Thursday, August 26, 2010

Malware and Virus Scans

So, a lot of my associates are Windows users out of necessity.

Got an email this morning:
"Our pc's fans started goin off again on full blast. We already did the virus detection and surprisngly it found viruses and deleted them. But today it started on full blast again. Any ideas?"

... Stop letting people use Internet Explorer? ;)

There's some .PDF, Flash, and JAVA vulnerabilities going around now; make sure you patch up your Adobe Reader and Flash Player to current, Update your JAVA to 6u22 or higher, run TFC.exe and then run a malware bytes scan.

After MBAM finishes cleaning up; go into the Windows Scheduled Tasks in control panel and remove any suspicious jobs (Lot of the nasty ones are untitled and look like a GUID like
"{21EC2020-3AEA-1069-A2DD-08002B30309D}")

Then fire up process explorer, Options Menu -> Verify Image Signatures, View -> Select Columns and make sure "Verified Signer" is checkboxed, View -> Show Process Tree, click the - by wininit.exe to hide system services and kill off anything that doesn't have an entry in the Company Name field. (Kill *Any* Unsigned EXEs, even stuff from Logitech mouse drivers and Realtek audio controls)

In fact, you can usually prune every user process off except for the root Explorer.exe process.
If you're careful, you can even kill off most services other than svchost.exe and
anything with "(Verified) Microsoft Windows" in the Verified Signer column.

Then fire up autoruns.exe and remove any suspicious startup entries. Heck, if you can, remove everything but the nvidia/ATI driver autoruns.

Now run TFC.exe once more to make sure all the tempdirs are emptied.

Alternatively, you can run an offline scan with a bootcd like AVIRA's Rescue CD -- the ISOs are updated weeklyish.

http://dlpro.antivir.com/package/rescue_system/common/en/rescue_system-common-en.exe

AVAST's also a good option.
http://www.avast.com/free-antivirus-download

Your best choice is to get ChromeChromium, or Firefox and load them with the Adblock and PDF Download extension that prompts you to download PDFs -- just click cancel if the prompt comes up unless you intentionally clicked a PDF link yourself.

Myself, I use Chromium and Chrome Adblock. Chromium has an internal PDF renderer that doesn't rely on Adobe, and it's sandboxed by default. You can enable it from chrome://plugins/ which also will warn you if other plugins are not up to date.



Still, it pays to be careful.
If you'd like to see how sophisticated some of these attacks are, check out this series of articles:
http://www.h-online.com/security/features/CSI-Internet-HQ-1050609.html

No comments: