Stop the Bleeding: First Aid for Malware!

AID: 5124

Status: Published

62890 points

Byyounghv
TypeBest Practices
Posted on2011-03-28 at 16:51:03

Awards

Community Pick
Experts Exchange Approved
Editor's Choice

The intent of this Article is to provide the basic First Aid steps for working through most malware infections. The target audience includes experienced IT professionals and the casual user who just wants to make the infection go away.

****************
For those familiar with basic “First Aid” principles, one of the first steps in a medical emergency is to “stop the bleeding”.

If you come upon an injured person, you don’t splint a broken leg first, right? You make sure air is flowing into the lungs, stop the bleeding, and then treat for shock.

After getting the basics out of the way you can then move on to address any other problems that exist.
*******************

Fighting Malware (http://en.wikipedia.org/wiki/Malware) must start with:

“Stop the Rogue Processes”

Most variants of malware will make your computer do something that you don’t want it doing. It might be a simple ‘re-direct’ problem; where you type in www.abc.com and your browser goes to www.xyz.com – not a big deal, right?

Well, maybe it is a very big deal. You didn’t end up at the web site you intended, and who knows what is waiting for you when to get to that re-directed site. It's not uncommon for malware to direct users to sites where they can pick up other "drive-by downloads" or even to install additional malware directly.

You might click on one of your favorite applications, but instead of “MS Word” opening up, totally different functions start happening.

Worse than annoying, some of these rogue processes/applications can be stealing information from your computer or allowing your computer to be used for improper/illegal acts.

Many of the current malware infections will prevent even the best scanner programs from running properly. Some can even recognize the executable name of these scanners when you try to install them on an infected computer - then prevent the installation or alter the results of the scan.

“The Rogue Stoppers”
Three known effective tools are:
1. RogueKiller - http://www.geekstogo.com/forum/files/file/413-roguekiller/
2. RKill - http://www.bleepingcomputer.com/download/anti-virus/rkill
3. TheKiller - http://maliprog.geekstogo.com/explorer.exe

At each of those links are additional instructions that you need to review carefully before using the tools. REMEMBER: it's best to access these via another computer, copy the file(s) to a CD (or - not preferred - a USB drive), and transport them for installation on the infected computer.

RogueKiller is discussed at the link given above and for more information about RKill, read the information here: http://www.bleepingcomputer.com/forums/topic308364.html

Of the three, I prefer RogueKiller because of the additional functions/fixes it provides after stopping the processes. "TheKiller" has had great reviews from some very high level anti-malware experts and has some automated functions that make cleaning up even easier.

**************

Continuing the treatment.

Once the rogue processes are stopped (DO NOT re-boot your computer), you can scan for malware with your favorite scanners.

My first scanner of choice is always Malwarebytes (MBAM) (http://www.malwarebytes.org/mbam.php)

The team of developers at Malwarebytes is among the most dedicated in the business and they update the scan (DAT) files several times a day.

When I download MBAM from the link above, I always use the Internet Explorer “Save As” function to rename the executable from “mbam-setup-xxxx.exe” to something like “mb.exe”. Some malware variants can recognize the actual executable file name and prevent it from installing or functioning correctly.

After you have installed Malwarebytes, be sure to update it from this tab:

MBAM-Update.bmp

1.3 MB
MBAM_Update

After updating, run a “Full Scan” from this tab:

MBAM-Scan.bmp

1.3 MB
MBAM_Scan

If MBAM finds any malware, it will display it as in the screen below. Simply click on the “Remove Selected” button and the infection will be removed.

MBAM-Sample.jpg

76 KB
Sample

A Log will be generated and you should review the information carefully.
If you already have a question pending on Experts-Exchange, attach the log to a post in your question.

If you haven’t yet started a question, do it now and post the log as part of the process.

At this point I will usually shut down the system for a few minutes and then do a cold boot.

When you re-start your system, go ahead and do another “Complete Scan” with Malwarebytes. You will almost never find additional infections, but this scan will only take a few extra minutes and is well worth it.

Depending on your results, it may be necessary to run another tool such as ComboFix ("ComboFix" (http://www.bleepingcomputer.com/combofix/how-to-use-combofix), but don’t take any further actions until your MBAM log has been evaluated.

