Up to date Malware Removal

[Mercutio]

It's back to school time, which for me means getting to look at or hear about the malware that's been on high school and college students' computers since May, the last time they actually looked at a device other than their phone.

I have a standard procedure that works pretty well (install MBAM, Spybot, Avast and do updates by whatever means necessary, do boot-time or safe mode scans, on reboot make sure ABP is on all browsers with at least the Malware Domains subscription and all apps are updated via ninite), but at this point I'm going to say my procedure needs to be better.

Browser settings: IE and Chrome both say they have a "reset all user-defined settings" option. Both browsers are lying about that. And most people still don't even know what an add-on is or where to look for them.

I see a lot of bad applications that use GPOs to enforce bad behavior. If removal apps don't kill the GPO, I have to think it's beyond my ability to explain to anyone other than an experienced IT guy how to fix that.
I also see manipulation of shortcuts and compatibility settings. That's not a big deal as such, but again, forcing someone to an unwanted page that can contain further exploit code AND burying the user settings by running the program in compatibility mode for Windows XP so that it's abstracted out of general user settings? Normal humans are not going to go look at that stuff.

My other new favorite thing is malware that flat-out downloads its own malware-infested version of Chrome, usually called Browser.exe. It looks like Chrome and it still has Chrome branding, which creates a side effect of making impacted persons switch to some other browser (probably IE), which will run them right in to other exploit code. The user can't start browser.exe, but if they're savvy enough to recognize that it IS a Chrome window, it's going to scare them off Chrome anyway.

So, at odds with the cleanup procedure I've written for others, my real cleanup procedure looks more like:
Disconnect from the internet
Run the Norton or AVG or Webroot or Mcaffee remover.
Take a look at services.msc. Disable pretty much everything that I don't know with 100% certainty needs to be there.
Install MBAM, Spybot and Avast from a Flash drive. Copy the whole stupid MBAM folder off my thumb drive into %appdata%\stupidlongpath because the MBAM people can't be bothered with a non-stupid offline installer. Install the other
offline updates.
Run adwcleaner (this will ultimately reboot the machine).
Reset IE. Reset Chrome. Reset Firefox.
Run PC Decrapifier.
Do a boot scan with Avast with Delete as the default detection action.
Boot into Safe mode (this is a HUGE PITA on Windows 8).
Run other scans.
Reboot.
Check Services for crap, look to make sure that Browser Settings are where they should be. Run netshell commands if networking is hosed.
Run ninite to get other crap in order. Install ABP and relevant subs three times.

Yeah, I'd love to say "Just reinstall Windows" every single time, but of course that's not realistic.

So what are people using these days for malware cleaning?

 

[timwhit]

Linux?

 

[Groltz]

ADS Spy by Merijn is a small stand-alone executable that scans specifically for Alternate Data Streams. Very fast. No BS attached. Allows manual deleting of ADS-attached files.

Works in Windows 7 x64 despite its stated OS compatibility 'Windows NT/2000/XP/2003'

http://www.merijn.nu/programs.php

 

[sedrosken]

All I do is exercise common sense with a healthy dose of Adblock plus and noscript and cross my fingers. Oh, and MSE, which installed as part of my Windows Update procedure. Haven't had anything pop up on it yet, though I should probably get MBAM, Avast free, and Spybot.

In fact, I'll be sure to do that tomorrow while I'm on campus. By the way, I started in that Early College program on the 25th. Not having too many problems adapting to the (much) higher workload, though I am a bit distressed at having far less time with which to play Skyrim.

Apparently the whole "schedule's packed" issue gets a lot better once you start actual college courses. Right now, they're trying to cram my last two years of high school into one. Possibly half of one, provided I get "soft-skill credentialed" (basically show a maturity level on par with college students) and pass my classes when my schedule's revisited over Christmas break. It's so high paced right now that we've actually started full lessons, less than a week into school. Back in HS we didn't start with the learning until at least the middle of the second week.

I mean, I also use CCleaner, but I hardly class that as anti-malware...

 

[Mercutio]

Linux?

You know as well as I do that ain't happening.

My goal here is to look for extra, helpful steps to include in a process that I can document and pass along to others so that I don't have to clean up every machine someone tells me has a problem. Right now, I have two versions of such a document: a short version that just indicates steps and is written for people I think might have a clue as to what to do with a computer; and a longer version with shit-tons of screenshots, intended for people I think probably have some extraneous chromosomes.

Groltz, I'm pretty sure ADSspy is included in Hijack This, which was also originally written by Merijn.

