Presentation on theme: "Cosc 4765 Cleaning up.. So… The Windows machine has been infected/comprised or just “acting funny”. How to clean it up. Hope you have backups…"— Presentation transcript:
Cosc 4765 Cleaning up.
So… The Windows machine has been infected/comprised or just “acting funny”. How to clean it up. Hope you have backups…
Reformat and reinstall. The only way to truly know it’s cleaned up and “secure” again. “I say we take off and nuke the entire site from orbit. It's the only way to be sure.” – Ripley, Movie: Aliens, 1986
Baring that… Disconnect it from the network – Hope you have several hours and this may not remove the infection anyway. Get a set of tools you can run on the machine to see if you can clean it up. – Put them on a none writable device USB device with a read-only switch is the best. The malware may infect your USB device and then you spend it to other machines.
How to attack it. Running in standard windows mode – May work, but the malware may prevent the tools from running – The malware is active and will attempt to defend itself. Can recreate itself via parasite like properties Running in windows safe mode – Press F8 as windows is booting, select safe mode – Better chance of cleaning off the malware, especially if it only running in the “user space” instead of kernel space
How to attack it (2) Find a live CD/DVD – Best chance of removing the malware, since it is not active at all. Linux Disk works best if you know what you delete from the windows file system. Remove the hard drive and plug it in as a USB drive to anther machine – Dangerous! May infect another windows machine, but … – If the malware is not active, then you can remove the it.
Tools Cleaners – Spybot Search and Destroy Can clean spyware and some rootkits, lots of other useful stuff in the advanced mode – Malwarebytes: Anti-Malware – Super AntiSpyware – If possible then get the current definition files as well Remember, no network!
Tools( 2) Rootkit finders. May not be possible to find rootkits while the system is live But you can try – Trend Micro RootKitBuster – Sophos Anti-Rootkit rootkit.html rootkit.html – Panda Anti-Rootkit – Down on the right side under free downloads
Tools (3) Not cleaners and you have to figure some things out. HiJackThis – – Displays all the things that will start up when the system is booted. Maybe able to remove them from startup – But, the malware maybe watching and just add it back!
Tools (4) Sysinternals Suite – – Process Explorer – RootkitRevealer – Just to name a few of the useful tools. – And just for fun, BlueScreenOfDeath screen saver.
Tools (5) More – Definitely, this is in no way a complete list.
Clean up. Once you think you have got it cleaned up – Time to dump the junk and clean up the registry. ATF Cleaner – Doc’s say Windows XP only, but I used on Vista and Win7 successfully. Cleans up cache and temp space. CCleaner – It can clean the registry Also clear cache and other areas of windows where junk may have been placed.
Wait it didn’t work!!! ? Off line cleaners – Boot to a live Disk so that the OS is not running, but more specifically the malware is not active. – Linux live CD/DVDs to delete files off the file system – Ultimate Boot CD for Windows – Create a live Windows XP disk to boot from, then clean up the hard drive (with many of the same tools that are on the CD/DVD/USB) – winPE for Windows Vista and 7 How to create Bootable USB with WinPE – usb-drive-with-rescue-tools-part-1/ usb-drive-with-rescue-tools-part-1/
Other things Malware – May have damaged your AV – Sometimes called “hollowed out”, it runs, but does NOTHING. May need to deinstall it and reinstall it – Check your MS updates are turned on – Firewall, Bit Defender, UAC, security settings, etc. “What doesn’t kill us, makes us stronger” – In computers, what weakens the computers security and it maybe even easier for the next malware.
Other things (2) Scan the whole computer one more time with AV and anti-Malware software – Until it comes back clean. Repeat until it says nothing found. Where else may you have spend this malware? – Other USB devices – Backups, etc. – Depends on how long your system has been infected. Take the time to scan everything with AV and Anti-Malware software.