One of the cautions in fighting malware is to use the minimum number of tools possible. If you can effectively stop the rogue processes (1) and clean the infection with Malwarebytes (2), the only other routine tool I would load would be CCleaner (www.ccleaner.com) to delete all of the Temp/Junk files that accumulate in your browser.

In specific instances there may be tools targeted for a certain variant of malware that you have. In those cases, the Experts can provide you with additional instructions.

If you used a USB drive, be sure to scan it before using it again - remember that some malware can spread via USB drive.

Below are some general comments about frequently recommended tools in the Virus & Spyware Zones.

In the past I have used SpyBot (http://www.safer-networking.org/index2.html) and SuperAntiSpyware (http://www.superantispyware.com/), but they (IMO) don’t begin to compare with the effectiveness of MBAM.

You might also see recommendations for TDSSKiller (http://support.kaspersky.com/viruses/solutions?qid=208280684) or HitmanPro (http://www.surfright.nl/en/hitmanpro)

TDSSKiller is an effective tool for fighting “Rootkit” type infections, but I’ve tested HitmanPro and haven’t found to do anything beyond what MBAM has already done.

There is really no way to provide a comprehensive list of all the recommendations you might see, but you definitely need to be in “Caveat Emptor” mode. Before using any recommendation, go to the linked site and read about it. Read the FAQ’s and Forums, then evaluate how well the developers respond to their users. Some tools are very well known and have been used by millions of people all over the world, but most are not that well known.

Educate yourself about the product – and also about the “Expert” who is recommending it. Feel free to ask the Expert "why" they are making the recommendation they've posted. After all, it is YOUR computer – and you need to be prudent about the actions you take.

Some other valid Articles here on Experts-Exchange that I highly recommend you read are:
2012-Malware-Variants
MALWARE - "An Ounce of Prevention..."
Basic Malware Troubleshooting
Rogue-Killer-What-a-great-name
Latest-Malware-Threat-Windows-Stability-Center

Desktop icons missing - Empty program files
Viruses in System Volume Information (System Restore)
THINGS YOU NEED TO DO WHEN YOUR PC IS INFECTED:
IF YOU CAN'T RUN .EXES IN AN INFECTED SYSTEM:
Can't Install an Antivirus - Windows Security Center still detects previous AV:
HijackThis - Some Tips & Tricks:
HijackThis reports missing files on 64-bit Systems:
"Google Hijack" - Google Search Gets Redirected:

Asked On: 2011-03-28 at 16:51:03ID5124
Tags
Topic: Anti-Spyware
Views: 4833

About The Author

younghv

I enjoy hanging around EE - just watching some of the giants of the IT industry work their magic.
I learn more than I teach here every day ... and all of these teachers work for free.

More Articles From younghv

Comments

Expert Comment

by: BillDL on 2011-03-29 at 02:58:54ID: 25217

Thank you for an excellent article. I love the "First Aid" metaphor, which is perfectly applicable to an ailing computer.

I have noticed on quite a number of occasions recently how you were able to halt the speculation and overlapping suggestions by different experts to "try this program", and were then able to steer the asker back to a logical "First Aid" approach via initial diagnosis, triage, and finally application of a prescription to prevent recurrence. In so doing I have noticed that you have sometimes questioned the validity of a suggestion made by another expert to use a particular anti-malware product at that stage. Please don't assume this to be a criticism, I have been in full agreement and support of your comments on each of those occasions.

It is clear from many of your answers that you try to guage the asker's technical expertise at the outset, and never recommend a product or course of action unless it is relevant and useful at the time and you are going to be around to support the results or findings with further suggested actions. Sometimes "malware" questions become a "free for all", and are not unlike a hypothetical scenario where somebody suddenly collapses in a bar or similar place and you might hear the following suggestions from "barrack-room doctors":

- "Give him a brandy ..."
- "Turn him on his side and stick a spoon in his mouth to stop him swallowing his tongue."
- "Smack him hard on the sternum, that will make him breathe again."
- "Do the Heimlich Manoevre!"

Yes, "First Aid", correctly applied of course, is what really works.