 

[Howell]

Combofix has worked well for me in the past. Have not had to use it recently.

 

[ddrueding]

Used Combofix 2 days ago. Did successfully remove several viruses. Also left enough damaged system files that the machine require a reinstall anyway.

I'm not saying that that always happens, or that Combofix caused the damage, just pointing out that it is capable of "cancer removed from corpse" levels of cleaning without any explicit permission or warning.

 

[Bozo]

ADS Spy by Merijn is a small stand-alone executable that scans specifically for Alternate Data Streams. Very fast. No BS attached. Allows manual deleting of ADS-attached files.

Works in Windows 7 x64 despite its stated OS compatibility 'Windows NT/2000/XP/2003'

http://www.merijn.nu/programs.php

Interesting program. I ran it on my Win7 x64 virtual machine and it came back with almost 500 hits, most from Comcast. It cleaned all but a few of the hits. Said they were in use.

 

[snowhiker]

/facepalm

Once again my pop has had his brower hijacked. By the quick start browser hijack.

/facepalm

He's on Win8 (or 8.1 not sure). He's in he's 80s. I think he or his wife are too trusting and are installing shit, probably shit they don't even know about. They use Facebook. They read all kinds of "news" sites. By news I mean Drudge Report type of shit. They need flash to watch all their bullshit videos, etc, etc, etc.

I tried last time to get him to use Firefox more, but Firefox was just not working with HTTPS sites like Facebook. Some security certificate/authentication bullshit (I posted about it a while ago when I couldn't get https://www.schneier.com/ to come up correctly on my computer...works now) so he was using Chrome. I removed the IE icon but they probably found and used it too.

Any way to "protect" his computer? I'd like to set up something where at boot the whole O/S and apps are virtualized, he does his shit, then it's wiped clean when he powers down. Although I don't think I have the know-how to set something up like that.

I don't think he can follow those removal guide obtained from googling the hijack. Sigh.

Any ideas?

Thanks again.

 

[Stereodude]

Linux or a ChromeBox?

 

[timwhit]

Get him a Chromebook and install adblock.

 

[snowhiker]

Linux or a ChromeBox?

Get him a Chromebook and install adblock.

I'm temped by both of those suggestions but he just bought his new desktop when winXP support ended so he'd be upset "wasting his new computer" and having to learn something new. Plus he actually likes Win8 and he thinks it's easier to use.

I dunno. Maybe get an external HDD and create a backup he could restore from or something?

Thanks for the suggestions.

 

[ddrueding]

Back when I was running the computer gaming center I found a device that sat between the hard drive and motherboard that effectively cached all writes to the drive during an entire session. By default all these writes were discarded on reboot. In order to make permanent changes to the drive (install software, updates, etc) you had to change a physical jumper on this little box.

I wish I could find it again, I'd have a hundred uses for such a thing.

 

[P5-133XL]

That is a real useful device. I''d never heard of something like it.

 

[Mercutio]

Any way to "protect" his computer? I'd like to set up something where at boot the whole O/S and apps are virtualized, he does his shit, then it's wiped clean when he powers down. Although I don't think I have the know-how to set something up like that.

Here's my list of proactive steps:
1. Adblock Plus in every browser. Also the Easylist TPL in IE and the High Security level for the Internet Zone (this will make IE annoying to use so it won't get used). Make sure Easylist, Fanboy's Annoyance Removal, Malware Domains, Social Blocking and Spam 404 lists are subscribed.
2. Spyboy Search and Destroy's immunizations.
3. Spywareblaster.
4. Web of Trust or Avast's browser plugin.
5. Noscript is a judgment call.
6. Remove Java and Acrobat Reader from the machine. Use Ninite with scheduled tasks to keep Flash, browsers and helpers updated.
7. Use decent AV software. Avast is probably the best of the free options, though I do a custom install so it bothers the end user less.
8. Maybe Malwarebytes Exploit Protection? I'm still messing with it. I haven't decided if it helps or not.

These things put together will probably stop most drive by downloads and passive attacks.

 

[ddrueding]

Does anyone here bother with user permissions or policies to try to save the user from themselves? I don't know enough about that stuff to try, just curious.

 

[P5-133XL]

Every time I've played with policies at a personal level, I just burned myself repeatedly by forgetting what policies I've done and then later finding some subtlety that I didn't anticipate which produces a bunch of diagnostic time wasted. When I've done business policies everything is thoroughly vetted, documented and tested before enacting and thereby many fewer problems.

