Author Topic: Malware and web browser hijackers  (Read 7826 times)


Online Alex EisenhutTopic starter

  • Super Contributor
  • ***
  • Posts: 3530
  • Country: ca
  • Place text here.
Malware and web browser hijackers
« on: October 24, 2018, 07:31:59 am »
Anyone can recommend known-good removal tools? At work my win 7 machine's MS Security Essentials is constantly all day detecting and removing the same exact trojan over and over. Googling the name of the trojan yields no specific results whatsoever for win32/texsafea. Probably it's a randomized executable name. Trying to delete the file is not possible, turning off the related service in msconfig doesn't stop it either.

Another thing that happens is that Waterfox and Internet Explorer randomly open tabs to a 7nt.com website, a Chinese site. I added that to hosts and it blocks whatever that connects to, but the tabs keep trying to open.

I've tried several tools like Malwarebytes, Spybot, Norton, Avast. Either they detect nothing, or remove a bunch of stuff... only for the same things above to start again. Running the scans in safe mode doesn't change anything either.

Googling for removal tools seems to point to weird tools that may themselves be malware in any case.

This is such a jungle that you can spend all day (and night) looking into it to no avail.

What tools do you use?
Hoarder of 8-bit Commodore relics and 1960s Tektronix 500-series stuff. Unconventional interior decorator.
 

Offline MarkF

  • Super Contributor
  • ***
  • Posts: 2734
  • Country: us
Re: Malware and web browser hijackers
« Reply #1 on: October 24, 2018, 07:44:42 am »
Isn't this a problem for your IT department?

At home, I simply backup all my data files if my backup is not up to date.
And then reformat the hard drive and install a clean copy of the operating system.  It's a pain but it takes less time in the long run and then I'm sure the virus has been removed.  I just don't trust those removal tools and then I'm never really sure something isn't left behind.
 

Online Alex EisenhutTopic starter

  • Super Contributor
  • ***
  • Posts: 3530
  • Country: ca
  • Place text here.
Re: Malware and web browser hijackers
« Reply #2 on: October 24, 2018, 07:45:33 am »
Isn't this a problem for your IT department?

What's that?
Hoarder of 8-bit Commodore relics and 1960s Tektronix 500-series stuff. Unconventional interior decorator.
 

Offline MarkF

  • Super Contributor
  • ***
  • Posts: 2734
  • Country: us
Re: Malware and web browser hijackers
« Reply #3 on: October 24, 2018, 07:52:46 am »
Isn't this a problem for your IT department?

What's that?

I take it that your business does not have a group of people who maintain your computers and networks.
 

Online johnh

  • Regular Contributor
  • *
  • Posts: 224
  • Country: au
Re: Malware and web browser hijackers
« Reply #4 on: October 24, 2018, 08:26:29 am »
The IT department for the company I work for installs all other wares like Avecto to detect and stop things like this.
We don't have admin privileges; you need to ask for permission if you want to install something that's not approved.
We have to use applications that are outdated, because it takes them so long to approve a new version of an application before it can be pushed to your PC.
Some problems you used to be able to fix yourself, but not now.
Ring up IT support, go into the queue with the usual problems, call back later, too many in the queue. Blah blah.
Now it's one size for all, dumbed down for the PowerPoint pusher.

Something goes wrong. Can't fix it quickly. Do a rebuild, several days lost |O
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 2270
  • Country: 00
Re: Malware and web browser hijackers
« Reply #5 on: October 24, 2018, 08:53:46 am »
This is the price you sometimes pay for using Windows.
Use Linux to avoid this, but then you pay a price when you need to run some Windows-only software.
Pick your poison. Probably your boss already picked it for you...
 

Offline Rerouter

  • Super Contributor
  • ***
  • Posts: 4704
  • Country: au
  • Question Everything... Except This Statement
Re: Malware and web browser hijackers
« Reply #6 on: October 24, 2018, 09:01:31 am »
As a starting point, you would need to try deleting your malware-related files before the OS is running; the easiest way is generally running command prompt and regedit from a Windows setup disk.

For things like Windows 7 and up you can use Resource Monitor to get an idea what EXEs are accessing web resources, then the many, many regedit flags for IE defaults, run on startup, and others you will likely find by using keywords based on the related files you can find.

The other big way to make progress on a longer term would be to upload the example malware files to a company like Malwarebytes, etc., so that they can later on add it to the malware they can deal with.

To be clear, a trojan is a program that lets other programs in; it can be allowing literally anything else in.
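The "run on startup" and service hunting Rerouter describes can be done in one pass. The following is an added example, not code from the thread or from any of the tools mentioned: it enumerates the Run/RunOnce keys, services and scheduled tasks on Windows 7 and flags entries whose binary sits in a user-writable tree, which is where a self-reinstalling dropper usually lands. The folder list and the path-parsing heuristics are assumptions; the script only reads, it deletes nothing.

```powershell
# Added example (not from the thread): enumerate Windows 7 autostart locations and
# flag entries whose executable lives in a user-writable folder. Read-only; run as
# admin in PowerShell 2.0 or later. Folder list and heuristics are assumptions.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Trees a legitimate service or startup program rarely runs from.
$userWritable = @($env:USERPROFILE, $env:TEMP, $env:ProgramData, $env:PUBLIC)
$psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExePath([string]$cmd) {
    # Separate the program from its arguments: quoted path, or first .exe token.
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return $cmd.Trim()
}

function Test-UserWritable([string]$path) {
    $p = [Environment]::ExpandEnvironmentVariables($path).ToLower()
    foreach ($dir in $userWritable) {
        if ($dir -and $p.StartsWith($dir.ToLower())) { return $true }
    }
    return $false
}

$entries = @()
foreach ($key in $runKeys) {                       # registry Run / RunOnce values
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($psNoise -contains $prop.Name) { continue }
        $entries += New-Object PSObject -Property @{
            Source = $key; Name = $prop.Name; Command = [string]$prop.Value }
    }
}
foreach ($svc in (Get-WmiObject Win32_Service)) {  # services: msconfig "disable" is not removal
    $entries += New-Object PSObject -Property @{
        Source = 'Service'; Name = $svc.Name; Command = [string]$svc.PathName }
}
# Scheduled tasks: schtasks exists on Win7, Get-ScheduledTask does not.
foreach ($t in (schtasks /query /fo CSV /v | ConvertFrom-Csv)) {
    if ($t.TaskName -eq 'TaskName' -or -not $t.'Task To Run') { continue }  # repeated header rows
    $entries += New-Object PSObject -Property @{
        Source = 'Task'; Name = $t.TaskName; Command = $t.'Task To Run' }
}

$suspicious = $entries | Where-Object { Test-UserWritable (Get-ExePath $_.Command) }
$suspicious | Sort-Object Source, Name | Format-Table Source, Name, Command -AutoSize
```

The names it prints are the keywords to search for in the registry and on disk from the setup-disk command prompt; a service whose binary is under the profile or ProgramData and comes back after MSE removes it is the pattern the opening post describes.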
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6066
  • Country: au
Re: Malware and web browser hijackers
« Reply #7 on: October 24, 2018, 09:05:36 am »
Firstly, a good anti-virus tool should really do nothing more than alert you to a threat and block it from running in the first place the moment it even touches your machine, but even a decent anti-virus program is no match for a determined human who doesn't know any better. If you've already managed to get a virus/trojan/worm onto your machine, the safest thing to do is just format it and reinstall everything from scratch.

You could spend many hours or days trying to "remove it", all the while it's in the background stealing your data and login details.

It should take someone no more than a few hours to reinstall Windows 7 on a machine with all drivers and updates installed.

 

Offline rjp

  • Regular Contributor
  • *
  • Posts: 124
  • Country: au
Re: Malware and web browser hijackers
« Reply #8 on: October 24, 2018, 09:41:41 am »
You can use a simple DNS management tool like Pi-hole to close off known malware sites.

 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6066
  • Country: au
Re: Malware and web browser hijackers
« Reply #9 on: October 24, 2018, 09:43:47 am »
You can use a simple DNS management tool like Pi-hole to close off known malware sites.
Excellent suggestion (I use Pihole myself, it's a brilliant product) but I think it's also important to point out that this is not a remedy to the malware. You still need to remove it.
 

Offline Muttley Snickers

  • Supporter
  • ****
  • Posts: 2385
  • Country: au
  • Cursed: 679 times
Re: Malware and web browser hijackers
« Reply #10 on: October 24, 2018, 09:50:57 am »
Windows just rang and they want their malware back or else you are going to get it.   :scared:
 

Offline rjp

  • Regular Contributor
  • *
  • Posts: 124
  • Country: au
Re: Malware and web browser hijackers
« Reply #11 on: October 24, 2018, 10:09:54 am »
You can use a simple DNS management tool like Pi-hole to close off known malware sites.
Excellent suggestion (I use Pihole myself, it's a brilliant product) but I think it's also important to point out that this is not a remedy to the malware. You still need to remove it.

OP stated

Quote
At work my win 7 machine's MS Security Essentials is constantly all day detecting and removing the same exact trojan over and over.

which indicates maybe it's not a removal problem, or not just a removal problem; it may help to block the sites these things come from.
 

Offline DimitriP

  • Super Contributor
  • ***
  • Posts: 1415
  • Country: us
  • "Best practices" are best not practiced.© Dimitri
Re: Malware and web browser hijackers
« Reply #12 on: October 24, 2018, 10:28:54 am »
Add a new user. If it stops happening, copy your stuff. Disable the original user.
Or you could "just" wipe the existing installation and reinstall everything

Quote
It should take someone no more than a few hours to reinstall Windows 7 on a machine with all drivers and updates installed.


Reinstalling windows is the fast and easy part.  It's all the programs you need to install afterwards that take almost forever.
   If three 100  Ohm resistors are connected in parallel, and in series with a 200 Ohm resistor, how many resistors do you have? 
 

Offline IanMacdonald

  • Frequent Contributor
  • **
  • Posts: 943
  • Country: gb
    • IWR Consultancy
Re: Malware and web browser hijackers
« Reply #13 on: October 24, 2018, 11:57:03 am »
By far the most common form of malware these days is that spread by social engineering. The typical ploy is to send you a convincing-looking email with a malicious attachment, or which points you to a website which will offer a malicious download.

The best protection against this is a software restriction policy, because this will stop the executable from being launched from the download folder.

The problem with traditional AV software is that it relies on the threat being known in advance, and it's so simple to code a new executable for this class of malware that the bad guys just keep putting out new ones to avoid detection.

Working as a non-admin user, whilst advisable, offers little protection because there is a lot of damage a user-level program can do anyway. Like deleting your documents, which are probably of more worth to you than the OS anyway.

I'm not entirely convinced that Linux IS any safer from this class of exploit. Most installations have wine, and will therefore run any double-clicked Windows executables. The difference in stats is more likely because Linux users tend to be more tech-savvy and therefore less easily duped.

The one really, REALLY bad development in this area is Microsoft's obsession with 'Packaged Apps' which run inside user profile folders. The presence of these 'Apps' severely restricts the security protections that you can put in place.
« Last Edit: October 24, 2018, 11:59:18 am by IanMacdonald »
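To make the software restriction policy argument concrete, here is an added example, not from the thread or from Microsoft, in PowerShell that models how SRP path rules are evaluated: the most specific matching path rule wins, and the policy's default level applies when nothing matches. The rule set, the sample paths and the profile-installed application are constructed for the illustration; the script does not read or write the live policy (which lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer), and it ignores hash and certificate rules, which outrank path rules in real SRP.

```powershell
# Added example (not from the thread): a model of Software Restriction Policy path
# rule evaluation. Rules and sample paths are constructed; the real policy under
# HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer is not read here.
$DefaultLevel = 'Disallowed'        # nothing runs unless a rule allows it
$Rules = @(
    @{ Path = '%SystemRoot%';        Level = 'Unrestricted' },
    @{ Path = '%ProgramFiles%';      Level = 'Unrestricted' },
    @{ Path = '%ProgramFiles(x86)%'; Level = 'Unrestricted' },
    # User-writable spots inside the allowed trees get re-blocked explicitly.
    @{ Path = '%SystemRoot%\Temp';   Level = 'Disallowed' },
    @{ Path = '%SystemRoot%\Tasks';  Level = 'Disallowed' }
)

function Get-SrpLevel([string]$exePath, [hashtable[]]$rules, [string]$defaultLevel) {
    # The most specific (longest) matching path rule decides; default level otherwise.
    $target = [Environment]::ExpandEnvironmentVariables($exePath).ToLower().TrimEnd('\')
    $best = $null; $bestLen = -1
    foreach ($r in $rules) {
        $prefix = [Environment]::ExpandEnvironmentVariables($r.Path).ToLower().TrimEnd('\')
        if ($target -eq $prefix -or $target.StartsWith($prefix + '\')) {
            if ($prefix.Length -gt $bestLen) { $best = $r; $bestLen = $prefix.Length }
        }
    }
    if ($best) { return $best.Level } else { return $defaultLevel }
}

function Show-Decisions([string[]]$paths) {
    foreach ($p in $paths) { '{0,-48} {1}' -f $p, (Get-SrpLevel $p $Rules $DefaultLevel) }
}

$samples = @(
    '%SystemRoot%\notepad.exe',                    # Unrestricted via %SystemRoot%
    '%SystemRoot%\Temp\setup.exe',                 # Disallowed: more specific rule wins
    '%USERPROFILE%\Downloads\invoice.exe',         # Disallowed: default level (the email attachment case)
    '%LOCALAPPDATA%\Programs\ExampleApp\app.exe'   # constructed profile-installed app
)
'--- default-deny policy ---'; Show-Decisions $samples

# The profile-installed app problem: to let it run you must open a user-writable
# path, and anything later dropped into that tree inherits the allow.
$Rules += @{ Path = '%LOCALAPPDATA%\Programs\ExampleApp'; Level = 'Unrestricted' }
'--- after allowing the profile app ---'
Show-Decisions @('%LOCALAPPDATA%\Programs\ExampleApp\app.exe',
                 '%LOCALAPPDATA%\Programs\ExampleApp\dropped.exe')
```

The last two lines are the point about apps living in the profile: the allow rule needed for them is a path rule on a folder the user (and so a dropper) can write to.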
 

Offline MT

  • Super Contributor
  • ***
  • Posts: 1676
  • Country: aq
Re: Malware and web browser hijackers
« Reply #14 on: October 24, 2018, 12:34:23 pm »
Anyone can recommend known-good removal tools? At work my win 7 machine's MS Security Essentials is constantly all day detecting and removing the same exact trojan over and over. Googling the name of the trojan yields no specific results whatsoever for win32/texsafea. Probably it's a randomized executable name. Trying to delete the file is not possible, turning off the related service in msconfig doesn't stop it either.

Another thing that happens is that Waterfox and Internet Explorer randomly open tabs to a 7nt.com website, a Chinese site. I added that to hosts and it blocks whatever that connects to, but the tabs keep trying to open.

I've tried several tools like Malwarebytes, Spybot, Norton, Avast. Either they detect nothing, or remove a bunch of stuff... only for the same things above to start again. Running the scans in safe mode doesn't change anything either.

Googling for removal tools seems to point to weird tools that may themselves be malware in any case.

This is such a jungle that you can spend all day (and night) looking into it to no avail.

What tools do you use?

You need to use the "dangerous" malware tools to be able to even poke at certain nasty malware.
Else erase the HD and do a new install. Else a new HD and a new install.
« Last Edit: October 24, 2018, 12:36:39 pm by MT »
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 2270
  • Country: 00
Re: Malware and web browser hijackers
« Reply #15 on: October 24, 2018, 12:45:02 pm »
I'm not entirely convinced that Linux IS any safer from this class of exploit.

I am.

Most installations have wine, and will therefore run any double-clicked Windows executables.

I guess we engineers don't simply double-click on everything we download, especially if it has a .exe extension.
If an engineer is that ignorant, well, then there's no solution.

The difference in stats is more likely because Linux users tend to be more tech-savvy and therefore less easily duped.

But this is a tech forum; most of us are engineers and are tech-savvy. So, let's keep it in this context.

The most important factor is that Linux desktop market share is somewhere around 2%. As a result, almost all malware is targeted at Windows, Android and Mac.
This alone is already a good reason to use Linux on the desktop.

And no, the argument "but if everybody moves to Linux, malware writers will follow" is nonsense because we all know that desktop Linux market share will not go anywhere for the foreseeable future. So, the few that move to Linux profit from that.


 

Offline metrologist

  • Super Contributor
  • ***
  • Posts: 2266
  • Country: 00
Re: Malware and web browser hijackers
« Reply #16 on: October 24, 2018, 01:24:40 pm »
Is combofix still a thing?

I used it once to remove a trojan/rootkit that had embedded itself in a driver utility or something like that. While the malware was removed, the ultimate solution was to format and reinstall.
 

Offline Cyberdragon

  • Super Contributor
  • ***
  • Posts: 2676
  • Country: us
Re: Malware and web browser hijackers
« Reply #17 on: October 24, 2018, 01:48:57 pm »
Is combofix still a thing?

I used it once to remove a trojan/rootkit that had embedded itself in a driver utility or something like that. While the malware was removed, the ultimate solution was to format and reinstall.

It is possible to entirely remove a rootkit, but not from within the infected machine itself. You have to use repair discs and external tools, as most likely it has embedded itself into the OS and other critical files. There should be some sort of bootable anti-virus you can put on a disc or USB drive to clean a corrupted OS.
*BZZZZZZAAAAAP*
Voltamort strikes again!
Explodingus - someone who frequently causes accidental explosions
 

Offline IanJ

  • Supporter
  • ****
  • Posts: 1781
  • Country: scotland
  • Full time EE & Youtuber/Creator
    • IanJohnston.com
Re: Malware and web browser hijackers
« Reply #18 on: October 24, 2018, 05:12:27 pm »
Hi all,

Don't forget full system backups... it makes life a LOT easier with minimal downtime, say 1 hr typically instead of "several days".

I back up my Windows drive C with Image for Windows once a week or so; it's a few clicks using Image For Windows and it's done... and so in the event of drive failure or other such catastrophic problem, it's just a case of swapping out the drive for a fresh one (if you want to), booting the Image For Windows USB stick and restoring drive C from the single backup image file.
Backups take about 20 mins typically and you can work while it's doing its thing.
Restoring takes slightly longer.
I typically have stored away up to 5 or so image files of my main Dev PC drive C covering the past few weeks/months... then there are the image files for my web server, laptops, logging PC etc.

The pain and time it takes to format/re-install an OS and then re-install the apps/data etc. just doesn't need to happen IMHO...

Ian.
Ian Johnston - Original designer of the PDVS2mini || Author of WinGPIB
Website: www.ianjohnston.com
YouTube: www.youtube.com/user/IanScottJohnston, Odysee: https://odysee.com/@IanScottJohnston, Twitter(X): https://twitter.com/IanSJohnston, Github: https://github.com/Ian-Johnston?tab=repositories
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8221
  • Country: de
  • A qualified hobbyist ;)
Re: Malware and web browser hijackers
« Reply #19 on: October 24, 2018, 05:24:26 pm »
Several vendors of antivirus software offer free bootable "rescue disks", e.g. https://support.kaspersky.com/viruses/krd18 or https://www.avira.com/en/support-download-avira-antivir-rescue-system.
 

Online coppercone2

  • Super Contributor
  • ***
  • Posts: 11157
  • Country: us
  • $
Re: Malware and web browser hijackers
« Reply #20 on: October 24, 2018, 08:08:31 pm »
Ask your co-worker to take a peek  :-DD :-DD
 

Offline jmelson

  • Super Contributor
  • ***
  • Posts: 2841
  • Country: us
Re: Malware and web browser hijackers
« Reply #21 on: October 24, 2018, 10:49:19 pm »

I'm not entirely convinced that Linux IS any safer from this class of exploit. Most installations have wine, and will therefore run any double-clicked Windows executables. The difference in stats is more likely because Linux users tend to be more tech-savvy and therefore less easily duped.
Well, DON'T use Wine.  Use VirtualBox, and only have the Windows guest OS running when you need it, and ONLY run specific Windows-only apps on it.  NEVER get on the net from the guest OS except to load those apps when you set up the Windows system.  This has worked FINE for me for years.
I have a couple CAD packages that are Windows-only, and that is all that is ever run on the Windows guest OS.  Never had a problem with it.

As for Linux apps, they all seem to be pretty robust, and detect malware such as spreadsheet or word documents with macros in them.
And, of course, if you download a .exe file, Linux will be totally unable to run it, as the binary format is incompatible.

Jon
 

Offline metrologist

  • Super Contributor
  • ***
  • Posts: 2266
  • Country: 00
Re: Malware and web browser hijackers
« Reply #22 on: October 24, 2018, 11:03:13 pm »
Is combofix still a thing?

I used it once to remove a trojan/rootkit that had embedded itself in a driver utility or something like that. While the malware was removed, the ultimate solution was to format and reinstall.

It is possible to entirely remove a rootkit, but not from within the infected machine itself. You have to use repair discs and external tools, as most likely it has embedded itself into the OS and other critical files. There should be some sort of bootable anti-virus you can put on a disc or USB drive to clean a corrupted OS.

My understanding and experience was that that is exactly what combofix can do. I think earlier versions did not run on the OS at all, but that was many years ago.

And now I come to Hiren's BootCD. I'd never be able to pull that out of my head.
 

Online Alex EisenhutTopic starter

  • Super Contributor
  • ***
  • Posts: 3530
  • Country: ca
  • Place text here.
Re: Malware and web browser hijackers
« Reply #23 on: October 25, 2018, 03:55:55 am »
My favorite part so far: getting windows 7 to create a repair CD. It writes to a blank CD, reports success, you can see something happened to the CD in the drive because now it shows 0 bytes free, eject the disc, insert it again.... it's magically blank.
This from the tool in Windows 7 in another PC.
Genius.
Hoarder of 8-bit Commodore relics and 1960s Tektronix 500-series stuff. Unconventional interior decorator.
 

Offline Karel

  • Super Contributor
  • ***
  • Posts: 2270
  • Country: 00
Re: Malware and web browser hijackers
« Reply #24 on: October 25, 2018, 06:35:49 am »
Hi all,

Don't forget full system backups... it makes life a LOT easier with minimal downtime, say 1 hr typically instead of "several days".

I back up my Windows drive C with Image for Windows once a week or so; it's a few clicks using Image For Windows and it's done... and so in the event of drive failure or other such catastrophic problem, it's just a case of swapping out the drive for a fresh one (if you want to), booting the Image For Windows USB stick and restoring drive C from the single backup image file.
Backups take about 20 mins typically and you can work while it's doing its thing.
Restoring takes slightly longer.
I typically have stored away up to 5 or so image files of my main Dev PC drive C covering the past few weeks/months... then there are the image files for my web server, laptops, logging PC etc.

The pain and time it takes to format/re-install an OS and then re-install the apps/data etc. just doesn't need to happen IMHO...

Ian.

No matter which OS you are running, if your business depends on it, Ian's solution is the best.
 

