Malware Removal: When to Flatten and Reinstall Windows

---

So, you didn’t protect the system and it got hacked. What to do? Well, let’s see:

• You can’t clean a compromised system by patching it. Patching only removes the vulnerability. Upon getting into your system, the attacker probably ensured that there were several other ways to get back in.

•You can’t clean a compromised system by removing the back doors. You can never guarantee that you found all the back doors the attacker put in. The fact that you can’t find any more may only mean you don’t know where to look, or that the system is so compromised that what you are seeing is not actually what is there.

•You can’t clean a compromised system by using some “vulnerability remover.” Let’s say you had a system hit by Blaster. A number of vendors (including Microsoft) published vulnerability removers for Blaster. Can you trust a system that had Blaster after the tool is run? I wouldn’t. If the system was vulnerable to Blaster, it was also vulnerable to a number of other attacks. Can you guarantee that none of those have been run against it? I didn’t think so.

•You can’t clean a compromised system by using a virus scanner. To tell you the truth, a fully compromised system can’t be trusted. Even virus scanners must at some level rely on the system to not lie to them. If they ask whether a particular file is present, the attacker may simply have a tool in place that lies about it. Note that if you can guarantee that the only thing that compromised the system was a particular virus or worm and you know that this virus has no back doors associated with it, and the vulnerability used by the virus was not available remotely, then a virus scanner can be used to clean the system. For example, the vast majority of e-mail worms rely on a user opening an attachment. In this particular case, it is possible that the only infection on the system is the one that came from the attachment containing the worm. However, if the vulnerability used by the worm was available remotely without user action, then you can’t guarantee that the worm was the only thing that used that vulnerability. It is entirely possible that something else used the same vulnerability. In this case, you can’t just patch the system.

•You can’t clean a compromised system by reinstalling the operating system over the existing installation. Again, the attacker may very well have tools in place that tell the installer lies. If that happens, the installer may not actually remove the compromised files. In addition, the attacker may also have put back doors in non-operating system components.

•You can’t trust any data copied from a compromised system. Once an attacker gets into a system, all the data on it may be modified. In the best-case scenario, copying data off a compromised system and putting it on a clean system will give you potentially untrustworthy data. In the worst-case scenario, you may actually have copied a back door hidden in the data.

•You can’t trust the event logs on a compromised system. Upon gaining full access to a system, it is simple for an attacker to modify the event logs on that system to cover any tracks. If you rely on the event logs to tell you what has been done to your system, you may just be reading what the attacker wants you to read.

•You may not be able to trust your latest backup. How can you tell when the original attack took place? The event logs cannot be trusted to tell you. Without that knowledge, your latest backup is useless. It may be a backup that includes all the back doors currently on the system.

•The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

---

quote:

---

with a rootkit on the system that makes the system no longer trustworthy. Windows Explorer and the command line will no longer show you the files that are actually on the system. The registry editor is now lying. Account manager tools will not show you all the users. At this stage of an intrusion, you can no longer trust the system to tell you about itself. That’s where you get into a flatten and rebuild (some people call it "nuke and pave") scenario. The system is now completely compromised.

---

If Spybot is installed: Before proceeding, disable Spybot Tea Timer and leave it disabled until we're done here.

• See »aumha.net/viewtopic.php?t=32409
  
  If Ad-Aware is installed and Ad-Watch is enabled: Before proceeding, disable Ad-Watch and leave it disabled until we're done here.
  
• See »aumha.net/viewtopic.php?f=43&t=38668
  

Refer the tutorial for your operating system at the appropriate link below.

Windows XP:
»www.bleepingcomputer.com/tutoria···windows/

Windows Vista:
»www.bleepingcomputer.com/tutoria···s-vista/

Windows 7:
»www.bleepingcomputer.com/tutoria···ndows-7/

Windows 8:
»www.bleepingcomputer.com/tutoria···ndows-8/

We need to make sure that word wrap is disabled for log readability.

• Open Notepad;
  
• Click on Format;
  
• Uncheck Word wrap, if checked.
  

If you have Windows Defender installed, we need to disable it before we begin the cleaning process.

