Well that was fun.

I got hit with a case of drive-by malware this week. (serves me right for not keeping my AV up to date).

I’m going to recount the experience here so anyone dealing with a similar issue can learn what is happening to their system, and how they can recover it.

How it starts:
You visit a website that is knowingly or unknowingly hosting a malicious bit of code (most likely an exploit against a browser plug-in such as Flash), which installs the malware onto your system without asking. Once installed, this particular malware closed all of my open programs and threw out a slew of fake error messages made to look like they came from the operating system.

Then comes the hook…another window opens, again made to look like it comes from the OS, which “scans” your hard drive for problems. This “File Recovery” program then prompts you to purchase the full version to save your data. The scan is fake, nothing is wrong with the drive, and paying buys you nothing.

This is where I went into search and destroy mode. The malware does a few things to keep you from getting to it. Task Manager and Registry Editor are closed the instant you open them. The Start menu and Taskbar are completely jacked up, and almost nothing is reachable through the GUI. There are still ways to find out where the malware has hidden itself, though.

Command Line to the Rescue:
There was actually one way to get some information from the GUI. The malware’s “File Recovery” program included a desktop shortcut to itself. Right-click, select Properties, and the Target field tells us which .exe is causing the trouble.
So, I wanted to shut down the processes this malware was using, then remove it. But how do you identify the process when you can’t get into Task Manager?

Malware in action (highlighted where the malware files and processes are located)

Press Windows key + r to open the “Run…” Dialog.
Type cmd and hit enter
Type “tasklist” (or “tasklist /v”, which adds each process’s window title, so the “File Recovery” window is easy to match to its process)

I found the offending processes, and knocked out one with:

taskkill /pid <process ID #>

…then my computer rebooted. Another present from the malware. (Two notes for next time: without /f, taskkill only asks the process to close, so add /f to force it; and since killing a single process triggered the reboot, kill all of the malware’s processes in one command by giving taskkill several /pid arguments.)

Upon loading up again, things looked even worse. The Desktop was practically empty.
This is because the malware sets the hidden attribute on all of your files and flips the Folder Options setting back to not showing hidden files. Before the reboot I could still see my files because I normally run with the option to show all files; the change to my profile’s folder options did not take effect until the reboot.

So first I verified everything was actually OK. Back into the command line, then “dir /a” (the /a switch lists files regardless of their attributes, hidden ones included) to see that everything was still where it should be.

At the top, you can see how the “dir” command returns nothing, but adding /a shows your files.

Now let’s remove this malware once and for all.
Windows key + r, then type “msconfig”
On the Startup tab we can easily stop the malware from running at system startup. (msconfig covers the Run registry keys, the Startup folders and, on its Services tab, services; it does not show scheduled tasks, so those are worth a separate look.)

msconfig utility

Those random strings of characters don’t look sketchy at all.

Then I went back into the command line to kill the processes (it did not reboot the system this time).
Then I could remove the malware files and have a clean system once more. Since drive-by kits often drop more than one payload, it is still worth following up with a full scan from an up-to-date AV before trusting the machine again.
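The tasklist/taskkill and msconfig steps above, done from an elevated PowerShell prompt, as an added example that is not part of the original post. It lists processes by image path and publisher, kills everything running from the suspect image at once, walks the same Run keys and Startup folders that msconfig’s Startup tab reads (plus scheduled tasks, which msconfig does not show), removes the Run value that launches the malware, and finally deletes the file. The path in $suspectExe is a hypothetical placeholder; take the real one from the shortcut’s Target field.

```powershell
# Added example, not from the original post: the tasklist/taskkill and msconfig
# steps done from an elevated PowerShell prompt, with the startup locations
# msconfig reads checked directly. $suspectExe is a hypothetical placeholder;
# take the real path from the shortcut's Target field.
$suspectExe  = 'C:\ProgramData\xk3jd9s.exe'
$suspectName = [IO.Path]::GetFileName($suspectExe)

# 1. Processes with their image path and publisher. Rogues like this one
#    usually run out of ProgramData, AppData or Temp with no company name.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -match '\\(ProgramData|AppData|Temp)\\' } |
    Select-Object Id, ProcessName, Path,
        @{ n = 'Company'; e = { $_.FileVersionInfo.CompanyName } } |
    Format-Table -AutoSize

# 2. Kill every process running from the suspect image in one go; the reboot
#    after killing a single process suggests a second process watching it.
Get-Process | Where-Object { $_.Path -eq $suspectExe } | Stop-Process -Force

# 3. The persistence points msconfig's Startup tab shows (Run/RunOnce keys and
#    the Startup folders), then scheduled tasks, which it does not show.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($name in (Get-Item $key).Property) {
        $value = (Get-ItemProperty -Path $key -Name $name).$name
        "$key\$name = $value"
        # 4. Remove only the value(s) that launch the suspect image.
        if ($value -like "*$suspectName*") {
            Remove-ItemProperty -Path $key -Name $name
            "  removed"
        }
    }
}
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName
schtasks /query /fo LIST /v | Select-String 'Task To Run'

# 5. With nothing left running from it or starting it, delete the file.
Remove-Item -Path $suspectExe -Force
```

Run it from a 64-bit PowerShell on a 64-bit Windows, since a 32-bit shell cannot read the image path of 64-bit processes and the rogue would simply not appear in step 1.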

The Aftermath:
Even though the malware is gone, the computer is still in sad shape. All of my files are hidden, and all sorts of settings have been modified.
The hidden files are easy to fix.

Go back to the command line, and enter:

 attrib -h /s /d *.*

at the root of your C: drive, from an elevated prompt. This will unhide everything on your drive, including folders Windows hides on purpose; files also marked System are left alone, since attrib refuses to clear -h on a system file unless you clear -s too. If you only want your own files back, run the same command from your user profile folder instead.
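The same repair scoped to the user profile, as an added example that is not part of the original post. It clears only the Hidden bit, skips anything also marked System (desktop.ini and the like), and skips AppData on the assumption that the malware only hid the user’s visible documents; drop that filter if your AppData contents went missing too. It runs as a dry run until $DryRun is set to $false.

```powershell
# Added example, not from the original post: the attrib -h step scoped to the
# user profile. Only the Hidden bit is cleared, only on items not also marked
# System, and AppData is skipped (assumption: the rogue did not touch it).
$root    = $env:USERPROFILE
$DryRun  = $true
$hidden  = [IO.FileAttributes]::Hidden
$system  = [IO.FileAttributes]::System
$skipDir = '\\AppData\\'

$items = @(Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object {
        ($_.Attributes -band $hidden) -and
        -not ($_.Attributes -band $system) -and
        $_.FullName -notmatch $skipDir
    })

foreach ($item in $items) {
    if ($DryRun) {
        "would unhide: $($item.FullName)"
    } else {
        # Clear the Hidden bit and leave every other attribute as it is.
        $item.Attributes = $item.Attributes -band (-bnot $hidden)
        "unhid: $($item.FullName)"
    }
}
"$($items.Count) hidden item(s) found under $root"
```

Review the dry-run list first: anything you recognise as a folder Windows hides on its own can be left as it is, and everything else is what the malware touched.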

Now it’s just the matter of resetting Taskbar and Start menu settings, and we’re back in business.


One response

  1. The tools I use on a regular basis to clear out malware like this are: rkill.exe to kill active malware processes, HiJackThis to scan and review where all the hooks are, ComboFix for major problems in a full sweep, which is basically the best anti-malware software ever made, and Malwarebytes if I have to go somewhere and I want to leave something working while I am away.
