As 2011 draws to a close I am reflecting on the compromised computers that I have dealt with in the last few months. In April I went to work for a company that is the IT department for a number of small businesses in our area. One of the things that I do is deal with machines that are not working correctly. The majority of the complaints were first identified with security popups. These were pretty easy ones to identify: AntiMalware 2011, AntiVirus 2011, and the latest one, Security System (vclean.exe). In all of these cases the users said that they were on a website and clicked on a link or an image file. They said that the computer immediately started popping up with various messages about computer instability. I have found that most of these types of infections are easy to clean up, and most required simply MalwareBytes and a good anti-virus program to clean them up.
Others have not been so easy. I have dealt with several that had been infected and had some or all of the files on the hard drive hidden. These are the difficult ones to deal with. Tools like ComboFix are required to even identify these infected files. I have found several tools that have helped with the identification and removal.
I have also had several machines that were unable to install Windows updates. The customer has no recollection of any virus infection; the updates just stopped working with a pretty generic error. On the first machine I worked with Microsoft to attempt to figure out what was going on. After several back-and-forth emails and following procedures provided by Microsoft, I discovered that the directory used to write temp install files and install logs was missing. It looked like the directory had been deleted; however, if I searched for the file I would find older versions of the log files. Continuing to investigate, I discovered that the directories and files had been changed to hidden and read-only when using the attrib command. Running the UNHIDE.EXE tool returned the file structure to normal. I ran the Windows updates again and all was well. Running a virus scan and a MalwareBytes scan, several malicious files were detected and removed.
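A defender's check for the attribute change described above, as an added example that is not from the diary and not the UNHIDE tool: it lists every item under a path that carries both the Hidden and ReadOnly attributes (the combination attrib revealed here) and, only when -Fix is given, clears those two flags. The root path is a placeholder to be replaced with the directory under suspicion.

```powershell
# Added example: find items marked Hidden + ReadOnly under a root and optionally restore them.
param(
    [string]$Root = 'C:\PATH\TO\CHECK',   # placeholder: directory suspected of being hidden
    [switch]$Fix                          # clear the attributes only when explicitly requested
)

$hidden   = [System.IO.FileAttributes]::Hidden
$readOnly = [System.IO.FileAttributes]::ReadOnly

# -Force is required: without it Get-Item/Get-ChildItem silently skip hidden items,
# which is exactly why the directory "looked deleted" in the incident above.
$items = @(Get-Item -Path $Root -Force -ErrorAction SilentlyContinue) +
         @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue)

# Keep only items where BOTH flags are set; a non-zero -band result is truthy.
$suspects = $items | Where-Object {
    ($_.Attributes -band $hidden) -and ($_.Attributes -band $readOnly)
}

if (-not $suspects) {
    Write-Output "No items under $Root carry both Hidden and ReadOnly."
    return
}

# Report first so the operator can review before changing anything.
$suspects | Select-Object FullName, Attributes | Format-Table -AutoSize

if ($Fix) {
    foreach ($item in $suspects) {
        # Clear only Hidden and ReadOnly; leave System and other attributes untouched.
        $item.Attributes = $item.Attributes -band (-bnot ($hidden -bor $readOnly))
        Write-Output "Restored: $($item.FullName)"
    }
}
```

Some operating-system items legitimately carry these attributes, so review the listing before running with -Fix, and run the anti-virus and MalwareBytes scans afterwards as the diary describes.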
Some of the machines have not been so easy. Cases where operating system files, network files, and other critical files had been altered are best handled by a format and reload. Formatting and reloading requires that the customer have the original install CDs.
My goal for 2012 is to educate all of our small business customers on the importance of Windows Updates and having a good anti-virus program. Having these two items goes a long way in minimizing the number of compromised computers the customer will have to deal with.
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.