ERADICATE MALWARE


If someone says that he has never encountered a malware infection on his PC, he is probably lying. Whatever antivirus you use, at some point you will face the occasion where your PC gets infected and your antivirus never detected it. Modern heuristics-enabled antivirus products have reduced such chances, but most of the time it's not so. The strangest thing about malware is that you feel their presence without any diagnostics! Maybe that's because of the resonance that we develop with our PCs over time…!

Let’s first learn what malware are…

Types of malware:

  1. Virus: A virus is a malicious program that can replicate itself and affect the normal operation of a system without the knowledge or permission of the user. It attaches itself to executable code and runs every time that code is run, making multiple copies of itself. It corrupts files, denies access to data and hence renders data useless.
  2. Worm: Unlike a virus, a worm is independent and doesn't attach itself to any file or code. It is capable of spreading without the need for any host file. It replicates by copying itself across the network. Worms prominently attack only networks, sending copies of themselves to all users in your address book, causing DoS (Denial of Service) attacks and affecting your internet functionality.
  3. Trojans: As the name suggests, a Trojan hides inside a seemingly legitimate program and runs malicious code from there. Once run, the host computer gets infected and it starts replicating. It performs various activities like sending your data to its creator, or logging what you type (your passwords, bank account details) and sending that to its creator without your consent. It can even damage your data by simply deleting it. Trojans have the capability to change their code to trick antivirus programs into not detecting them. Some are even scheduled to strike on preset dates.
  4. Spyware: Very similar to Trojans, these applications are solely designed to steal your data. But unlike Trojans, they don't have the capability to replicate themselves.
  5. Cloaked malware: These are the new generation of malware that are becoming a nightmare in the computing sector. Cloaked malware are rootkits that are invisible to Windows Explorer and hence to antivirus. They run hidden from Task Manager, making it difficult to mark their presence. Their files are hidden on the system and thus antivirus doesn't detect them.

So, these are malware. Once executed by us, they go active in system memory, multiplying, applying constraints on privileges and adding entries to the registry to make sure that they are run at least once when the system starts. They add malicious entries to the registry to make sure that they stay masked, by disabling Task Manager, Registry Editor and Folder Options. They create files that enable them to be executed when drives are opened, and they continuously monitor our system for a chance to spread. But how do we identify their presence in our systems? These are the symptoms….

Identification:

i. Unrecognised processes and files: The presence of unrecognised processes running in Task Manager, or of unrecognised files on drives, marks the presence of malware.

The key to identifying their presence is to keep vigil on the processes that run in the background. This begins from the day you install a software package: see what process it runs. Also remember what files you have on your hard drive. Any new file or folder with an .exe extension, or anything with a provocative name or a cute icon, can potentially be the result of an infection. In the event of Task Manager being disabled, Process Explorer from Sysinternals can be used to analyse the running processes.

 

ii. File and system behaviour: If you ever notice that drives open in new windows, the system takes more time during startup, the CPU shows excessive activity even with no load, or files or folders reappear even after deleting them or don't get deleted at all, there is a high probability that your system is infected.

Files on a pendrive disappearing and being replaced by smaller folders (with an .exe extension, if you look) very clearly indicates the presence of malicious code.

File activity can be detected using the application Filemon. An expert view of file activity can easily uncover malicious activity.

iii. Network activity: If you get complaints that some of your friends are getting strange e-mails from you, with links to unknown sites or strange file attachments, this could be a worm at work.

Increased network activity noticed in Portmon etc. also implies the presence of network worms.

iv. Reduced privileges: Getting error messages like "….disabled by administrator…." on opening Run, Task Manager or Registry Editor plainly implies that your system is infected and malicious entries have been made in the registry.

v. Malicious entries in the registry: The same applies when you get errors on startup like "file not found" etc. This is because malicious programs make entries in the registry to auto-start at system startup. This can also be analysed using the application Autoruns from the Sysinternals suite, or simply run MSCONFIG from the Run menu and check the startup applications.

These symptoms confirm the presence of malware on your PC. Now that you know the two of you aren't alone, how do you zero in on the culprit, keeping in mind that your loyal antivirus let it in? Below is a step by step procedure to catch the culprit and kick it out. Stop all other applications and disconnect the internet. Keep your weapons handy…….. War has begun!

Eradication of malware:

i. Identification of the process in memory: Once executed, conventional malware tends to be active in system memory, running a process that carries out the task the malware was designed to do. Nowadays it is common that malware alters the registry to disable Task Manager, Run and Registry Editor, hence use Process Explorer to view the active processes in memory. Tips for identification include:

a. Usually, some malware is easily identified by very high CPU usage even when you aren't running any CPU-consuming application.

b. Many carry names that are suspicious even to laymen. Some include Khatarnak.exe, khatra.exe, music.exe, new folder.exe, soundmix.exe, etc. Most of them run under the explorer section in Process Explorer.

c. Smart viruses today carry names that are spoofs of Windows processes. For example, Regsvr32.exe is a Windows application, but a virus carries the name Regsvr.exe. Similarly, a malware spoofs the name of the Windows service host svchost.exe and runs a process svcshost.exe. In such cases identification becomes tough and depends more on your experience and logical approach. Obviously a process Regsvr.exe isn't expected to be running in your system all the time. And a service host with odd spelling that runs under explorer is suspicious. Assistance can always be taken online regarding any suspicious process.

d. Repeated processes of the same name present in memory, when just one or no such application is running, also point out that the process is malicious code. But svchost.exe is one exception, with 5 such processes running at a time.

e. Reverse analysis can be done by identifying all legitimate processes and the applications that trigger them, so that the left-over processes are identified as suspicious.

f. Cloaked malware isn't easily identified since it runs hidden from Explorer. Its files and memory residency aren't visible. Hence, its presence is hard to verify. The Sysinternals tool RootkitRevealer does a good job of detecting rootkits. It scans the registry and file system for discrepancies and lets us know of possible rootkits that are actually present but not reported by the Windows API. Extreme caution should be taken while taking any action based on its result, since it only gives a probable result, not a certain one. Rootkits are the set of malware which I suggest are better removed using antivirus products.

Having identified the malicious process in memory, the next task is to know where it is executing from. This can easily be verified from Process Explorer.

ii. Stopping the malicious code execution: The next step is to stop the execution of the malicious code. As long as it is active in memory, the malicious code can keep multiplying, monitors the system to maintain its malicious action and keeps vigil on the registry, not allowing it to be rectified. This task can simply be done with Task Manager / Process Explorer, or may even need a boot from a secondary device.

Note: From now on, don't open any drives by double clicking on them, since this can trigger the drive autorun, which is usually linked to auto-running malicious code using an autorun.inf file. Open drives from the address bar or with Explore instead. Do not open any new folders etc., since they can probably be masked Trojans with a folder icon!


a. The basic step is to end task the identified malware to stop its execution. This can be done directly from Process Explorer. In case a new malicious process pops up on termination of the first process, it is probably running from another location. End task that process too. Preferably end task the process tree, but be sure you have noted down where it is executing from.

b. In case the process keeps on starting again and again, it probably has another file backing it up. In that case, using KillBox, end the process and delete the file. To use KillBox, you need to know the location of the file, which is obtained from Process Explorer.

Note: Even if the process was end tasked in step a., its file has to be deleted using KillBox. The reason KillBox isn't given priority to end the Explorer shell is that while deleting the file after ending the Explorer shell, it restarts Windows Explorer, which is often accompanied by the malicious code executing again. The best way is to end task the process using Process Explorer and delete the file using KillBox. If the file is in use, unlock it using the tool Unlocker, and then delete it.

c. Some smart malware can't be deleted even using KillBox, citing privilege issues. Then it is required to boot from a secondary device, preferably a BartPE live CD, and delete the malicious files.

d. Rootkits, once identified, can be deleted the same way as above using KillBox or by booting from a secondary device. Since the process they run is hidden, it becomes tough to verify whether the malware execution has stopped or not. Rely on your instincts to see if everything is OK, or assume at this stage that the malware is not active in memory now.

iii. Regaining authority: Malware usually limits our privileges to make sure it stays hidden or can't be detected. This includes disabling Task Manager, Run, Registry Editor or disabling registry import etc. The next step is to regain control of our system.

a. In Run, type

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f

and run the command. This removes the entry in the registry that had disabled registry editing. Now registry editing is allowed, though the Windows Registry Editor may still be disabled.

Note: Type the above command in Notepad and save it. Change the extension to .bat, and you get your own registry editing enabler tool!

b. Download the RatsCheddar tool and run it. This enables Registry Editor, Task Manager and Folder Options.

At this stage, if you realise that the restored defaults are altered once again to impose restrictions, this means the malware is still active in memory. Repeat the identification and stop its execution.
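The same check, as an added PowerShell example that is not part of the original post: it reports the HKCU policy values that disable Registry Editor, Task Manager, Run and Folder Options, clears them, and re-checks after a pause so that a restriction coming back shows that something in memory is re-writing the registry. It assumes a Windows PC with PowerShell and the same HKCU policy keys the REG add command above uses.

```powershell
# Added example (not from the original post): report and clear the policy values
# that malware commonly sets to disable Registry Editor, Task Manager, Run and
# Folder Options. Run from an elevated PowerShell prompt in the affected user account.
$Restrictions = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; What = 'Registry Editor' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       What = 'Task Manager' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun';                What = 'Run dialog' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoFolderOptions';      What = 'Folder Options' }
)

function Get-RestrictionState {
    # Returns one object per policy value: whether it exists and what it is set to.
    foreach ($r in $Restrictions) {
        $value = $null
        if (Test-Path $r.Key) {
            $value = (Get-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        }
        [pscustomobject]@{
            Feature = $r.What
            Key     = $r.Key
            Name    = $r.Name
            Value   = $value
            Blocked = ($null -ne $value -and $value -ne 0)
        }
    }
}

function Clear-Restrictions {
    # Removes every blocking value found. Same effect as the post's REG add ... /d 0,
    # except that deleting the value restores the Windows default instead of leaving a 0.
    foreach ($state in Get-RestrictionState) {
        if ($state.Blocked) {
            Remove-ItemProperty -Path $state.Key -Name $state.Name -ErrorAction SilentlyContinue
            Write-Host ("Cleared {0} ({1}\{2} was {3})" -f $state.Feature, $state.Key, $state.Name, $state.Value)
        }
    }
}

# 1. show what is blocked, 2. clear it, 3. wait and re-check.
# Anything blocked again after the pause means a process in memory is re-writing
# the policy: go back to process identification before continuing.
Get-RestrictionState | Format-Table Feature, Name, Value, Blocked -AutoSize
Clear-Restrictions
Start-Sleep -Seconds 30
$again = Get-RestrictionState | Where-Object { $_.Blocked }
if ($again) {
    Write-Warning 'Restrictions were re-applied within 30 seconds; malware is still active in memory.'
    $again | Format-Table Feature, Name, Value -AutoSize
} else {
    Write-Host 'No restrictions remain after re-check.'
}
```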

iv. Removing supporting restart mechanisms: Now that the malicious code isn't active in memory, the next step is to remove its supporting mechanisms. Every malware, once executed, makes sure that it is executed at least once on every system startup. This is achieved by entries in the registry or by modifying autoexec.bat or config.sys etc. Entries in the registry are the option most preferred by malware, and we will go by it.

a. Many malware leave behind triggering files on drives that restart the malware in full force once the drives are double clicked. They work by making an autorun.inf file linked to the triggering malware file, such that every time the drive is autorun, the malware is triggered again. Our first priority is to remove this kind of start mechanism.

Open My Computer, go to Folder Options and enable "Show hidden files and folders", then un-tick "Hide extensions for known file types" and "Hide protected operating system files". Upon un-ticking "Hide protected operating system files", a confirmation is asked; confirm positive. Once finished, apply the settings. Now enter the C: drive from the address bar or by right clicking and choosing Explore. You will now see many files that were hidden earlier.

Check for the presence of any autorun.inf file. Open it by double clicking it (it won't hurt!!) and, if readable, check what file was meant to be auto run.

Caution: There are many system files visible that are responsible for booting your system. Do not go on a random deletion spree, lest your system doesn't boot again!! Some of the system files and folders are:

Autoexec.bat, config.sys, hiberfil.sys, pagefile.sys, IO.sys, MSDOS.SYS, boot.ini, NTDETECT.COM, ntldr and the config.sys folder, the System Volume Information folder, the Recycler folder etc.

Delete the file mentioned in the autorun.inf file and also the autorun.inf file itself. Also delete anything like a folder of any name with an .exe extension. Also delete any other .BAT or .COM file other than those mentioned above. Repeat the process for all drives, opening each of them without double clicking. In the event of confusion, take help online, preferably on another system.
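An added PowerShell example (not from the original post) that does the drive inspection above without double clicking any drive: it parses each drive's autorun.inf to show which file it would launch, and lists root-level .exe/.com/.bat files that are not among the boot files named in the caution above, flagging files that mimic a sibling folder's name. It only reports; nothing is deleted.

```powershell
# Added example (not from the original post): inspect each drive without opening it
# in Explorer. Reads autorun.inf (hidden/system attributes do not stop Get-Content),
# reports which file the [autorun] section would launch, and lists root-level
# .exe/.com/.bat files that are not among the boot files the post says to leave alone.
$KnownBootFiles = @('autoexec.bat', 'config.sys', 'io.sys', 'msdos.sys', 'boot.ini',
                    'ntdetect.com', 'ntldr', 'hiberfil.sys', 'pagefile.sys')

function Get-AutorunTargets {
    param([string]$Root)
    # Parses <drive>\autorun.inf and returns the open=, shellexecute= and
    # shell\<verb>\command= entries, the keys that make Windows run a file.
    $inf = Join-Path $Root 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -ieq 'autorun'); continue }
        if (-not $inSection) { continue }
        if ($t -match '^(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$') {
            $key = $Matches[1]
            $raw = $Matches[2].Trim()
            # Keep only the executable: a quoted path, or the text before the first space.
            if ($raw -match '^"([^"]+)"') { $target = $Matches[1] } else { $target = ($raw -split '\s+')[0] }
            $full = if ([IO.Path]::IsPathRooted($target)) { $target } else { Join-Path $Root $target }
            [pscustomobject]@{
                Drive  = $Root
                Key    = $key
                Target = $target
                Exists = (Test-Path -LiteralPath $full)
            }
        }
    }
}

function Get-SuspiciousRootFiles {
    param([string]$Root)
    # -Force lists hidden and system files, as the post's Folder Options changes do.
    Get-ChildItem -LiteralPath $Root -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($_.Extension -in @('.exe', '.com', '.bat')) -and
                       ($KnownBootFiles -notcontains $_.Name.ToLower()) } |
        ForEach-Object {
            # "Photos.exe" beside a folder named "Photos" is the folder-icon trick
            # the post warns about.
            [pscustomobject]@{
                Drive        = $Root
                File         = $_.Name
                Hidden       = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                MimicsFolder = (Test-Path -LiteralPath (Join-Path $Root $_.BaseName) -PathType Container)
            }
        }
}

# Report both findings per drive; nothing here deletes or opens anything.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root }
$drives | ForEach-Object { Get-AutorunTargets -Root $_.Root } | Format-Table -AutoSize
$drives | ForEach-Object { Get-SuspiciousRootFiles -Root $_.Root } | Format-Table -AutoSize
```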

Entries in the registry are made to make sure that the malware executes at every system startup and stays in memory. Use the tool Autoruns from Sysinternals to check the startup keys in the registry. It lists all processes and files scheduled to be autorun at startup in the Logon tab. Search for and delete any suspicious entries.

Another useful tool is HijackThis from Trend Micro. This tool lists all non-Windows processes starting at startup, making it possible to have a clear picture of the scenario. It has a tool called ADS scanner that can be used to detect rootkits as well. All such malicious entries are to be simply deleted.

v. Finishing by cleaning all scrap: By this time you will know what had struck you. Search the net for more details regarding the infection and delete its sister files as well. Had there been any entries that you left ignored, delete them too, verifying them from the net.

Clean all temporary files: type temp, %temp% and prefetch in the Run command (one at a time!) and open the locations. Delete all files stored in them. Use Unlocker to unlock any locked files. Delete all cookies and other files in download folders. Go for a manual hunt in the Documents and Settings folder and delete any last traces of infection.

Delete all previous System Restore points, since they may be hiding the infection. Keep an antivirus handy. Restart your system now. Check the startup time, verify that Task Manager is working and check the processes running in it. If all things work fine, congrats!! You just won the battle!!

Any cryptic error messages like "file not found" mean that startup entries for the malicious code are still present though the code is not. Simply run Autoruns and, in the Logon tab, search for an entry which has a "file missing" error beside it, and simply delete it. Install a good antivirus and update it. Preferably re-install the web browser too.
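The Autoruns check described here and in the Logon-tab step earlier, as an added PowerShell example that is not part of the original post: it reads the Run and RunOnce keys under HKCU and HKLM, resolves the executable in each value, and flags entries whose file is missing or that run from a temp or profile data folder. The set of keys and the "user path" folder names are assumptions chosen for illustration.

```powershell
# Added example (not from the original post): list the Run/RunOnce autostart values
# the post has you review in Autoruns, resolve the executable each command line
# points to, and flag entries whose file is missing (the cause of "file not found"
# messages at logon) or that live under a temp or profile data folder. It only
# reports; delete the entries by hand after checking them.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-CommandPath {
    param([string]$CommandLine)
    # Returns the executable from a Run value: a quoted path as-is, otherwise the
    # shortest run of leading tokens that names an existing file (so an unquoted
    # "C:\Program Files\x.exe /s" still resolves), falling back to the first token.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -eq '') { return '' }
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $cmd -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = ($tokens[0..($i - 1)] -join ' ')
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)      # REG_EXPAND_SZ is expanded here
            $exe = Resolve-CommandPath -CommandLine $cmd
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Executable = $exe
                Exists     = ($exe -ne '' -and (Test-Path -LiteralPath $exe -PathType Leaf))
                UserPath   = ($exe -match '\\(Temp|Local Settings|Application Data|AppData)\\')
            }
        }
    }
}

# Missing files sort first, then entries running from user-writable locations.
Get-AutostartEntries |
    Sort-Object Exists, @{ Expression = 'UserPath'; Descending = $true } |
    Format-Table Name, Executable, Exists, UserPath, Key -AutoSize
```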

Now that your system is malware free, make a commitment to her that from now on you play clean, play safe. Keep updating your antivirus and be cautious online, avoid dirty sites, install an antivirus with a site advisor, and be extra cautious with removable media.

Hope you live happily hereafter!!

Note: A case study - Remove the System Security fake antivirus.

Due to popular demand, I have posted the specific procedure to remove the System Security malware manually.

Kill processes:
Open Process Explorer and kill the process named 1632575944.exe. It may also carry some other number as its name. Kill it, after you note the location it is executing from.

Delete registry values:

Open Registry Editor and delete the value below. You may need to restore defaults using my restore default tool to enable registry editing and other defaults (go to the home page and download it from the downloads section).
%UserProfile%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “1632575944”

Else you can use the Autoruns tool and delete this key from the Logon tab.

Delete files:

Search for and delete the following files. You can use Windows search too.
1632575944.exe, config.udb, init.udb, English.lng, German.lng, Spanish.lng, System Security.lnk

Delete directories:
c:\Documents and Settings\All Users\Application Data\538654387
c:\Documents and Settings\All Users\Application Data\538654387\Languages
C:\Documents and settings\All Users\Start Menu\Programs\System Security

Reboot and check if everything is OK.


New generation malware

Though I don't like telling stories, this one is really adventurous and I suggest you read it since it's about an encounter with a deadly malware and I am the hero!

As I had described in my previous posts, the conventional way of zeroing in on a virus seemed to me to be really apt for all kinds. This was the same until I saw new viruses in my college digital library (I would rather call it a virus vault!). They were a breed apart: unlike normal viruses, they didn't have any visible process running in Task Manager. This made it really tough to mark their presence on PCs. For a while I was tricked into believing that they didn't exist on the PC and that it had slowed down because of other issues. When I brought my pendrive back home, I noticed a new file U.COM on it, which didn't execute thanks to my folder autorun.inf, which is always present on my pendrive. Now I was sure the virus was present on the college PCs, but I didn't have enough patience and time to go back there to try busting it, the place being public in nature.

A few days ago I was at my friend's place, whose system gave a whole lot of problems ranging from slow startup, the net getting disconnected, and the browser hanging with errors. He was pleading to format his system and repartition it to remove any malware hiding in other drives. FORMAT!!! The word I hate the most! I sat there with the determination that it's either the malware or me that's getting screwed, and was able to ultimately fix it. Here is how I did it…..

  1. Opening Task Manager didn't do much help since it showed no presence of any suspicious process.
  2. Upon opening a drive, it opened in a new window. This made me certain that some code was being executed prior to opening the drive, marking the presence of an autorun.inf file, which would be super hidden.
  3. Initially I tried restoring registry defaults, but it didn't work, indicating the malware was active and was monitoring registry changes and re-writing the malicious keys if the original entries were restored.
  4. Since the only thing I was certain of was the presence of an autorun.inf file, I went for the kill. Using KillBox, I wrote the address of the file as C:\autorun.inf and was able to find the file and delete it. Since KillBox takes a backup of the deleted file in a folder on the C: drive, I accessed the file. I opened it by double clicking it (don't be afraid, these files won't eat up your system when opened!). I found code to execute a U.COM file on drive autorun. This made me happy since I got another chance to take my old revenge on this guy!
  5. Using KillBox, I gave the instruction to delete the file C:\U.COM. I was able to find the file and delete it. I repeated steps iv and v for all drives.
  6. To be certain to delete all files, I searched the internet for details on the malware named U.COM and was able to find what files it creates. I deleted

c:\windows\system32\drivers\klif.sys

c:\windows\system32\olhrwef.exe

c:\windows\system32\nmdfgds0.dll

and deleted the registry key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cdoosoft C:\WINDOWS\system32\olhrwef.exe

  7. Having cleaned the mess, I restored the Windows registry defaults, entered each drive, created a dummy autorun.inf folder and deleted suspicious files as well. Also delete all files that KillBox had backed up after deleting. I deleted all files from all temp locations and, using CCleaner, deleted the startup entries of U.COM. Search in Registry Editor for U.COM entries and delete them all. Usually there are other related entries in the same sub key; delete them too. Restart your system and check if everything is OK.

The malware U.COM comes in the category of CLOAKED MALWARE, the new generation of viruses. They run hidden from Task Manager, inside a background service like svchost, along with other system processes. They write to other programs' virtual memory, also called process hijacking. They are packed and/or encrypted to be invisible to our eyes. It is added as a registry auto start to load the program on boot up. It creates various files inside the system32 folder and also on all drives, and alters the registry to hide its files from the user.

Is your PC slow and you don't see any reason why? Beware, you could be a victim!!