Spring Cleaning Computers (of Malware)

If you’re like me, when you visit (or are visited by) relatives, you’re asked about computer problems. If you’re like me, this can be ridiculously fun and entertaining for you. As luck would have it, family visited this past weekend and brought with them two machines profoundly besieged by malware, hoping I might restore them to proper working order. One of the machines would crash dump into the fabled blue screen of death within five minutes of boot-up; the other had well over 4,000 infections and was barely able to function, crawling along at a super-glacial pace. Good times.

[Screenshot: win8BSoD]

Why bring this up here? If your public access computers aren’t well secured, you will inevitably need to go through a similar process, so I thought I’d share it with you (also: once they are clean, take steps to secure them and your patrons, by gum!). While the following routine will only be necessary in its entirety for deeply compromised machines, you may find parts of it useful for handling more mundane encounters with software malfeasance.

As a matter of self-preservation, malware commonly disables anti-virus software and blocks your ability to download or update it. Consequently, I use a portable toolkit (executable from a USB stick) to deal with infections of this nature. Obviously, you’ll have to build and update this kit on a clean machine, and if your stick has a write-protect switch, flip it before plugging it into an infected host, since that host can write to the stick just as readily as you can. Here’s the part of my kit I made use of for this round of cleaning, in the order I employed it:

1. SUPERAntiSpyware (can be run in Safe Mode) – A few notes about this gem of a program before I begin. One: it finds spyware like nobody’s business. Two: it has an embarrassingly stupid name. Three: it is portable, but it tries hard not to be. Here’s what you have to do in order to have a USB-executable version of it: download the installer (do this on a clean machine shortly before you need it, as you won’t be able to use the native updater without rendering it non-portable) and save it to your USB drive. Run the installer and select a folder on the USB drive as the install destination (this is not the default behavior). Do not agree to update it at any time, or it will senselessly install itself in non-portable fashion. Admittedly obnoxious, but this program rooted out some hardcore infections, improving machine performance all on its lonesome, so it is definitely worth the extra effort (it removed over 3,000 infections from one of the computers).

[Screenshot: SAS]

If you’re at the point where you’re running anti-malware programs from a USB drive, you’ll probably want to select Complete Scan and Enable Rescue Scan, as shown above. Then click Scan Your Computer and start catching up with your relatives (it will take some time to complete). Note that you may want to change Windows’ power settings so that the computer won’t go to sleep on you while the scan is running…

2. Emsisoft Emergency Kit (can be run in Safe Mode) – The Emergency Kit Scanner bundled here is a robust seeker of all manner of nastiness.

[Screenshot: emisoft]

Before running a Deep Scan (another time-consuming operation), I changed the On scan end setting to Quarantine detected objects (note that if you plan on kipping out after you start the scan, you may as well check Shut down PC, too).

[Screenshot: emisoftConfig]

Once SAS and EEK had done their thing, a handful of critical infections had been removed from each machine, as had hundreds to thousands of less serious ones. Great headway had been made, but I believe in being thorough, so…

3. Bitdefender Rootkit Remover – This scan only takes a few seconds and will snag known rootkit/bootkit infections, including the kind that hook the Master Boot Record so they are reloaded at every start-up before Windows (and your AV) is running, which is why they persist through ordinary cleaning. Note that I was unable to run this program from Safe Mode.

[Screenshot: rootkitRemover]

I didn’t find anything with it, but I can’t say those scant seconds were ill-spent.

4. Autoruns – Autoruns is a great little program from Microsoft’s Sysinternals team that lets you see EVERYTHING that gets run during your computer’s start-up and log-in cycle (Run keys, services, drivers, scheduled tasks, browser helper objects, and more) and allows you to untick any entry you wish to remove from these proceedings.

[Screenshot: autoruns]

If you know what you’re doing, you can both speed up your boot process and identify nefarious programs, preventing them from running automatically. Two of its options make the list far more manageable: Hide Microsoft Entries and Verify Code Signatures, which together leave you looking mostly at third-party and unsigned entries, which is where the trouble usually lives.
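For readers who would rather see what Autoruns is doing under the hood, here is an added example (my own, not part of the original post and not Sysinternals code) that performs a stripped-down version of the same sweep in PowerShell: it walks the usual autostart locations (the Run/RunOnce keys for the machine and the current user, both Startup folders, auto-start services, and enabled scheduled tasks), resolves each entry to an executable, and flags anything whose file is missing or whose Authenticode signature is not valid. It needs an elevated PowerShell 3.0 or later prompt (Windows 8, or Windows 7 with the WMF 3.0 update); the registry and folder paths are the standard ones, and the HKCU entries are those of whoever is logged in. The executable-path parser is a deliberately simple assumption that handles quoted paths and the common extensions, and it will mis-split an unquoted path containing spaces.

```powershell
# Added example: minimal Autoruns-style sweep with signature checks.
# Assumes PowerShell 3.0+ on Windows 7/8, run from an elevated prompt.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties that Get-ItemProperty adds to every object; not real values.
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\Windows\system32\svchost.exe -k netsvcs
# (assumption: simple parser; unquoted paths with spaces are not handled)
function Get-ExecutablePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(\S+\.(exe|dll|cmd|bat|vbs|js|scr))') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$entries = New-Object System.Collections.Generic.List[object]

# 1. Run / RunOnce registry keys
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($psNoise -contains $p.Name) { continue }
        $entries.Add([pscustomobject]@{ Location = $key; Name = $p.Name; Command = [string]$p.Value })
    }
}

# 2. Startup folders (current user and all users); .lnk files are resolved to their target
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | ForEach-Object {
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        $entries.Add([pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $target })
    }
}

# 3. Services set to start automatically (Win32_Service exposes the binary as PathName)
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto'" | ForEach-Object {
    $entries.Add([pscustomobject]@{ Location = 'Services'; Name = $_.Name; Command = $_.PathName })
}

# 4. Scheduled tasks that are not disabled (Get-ScheduledTask exists on Windows 8+; skipped elsewhere)
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions have no Execute
            $cmd = if ($a.Arguments) { "$($a.Execute) $($a.Arguments)" } else { $a.Execute }
            $entries.Add([pscustomobject]@{ Location = "Task $($_.TaskPath)"; Name = $_.TaskName; Command = $cmd })
        }
    }
}

# Resolve each command to a file and check its signature. Anything that is not
# 'Valid' (NotSigned, HashMismatch, MISSING FILE, ...) is worth a closer look in
# Autoruns before you decide whether to untick it.
$report = foreach ($e in $entries) {
    $exe = Get-ExecutablePath $e.Command
    $status = if (-not $exe) { 'EMPTY COMMAND' }
              elseif (-not (Test-Path -LiteralPath $exe -PathType Leaf)) { 'MISSING FILE' }
              else {
                  $sig = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
                  if ($sig) { $sig.Status.ToString() } else { 'UNREADABLE' }
              }
    [pscustomobject]@{ Status = $status; Name = $e.Name; Location = $e.Location; Path = $exe }
}

$report | Sort-Object Status, Location | Format-Table -AutoSize
```

Run it once before and once after the cleaning passes and diff the two reports; entries that vanish are the ones the scanners removed, and anything still showing NotSigned or MISSING FILE from a user-writable directory (AppData, Temp, the user profile) is the kind of thing Autoruns is there to catch.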

5. Geek Uninstaller – Geek is a brilliant little program that truly works wonders. It’s the best uninstaller I’ve ever encountered, and I have yet to meet a program it can’t remove.

[Screenshot: geek]

Geek also does some nice tidying up after each uninstall completes. You may be asking yourself, “why did he need an uninstaller?” Well, sometimes someone you love will download a free games platform that happens to be a notorious browser-hijacking malware delivery service (there are roughly 39 million articles about one of the programs I removed in seconds with Geek). Sometimes people won’t pay attention while installing things and will inadvertently install additional bloatware that they never intended to and really don’t want or need. Sometimes you just want to ensure that Java isn’t installed. Another thing to be aware of: you really do not want to have more than one active anti-virus program on any given machine, as they’ll often get into conflicts (each one’s real-time scanner treating the other’s activity as suspicious), degrading performance and security. If you have more than one, uninstall all but your favorite and most trusted (definitely uninstall any expired trial versions, which stop updating but keep running). I’m partial to Microsoft Security Essentials, but there are other fine free options out there. Note that you may need to restart your computer after some uninstalls.

6. Avast! Browser Cleanup – Many of your browser-based woes should already be hashed out, but those that remain can likely be remedied with this tool.

[Screenshot: avastBC]

Avast!’s Browser Cleanup will allow you to reset browser homepages and search providers (these are frequently hijacked) and will also help identify malicious toolbars and extensions, enabling you to remove them. Keep in mind that not everything it identifies is dangerous or undesirable; some entries may simply be unknown or uncommon, so read what it flags before clicking through.

7. CCleaner Portable – CCleaner is a powerful and much-beloved temporary file and registry cleaning utility (and so much more!). Some people use Task Scheduler to automate sweeps with its non-portable form, and I like those people just fine. For our purposes, we’ll want to do two things with it now:

Thing One: Cleaner.

[Screenshot: CCleaner]

This sweeps away all your temporary files. You may wish to look over everything that’s set to be wiped under both Windows and Applications to ensure you don’t accidentally toast something you fancy. If you’re cleaning Public Access Computers, I would encourage you to err on the side of thoroughness. Once you’re prepared, click Run Cleaner.

Thing Two: Registry.

[Screenshot: CCleanerRegistry]

Normally you don’t need to do much in the way of preventive registry maintenance, but if you’ve just mopped the floor with a bunch of malware, bloatware, and nogoodniks, you may have some lingering remnants that you’d be better off without (especially if you’ve been seeing crash dumps). Click on Registry and then click Scan for Issues. Next click Fix selected issues… When prompted, make sure you back up the changes to the registry, just in case things go pants up (for the record, I’ve never had that happen, but I’m not one to take chances). The backup is a .reg file; double-clicking it restores what was removed. Finally, click Fix All Selected Issues.

At this point, I was done with my portable apps and moved on to final precautionary measures: running the Microsoft Malware Fixit and then executing a full scan with Microsoft Security Essentials (or your AV of choice), which by now should be able to update its definitions again.

MSE managed to find a few more infections in one case and set my mind at ease that I’d steered the other clear from harm.

[In the unlikely event that malware has made changes to your system that the Malware Fixit cannot revert, Windows Medkit may provide the last bit of support you need. It’s capable of fixing an inability to view hidden or system files, folder options, and all drives in My Computer; it can enable Regedit, Taskmanager, Msconfig, CMD, Run, Control Panel, and Start Menu if you’ve been blocked from using them; it can fix Taskbar issues. It also has some management and system tools bundled with it.]

Once I had purged my relatives’ computers of infection and tidied up, I took steps to help curtail the risk of future infection. This involved making their default browser one that self-updates (Firefox or Chrome are nice) and extending it with both Ghostery and Adblock Plus. I also removed shortcuts to other browsers and unpinned them from the Taskbar and Start Menu, to help remove the temptation to live dangerously.

Next, I ran the Windows Update routine (tip: if you create a new shortcut and point it to cmd /c wuapp.exe, you will have created a convenient shortcut to Windows Update!). An update was necessary, as both machines had been unusable for a few weeks and the infections may have been blocking security patches for much longer than that.
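To confirm the two things this post asks you to verify at this stage, that only one anti-virus product remains after the uninstalls in step 5 and that no security updates are still outstanding after the Windows Update run, here is an added example of my own (not from the original post). It reads the anti-virus products Windows Security Center has registered and queries the Windows Update Agent COM API for updates that are not yet installed. It assumes an elevated PowerShell 3.0 or later prompt on a client edition of Windows (the root/SecurityCenter2 namespace is not present on Server editions), and the update search can take a minute or two on a machine that has been offline for weeks.

```powershell
# Added example: post-cleanup check for leftover AV products and pending updates.
# Assumes PowerShell 3.0+, elevated, on client Windows (Vista or later).

function Get-RegisteredAntivirus {
    # Every AV that registers with Security Center shows up here, whether or not
    # it is still working; two rows means two products are fighting over the box.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object displayName,
            pathToSignedProductExe,
            @{ n = 'productStateHex'; e = { '0x{0:X6}' -f $_.productState } },
            timestamp
}

function Get-PendingUpdates {
    # Windows Update Agent API: "IsInstalled=0" returns updates the machine has
    # not applied; IsHidden=0 skips anything the user has deliberately hidden.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        [pscustomobject]@{
            Severity = $u.MsrcSeverity     # Critical/Important/... for security bulletins, blank otherwise
            KB       = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ','
            Title    = $u.Title
        }
    }
}

$av = @(Get-RegisteredAntivirus)
"Registered anti-virus products: $($av.Count)"
$av | Format-Table -AutoSize
if ($av.Count -gt 1) {
    Write-Warning 'More than one anti-virus product is registered; uninstall all but the one you trust.'
}
if ($av.Count -eq 0) {
    Write-Warning 'No anti-virus product is registered; install one before handing the machine back.'
}

$pending = @(Get-PendingUpdates)
"Pending updates: $($pending.Count)"
$pending | Sort-Object Severity | Format-Table -AutoSize
if (@($pending | Where-Object { $_.Severity -eq 'Critical' }).Count -gt 0) {
    Write-Warning 'Critical security updates are still pending; run Windows Update again before going online unprotected.'
}
```

A product that appears in the Security Center list but whose pathToSignedProductExe no longer exists on disk is the usual sign of a half-removed trial AV; that is the entry to finish off with the uninstaller before installing the one you intend to keep.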

Finally, I generated a Ninite installer and set up Task Scheduler to automate 3rd party application updates with it, as I detailed here.

I’d love to hear your suggestions, questions, horror stories, and concerns in the comments!


4 responses to “Spring Cleaning Computers (of Malware)”

  1. Pingback: Automating More of Your Public Access Computer Maintenance | Field Notes

  2. Pingback: Promising Practices for Public Access Computers, Part 3 | Field Notes

  3. Pingback: Increasing Security on Public Access Computers with EMET | Field Notes

  4. Pingback: Placing Trust in a Badger | Field Notes