• Open Windows Defender by clicking the 'Start' button
  
• Click 'All Programs', then click 'Windows Defender'
  
• Click Tools', then click 'Options'
  
• Under 'Administrator options', select or clear the 'Use Windows Defender' check box
  
• click 'Save'
  
  If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
  

• Please make sure not to run CCleaner until we're done here, unless the following is unchecked
  
• See screenshot:
  

• Ad-Watch
  
• Tea Timer
  
• Windows Defender
  

• For Ad-Aware 2007 & 2008, see the first post here: »www.lavasoftsupport.com/index.ph···ic=19804
  
  
• For Ad-Aware AE, see the second post here: »www.lavasoftsupport.com/index.ph···ic=19804

• Open Spybot Search & Destroy
  
• In the Mode menu, click Advanced mode if not already selected
  
• Choose Yes at the Warning prompt
  
• Expand the Tools menu
  
• Click Resident
  
• Uncheck the Resident TeaTimer box
  
• Click File then Exit to close
  
• 
  
• NOTE; You must reboot for these changes to take effect
  
• 
  
• A step-by-step tutorial can be found here: »www.malwarehelp.org/how-to-enabl···mer.html

• Avast
  
• AVG
  
• McAfee
  
• Norton Internet Security or Personal Firewall
  

• See instructions here: »service1.symantec.com/SUPPORT/ni···15220236
  

quote:

---

C:\Program Files\Holt_old Note: Random Named Folder in Program Files 13/11/2005 17:37 0 bytes Hidden from Windows API.
C:\Program Files\Holt_old\ace.dll 26/10/2005 15:46 568.00 KB Hidden from Windows API.
C:\Program Files\Holt_old\AI_07-11-2005.log 07/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_08-11-2005.log 08/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_09-11-2005.log 09/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_10-11-2005.log 10/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_11-11-2005.log 11/11/2005 00:05 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_12-11-2005.log 12/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\AI_13-11-2005.log 13/11/2005 00:00 3 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache 13/11/2005 17:58 0 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436ee411_0000b71b 07/11/2005 00:20 3.81 KB Hidden from Windows API.
C:\Program Files\Holt_old\Cache\0000001c_436fd078_000ec82e 07/11/2005 17:08 5.38 KB Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435febb3_0007270e 26/10/2005 15:48 2 bytes Hidden from Windows API.
C:\Program Files\Holt_old\Cache\00000029_435fed33_0002dc6c 13/11/2005 19:07 3.54 KB Hidden from Windows API.

quote:

---

etc. The log itself will be very long with lots of entries similar to the above)

The Fix

Please download AproposFix from here:

»Security Cleanup FAQ »Security Clean-Up Approved White List

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post the entire contents of the log.txt file in the aproposfix folder into a New Topic.

Thanks to Swandog46 for developing this fix tool :)

1/6/07 --- fixed broken link to RootkitRevealer ~lil~

[*]From the main ewido screen, click on update in the left menu, then click the Start update button.

[*]After the update finishes (the status bar at the bottom will display "Update successful")

[*]Exit Ewido. DO NOT scan yet.

[*]Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.

[*]If ewido finds anything, it will pop up a notification. You can select "remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

[*]When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

[*]Uncheck "Cookies" under "Internet Explorer".
[*]If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
[*]Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

[*]Double-click on rr-free-setup.exe to install in C:\Program Files\RogueRemover.
[*]Navigate to the folder and double click on the file named RogueRemover.exe or use the icon that was created on your desktop.
[*]Once the program runs, select Check for Updates.
[*]When prompted, select Check for Updates.
[*]If prompted again, click Download to receive the latest updates.
[*]When completed, close the update window.
[*]Finally, select Scan and the program will walk you through the remaining steps.

quote:

---

According to the bulletins you need at least:

* Version 1.3.1_16 or later
* Version 1.4.2_09 or later
* Version (1.)5 update 4 or later {insert My Note: We are now on update 6 in this version)

to be safe.

---

quote:

---

Vince told it's also necessary to remove the old java environments, not just get the new ones as an attacker can target the old environments when they are still present.

---

quote:

---

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. Use the exe not the beta installer! See here for specific instructions and screen shots to help:
http://russelltexas.com/malware/createhjtfolder.htm
This is to ensure it makes the necessary backups for recovery if needed.

---

said by TonyKlein:

---

SO, HOW DID I GET INFECTED IN THE FIRST PLACE?

