Thursday, December 6, 2012

Removing a Virus from Startup with Autoruns

My experience lately has been that many viruses/malware only infect the profile of the user who was logged on at the time of infection. This is due mostly to the security of the operating system and browser, which generally limit activity to the user profile. However, even older XP machines with users running as a local administrator benefit when the malware assumes that it needs to infect the user profile rather than system files.

If malware is limited to a profile, it makes removal of the malware much easier. Log off as the infected user and log on as a user that is not infected. If the malware is only in the user profile this is just as effective as scanning the hard drive externally from another computer.

Today I had the pleasure of dealing with System Progressive Protection. It is very aggressive fake antivirus software. Once it is in the system, you can't run most tools because it blocks them. However, it was limited to the user profile. When I logged on as another user the system was fine.

My preferred tool for removing this type of malware is MalwareBytes Antimalware (http://www.malwarebytes.org). It removes much of the malware that many antivirus programs miss. In this case it picked off some instances of System Progressive Protection, but when I logged on as the original user the malware was still there.

To identify the startup of this malware I used the Autoruns tool from Microsoft (http://technet.microsoft.com/en-ca/sysinternals/bb963902.aspx). Autoruns shows all of the potential startup locations for an application and goes well beyond the locations shown in MSConfig. You can run this tool as one user, but view the autoruns for another user. This is what allowed me to find the location of the malware.

In Autoruns, in the RunOnce key for the infected user, there was a path that pointed to a location in the Application Data folder of the All Users profile. When I went to view the files, they had been created with today's date. So, I removed the RunOnce entry and all was good.
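As an added example (not part of the original post, and not the Autoruns tool itself), here is a PowerShell script that performs the same check by hand: it walks the Run and RunOnce keys of every user hive loaded under HKEY_USERS, flags any launch string that points into a user-writable data folder such as All Users\Application Data or ProgramData, and reports when the referenced executable was created. The hive name `InfectedUser`, the profile paths in the comments, and the folder pattern are placeholders and assumptions of this example; it assumes Windows PowerShell 2.0 or later run from an elevated prompt while logged on as an uninfected user.

```powershell
# Added example: list Run/RunOnce entries for every user hive and flag the
# ones launched from user-writable data folders. Not the original post's
# code; assumes Windows PowerShell 2.0 or later, run from an elevated
# prompt as an uninfected user.

# To inspect a user who is not logged on (what the Autoruns "User" menu
# does for you), load that profile's hive first and unload it when done.
# <name> and InfectedUser are placeholders:
#   reg load   HKU\InfectedUser "C:\Users\<name>\NTUSER.DAT"                   # Vista and later
#   reg load   HKU\InfectedUser "C:\Documents and Settings\<name>\NTUSER.DAT"  # XP
#   reg unload HKU\InfectedUser

# Folders an ordinary user can write to; a startup entry pointing here is
# worth a second look. Covers both the XP and the Vista+ layouts.
$UserWritablePattern = '(?i)\\(ProgramData|Application Data|AppData|Temp|Local Settings)\\'

$RunKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutablePath {
    # Pull the executable out of a launch string such as
    #   "C:\ProgramData\xyz\abc.exe" /silent
    # and expand any %VAR% references. Returns $null if none is found.
    param([string]$LaunchString)
    if ($LaunchString -match '(?i)^\s*"?(?<exe>[^"]+?\.exe)') {
        return [Environment]::ExpandEnvironmentVariables($Matches['exe'])
    }
    return $null
}

function Get-UserRunEntries {
    # Enumerate Run/RunOnce values under one user hive, e.g.
    # 'Registry::HKEY_USERS\S-1-5-21-...' or 'Registry::HKEY_USERS\InfectedUser'.
    param([string]$HiveRoot)
    foreach ($sub in $RunKeys) {
        $key = "$HiveRoot\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $values.PSObject.Properties) {
            # Skip the registry provider's own metadata properties.
            if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $cmd = [string]$prop.Value
            $exe = Get-ExecutablePath $cmd
            $created = $null
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $created = (Get-Item -LiteralPath $exe).CreationTime
            }
            New-Object PSObject -Property @{
                Hive       = $HiveRoot
                Key        = $sub
                Name       = $prop.Name
                Command    = $cmd
                Executable = $exe
                Created    = $created
                Suspect    = [bool]($cmd -match $UserWritablePattern)
            }
        }
    }
}

# Every loaded user hive except the *_Classes hives and .DEFAULT.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' -and $_.PSChildName -ne '.DEFAULT' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }

$entries = foreach ($h in $hives) { Get-UserRunEntries -HiveRoot $h }

# Suspect entries first. A file created today under the All Users data
# folder and launched from RunOnce is exactly the pattern described above.
$entries | Sort-Object Suspect -Descending |
    Format-Table Suspect, Key, Name, Executable, Created -AutoSize

# Once an entry ($e) is confirmed malicious, remove just that value, not the key:
#   Remove-ItemProperty -LiteralPath "$($e.Hive)\$($e.Key)" -Name $e.Name
```

The script only reads the registry; the removal line is left as a comment so that each flagged entry is checked (publisher, creation time, whether the path is one you recognise) before anything is deleted. Loading another user's NTUSER.DAT requires that user to be logged off, which is the same condition the post relies on.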

Just to test it out, I updated the definitions in MalwareBytes (they update several times per day) and scanned the folder. The folder came up clean even though it was obviously the source of the malware: removing the entry had stopped the malware, and when you browsed to the files in Explorer they displayed the same icon the malware used in the system tray. Lucky me, I found a variation of System Progressive Scan that wasn't recognized yet.
