The virus doesn't use autorun.inf and doesn't add an entry to the registry's Run key either; it works as an extension to Windows Explorer.
24 hours later, 2 of the 40+ engines at virustotal.com identified the virus correctly. I installed one of those two, Avira AntiVir Personal, and it found some copies and healed the machine.
Next I checked the USB stick of a fellow traveler who I knew had used the infected computer. Avira found six different viruses on it; however, there was one it didn't find.
All this raises the question whether anti-virus software is helpful at all. Personally I never use it anyway, but this prompted me to write a bit about finding and removing viruses without AV software.
- It uses one or multiple programs and is visible in Task Manager or Process Explorer
- It uses existing Windows processes to attach itself to, such as explorer.exe or svchost.exe.
- It uses RootKit technology to hide itself from you and the operating system itself.
- It adds itself to one of the various places in the Windows configuration to autostart when the computer boots up or a user logs on. All of these are listed in Autoruns.exe.
- It attaches itself to Windows Explorer as a component or handler (check the Autoruns.exe Explorer tab), installs itself as a service that runs in the svchost.exe process (check the Autoruns.exe Services tab), or takes over the functionality of another Windows feature such as Task Manager (Winlogon\TaskMan).
- It attaches itself to other programs on the hard drive or the USB device and is launched whenever you start one of these programs. In some cases it attached itself to dozens of random applications on my USB stick, including some of the tools mentioned below. This is really a pain.
- It uses the autorun.inf feature to start when a removable drive is added, or a CD/DVD is inserted.
- It masks itself with a Folder icon in Windows Explorer and waits for you to click on it.
- It uses bugs in user software, mostly web browsers, to copy itself onto your machine and execute.
- It uses bugs in the operating system to install and start itself without any user involved.
- The computer is running slow
- There are files and programs on your PC that you do not recognize.
- You can surf the internet, but certain sites such as www.microsoft.com or the sites of anti-virus software vendors do not work.
- There are folders in your Windows Explorer, but clicking on them doesn't open them.
- After a reboot Windows reports a Data Protection Violation in "Windows Explorer", and shuts down Explorer to restart it right away.
- Process Explorer (SysInternals/Microsoft)
- Autoruns (SysInternals/Microsoft)
- TCP View (SysInternals/Microsoft)
- Rootkit Revealer (SysInternals/Microsoft)
- Process Monitor (SysInternals/Microsoft)
- PsTools Suite (SysInternals/Microsoft)
- SmartSniff (Nirsoft)
- DTaskManager (Dimio)
- O&O RegEditor (O&O Software)
- Rootkit Unhooker (kills hidden processes; google or bing for it)
There are tons of other network monitoring tools, but I like SmartSniff because it is a small single file and doesn't need any installation.
Look for an autorun.inf file on any removable drive such as a USB thumb drive; plug one in to see if there is one. If there is one, open it in notepad.exe and see whether it points to a legitimate program.
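The autorun.inf check and the folder-icon lure from the list above, done from PowerShell. This is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or later and reads the actual removable drives on the machine it runs on. The folder-masquerade test is a heuristic of my own (an .exe named like a sibling directory), not something the post describes.

```powershell
# Added example (not from the original post): inspect removable drives for
# autorun.inf and for executables masquerading as folders.
# Assumes Windows PowerShell 5.1 or later; drive letters come from the system.

function Get-AutorunTargets {
    param([string]$DriveRoot)  # e.g. 'E:\'
    $inf = Join-Path $DriveRoot 'autorun.inf'
    if (-not (Test-Path -LiteralPath $inf)) { return }

    # autorun.inf is an INI file; only the [autorun] section matters here.
    $section = ''
    foreach ($line in Get-Content -LiteralPath $inf) {
        $line = $line.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1].ToLower(); continue }
        if ($section -ne 'autorun') { continue }
        if ($line -match '^(open|shellexecute|shell\\.*\\command|icon|label)\s*=\s*(.*)$') {
            $key = $Matches[1]; $value = $Matches[2]
            # First token is the program: strip surrounding quotes and any arguments.
            $program = ($value -replace '^"([^"]+)".*$', '$1') -replace '^(\S+).*$', '$1'
            $full = if ([System.IO.Path]::IsPathRooted($program)) { $program } else { Join-Path $DriveRoot $program }
            # Signature verdict for the thing autorun would launch; a label or icon
            # line simply reports NotSigned, which is expected for those.
            $sig = if (Test-Path -LiteralPath $full) { (Get-AuthenticodeSignature -FilePath $full).Status } else { 'FileMissing' }
            [pscustomobject]@{ Drive = $DriveRoot; Key = $key; Value = $value; Target = $full; Signature = $sig }
        }
    }
}

function Get-FolderMasquerade {
    param([string]$DriveRoot)
    # Heuristic (my assumption, not from the post): an .exe whose base name equals
    # a directory name at the same level, typically with the real directory made
    # hidden, is the classic folder-icon lure. -Force includes hidden files.
    Get-ChildItem -LiteralPath $DriveRoot -Recurse -Force -File -Filter *.exe -ErrorAction SilentlyContinue |
        Where-Object { Test-Path -LiteralPath (Join-Path $_.DirectoryName $_.BaseName) -PathType Container } |
        Select-Object FullName, Length, LastWriteTime
}

# DriveType 2 = removable disk in Win32_LogicalDisk.
$removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($d in $removable) {
    $root = $d.DeviceID + '\'
    "== $root =="
    Get-AutorunTargets   -DriveRoot $root | Format-Table -AutoSize
    Get-FolderMasquerade -DriveRoot $root | Format-Table -AutoSize
}
```

Both functions take a drive root, so they can also be pointed at a mounted image of the stick rather than the live device. An empty result from Get-AutorunTargets just means no autorun.inf exists; a Target that is missing, unsigned, or not an obvious setup program is what the post tells you to look at.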
- Look at the Company column; if it is not visible, turn it on via View > Select Columns. Look at all processes that are not by Microsoft Corporation. Do you know what these processes are? Take special care if there is no company or if the process has a weird name.
- Check for process names such as csrss.exe, lsass.exe and services.exe that are not from Microsoft. These are malware processes that use the names of well-known system processes.
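The two Process Explorer checks above as a script, plus a cross-view comparison of process listings (a process that owns network connections but is missing from the process list is the situation the post runs into later with PID 960). This is an added example, not from the original post; it assumes an elevated Windows PowerShell 5.1+ session on Windows 8 or later (Get-NetTCPConnection and catalog-signature checking are not available on XP-era systems).

```powershell
# Added example (not from the original post): Process Explorer-style checks.
# Run elevated so Path is readable for system processes; otherwise those rows
# report 'path unavailable' instead of a verdict.

# Names malware borrows; the genuine ones live in System32 (or SysWOW64 for 32-bit svchost).
$systemNames  = 'csrss.exe', 'lsass.exe', 'services.exe', 'smss.exe', 'winlogon.exe', 'svchost.exe'
$expectedDirs = @((Join-Path $env:SystemRoot 'System32'), (Join-Path $env:SystemRoot 'SysWOW64'))

function Get-SuspiciousProcess {
    foreach ($p in Get-Process) {
        $path = $p.Path   # $null for protected processes when not elevated
        $findings = @()
        if (-not $path) {
            $findings += 'path unavailable (elevate)'
        } else {
            $dir = Split-Path -Parent $path
            if (($systemNames -contains ($p.Name + '.exe')) -and ($expectedDirs -notcontains $dir)) {
                $findings += "system process name outside System32: $dir"
            }
            # On Windows 8+ this also honours catalog signatures, which most
            # Microsoft binaries use; older systems report those as NotSigned.
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid') {
                $findings += "signature $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                $findings += "signed by $($sig.SignerCertificate.Subject)"
            }
            if (-not $p.Company) { $findings += 'no company name' }
        }
        if ($findings.Count) {
            [pscustomobject]@{ PID = $p.Id; Name = $p.Name; Path = $path; Findings = ($findings -join '; ') }
        }
    }
}

function Compare-ProcessViews {
    # Cross-view check: a PID seen by one enumerator but not another, or one that
    # owns a TCP endpoint while absent from the process list, needs explaining.
    # Processes starting or exiting between the three snapshots cause benign noise.
    $api = @{}; Get-Process | ForEach-Object { $api[[int]$_.Id] = $_.Name }
    $wmi = @{}; Get-CimInstance Win32_Process | ForEach-Object { $wmi[[int]$_.ProcessId] = $_.Name }
    $net = @{}; Get-NetTCPConnection -ErrorAction SilentlyContinue | ForEach-Object { $net[[int]$_.OwningProcess] = $true }
    $all = @($api.Keys) + @($wmi.Keys) + @($net.Keys) | Sort-Object -Unique
    foreach ($id in $all) {
        $missing = @()
        if (-not $api.ContainsKey($id)) { $missing += 'Get-Process' }
        if (-not $wmi.ContainsKey($id)) { $missing += 'Win32_Process' }
        if ($missing.Count) {
            $name = if ($api.ContainsKey($id)) { $api[$id] } elseif ($wmi.ContainsKey($id)) { $wmi[$id] } else { '?' }
            [pscustomobject]@{ PID = $id; Name = $name; MissingFrom = ($missing -join ', '); OwnsTcp = $net.ContainsKey($id) }
        }
    }
}

Get-SuspiciousProcess | Format-Table -AutoSize
Compare-ProcessViews  | Format-Table -AutoSize
```

The first table is the manual Company-column review: every non-Microsoft or unsigned image is listed with the reason. The second is only meaningful when it is non-empty; run it twice a few seconds apart and treat a PID that stays missing from a view, especially one with OwnsTcp set, as the thing to investigate next.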
On the 'Everything' tab, check all entries against the software you know you have installed. Pay special attention to entries that don't have a publisher or where the publisher is not verified. If you have entries where the file is not found, you can delete them. If you have entries that shouldn't really be there, you can at least untick them to disable them and turn them back on later.
How can you tell which entries are legitimate and which are not? Select the entry and press "CTRL+M" to search for it online. There are many sites that describe all possible entries in the list.
The hosts file normally contains only the entry
127.0.0.1 localhost
If there are other entries, it may mean that malware has changed the file. This file can be used to route certain host names to malicious computers.
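A small Autoruns-style sweep of the common autostart locations named above (the Run keys, and the Winlogon Shell/Userinit/Taskman values, including the Winlogon\TaskMan takeover mentioned earlier), with the same code-signature verdict Autoruns gives under "Verify Code Signatures", followed by the hosts-file check. This is an added example, not from the original post; it assumes an elevated Windows PowerShell 5.1+ session and covers only these locations, not everything Autoruns enumerates.

```powershell
# Added example (not from the original post): Autoruns-style check of common
# autostart locations plus the hosts file. Assumes an elevated PS 5.1+ session.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Properties Get-ItemProperty adds that are not registry values.
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Resolve-CommandImage {
    param([string]$Command)
    # Pull the executable out of  "C:\x\a.exe" /flag  or  C:\x\a.exe /flag
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }
    [Environment]::ExpandEnvironmentVariables($exe)
}

function New-AutostartRecord {
    param($Location, $Entry, $Command)
    $image = Resolve-CommandImage $Command
    if (-not [IO.Path]::IsPathRooted($image)) {
        # Bare names such as explorer.exe resolve through the search path.
        $found = Get-Command $image -ErrorAction SilentlyContinue
        if ($found) { $image = $found.Source }
    }
    $status = if (Test-Path -LiteralPath $image) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'FileNotFound' }
    [pscustomobject]@{ Location = $Location; Entry = $Entry; Image = $image; Signature = $status }
}

function Get-AutostartEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -in $psProps) { continue }
            New-AutostartRecord -Location $key -Entry $prop.Name -Command ([string]$prop.Value)
        }
    }
    # Winlogon values are comma-separated lists (Userinit ends with a trailing comma).
    foreach ($v in 'Shell', 'Userinit', 'Taskman') {
        $val = (Get-ItemProperty -Path $winlogon -Name $v -ErrorAction SilentlyContinue).$v
        if (-not $val) { continue }
        foreach ($cmd in ($val -split ',')) {
            if ($cmd.Trim()) { New-AutostartRecord -Location "$winlogon\$v" -Entry $v -Command $cmd.Trim() }
        }
    }
}

function Get-HostsOverride {
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -LiteralPath $hosts |
        ForEach-Object { ($_ -split '#')[0].Trim() } |   # drop comments and blank lines
        Where-Object { $_ } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            # Anything other than loopback -> localhost deserves a look.
            if (-not (($parts[0] -in @('127.0.0.1', '::1')) -and ($parts[1] -eq 'localhost'))) {
                [pscustomobject]@{ Address = $parts[0]; Names = (($parts | Select-Object -Skip 1) -join ' ') }
            }
        }
}

Get-AutostartEntry | Format-Table -AutoSize
Get-HostsOverride  | Format-Table -AutoSize
```

Entries with Signature FileNotFound correspond to the "file not found" rows the post says you can delete; NotSigned or HashMismatch on something that claims to be a Microsoft component is what "publisher not verified" means in Autoruns. A Taskman value that exists at all is unusual, since the default Task Manager needs none. On current Windows versions the hosts file ships with every line commented out, so an empty hosts table is also normal.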
There are three steps involved:
- Stop the running malware processes
- Remove the files from the system
- Change the configuration to remove autostart behaviour
The first thing you should try is to 'kill' the process in Process Explorer. This may include killing Windows Explorer if the malware has attached itself to it.
If the process re-appears soon after you killed it, there is another process running that restarts it. If you can identify several malware processes, use DTaskManager, select them all and kill them in one go.
Then delete the files you have identified as malware.
Finally delete the startup configuration for the malware using Autoruns.
In some cases it is possible to just rename the tools and then use them, because the malware looks for commonly known executable names.
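The three removal steps as one script: stop every listed process in a single pass (and again if something restarts it, which is the "kill them in one go" advice), delete the files, then drop the Run-key entries that point at them. This is an added example, not from the original post. It assumes an elevated Windows PowerShell 5.1+ session and that $MalwareFiles has been filled in from your own Process Explorer and Autoruns findings; the paths in it are placeholders, not real malware names.

```powershell
# Added example (not from the original post): stop, delete, remove autostart.
# Assumes an elevated PS 5.1+ session. The paths below are PLACEHOLDERS; replace
# them with the files you identified in Process Explorer and Autoruns.

$MalwareFiles = @(
    'C:\PLACEHOLDER\suspect1.exe',
    'C:\PLACEHOLDER\suspect2.dll'
)
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Stop-ListedProcess {
    param([string[]]$Files, [int]$Attempts = 5)
    for ($i = 1; $i -le $Attempts; $i++) {
        # Match on the image path, not the name: malware may run under several names.
        $procs = Get-Process | Where-Object { $_.Path -and ($Files -contains $_.Path) }
        if (-not $procs) { return $true }
        # Stop all of them in one pass so a watchdog cannot restart its partner
        # before the partner is gone; loop in case one did come back.
        $procs | Stop-Process -Force -ErrorAction SilentlyContinue
        Start-Sleep -Milliseconds 500
    }
    Write-Warning 'Processes keep returning; another (possibly hidden) process restarts them.'
    return $false
}

function Remove-ListedFile {
    param([string[]]$Files)
    foreach ($f in $Files) {
        if (-not (Test-Path -LiteralPath $f)) { continue }
        # Clear read-only/hidden/system attributes first; Remove-Item may refuse otherwise.
        (Get-Item -LiteralPath $f -Force).Attributes = 'Normal'
        Remove-Item -LiteralPath $f -Force
        "deleted $f"
    }
}

function Remove-AutostartReference {
    param([string[]]$Files)
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -in $psProps) { continue }
            $cmd = [string]$prop.Value
            # Substring match on the path (not -like, whose wildcards trip on brackets).
            foreach ($f in $Files) {
                if ($cmd.IndexOf($f, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    "removing $key\$($prop.Name) -> $cmd"
                    Remove-ItemProperty -Path $key -Name $prop.Name
                    break
                }
            }
        }
    }
}

# Only delete once the processes are really gone; a file that is still mapped
# into a running process would just come back or fail to delete.
if (Stop-ListedProcess -Files $MalwareFiles) {
    Remove-ListedFile -Files $MalwareFiles
}
Remove-AutostartReference -Files $MalwareFiles
```

If Stop-ListedProcess gives up, the post's next step applies: something not in your list (or not visible at all) is restarting the process, so go back to Process Explorer, or to pslist.exe/pskill.exe from another machine, before deleting anything. Service-based persistence is outside these Run keys and is handled in Autoruns' Services tab.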
In one case I couldn't start any of my tools, not even custom vb scripts, everything was shut down right away. In that case I used pslist.exe and pskill.exe (part of the PsTools Suite) from a second machine to kill processes on the infected machine.
So I started Process Monitor to find out which process is writing these files. It was a process with process ID 960, however over in Process Explorer there was no such process. I used TCPView to look at the network traffic and a "
I tried to kill 960 with pskill.exe but got an "Access Denied", using pskill.exe /t 960 says "success" but does not actually kill the process.
In comes Rootkit Revealer, right? It does show one issue but it looks harmless.
One other thing I noticed is that in Process Explorer I did not see a svchost.exe for all the network services. That's the one process that hosts over a dozen services; however, these services were running. Also, Process Monitor says the executable for process 960 is svchost.exe /netsvc.
I looked around and found some tools that show hidden processes; the one I ended up using is "ptree.exe". It shows one extra process marked "hidden", and that is the missing svchost.exe one. Even though the tool has the option to kill a hidden process, it did not work in my case. I guess because it runs all those network services along with the malware service, there was no way to kill it.
I looked for the service in the registry using OORegEdtor.exe (because regedit.exe was not present on the system anymore) but could not find an unfamiliar service.
I looked into svchost.exe a bit: when started, it takes its parameter, in this case "netsvcs", and looks up the registry value "netsvcs" in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost". This is known as a service group, a list of all the services to be started in that process, as long as they are set to autostart. Again though, that list looked okay.
At this point I downloaded some rootkit removal tools like Blacklight from F-Secure. It found the hidden process, but to remove it, it would rename the executable file on the next system startup. This is problematic because svchost.exe is used to host many other essential Windows services.
I looked at Autoruns.exe again with the "Verify Code Signatures" option enabled; on the Services tab there were three Microsoft services that were not verified. This means the executable files were different from the original signed Microsoft versions of the files. In this case the services were "W32Time", "Schedule" and "srservice".
After a bit more online research I found a tool called RootKitUnhooker, which also showed the hidden process and was able to kill it.
The two files in the root could now be deleted and there was no longer any network activity.
I installed AVG Free, which found a whole bunch of viruses on the system but could only delete some of them. It refused to delete the three infected service files listed above: "Object is white-listed (critical/system file that should not be removed)". I made sure those services were not running and then replaced the files with the copies from the "C:\WINDOWS\ServicePackFiles" directory. The dates and sizes of the files were the same, but they were indeed different.
Threats found by AVG:
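The svchost service-group lookup described above and the check that caught the three modified service files, as a script: resolve the group's members from the SvcHost key, find each member's ServiceDll and host executable, verify the Authenticode signature, and, where a ServicePackFiles copy exists, compare hashes the way the post did by replacing the files. This is an added example, not from the original post; it assumes an elevated Windows PowerShell 5.1+ session, and the ServicePackFiles\i386 directory is an XP-era location that is simply skipped when absent (on current Windows, catalog-signed files still report Valid or HashMismatch, which is the verdict that matters).

```powershell
# Added example (not from the original post): resolve an svchost service group
# and verify each member's service binary. Assumes an elevated PS 5.1+ session.

function Get-SvcHostGroupMembers {
    param([string]$Group = 'netsvcs')
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost'
    # The value is REG_MULTI_SZ: one service name per element.
    (Get-ItemProperty -Path $key -Name $Group -ErrorAction Stop).$Group
}

function Get-ServiceImage {
    param([string]$ServiceName)
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if (-not $svc) { return }
    # Services hosted by svchost keep their real code in Parameters\ServiceDll.
    $dll = (Get-ItemProperty -Path "$svcKey\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    # ImagePath is e.g. %SystemRoot%\System32\svchost.exe -k netsvcs; keep the .exe part.
    $image = if ($svc.ImagePath -match '^\s*"?([^"]+\.exe)') { $Matches[1] } else { $svc.ImagePath }
    [pscustomobject]@{
        Service    = $ServiceName
        Start      = $svc.Start     # 2 = automatic, 3 = manual, 4 = disabled
        ImagePath  = [Environment]::ExpandEnvironmentVariables($image)
        ServiceDll = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { $null }
    }
}

function Test-ServiceFile {
    param([string]$Path)
    if (-not $Path) { return 'n/a' }
    if (-not (Test-Path -LiteralPath $Path)) { return 'FileNotFound' }
    # HashMismatch here is what Autoruns shows as 'not verified': signed name, altered bytes.
    $status = (Get-AuthenticodeSignature -FilePath $Path).Status
    # Compare against the pristine copy the post restored from, when that directory exists.
    $sp = Join-Path $env:SystemRoot "ServicePackFiles\i386\$(Split-Path -Leaf $Path)"
    if (Test-Path -LiteralPath $sp) {
        $live = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $orig = (Get-FileHash -LiteralPath $sp   -Algorithm SHA256).Hash
        return "$status; ServicePackFiles copy " + $(if ($live -eq $orig) { 'identical' } else { 'DIFFERENT' })
    }
    return [string]$status
}

Get-SvcHostGroupMembers -Group 'netsvcs' | ForEach-Object {
    $s = Get-ServiceImage -ServiceName $_
    if ($s) {
        [pscustomobject]@{
            Service    = $s.Service
            Start      = $s.Start
            ImageCheck = Test-ServiceFile $s.ImagePath
            DllCheck   = Test-ServiceFile $s.DllCheck
        }
    }
} | Format-Table -AutoSize
```

A member whose ImageCheck is Valid but whose DllCheck is HashMismatch or DIFFERENT is exactly the pattern in the post: svchost.exe itself is untouched, and the malware lives in the DLL of one of the services it hosts, so killing or renaming the host process would take the legitimate services down with it. Comparing on hash rather than date and size matters because, as noted above, the replaced files kept both.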
- Trojan horse Dropper.Generic_c.ANE
- Trojan horse Agent.ATAT
- Trojan horse Agent.ATAS
- Trojan horse Generic12.WWC
However, if there are no unwanted processes running and no unwanted network traffic for a long period of time, you can be pretty sure your system is now clean.