You usually get infected because your security settings are too low.

Here are a number of recommendations that will help tighten them, and which will contribute to making you a less likely victim:

1) Watch what you download!
Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious, come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself.

Pre-Scan downloaded files for viruses and malware at one of these multi-engine single file scan sites for free! Each one uses a dozen or more well-known AntiMalware scanners in one quick easy scan with a report of results from all.

Virus Total (10mb limit)
»www.virustotal.com/xhtml/index_en.html

Jotti's Malware Scan (15mb limit)
»virusscan.jotti.org/

2) Go to IE > Tools > Windows Update > Product Updates, and install ALL Security Updates listed.
It's important to always keep current with the latest security fixes from Microsoft.
Install those patches for Internet Explorer, and make sure your installation of Java VM is up-to-date. There are some well known security bugs with Microsoft Java VM which are exploited regularly by browser hijackers.

Windows Update:
http://v4.windowsupdate.microsoft.com/en/default.asp

3) Adjust your security settings for ActiveX

Go to Internet Options/Security/Internet, press 'default level', then OK.

Now press "Custom Level."

In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to 'prompt', and 'Initialize and Script ActiveX controls not marked as safe" to 'disable'.

Now you will be asked whether you want ActiveX objects to be executed and whether you want software to be installed.
Sites that you know for sure are above suspicion can be moved to the Trusted Zone in Internet Option/security.

So why is activex so dangerous that you have to increase the security for it?
When your browser runs an activex control, it is running an executable program. It's no different from doubleclicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?

And some more advice:

4) Install Javacool's SpywareBlaster.

SpywareBlaster
»www.javacoolsoftware.com/spywareblaster.html

SpywareBlaster will protect you from all spy/foistware in it's database by blocking installation of their ActiveX objects. Download and install, download the latest updates, and you'll see a list of all spyware programs covered by the program (NOTE: this is NOT spyware found on your computer)
Press "select all", then "kill all checked", and you're done.
The spyware that you told Spywareblaster to set the "kill bit" for won't be a hazard to you any longer.
Although it won't protect you from every form of spyware known to man, it is a very potent extra layer of protection.
Don't forget to check for updates every week or so. Let's also not forget that SpyBot Search and Destroy has the Immunize feature which works roughly the same way.
It can't hurt to use both.

5) Another brilliant program by Javacool we recommend is SpywareGuard.
It provides a degree of real-time protection solution against spyware that is a great addition to SpywareBlaster's protection method.

SpywareGuard
»www.javacoolsoftware.com/sgdownload.html

An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware! And you can easily have an anti-virus program running alongside SpywareGuard.
It now also features Download Protection and Browser Hijacking Protection!

6) You can use a customized HOSTS file to block known bad sites. This is accomplished by blocking these sites through the hosts file. For more information and recommended sources see here:
»Security »What is a Hosts file and where can I get it?

said by CalamityJane:

---

To add to Tony's excellent advice above, you many find the additional programs and Security Sites helpful in malware prevention and removal:

7. These free programs are available to remove spyware from your system:

Windows users (English versions only):
Download, Update and Scan with Windows Defender (free)

Download here:
»www.microsoft.com/athome/securit···ult.mspx

Complete instructions on using Windows Defender can be found here:
Using Windows Defender
»www.microsoft.com/athome/securit···ult.mspx
*Validation of genuine Microsoft Windows Required*

8. Scan for Viruses and common trojans online and free

»Security »What are some web based virus scanners and encyclopedias?

9. If you still have problems and think you are infected after following the various scans and help above...... See: »Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance before posting in our »Security Cleanup forum for assistance:

10. Some Security Sites worth reading and bookmarking for reference and to help you get started in your PC Security.

Security At Home:protect your computer
Spyware

Home Computer Security
http://www.cert.org/homeusers/HomeComputerSecurity/

Protecting Your Home Network
http://www.microsoft.com/windowsxp/pro/usi...tecthomenet.asp

Home Network Security
http://www.cert.org/tech_tips/home_networks.html

Malicious Code Propagation and Antivirus Software Updates
http://www.cert.org/incident_notes/IN-2003-01.html

National Institue of Standards and Technology
Computer Security Resource Center
http://csrc.nist.gov/

