Remove a recurring malware infection

[Kathleen Atkins]

LANGALIST PLUS Remove a recurring malware infection By Fred Langa When your PC suffers from the same infection repeatedly, it's time for special-purpose software. Here are 14 free tools that can help rid a PC of even the most stubbornly entrenched malware infections. The full text of this column is posted at windowssecrets.com/langalist-plus/remove-a-recurring-malware-infection/ (paid content, opens in a new window/tab). Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

[jpotelle]

Fred Langa posted info on managing browser cookies as part of this article http://windowssecrets.com/langalist-...are-infection/
but he only covers normal, generic browser cookies, which are easily controlled. There is a far more insidious type of "persistent cookie" that stores info without using normal cookies. Most browsers have no direct control over these. But there are tools to clean them, too. In the Windows Secret website search box, search for "persistent cookies". Also see these WS articles:
http://windowssecrets.com/langalist-...s-evercookies/
http://windowssecrets.com/top-story/...ombie-cookies/
http://windowssecrets.com/woodys-win...-privacy-risk/
http://windowssecrets.com/woodys-win...ivacy-at-risk/

[highstream]

So, I run one of the free rootkit detectors and end up with a list of 44 or 540 mostly or entirely "unknown" hidden files, depending on the app used (Trend Micro & Sophos, respectively). What then? Much of what's listed is obvious or can easily be looked up, but most are files of the form A02091088.exe, buried in System Volume Information-Restore (most on backup HDDs). The Sophos instructions seem to be written more for the premium edition. Suggestions?

[Terry at nz]

In reply to your item Clear up 'smeared' text and images in Win7 I have just solved this one on my computer by accident.
Another symptom was that I could move the monitor cable a little and it would more-or-less solve the problem. But only for seconds.
Experimenting with using a cordless keyboard I noticed the problem was solved.
Re-routing the monitor cable away from the keyboard cable was all that was necessary. Should have thought of this sooner.
Terry

[dchunt15]

FWIW, I have found the program 'Combofix' by Bleepingcomputer.com to be much better at removing root kits than MalwareBytes. It is hard to find the program on the Bleepingcomputer.com Web site because they keep moving it. The best approach is to search for 'combofix download' on Google then look for the link that comes from bleepingcomputer.com. Be careful as there are a lot of fake sites out there with names like 'bleepingcomputer.org', etc., that have hacked versions of the program which will introduce malware instead of removing it.

[pjamme]

Fred,
Have been a subscriber for a long time. I downloaded and ran the exe for Microsoft Safety Scanner yesterday after reading this article. I chose to do a full scan which was still going when i went home at 5PM. This morning it said it had found virus or malware, would I like to remove it, no mention of what it was (very poor in my estimation) anyway I chose yes. When the report came up after removing the bad guys it was a download of the program regcure, which I had never installed and UltraVNC which i use in my job to access NT4 servers that I maintain.
Well i cannot have that, so looked for the uninstall in Add/Remove. Could not find it there or on the start menu. Is it a standalone or what?
Thanking you in advance,

[Deadeye81]

Hi pjamme,

Microsoft Safety Scanner is a standalone tool for on demand scanning that supplement's your active protection antimalware softtware. It does not install in your system, but is a standalone executable. It expires ten days after downloading, so you have to download a fresh copy to continue to use it. See this Microsoft site, this ghacks.net article, and this SevenForums tutorial for more detailed information.

MSS can be a useful second opinion tool. Unfortunately, false positives are a fact of life from time to time with most, if not all, antimalware active and on demand scanning tools.

[bobprimak]

MICROSOFT BETA ANTI-ROOTKIT TOOL

Microsoft has a new BETA version of Standalone System Sweeper. Just released. Microsoft has not officially released this but MS Tech Support are telling people who call in and suspect that they may have malware (especially rootkits) to run this BETA software.

The nice thing about this software is that it does NOT run from your PC. Instead it runs from a bootable CD/DVD/USB drive. The bootable media is created without using any software on your PC.


There is a 32bit and 64 bit version that can be burned to a CD or DVD or installed to a USB drive.

DOWNLOAD the 32-bit and 64-bit OS FILES:
Go to: connect.microsoft.com/systemsweeper

mssstool32.exe
mssstool64.exe

...just open these two files and it will
install the software to a CD/DVD or USB drive.

...OR you can selct the option to download
the ISO file and burn it yourself.

I have had mixed results trying to run this BETA tool. On my WinBook which has flaky drivers, (WinXP Pro 32-bit) the program could not be updated and would not accept manual updating. So the scan could not be run there. On my Toshiba Satellite (Win7 Home Premium, 64-bit) the program, Internet download, and scanner ran perfectly, if slowly.

