurityTheatre

Senior member
Aug 14, 2011
672
0
0
The "hide in BIOS" type of malware would probably need to be device-specific. I could see it used in targeted instances of high-end espionage, but I don't anticipate generic malware authors to use this type of technique, at least not on any sort of commodity PC hardware.

I second the best practice of wipe/reload when infected with anything more than trivial.
 

lupi

Lifer
Apr 8, 2001
32,539
260
126
I did try the Kaspersky recovery disk, but couldn't get the computer to boot to it either as a USB or a CD. Although that was before I used a different DOS boot disk and did hardware testing and found the memory bad, not sure if that makes a difference.
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
I did try the Kaspersky recovery disk, but couldn't get the computer to boot to it either as a USB or a CD. Although that was before I used a different DOS boot disk and did hardware testing and found the memory bad, not sure if that makes a difference.

It definitely makes a difference, considering that the way any sort of live CD works is that it loads the whole OS into RAM. If the RAM is bad, it certainly can't load anything into that RAM.
 

xgsound

Golden Member
Jan 22, 2002
1,374
8
81
RKill and TDSSKiller often stop malware enough for it to be discovered and removed by other programs. If you reboot, RKill must be run again.

On the left, in the "Most downloaded" section, find the RKill, Malwarebytes, and TDSSKiller links at this link: http://www.bleepingcomputer.com/download/windows/ There are also numerous other utilities there. Their site is the only comprehensive virus removal site left of the many I used to visit.

Jim
 

bruceb

Diamond Member
Aug 20, 2004
8,874
111
106
You should always do virus scans in Safe Mode as they may not be detected or removable in regular mode. And as to Malwarebytes, it is a good program, but some viruses will detect it if you try to run it. So just rename it to something else and then try to run it.
 

SunnyD

Belgian Waffler
Jan 2, 2001
32,675
146
106
www.neftastic.com
You should always do virus scans in Safe Mode as they may not be detected or removable in regular mode. And as to Malwarebytes, it is a good program, but some viruses will detect it if you try to run it. So just rename it to something else and then try to run it.

Not even this. You should ALWAYS do a scan from a known/trusted 3rd party boot device/disc. I understand the OP is having issues with this, but even in Safe Mode you'll have malware that has rewritten various services or injected modified filter drivers in place of actual Microsoft/ISV drivers that will still prevent you from finding a good chunk of the really bad malware and rootkits in place.

If you suspect a compromised OS, Safe Mode isn't going to help you one bit. Find yourself a live recovery tool and boot from that.

Honestly lupi, you've already gone past the point where I would have told the owner, "I can pull the drive and copy off documents, pictures and any other specified data you might want. But as far as the OS being runnable again - my one and only suggestion is to wipe the drive and reinstall the OS from scratch." Once compromised, always compromised imho.

Nuke it from orbit. It's the only way.
 

lupi

Lifer
Apr 8, 2001
32,539
260
126
Got the ESET scan done. Found 3 more in the temporary folder. Also nuked out a couple of hidden startup ones, but I think that was just bad detection as they were part of some Dell utility thing.

Did get the Kaspersky rescue disk running, but that proved worthless as when I tried updating after starting it, it would fail and give a database corrupted message. Guess I need to find a different brand and try that. Think I'm going to wait till Friday when the new memory comes in, as running a 64-bit OS on only 2 GB of RAM sucks (all I had of the same type to get it booting stable).
 

lupi

Lifer
Apr 8, 2001
32,539
260
126
Looks like I've got the machine "clean". Seems the last holdout was something called z.access. Once I got that out I was able to rename Malwarebytes back to default and run it fine. Went back with the ~7 programs I had been using and on the second go-around everything came back clean. Did have a problem getting a rootkit scan though; seems most I found wouldn't work in a 64-bit OS. Did notice, while looking through the MB optional utilities, their rootkit scanner, and that worked for getting the last couple of things out; then ran some from Kaspersky and they came out clean.


Next task: since it is used by people other than the admin account holder, with their own separate user accounts, what settings can I go and change to minimize such an infection from taking hold again (short of actually having an AV program installed and the firewall turned on, doh!)?
 

MontyAC

Diamond Member
Feb 28, 2004
4,112
1
81
If you still need a rootkit scan, use the Malwarebytes Anti-Rootkit scanner.
 

lupi

Lifer
Apr 8, 2001
32,539
260
126
That's the one I got to work when I mentioned "MB".

Any info/help on settings for non-admin accounts?
 

G@briel

Junior Member
Apr 22, 2013
2
0
0
To get rid of a virus, I always use RKill, along with TDSSKiller and MB. Boot into Safe Mode and run them, in that order. Hasn't failed me yet.