The Basics of Manual Malware Identification and Removal

Discussion in 'other anti-malware software' started by Minimalist, May 15, 2018.

  1. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    What do those events have to do with the price of rice in China in the summertime after it rains? Nothing. Just as it has nothing to do with the topic of this thread. But did you notice where I said "bad guys have been concentrating less and less on Windows based home systems and concentrating more and more organizational/corporate servers." And guess what? Most of those hacked servers are running some flavor of Linux or Unix.

    Top 22 Favourite Operating Systems of Hackers (2018 List) - all Linux/UNIX based!

As for users clicking on the French automaker's site getting infected, NOT TRUE! The plant was hit by ransomware, and user data was stolen. Users logging in to those websites were not infected.

    But again that has nothing to do with the topic of the article or topic of this thread, which is protection BEFORE any security is installed.
    OMG!!! Are you and guest the same person or related? Here you go now making up falsehoods! What's the matter with you! Have you no integrity?

    I NEVER EVER said the article is without use! Why these falsehoods? :mad: First you claim the article is about something it is not. Then guest makes up a falsehood about me disliking Emsisoft. Now you say I claimed the article is useless?? Wow! Seriously, why do you and guest have to create such falsehoods? Do you seriously believe the readers of this thread can't see the truth?

    I specifically said above in post #8 the article provides some "good information". I never said the article was without use. Nor did I ever say I disliked Emsisoft. If anyone can show where, on this site or any other site, where I have said differently, please post a link and I will apologize profusely. If you can't then IMO, you owe at least Wilders and its readers an apology for these intentional falsehoods.
     
  2. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    I read the article because of the passion shown by the posters. Now, I freely admit I can read but am not a security expert, hence I come here. My take is the article is about malware removal on a machine that may, or may not, have had security installed. I think Emsisoft didn't want the article to come across as 'knocking copy' (you're having to read this because you installed some sub-optimal competitor's software sounds arrogant, so let's introduce an alternative perspective: the security virgin PC). It was given that you can be infected, with or without some security installed, and the focus was on identifying what's the potential bad-guy and how to remove it using Autoruns. As a mere follower, I enjoyed the article and encourage other non-experts to do otherwise. It didn't come across as Emsisoft marketing to me as I didn't find myself having their product pushed down my throat, because they didn't mention 'the' security scanner, but 'a' security scanner, a scanner which is free and was only mentioned once. If anything, they marketed Autoruns and ProcessExplorer, both free tools from MS.

For the record, I have a GCE 'O' level (JMB 1978) in English, and use CFW with Meghan's settings (WD turned off). I also use the free EEK and Zemana scanners every week or so.

    Always remember what the answer is: love!
     
  3. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    6,147
    Location:
    Nicaragua
I read the article; I can't understand the complaints against Emsisoft. They wrote the article, it's their blog; in my opinion, they are more than entitled to promote their product and write what they want.

    Bo
     
  4. Telos

    Telos Registered Member

    Joined:
    Jul 26, 2016
    Posts:
    171
    Location:
    Frezhnacz
    Just like the disinfection method's completeness is always suspect. The value in disinfection is the possibility of grabbing a handful of files which may have been created/updated since the most recent clean image. Then restore the clean image. Eh?
     
  5. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    My thoughts exactly and I couldn't have written it better! :thumb:
     
    Last edited: May 20, 2018
  6. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Ta. I've taken a leaf out of your book and downloaded Avira PC Cleaner. I hadn't realised Avira offered a portable cleaner.
     
  7. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
Yes, I like their quick on-demand scanner.
Here I described a workaround I use to run it in "portable" mode: https://www.wilderssecurity.com/thr...-demand-av-virus-scanner.380174/#post-2529463
This way you won't have to download the whole installer each time you use it. The program will download only new signatures each time you run it.
     
  8. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
    Thanks.
     
  9. XenMan

    XenMan Registered Member

    Joined:
    May 8, 2018
    Posts:
    130
    Location:
    Australia
    Brilliant article, I’m surprised there aren’t more threads and posts about hands on removal and management.

    What I see mostly here is the ‘Home Shopping Network’ for computer bling that doesn’t see much actual use. I have a few computers with zero protection, not even Windows updates for many years, and they are fine as they only go to a few trusted sites.

    Takes me back to the XP days when I knew every process that should be running in task manager.

    You are either just a consumer of products, or you should be able to be the AV if your computer is infected.

    I lost all my USB function on Win10 Pro using Autoruns, and found another person on a forum who had the same. Have a fresh image before using it.
     
  10. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,649
    Location:
    Paris
Hi Guys- First off, thanks to Iangh for Post 27. Excellent post!

I would like to bring together the last few posts (about manual malware removal and Avira PC Cleaner) with a quick test I made earlier (and I hope the Mods will allow this- if not, I totally understand).

Materials and Methods- I ran some malware files- a few Worms with high persistence mechanisms, a WMI Ghost, a Powershell RAT with a 2 week sleep function, a mshta RAT, and something that somehow messed with xnacc.sys (I asked Ophelia what it actually did but she just hissed at me in disgust). All were zero-day and all connected out doing God (and Ophelia) knows what.

I then rebooted and ran Avira PC Cleaner with a quick scan- although this finished quickly, it also found nothing. I then did a Full scan which took like FOREVER. It found all of the worms as well as the PS thingy. I let Avira clean things up and rebooted. On system start, all of the worms repopulated (Avira couldn't detect the persistence mechanism), but the PS malware was indeed gone. I then started Autoruns and unchecked things that showed up there; in addition I opened MSCONFIG and deleted stuff there. On reboot all malware, although still extant on the system, was not active in memory and so was not connecting out.

    Moral of the Story- sometimes the easiest and quickest manual removal routines are superior to the Professional and Slooooooowest routines.
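The check behind the last step of that test, "not active in memory and so not connecting out", as an added example that is not part of cruelsister's post or the Emsisoft article: after disabling the autostart entries and rebooting, map every established TCP connection to the owning process, its on-disk image, its parent and its Authenticode status. The "ReviewFirst" ordering is this example's own heuristic. It needs Windows PowerShell 5.1 on Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt so that image paths of all processes are readable.

```powershell
# Added example, not from the original thread or from Emsisoft. Read-only.
function Get-OutboundProcessMap {
    # Index all processes once: Win32_Process exposes parent PID and command
    # line, which Get-Process does not on Windows PowerShell 5.1.
    $procs = @{}
    foreach ($p in Get-CimInstance Win32_Process) { $procs[[int]$p.ProcessId] = $p }

    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|fe80:)' }   # drop loopback / link-local

    foreach ($c in $conns) {
        $p      = $procs[[int]$c.OwningProcess]
        $parent = if ($p) { $procs[[int]$p.ParentProcessId] } else { $null }
        $image  = if ($p) { $p.ExecutablePath } else { $null }
        $sig    = if ($image -and (Test-Path -LiteralPath $image)) {
                      (Get-AuthenticodeSignature -LiteralPath $image).Status
                  } else { 'Unknown' }                 # protected or already-exited process
        [pscustomobject]@{
            Pid         = $c.OwningProcess
            Process     = if ($p) { $p.Name } else { '<exited>' }
            Parent      = if ($parent) { "$($parent.Name)($($parent.ProcessId))" } else { '?' }
            Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
            Image       = $image
            Signature   = $sig
            CommandLine = if ($p) { $p.CommandLine } else { $null }
            # Heuristic ordering for the review (an assumption of this example,
            # not a verdict): unsigned or unreadable images, or script hosts and
            # other living-off-the-land binaries holding an outbound connection.
            ReviewFirst = ($sig -ne 'Valid') -or
                          ($p -and $p.Name -match '(?i)^(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|msbuild|certutil)\.exe$')
        }
    }
}

Get-OutboundProcessMap |
    Sort-Object @{ Expression = 'ReviewFirst'; Descending = $true }, Process |
    Format-Table -AutoSize Pid, Process, Parent, Remote, Signature, ReviewFirst
```

Read the output with the sleeping RAT from the test in mind: a sample that sleeps for two weeks holds no connection, so an empty "ReviewFirst" column says nothing about what is still on disk. This view complements a review of the autostart locations; it does not replace it.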
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
I will also add that downloading and running Autoruns even if "Display Microsoft Entries" is enabled is not enough to find "stealthy" malware. This DerbyCon 7.0 presentation goes through detecting those in detail: https://github.com/huntresslabs/evading-autoruns . Download the .pdf of the presentation. A must read.
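One way to get a second opinion on what Autoruns shows, added here as an example and not taken from the Emsisoft article, from itman's post or from the linked DerbyCon slides: read a few common autostart locations straight from their sources (Run/RunOnce keys, scheduled tasks, auto-start services and the permanent WMI event consumers behind the "WMI Ghost" in cruelsister's test) and resolve each launch string to the file that would actually execute. The four locations and the "Suspicious" heuristics are this example's own assumptions; Windows has many more autostart paths than these, which is itman's point. Windows PowerShell 5.1, elevated, read-only.

```powershell
# Added example, not from the original thread, Emsisoft or Huntress. Read-only.
function Resolve-LaunchTarget {
    # Pick the executable out of a launch string ("C:\a b\x.exe" /q,
    # rundll32 y.dll,Z, C:\Program Files\x\y.exe -s) and resolve it as the
    # loader would: full path first, otherwise a PATH + PATHEXT search, where a
    # stray .com or a writable PATH directory can shadow the intended .exe.
    param([string]$Launch)
    if ([string]::IsNullOrWhiteSpace($Launch)) { return $null }
    $first = if ($Launch.StartsWith('"')) { $Launch.Split('"')[1] }
             elseif ($Launch -match '(?i)^(\S.*?\.(exe|com|dll|bat|cmd|vbs|js|ps1|hta|scr))(\s|$)') { $Matches[1] }
             else { ($Launch -split '\s+')[0] }
    $first = [Environment]::ExpandEnvironmentVariables($first)
    if (Test-Path -LiteralPath $first -PathType Leaf) { return (Resolve-Path -LiteralPath $first).Path }
    $cmd = Get-Command $first -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($cmd) { return $cmd.Source }
    return $null
}

function New-AutostartRecord {
    param([string]$Source, [string]$Name, [string]$Launch)
    $target = Resolve-LaunchTarget $Launch
    $sig = if ($target) { (Get-AuthenticodeSignature -LiteralPath $target).Status } else { 'NoFile' }
    [pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Launch    = $Launch
        Target    = $target
        Signature = $sig
        # Heuristics to order the review, not verdicts (assumed by this example):
        # unsigned or missing image, image outside Windows / Program Files, or a
        # script host doing the launching.
        Suspicious = ($sig -ne 'Valid') -or
                     ($target -notmatch '(?i)^[a-z]:\\(windows|program files( \(x86\))?)\\') -or
                     ($Launch -match '(?i)\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32)\b')
    }
}

function Get-AutostartEntries {
    # 1. Run / RunOnce keys: machine, 32-bit view, current user.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PSPath, PSProvider etc. are not values
            New-AutostartRecord -Source $k -Name $p.Name -Launch ([string]$p.Value)
        }
    }
    # 2. Enabled scheduled tasks with an Exec action (COM-handler actions are skipped here).
    foreach ($t in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($a in $t.Actions) {
            if ($a.Execute) {
                New-AutostartRecord -Source "Task:$($t.TaskPath)" -Name $t.TaskName `
                                    -Launch ("$($a.Execute) $($a.Arguments)".Trim())
            }
        }
    }
    # 3. Auto-start services, by the path the Service Control Manager will launch.
    foreach ($s in Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto') {
        New-AutostartRecord -Source 'Service' -Name $s.Name -Launch $s.PathName
    }
    # 4. Permanent WMI event consumers: persistence that lives in the WMI
    # repository rather than under any Run location or on disk as a file of its own.
    $ns = 'root\subscription'
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) {
        New-AutostartRecord -Source 'WMI:CommandLineEventConsumer' -Name $c.Name -Launch $c.CommandLineTemplate
    }
    foreach ($c in Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue) {
        $launch = if ($c.ScriptFileName) { $c.ScriptFileName }
                  else { "<inline $($c.ScriptingEngine) script, $($c.ScriptText.Length) chars>" }
        New-AutostartRecord -Source 'WMI:ActiveScriptEventConsumer' -Name $c.Name -Launch $launch
    }
}

Get-AutostartEntries |
    Sort-Object @{ Expression = 'Suspicious'; Descending = $true }, Source |
    Format-Table -AutoSize Suspicious, Source, Name, Signature, Target
```

Two things to look at in the output that a GUI list does not make obvious: a "Target" that differs from what the "Launch" string appears to name (the resolver found a .com or a copy earlier in PATH), and a "NoFile" entry whose launch string nonetheless looks like a real path (an unquoted path with spaces, or an image that only appears after a later stage drops it). Any permanent WMI script consumer on a home workstation deserves a look regardless of the heuristics.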
     
  12. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
Thank you @cruelsister for your quick test. I guess that I will have to switch to full scan mode with Avira (which as you said takes forever). I always thought that quick scan would check locations where malware is usually present. I guess I was wrong.

Thanks @itman also. Those evasion techniques look interesting. There are a lot of ways to run code on a Windows system; it seems hard to cover them all.
     
  13. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Huh? I just don't get this. How can your "take" be about a machine that "may, or may not have security installed" when the author clearly states the article is about a machine, that "gets infected before you’re able to install security programs"?

    Did the author say after security is installed? No! Did she say it may be after security is installed? No! She specifically said, "before you're able to install security programs".

    That's pretty clear - before you're able to install security programs does NOT suggest security may be installed!

    We as readers don't get to change the meaning and context of - especially of non-fictional technical articles (or another poster's comments :() just because we want them to say or mean something else.

    Again, does the article contain some good information? Yes. Is it spam? No. I never said it was. However, does it have an ulterior motive of promoting their products? Yes, but I never criticized it for that either. In fact such marketing "campaigns" are common and widely expected in blogs hosted by product makers. BUT to that, it is widely accepted and understood (or should be understood anyway), that there is or could be at least "the appearance" of some bias in the article. Though I am not suggesting there is in this case.

Unlike others in this thread, I am not going to claim Brummelchen said something he didn't. But what I am "guessing" he meant when he said "spam" was the article (or notice of the article) likely came from an email sent out by Emsisoft. If one has not subscribed to receive such emails, that could easily be considered as spam.

    This is not about Emsisoft. I never said I disliked Emsisoft. Nor did I ever say the article was without use.

    ****

    Frankly, IMO there are already millions of excellent malware removal articles out there. There are sites and forums and experts dedicated to malware removal. We don't need any more. What we need is more education on malware prevention. Something I do, BTW, for my clients so they never need the services of a malware removal program or expert.
     
  14. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Very first thing I install and use is Macrium Reflect. Once I have an image, remediation isn't a problem. Also I take hourly incrementals which to me is better than any clean up.
     
  16. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    Hourly seems excessive unless you have critical data that is added or modified that often (as might be on a busy file server). I do daily incrementals but even that is probably excessive - for me anyway. That said, too many backups is much much better than none at all - which sadly is still too often the case. :(

    But yeah, an early image is a great policy - and I like Reflect for that too. But in reality, I don't do it as a precaution for malware infestation - but hardware failure. This is because it is typical for electronics, IF it is going to fail prematurely, to fail within the first 72 hours of use. That's why all electronics, especially computers, used to go through "burn-in" periods at the factory before being shipped. But today, electronics hardware is so reliable, and premature failure rates are so low, conducting such burn-in tests is just not economically, or logistically feasible.
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    I agree @Peter2150 and also prefer detect and restore procedure over detect and clean. But sometimes that is not an option and in that cases knowing how to clean a system can come in handy.
     
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Hourly might be excessive, but it costs nothing. Those incrementals take on average 12-15 seconds and occupy so little space, why not. Once or twice they have saved my bacon so I just let them run.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Overall, restoration via image backup is the fastest and most effective means to eliminate a malware incident. The downside to it is you have to know with certainty when the infection occurred.

In multi-stage advanced attacks we are seeing more and more of these days, a backdoor for example could have been set days, weeks, months, and in some cases years prior to being activated to be used in the payload delivery attack. So overall, detailed forensic analysis needs to be performed after any malware attack to ensure all its components are fully removed.
     
  20. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
Right. Detect and restore is fine, if you know how far back to go to be clean again. And that can be a problem as some malware behave like sleeper agents - totally dormant for weeks, months or longer, just sitting there until some event activates them. If you don't know exactly when the code came to rest on your system, you could easily restore the malware back on.

So again, I think such backups are great for hardware problems, accidental deletes, or some file corruption, but not necessarily for malware unless you know exactly when you became infected. But still, I think the better idea is prevention in the first place. And IMO, that is not hard to achieve. Keep Windows and your anti-malware solution current, don't be click-happy, and odds are greatly stacked in your favor - especially if you sit behind a router - even a basic router. Bad guys are lazy opportunists. Unless they are specifically out to get you personally, if they see any resistance or barriers, they are going to move on to easier pickings. Most are like car thieves trolling parking lots looking for unlocked cars with keys left in the ignition. If the doors are locked and no keys in sight, they move on to the next car.
    Whatever works, I'm for it. And yeah, that's the beauty of incrementals. If a file does not change, no need to back it up again.
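One practical way to narrow "how far back to go" before rolling back, added here as an example that is not from any poster and not Macrium's own tooling: mount an image as a drive letter (Macrium Reflect can browse an image this way; the letter M: below is an assumption) and compare a directory on the live system with the same directory inside the image. Files present or changed on the live system but absent from the image arrived after that image was taken. Windows PowerShell 5.1; run elevated if you compare system directories.

```powershell
# Added example, not from the original thread or from Macrium. Read-only.
function Compare-DirectoryToImage {
    param(
        [Parameter(Mandatory)][string]$LivePath,   # e.g. C:\Users\alice\AppData\Roaming
        [Parameter(Mandatory)][string]$ImageRoot,  # e.g. M:\  (mounted image of C:)
        # Only executable content is hashed; widen the list if the case needs it.
        [string[]]$Extensions = @('.exe', '.dll', '.ps1', '.vbs', '.js', '.hta', '.bat', '.cmd', '.scr', '.com')
    )
    # Map the live path onto the image: C:\foo\bar -> M:\foo\bar
    $rel       = $LivePath -replace '^[A-Za-z]:\\', ''
    $imagePath = Join-Path $ImageRoot $rel

    # Index the image side once: relative path -> SHA-256.
    $imageIndex = @{}
    if (Test-Path -LiteralPath $imagePath) {
        Get-ChildItem -LiteralPath $imagePath -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $Extensions -contains $_.Extension.ToLower() } |
            ForEach-Object {
                $key = $_.FullName.Substring($imagePath.Length).TrimStart('\').ToLower()
                $imageIndex[$key] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
    }

    # Walk the live side and report what the image does not account for.
    Get-ChildItem -LiteralPath $LivePath -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $key      = $_.FullName.Substring($LivePath.Length).TrimStart('\').ToLower()
            $liveHash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $status   = if (-not $imageIndex.ContainsKey($key)) { 'NewSinceImage' }
                        elseif ($imageIndex[$key] -ne $liveHash)  { 'ChangedSinceImage' }
                        else { $null }
            if ($status) {
                [pscustomobject]@{
                    Status   = $status
                    File     = $_.FullName
                    Created  = $_.CreationTime     # NTFS times can be forged; a hint, not proof
                    Modified = $_.LastWriteTime
                    SHA256   = $liveHash
                    Signed   = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                }
            }
        }
}

# Usage with the assumed mount point M: and the current user's roaming profile,
# where most droppers land; repeat for $env:LOCALAPPDATA, $env:ProgramData and
# the system directories as the case requires.
if (Test-Path 'M:\') {
    Compare-DirectoryToImage -LivePath $env:APPDATA -ImageRoot 'M:\' |
        Sort-Object Created |
        Format-Table -AutoSize Status, Created, Signed, File
} else {
    Write-Warning 'Mount the backup image as a drive letter first, then re-run.'
}
```

The comparison answers one question only: whether the artifacts you can see today were already inside a given image. If they were, step back to an older image and compare again. It cannot show a backdoor that was already present and dormant in every image you have, which is itman's point above, so a clean comparison narrows the choice of restore point without proving that point clean.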
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
In another forum I frequent, there have been multiple incidents where corp. endpoint users were infected by the same malware after successful and complete removal. Why? Because the sys admins didn't follow recommended advice on properly securing and locking down their servers. So it is not just the average end user to find fault with, and whose actions are at least understandable. But for corp. sys admins, there is no such excuse other than pure incompetence and negligence.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
I had one situation where something happened, not really sure what. But I just kept going back on the hourlies until I could tell I was good, and left that restore intact. Beauty of Macrium is the restores are just as fast as the images.
     
  23. Bill_Bright

    Bill_Bright Registered Member

    Joined:
    Jun 29, 2007
    Posts:
    4,042
    Location:
    Nebraska, USA
    But, sadly user (or in this case, admin) error is almost always the case, which I said way above when I noted more and more Linux/UNIX based organizational/corporate servers are being targeted by the bad guys - they know there are a bunch of lazy sysadmins, and clueless Chief Information and Chief Security Officers out there. :(

Look at the Equifax hack from last year where nearly 150 million people had their most sensitive personal information stolen. The software developers identified the vulnerability and released a patch several months before the breach, but neither system admin nor system security people did anything about it. IMO, that is criminal negligence! And to make matters worse, those people (which included me! :mad:) are not customers or clients of Equifax. We did not sign up or join their site voluntarily. We did not provide that personal information to them. We had no opportunities to opt out of anything.

To add insult to injury, none of that personal information was encrypted! :mad::mad::mad: That makes no sense to me. And sadly, much of this data is information that really does not expire. So in 10, or 15 years, the bad guys can use it to open up accounts. Yeah, we can change our driver's license number or get a new Social Security Number. But there are always links back to your old numbers. Same with addresses. And of course, we cannot change our birth dates.
     
  24. Iangh

    Iangh Registered Member

    Joined:
    Jul 13, 2005
    Posts:
    849
    Location:
    Melbourne, Australia
Because that's what I read. Everything is an interpretation is what I have learnt. Some people agree with me, others see something else. I accept that. It's not life or death so I'm not going to get excited about you seeing a focus on 'before' - you're not attacking my democratic principles and threatening to make me a serf.:thumb: I'm not the only one seeing what I wrote. You have made your point clear and I accept it, as it's no skin off my nose. I did not write my comments to have a go at anybody; I was intrigued by the different interpretations and read it to see what I made of it. It turned out to be a very interesting article for a noob like me, and I directed my comments to 'before or after' and to whether it was a marketing play. I entered the debate with an opinion praising the article for what it is: a nice piece of general knowledge for those with a limited security knowledge.
     
  25. guest

    guest Guest

Anyway, I don't see the importance of being infected before or after; you are still infected.
Being infected before may just hamper the installation of an AV; apart from that, no difference.
     