It's been a long time since I enacted any user permissions on my personal machine.

 

[snowhiker]

Back when I was running the computer gaming center I found a device that sat between the hard drive and motherboard that effectively cached all writes to the drive during an entire session. By default all these writes were discarded on reboot. In order to make permanent changes to the drive (install software, updates, etc) you had to change a physical jumper on this little box.

I wish I could find it again, I'd have a hundred uses for such a thing.

You know, I also have vague memories of such a device. Or maybe it was a jumper on the drive or controller itself that disables writes. Who knows...

But in today's Windows world I don't see how such a device could work. Every time you move the mouse, click on an element or simply burp up that soda you drank too fast Windows has to write to the disk or some shit and if the write is not allowed Windows will die/complain/make my life more miserable than it already is.

I'm being facetious of course but damn I'd like one of those boxes on a remote control. Pop calls up and wants to write to HDD and I'd say "nope," then hang up.

Here's my list of proactive steps:
1. Adblock Plus in every browser. Also the Easylist TPL in IE and the High Security level for the Internet Zone (this will make IE annoying to use so it won't get used). Make sure Easylist, Fanboy's Annoyance Removal, Malware Domains, Social Blocking and Spam 404 lists are subscribed.
2. Spyboy Search and Destroy's immunizations.
3. Spywareblaster.
4. Web of Trust or Avast's browser plugin.
5. Noscript is a judgment call.
6. Remove Java and Acrobat Reader from the machine. Use Ninite with scheduled tasks to keep Flash, browsers and helpers updated.
7. Use decent AV software. Avast is probably the best of the free options, though I do a custom install so it bothers the end user less.
8. Maybe Malwarebytes Exploit Protection? I'm still messing with it. I haven't decided if it helps or not.

These things put together will probably stop most drive by downloads and passive attacks.

OK Merc, once again you are a wealth of knowledge listing the multiple things that need to be done to prevent "crap" from happening to a computer. I'll be printing this out and planning my attack on his computer.

1, 2, 3, 4 check.

5, Installing Noscript would kill every site he goes to and deciding what to unblock would be too much for him I think.

6, Is Java used by casual/facebook games (or is that Javascript?) He uses and needs a PDF reader. Foxit plugin then? Or?

7 check.

8 until it's Merc approved I'll not waste my time.

What about a HOSTS file? Or is that more trouble than it's worth?

Again thanks for all the help.

 

[snowhiker]

Maybe this site needs an update?

 

[Bozo]

Isn't there a setting in 'gpedit' that says 'do not save changes on shutdown'?

 

[Mercutio]

Maybe this site needs an update?

I actually update that document periodically, though the last few revisions have lived on my Google Drive instead of the web.

FWIW, both Firefox and Chrome read PDF files without any additional software now. This is fine for probably 95% of web users.

The NTFS permission or GPO settings that most naturally occur to me with regard to malware prevention would probably be to disallow execution of programs from %appdata%, but that would also kill a lot of programs that have some sort of internal update mechanism, like Malwarebytes or Flash. It would cause more problems than it would solve. Same with white-listing executables. You'd miss something important and eventually that would hose the system.

 

[Howell]

We have many xp based windows embedded thin clients at work and while we don't encourage surfing from them I like that the use of the enhanced write filter means a restore is just a reboot away.

I am swears that people had hacked regular xp with ewf for use as car pcs and to preserve cf memory.

There might be a way the hack the new unified write filter for Windows 8 or a similar alternative product may exist.

 

[sedrosken]

The only reason I still use Java is because I still occasionally play Minecraft or Runescape (insert "no life" or "run, escape" joke here). Runescape can run on HTML5, but Minecraft is a whole different ball of wax, being a locally stored application. Wish Mojang would cut the crap and either release a standalone version of it or include a minimal Java runtime or something like that. Otherwise I would have no need for Java. Oh, wait, Libreoffice requires it. Sigh. Why, exactly?

Of course, the best defense is to stay out of the warzone. Being a student, that's not an option for me. I need to be able to do research, email, etc. Plus I like to derp around on here and other places.

 

[timwhit]

Java is not a security risk unless you install the browser plugin.

 

[sedrosken]

Hmm. I may just ignore that little snippet on my todo list that says to reinstall java so I can get the plug in in SeaMonkey. I bet the desktop RS client uses IE as a runtime, so I don't think I need to worry about it. I imagine it's already installed in my copy of IE, as I've installed java already.

