Bleepin' malware...

Posted: Sat Apr 23, 2011 10:09 am
by just brew it!
So I just got done cleaning off my father's PC. He had one of those "fake anti-virus" things (Internet Protection Firewall), and a couple of other questionable ones as well (Paretologic PC Health Advisor, and Advanced Registry Optimizer). System was totally bogged down, and he was getting nag messages from IPF telling him he was infected with all sorts of other crap, to try and get him to pay their "protection" money.

Nuked 'em all, ran Malwarebytes, got him up-to-date on patches, and installed MSE.

Guess we need to have another talk about installing random crap off the Internet...

Re: Bleepin' malware...

Posted: Sat Apr 23, 2011 10:36 am
by Madman
But it scans the links and says the internet is secure :confused:

Funny thing is that if you don't do silly stuff you can live without AV software just fine.

Re: Bleepin' malware...

Posted: Sat Apr 23, 2011 10:39 am
by Suspenders
I'm a bit surprised you did a "clean up" rather than a total wipe. In these situations I usually format the hard drive and start fresh; safer and (potentially) less irritating.

Re: Bleepin' malware...

Posted: Sat Apr 23, 2011 11:02 am
by just brew it!
Yeah, wipe and reinstall was an option. But since Malwarebytes seemed to have no trouble getting things cleaned up I figured it was worth it to not have to reinstall all his other stuff. Not sure he even knows where the install media is for all his other software...

Re: Bleepin' malware...

Posted: Sat Apr 23, 2011 12:06 pm
by Madman
Suspenders wrote:
I'm a bit surprised you did a "clean up" rather than a total wipe. In these situations I usually format the hard drive and start fresh; safer and (potentially) less irritating.

Actually, it's safer, but the approach most applications choose to save their data makes sure you can't just reformat the HDD.

There is application data in C:\AppData\, C:\Program Files\, My Documents, c:\%userprofiles%\appdata, registry, C:\program files\common files\, c:\windows etc.

For the last few formats I've found that the only way you can be sure you have all your previous data intact is to uninstall everything, clone the HDD to VHD, and then back it up, so that one month later you can get, say, your Outlook folder that wasn't copied properly out of their Program Files directory or something.

Reformatting is a nightmare nowadays if you care for the data.

Re: Bleepin' malware...

Posted: Sat Apr 23, 2011 12:15 pm
by Flying Fox
I would use another RootKit scanner in safe mode just to be sure. Or it may really be NFO time.

Re: Bleepin' malware...

Posted: Sat Apr 23, 2011 12:23 pm
by just brew it!
Madman wrote:
Reformatting is a nightmare nowadays if you care for the data.

IMO it is actually *less* of a nightmare than it used to be, since most newer apps tend to store their data in the "Documents and Settings" area by default. This is more like how *NIX does things (all user files in the /home area).

Flying Fox wrote:
I would use another RootKit scanner in safe mode just to be sure. Or it may really be NFO time.

Yeah, I plan to do a rootkit scan as well. But it looks like most of the alleged malware was actually fake stuff that IPF was reporting just to try and get the user to pay for their "product". :roll:

I find the name "Internet Protection Firewall" somewhat amusing, given that the product's only purpose is to get people to pay "protection" money. Maybe the scammers actually had a sense of humor...

Re: Bleepin' malware...

Posted: Sat Apr 23, 2011 12:49 pm
by Suspenders
re Madman,
I agree, it can certainly be quite a nightmare because of where application data gets saved, but there's little choice if you want to use your computer afterwards for, e.g., doing your banking online.

For myself this problem is greatly mitigated by using mostly portable apps and saving files and things I'm working on in one location to make backups easier. Still, things like user configurations, game save files and the like get obliterated unless I make a point of looking for those files and backing them up before any reformat.

Re: Bleepin' malware...

Posted: Sat Apr 23, 2011 2:44 pm
by mikeymike
Most of the scam security products I encounter are really easy to remove as they're just using local user privs and running an app from the HKCU standard startup key. Sometimes they're even more simple to remove as they allow Task Manager to kill them :)

I do plenty of checks afterwards, and on XP you've got to tread more carefully as sometimes the malware detects XP and uses the almost-standard-admin privs to wreak havoc (commonly in the boot sector), but I haven't seen a piece of malware get more than just user privs on Vista/7 in quite a while.

The odd thing is, the first scam security product I encountered (on XP) was a real bugger to remove, and instead of the usual arms race I would expect between the good and bad guys resulting in more complex techniques being used, the malware designers IMO have just gotten sloppy. Having said that, I think the anti-virus companies have gotten sloppy as well, because if all it takes is safe mode (sometimes not even that), an executable rename and a registry key deletion to stop it, then why the hell haven't the AV companies caught up? I've seen every popular AV scanner / Internet security product get taken out by the scam security product. I just don't get it. Surely malware before the era of scam security products was trying the same tactics.

There's a scam security product doing the rounds on XP at the moment that deletes the Automatic Updates service, but forcing the Windows Update agent install on it fixes that.

I advise customers that since I can't prove that malware isn't still on the machine and is just being extra-sneaky, that a data backup and clean install is the only way to be sure, but I think (at least in my line of work) it's important to "keep my hand in" and get some practice in detecting and removing these threats.
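A defender-side triage of the persistence mechanism described above (an executable launched from the per-user Run key) is a quick way to spot this class of scam product before deciding between clean-up and reinstall. The script below is an added example, not something posted in the thread; it assumes Windows PowerShell 5.1 or later and read access to the HKCU/HKLM hives, and flags autorun entries whose image is missing, unsigned, or sitting in a location a non-admin user can write to.

```powershell
# Added example: triage the standard Run/RunOnce autostart keys that fake
# "security" products commonly use for persistence with only user privileges.
# Assumes Windows PowerShell 5.1+ (Get-AuthenticodeSignature, Get-ItemProperty).

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories a local (non-admin) user can write to; an autorun image living
# here is the classic footprint of a user-privilege-only infection.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)

function Get-ImagePath([string]$command) {
    # Reduce a Run value ("C:\x\y.exe" /flag, C:\x\y.exe /flag, %APPDATA%\z.exe)
    # to the bare executable path.
    $expanded = [Environment]::ExpandEnvironmentVariables($command.Trim())
    if ($expanded.StartsWith('"')) { return $expanded.Split('"')[1] }
    if ($expanded -match '^(.+?\.exe)') { return $Matches[1] }
    return $expanded.Split(' ')[0]
}

function Get-AutorunTriage {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PSPath/PSChildName/... metadata that Get-ItemProperty adds.
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $image = Get-ImagePath $props.$name
            $flags = @()
            if (-not (Test-Path -LiteralPath $image)) {
                $flags += 'image-missing'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $image
                if ($sig.Status -ne 'Valid') { $flags += "unsigned($($sig.Status))" }
            }
            foreach ($dir in $userWritable) {
                if ($dir -and $image.StartsWith($dir, 'OrdinalIgnoreCase')) {
                    $flags += 'user-writable-path'; break
                }
            }
            [pscustomobject]@{ Key = $key; Name = $name; Image = $image; Flags = ($flags -join ',') }
        }
    }
}

Get-AutorunTriage | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Entries with an empty Flags column are the normal signed vendor autoruns; anything flagged is what to look at first, and the Key column tells you whether removal needs only the affected user's session (HKCU) or admin rights (HKLM).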

Re: Bleepin' malware...

Posted: Sat Apr 23, 2011 4:46 pm
by just brew it!
Speaking of rootkits... what do people generally use to scan for them these days? The original RootkitRevealer is getting a bit long in the tooth; do newer rootkits have countermeasures that prevent it from detecting them?

Re: Bleepin' malware...

Posted: Sat Apr 23, 2011 5:32 pm
by Captain Ned
just brew it! wrote:
Speaking of rootkits... what do people generally use to scan for them these days? The original RootkitRevealer is getting a bit long in the tooth; do newer rootkits have countermeasures that prevent it from detecting them?

Stuxnet.

Re: Bleepin' malware...

Posted: Sat Apr 23, 2011 5:50 pm
by Madman
This blog has a few very interesting investigations:
http://blogs.technet.com/b/markrussinovich/

But the general rule is:
If malware had admin access any time during its lifetime
If malware uses any sort of zero day vulnerability

The system might be toast.

This is probably also the reason why I absolutely despise the practice nowadays of home-pinging software. The systems are super complex, work with admin privileges a lot of the time, and generate gigs of background traffic. Computing has gone so far that you can't trust your PC anymore.

Have any of you run security audit tools on your systems recently? I tried once, and the conclusion was, oh F* it, there is no way one person can understand how safe their PC is in a lifetime. There are millions of registry entries under HKLM that are guest writable, that do millions of different things; you just can't protect your PC anymore.

And yeah, I think I read somewhere that a few rootkits are not picked up with RootkitRevealer.

One thing you might do to verify if the spyware is safe to just delete is to find what it is, disassemble it, see what it does, and clean up what it did. That will take a year or so. So.... Meh...

Re: Bleepin' malware...

Posted: Sun Apr 24, 2011 2:12 am
by mikeymike
RootKitRevealer hasn't picked up anything in ages for me.

I top off any malware disinfection routine with a full MLB, assuming that I found and disabled the original symptom and any other typical symptoms I look for. If a malware infection has managed to evade my usual tactics, as well as taking the machine home, disconnecting the disk and scanning it on my own machine with anti-virus and MLB and I've had zero or only partial success in removing it, I tend to recommend a reinstall to any customer at that point. My logic being, if it has exhausted most of my usual tactics and I've spent quite a while on it already, then how much longer do I need to spend to be confident that it is then malware-free, or whether I can actually be confident in my work at that point.

Madman wrote:
But the general rule is:
If malware had admin access any time during its lifetime
If malware uses any sort of zero day vulnerability

The system might be toast.

I don't know about your experiences of dealing with malware*, but IMO a lot of customers refuse to admit that they realise they did something wrong**. Based on that, it's very difficult to answer either of those questions, and I think my customers would look elsewhere if I started handing out reinstalls like expensive parking tickets with the added annoyance of losing settings and "how things worked". I think my reinstall price is quite reasonable (£60), which includes bringing the computer back and setting it up on-site, and IMO it's a subsidised service. There's also the fact that I would have to spend some time attempting to remove the malware before going for the 'nuke it from orbit' strategy, either I have to give that attempted service away for free or it becomes an expensive malware removal job.

* - I'm not meaning to devalue your experience with this comment btw.

** - Yes, I realise that a lot of malware gets through purely via software vulnerabilities, and I've seen demonstrations where there isn't any outward sign that a malware infection just took place.