Over the past several years I’ve had to clean malware from many PCs for friends and acquaintances. This used to be rather trivial at first, but has grown into a huge, complex undertaking as time has progressed, with some cleanings taking several days. The reason for this is two-fold. First, malware writers have gotten much more clever and now put together software that is difficult to impossible to remove. Secondly, attack vectors are much more ubiquitous. At one point in time only ‘naughty’ computer users, those who trafficked in illegal software or pornography, got horrible malware infections, but now the attacks are much more subtle. Even though I consider myself somewhat wise in the area of computer security, I’ve seen a few phishing-type emails that I’ve almost fallen for, and that’s to say nothing of the virus writers who infect normally safe web sites with their malicious code.
Typically when I get an infected machine it either has no anti-virus package, or it has the original demo of an anti-virus package that came with the computer and is now three years out of date. Needless to say, the best thing that you can do to protect your computer is to have an anti-virus package installed and up to date. I know they are overpriced packages of dreadful software that slow down your computer, but the cure is still better than the disease. It’s worth pointing out as well that many ISPs now offer a free anti-virus package for their customers to use.
Anyway, since the infected PCs I get have no anti-virus installed, and typically you cannot install much of anything on an actively infected system, the system needs to be manually cleaned to the point of making it operational. What usually makes this easier is having an operational computer available to do web searches and other work on. First, I reboot in Safe mode (press F8 just before XP boots). If possible, I’ll just use a ‘system restore point’ (you’re prompted about doing so when rebooting in Safe mode), but this is only possible if you know the approximate time range of the infection (also, any apps installed after the restore point will be removed). If that’s not possible, and this is where it gets more painful, I first manually clean out the ‘Run’ key of the Windows registry while making a note of what files are listed there. More often than not I find myself doing web searches on some files to see if they are legit or not. If they are not legit, I’ll make a note of those malware packages and what other files they rely on so that I can hunt them down in the system. What I have found to be most effective in dealing with malware files is replacing them with an empty read-only file of the same name. This way, if the virus tries to recreate itself it will have trouble doing so.
So for instance, if a piece of malware has two files named ‘PS1.exe’ and ‘winsysrun.exe’, I delete those two files and copy in a blank text document under each of those same names. This will confuse/corrupt most malware, particularly if the new files cannot be written to. To better ensure this I will (on systems not running XP Pro) use a painful program called ‘cacls’ (or the related, very slightly less painful ‘fileacl’) to remove all access rights to the file. The main problem with this whole procedure is that there are typically MANY file names, so I’ll wind up creating a custom batch file to do most of the heavy lifting. I’ll do this one of two ways (or both). On my extra, operational computer, I will download a list of files associated with the malware from an anti-virus site and plug those into a batch file, and/or I will get a directory listing by date of the \windows\system32 directory, where many virus files can be found. To aid in that search I’ll add the ‘company’ item to the columns in the detail view of the directory so that I can determine which date groupings to look for. Any files that do not have a company listed should be viewed with suspicion and ‘googled’.
Once I have my lists of files I’ll then either manually copy in my ‘del’ and ‘copy’ commands (and ‘cacls’ and/or ‘attrib’), use search-and-replace methods (adding a comma where I want my commands to go and then search/replacing the easier-to-type comma with the commands that I want), or, as I did in one extreme case, compile the list into Excel, add the commands in columns, export it as a CSV, and just search/replace the commas with spaces.
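A batch file that does the del / copy / attrib / cacls work described above in one pass, reading the file names from a list instead of pasting commands around each one. It is an added example, not the post’s own script; badfiles.txt (one file name per line, kept next to the batch file) is an assumed name, and PS1.exe and winsysrun.exe are the post’s illustrative names.

```batch
@echo off
rem Added example (not from the original post). For each malware file name
rem listed in badfiles.txt (assumed name; one name per line, e.g. PS1.exe and
rem winsysrun.exe) under \windows\system32: delete the file, put an empty file
rem in its place, mark it read-only, and use cacls to strip all access so the
rem malware cannot rewrite it. Run from Safe Mode as an administrator.
setlocal
set "TARGETDIR=%SystemRoot%\system32"
set "LISTFILE=%~dp0badfiles.txt"

if not exist "%LISTFILE%" (
    echo List file "%LISTFILE%" not found.
    exit /b 1
)

rem blank lines and lines starting with ; are skipped by for /f, so the list
rem can carry comments noting which malware package each name belongs to
for /f "usebackq delims=" %%F in ("%LISTFILE%") do call :neutralise "%TARGETDIR%\%%F"
endlocal
exit /b 0

:neutralise
rem %1 is the full path of the file to replace
if exist "%~1" (
    rem clear read-only/system/hidden so del can remove it
    attrib -r -s -h "%~1"
    del /f /q "%~1"
)
rem create an empty placeholder with the same name
type nul > "%~1"
rem mark it read-only
attrib +r "%~1"
rem replace the ACL with "no access" for Everyone; echo y answers the
rem "Are you sure (Y/N)?" prompt that cacls /p asks
echo y| cacls "%~1" /p Everyone:N
echo Replaced %~1
exit /b 0
```

With Everyone:N even the administrator account loses access to the placeholder, so take ownership of the file first if you later need to remove it.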
At this point the viruses on the PC will typically be disabled enough that the computer can be booted up and an anti-virus package installed to clean off the system. Typically you will want to do this with the computer NOT hooked to the Internet, so that usually means porting the virus signature updates from the clean computer over to the ‘dirty’ computer via, ideally, CD media (as non-read-only USB sticks can become infection vectors themselves). I’ll often put the computer through two full scans of at least one package and a third scan through a different package just to verify its integrity (such as free web-based scanners from Panda or even Adaware).
On a final note, if a computer has ‘root kit’ malware installed, this means that portions of the OS itself have been replaced with malicious files. Detecting this software is difficult to say the least, and cleaning it off is virtually impossible. The only real resolution for a root kit infection is to format the drive. This makes it all the more important to get a system restore disk of some sort from the manufacturer. Unfortunately a fair portion of the malware I have seen recently has been of this sort, and the computers I have worked on that were in this state were ‘uncleanable’.