 

[Mercutio]

Regarding the hosts file: Windows 8 and 8.1 ignore the contents of the hosts file if Windows Defender is running. I have a script that grabs the MVPS.org hosts file and puts it where it goes, but I've observed that Windows Defender will re-enable itself occasionally after Windows Updates. I think I could kill it using an Administrative Template or GPO, but just going in to services.msc and disabling it doesn't seem to do the trick. Enforcing the GPO feels like using a bazooka to kill cockroaches and really does enter the realm of an unsupportable configuration change, so I'm thinking the greater wisdom is accept this new state of affairs.

I'm somewhat less concerned about using a hosts file on Windows nowadays since it's actually pretty unusual for most users to run desktop internet software other than a web browser at this point, and Adblock Plus works on everything as far back as IE6.

Regarding Java: My standard spiel is to just tell people to remove it, since that's easier than explaining that you can kill the BHO, Extension or Addon for your browser and you'll probably be perfectly safe on a known-clean PC. Java exploits are common enough than removing all of Java removes a lot malware, which is why I advocate for removal.

Regarding Flash: I more or less rely on Ninite executables and Scheduled Tasks to maintain it in a fully updated state. I have a bunch of different combinations of the .exe files, including several that include Flash. I can put up a link to them if anyone is interested.

 

[Mercutio]

I need to do more editing but here's a link to the current file that's sitting on my Google Drive. I'll throw it back on my web site after I get it in better shape. Feedback appreciated.

 

[sedrosken]

So in order to get Macrium Reflect Free to backup directly to my other (not connected to the internet, about 5 different kinds of nope with an unpatched sp0 Windows 7...) machine, over a null ethernet cable, I finally had to figure out how to mount a network location as a drive. Not as hard as I thought.

What really sucks is that the machine I'm backing up to only has a 250GB HDD. Barely enough to hold the backup, after the personal files backing up I did to it a few days ago. I'm going to need that 1TB external HDD sooner than I thought, if I want to have a sort of catalog of disk images to choose from when my install decides to croak. Heck, if I ever get the money, I'll set up that Sempron (what I'm backing up to) with a couple 1 TB HDDs and set it up as a FreeNAS box over our LAN.

We have HughesNet now. We still have a limit, but instead of overage fees they just throttle our bandwidth after we go over. :colors: And there's even a time period (2AM - 10AM EST, AFAIK) that we can do unlimited downloads. (squee) We're finally back in business, more or less. Speed easily matches that of our old 4G unit. Bet I still can't play Asheron's Call over it, heh.

Sorry for the (somewhat) unrelated post, but this was the most related place I could think of for the first part, and the second part came out as a sort of "now that I think about it" kind of thing.

 

[snowhiker]

I need to do more editing but here's a link to the current file that's sitting on my Google Drive. I'll throw it back on my web site after I get it in better shape. Feedback appreciated.

Again great info. MUCH THANKS. Any links you can provide to specific tools would be appreciated as well.

 

[snowhiker]

I pick up pop's computer tonight for the grand.....Decrapifying

Hopefully I'll be able to pick up pop's computer tonight for the grand.....Decrapifying.

I'm gonna Merc-ify the machine in the hopes it lasts a few weeks before he finds a way to install another browser hijack. LOL.

So what's everybody feelings on browser cookies? Allow/dis-allow/prompt? Delete daily? Weekly? I have my browser set to "keep until: "ask every me time"" and I white-list all my know safe sites: bank, financial stuff, 4-5 web forums, etc.

But a lot of sites just don't work without cookies so I'll probably leave them on for my pop.

 

[snowhiker]

Holly crapware Batman!

Well I got my pop computer at my house up and running, no internet access or access to my other computers. Here is a screen cap of what's in add/remove programs:



Holly crapware Batman! Looks like there are at least 15 programs that are complete bullshit without having to check Google to see what they are.

/facepalm

His hardware: Lenovo H500 57324055

CPU: Pentium J2850 @ 2.41 GHz
HDD: 1 TB
RAM: 4 GB
Optical: DVD-RW
o/s: Win8.1 x64

Anything that jumps out that looks like crapware but isn't? Other thoughts?

Interesting that there is a power brick that plugs into the back of the computer. I wonder if there is a power supply inside or what? I'll have to open that sucker up to check the insides. I'm not up to speed on the current state of vomit-box hardware.

Thanks again.

 

[snowhiker]

Holly crapware Batman! Looks like there are at least 15 programs that are complete bullshit without having to check Google to see what they are.

Looks like at least 27 crap programs installed.