I hope you don't mind, but I have one thing to add to the metaphorical "First Aid" approach. I worked in an Emergency Service for many years, and the first priority we were taught to observe is the prevention of another catastrophic event caused by the current ongoing one. You must make the scene safe to work in before attending to the casualty, and this would include closing or coning off a highway so that passing "rubber-neckers" don't cause an accident that could affect you, the casualty, or others. In context with applying "First Aid" to a stricken computer, I would suggest that the first action should be to isolate the computer from further infection by disconnecting it from the Internet.

The downside to this is that a program like Hitman Pro (mentioned in your article) will not work as intended because it uses the "cloud" (I hate that expression, but it is theirs), and that some malware will only be alive and detectable while "online". Nevertheless, that would still be my first suggestion to anyone who believes their computer may be infected.

Thanks again for a great article.
Bill

Author Comment

by: younghv on 2011-03-29 at 04:00:39ID: 25223

Hi Bill,
I'll start by saying that I think you give about the most comprehensive advice of any Expert posting here on EE - and you manage to keep your comments interesting.

Your 'isolation' metaphor is a good example - valid, use-it-now advice - that provides a good chuckle too.

Let me play with the sentence structure above and I'll see what I can do to work it in.

I learned the hard way to set up an isolated (and firewalled) sub-net between my repair shop and our home network. Doing so protects my home computers from the infected ones I'm fixing...and my customer's computers from my grandson's prying eyes.

I also take your comments to heart about the way I will sometimes wade into the middle of an on-going discussion.

We have several solid Experts posting in the malware Zones and I tend to avoid questions in which they have already started helping. In particular, I love to see a question where 'rpg' has started one of her technical diagnoses and just marvel at her level of expertise. I have a pretty solid handle to most of the tools available to us, but she has the whole enchilada.

Unfortunately, we also have a couple who - sincerely - have no personal knowledge at all, but run around copy/pasting advice they have seen other Experts post. Literally, nothing but WHAP!..."Run this and this and this and this..." - with no regard for the actual symptoms being displayed.

Those are the questions that tend to cause me to pull on the hip-waders and jump right in - although I will frequently wish that I had pushed away from the keyboard for a few minutes...before hitting that damn "Enter" key.

I appreciate your extended comments and am still chuckling at this one:

collapses in a bar...so... "Give him a brandy ..." (I think you and I may have been in some of the same bars).

Vic

Expert Comment

by: BillDL on 2011-03-29 at 11:44:51ID: 25243

Hi Vic. I totally agree with the comforting feeling of seeing the name "rpggamergirl" (http://www.experts-exchange.com/M_3598771.html), plus a few others like yourself, in a Malware-related question. I always find it quite hard to walk away from a Malware-related question that has yet to receive any attention, but there are many occasions when it is just not fair to start something when I know full well that I will not have the time to stick with the question.

Expert Comment

by: willcomp on 2011-03-29 at 17:23:53ID: 25255

Good job Vic.

Will RogueKiller run when Rkill is blocked? I haven't tried it yet -- appears to be a similar tool.

Author Comment

by: younghv on 2011-03-29 at 17:35:49ID: 25256

Hey Dalton,
Good question.
I'm kind of treating them (RKill and RogueKiller) as an 'over/under' and trying both if one fails.

So far, I have had to re-start RogueKiller a few times before I can get the menu selections up. The developer mentions that this might happen, but just to keep trying.

The guy (Tigzy) is really open to discussion and questions about his product and I've been swapping email with him about every day.

Vic

Expert Comment

by: Ramgkrish on 2011-03-30 at 18:40:23ID: 25286

Thanks for the excellent article.
I often use malware bytes and super anti-spyware. But on rare occasions, after i reboot the system after a scan, the OS gets corrupted. most of the time a FIX-Repair Installation will do the job but worst case, i have re-install the whole OS .

why that happens?

Expert Comment

by: BillDL on 2011-03-30 at 23:38:50ID: 25293

This is a clear example of what Vic's article was written to address. In many cases an anti-malware product discovers an "infection" in an operating system file or important registry entry, and to "cure" the infection it has to quarantine, delete, or try to remove data from, that essential file or registry key. Sometimes the "infection" is actually in the file, and sometimes it is only injected into the space in memory used by legitimate running processes.

