
Expand Your Anti-Malware Toolkit

When dealing with malware and viruses on Windows systems, often one tool is not sufficient.  You may need to expand your tool set to include multiple applications in order to effectively clean off an infection or threat.

  • Turn off System Restore. This can be done in the System control panel. Don’t forget to turn it back on when you’re finished!
  • Clear temporary internet files (IE cache) for all profiles.  If you’re only dealing with a single-user computer, this is easily accomplished with the Internet Options control panel. If multiple users login to the infected computer, rather than manually deleting for each user, you can use ICSweep to view and delete the IE cache for all users.  Originally designed for terminal server environments, ICSweep works well on desktop operating systems, too.  You can download it here:  http://www.ctrl-alt-del.com.au/CAD_TSUtils.htm
  • CCleaner is also effective at cleaning out the IE cache, but only for the currently logged in user. http://www.piriform.com/
  • Boot the computer into Safe Mode with Networking, if possible, and launch your anti-spyware application. Safe Mode prevents many unwanted services & processes from running, but if you use the networking version, you can still update the definitions for your apps.  However, this isn’t always possible, depending on the nature of the infection, so you may need to boot to Safe Mode (with no networking) and manually update from another source (e.g. a USB drive).
  • I have had success using Malwarebytes’ quick scan for basic infection & removal. http://www.malwarebytes.org/.  Recently, I’ve found Hitman Pro to be very effective in detecting and removing rootkits and boot sector viruses, such as Alureon.  http://www.surfright.nl/en/hitmanpro
  • You may need to boot to a CD, or use another method to scan externally, if you’ve got something that’s really entrenched.  There are many Linux-based “Live” CD images available for free download: http://www.knoppix.net/ or you can manually create your own Windows Preinstallation Environment (PE) CD: http://technet.microsoft.com/en-us/library/cc766093%28WS.10%29.aspx. Microsoft’s Diagnostic & Recovery Toolset (DaRT) includes ERD Commander disc images, and also includes Microsoft Security Essentials for offline scanning.
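The second step above (clearing the IE cache for every profile, not just the logged-in user) is the one that tends to get skipped when ICSweep isn’t at hand. The script below is an added example, not part of the original post and not ICSweep’s or CCleaner’s own code: it walks both the XP-style and Vista-style profile roots, removes the cached files under each profile, and reports what it touched. The profile roots and cache sub-paths are assumptions for a default Windows install; it assumes Windows PowerShell 3.0 or later and needs to run elevated to reach other users’ profiles.

```powershell
# Added example (not from the original post): clear the IE cache for every
# local user profile, the job the post delegates to ICSweep.
# Assumptions: default profile locations, Windows PowerShell 3.0+, run as admin.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Profile roots on XP/2003 and on Vista and later; both are checked.
    [string[]]$ProfileRoots = @("$env:SystemDrive\Documents and Settings",
                                "$env:SystemDrive\Users")
)

# Cache locations relative to a profile (XP-style, Vista/7-style, and the
# newer INetCache folder). Non-existent paths are simply skipped.
$cacheSubPaths = @(
    'Local Settings\Temporary Internet Files',
    'AppData\Local\Microsoft\Windows\Temporary Internet Files',
    'AppData\Local\Microsoft\Windows\INetCache'
)

$report = foreach ($root in $ProfileRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($profile in Get-ChildItem -LiteralPath $root -Directory -Force) {
        foreach ($sub in $cacheSubPaths) {
            $cache = Join-Path $profile.FullName $sub
            if (-not (Test-Path -LiteralPath $cache)) { continue }

            # -Force is required: the Content.IE5 tree and index.dat are hidden/system.
            $files = @(Get-ChildItem -LiteralPath $cache -Recurse -Force -File -ErrorAction SilentlyContinue)
            $bytes = ($files | Measure-Object -Property Length -Sum).Sum

            if ($PSCmdlet.ShouldProcess($cache, "Remove $($files.Count) cached files")) {
                # Files locked by a running process (e.g. index.dat of a
                # logged-on profile) are skipped rather than aborting the run.
                $files | Remove-Item -Force -ErrorAction SilentlyContinue
            }

            [pscustomobject]@{
                Profile = $profile.Name
                Cache   = $cache
                Files   = $files.Count
                Bytes   = [int64]$bytes
            }
        }
    }
}

$report | Format-Table -AutoSize
```

Run it once with `-WhatIf` to see which caches would be emptied and how much each profile holds, then again without it. Locked files from the currently logged-on profile are left behind; log that user off (or run from Safe Mode, as the post suggests) to get those too.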

Removing Fake Microsoft Security Essentials

In today’s world of spyware, viruses, and malicious attacks, there are very few that have given me the thought that they could actually be real. Typically you get the one that pops up saying you have 95 viruses and that you need to pay to clean your system, which is an immediate red flag. Most of the time the spyware looks really fake, and by fake I mean they have no company name, or they just use a generic names like “Windows Security 2010,” and “Antivirus 2010.” I thought this always to be the case until just recently.

The call came in like any other: the user was describing that Microsoft Security Essentials had detected an infection and it needed to be cleaned. I told the user to go ahead and click the clean option in Security Essentials and it would clean the file. When she did this, it said it could not be cleaned and the Apply Now button on the bottom changed to a “Scan Online” option.  It took me a second, but I realized that I had never seen this option in Security Essentials before.

If you click on the Scan Online button, it will list a total of 35 antivirus programs, 30 of which are real and 5 which are rogue. The 5 rogue ones are:

  • Red Cross Antivirus
  • Peak Protection 2010
  • Pest Detector 4.1
  • Major Defense Kit
  • AntiSpySafeguard or AntiSpy Safeguard

When these are allowed on the system they will perform a fake virus scan and say you are infected. Each one is the same, but with a slightly different interface. They also block certain applications from running (e.g. Internet Explorer, Malwarebytes, etc.). Below are the steps I took to resolve my issue.

Removing fake Microsoft Security Essentials

Because I was offsite, I had to remote into this particular computer from another PC on the network, but if you are in front of it you can use the same methodology. I immediately checked add/remove programs and Microsoft Security Essentials was not even installed!

I downloaded the Process Explorer tool (procexp.exe) from live.sysinternals.com on a separate machine and put it on a network share (you can put it on a USB drive if you are in front of the PC). You can also try Ctrl+Alt+Del if it works; it did not work for me. I opened the network share on the infected PC, copied procexp.exe onto the computer and ran it. NOTE: It is not usually best practice to open network shares when infected with spyware or viruses, as they sometimes spread via those means, but I had no other choice.

Here I found the fix.exe file was running on the system and I killed the process. I noted the path of the fix.exe file that procexp.exe shows you:

Documents and Settings\(username)\Application Data\fix.exe

I then went into Windows Explorer > Tools > Folder Options > View and made sure “Show hidden files and folders” was selected. I browsed to the folder listed above and removed the fix.exe file. While in there I also noticed another interesting file with a randomly generated name.

Documents and Settings\(username)\Application Data\jsdfgs.bat

I opened this file with notepad and saw the code in the picture below. This looked very suspicious, so I removed this as well.

Note: This may or may not be related to the fake Security Essentials.

I then thought I had the issue resolved and opened IE, which worked fine, but when I tried running Malwarebytes to scan the system, it still would not start. This alerted me that there was still a bigger issue. I also tried doing Windows Update and this would fail as well. I began looking at my internet connection settings and found that static IP addresses had been put into my TCP/IP settings. I checked on the location of these IP addresses and they appeared to be coming from Ukraine. I removed them from my internet connection settings and then Microsoft updates worked fine again.
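The three things found by hand above (an executable running from a profile’s Application Data folder, a stray script beside it, and DNS/IP settings that had been rewritten to point at foreign servers) can be checked in one read-only pass before anything is deleted. The script below is an added example, not part of the original post and not the output of any of the tools it names: it reports every adapter’s DNS servers and flags any not on an allow-list, lists running processes whose image lives under a user profile, and lists executables and scripts sitting at the top level of each profile’s Application Data folder, hashing them so they can be looked up against vendor data. The allow-list addresses are constructed placeholders, the profile roots are assumptions for a default install, and it assumes Windows PowerShell 4.0 or later (for Get-FileHash), run elevated.

```powershell
# Added example (not from the original post): read-only triage for the findings
# described above. Assumptions: Windows PowerShell 4.0+, run as admin, default
# profile locations; -ExpectedDns is a constructed placeholder list.
param(
    # Constructed placeholder values: replace with your own resolvers.
    [string[]]$ExpectedDns = @('192.0.2.1', '192.0.2.2'),
    [string[]]$ProfileRoots = @("$env:SystemDrive\Documents and Settings",
                                "$env:SystemDrive\Users")
)

# 1. DNS servers per adapter. Win32_NetworkAdapterConfiguration exists from
#    XP onward, so it works on the same machines the post describes.
$dnsFindings = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $adapter = $_
        foreach ($server in @($adapter.DNSServerSearchOrder)) {
            [pscustomobject]@{
                Adapter     = $adapter.Description
                DnsServer   = $server
                # Statically set DNS on a DHCP-enabled adapter is the exact
                # pattern the post ran into, so DHCP state is shown alongside.
                DhcpEnabled = $adapter.DHCPEnabled
                Unexpected  = ($ExpectedDns -notcontains $server)
            }
        }
    }

# 2. Running processes whose image path is inside a user profile's
#    Application Data / AppData tree (fix.exe was found this way).
$procFindings = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -match '\\(Application Data|AppData)\\') } |
    Select-Object Id, ProcessName, Path

# 3. Executables and scripts directly in Application Data roots. Only the top
#    level is checked: legitimate software keeps its files in subfolders.
$appDataSubPaths = @('Application Data', 'AppData\Roaming', 'AppData\Local')
$riskyExtensions = '.exe', '.bat', '.cmd', '.scr', '.vbs', '.dll'

$fileFindings = foreach ($root in $ProfileRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($profile in Get-ChildItem -LiteralPath $root -Directory -Force) {
        foreach ($sub in $appDataSubPaths) {
            $dir = Join-Path $profile.FullName $sub
            if (-not (Test-Path -LiteralPath $dir)) { continue }
            Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Extension -in $riskyExtensions } |
                ForEach-Object {
                    [pscustomobject]@{
                        Profile = $profile.Name
                        Path    = $_.FullName
                        Hidden  = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                        Written = $_.LastWriteTime
                        # Hash for lookup against AV vendor / sandbox data.
                        Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    }
                }
        }
    }
}

'== DNS servers per adapter (Unexpected = not on the allow-list) =='
$dnsFindings | Format-Table -AutoSize
'== Running processes loaded from a profile folder =='
$procFindings | Format-Table -AutoSize
'== Executables/scripts at the top of Application Data =='
$fileFindings | Format-Table -AutoSize
```

Nothing here kills a process or deletes a file; it only produces the three lists so the decision to remove something is made on evidence (the path, the hash, whether DHCP was on when a static resolver appeared). On a machine where the fake scanner blocks console windows, copy the script over the same way the post copies procexp.exe and run it from Safe Mode.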

I also loaded up the real Microsoft Security Essentials and ran a full scan where it found and removed a rootkit.

Win32/Alureon.H

Upon removing this file, Malwarebytes and all other antivirus/spyware scans worked properly.

And just for good measure I downloaded the Piriform CCleaner utility from www.ccleaner.com and ran the cleaner utility to remove all temporary files. I also ran the Registry tool in the application to fix all broken links in the registry.

After the full completion of all the aforementioned tasks, the computer was running great and had no issues.

NOTE: Some of the symptoms in this email, such as the file with the randomly generated name, DNS pointing to Ukraine, and the rootkit, may not necessarily be on your computer. These were found on mine during the cleanup. They may have been there previously, which is why it is always good to do a full scan with a legitimate antivirus/spyware program. It is also recommended that you consult a trained professional or be fairly tech savvy before trying to accomplish this yourself.

The tools I used are listed below:

  • Process Explorer (procexp.exe): www.live.sysinternals.com (you can download the full suite of tools here for FREE!)
  • Malwarebytes: http://www.malwarebytes.org/
  • CCleaner: www.ccleaner.com