Stay Safe Online
http://www.staysafeonline.info/

Protecting Your Privacy & Security on a Home PC
»www.spywarewarrior.com/uiuc/

IE-SPYAD: Restricted Sites List for Internet Explorer
»www.spywarewarrior.com/uiuc/reso···#IESPYAD

»Microsoft Application Tips and Tweaks »Concerning Internet Options Security, what do some of the settings mean

Internet Explorer 9 for Windows is available now
»www.microsoft.com/windows/ie/default.mspx
Internet Explorer works with Windows Defender to help prevent spyware from sneaking onto your computer in common ways, such as part of a larger software download

quote:

---

Beware - Desktop Hijacks on the Rise Again
Security Forums have been deluged with daily cries of help from victims of the "Smitfraud" desktop hijackers that are using fake codec to infect their prey.

Watch out for the Zlob Trojan that poses as a codec needed to view a video, then installs a fake virus and urges its victims to download a rogue anti-spyware program to remove it. Lavasoft has also confirmed that this malware takes advantage of unpatched systems using exploits on web pages. Visit Microsoft Update to ensure that ALL of your critical Windows security pages are updated.

Other victims have been infected by a fake e-card greeting, or even a spoofed e-mail that claims to be Windows Update (Microsoft never sends updates via e-mail). Still more unassuming victims received an e-mail asking them to open a link to see the message (these can be fake e-mails, intended only to infect), or even a link from your 'buddy' in instant messages - but don't trust it if you aren't expecting it. Even your buddy could be infected without his/her knowledge and the virus on their computer is sending you the link with one purpose, and one purpose only - to infect you!

A few of the fake codecs out there include:

braincodec (added 28 Nov2006)
EliteCodec (added 08 Nov 2006)
Emcodec
eMedia Codec
Gold Codec (added 23 Nov 2006)
HQ Codec
iCodecPack
iMediaCodec
iVideoCodec
IntCodec
KeyCodec
Media-Codec
MediaCodec
MMediaCodec
MPCODEC
PCODEC
PerfectCodec (added 15 Nov 2006)
PowerCodec
PornPass Manager
PornMag Pass
QualityCodec (Added 08 Nov 2006)
SilverCodec (added 23 Nov 2006)
SoftCodec
strCodec
Supercodec (added 15 Nov 2006)
TrueCodec
vaxsetup
Vccodec
VideoCompressionCodec
VideoKeyCodec
VideosCodec,
WinMediaCodec
X Password Generator
X Password Manager
ZipCodec

We urge you to be aware and watch out for fake codecs. This is one of the favorite methods used by the authors of malware to lure you into downloading a file that infects your computer. If you receive a link for a video that says you need a certain codec in order to view it, be careful! Today, it could be a fake codec that is actually a Trojan just waiting to infect your system.

New variants are being released daily, even faster than Security Products companies receive new samples for detection. And because it does take time for due diligence on detection for the newer variants, it is important to remember that prevention is the key!

---

• Save HJTInstall.exe to your desktop.
  
• Open Notepad > Click on Format > Uncheck Word wrap, if checked.
  
• Double-click on the desktop icon for HJTINstall.exe.
  
• By default it will install to C:\Program Files\Trend Micro\HiJackThis
  
• Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  
• 
  
• Put a check by Create a desktop icon then click Next again.
  
• Continue to follow the rest of the prompts from there.
  
• At the final dialogue box click Finish and HijackThis (HJT) will launch.
  
• 
  
• Close any/all browsers, messenger, mediaplayer, Office and mail client windows and applications.
  
• Click on the 'Scan' button. When the scan is finished, press the 'Save' button. HiJackThis will open a Notepad document with scan in it. Save the log to your Desktop for ease in locating it.
  
• 
  
• Click on Edit > Select All then click on Edit > Copy to copy the contents of the log to your clipboard.
  
• Come back here to this thread, right click your mouse and select Paste to paste the log in your next reply.
  
• DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
  
• Make certain your post shows the entire log, please.
  

To see a tutorial with screenshots on using HijackThis you can click on the link below:
How to use HijackThis to remove Browser Hijackers, Malware, & Spyware

• Operating Systems: Windows NT/2000/XP/Vista/Windows 7 - 32bit & 64bit
  
  
• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.