The idea of running a scanner from a boot environment (rescue CD or DVD) is to run outside of Windows. This allows an accurate "raw" disk scan, free from the interference of rogue malware processes or Services. Then, a simulation of the Windows Explorer GUI is brought up to compare what Windows sees with what is really on the hard drive. The Definitions (and sometimes predictive heuristics) components help avoid false positives. (Not all hidden processes are bad.) This takes the guesswork out of selecting what to remove. Removal from outside of Windows is nearly always successful. Then your normal antivirus programs (Malwarewbytes, Super Antispyware, or Avast are the only ones I would trust when confronted with a stubborn rootkit infection) can usually scan and remove additional components successfully. This method has worked for many of the Fake Antivirus infections, which are among the most persistent rogues in terms of coming back and hiding themselves with rootkits.

I hope this Beta tool from Microsoft goes through to public release (with improvements, of course!). Rootkits are a growing problem, and are very diffficult to find and remove in some cases.

My thanks to George Zahorodny of the Chicago Computer Society's West Side Computer Club for the announcement and information for this BETA product from Microsoft.

One more thing -- BE PATIENT when downloading the disk image, the program and the definitions. These are large files and take some time even over a fast Internet Connection. And as BETA software, it may or may not run on your hardware, even if you are not infected.

[highstream]

Essentially same experience with XP/SP3 Home/32 bit. MS Sweeper scan wouldn't run.

[pjamme]

Thanks Deadeye,
It still would be nice to see what I was removing before I do it, wouldn't it?

[bobprimak]

Essentially same experience with XP/SP3 Home/32 bit. MS Sweeper scan wouldn't run.

Well, it is Beta, as I posted. One thing to try is to download the definitions onto a USB stick and try to get the program to update manually. This did not work in my WinBook (WinXP Pro 32-bit SP3). Your Operating System version should have no effect, as this CD runs outside of Windows. Your number of bits is important -- only run the 32-bit CD on a 32-bit system, and 64-bit on a 64-bit system. All else depends on your hardware -- mine has special drivers for Internet and other functions.

My Toshiba Satellite (Windows 7 Home Premium 64-bit, then at SP0) had no hardware limitations, and the CD ran perfectly, if slowly.

[bobprimak]

Clear Type is needed for most laptops to get clear text displays. Clear Type can also help a bit to sharpen the images on some web pages. Right-click on any empty space on the Windows 7 Desktop, and go to Properties>>Display>>Adjust ClearType text. First, make sure Clear Type is enabled. Then go through the whole setup process. See if things clear up that way.

Otherwise, the video display may be set up incorrectly. Screen Resolution may need to be changed as well as actual Video Properties like brightness and contrast. Leave "Gamma" alone -- this is for photo enthusiasts mostly.

Clear Type is part of Windows. Video Display Properties are controlled by the graphics driver and software. So, what you can do with Graphics Properties will vary from one laptop to another. But screen brightness and contrast are almost always under your control.

[highstream]

Well, it is Beta, as I posted. One thing to try is to download the definitions onto a USB stick and try to get the program to update manually. This did not work in my WinBook (WinXP Pro 32-bit SP3). Your Operating System version should have no effect, as this CD runs outside of Windows. Your number of bits is important -- only run the 32-bit CD on a 32-bit system, and 64-bit on a 64-bit system. All else depends on your hardware -- mine has special drivers for Internet and other functions.
My Toshiba Satellite (Windows 7 Home Premium 64-bit, then at SP0) had no hardware limitations, and the CD ran perfectly, if slowly.

What do you mean outside of Windows? I burned the 32-bit onto a CD, which loads before Windows. However, the first thing MSSS does is say, "Windows is loading files...," and when that's done, "Starting Windows." After a greyish designed screen with a box runs for awhile, the error message comes back: "MSSS cannot be started. Please contact support. Error Code: 0x8004cc05." Searching on that code shows others are getting it too with 64-bit and XP/Win 7. Seems it works for some and not for others. Like you say, it is a Beta.

[bobprimak]

What do you mean outside of Windows? I burned the 32-bit onto a CD, which loads before Windows. However, the first thing MSSS does is say, "Windows is loading files...," and when that's done, "Starting Windows." After a greyish designed screen with a box runs for awhile, the error message comes back: "MSSS cannot be started. Please contact support. Error Code: 0x8004cc05." Searching on that code shows others are getting it too with 64-bit and XP/Win 7. Seems it works for some and not for others. Like you say, it is a Beta.

Outside of Windows means that the Windows installation on your hard drive is not starting up. The CD says"Windows" but this refers to WinPE (or something similar), a totally independent memory-resident operating environment. It uses its own drivers and system files, and this is where the System Sweeper CD can run into trouble. Not every OEM system modification or special driver can be supported, and many Windows Services are not available in the stripped-down operating environment of WinPE.

Again, this is beta software. If it works, it could save an infected system from reformat and reinstall. If it doesn't work, there may be no other choices.

[highstream]

I go back to my original question: So I run one of the free rootkit detectors Fred suggested and end up with a list of 44 or 540 mostly or entirely "unknown" hidden files, depending on the app used (Trend Micro & Sophos, respectively). Beyond the obvious file names, what then?