If a machine has been running malware, reimage it (see also: Alternatives To Reimaging). Protect the information that was on the compromised machine. Do not rely upon anti-virus software to return the machine to a trustworthy state or to make your information private again. Using anti-virus software to “clean” a machine will, at best, stop it from reporting “virus detected” messages.
Anti-virus products are preventative measures (preventive controls). They are meant to detect attacks and prevent your machines from being compromised. Anti-virus products can also be used to rein in or control the behavior of malware. Using anti-virus products to restore a machine’s security posture, though, is an unreasonable expectation. Anti-virus products are partially effective detective controls. While you have seen them detect malware, that should not convince you that they detect malware of all sorts at all times. To the contrary, you should be convinced that some malware has been missed and will be missed. “Cleaning” a machine gets it to the point where no “virus detected” messages appear. That should not give you confidence in the machine’s state, or give you the belief that account information, including credit card information, is still private.
- Anti-virus products do not find all malicious software.
- If you are attempting to “clean” a machine, you may have just encountered a case of malware that your anti-virus software did not detect. Consider sending information to your anti-virus vendor; see “Simple Malware Discovery Measures”. Since you have just seen an example of undetected malware, it would be unreasonable to expect scanning to detect all malware.
- If anti-virus software always found all malicious software, you would never need updates.
- Malware may enable services that were not previously enabled. File scanning software will not detect a maliciously enabled service. For example, WORM_SDBOT.GY enables the telnet service:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr
Start = "dword:00000004"
- Malware may change configuration settings. For example, symptoms of Trojan-Downloader.Win32.Renos are:
- when starting Internet Explorer you get the message:
Windows Security
These files can't be opened
Your Internet security settings prevented one or more files from being opened.
C:\Program Files\Internet Explorer\iexplore.exe
and when starting Acrobat Reader:
Windows Security
These files can't be opened
Your Internet security settings prevented one or more files from being opened.
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
- when starting gpedit.msc you get the message:
One or more ActiveX controls could not be displayed because either:
1) Your current security settings prohibit running ActiveX controls on this page, or
2) You have blocked a publisher of one of the controls.
As a result, the page might not display correctly.
To remove these symptoms, remove the registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\?]
1601 = 0x00000000
(where ? is an extended ASCII character). Be sure to remove the other payloads of Trojan-Downloader.Win32.Renos as well.
The Trojan:Win32/Reveton family makes a variety of registry changes. System recovery would include returning the settings to their previous values.
- Malware may remove system components; it may delete files or registry entries. A post-infection scan using anti-virus software will not detect the missing system components, nor will it restore them. See, for example, Trend Micro’s description of TROJ_VUNDO.BVC.
- Anti-virus products will not report some malicious software as malicious. For example, VNC and mIRC have their legitimate uses. They are also used to install backdoors. Malware can install these packages (opening a backdoor), and anti-virus products will not distinguish between their legitimate and their malicious uses. Scanning with an antivirus package will not discover these maliciously created backdoors. Keystroke loggers also have their legitimate uses. Anti-virus vendors who detect all keystroke loggers as malicious software must accommodate their customers who choose to use keystroke loggers.
- There are many system configuration changes that malware can make that would not be detected by antivirus software. Take, for example, the malware that Microsoft refers to as Win32/Conficker.X, Symantec refers to as W32.Downadup.X and Trend Micro refers to as worm_downad.x. When successfully executed, one of the modifications made (a “payload”) is
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"TcpNumConnections" = "0x00FFFFFE"
No file scanning software would find this payload, since it is not a file.
- Malware can change the hosts file to redirect traffic to spurious web sites. Many antivirus packages will notify you if the hosts file is being modified (that is, they will take a preventative measure). Some antivirus packages will include a scan of the hosts file to determine if it contains suspicious entries. Do not expect a scan to catch all malicious hosts file entries.
- Another payload, similar in effect to the hosts file change, is to change the DNS values of the TCP/IP settings (“DNS Changer” payload). The DNS server will redirect users to malicious web sites. Antivirus packages do not normally warn of this action (take precautionary measures) nor does a scan search for known malicious DNS servers.
- Malware can create scheduled tasks. Anti-virus software cannot be expected to distinguish between intended scheduled tasks and maliciously created scheduled tasks.
There are many other system configuration changes that malware has been known to make, but which you should not expect anti-virus software to reverse. The following list is illustrative, not exhaustive:
- Malware can modify Internet Explorer security zones; it can modify the nature of the zones (e.g., allow untrusted sites to run scripts) and modify membership with zones (e.g., add malicious sites to the trusted zone).
- Malware can disable automatic updates:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
AUOptions = "dword:00000001"
- Malware can modify registry entries to disable Security Center functions:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify = "1" (Default: "")
AntiVirusOverride = "1" (Default: "")
FirewallDisableNotify = "1" (Default: "")
FirewallOverride = "1" (Default: "")
UacDisableNotify = "1" (Default: "")
UpdatesDisableNotify = "1" (Default: "")
- Malware can create registry entries to disable Task Manager and Registry Editor:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system
DisableRegistryTools = "1" (Default: "0", not normally found)
DisableTaskMgr = "1" (Default: "0", not normally found)
- Malware can modify registry entries to disable Windows File Protection:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SFCDisable = "ffffff9d" (Default: "0")
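One way to check a suspect machine for the registry modifications listed on this page (the Conficker TcpNumConnections payload, the Renos zone key, and the update, Security Center, policy and File Protection settings above), written as an added PowerShell example; it is not code from the original post, and the indicator values are only the ones given here.

```powershell
# Added example, not from the original post: look for the registry modifications
# listed on this page on the machine under examination. Run from an elevated
# PowerShell prompt on the suspect host. A hit is evidence for reimaging, not
# something to "clean"; absence of hits proves nothing.

$indicators = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'TcpNumConnections'; Bad = 0x00FFFFFE; Note = 'Conficker/Downadup payload' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
       Name = 'AUOptions'; Bad = 1; Note = 'automatic updates disabled' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'SFCDisable'; Bad = 0xffffff9d; Note = 'Windows File Protection disabled' }
)
# Security Center and policy values all follow the same "1 means disabled" pattern.
foreach ($n in 'AntiVirusDisableNotify','AntiVirusOverride','FirewallDisableNotify',
               'FirewallOverride','UacDisableNotify','UpdatesDisableNotify') {
    $indicators += @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'; Name = $n
                      Bad = 1; Note = 'Security Center notification suppressed' }
}
foreach ($n in 'DisableRegistryTools','DisableTaskMgr') {
    $indicators += @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
                      Name = $n; Bad = 1; Note = 'admin tool disabled by policy' }
}

$mask = [int64]4294967295   # fold negative Int32 DWORDs and REG_SZ "1" onto one unsigned range
function Test-Indicator {
    param([hashtable]$Indicator)
    $prop = Get-ItemProperty -Path $Indicator.Path -Name $Indicator.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return }        # key or value absent: nothing to report
    $actual = $prop.($Indicator.Name)
    try { $seen = [int64]$actual -band $mask } catch { return }   # non-numeric data: not this indicator
    if ($seen -eq ([int64]$Indicator.Bad -band $mask)) {
        [pscustomobject]@{ Path = $Indicator.Path; Name = $Indicator.Name; Value = $actual; Note = $Indicator.Note }
    }
}

# Renos-style zone key: any subkey under Zones other than the standard zones 0 to 4.
function Get-NonStandardZone {
    $zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    Get-ChildItem -Path $zones -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notmatch '^[0-4]$' } |
        ForEach-Object { [pscustomobject]@{ Path = $_.Name; Name = '(subkey)'; Value = ''; Note = 'non-standard IE zone' } }
}

$findings = @($indicators | ForEach-Object { Test-Indicator $_ }) + @(Get-NonStandardZone)
if ($findings.Count -eq 0) { 'None of the listed indicators were found.' }
else { $findings | Format-Table -AutoSize }
```

The hosts file and DNS server settings described above are not covered by this script; on a machine that reports any hit, treat the finding as a reason to reimage rather than as a list of values to put back.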
In short, once a system has been successfully infected the modifications it can make are legion. Plan to reimage or use another measure to return the system to a trustworthy state. Do not plan to be able to clean an infected machine.
Assume your information has been stolen.
Change your passwords as well. A copy of your account information may have been taken. Any plain text username and password, or any plain text credit card information, should be considered public knowledge. Get them changed.
Repair
These repair measures do not make a system trustworthy.
SystemRescueCD is a Linux system rescue disk available as a bootable CD-ROM or USB stick for administering or repairing your system and data after a crash. It aims to provide an easy way to carry out admin tasks on your computer, such as creating and editing the hard disk partitions. It comes with a lot of Linux software such as system tools (parted, partimage, fstools, …) and basic tools (editors, midnight commander, network tools). It can be used for both Linux and Windows computers, and on desktops as well as servers. This rescue system requires no installation as it can be booted from a CD/DVD drive or USB stick, but it can be installed on the hard disk if you wish. The kernel supports all important file systems (ext2/ext3/ext4, reiserfs, btrfs, xfs, jfs, vfat, ntfs), as well as network filesystems (samba and nfs).
Microsoft has a Solution Accelerator called “Malware Removal Starter Kit: How to Combat Malware Using Windows PE“. This describes how to create a bootable CD using Windows PE; said bootable CD would contain unspecified software to detect and remove known malware.
Consider including GMER, Malwarebytes’ Anti-Malware, Sunbelt Software’s VIPRE Rescue Program, F-Secure Rescue CD or ComboFix to detect and remove known malware. Consider including Trend Micro’s System Information Collector (SIC) utility to detect unknown malware. (See A Simple Measure.)
These components are frequently updated, making any CD created obsolete soon thereafter.
When you are convinced that a machine has been compromised, don’t cut corners during the restoration process.
A Windows platform is not a trustworthy platform, in that it does not build upon a trustworthy kernel with elements that can be shown to be trustworthy. Instead, a “standard image” is created and this image is assumed to be trustworthy. Once compromised, a Windows machine is returned to this trustworthy state by reimaging. Strictly speaking, a Windows machine is never trustworthy.
Tim Mugherini presents NTFS MFT Timelines and Malware Analysis
Among the utilities which can be used to make a system stop producing “virus detected” messages are McAfee’s Stinger, Sophos’ Virus Removal Tool and Emsisoft Emergency Kit. This step does not make a system trustworthy.