A way to fix bad malware problems with Windows without having to reinstall most programs
#1
Posted 10 May 2011 - 12:39 AM
I booted with various rescue disks and scanned it every which way but couldn't eradicate everything. There was still something doing random redirects from search sites.
My solution: I connected a second hard drive and installed her XP Pro to it (editing boot.ini so I could choose which install), then updated it with everything possible. Then I booted with a CD and copied D:\windows to C:\windows. I also deleted the folders for Firefox and Google Chrome (of course saving copies of the bookmarks).
Upon rebooting to C: I had to reinstall the video driver; for some reason it came up in 16 color mode. Reinstalled Firefox and Chrome, and every other app that was installed still worked. I ran CCleaner to clean up the Registry, then NTREGOPT (reduced the Registry size nearly 25%!), and it ran great, much quicker than it had when loaded down with malware and a bloated Registry. A scan with Malware Bytes, Spybot S&D and Avast 6 each found a few now-orphaned and unprotected nasty files to delete.
As long as the malware is only in Windows files from Microsoft and not hiding out in NTUSER.DAT, this should cure it without the inconvenience of having to take the drastic measure of "nuke and pave" with a fresh reinstall of everything. It also leaves Documents and Settings untouched. (Should probably create exact copies of all existing user names before copying the new Windows folder.)
If the malware is hiding in non-windows files and being launched from commands in NTUSER.DAT, then replacing that file with one from the clean install (I used the exact same user name as the original install) should stop it but apps would have to be reinstalled.
I'm moving this to the top of my list for working on @#%@^#'ed up PCs, it'll save tons of time on scanners that don't find and remove everything, especially the ever changing "vundo" family of malware. It worked better than installing Windows 95 over itself, which would always fix any intractable problem, at the cost of having to reinstall every app.
I have yet to try this on Vista or 7, the majority of my work is still with XP.
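The copy-over in the post, reduced to its file-level semantics, as an added Python illustration (not the author's procedure or any tool from the thread; the temp directories standing in for D:\windows and C:\windows and their contents are constructed): every file from the clean tree overwrites its counterpart in the target, and whatever remains because the clean install never had it is exactly the set of "now-orphaned" files the scanners caught afterwards. `mirror=True` deletes those extras instead, comparable to a mirror copy, which is only safe once you can tell drop-ins from legitimate third-party drivers that also live under Windows.

```python
import os
import shutil
import tempfile
from pathlib import Path


def overlay_tree(clean_root, target_root, mirror=False):
    """Copy every file under clean_root over the same relative path under
    target_root, creating directories as needed.  Returns the sorted list of
    relative paths that exist only in target_root (the "orphans").  With
    mirror=True those orphans are deleted as well (a mirror copy)."""
    clean_root = Path(clean_root)
    target_root = Path(target_root)
    clean_files = set()
    for path in clean_root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(clean_root)
            clean_files.add(rel)
            dest = target_root / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)  # overwrites the (possibly tampered) file
    orphans = sorted(
        str(p.relative_to(target_root)).replace(os.sep, "/")
        for p in target_root.rglob("*")
        if p.is_file() and p.relative_to(target_root) not in clean_files
    )
    if mirror:
        for rel in orphans:
            (target_root / rel).unlink()
    return orphans


def build_demo_trees(base):
    """Constructed stand-ins: D_windows is the fresh install, C_windows the
    infested one with one patched system file and one dropped driver."""
    base = Path(base)
    clean = base / "D_windows"
    infected = base / "C_windows"
    files = {
        clean / "system32" / "kernel32.dll": b"clean kernel32",
        clean / "explorer.exe": b"clean explorer",
        infected / "system32" / "kernel32.dll": b"PATCHED kernel32",
        infected / "explorer.exe": b"clean explorer",
        # hypothetical dropped driver: not part of any clean install
        infected / "system32" / "drivers" / "xyz.sys": b"dropped driver",
        infected / "Temp" / "note.txt": b"harmless leftover",
    }
    for path, data in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return clean, infected


def run_demo(mirror=False):
    """Returns (orphans reported, patched file restored?, dropped driver still present?)."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, infected = build_demo_trees(tmp)
        orphans = overlay_tree(clean, infected, mirror=mirror)
        kernel_ok = (infected / "system32" / "kernel32.dll").read_bytes() == b"clean kernel32"
        driver_remains = (infected / "system32" / "drivers" / "xyz.sys").exists()
        return orphans, kernel_ok, driver_remains


if __name__ == "__main__":
    print(run_demo())              # plain overlay: orphans stay behind
    print(run_demo(mirror=True))   # mirror: orphans removed
```

The example ignores everything that makes the real copy awkward: files held open by the running system (the reason the post boots from a CD), NTFS ACLs and the profile hives outside the Windows folder. It only shows why a straight copy-over fixes tampered Microsoft files but leaves the dropped ones in place for a scanner to find.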
#3
Posted 10 May 2011 - 08:07 AM
#4
Posted 11 May 2011 - 02:51 AM
Something I've been experiencing recently on infested PCs is malware that can protect itself from plug pulling, and that doesn't foul things up to the point where the system won't boot because the malware didn't have a chance to replace bad critical files with good ones during a normal shutdown.
Yanking the plug then connecting the drive to a clean system or booting it with a CD with scanners, or even just going in and manually deleting the files the malware couldn't delete as it hid during shutdown used to be a nearly 100% successful treatment. Then came the malware which replaced some critical files during boot, and put the originals back during shutdown to hide from offline scanning. Plug pulling on those made Windows unbootable yet a repair install wouldn't eradicate the malware. It'd get it booting but still infested.
I doubt there can be a way for malware to survive a direct copy over of the entire Windows directory tree by a squeaky clean and fully updated install, other than through an NTUSER.DAT infection that would launch a non-Windows/Microsoft provided file to re-infest the rest of the Registry and some Windows files. 'Course that can be fixed by copying over the NTUSER.DAT file(s) and *sigh* reinstalling all the applications.
Oh, rootkits, rootkits and ye olde bootsector viruses could survive such measures, but I've found those generally much easier to get rid of.
#5
Posted 14 May 2011 - 10:47 AM
#6
Posted 17 May 2011 - 05:30 PM
#7
Posted 18 December 2011 - 12:45 PM
http://www.ultimatebootcd.com/
On version 5.0.3 Vivard is under:
HDD->Diagnosis->Vivard, at the end of the available programs.
Obviously I boot Vivard from the UBCD, so the whole drive can be erased.
In this case this might not be a suitable option, since it wipes the whole drive, but you might find it useful at other times.
Jed
#8
Posted 26 December 2011 - 03:02 PM
Tripredacus, on 10 May 2011 - 08:07 AM, said:
Tripredacus,
I just stumbled on this thread and found your reference to the "setacl trick." I found SetACL on the Web, but didn't come across anything that suggested what this "trick" might be. Can you elaborate?
Thanks! Oh, and BTW -- Merry (belated) Christmas and Happy New Year!
--JorgeA
#9
Posted 27 December 2011 - 10:03 AM
#10
Posted 27 December 2011 - 06:33 PM
Some I've encountered appear to replace some critical system files during boot, and put the real ones back during shutdown. That foils offline scans. What I haven't figured out is how/where they hide the commands to do the swap during boot. The first one of those I ran into didn't have the scheme perfected because pulling the power cord got it into a no-boot situation so I had to do a repair install of XP. What was rather amazing about that was the repair install did not eradicate the malware.
Much of these malware tricks would not be possible if the Safe Mode of 2000, XP and later was more like the Safe Mode of Win9x where *everything* is locked down and cannot be changed. Safe Mode should be a self-repairing setup where all the files used to run it are checked multiple ways for corruption and automatically replaced if they are.
It should be possible to have Safe Mode actually be safe. Microsoft just hasn't bothered to do it.
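One way to catch the boot-time swap described in posts #4 and #10 without knowing where the swap command hides: hash the same critical files once from the running system and once from a rescue disk, and compare the two manifests. A file that differs between the two views is the swapped one, whatever each scan said on its own. Added Python example, not from the thread; the watch list and the two constructed directories that stand in for the "online" and "offline" views of the same volume are assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical watch list of files a boot-time swap would plausibly target.
WATCH_LIST = [
    "system32/ntoskrnl.exe",
    "system32/winlogon.exe",
    "system32/drivers/atapi.sys",
    "system32/userinit.exe",
]


def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, watch_list=WATCH_LIST):
    """Map each watched relative path to its SHA-256, or None if absent."""
    root = Path(root)
    return {rel: (hash_file(root / rel) if (root / rel).is_file() else None)
            for rel in watch_list}


def save_manifest(manifest, path):
    # Written to removable media so the offline pass can read it later.
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def diff_manifests(online, offline):
    """Relative paths whose content differs between the running-system view and
    the rescue-disk view of the same volume.  Identical hashes prove nothing on
    their own; a difference on a file that is not meant to change is the swap."""
    return sorted(rel for rel in set(online) | set(offline)
                  if online.get(rel) != offline.get(rel))


def _write(root, rel, data):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def run_demo():
    """Constructed data: 'offline' is the volume as a rescue disk sees it after
    a normal shutdown; 'online' is the same volume while Windows runs, with
    winlogon.exe swapped for a trojanised copy."""
    with tempfile.TemporaryDirectory() as tmp:
        offline_root = Path(tmp) / "offline"
        online_root = Path(tmp) / "online"
        for root in (offline_root, online_root):
            _write(root, "system32/ntoskrnl.exe", b"genuine ntoskrnl")
            _write(root, "system32/drivers/atapi.sys", b"genuine atapi")
            _write(root, "system32/userinit.exe", b"genuine userinit")
        _write(offline_root, "system32/winlogon.exe", b"genuine winlogon")
        _write(online_root, "system32/winlogon.exe", b"TROJANISED winlogon")
        online_path = Path(tmp) / "online.json"
        offline_path = Path(tmp) / "offline.json"
        save_manifest(build_manifest(online_root), online_path)
        save_manifest(build_manifest(offline_root), offline_path)
        return diff_manifests(load_manifest(online_path), load_manifest(offline_path))


if __name__ == "__main__":
    print(run_demo())
```

In practice the online manifest should be produced by a tool that is not itself loaded from the suspect disk (run it from a CD or USB stick), and the offline one from the rescue disk with the volume mounted read-only. A kernel-mode rootkit that filters reads on the live system also shows up as a mismatch, which is the useful property here: the comparison does not need to trust either view, only to notice that they disagree.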
#11
Posted 27 December 2011 - 10:55 PM
Tripredacus, on 27 December 2011 - 10:03 AM, said:
Thanks, Tripredacus. Looks like I've got some homework to do.
--JorgeA
P.S. I just saw that with my 500th post, I ascended to the lofty title of "Senior Member."
#12
Posted 28 December 2011 - 06:25 AM
JedClampett, on 18 December 2011 - 12:45 PM, said:
It's a waste of a few hours.
What your install cd can see, and what your soon-to-be OS can see, and what any booted OS will be able to see on your drive is the master boot record, possible malware in it, and any partition defined in it. Wiping the mbr (a few sectors) will make any defined partition invisible to any program other than programs specifically made to seek them, like data recovery thingies, which is not the aim of an install cd nor any malware (not that you're planning to get infected later anyway).
If the mbr is zeroed, it does not make any difference to the next booted OS if the drive is full of 1s or of 0s or anything. The drive is seen empty, nothing "possibly hidden to search for". Unless you boot with malware.
#13
Posted 29 December 2011 - 10:07 AM
Ponch, on 28 December 2011 - 06:25 AM, said:
Wiping the mbr (few sectors) will make any defined partition invisible to any program other than programs specifically made to seek them, like data recovery thingies, which is not the aim of an install cd nor any malware (not that you're planning to get infected later anyway).
If the mbr is zeroed, it does not make any difference to the next booted OS if the drive is full of 1s or of 0s or anything. The drive is seen empty, nothing "possibly hidden to search for". Unless you boot with malware.
Granted, yes. But I'm talking about wiping the whole drive from start to finish - sector by sector - not just the MBR. But this is only if I decide to do a fresh installation of Windows - IIRC the OP wanted to avoid this, and I'm following this thread with much interest. Thanks to all the others that have posted in this thread so far. Surely if the whole drive is wiped - then nothing can survive that?
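The two points in posts #12 and #13 in one added Python illustration (not from the thread; the 4 MiB disk image with a single NTFS-typed partition entry at LBA 63 and the marker written to that sector are constructed): zeroing sector 0 removes the partition table, so a parser that does what an installer or OS does sees an empty disk, yet the partition's first sector is still there for anything that seeks to it directly, and only the sector-by-sector wipe removes that.

```python
import os
import struct
import tempfile

SECTOR = 512
MBR_SIGNATURE = b"\x55\xaa"
ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, LBA count


def build_mbr(partitions):
    """partitions: list of (type_byte, lba_start, lba_count), at most four.
    Bootstrap code area (bytes 0..445) is left zeroed."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(partitions[:4]):
        off = 446 + 16 * i
        status = 0x80 if i == 0 else 0x00
        mbr[off:off + 16] = struct.pack(ENTRY, status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


def read_partitions(path):
    """What an OS or install CD does: trust sector 0, nothing else."""
    with open(path, "rb") as f:
        mbr = f.read(SECTOR)
    if mbr[510:512] != MBR_SIGNATURE:
        return []  # no valid MBR: the disk looks empty
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        _status, _chs0, ptype, _chs1, start, count = struct.unpack(ENTRY, mbr[off:off + 16])
        if ptype != 0 and count:
            parts.append((ptype, start, count))
    return parts


def read_sector(path, lba):
    """What a data-recovery tool does: ignore the table and read wherever it likes."""
    with open(path, "rb") as f:
        f.seek(lba * SECTOR)
        return f.read(SECTOR)


def zero_mbr(path):
    """Wipe only sector 0: partition table and bootstrap code."""
    with open(path, "r+b") as f:
        f.write(bytes(SECTOR))


def zero_whole_disk(path):
    """Wipe every sector, start to finish."""
    size = os.path.getsize(path)
    chunk = bytes(1 << 20)
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(len(chunk), remaining)
            f.write(chunk[:n])
            remaining -= n


def demo():
    """Returns (partitions before, partitions after MBR wipe,
    partition data readable after MBR wipe?, readable after full wipe?)."""
    marker = b"PARTITION DATA STILL HERE"  # constructed stand-in for the filesystem
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "disk.img")
        with open(img, "wb") as f:
            f.truncate(4 * 1024 * 1024)
        with open(img, "r+b") as f:
            f.write(build_mbr([(0x07, 63, 8000)]))  # type 0x07: NTFS/HPFS
            f.seek(63 * SECTOR)
            f.write(marker)
        before = read_partitions(img)
        zero_mbr(img)
        after_mbr_wipe = read_partitions(img)
        data_after_mbr_wipe = read_sector(img, 63).startswith(marker)
        zero_whole_disk(img)
        data_after_full_wipe = read_sector(img, 63).startswith(marker)
    return before, after_mbr_wipe, data_after_mbr_wipe, data_after_full_wipe


if __name__ == "__main__":
    print(demo())
```

Zeroing sector 0 also removes the bootstrap code, which is where a classic boot-sector virus lives, so for the "will the next install see anything" question the MBR wipe is enough; the full wipe is what you want when the old filesystem's contents must not be recoverable by anything that reads sectors directly.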
#14
Posted 30 December 2011 - 12:23 AM
In short that ain't never gonna happen ever. Much easier to post some banner ads to an unscrupulous or incompetently run website advertising provider and attempt "drive by" infestations.
There's a forum I used to frequent quite a bit until they went with an advertising provider who provided ads that attempted all kinds of nastiness. When informed of what was going on and what to do about it (dump their ad provider and find an honest one ASAP) they shut the site down and spent three days thoroughly checking their servers for contamination. Finding none they put the site back online *with the same malware spewing advert service*. The admins wanted logs etc to show to the ad provider. Yeah, sure, like anyone has time for logs and screen caps while their browser is being hijacked in an attempt to shanghai their PC in order to spread the disease and/or steal personal info. The ad service was crooked, dump it, find an honest one. Dead. Simple. Fix... which they spent months not doing.