Cleaning up a compromised system

Got a computer that's acting funny?

Overview/Expectations

This guide targets versions of Microsoft Windows that primarily run 32-bit (or newer) code. For end users, this typically just means Windows 95 or anything newer. (Such a description may also refer to Windows NT.) Much of this guide might also be applicable to some other platforms, possibly substituting /home/ as a directory to be wary of.

Realistic expectations: what this guide does not do

This guide is not meant to keep out the likes of Stuxnet. (See: expectations of anti-malware.) However, such attacking software is not what is commonly noticed by most end users. As for what is commonly found, sometimes malware damages the software setup substantially enough that the computer cannot effectively repair itself without performing more extensive repair efforts. An example of what is meant by “more extensive repair efforts” would be backing up software, deleting all content on the drive, re-loading the operating system, and performing other steps to get the system pleasantly set up. This guide attempts to get things fixed and operational fairly quickly, and may have some noticeable speed advantages over more thorough approaches, but the quicker steps mentioned by this guide may not always successfully get a system back in good shape.

According to general theory, a compromised system cannot be trusted until it has been sufficiently cleaned. (This may be a good time to provide a reference to a discussion about getting the system cleaned so sufficiently that it can be trusted again. However, the Guide to getting a system trustworthy is still rather incomplete at the time of this writing.) Compared to a thorough deletion and reload of the operating system, the processes described by this guide are less likely to get a system fully cleaned of malware. Those who wish to be very cautious, despite the expense, may find this guide to be less useful, worthless, or even worse (detrimental/harmful).

Despite the lack of any absolute guarantee, the simple reality and truth is that a lot of malware can be cleaned up without a whole lot of difficulty. There are many cases where some simple steps might just remove a problem, causing a system to once again be in a state where the computer can be used normally. The steps in this guide are meant to try to restore that ability with fairly minimal fuss. In many cases, this type of process can lead to apparent success within a few or several minutes, rather than the timeframe of a more thorough approach that could take twenty minutes (on the short side) or (much more commonly) multiple hours. When people are getting paid per hour, and deadlines are important, and risk is considered low, then many people find this type of approach to be sufficient.

This type of process is probably the type of steps that are commonly implemented by commercial computer companies that provide the service of malware clean-up. So, these steps are not substantially inferior to what is commonly utilized/implemented. (These steps may, in fact, be pretty close to what is typically performed, or may even be superior to what is often done in practice.)

Opinion

It is the opinion of the author of this text that such quick clean-ups are relatively untrustworthy. Far better is to follow an elaborate process of making a computer trustworthy again. (This opinion is based more on the theory of computer trust/safety than on solid facts derived from real-world experience.)

However, it is also recognized that some people may really desire to avoid a process to more fully regain trust. If this guide helps people to get back up and running more quickly, that seems like a positive thing.

Proper handling of problems

This guide is mainly about how to get the computer to stop running malicious software. Note that there may be other steps to take. For instance, a person working at an IT Help Desk might make a good choice by deciding to inform an end user of what will be happening, and making sure that end user has a copy of any data that the user will want to work with while a specific computer is going through the cleaning process.

Instantly deleting all of the files that appear to be related to malicious software might ruin the ability to perform some forensics, possibly including a review of logs that provide details of just what happened.

Exploring the computer, or other components of a network, might provide additional insights regarding just how the computer ended up being compromised in the first place.

All of those steps are beyond the scope of this guide (other than the brief mentions that were just made). This guide is mainly just about getting one computer system to stop running malicious software. However, before following all of the other steps of this guide, do think about what steps are wise to take. Always try to think of the consequences of actions, and make a determination about whether those will be desirable (or not).

As a specific example, the author of this text recalls a situation where a team of college students participated in a cyberdefense competition. Malicious software was placed on a computer. Upon discovering this, the software was instantly feared and deleted. Later, it was thought that the deleted directory of data may have been able to provide some clues about what the malicious software was designed to do, which may have provided more insight about other activities that an attacker may have performed. Simply making a controlled copy of that data, before deleting the only copy, may have provided some options that got lost because of a hasty decision.

In some cases, letting malware continue to run may result in further problems. But, in some cases, taking time to be more careful may provide much better results. This guide isn't trying to say which direction to go. Simply, think about what the consequences are before taking action. Keep those consequences in mind when making a decision about how to proceed.

Preparation

It is a good idea to start by making a disk image. Making such a disk image may take some time. (Perhaps quite commonly this may take a matter of hours.) Also, this requires some space to store the copy, and perhaps a bit of know-how. Making a backup copy of an entire machine could be quite time consuming. However, it often will not take a whole lot of interactive time. This may be a process that a person can just start, and then leave running for hours (and even overnight). If interactive time is expensive/costly, but getting the system clean is less urgent and letting the system perform work over a length of time is a non-issue, then a full disk image backup may be useful.

With any data that is really valuable, this process is recommended. After all, the term malware comes from the nature of the software: it is malicious. Sometimes quick clean-up processes may actually make a system operate worse than before. Having a backup copy might be the only way to revert to a less damaged state.

It is often a good idea to make sure that end users have access to any data which was on the machine. Ask the user what data will be needed during this time. Get that data copied to a location where it will be accessible. (See: backing up data. Details about transferring files might also be useful, although if a machine is known to be infected then quarantining it, by keeping it off of any network that needs to be trusted, may be more sensible.)

Using pre-existing anti-malware software

If software has already detected an issue, then that software may have the ability to clean up the software. Even if that is not true, the software that detected a problem will often be able to assign some sort of identifier to the problem. That identifier can often be used to locate online information, sometimes accessible as easily as clicking on a hyperlink in the anti-malware software. Check out the options provided by the vendor who creates the anti-malware software that detected the issue, because that information will often be useful in recovering from a problem.

How to see what is running

View the full path for the executable of everything that is running. Details are at: identify the command line for software that is currently running.

Make sure to view processes of all users. (For users of Microsoft Windows, this tip can apply when using the approach of running Windows Task Manager in Windows Vista or newer.)

Note: If a system's graphical interface is fully blocked, using WMI from a remote system might be helpful. (See Checking CPU usage of command line programs, which shows how to do this on a local system; WMI has details about remote usage.) However, intrusive malware might prevent executables from running, which could also affect WMI.

Identifying problems

Look for any executables that are being run from known problematic areas, or even executables that are being run from unauthorized locations.

Overview: what to look for

Directories for Microsoft Windows

As a general rule, programs that are authorized and running should be in either “%windir%\” (which is generally “\Windows\”) or “%ProgramFiles%\” (which is generally “\Program Files\”) or, if a 64-bit operating system is used, 32-bit software may be installed to “%ProgramFiles(x86)%\” (which is generally “\Program Files (x86)\”). (In all of these cases, these directories are generally on the C: drive.)

In general, it is NOT good for programs to be running from

  • “%LOCALAPPDATA%\” (e.g. “C:\Users\MyUsrNam\AppData\Local\”)
  • or “%APPDATA%\” (e.g. “C:\Users\MyUsrNam\AppData\Roaming\”).

Many pieces of malware have been found in one of those two locations.

Other locations which are often bad are:

  • anything else under “%USERPROFILE%\” (e.g. “C:\Users\MyUsrNam\”)
  • or “%PUBLIC%\” (e.g. “C:\Users\Public\”)
  • or “%TEMP%\” (if that directory location is set under “%LOCALAPPDATA%\”)
  • or “%TMP%\” (if that directory location is set under “%LOCALAPPDATA%\”)

The example directories given have been under C:\Users\, which is where user directories are typically stored under Windows Vista and newer. On older operating systems, such user data is typically stored under C:\Documents and Settings\.

In all these examples, the reference to “MyUsrNam\” is meant to be customized for the currently logged in user. Actually, to be more thorough, these checks could be done for any user who has logged into the machine. (Conceptually this is like \Users\*\AppData\, although a typical built-in Microsoft Windows command line is not likely to expand the wildcard for the names of directories.)

Running:

systeminfo | find /i "System Type"

may be able to identify whether the operating system is 32-bit (x86) or 64-bit. Otherwise, the System control panel applet will show whether a system is 64-bit. The significance is whether to also check “%ProgramFiles(x86)%\” (which is generally “\Program Files (x86)\”). (Another way is simply to check whether %ProgramFiles(x86)% has been set.)
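The checks from “How to see what is running” and the directory rules above, as an added PowerShell example that is not part of the original guide: it lists every process for every user with its full executable path and sorts each path into the categories the text describes. Get-PathCategory is an assumed helper name; the script assumes an elevated prompt (otherwise other users' processes report no path).

```powershell
# Added example, not the guide's own code. Lists every running process for all
# users with its full executable path (WMI/CIM; add -ComputerName to query a
# remote machine) and classifies that path with the directory rules above.
# Assumes an elevated prompt; otherwise other users' processes report no path.

$trustedRoots = @($env:windir, $env:ProgramFiles)
if (${env:ProgramFiles(x86)}) {          # set only on 64-bit Windows
    $trustedRoots += ${env:ProgramFiles(x86)}
}
# Profile roots: \Users\ on Vista and newer, \Documents and Settings\ on older systems.
# Matching any profile name covers every user who has logged on, not just the current one.
$profileRoot = '^[A-Za-z]:\\(Users|Documents and Settings)\\'

function Get-PathCategory([string]$Path) {
    if (-not $Path) { return 'unknown: no path reported (system process, or not elevated)' }
    foreach ($root in $trustedRoots) {
        if ($Path -like "$root\*") { return 'expected' }
    }
    # %LOCALAPPDATA% and %APPDATA% of any user; a %TEMP% under AppData\Local lands here too
    if ($Path -match ($profileRoot + '[^\\]+\\AppData\\(Local|Roaming)\\')) {
        return 'SUSPECT: AppData'
    }
    if ($Path -match ($profileRoot + 'Public\\')) { return 'SUSPECT: Public profile' }
    if ($Path -match $profileRoot)                 { return 'SUSPECT: user profile' }
    return 'review: outside Windows and Program Files'
}

$procs = Get-CimInstance -ClassName Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    $ownerName = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '?' }
    [pscustomobject]@{
        ProcessId = $_.ProcessId
        Owner     = $ownerName
        Category  = Get-PathCategory $_.ExecutablePath
        Path      = $_.ExecutablePath
        Command   = $_.CommandLine
    }
}

# Everything grouped by category, then the short list that deserves a closer look
$procs | Sort-Object Category | Format-Table ProcessId, Owner, Category, Path -AutoSize
$procs | Where-Object { $_.Category -ne 'expected' } |
    Select-Object ProcessId, Owner, Category, Command | Format-List
```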

Stopping unwanted programs

See: adjusting what is running. Some fairly malicious malware may resist being stopped. One approach may be to try to move its executable file (possibly by moving it into non-existence, by deleting the file), and then restart the computer. Hopefully that will prevent the program from effectively starting up. If necessary, see handling a file that is in use. In some cases, moving the executable may not be easily done while the computer is running. Booting from an alternate operating system (such as a Live CD, or a CD that lets the user run Microsoft's Recovery Console) may be needed to modify the data.

Reviewing startup process

See: automatically started processes. Again, look for any executables that are being run from known problematic areas, or even executables that are being run from unauthorized locations.

Also check the publisher of any files that are running, or that get started. This can be done from Windows Explorer by viewing the Properties of an executable file. On the Details tab are lines such as the one that says “Copyright”. However, that approach will be tedious to do for every executable that is running. (It may be a reasonable approach to double-check a single executable file that seems suspicious.) MSConfig's Startup tab has a column called “Manufacturer”. Process Explorer (see: information about Process Explorer) has a column called “Company Name”. If using Sysinternals' software called Autoruns, then also check the Publisher column for any files that get automatically started.

When viewing the publisher, think about whether it makes sense. Mark Russinovich's “Hunting Down and Killing Ransomware” has a screenshot showing malware that had a “Publisher” of “ZZZZZZ ZZZZ”. Also, if the executable says that it is by a computer manufacturer, but this computer does not use any equipment by that manufacturer, then that claim is unlikely to be genuine. For example, if the software says it is by “DELL”, but the computer is an “HP” (made by Hewlett-Packard), that may be cause for questioning that software.

Note that removing problematic startup processes is very often a key way to successfully fix things. However, removing critically needed files may prevent the system from starting up successfully. This is one reason why backups are good. When possible, don't just delete files. Instead, if possible, uncheck a box that is needed to let them load (this might be doable in MSConfig or Autoruns). Or, adjust the path in the registry (have the registry load some-folderDISABLED\filename instead of some-folder\filename). Or, move the file to a location so that the registry won't be able to find the file. The point of all these examples is that these actions may all be relatively easy to undo, if necessary. Completely deleting an entry from the Registry may be harder to restore.
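The startup review and the reversible “some-folderDISABLED\filename” approach from the paragraphs above, as an added PowerShell example that is not part of the original guide: it walks the Run/RunOnce keys of the machine and of every loaded user hive, compares each file's Authenticode signer with the company name it claims, and disables an entry by breaking its path rather than deleting it. Get-ExeFromCommand, Get-Publisher and Disable-StartupEntry are assumed helper names, and “SuspectEntry” is a placeholder value name; an elevated prompt is assumed.

```powershell
# Added example, not the guide's own code. Enumerates Run/RunOnce autostart entries
# for the machine and every user hive loaded under HKEY_USERS, reports where each
# program lives and who signed it, and disables an entry reversibly by rewriting
# its path (the some-folderDISABLED\filename approach) instead of deleting it.
# Assumes an elevated prompt so other logged-on users' hives are readable.
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
           'Software\Microsoft\Windows\CurrentVersion\RunOnce'
$hives = @('HKLM:') + (Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" })
$trustedRoots = @($env:windir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Pull the program path out of a value such as  "C:\x\a.exe" /arg  or  C:\x\a.exe /arg
function Get-ExeFromCommand([string]$Command) {
    $c = $Command.Trim()
    if ($c -match '^"([^"]+)"')  { return $Matches[1] }
    if ($c -match '^(.+?\.exe)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

# Authenticode signer versus the company name the file claims in its version info
function Get-Publisher([string]$Exe) {
    if (-not (Test-Path -LiteralPath $Exe)) { return 'FILE MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Exe
    $claims = (Get-Item -LiteralPath $Exe).VersionInfo.CompanyName
    if ($sig.Status -eq 'Valid') { return "signed by $($sig.SignerCertificate.Subject)" }
    return "UNSIGNED ($($sig.Status)); version info claims '$claims'"
}

$entries = foreach ($hive in $hives) {
    foreach ($key in $runKeys) {
        $path = "$hive\$key"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        # Get-ItemProperty adds its own PS* bookkeeping properties; skip those
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExeFromCommand ([string]$props.$name)))
            [pscustomobject]@{
                Key = $path; Name = $name; Exe = $exe
                InTrustedDir = [bool]($trustedRoots | Where-Object { $exe -like "$_\*" })
                Publisher = Get-Publisher $exe
            }
        }
    }
}
$entries | Sort-Object InTrustedDir | Format-Table Name, InTrustedDir, Publisher, Exe -Wrap

# Reversible disable: keep the original command in a sibling value and point the
# path at a folder that does not exist, so the entry fails to load but can be restored.
function Disable-StartupEntry([string]$Key, [string]$Name) {
    $original = (Get-ItemProperty -Path $Key -Name $Name).$Name
    $raw = Get-ExeFromCommand $original
    $dir = Split-Path $raw -Parent; $leaf = Split-Path $raw -Leaf
    Set-ItemProperty -Path $Key -Name "$Name.original" -Value $original
    Set-ItemProperty -Path $Key -Name $Name -Value $original.Replace($raw, "${dir}DISABLED\$leaf")
}
# e.g. Disable-StartupEntry -Key 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'SuspectEntry'
```

Restoring an entry is the reverse: copy the “.original” value back over the modified one and delete the backup.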

Sometimes, the creator of malware is not super thorough in trying to hide software from experts. Some malware authors just have the operating system load up the malware automatically, using simple methods just like other software that typically loads up automatically. Preventing that, and then restarting the system, is a simple process that is actually suitably sufficient for disabling some of the malware that has been spread about.

Check for any other changes

At the time of this writing, this process is usually not an option, because file integrity checkers are often not routinely installed. However, if this is an available solution, consider using file integrity checker software to determine what undesirable changes have occurred.

Additional clean-up methods

Some software has been known to be fairly successful at performing the task of cleaning up a system, often using methods that are rather automated.

Such software might, or might not, provide any decent protection to prevent a program from infecting the computer in the first place. (Some of this cleaning software might not even be intended/designed to perform that task at all.) However, the cleaning software may have a track record of fixing computers that aren't as easily fixable using other anti-malware software. The point here isn't to say that such software is bad, or good, at protecting the system. The point being made here is simply that this software has been known to do a good job of cleaning up messes that have occurred. So, using the software for that purpose may provide positive results.

Some industry professionals have made some positive claims about the following software. (This is based on conversations with people at a local level, and so there is no web page for a citation to point to.)

  • SUPERAntiSpyware
  • MalwareBytes Anti-Malware (MBAM)
  • ComboFix (perhaps best used after other cleaning software has made their attempts).

Details about this software may be found in the anti-malware section. (Several of these programs are covered in that section's subsection on “clean-up software” that fixes malware.)

Prevention

Make sure that some current Anti-Virus software is installed. (See: Protection software.)

In addition to setting up automated scanning, running an immediate scan may be worthwhile.

Even if one anti-malware product does not resolve the problem, many anti-malware companies use similar names for specific, known pieces of malware. So, getting information from other anti-malware companies could be helpful. The section on anti-malware provides references to some of the different vendors, and even has information about locating some of the online information shared by these vendors. Even if anti-malware software doesn't remove a threat, having it successfully detect a threat may provide a name that can help searches for information that may be online (on the Internet).

What to do if this process does not work well

Take the longer approach which is more likely to work well.

Let the end user know that this is going to take a while longer.

Make sure that all data can be accessed fairly easily, even without relying on this computer. (Back up all data that people are likely to use. Information on that may be discussed in the section about the topic of data backup.)

Identify all desired software that has been installed onto the system. Make sure there is a plan on how to re-install such software. For commercially sold software (such as a Microsoft Windows operating system), that may involve having available optical discs and licensing keys.

Perhaps pursue some additional resources/guides. For example, Mark Russinovich's “Hunting Down and Killing Ransomware”.

If no solutions seem to have resolved the issue yet, then the more ambitious steps may be called for. After making sure that all necessary data is backed up, thoroughly erase the operating system. (Directions for thoroughly “Zeroing a drive” are available in the section about how to wipe data from a drive.)

Re-install the operating system. (Relevant information may be available from the tutorial on installing an operating system.)

Perform other software restoration/configuration. (A guide for this may be at setting up the operating system.) Also, restore backed up data. (Presumably, information on that may be discussed in the section about the topic of data backup. Also, presumably the method to doing this was understood after performing the data backup, and before erasing the data.)

Some additional ideas/resources

See: Mark Russinovich's technical blog @ TechNet: article on “Hunting Down and Killing Ransomware”.