Friday, May 25, 2012

Malware 101: My Own Experiences and Successful Endeavors in The Removal of Shitware


I first want to explain that some of this article may contain some technical jargon, and I will try to explain as much of it as possible, and include links when I feel it is necessary. I apologize ahead of time for anything technical that cannot be easily explained or for which I felt no explanation was necessary.



Although the term spyware didn't come into common use until the year 2000, accounts of software that quietly reported back to its maker go back to the early 90's. A ZoneAlarm press release gave the term its footing, and it became synonymous with technology used to report information secretly back to the software publisher. Although many software publishers were in fact doing this as a matter of analytics, such software soon enough became a tool of malicious agents. Later that year, Steve Gibson of Gibson Research Corporation (GRC) found his own personal computer seemingly infected by two pieces of software that he hadn't installed himself and could not easily remove.

Gibson disassembled the software and traced it back to two companies, Aureate and Conducent. Gibson alleged that these two companies had designed software capable of being installed in secret and of reporting information about the user, his or her habits and the kinds of data kept on the computer, back to the companies. Although none of this was ever proven, the allegations led security firms to begin looking into the problem, and the information world would never be the same.

Although there are many different types of malicious software out there, and I will take some time to explain a few of them, none is more pervasive than spyware. For the purposes of simplifying things, I will refer to all of these kinds of software as malware, and only refer to them by their specific class when needed.


A study done in 2007 suggested that the publishing of malware might soon outnumber the publishing of legitimate software, and as of 2011 Microsoft has asserted that 1 in every 14 downloads from the Internet is infected with some kind of malware. That is an alarming statistic and one everyone should pay attention to.

Computer viruses are nothing new; I have even been known to create a few myself, but make no mistake, the malware of today is nothing like the malware of the past. When I was younger, before the Internet became a world-wide phenomenon and rooted its way into the homes of every citizen on this planet, there were Bulletin Board Systems (BBS). In those days you had a dial-up modem, usually quite slow, and you would use it to call a BBS, which would connect you to a console where you would log on and interact with the system.

My first BBS experience was an interesting one, as it was then that I found out what porn really was. Of course in those days downloading a single image would take minutes, and unless you wanted to run up a ridiculous phone bill, you tried not to spend too long on the system. In those days no one had a second phone line in their home dedicated to the computer; such things were really unheard of at that time, so frequently you would find yourself browsing a board only to be suddenly disconnected because someone in the house had picked up the phone. I can still hear my brother now screaming at me to get off the computer.

It was in that first BBS that I was introduced to some interesting software: compilers, listeners, phreaking tools, coding manuals, disassemblers, password crackers, etc. I was even able to find several posts by users who wanted to learn more about some of the software tools and like everyone else I left a post of my own. After days of waiting I received a reply with a number I could call to get to another BBS, and when I dialed the number I was introduced to the shady world of the hacker. There I found numbers for other boards as well as all the tools and information I needed to do a little hacking of my own.

At first I used the tools to create some interesting software that would do some meaningless thing like rewrite your start-up files. A person with this piece of software installed would be informed they had been hacked by jsauce. Of course, I hadn't really done anything at all, my intent was never to be malicious, but rather just be known. Like the rest of the users I met while frequenting these boards, we all had much the same intent, and it was never to actually cause harm.

My first experience with a virus was one called Tentacles, or some variant of it. This was back around 1995, as I remember having upgraded my computer from Windows 3.1 to Windows 95. I was still using dial-up to access the boards, and this was around the time I was also introduced to the world of warez. Warez is a term for software that is distributed freely and illegally, as it violates copyright laws. Of course I was 17 at the time, and I could give a shit about copyright laws, as much as I do today.

I remember that not long after installing Windows 95 I began working on a new program I called Registry Backup, which I wanted to use to backup the registry in case of corruption. On two previous occasions the registry had become corrupted and with a little ingenuity I was able to fix this, but it gave me an idea and I wanted to see if I could find a solution. So I created my first Registry Backup tool and I posted it all over the bulletin boards. Upon posting the tool I began to look for other utilities I might find useful now that I was using Windows 95. I don't remember the name of the tool or what it was supposed to do, but this was my first interaction with a virus and it left me flummoxed. Upon executing the program, I noticed it did not do as it was supposed to do, but instead one of my desktop icons changed into an octopus or something like it.

It was kind of interesting, so I did nothing at that point, but it would only take a few days before most of my desktop icons were now bearing tentacles. I realized I must be dealing with a sophisticated piece of software here, and it was then that I discovered the world of viruses. I knew that it must be attaching information to the executable each time it was executed, which would explain why its icon only changed after it was run. I was a programmer but by no means capable of writing any kind of disinfection software, so I looked back to the boards and was pointed to something called McAfee.

Sure enough after running McAfee in DOS, and booting back to Windows, everything was normal again. I was fascinated by this virus, and so I began to study different kinds and look for software that I could use to write my own. Over the next few years I had several successful attempts at writing a virus, but nothing quite as cool as tentacles. The best I could ever do was write a virus that would cause a Blue Screen of Death (BSoD), upon a reboot you would find all of your desktop icons had been deleted and in its place you would find a picture of a dog taking a crap. Obviously not a true virus in the sense, after all, it didn't write propagating code to executables but it was annoying enough, much like the tentacles, later I would come to know this as the trojan horse type of virus.

Besides my own attempt, I was first introduced to a nasty bit of software back in 1998 called Back Orifice. Back Orifice was created by a hacker group called Cult of the Dead Cow and it made its debut at DEF CON 6, August 1, 1998. The group declared that Back Orifice was only created to show Microsoft its lack of security in Windows 98. By that time I had a computer with Windows 98 and Internet in the form of CompuServe, AOL and Prodigy. With the introduction of the World-Wide-Web (WWW), I saw no need for the BBS anymore and stopped using them almost immediately.

I can tell you that my days as a Windows 98 user were some of the most fun I ever had with a computer. I spent most of my time port scanning users and compromising their systems. My friends and I even shared some of the information we got, though we never used it maliciously, and on one occasion, having gotten the bank information for a person, which contained thousands of dollars, we called the person immediately. Even in those days hacking was fun, but never malicious. It never occurred to me that you might want to steal from someone else, and this may have been one of the first occasions when I realized that something needed to be done to stop this kind of thing.

At that time Back Orifice had been installed on thousands of computers from what I could tell with just a small port scan of the computers on my subnet. You see in those days, security was quite lax and computers advertised themselves to everyone else on the same network. So a person with a port scanner could easily find computers with an open port, and if you knew the port you were looking for, it made it that much more efficient.

So this friend and I, having full access to the computer in question, searched it thoroughly looking for anything that would indicate a phone number. I'm not sure if we were able to find one through this method but we found one nonetheless. We called the phone number and a kid answered the phone, someone around our age. So we asked him if he were, and we recited the name found on the account in question, and he said that it was his father. We asked if we could speak to his father, and he said that he was at work.

So at that point we informed the kid that his computer was infected with a trojan horse called Back Orifice. He had no clue what the hell we were talking about, so we took a minute to explain. The kid got his father on the phone who apparently worked for some financial institution and we explained the situation. I asked him if this was his account number and his name and he said that it was. I told him that not only did I have access to his accounts but I had access to any and all information contained on that computer. I could hear the anxiety in his voice, and I reassured him we had no intention of being malicious but merely wanted to inform him of this problem and to give him a solution. So we spent probably 15 minutes explaining how to remove the trojan horse and change the passwords on his accounts, as well as try to explain how he likely got infected in the first place.

Neither of them seemed to grasp the severity of the situation until I explained that I was in full control of that computer: not only could I steal all his information, but I could, if I chose, delete key system files and restart the computer, resulting in startup failure. In those days, unless you were a savvy person, this resulted in a complete reinstall of the operating system. In fact, and I hate to say I've done this, with a 3 ½ inch floppy and a few keystrokes I could render a computer inoperable in a matter of seconds, as I did on any occasion in which I was able to access one.

A trip to the local Walmart, Kmart, or RadioShack, and those computers were my bitches. Reinstalling a system in those days was no trivial thing like it is today; it took many hours just to get the OS installed and many hours after that to get all the devices of the system working. Although plug&play was a concept worth including in Windows 98, it worked successfully far less often than it does today. A computer-illiterate person, as we called them, would likely be unable to reinstall a system even if they had all the disks. It is my belief that companies began including restore disks with simple 1-2-3 interfaces based entirely on the fact that Windows was too difficult for most users to install themselves. Of course when I think about it now, this kind of act was malicious, but I didn't consider it malicious at the time; I wasn't stealing anything or hurting anyone, and with a little knowledge a person could fix the problem within a few minutes.

It was around that time that I switched gears and began helping people with their computer problems. I never asked for anything as compensation though I never turned down a soft-drink or if I were lucky enough a beer. It wasn't until around the time that Windows XP was released when I began to see some nasty stuff in the way of software. While working on a computer, I noticed that it was using a lot of resources. You have to remember back in 2001 a computer would normally come equipped with 256MB of ram if you were lucky, and it was easy to see when a computer was under-performing.

I would get calls and emails from people asking me why their computer was so slow, so I would head over and take a look. It became immediately apparent that the computer was infected with something, and the task manager was a great place to start. Bringing up the task manager you could easily see that there would be 50 or 60 processes running on the machine, something unheard of with so little ram. The slowness was caused not by the malware itself, but rather it was merely an indication that there was too much going on at one time. With so little ram available, a program that required more memory to run would have to get it from the pagefile, a file generated on the disk that can be used by the system as a source of virtual memory.

Storing and retrieving data in RAM is a whole lot faster than on a disk, so anything that had to be paged in from disk was naturally slower. There are a few solutions to this problem. You could add more memory: if the problem a system has is a lack of memory, adding more will make it more stable and faster. You could also reduce the number of programs running on the system in parallel. Each program takes up a certain amount of memory, and any time the total exceeds the physical memory available, the system pulls the rest from virtual memory, slowing it down. Since RAM was still expensive for the average person, most people would ask me to clean the system up, removing unnecessary programs.

I had started to see this software called Kazaa all over the place, on many machines I worked on though I had not used it myself. I knew that it was being used to get warez, and music for free but I liked more private means for getting my stuff, frequenting the Internet Relay Chat (IRC) channels of the undernet and efnet for shit. One thing I noticed about the software was that it was always running in the background and taking up quite a lot of resources. I also noticed that it was loaded with advertisements when it was opened.

I would advise the user that this program was whoring their computer and if they wanted it back, they would need to part with the software. I'd of course advise them of alternative ways to get the stuff they needed without needing to use Kazaa, and they would agree and ask me to remove it. The problem was it could not easily be removed. First I would try removing it through the standard Add or Remove Programs, and although this appeared to remove the contents of the folder in which it was installed, many programs were continuing to run in the background. I would attempt to kill the process using the task manager only to find it would restart itself. With no other means to solve the slowness on the system, I would advise them it would need to be reinstalled. A horrible measure indeed, but with no other recourse, necessary nonetheless.

I began to notice other pieces of software that displayed similar problems, and it was at that point I began looking for solutions. One of the first was developed by Steve Gibson, who dubbed it Opt-Out, and it removed some of this crap but not all of it. Not long after, Ad-Aware and Spybot Search and Destroy hit the scene and were quite effective in removing this stuff for some time. At some point, however, these assholes began to get the memo that people didn't want this stuff installed on their system and that there were tools out there that could remove it.

People often ask what the point of malware is, and like all things it comes down to money. A compromised system can be used for so many things, but earning money is by far the biggest reason. In the old days people compromised systems just to do it; now it's all about the capital. In the old days it was a couple of kids in a basement hacking away at a machine; now it's an organization rooting a machine with an exploit that gives them complete control in a matter of seconds.

Over the last decade I have seen this spyware progress into more and more malicious code, and shortly I will explain a few reasons why this has happened and how it can be stopped. I have seen the software evolve from a simple trojan, to a seemingly innocuous program with hidden code, to web exploits, and even into tools advertised as able to remove malware, the so-called rogue software. I will attempt to explain the different types of infection vectors, as well as some ways to protect yourself and ways to clean a clearly infected machine.

In the end some systems may be too compromised to be saved and must be reinstalled. I reserve such an action for only the most heavily infected machines, and only those where the time it would take to clean the machine outweighs the value of what is on it. I understand wiping a computer and reinstalling everything is a horrible thing for most people. Today most people have a great many programs installed on their computers, taking up hundreds of gigabytes of space, and the prospect of reinstalling everything is never a good thing.


PART ONE: INDICATIONS


There are a few indications that might lead you to believe you have an infected machine. So first let's look at a few of them:


Slowness

Everyone knows what it was like when you first purchased your computer, and everyone knows what it's like now. Having a slow computer by itself is not a true indicator of a malware infection. Like people, as computers age they get slower, usually as a result of updates, application installations, and the general accumulation of cruft. Years ago it was customary to reinstall a system at least once a year to make it faster, though on modern systems such practices are not necessary.

A person who has a slow computer should consider the computer's age, how much memory it has, and how fast its processor is. Is the processor a modern processor? Does it have multiple cores? These are things to consider when asking yourself why your computer is slow. Modern applications require modern processors. Anyone who has ever run an old program on a modern processor will notice how fast it is, and anyone who has run a modern program on an older processor will notice how slow it is. This is merely a result of the hardware the program was written for: older programs do not require the same kind of resources because, when they were written, such resources were not available.

Pop-ups

Pop-up windows like system slowness are not by themselves indications of a malware infection. Most websites that advertise their services do so through pop-ups and banners found all over the web. A website wanting to monetize its content usually does so by placing these banners and pop-up ads through script included in their page. When a person visits a site, the script is executed through an interpreter built into the browser and the pop-up ad appears.

A person who finds their computer is frequently getting pop-up ads even when their browser is closed may have an infection, though I should point out that legitimate software that uses these kinds of ads to monetize itself may also be installed. Advertising something does not indicate malicious intent by itself, so although you may see some of these pop-up ads, more investigation is warranted.




Toolbars

Toolbars are one of the most irritating pieces of software ever devised and by themselves though annoying for certain, are not always malicious. Many companies like Google, Yahoo and Microsoft have used the toolbar over the years to add some function to the browser, however useless this function may be. Over the years toolbars have also been a great source of infection or at least a good indication of one.

A good explanation of why toolbars are so frequently used in malware is that they are an easy vector for gaining information about browsing habits. A user with a toolbar installed would typically visit a dozen sites a day, and everything that user typed in that browser could be tracked by the toolbar and uploaded back to the company when the browser was closed. A slightly more malicious toolbar could intercept and redirect searches, so the user ends up with results or sites they never asked for.


Shortcuts

Quite often malware will install shortcuts on the desktop that link to software that has been dubiously installed. Though almost every piece of software installed on a machine today also installs a shortcut, you should pay attention to shortcuts that indicate software you did not install yourself, or software that you have no knowledge about.


Suspicious processes

The Windows Task Manager queries the NT kernel for a list of active processes, and that list can help to indicate a malware infection, although for the not-so-savvy user this is a more difficult technique for identifying malware: it requires knowing which processes are benign and which might be malicious, judging by their name alone, by the resources they consume while running, or by the function they have on the system.



Rogue software

Rogue anti-malware programs are a dime a dozen now, and having one of these installed is a sure indicator of a malware infection. Though, as the name implies, unless you are familiar with these kinds of programs you may assume it's a useful program designed with the intention of helping you. Later I will explain an easy way to tell when you have a rogue piece of software installed as opposed to something that actually cleans malware.





Any one of these things by itself, with the exception of the rogue software, isn't always an indication of infection though educating yourself as to what to look for will greatly help find and remove this kind of software.


PART TWO: REMOVAL



Removing malware can be a daunting task. Ask anyone who has spent any time doing it and you will find someone who has at one time or another pulled some hair from their head or screamed. It can often be so challenging a task that most people simply format a system and start from scratch. Most malware gets onto a system either through an exploit (occasionally a true 0-day, far more often a bug whose patch the user never installed) or by riding along inside another seemingly innocuous program, the very definition of a Trojan horse.

Malware can carry with it viruses that attach themselves to your favorite programs, hook into vital system processes and bind themselves to networking components all in an attempt to make it more painful to remove than to just leave it. Again there is an incentive to keep this stuff on your system as long as possible and the designers of this stuff are going to make it as hard as they possibly can for you to remove it. Not doing this would be detrimental to their business.

If you have the right tools and enough time you can remove any infection. Let me say this, there is no infection of malware that cannot be removed if you know what you are doing, at least none that I have ever encountered.

It’s a good point here to remind you that before you begin the process of removal you should remember this will not be something you can do in five minutes. If you are cleaning a machine for someone, never accept a deadline. There is no way you can give them any real idea of how long this will take and its pointless and worse disappointing when you are not able to get it cleaned by a specific deadline. The time it takes to remove malware depends entirely on the kind of infection and the amount of infected files on the system. It also can depend heavily on how rooted it is on your system, but I’ll talk about that later.

Now for most users they are going to want automated tools and for those users such tools exist. I now find that I myself use more automated tools for removal than I once did, however to give you a better understanding of this stuff I want to be as thorough as possible and explain as much in detail as I can. Because of this I will first explain how malware can be removed manually with a few well designed and simple to use tools and then explain how it can be done with a more automated set of tools.

For manual removal of this crap I recommend a set of tools available from Microsoft called the Sysinternals Suite created by Mark Russinovich. Once you have downloaded the Sysinternals Suite of software, I recommend keeping them on a usb thumb drive or other form of removable media making them portable.

It should also be noted that having these tools available on portable media, or downloading them from a machine that is not infected, is the best option because malware has a tendency to redirect URL queries. A person who is trying to download software that may be used to remove malware may find the link no longer works or is redirected to more malicious software or advertising instead.

So the first tool I want to talk about is a tool I like called Process Explorer. At first glance Process Explorer looks very much like the built in windows task manager, however they are very much different.

Process Explorer

Process Explorer displays processes in a tree. This has the advantage of showing you which processes were started by which other processes. Since malware relies heavily on background processes, and ending those processes would stop it from functioning, malware commonly launches several processes that watch over each other. (Windows has no fork() in the Unix sense; one process simply starts others with CreateProcess, but the effect is the same.) A single process, upon executing, also executes several other processes.

A process started by and dependent on a parent process is called a child process and exists within the process tree. When you terminate one of them, one of its siblings or its parent will very often respawn the terminated process. Because of this you cannot end this kind of malware using the Task Manager. While the Windows XP Task Manager has the ability to end a process tree, it cannot show you the child processes of a parent or tell you which process started which.




Process Explorer can also suspend a process, which freezes every thread in it: the process stays in the process list and keeps its PID, memory and handles, but it executes no code, so it cannot touch the network, the CPU or the disk, and it cannot relaunch a sibling you kill. A watchdog that only checks whether its partner still exists (by PID, window or mutex) will see it as alive; nothing stops a watchdog from inspecting thread state, but in practice little malware bothers. That is what lets you suspend all suspicious processes first and then kill them one at a time.



Process explorer also includes a function that allows you to search for any dll or handle that is currently active on the system, a function that the task manager does not include.



*** It should be noted that although the Resource Monitor included with Windows Vista and Windows 7 shows more than Task Manager, and the Windows 7 version can suspend a process, neither displays the parent/child tree or verifies image signatures, so it is not a substitute for Process Explorer when killing malware.

Autoruns

Autoruns is another fantastic program included in the Sysinternals Suite that allows you to see a complete list of programs that are installed and configured to start when the system boots. It also has the ability to disable processes you do not want to have started when the system boots.



It also has the function of allowing you to hide entries in your startup that are signed by Microsoft, thus allowing you to eliminate from the list all entries you know to be safe. This is highly effective in reducing the list of stuff to something a lot more manageable.


Autoruns also features the ability to open a startup entry in Process Explorer to see if it's active and show you what child processes are also running.
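As an added example (mine, not the post's and not Sysinternals code), this is roughly what Autoruns does with "Hide Microsoft Entries" and "Verify Code Signatures" ticked: walk the autostart locations, resolve each command line to its image file, check the Authenticode signature, and show only what is not validly signed by Microsoft. It assumes Windows PowerShell 3.0 or later running as administrator, and covers only a handful of Run/RunOnce keys plus auto-start services, a small subset of the locations Autoruns knows about.

```powershell
# Added example, not from the original post or Sysinternals. Assumes Windows
# PowerShell 3.0+ run as administrator. The key list is a subset of what Autoruns covers.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every key; they are not autostart values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# Turn a command line such as  "C:\Program Files\Foo\foo.exe" /silent  or
# %SystemRoot%\system32\svchost.exe -k netsvcs  into the path of the image file.
function Get-ImagePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    if ($cmd -match '^(.+?\.(exe|dll|scr|cmd|bat|vbs))(\s|$)') { return $Matches[1] }
    return $cmd.Split(' ')[0]
}

function Get-SignerInfo([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Status = 'FileMissing'; Signer = '' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{ Status = $sig.Status.ToString(); Signer = $signer }
}

# What Autoruns hides: a VALID signature whose signer is Microsoft. The Company Name
# string in the version resource is deliberately ignored; malware can put anything there.
function Test-MicrosoftSigned($Info) {
    ($Info.Status -eq 'Valid') -and ($Info.Signer -match 'O=Microsoft Corporation')
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($ProviderProps -contains $p.Name) { continue }
            $image = Get-ImagePath ([string]$p.Value)
            $info  = Get-SignerInfo $image
            [pscustomobject]@{ Location = $key; Name = $p.Name; Image = $image
                               Status = $info.Status; Signer = $info.Signer
                               MicrosoftSigned = (Test-MicrosoftSigned $info) }
        }
    }
    # Services set to start automatically; drivers are not in Win32_Service.
    foreach ($svc in (Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' })) {
        $image = Get-ImagePath ([string]$svc.PathName)
        $info  = Get-SignerInfo $image
        [pscustomobject]@{ Location = 'Service'; Name = $svc.Name; Image = $image
                           Status = $info.Status; Signer = $info.Signer
                           MicrosoftSigned = (Test-MicrosoftSigned $info) }
    }
}

# Everything left after hiding the validly Microsoft-signed entries is what you look at.
Get-AutostartEntries | Where-Object { -not $_.MicrosoftSigned } |
    Sort-Object Status, Location, Name |
    Format-Table Location, Name, Status, Image -AutoSize -Wrap
```

Two things to keep in mind when reading the output. A status of NotSigned or FileMissing is not proof of malware (plenty of legitimate software is unsigned, and a stale entry can point at a deleted file), it is just what remains after the known-good has been hidden. And an entry whose image resolves to a Microsoft-signed host such as svchost.exe or rundll32.exe gets hidden even though the DLL it loads may be the problem; Autoruns digs into the ServiceDll and hosted-DLL values for exactly that reason, which this short version does not.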



Process Monitor

The third tool in the suite of tools I recommend is one called Process Monitor. Process Monitor is not for the faint of heart, it is a highly complex tool and requires a little understanding of windows processes to be able to use it correctly. Process Monitor works by observing in real-time the process and thread activities of the system as it runs.


One of the features of Process Monitor is the ability to filter those things you know are not a problem or you do not want in the list. This allows you to quickly get a real-time view of the things you know are causing you a problem by removing those that you know are not.



Rootkit Revealer

The last tool in the suite I recommend is one called Rootkit Revealer. Although many more powerful tools exist for discovering rootkits, this one isn't terrible and does what it advertises.

Rootkit Revealer is an advanced rootkit detection utility. It runs on 32-bit Windows NT-based systems (it was never ported to 64-bit Windows) and its output lists Registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.



Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, Rootkit Revealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format).

Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by Rootkit Revealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures.


Process of Removal

*** I have used a virtual machine that has Windows XP installed on it as an example, although I could have used Windows Vista or Windows 7 as well, I used what was available to me and what was a more prevalent OS for infection at the time I took these screenshots. The steps are identical between operating systems.

The only differences that might pose a problem are UAC in Windows Vista and Windows 7 and the different locations of system shortcuts between Windows XP and Windows Vista/7. A person competent enough to attempt this kind of malware removal should be able to figure out these differences and adjust for them. UAC prompts are expected here: run each of these tools elevated (right-click, Run as administrator) rather than disabling UAC, since Process Explorer and Autoruns cannot see or touch everything from a standard-user token, and turning UAC off only makes the next infection easier.

As you can see this virtual machine has pop-ups, shortcuts, browser-redirects, toolbars, and its resources are being consistently consumed. If this were a real machine it would be almost unusable.




The first step to removing this junk is locating the running processes and stopping them in their tracks. The way to do this is with process explorer’s suspend function.

Identify those processes that are not legitimate applications


The easiest way to do this is by suspending those applications you know are not Microsoft core applications or legitimate applications you want running on your system. Microsoft applications will be identified as coming from Microsoft Corporation in the Company Name column, but that string comes from the file's version resource and malware can put anything there, so turn on Options > Verify Image Signatures (and add the Verified Signer column) and trust the signature, not the label. You can access the context menu by selecting the application and right-clicking on it. Select Suspend from the list.



Continue this process until all applications that are suspect have been suspended. Not doing this may result in a single leftover application restarting the bunch when they are killed.



Suspended applications appear in gray. Make sure you go over this list a few times to make sure you have suspended everything you suspect to be malware.

Once you are sure you have suspended all suspicious applications it’s time to kill them one at a time.




Continue this process until all suspended applications have been killed.



You are able to see that the process tree above looks pretty clean. There are no unusual applications running, with the exception of Unlocker, which is not malware and which I'll talk about later. In the process tree you can see there are no bad programs running, but, like Task Manager's, this process list is generated by the kernel and can be fooled very easily. So the next step is verifying our initial results with a more thorough list.

Open Process Monitor and let it run for a few seconds. Any residual active malware is surely going to create something in the list.



The first step is to remove those applications we know are not infections. Below you will find a list of standard applications you would find on a running Windows XP machine.

*** This list will contain many more entries for a Windows Vista or Windows 7 machine. I suggest familiarizing yourself with those processes on a known clean machine before going further.

Explorer.exe
Lsass.exe
Csrss.exe
Services.exe
Smss.exe
Winlogon.exe
Wscntfy.exe
Wuauclt.exe
Svchost.exe
Spoolsv.exe
Alg.exe
Wmiprvse.exe

Pay particularly close attention to how these processes are spelled and whether they are signed by Microsoft Corporation. Bogus applications are often spelled very similarly to real Microsoft applications, usually only off by a single letter, or replaced with a number.

For example, Explorer.exe may appear as Exp1orer.exe, where the letter L is replaced with the number 1. In a process view you may not notice this kind of thing, and that's exactly what they are counting on. Pay particularly close attention to the Microsoft applications, because it is those applications that are most often targeted.
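Here is an added example (not from the original article) that turns the manual check above into code: it compares each name in a constructed process listing against the article's list of stock Windows XP processes, flags look-alikes that are one edit away (a swapped letter, a digit for a letter, two letters transposed) and flags a correct system name whose Company column is not Microsoft Corporation. The listing and the publisher strings are made up for illustration.

```python
"""Added example (not part of the original article): flag process names that
impersonate the stock Windows XP processes listed above, and system names that
are not signed by Microsoft. Input is a constructed process listing; no live
system is queried."""

# Baseline from the article's list of standard Windows XP processes.
KNOWN_GOOD = {
    "explorer.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe",
    "winlogon.exe", "wscntfy.exe", "wuauclt.exe", "svchost.exe",
    "spoolsv.exe", "alg.exe", "wmiprvse.exe",
}
MICROSOFT = "Microsoft Corporation"   # the Company column shown in Process Explorer


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and an adjacent swap
    (e.g. 'scvhost' -> 'svchost') as one edit each."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution (1 -> l, 0 -> o)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(name: str, company: str) -> str:
    """One verdict per process, mirroring the manual triage described above."""
    n = name.lower()
    if n in KNOWN_GOOD:
        if company == MICROSOFT:
            return "ok"
        # Right name, wrong publisher: something is masquerading as a system process.
        return "suspect: system name not signed by Microsoft"
    for good in sorted(KNOWN_GOOD):
        if osa_distance(n, good) == 1:
            return f"suspect: look-alike of {good}"
    return "unknown: research the name before excluding it"


def triage(listing):
    """listing: iterable of (process name, company) as read off Process Explorer."""
    return [(name, classify(name, company)) for name, company in listing]


# Constructed sample listing; the look-alike names are made up for illustration.
SAMPLE = [
    ("explorer.exe", MICROSOFT),
    ("Exp1orer.exe", ""),                    # 'l' replaced with '1'
    ("scvhost.exe", "Example Publisher"),    # two letters swapped
    ("svchost.exe", "Example Publisher"),    # correct name, not Microsoft-signed
    ("unlocker.exe", "Example Publisher"),   # unknown to the baseline: look it up
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE):
        print(f"{name:14s} {verdict}")
```

On Vista or 7 the baseline set has to be extended from a known clean machine, exactly as the note above says.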



Right-click on the process you wish to exclude, i.e. the good process, and select Process Name. This will allow you to filter out the processes you do not want in the view. Be careful: some malware can attach itself to system processes. Look at what the process is doing before excluding it.

Continue doing this until you are only left with things you’re not sure about. Google is your friend. Use it to search for process names. Doing this may be one of the better ways to get familiar with names used for malware infections.



If you’ve done it correctly you should not have anything left. This means that you have excluded all the processes you know to be safe and there is nothing left in the list that is suspect. It’s now time to stop this stuff from starting back up when you reboot.

Start up Autoruns

When Autoruns is first started it creates a very large list of boot entries. The first thing you'll want to do is cut this list down. Click on Options, and then Verify Code Signatures. Autoruns will connect to crl.microsoft.com to validate the digital signatures. A Microsoft entry not being verified does not mean it's infected; it just means Microsoft hasn't digitally signed it yet.




Next, click on Options, and then Hide Signed Microsoft Entries. This tells Autoruns to hide all the entries whose Microsoft digital signature has been verified. This will clear out a significant portion of the list.




Finally you can either hit F5 or click File then Refresh to refresh the list.


It’s time to begin removing startup entries. To do this, uncheck the boxes next to any entry that you know to be malware or find suspicious. Be very careful not to uncheck anything that is a system file. Doing this may prevent Windows from loading properly.




Continue down the list until you have unchecked all suspicious entries. Hit F5 again; if you have done everything correctly, none of the boxes you've unchecked will have reappeared or checked themselves again. If everything looks good you can exit Autoruns.

It’s now time to reboot your computer to see if the bad stuff comes back.

After you have restarted your computer you should run Process Explorer again to verify it's all gone.
If everything is clean your process list will look similar to mine.



Remember that in my test computer I have not loaded any other applications than the tools I use and the malware itself. You could have some of your own applications running. As you can see in the process list all of the malware is no longer loading with Windows. Now you can remove it like any other application.

Now we will head to Add or Remove Programs.


Click Start, then Run, type control in the box and hit OK.



Once the Control Panel loads, click Add or Remove Programs.

After the list loads, click on the first suspect entry and click Remove.



Continue down the list removing everything that could be malicious. Be careful not to remove something that is needed or that isn't really malware. Again, use Google to help you tell the good from the bad.
What you are left with should look very similar to what I have below.



You will probably have a lot more programs on your computer than I have on this test computer. So your list is likely to be quite a bit longer than this one.

Finally let’s get rid of those shortcuts that these programs sometimes leave behind.


Close Add or Remove Programs.

Begin removing the desktop shortcuts by clicking on each one once to highlight it and then pressing the Delete key on your keyboard. Windows will ask if you are sure; choose Yes.



Sometimes malware changes your default Internet settings, so the last thing you will want to do is restore the defaults. Click Start, right-click on Internet and choose Internet Properties.



Click on the Programs tab and then click the Reset Web Settings button.



It will ask you to confirm you actually want to reset your web settings. Click Yes.



Click OK when prompted, and click OK again to close the Settings dialog.

You can now open Internet Explorer and confirm everything is back to normal.

For a more automated removal there are a couple of tools I use exclusively and find very effective in removing malware of all kinds.

Bleeping Computer's Combofix
MalwareBytes Anti-Malware

*** You should only download these tools from the sites I have linked to, as malware developers often repackage these tools and put them up on the web to fool people. Such versions will certainly not clean a system and will only infect it further.

Both of these tools are available with varying degrees of automation. Combofix is the tool I most often run first, as I have found it more effective at getting rid of the really nasty stuff, like rogue anti-malware applications that have just infested the machine.

The advantage of Combofix is that if for any reason applications will no longer run in Normal mode, Combofix can be run from Safe Mode and from Safe Mode with Command Prompt, making it a very powerful tool in the arsenal. Combofix comes with plenty of warnings and I should pass them on as well. It has been known to cause damage, not because the software is malicious but because it removes malicious software so effectively: malware that has perniciously rooted itself into important system components can break things when it is removed.

I recommend that only someone experienced in malware removal, or otherwise tech savvy, use this utility. Otherwise use it at your own risk. If you don't care either way: it works, and usually takes between 15 and 30 minutes.




For the rest of you who don't want to tempt fate, or just want to run something after Combofix to be sure, you can also run MalwareBytes Anti-Malware. This has been another tool in my arsenal for many years and it is also one of the most effective means of removing malware. There is almost nothing that Malwarebytes Anti-Malware cannot remove.

You will need to install this program, and although licensing is available for commercial use, it is free for personal use. During the install it will ask you if you want to run an update, and then it will run when it's done installing; it doesn't get any easier. Once it runs, I recommend a Full scan. It will take longer, but it's worth the wait. If it finds anything it will present what it found along with an option to remove it.

Both of these tools may require reboots after removing stuff, just let them reboot to finish the process.





Both of these tools are capable of removing a ton of malware even some rootkits, and that brings me to the next part.

Part Three: Rootkits


No matter how good a job you do removing this stuff, sometimes it just doesn't want to be removed. Following all the steps above you can clean 99% of the infections likely to hit a machine. Sometimes, though, there are infections that are simply too hard to remove: infections that take advantage of rootkit technology and those that hook into system processes, preventing their easy removal. I'm going to talk about some of these technologies and an effective means of removal. In the end any infection can be removed given dedication and time.

Rootkits are very powerful tools that are used to hide something from the OS. Root is the UNIX term for the highest-privileged account on a machine. It is literally the one account that has direct access to all aspects of the system without restriction. Any command coming from a root account is considered trusted. This is important, as you will find out. And although this is a UNIX term it also applies to Windows, as Windows has adopted user permissions as well in its NT family of operating systems (Windows NT, Windows 2000, Windows XP, Windows 2003, etc.).

To understand what a rootkit does we must first understand a little about operating systems. In every operating system there exists something called the kernel; it is essentially the brain of the OS. All things must go through the kernel before they are run on a system. Think of your system as having a house with different levels, and at the very bottom, the first floor is the kernel. The kernel is mom or dad. Applications do not run on the first floor they run on the levels above.

In this house there is no front door; the only doors come from the floors above. If the kids want to run around screaming and jumping upstairs, they will have to get permission from mom or dad below. When you run an application like Internet Explorer, that application is a client which accesses the kernel asking permission to run. Now the kernel is somewhat smart: it won't run any program that it doesn't understand. You may have encountered an error once or twice that said something to the effect of "this application is not a valid 32-bit application." That error is generated in response to an application the kernel objects to running, simply because it doesn't understand what language it's speaking; in this case it's not a Windows application. Some of you may have encountered the BSoD. The BSoD is nothing to be feared, but many times it occurs as a direct result of an improper call to the kernel. Many badly written programs can cause kernel-borne BSoD errors.

In the early days of spyware intrusion, there was no need for software makers to hide their software, as no one even knew that this software existed. However, soon people started to discover the software lingering on their systems, associated with the arrival of irritating ads on their desktop. With no explanation as to how this happened, most users assumed it was just some function of Windows.

Removal tools started to spring up and people started to take notice. And now when you think of spyware you think: no problem, I use Ad-Aware, Spybot Search & Destroy, Spyware Doctor, Microsoft Security Essentials, etc. I'm protected, nothing can get me. If you think that, you are wrong.

The fact is, the harder anti-malware companies fight, the harder the malware developers fight back. To say that Windows is inherently flawed is true, but this is true of all operating systems, including those that are UNIX based. All operating systems to date have been written with the idea that, at the very core of the system, things can be trusted. The assumption is that anything coming from the highest-privileged user should and must be trusted without exception. This is a huge flaw, even in UNIX.

If we think of the OS as a bank, we think of the root permissions as the bank president. He has all the keys to the doors, all the codes to the alarms and the combination to the safe. Are we to believe that the bank president, simply because he is the bank president, would not steal from his own bank? We assume trust where we shouldn't assume it. And it is the same in any operating system. At the core of the operating system there is the ability, with proper permissions, to access all the functions of the system and thereby, if desired, the ability to compromise the system's security. Hackers have been using rootkits on UNIX systems for quite a long time, and they were only discovered because of savvy UNIX administrators.

So how does a rootkit actually work? A rootkit is a tool which attaches itself to the kernel in such a way as to intercept information coming into and going out of the kernel. Let's say you want to get a list of the contents of a directory. The system performs this with two operations, FindFirstFile and FindNextFile. As an example, if you wanted to search for all files (*.*), the system would perform the FindFirstFile function and return the first matching file. The system would then perform the FindNextFile function, returning the next one, and perform FindNextFile again and again until no more files matched the terms of your search. Rootkits intercept those file-finding functions so that each time a file the rootkit is hiding would be returned, the rootkit simply calls FindNextFile again itself and hands back the following result, skipping over the hidden file.

Windows is a really efficient operating system; it is written to be powerful and yet very compatible. It does this with the use of the Application Programming Interface (API). When an application is executed, it goes through one of three Windows subsystems: the Win32 subsystem, the POSIX subsystem (or Interix), or the OS/2 subsystem. These subsystems provide an interface to system services that reside in kernel memory.

Therefore, unprivileged applications must go through these subsystems to access privileged kernel memory. When a Windows binary is loaded into memory, the loader must parse a section of the file called the Import Address Table (IAT). The IAT lists the Dynamic Link Libraries (DLLs) and the corresponding functions in the DLL that the binary will use. The loader will locate each of these DLLs on disk and map them into memory. Then, the loader puts the address of the function in the IAT of the binary that calls the function. By modifying the entries in a binary’s IAT, a rootkit can alter the execution flow of the program and influence what the original function would have returned to the caller.

All a piece of software has to do is alter an IAT entry to point to another location, such as the rootkit's own code, instead of the original function, and now it has the ability to hide any file it likes. Rootkits do not access the kernel as a normal application, which must run unprivileged, but instead access it as something called a filter driver. The filter driver sits at virtually the same level as the kernel, hooking itself into the FindNextFile calls any application makes.
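The following is an added example, written for this page and not part of the original article, that models the FindFirstFile/FindNextFile interception described above in plain Python: an import table of function references stands in for the IAT, a filter repoints both entries and skips the files it owns, and two checks show how a defender catches it. The first is a cross-view scan (compare the API's view with a raw read of the "disk"), which is the comparison anti-rootkit scanners rely on; the second checks whether the import table entries still point where they were resolved to. The "disk" contents, file names and the rk_ prefix are all constructed.

```python
"""Added example (not from the original article): a pure-Python model of the
FindFirstFile/FindNextFile hook described above, plus two defender-side checks.
The 'IAT', 'disk' contents and file names are all constructed."""

def find_first_file(entries):
    """Stand-in for the real API: returns a search handle and the first name."""
    handle = iter(entries)
    return handle, next(handle, None)

def find_next_file(handle):
    """Stand-in for the real API: next name, or None when the search is done."""
    return next(handle, None)

# A binary's import table after the loader resolved it: function name -> address
# (here the Python function object stands in for the address).
CLEAN_IAT = {"FindFirstFile": find_first_file, "FindNextFile": find_next_file}

def list_directory(iat, entries):
    """The application: it only ever calls through its import table."""
    names = []
    handle, name = iat["FindFirstFile"](entries)
    while name is not None:
        names.append(name)
        name = iat["FindNextFile"](handle)
    return names

def install_filter(iat, hidden_prefix):
    """What the article calls altering the IAT: both entries are repointed at a
    filter that calls the originals and skips anything the rootkit owns."""
    orig_first, orig_next = iat["FindFirstFile"], iat["FindNextFile"]

    def skip_hidden(handle, name):
        while name is not None and name.startswith(hidden_prefix):
            name = orig_next(handle)  # hand back the following file instead
        return name

    def filtered_first(entries):
        handle, name = orig_first(entries)
        return handle, skip_hidden(handle, name)

    def filtered_next(handle):
        return skip_hidden(handle, orig_next(handle))

    iat["FindFirstFile"], iat["FindNextFile"] = filtered_first, filtered_next

def cross_view_scan(iat, entries):
    """Cross-view detection: a name present in a raw read of the disk but missing
    from the API view has been hidden from the API."""
    return sorted(set(entries) - set(list_directory(iat, entries)))

def iat_integrity(iat, resolved):
    """Integrity check: which entries no longer point where the loader put them?"""
    return [name for name, addr in resolved.items() if iat[name] is not addr]

# Constructed directory contents; 'rk_' marks files the simulated rootkit hides.
DISK = ["rk_loader.exe", "boot.ini", "ntldr", "rk_hidden.sys", "pagefile.sys"]

if __name__ == "__main__":
    iat = dict(CLEAN_IAT)
    install_filter(iat, "rk_")
    print("application sees:", list_directory(iat, DISK))
    print("hidden from API: ", cross_view_scan(iat, DISK))
    print("modified imports:", iat_integrity(iat, CLEAN_IAT))
```

A real filter driver intercepts calls below the application rather than in its import table, which is why the cross-view comparison, not the IAT check, is the one that still works against it.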

Part Four: Random Problems


CoolWebSearch


If you find that no matter what you do the machine is still infected, you may have a CoolWebSearch infection. CoolWebSearch employs very low-level kernel filter drivers and rootkit technologies to hide and protect its files. It is by far the hardest piece of malware I have had to remove. Even most anti-malware applications have trouble removing it. If the steps already shown in this document don't prove effective in removing it, anti-rootkit technology may help. Both Combofix and Malwarebytes Anti-Malware can remove some rootkits, so it's possible that running either or both of these tools will clean this kind of malware.

Access Denied Errors

I have found that some malware cannot be easily removed because of locking mechanisms in Windows that the malware has hooked itself into, which prevent a file from being removed. For this type of problem I recommend a piece of software called Unlocker. You can find both 32-bit and 64-bit versions of the software. The site is kind of a mess, and if you are not careful you may click on something you didn't want to click on, so I recommend going straight to the bottom of the page until you reach something that says:

Download for Windows 2000 / XP / 2003 / Vista / Windows 7 - Unlocker is Freeware

Under there you should find the links to download Unlocker for 32-bit and 64-bit Windows.

Final Notes

There are a ton of anti-malware programs out there, some cost money and some are free. I believe that the best software isn't always the software you pay for and in my experience this tends to be true. I find a lot of people who have Norton or McAfee installed on their system only to find that after their subscription ends it no longer updates.

Any kind of anti-virus or anti-malware software that does not update is essentially useless and should be removed. Replace it with a free alternative that is highly effective in protecting a system from infection. The tool I recommend the most is Microsoft Security Essentials: it's free and it works. Another tool you can pick up from Microsoft, which can be highly effective in removing specific kinds of malware and especially rootkits, is the Malicious Software Removal Tool.

Other companies offer free rootkit removal tools and they should also be considered if you believe you have a rootkit. Sophos and Kaspersky offer free tools, and AVG has incorporated one into its free and paid antivirus solutions. Again, I do not believe one should pay for an anti-malware solution when there are many free ones available for download. However, people are often fooled into believing they are downloading reputable AV software, and download malicious rogue software instead.

A couple of things to remember: if the software is highly intrusive and insists that you pay for it before it will clean anything, it is probably malware. There are literally thousands of malicious rogue software programs out there that are designed to look like legitimate software, and you must be very careful when downloading and installing them. Make sure they are trusted, Google them to find out, and don't trust just the first site you visit.

If you are using Internet Explorer as your main browser, you should consider moving to something a little more security oriented like Google Chrome or Mozilla Firefox. Either of these is considered a much better alternative to Internet Explorer, although I prefer Chrome myself.

There is a simple mantra everyone should follow when browsing the Internet: Trust No One. If you follow this you will already be ahead of the game. And a little common sense: don't click random links in chat, on websites, or in email. Don't think a link is safe simply because you trust its host.

Many sites are compromised every single day, and the host never even knows about it. Be wary of strangers offering you free software or free products, and never give out your credit card information to anyone unless you are absolutely sure that the site you are using has a valid SSL certificate. All browsers can verify a valid SSL HTTPS connection, so don't be fooled. And now I will leave you with a short video that documents the cold call of a fake AV scammer who tried to pull the wool over the eyes of a random person; the only problem was that this random person was a security consultant. He immediately began recording the session and this is the video he posted:

This should be important for everyone to watch, so they may see how this kind of thing is done. You may think someone foolish if this happens to them, however it happens all the time. If it didn't, then there would be no business reason for these scammers to try this.
