
How to remove malware that re-creates itself

tianh, Registered User
Hello Tech Exam members!

I'd like to learn more and read up on how to remove adware/malware/viruses in a more in-depth manner. Currently I just run Malwarebytes, but I want to learn to remove/troubleshoot on a deeper level. Plus this topic will be asked in a future job interview that I have as well. Here is what the question is:

"Troubleshooting!!! Know how to troubleshoot and recognize malware! This is crucial and requires experience. For example, know about hash functions, how to read the checksum or MD5 hashes of files and how to remove malware that recreates itself and uses a different checksum every time it spreads (which makes it virtually impossible for an anti-virus program to catch the virus based on the definition file)"


Thank you for all your help!
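
The hash part of the interview question, as an added worked example that is not from any post in this thread: how to read a file's MD5/SHA-256, and why a definition that is nothing more than a whole-file hash stops matching the moment a self-copying sample changes a single byte of itself, while a definition built on the part of the file that cannot change still matches. The sample bytes are constructed stand-ins (a short code-looking stub and two strings), not real malware, and the "generations" are produced by appending a different junk tail each time.

```python
"""Whole-file hash vs. invariant-feature definitions for a self-copying sample.

Added example; not code from the thread above. PAYLOAD and the junk tail are
constructed stand-ins for an executable body, not real malware.
"""
import hashlib
import os
import tempfile

# Constructed invariant region: the bytes that do the work, so they cannot
# change between copies without breaking the sample. The strings are the sort
# of thing you would spot in Process Explorer's Strings tab.
PAYLOAD = b"\x55\x8b\xec\x83\xec\x10" + b"CreateRemoteThread\x00" + b"svchost.exe\x00"


def make_generation(seed: int) -> bytes:
    """One 'generation' of the sample: same payload, different junk tail.

    A single changed byte anywhere in the file changes every whole-file hash,
    which is exactly how a sample ends up with a new checksum per copy."""
    junk_tail = hashlib.sha256(seed.to_bytes(4, "little")).digest()
    return PAYLOAD + junk_tail


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Read a file's MD5 and SHA-256 in chunks (large files need not fit in RAM).

    Compare the result against a vendor's published hash or a sandbox report."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


# Definition style 1: a whole-file hash, as a definition file stores for a
# sample that was submitted once. It matches only that byte-for-byte copy.
def matches_hash_definition(data: bytes, known_bad_sha256: set) -> bool:
    return hashlib.sha256(data).hexdigest() in known_bad_sha256


# Definition style 2: a byte pattern taken from the invariant region.
SIGNATURE = b"CreateRemoteThread\x00svchost.exe\x00"


def matches_pattern_definition(data: bytes) -> bool:
    return SIGNATURE in data


# Definition style 3: hash only the invariant prefix instead of the whole file.
def prefix_sha256(data: bytes, length: int = len(PAYLOAD)) -> str:
    return hashlib.sha256(data[:length]).hexdigest()


def demo() -> dict:
    """Compare two generations under each definition style; results returned
    as a dict so they can be checked rather than only printed."""
    gen0, gen1 = make_generation(0), make_generation(1)

    # Write generation 1 to a temp file to exercise the chunked file hasher.
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(gen1)
        on_disk = hash_file(path)
    finally:
        os.unlink(path)

    # The definition file only ever saw generation 0.
    known_bad = {hashlib.sha256(gen0).hexdigest()}

    return {
        "whole_file_hashes_differ": hashlib.sha256(gen0).hexdigest()
        != hashlib.sha256(gen1).hexdigest(),
        "file_hasher_agrees": on_disk["sha256"] == hashlib.sha256(gen1).hexdigest(),
        "hash_def_catches_gen0": matches_hash_definition(gen0, known_bad),
        "hash_def_catches_gen1": matches_hash_definition(gen1, known_bad),
        "pattern_def_catches_gen1": matches_pattern_definition(gen1),
        "prefix_hash_stable": prefix_sha256(gen0) == prefix_sha256(gen1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The caveat a practitioner would add: definition styles 2 and 3 only hold while the payload itself stays constant. A sample that encrypts or repacks its payload per copy defeats them too, and at that point you are left with behaviour (what it writes to disk, which autorun keys it creates, what its process tree looks like), which is what the Process Explorer and Autoruns steps later in this thread are looking at.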

Comments

  • GreaterNinja, Member
    Removing malware is definitely possible; however, it can be very time consuming. Usually I'll just pull the hard drive, reimage a new hard drive and then migrate the data back onto the new HD: My Documents, Favorites, Desktop, Lotus Notes, Outlook data, etc. Using Malwarebytes, Spybot S&D, CCleaner, etc. does not always remove the malware. Usually once a computer gets malware, it's on that computer like herpes... it never goes away.
  • MTciscoguy, Member
    One of the things I used to learn how to get rid of malware was to learn how to write it. If you understand how it infects and propagates, it is much easier to learn how to disinfect and get rid of it; in other words, learn how to hack and infect, then learn how to disinfect. I always have a small isolated network set up with a couple of computers that I can infect and disinfect so I can figure out what is going on. I learned this many years ago, when I lived in OR before I went into the military; some of the friends I had were the original group that started Norton, and I was also good friends with a lot of people who worked at Intel in Hillsboro, OR.
    Current Lab: 4 C2950 WS, 1 C2950G EI, 3 1841, 2 2503, Various Modules, Parts and Pieces. Dell Power Edge 1850, Dell Power Edge 1950.
  • Priston, Member
    If running a scan on your antivirus, Malwarebytes, SUPERAntiSpyware, Spybot S&D, and Ad-Aware in Safe Mode doesn't work, a rescue disk will usually do the trick: https://www.avast.com/en-us/faq.php?article=AVKB114#articleContent

    Of course, when viruses infect important system files and the software you're using can't repair them, deleting them might not always have the outcome you're looking for.
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • markulous, Member
    It really depends. For something like this I would go to Safe Mode and immediately run RKill, hoping that gets rid of any root-level access that is causing the spreading. From there I usually go AdwCleaner --> RogueKiller --> ComboFix. ComboFix can be a little aggressive, so I save that for last if the others can't get rid of it.

    If I can get more info about the specific malware, I'll try to do a little research on it too and see if anyone has any other recommendations or if there's an AV vendor that's already come out with a fix for this.

    This is why it's important for companies to have backup services. Because after the above has been done, it's probably been over an hour and they usually don't want to spend much more time on it if they don't have to, especially if it's an MSP doing the work and they are being billed hourly. At that point it'd be better just to reimage the machine and restore their data.

    BTW, I am not a big fan of Malwarebytes. It's usually decent for adware and really light malware, but beyond that it doesn't seem to detect a lot of malware and/or get rid of it.
  • Deathmage, Banned
    Here is a checklist I created of the things I did when I worked at Geek Squad and then perfected further when I had my own IT consulting company:

    Virus Removal Guide - I.T.HINK ...So you don't have too...

    My friends ask me all the time what I do to clean their PCs so well. :)
  • mrhaun03, Member
    Agreed, RogueKiller and ComboFix have always worked well for me.
    Working on Linux+
  • tianh, Registered User
    Thank you to everyone who replied to this thread! It was very helpful. What about the part of the topic question that mentions learning how to read hash functions, checksums and MD5?
  • Hondabuff, Member
    Always, always, always, always boot in Safe Mode with Networking first. Install Malwarebytes and run it. Run CCleaner and also use the registry cleaner. Run TFC by OldTimer. Reboot the computer under the user's account and run Malwarebytes again. If it comes back clean then you're good to go. This works 99.9% of the time on the 4,000 computers we managed in our enterprise environment. If the computer was still acting up, then we pull the HD, reimage the computer with a new HD and then restore the data with a USB 3 SATA dock. The whole process to reimage is under 1 hr to get it back to the user. We have had desktop guys waste 2 days fighting an infection on a machine. If you're doing friends' or family's machines you obviously can't reimage, but these steps work every time. The key is to get Malwarebytes on the machine so when you start the computer in normal mode it will catch the startup DLL files and replication extensions. Malwarebytes Chameleon works well on rootkits.
    “The problem with quotes on the Internet is that you can’t always be sure of their authenticity.” ~Abraham Lincoln
  • Verities, Member
    Deathmage wrote: »
    Here is a checklist I created of the things I did when I worked at Geek Squad and then perfected further when I had my own IT consulting company:

    Virus Removal Guide - I.T.HINK ...So you don't have too...

    My friends ask me all the time what I do to clean their PCs so well. :)

    +1 - I used a similar list. I recommend adding RKill to your steps. The .com file can be run if .exe files get hijacked; that is usually the first tool I used to initially shut down malware tasks while the computer is running. I had to use it a lot with Windows XP when computers would get infected with something similar to ransomware, leaving the desktop locked, unable to navigate anywhere in the computer or run any .exe files.
  • Deathmage, Banned
    Verities wrote: »
    +1 - I used a similar list. I recommend adding RKill to your steps. The .com file can be run if .exe files get hijacked; that is usually the first tool I used to initially shut down malware tasks while the computer is running. I had to use it a lot with Windows XP when computers would get infected with something similar to ransomware, leaving the desktop locked, unable to navigate anywhere in the computer or run any .exe files.

    I'll add that to the list, always improving it. :)
  • mikeybinec, Member
    The best course of action I have viewed for several years is at this website:

    Windows BBS - Help and Support forum for Microsoft Windows. "A Wealth of Windows Knowledge".

    Go to the malware removal section. Broni does have a predictable pattern of tool use, except for the occasional ones that are tough.
    Cisco NetAcad Cuyamaca College
    A.S. LAN Management 2010 Grossmont College
    B.S. I.T. Management 2013 National University
  • netsysllc, Member
    On top of the things already mentioned, Autoruns, AdwCleaner, HitmanPro and ESET Online Scanner are very useful.
  • LionelTeo, Member
    The easiest way is to boot into Safe Mode and try System Restore first, to bring the PC back to a known good setting, and then reinstall the missing updates. Most sysadmins have a checklist and a way to quickly rebuild the system back to the latest updates.

    To learn more about the infection, you can use a cheat sheet like:
    https://zeltser.com/security-incident-survey-cheat-sheet/

    Intrusion Discovery Cheat Sheet
    https://www.sans.org/media/score/checklists/ID-Windows.pdf

    To clean the persistent malware:
    Pick up Process Explorer to check the strings, Autoruns to see where the watchdog file is, terminate the persistent malware with wmic, and then proceed to clean with HijackThis. Usually AdwCleaner does this for you.
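
The Autoruns step mentioned in this post and in netsysllc's reply above, as an added worked example that is not code from either poster: triage logic run over an Autoruns CSV export to pick out the entries worth a closer look, including the pattern where the same file is registered under more than one autorun location (one copy re-creating the other is what the "watchdog" remark refers to). The CSV below is constructed, the hashes are truncated placeholders, and the column names are my assumption of what an `autorunsc -c` export header looks like; check the header row of your own export before relying on them.

```python
"""Triage an Autoruns CSV export for startup entries that deserve a closer look.

Added example; not code from the thread. SAMPLE_CSV is constructed, the SHA-256
values are truncated placeholders, and the column names are assumed from an
'autorunsc -c' export; compare with the header row of a real export first.
"""
import csv
import io

SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Signer,Image Path,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,1111111111111111
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,WindowsUpdate,enabled,Logon,(Not verified),c:\users\bob\appdata\roaming\svchost.exe,abcdabcdabcdabcd
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,WinUpdateSvc,enabled,Logon,(Not verified),c:\programdata\winupd\svchost.exe,abcdabcdabcdabcd
Task Scheduler,\GoogleUpdateTaskMachineUA,enabled,Scheduled Tasks,(Verified) Google LLC,c:\program files (x86)\google\update\googleupdate.exe,2222222222222222
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,DesktopHelper,enabled,Logon,(Not verified),c:\users\bob\appdata\local\temp\dh.exe,ffffffffffffffff
"""

# Directories an ordinary user can write to; legitimate autoruns rarely live here.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Names of Windows binaries that malware likes to borrow for camouflage.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")


def triage(csv_text: str, known_bad_sha256: set = frozenset()) -> dict:
    """Return {entry name: [reasons]} for every autorun entry that trips a rule."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))

    # Which entries point at identical file content? Two autorun locations
    # launching the same bytes from different paths is the re-spawn pattern:
    # kill one copy and the other puts it back.
    by_hash = {}
    for row in rows:
        by_hash.setdefault(row["SHA-256"], []).append(row["Entry"])

    findings = {}
    for row in rows:
        path = row["Image Path"].lower()
        name = path.rsplit("\\", 1)[-1]
        reasons = []
        if any(marker in path for marker in USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        if not row["Signer"].startswith("(Verified)"):
            reasons.append("image is not signature-verified")
        if name in SYSTEM_BINARY_NAMES and not path.startswith(SYSTEM_DIRS):
            reasons.append(f"system binary name '{name}' outside a Windows directory")
        siblings = [e for e in by_hash[row["SHA-256"]] if e != row["Entry"]]
        if siblings:
            reasons.append("same file registered under other entries: " + ", ".join(siblings))
        if row["SHA-256"] in known_bad_sha256:
            reasons.append("hash matches a known-bad sample")
        if reasons:
            findings[row["Entry"]] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_CSV).items():
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

The "same file under other entries" rule is the one that matters for the thread's question: when two entries share a hash, terminate both processes before deleting either file, otherwise the survivor re-creates the one you removed. The known-bad-hash rule is deliberately last and optional, for the reason the original question gives: a sample that rewrites itself per copy will not match it, whereas the location and signer rules still fire.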
  • aash, Registered User
    tianh wrote: »
    Hello Tech Exam members!

    I'd like to learn more and read up on how to remove adware/malware/viruses in a more in-depth manner. Currently I just run Malwarebytes, but I want to learn to remove/troubleshoot on a deeper level. Plus this topic will be asked in a future job interview that I have as well. Here is what the question is:

    "Troubleshooting!!! Know how to troubleshoot and recognize malware! This is crucial and requires experience. For example, know about hash functions, how to read the checksum or MD5 hashes of files and how to remove malware that recreates itself and uses a different checksum every time it spreads (which makes it virtually impossible for an anti-virus program to catch the virus based on the definition file)"


    Thank you for all your help!

    Hello tianh, can you please get back to me or send me a private message? It's urgent.

    Thank You
  • tmtex, Member
    Reimage; it's faster than dealing with it.
  • TechGromit, Member
    My company's policy is to nuke the computer by formatting and reimaging. If you don't have backups of your files on the network, sucks to be you. If your files are in the My Documents folder and they are under 5 GB, they are automatically backed up to the network daily.
    Still searching for the corner in a round room.
  • Giv2, Member
    It was good to see methods other than the usual format or reimage. Thanks all.