Update, March 18 2012: I wanted to add the names of two more utilities I’ve found to work very well for some specific rootkits. The names of the two programs are:
I don’t write blogs much these days, but if there’s one thing I’ve learned about writing them it’s that the golden rule is to make them useful and valuable to people. As a sort of philanthropic gesture I’m going to reveal a few tricks I use in the field when repairing systems that have already become infected with viruses or malware. Perhaps these tips will save you some money during these dark economic times. I can’t promise they will work for you, but for the DIY user who isn’t afraid to get their hands dirty they might prove very useful. So let’s get right to it:
Phase 1: Safe Mode (with networking?)
Almost every version of Windows (from Windows 95 all the way up to the most recent, Windows 7) has a hidden boot menu that gives you access to a diagnostic profile called Safe Mode. Safe Mode is a sort of back-door mode into Windows that loads the bare minimum (or nearly so) of device drivers and background services. It’s a bare-bones environment that is a good place to start your repair from, primarily because most malware doesn’t get auto-started by the system in this mode, but it isn’t perfect. More on that in a moment.
To access Safe Mode you need to press the F8 key at a VERY specific time. Typically when you turn your computer on you’ll see a screen that has either the logo of the PC’s manufacturer or some generic BIOS startup text. At some point that all goes away, your screen will be black for about 3 seconds, and then Windows will proceed to boot with the little scroll bar loading away. It’s during (or just before) that 3-second window of blackness that you need to start tapping F8. If done correctly, you’ll be presented with a menu that looks like this:
You’ll use the arrow keys on your keyboard to move the highlighting selector bar. Typically I will select Safe Mode With Networking, as this allows me to access the Internet and download utilities as well as give these utilities access to definition updates for itself later.
After you select Safe Mode With Networking and press Enter, your screen will be bombarded with a list of strange and mysterious file names (the drivers being loaded)…
Eventually you will get to the familiar blue login screen, and you might see an account called Administrator there that you’ve never seen before. If you do, go ahead and select it and log in as “Administrator”. Otherwise, select your own user name.
Once you’re logged in you have a few options. The safest way to get started is to bring a copy of your utility software with you on a thumb drive or CD and install it from there, instead of downloading it with a web browser. Downloading via a browser is a bad idea because a lot of malware hooks itself into the browser’s EXE so that when the browser starts, so does the malware. The same can happen with plenty of other software, so resist the temptation to run anything except the cleaning utilities we’re about to install.
Phase 2: Cleaning
There are only three pieces of software I typically use with great success in the field for removing viruses and malware. They are Malwarebytes, Combofix and Microsoft Security Essentials (MSE), each covered below.
All of the above are free with the exception of Malwarebytes, which runs with all its features on a 30-day trial when you first install it (note that you will see an error message when you tell it to start the trial while in Safe Mode; this is normal and you can dismiss it by clicking OK). To keep the full version running you have to buy it for the low one-time payment of $25, and I strongly recommend it. Apart from these three the only other tool I use is Google, which I use to look up exact phrases found within suspicious malware to see if I can find other people talking about that particular virus somewhere online and hopefully discover what they did to remove it. Fair warning: your mileage may vary.
I typically start by installing Malwarebytes first (however, I have had one experience where I wasn’t able to do this until after I ran Combofix, so you might need to flip the order of these two tasks), applying the most recent update for it and then running a full scan, removing every infected object it finds. A typical scan takes around half an hour. When it’s finished, click the “Show Results” button, make sure every item listed has a check mark next to it, and then click “Remove Selected” in the bottom left. If an object doesn’t have a check mark when you first view the results, it means Malwarebytes thinks it could be a false positive. Use your best judgment and Google to determine whether the file is actually malicious and whether removing it will break something you need. A reboot will likely be required when it is finished. Be ready to hit F8 again when you do this so you can come back into Safe Mode and continue your work.
One thing I’ll often do while waiting for a Malwarebytes scan to complete is look at the MSConfig (System Configuration) utility to see which items are set to auto-start when you boot. To open it, click Start, then Run (or just click into the search box if you’re using Windows 7), type “msconfig” without the quotes and click OK. Then click the Startup tab at the top.
The Startup tab lists programs that are launched as soon as you log in. Almost all of them are non-essential; to be on the safest side you could uncheck every one of them, but that’s usually overkill and might rob you of some convenient feature you’d like to keep. Look carefully down the list for items with empty path names, or with very bizarre characters in their names… I have to admit that at this point experience with this stuff comes into play. If you don’t know what something is, look it up by name with Google on a separate computer before deciding to uncheck it. Alternatively, use the uncheck-all-the-things strategy and then go back later to re-check the few items you know you need. You can also check out the Services tab, to the left of the Startup tab, tick the box that says “Hide all Microsoft services” and use the same judgment to decide whether any of the third-party services running in the background need to be. Google is your friend here for determining whether a service is useful or not.
Another thing I’ll do while waiting for a scan to complete is open the Add/Remove Programs (Programs and Features) applet from the Control Panel to view all the software installed on the system. I target toolbars of any kind first, then software that is unfamiliar to the user. Again, Google is a useful reference here because you don’t want to remove something that’s known to be harmless.
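As an added example (not code from the original post, and not a feature of MSConfig or of the tools named here), the following PowerShell script surveys the same three things the last few paragraphs walk through by hand: the Run/RunOnce registry values and Startup folders, the services that aren’t Microsoft’s, and the installed-programs list. It assumes Windows 7 with PowerShell 2.0 or later and an elevated prompt. The CHECK heuristics (empty path, missing file, executable living in a temp or roaming-profile folder, random-looking value name, anything called “toolbar”) are my own rules of thumb for what to look up, not a verdict.

```powershell
# Added example, not from the original post: a read-only survey of the places a
# program can get itself auto-started, the non-Microsoft services, and the
# installed-programs list, with a CHECK mark on entries worth looking up before
# you uncheck or uninstall them. Run from an elevated PowerShell prompt
# (PowerShell 2.0 on Windows 7 is enough). It changes nothing.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable out of a command line: quoted path, unquoted path with
# spaces, or a bare name such as rundll32.exe (assumed to live in System32).
function Get-ExePath([string]$cmd) {
    if     ($cmd -match '^\s*"([^"]+)"')     { $exe = $matches[1] }
    elseif ($cmd -match '^\s*(.+?\.exe)\b')  { $exe = $matches[1] }
    else                                     { $exe = ($cmd -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -notmatch '\\') { $exe = Join-Path $env:windir "System32\$exe" }
    return $exe
}

# Heuristics only: empty command, file missing, running out of a temp or
# roaming-profile folder, or a random-looking value name. Hints for a human
# plus a search engine, not verdicts.
function Test-Suspicious([string]$name, [string]$cmd) {
    $reasons = @()
    if ([string]::IsNullOrEmpty($cmd)) {
        $reasons += 'empty path'
    } else {
        $exe = Get-ExePath $cmd
        if (-not (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)) { $reasons += "file not found: $exe" }
        if ($exe -match '\\Temp\\|\\AppData\\Roaming\\') { $reasons += 'runs from temp/roaming profile' }
    }
    if ($name -match '[^\x20-\x7E]' -or $name -match '^(?=.*\d)(?=.*[a-z])[a-z0-9]{10,}$') {
        $reasons += 'odd value name'
    }
    return $reasons
}

function Format-Entry([string]$what, [string]$detail, $flags) {
    $mark = if ($flags) { 'CHECK' } else { '     ' }
    '{0} {1}  {2}  {3}' -f $mark, $what, $detail, ($flags -join '; ')
}

'== Registry Run/RunOnce values =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = @((Get-ItemProperty -Path $key).PSObject.Properties |
               Where-Object { $psNoise -notcontains $_.Name })
    foreach ($p in $props) {
        Format-Entry "$key\$($p.Name)" ([string]$p.Value) (Test-Suspicious $p.Name ([string]$p.Value))
    }
}

'== Startup folders =='
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object { Format-Entry $_.FullName '' @() }
}

'== Services not under \Windows\ (rough stand-in for "Hide all Microsoft services") =='
Get-WmiObject Win32_Service |
    Where-Object { $_.StartMode -ne 'Disabled' -and $_.PathName -notmatch '\\Windows\\' } |
    ForEach-Object {
        Format-Entry "$($_.Name) [$($_.StartMode)]" $_.PathName (Test-Suspicious $_.Name ([string]$_.PathName))
    }

'== Installed programs (toolbars flagged) =='
$uninstall = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Sort-Object DisplayName |
    ForEach-Object {
        $flags = @(); if ($_.DisplayName -match 'toolbar') { $flags += 'browser toolbar' }
        Format-Entry $_.DisplayName "[$($_.Publisher)]" $flags
    }
```

The script only reports; do the actual unchecking and uninstalling through MSConfig and Programs and Features as described once you have looked up a flagged entry. Services are filtered by path rather than by vendor, so the list is only an approximation of MSConfig’s “Hide all Microsoft services” box, and an entry that is not flagged is not thereby proven clean.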
The next step is to run Combofix, which you can find a tutorial about by clicking here. It is pretty straightforward: double-click the combofix.exe file you downloaded and follow the on-screen instructions. Its own scan will also take about 30 minutes, but it is very sensitive, so once you kick it off don’t touch the computer until it’s finished. There is almost no interaction required; it will automatically remove anything malicious it finds and produce a log full of interesting jargon at the end, which you can forward to an expert for further analysis if you’d like.
After all this I’ll typically reboot the system and let it boot normally and then install Microsoft Security Essentials, running a full scan with it right after and checking to make sure the trial mode has been enabled on Malwarebytes.
If all of the above didn’t work, something I’ll try next is to reboot back into Safe Mode, use the Control Panel to create a new user account, then log off and log back in under that new account and repeat all the same steps above. The reason this might help is that viruses tend to damage registry entries for the accounts that existed when the system was infected. Because we’re creating the new account in an environment that hopefully didn’t auto-launch the virus, we get a fresh account with its own default settings and preferences that hopefully haven’t been manipulated. This kind of damage could also be undone with the System Restore utility, but I’ve found that a lot of the time (not always) when I try to use it none of the restore points are any good. I wouldn’t be surprised if previous restore points are destroyed by certain viruses, making it even more difficult to undo the damage. In situations like that I’ve occasionally just created a new user account and migrated all the important user data (documents, etc.) from the old account to the new one, deleting the old account in the end because it’s irreversibly broken.
One last tip I ran across in a training video from a competitor of mine, who will remain unnamed, is to shut the system off by force instead of doing a soft reboot during this cleaning process. In other words, hold the power button down for 5 seconds, wait 20 seconds, and turn the computer back on. The reasoning is that a few viruses alter the sequence of events that takes place during an ordinary shutdown and inject a step that reinstalls the virus from a rogue location, as a Plan B: even if the live copy is caught and removed, it can recreate itself from an encrypted copy stored elsewhere. If you decide to do this my only advice would be to back up the entire hard drive first. It’s technically dangerous… but probably not THAT dangerous… it’s best to stay on the safe side and not take shortcuts.
Finally a word about a couple of common viruses in particular I’ve run into in the last year:
A few of the viruses going around exhibit the symptom of making all your files and shortcut icons on the desktop vanish. This is done either by setting the hidden attribute on the files or by moving them to a hidden location. It is sometimes combined with malware that tries to frighten you into thinking your hard drive is on the verge of failure, or at the least claims to be antivirus software itself. The goal of all such attempts is to get you to hand over your credit card number. Please don’t.
I’ve had great success removing the virus that causes these files to go missing, but after it’s been removed it’s not always so easy to reverse the damage and restore the missing icons. Fortunately there is one program out there that, for the most part, has been able to do this for me very simply, and it’s simply called “Unhide”. Use this program after going through all the above steps, so you can be sure you’ve removed all traces of the virus, and hopefully it will get all of your stuff back for you. You can download Unhide from here.
One other common symptom I’ve seen certain viruses exhibit is hijacking the registry entries that control file associations, specifically the one that tells your computer what to run EXE files with, so that it asks what program you’d like to open a program with. I have found that in Windows 7 one way of working around this is to right-click a program shortcut and click Run as Administrator. This uses a separate registry association (the “runas” verb has its own command entry) which hopefully has not been affected by the virus. Using this Right-Click > Run as Administrator trick you should be able to run your scanning utilities like Malwarebytes and Combofix from within Safe Mode.
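As an added example (not code from the original post and not what the Unhide program itself does), here are PowerShell helpers for the two kinds of damage just described: clearing the hidden attribute on ordinary user files, and checking (optionally restoring) the registry values Windows uses to launch .exe files. It assumes Windows 7 with PowerShell 2.0 or later and an elevated prompt started with Right-Click > Run as Administrator, since if the .exe association is hijacked a plain double-click may run the malware instead. The stock values (`.exe` → `exefile`, and `"%1" %*` for both the open and runas commands) and the fact that per-user keys under HKCU\Software\Classes override the machine-wide ones are standard Windows behaviour, not something the post states.

```powershell
# Added example, not from the original post: repair helpers for the two symptoms
# described above. Both report first; nothing changes unless you drop -WhatIf
# or add -Repair.

# Symptom 1: files and shortcuts "vanished" because their Hidden attribute was
# set. Clears Hidden on ordinary files under the given roots and leaves anything
# also marked System (desktop.ini and friends) untouched. The default roots are
# the user's own data folders, which keeps us out of AppData and the hidden
# profile junctions that are supposed to be hidden.
function Restore-HiddenUserFiles {
    param(
        [string[]]$Roots = @(
            [Environment]::GetFolderPath('Desktop'),
            [Environment]::GetFolderPath('MyDocuments'),
            [Environment]::GetFolderPath('MyPictures'),
            [Environment]::GetFolderPath('MyMusic'),
            [Environment]::GetFolderPath('Favorites'),
            "$env:USERPROFILE\Downloads",
            "$env:USERPROFILE\Videos",
            "$env:PUBLIC\Desktop",
            "$env:PUBLIC\Documents"
        ),
        [switch]$WhatIf
    )
    $HIDDEN = 2; $SYSTEM = 4          # System.IO.FileAttributes bit values
    $count = 0
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                $a = [int]$_.Attributes
                ($a -band $HIDDEN) -and -not ($a -band $SYSTEM)
            } |
            ForEach-Object {
                $count++
                if ($WhatIf) { "would unhide: $($_.FullName)" }
                else { $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden }
            }
    }
    if ($WhatIf) { "$count hidden item(s) found" } else { "$count item(s) unhidden" }
}

# Symptom 2: the "what program do you want to open this with?" prompt for every
# .exe. Windows launches .exe files through HKCR\exefile\shell\open\command; the
# stock value is  "%1" %*  and the runas verb (Run as administrator) has its own
# copy, which is why that trick usually still works. Keys under HKCU\Software\Classes
# override the machine-wide ones in HKCR and should not exist for .exe at all.
function Test-ExeAssociation {
    param([switch]$Repair)
    $stock = '"%1" %*'
    $expected = @{
        'HKLM:\SOFTWARE\Classes\.exe'                        = 'exefile'
        'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'  = $stock
        'HKLM:\SOFTWARE\Classes\exefile\shell\runas\command' = $stock
    }
    $userOverrides = @('HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile')
    $problems = @()
    foreach ($key in $expected.Keys) {
        $actual = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        if ($actual -ne $expected[$key]) {
            $problems += "$key (default) is '$actual', expected '$($expected[$key])'"
            if ($Repair) {
                if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
                Set-ItemProperty -Path $key -Name '(default)' -Value $expected[$key]
            }
        }
    }
    foreach ($key in $userOverrides) {
        if (Test-Path $key) {
            $problems += "$key exists (per-user override of the .exe association)"
            if ($Repair) { Remove-Item -Path $key -Recurse }
        }
    }
    if ($problems) { $problems } else { '.exe association looks stock' }
}

Restore-HiddenUserFiles -WhatIf     # list first; rerun without -WhatIf to fix
Test-ExeAssociation                 # add -Repair to put the stock values back
```

Run the listing pass first and read it: a legitimately hidden file or a non-standard but deliberate association (some program launchers register their own) will show up here just like the malware’s handiwork, and the repair step only puts back the Windows defaults.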
Phase 3: Prevention
Now that we know how much of a pain these kinds of viruses can be, we should talk a little about where they come from and the different ways they can end up on your computer. I wrote a much longer blog about this topic which you can read here. Basically it boils down to this:
- Make sure you install all available software updates for Windows itself as well as 3rd party software and plugins like Adobe Flash, Acrobat and Java (among others). Updates are your friend and help to patch recently discovered security vulnerabilities.
- Pay attention to links people send you in emails. It’s quite possible their email account has had its password stolen and is being used by a bot to send spam with links to malicious websites to everyone in their address book. Warn your friends if you suspect their account has been compromised, and suggest they change the account’s password before following the steps above to remove a potential infection.
- Use good anti-virus software. As recommended above, I prefer MSE and Malwarebytes. Combofix is only to be used as an emergency utility; it doesn’t have a real-time monitoring feature.
- Consider using a software firewall to block unwanted inbound traffic and unexpected outbound traffic. Zone Alarm Free is an excellent choice for this.
- Use an ad-blocking plugin to further reduce the chances of a virus sneaking in through a flash-based advertisement. Ad-Block for Firefox is a great option. You can also get it for Google Chrome from here.
- Along with these plugins, consider using a better browser. Mozilla Firefox and Google Chrome have both become superior to Internet Explorer, especially in terms of security.
- Avoid installing “toolbars” for your browser. If you install one by accident, disable it in your browser or better yet uninstall it via your control panel.
- Avoid using P2P file-sharing software like Frostwire or MP3Rocket. These methods of file sharing do not have any form of user moderation and anybody can wrap a virus inside a file then name it something innocent/sensational looking to trick people into downloading it and installing a virus.
- Consider adding a parental filter to your computer; you don’t need kids for this. Having a web filter like K9 Web Protection can be helpful to block your computer from accidentally trying to connect with a known malicious server.
- Lastly, though this is too extreme for most people: Consider switching to Linux on your desktop. Linux is free, open-source and is even more secure than MacOS. Seriously.
I hope this advice has been helpful. Please leave comments or suggestions about other tips and tricks you use to help remove malicious software in the comments section below!