
Reply to "FAQs About Malware on Auctiva.com Last Week"

Hi Community,

We have received reports from several customers who believe they may have been infected with a virus when the Auctiva.com site was infected within the last week, and we have asked one of our engineers with experience in this area to compile a list of things that may help and posted that information below. We cannot guarantee this information will help everyone who may have been affected in this manner and we assume no risk or liability for providing this information, so it is up to you to decide whether you would like to try what is being mentioned here. If this information helps even one customer, the effort required to compile it will be worthwhile.

One of the problems most of you may have noticed is that even after your anti-virus software says your computer is clean, you keep getting messages that you have been re-infected. This is not what is happening (technically it is, but not in the way you might think). The problem is that most of the anti-virus programs out there do not know the originating file for the virus yet; there are only 3 known versions that are currently detecting and removing the host-virus files. When your current software detects the files, it is detecting “distraction” files to make you think the machine is clean, and these files are generated by the host-virus. In order to completely clean the machine, you will need to locate and remove the host-virus files and all of their associated components. It is more important to remove the host file so that it does not re-generate itself, which will give you time to back up your files, gather your software licenses and get your computer the latest updates or re-install your operating system (not a re-format, a re-install to replace files that may have been deleted or lost to the virus). The tools below are listed in the order you will need to use them, depending on how complex removing the infection gets.

Before doing anything here, you should try to restore to a previous point in time (if you are using Windows XP) using the System Restore functionality, and that point in time should be prior to the day you first recognized the infection. Most of the time, this will fix the problem or at least get things good enough for you to run the other programs and remove any remnant files. If you still have the infection, you’ll need to start with the tools below. The links provided here are from highly trusted sources that you can independently verify.

Tools that you will need or want to have

1. There are only 3 programs right now that are detecting and removing the host files (choose one):

a. Avast Anti-Virus
b. Sophos
c. VBA32

Again, the files that the other anti-virus programs are currently detecting are the “oil slick” for the anti-virus programs to make you believe the files have been removed. Usually, this is not the case and the above 3 programs are the only ones currently identified as having the definitions to remove the file where the other files are originating from. Some of the variants of this infection are called (this will help with Googling):

a. Mal/Dropper-AE
b. Troj/Agent-IWW
c. Mal/Generic-A
d. Trojan.Rincux.AW
e. Win32:Refpron
f. Trojan_Gamethi.eal
g. Trojan_WoW.cs
h. Trojan_GameThief.AW

2. HijackThis – This software is completely free and is the industry standard for identifying files, processes and registry keys that should not be there. A majority of the time, you will not see these items in the standard views within Windows or Task Manager, so you’ll have no idea that they are even there. This software identifies, with incredible precision, those items that you will not recognize and assists in the process of removal.

3. Blacklight by F-Secure – this software is a free Root Kit detection program. A Root Kit is a set of files and programs designed to hijack your entire computer and the majority of virus and malware sites use this to further inject things into your computer or capture your data. Blacklight is free and is used to detect and remove a root kit if you have one. There are others out there, but this one has never let me down and I highly recommend it.

4. Combofix.exe – This is a very reputable program for removing malware/spyware/virus software and may be a little advanced for most, but it has the highest effective kill rate of malicious software, including most root kit detection. If you are serious about getting rid of your problem, you will need this utility to do it.

5. ProcessExplorer (SysInternals) – This software is very popular in the business computing world… it helps find rogue processes running on your computer that shouldn’t be and is a good tool for identifying things that don’t show up in the Task Manager or other common places. It is currently hosted and maintained by Microsoft.

6. Microsoft Recovery Console – this is not required for Combofix to work, but definitely recommended for recovering a fatal crash on your computer and it can save you when your system restore point is corrupted. Combofix will automatically download this for you if you require it.

7. SmitFraudFix – This is also a well-known hacker-unfriendly application that identifies a huge variety of malware/spyware/viruses and removes them. This is more effective for some of the older malicious software that has been resurrected and some of the more recent variants, but has worked in cases when other software didn’t.

For all of these programs, you can do your own independent research and make a decision to use them or not, but they are all free and have worked in every instance thus far for removing infections.

Steps to Detect/Prevent/Remove Malicious Files

These steps MUST be followed in the order that is explained here or there will be much less certainty of cleaning your computer. Please make sure you print this out and that you understand the steps. If you do not understand them, there is a list of resources below that will further explain things for the individual pieces listed here.

1. NUMBER ONE – GET ALL MICROSOFT UPDATES BEFORE ANYTHING ELSE! The key to getting infected or hacked is not having the updates that Microsoft specifically puts out to safeguard against these kinds of attacks. In most cases, when an exploit has been identified, Microsoft will patch it fairly quickly. This is 95% of how people get infected; the other 5% is people who are insane enough to have no anti-virus or anti-spyware software on their computers while they surf the internet. If you can’t get the updates online, you will need to download them to a thumb drive or burn them to a CD and install them.

2. Now that you have the operating system updates, make sure you’ve downloaded the tools and printed the directions here. You should now run a complete scan of your machine using one of the anti-virus programs mentioned above. This has a higher degree of success in removing the infected files instead of manually going through steps to do it yourself. Even after a full-scan, you will probably want validation of the removal by following the manual steps. If your anti-virus software does not detect the programs that are running, you will need to go on to the next step. If it does, remove the infected files and restart the computer. Do another full scan to verify that the computer is clean after reboot. To be safe, you should do one more scan within a 24-hour period since some infections will “sleep” for a period of time to increase their chances of not being detected.

3. Go to www.opendns.com and follow the steps for signing up there. It is 100% free and keeps a current list of malware/spyware/virus websites which will automatically plug in to your computer’s DNS lookup or home router (or DNS servers if you are a business) and BLOCK all of these sites from you being able to access them intentionally or otherwise. It puts a layer of prevention and protection on your computer that is almost impossible to beat. It has incredible benefit and is used by millions of people and businesses. If your computer tries to go to a known infected site/address for any reason, your browser will display a re-directed page to opendns.com and not allow you to become infected. Before doing anything else, I recommend this because if requests are going out to the internet from your computer without you knowing it, and they are downloading more malicious software, then this service will prevent it the minute you complete the set up process. It will ensure that you aren’t allowing anything else through the internet to get to your machine (providing it has been identified as a known malicious site). Again, it is added protection that is free. After setting this up, go to the next step. At this point, you have taken the biggest steps in preventing further infection, but now you have to contend with the one you have.

4. Open up the ProcessExplorer software and keep it open so that you can monitor any processes that are running (usually within svchost.exe). You will want to look for processes that are not part of any programs you recognize or do not have the same properties as the other processes (such as Microsoft specific properties). This can sometimes be hard to detect, but if you leave it open while going through the next steps, there is a chance you can find the process or file that the virus is running from. From there, you can make much more progress at removing dependent files that it creates or uses. If you don’t see anything in this program or don’t understand how it works, just move on to the next step.

5. Do a search in Windows for all files that have been modified in the past few days since you were infected. The list should include only files that you know have been changed. Anything else, you will want to put into a list of some sort and keep it handy because you will likely need to come back and clean up these files once you’ve found the host that is creating them. More detailed information on what kinds of files to look for, names, locations, etc. can be found below. Once you have the list of all files modified since your infection started (or slightly before), you can start looking for patterns between the files that help identify if they are associated with a known infection, and you can google the names of them to see if anyone else knows. This helps narrow down looking for the needle in the haystack.

a. The following files are known to be host-infection files for the more common type of infection that people are infected with:

i. Msrstart.exe
ii. Nxtepad.exe
iii. Afisicx.exe
iv. W.exe

b. If any of the above files show up on your computer, you are likely infected. These will reside in the System32 folder and you can check the properties of them to see if they are related.

6. Open HijackThis and run a full scan of your system. Usually, the report from this can be shared with forums and communities to identify the culprit for infections (there are experts that are very familiar with this). These reports can sometimes be very long, so posting them into this Auctiva community for review is not recommended. The log file from HijackThis will reveal a lot of information about what is running on your computer that you might not even be aware of. Using this log, experts in this area can further assist you. Identify anything in the list that is not familiar to you.

DO NOT take action on this list yet; we will return to that in another step. The things to be particularly suspicious of are anything located in the registry in the “****/Software/Microsoft/CurrentVersion/Run” sections. This is the most common place for a virus to execute from because it will run every time you start Windows, so even if you remove the contaminating files, the one referenced in this area is usually the originating infection, so that it can re-infect the computer after a reboot, even after a virus scan comes up clean. You should compare this with the next step to determine if this is the case and especially be looking for any of the files mentioned in the previous step.

7. In Windows, go to Start -> Run and in the box that comes up, type in “msconfig” and enter. The screen that comes up will have tabs at the top of it and you will want to look in the “Services” and “Startup” tabs for items that do not match installed software or bear a Microsoft or verifiable signature. The suspicious items will usually not have a directory location for the files listed, or they will be running out of the “Windows\System32” folder. This is the common place where these types of infections linger and wreak havoc on the operating system. There are some files in this folder that should run at startup from the system folder as part of the operating system, but they will usually have a reference to a program that you’ll recognize. In some very rare cases (depending on the variant of the virus), they can mask themselves as legitimate programs, but in those circumstances the anti-virus software is pretty good about catching them. What you are looking for in this list is anything suspicious but more importantly, anything that is suspicious AND matches an entry from HijackThis or is listed as one of the known malicious files of this virus. Those will be the areas of focus. The file listed in msconfig under the “Startup” section will likely reside in system32, so you’ll want to open up that folder for the next step.

8. If at this point you have identified something that you think may be the root infection, you will need to validate it prior to doing any kind of removal. The first and best thing to do is to Google the file and see if it is known to be part of Windows or other known software. If not, go to the location where the file(s) exist. Make sure you are able to view hidden files and system files by going to “Tools -> Folder Options -> View tab” and checking those off in the list. This will allow you to see files that are hidden by default, which is where infections like to stay hidden but still might not be visible to you. Once you can see the file, you should right-click on the file and go to “Properties”. In most cases, you should see detailed information about what that file belongs to. Usually, for the majority of products, there is author, copyright, version, etc. information. If it is a malicious file, it will rarely contain any of these features. If you have successfully identified one of the files as matching this type of profile, you will need to remove it. This is not as simple as just deleting the file; there are several steps that will need to happen. What is important is that you document the names of the files that you suspect, the locations of those files, any registry keys associated with those files and any information you may have gained from the above steps that can assist you or someone else trying to help you.
NOTE: Make sure you backup any important files before attempting to delete system files!
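The checks in steps 4 through 8 (recently modified files in System32, the four known file names, missing vendor metadata in the file properties, the Run keys, and unrecognised running processes) can be gathered into one report so that nothing is missed and the result can be saved alongside the HijackThis and ComboFix logs. The script below is an added example; it is not part of Mike's post and not from any of the tools he lists. It assumes PowerShell 3.0 or later running as an administrator, which is newer than the Windows XP systems the post is aimed at. The function names, the Days parameter and the report columns are this example's own; the four file names come from step 5 and the two Run key paths from step 6.

```powershell
# Added example, not from the original post. Assumes PowerShell 3.0+ running
# as administrator. Function names, the $Days parameter and the report fields
# are this example's own; the file names and the Run keys come from the post.

# Host-infection file names listed in step 5 (compared case-insensitively)
$KnownHostFiles = @('msrstart.exe', 'nxtepad.exe', 'afisicx.exe', 'w.exe')
$System32       = Join-Path $env:windir 'System32'

# The "CurrentVersion/Run" locations that step 6 singles out
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Step 5 + step 8: files in System32 modified in the last $Days days, flagged
# when the name is on the known list or the file carries no vendor metadata
function Get-RecentSystem32Files {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $System32 -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        ForEach-Object {
            $vi = $_.VersionInfo
            [pscustomobject]@{
                Path        = $_.FullName
                Modified    = $_.LastWriteTime
                KnownHost   = $KnownHostFiles -contains $_.Name.ToLower()
                # Legitimate binaries almost always carry company or description text
                HasMetadata = -not ([string]::IsNullOrWhiteSpace($vi.CompanyName) -and
                                    [string]::IsNullOrWhiteSpace($vi.FileDescription))
                Signature   = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

# Steps 6-7: every Run-key value, resolved to the executable it launches
function Get-RunKeyEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider bookkeeping, not a Run value
            $cmd = [string]$prop.Value
            # First token of the command line, quoted or not, with %vars% expanded
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $exists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $cmd
                Exists     = $exists
                InSystem32 = $exe -like "$System32\*"
                KnownHost  = $KnownHostFiles -contains ([IO.Path]::GetFileName($exe).ToLower())
                Signature  = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'missing' }
            }
        }
    }
}

# Step 4: running processes whose image does not carry a valid Authenticode signature
function Get-UnsignedProcesses {
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
        $status = (Get-AuthenticodeSignature -FilePath $_.Path).Status
        if ($status -ne 'Valid') {
            [pscustomobject]@{ Pid = $_.Id; Name = $_.Name; Path = $_.Path; Signature = $status }
        }
    }
}

# Print the three reports; keep the output with your HijackThis and ComboFix logs
"=== Files in System32 modified in the last 7 days (known names first) ==="
Get-RecentSystem32Files -Days 7 | Sort-Object KnownHost -Descending | Format-Table -AutoSize
"=== Run key entries ==="
Get-RunKeyEntries | Format-Table -AutoSize
"=== Running processes without a valid signature ==="
Get-UnsignedProcesses | Format-Table -AutoSize
```

Read the Signature column as a pointer, not as proof: on older Windows versions many genuine Microsoft files are signed through security catalogs rather than embedded signatures and can show as NotSigned, so, exactly as the post says, it is the combination of a suspicious name, a Run-key entry launching from System32, and a file with no author or copyright information that should be documented and researched before anything is deleted.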

9. Boot into Windows Safe Mode by pressing the F8 key repeatedly while Windows is loading. This will bring you to a loader that will give you a selection to choose from. You’ll want to choose “Safe Mode” or “Safe Mode w/Networking” if you will need to access the internet for any reason. If asked to continue to stay in Safe Mode, click “Yes”.

10. At this point, you will want to run the Combofix.exe utility. Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix! Please visit HERE if you don't know how to disable them. You should not be running any programs or doing anything on the computer while this runs. Follow the instructions when running this program. It will reboot your computer to finalize the cleaning, so you must log back in to safe mode when rebooting by pressing F8 again on reboot. After the reboot, it will finish and write out a log file. You will need to save this log file, similar to saving the HijackThis log. You should keep all log files and records of what you are doing in one place. If someone asks you for this file, you’ll want to send it to them for analysis to see what was removed in case anything was a Windows component that needs to be replaced. In some cases, it also resets the clock in Windows which can be a little annoying, but it doesn’t happen to everyone.

11. After Combofix.exe has completed, you’ll want to run Blacklight again to make sure there is no Root Kit on the computer. It should come back clean, but if not, it will remove it providing it finds it. After getting rid of any root kits that could be there, do a full anti-virus scan again. All of this should be done in Safe Mode because nothing external will be running. This is important because if you scan clean, but show re-infection after a restart, it means that the original host file made copies of itself or is still lingering when booting up. If you found a malicious file previously, you’ll want to check to see if the file is still there after the Combofix utility ran. If it was not removed, chances are that the utilities will not catch it (this happens if it is a very very new variant of infection that hasn’t had time to be identified by the people who maintain these programs). This is where things get much more advanced and difficult, but not impossible. With a few simple utilities and basic knowledge, you can resolve the problem yourself but you will need to have some patience and it would help to have an uninfected computer to browse the internet with. If the files that you were originally suspicious of were removed by Combofix, there is a good chance you are infection free.

12. Run another HijackThis scan and compare it to the original scan paying specific attention to the suspicious files or registry keys. Again, you want to see that they were removed from the list. If not, you will need to try these steps again before attempting a more advanced fix.

13. Reboot your computer normally, providing that the HijackThis log looks clean, that your anti-virus software produced a clean scan and that the Root Kit detection was clean. At this point, you are ready to verify that the infection is gone by booting into Windows normally and seeing if any of the removed files re-appear. Now that you are in Windows normally, you’ll want to do one last final scan using all of the above mentioned products. If those scans do not show infection, then there is a fairly high degree of confidence that you are infection free.

If these basic steps above haven’t helped you, here is a lot of additional information that can be used to step through an advanced manual removal process as well as some other helpful resources:

http://novirusthanks.org/blog/?p=994 - specific to variants of virus discussed here

http://novirusthanks.org/blog/?cat=35 - list of detections and workarounds for other infections

http://support.microsoft.com/kb/307654 - installing the ms recovery console

http://mvps.org/winhelp2002/hosts.htm - hosts file that blocks all known ad sites and malicious sites

http://www.threatexpert.com/re...1a47ff208ef47a348f27 – info on infection

http://www.prevx.com/filenames...1/MSRSTART2EEXE.html - info on infection

http://download.bleepingcomput...om/sUBs/ComboFix.exe - download Combofix (trusted)

http://www.download.com/Trend-...8022_4-10227353.html - download HijackThis (trusted)

http://www.bleepingcomputer.co...sources/link243.html - download SmitFraudFix (trusted)

http://download.sysinternals.c.../ProcessExplorer.zip - download ProcessExplorer (trusted)

ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe - download BlackLight from f-secure

http://www.bleepingcomputer.com/forums/forum22.html - spyware removal forums

-Mike
Last edited by auctivamiked
Copyright © 1999-2018 Auctiva.com. All rights reserved.