I'll delete the old "CCleaner" and "Java 7 Update 67". Not sure about "Driver & Application Installation" and "LVT" as they seem to be part of the Lenovo suite of programs and I don't want something to stop working? Unless all the Lenovo stuff is crap. Also not sure about "Nitro Pro 8" and "Pl-usHD" but I'll probably wipe those as well.

 

[ddrueding]

That is significant. I haven't seen one that bad in a while. You haven't even gotten to the actual viruses yet...

 

[snowhiker]

That is significant. I haven't seen one that bad in a while. You haven't even gotten to the actual viruses yet...

Avast didn't find much as it looks like most of it was just adware/crapware type stuff. I just uninstalled "Nitro Pro 8" and "pl-usHD" so 29 crap programs. I need to make sure things are auto-updated and figure out the procedure my pop needs to do on a daily/weekly basis to prevent re-infections.

Note to self: READ INSTRUCTIONS COMPLETELY BEFORE STARTING. I downloaded all the programs on Merc's list, but I got some of those from Download.com. MISTAKE. Sweet Jesus, WTF. One program I was installing said, "by installing this you agree to install...." there must have been 6-8 add-on BULLSHIT programs/toolbars/etc. F-ME!!! I'm trying to remove that crap not install it. --Merc, lol, place DON'T USE DOWNLOAD.COM in the first sentence so people who can't read past the first sentence of instructions don't use it.

Issues:
1) All but 4-5 programs were un-installable via the windows control panel. Had to use the Revo-Uninstall for those bastards.

2) I had a bitch of a time installing Adblock Plus for Chrome, kept saying "Network Error" or something but finally just re-installed Chrome and it's ok now.

3) I couldn't get Spybot to work initially without an internet connection and couldn't find the "manual update file" for the newer 2.4 version so I just did Spybot (in SAFE-MODE) last after Avast, adwcleaner, malwarebytes, etc.

4) After I used Spywareblaster and protected everything and rebooted windows crapped out on restart because the hibernation file was deleted? Oh crap. But started in safe mode, then immediately rebooted and it reset. So fixed.

5) Still have a bunch of notification area icons from old/deleted crapware that CCleaner didn't remove. Still working on this. Might have to registry hack it out.

6) Few other I forgot about as I was up till 6am working on things. LOL.


Thanks again Merc for the "must do" list.

 

[Mercutio]

Spywareblaster basically prevents some bothersome toolbar and ActiveX control installations, and stops some cookies from being written. It's like a cherry on top of Spybot's immunizations, but the program is tiny and has zero impact on system resources, so I still install and use it.

Spybot 2.4's manual update files are maintained by a third party on I think techradar.com or majorgeeks.com. New versions of Spybot and Malwarebytes have god-awful offline update procedures otherwise. Missing out on Spybot's updates hurts pretty bad, since the default definitions are all the way back from whenever the hell Spybot 2.4 was released, but MBAM is my go-to removal tool so that's the thing I emphasize getting most of all.
Also, I still deliberately use Spybot 1.6 on older PCs. Spybot 2.x has a measurable impact on XP-vintage machines.

NitroPDF is a completely legitimate application. The Pro version has a very high level of utility, to the point that it's my full feature PDF authoring software of choice, and it was probably part of the default software load from Lenovo.

If your dad has Windows 8.x, the easier thing would have been to use the Advanced Troubleshooting mode and then use "Reset my PC" (which leaves user files but is otherwise a standardized factory reset), followed by the initial wave of security craps.

Finally, Revo Uninstaller has a "Hunter Mode" that can get rid of any crap you can drag its "scope" icon over.

 

[snowhiker]

I think it was SD that mentioned it before, but any thought on SuperAntiSpyware.

And yeah, I could have wiped his 8.1 box and started over.

 

[Mercutio]

It's certainly another detection option, but it's a file-based scanner that does about the same thing as Malwarebytes.
I primarily recommend Spybot because of its immunization function, but it's also a signature-based scanner that updates regularly, so there's some distinction from the feature set of MBAM.

 

[snowhiker]

Goofy problem with Malwarebytes.

On one of the three machines I installed it on, if you rename the desktop ICON and re-boot it will no longer show the correct icon. It shows the windows default icon. I can right-click the icon, go into change icon, and click on the blue MWB icon, apply, etc but it won't change?

 

[LiamC]

Try clearing/deleting the icon cache

 

[Mercutio]

FileHippo seems to have started repackaging binaries in the same way that download.com does. Sigh.