In many cases the anti-malware application is set (by program default or user choice) to automatically remove or quarantine the file or registry value without prompting. If you take a look at Vic's 3rd screenshot down from the top you will see that the MalwareBytes software has stopped and presented the user with its findings, and is awaiting a decision about what to do.

Most users will trust that any "suggested" action is going to cure the problem without any adverse effects, but unless the user has some knowledge of exactly what file or registry value is going to be removed when they click the "Remove" button, then the file or setting removed will often only become a problem when the computer is next rebooted.

Most Anti-Virus and Anti-Malware producs use some form of "heuristics" to detect a pattern of behaviour from files or other data which closely resembles the patterns observed from viruses and malware. That is the reason why some genuine system utilities that perform certain "deep" interrogation of your system are often flagged as nasty processes. This is referred to as a "False Positive", and occasionally some producs will remove valid files from your system if allowed to.

No product can ever be perfect, and sometimes the educated guessing they do can be wrong and cause problems with your operating system. So, I suppose what am saying here is that you should never just allow an anti-malware application just to automatically delete everything it finds. Always set it to show you first what it has found, and try to find out exactly what it is going to remove before clicking that "remove" button.

Expert Comment

by: mbizup on 2011-03-31 at 05:00:08ID: 25305

BillDL,

Could removing "False Positives" cause problems like key sequences to not work as expected? I got rid of "Smart Internet Protection 2011" on a desktop the kids use earlier this year. I noticed recently that the ctrl-alt-delete combination is no longer working on that computer.

I've found resources that I think might fix it, but am just curious about whether removing a False Positive along with the virus might have caused it, or whether that's a symptom of a virus still present on that computer.

(Let me know if I need to post a seperate question about that... :) )

Author Comment

by: younghv on 2011-03-31 at 05:22:14ID: 25307

mbizup,
"Smart Internet Protection 2011" changes some file associations and you need a couple of additional tools to put the system right again.

I am pretty sure I responded to one of these infections not too long ago, so let me see if I can find the link.

This variant is probably from one of the "Name Changer" class of malware that is discussed here:
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-vista-2010

If you posted an EE question for that problem, let us see the link and I'll review the suggestions you received.

Thanks,
Vic

Expert Comment

by: mbizup on 2011-03-31 at 12:27:41ID: 25330

Hi Vic,

I never actually posted an EE question about it. Should I post a thread with the steps I followed to remove the virus?

Author Comment

by: younghv on 2011-03-31 at 14:56:02ID: 25341

You can do that - or simply follow the instructions at the link above.
There are no adverse affects (TMK) for running any of the tools listed - even on a healthy computer.

Expert Comment

by: CraigSNYC on 2011-04-03 at 19:07:40ID: 25468

Fantastic article!

Author Comment

by: younghv on 2011-04-04 at 02:31:46ID: 25472

CraigSNYC:
Thank you for the comment.
I see that it helped you solve your malware infection and that is music to my ears.

Expert Comment

by: Jonvee on 2011-04-04 at 05:57:20ID: 25480

An excellent article with an interesting medical analogy! Comprehensive, well researched, and accurately detailing the thoughts of those of us who are already quite familiar with the capabilities of Malwarebytes, and other reliable scanners. It correctly emphasises the need to run in normal mode for most efficient infection removal, and includes links galore to other valuable articles.

Good comprehensive advice from BillDL.

Definitely my yes vote! Thank you.

Author Comment

by: younghv on 2011-04-04 at 06:23:34ID: 25481

Jonvee - thank you for the comments and vote.
I heartily concur with your thoughts about BillDL - he posts some of the most thorough/well-researched advice on EE (or anywhere else).

Expert Comment

by: BillDL on 2011-04-04 at 12:43:39ID: 25500

Is there a text-emoticon for <blushing> ?

Expert Comment

by: lherrou on 2011-04-04 at 18:12:07ID: 25504

BillDL: It's =^_^=

("=" are the red cheeks)

(but the praise is deserved)

Expert Comment

by: BillDL on 2011-04-04 at 23:27:13ID: 25507

He, he. Looks more like Para Wings. Thanks. Where's this article? ;-)