This was a problem I encountered today. I set a customer’s homepage to what she wanted, but every time I opened Internet Explorer, it would go to one of those suspicious websites, this one was www-searching.com. The customer’s brother loaded a bunch of those junk free but not free potentially-unwanted-programs. Even after cleaning with Malwarebytes and Rogue Killer, the malicious website remained.
It turns out that one of those programs modified the shortcut for Internet Explorer. With IE and Google Chrome and Mozilla Firefox and Opera and, well … any browser, if you add a website to after the program, it will load that website. So if I type “C:\Program Files (x86)\Mozilla Firefox\firefox.exe” www.google.com, the browser will open up and go to google.com ignoring what my homepage is set to. If the shortcut is modified so that a malicious website is added after the program name, then whenever you click on the icon to load the browser it will load that malicious website. Simply remove anything after the program file name and you will be good to go.
This is a problem that can have multiple causes. In the computer I was working on, the Bamital trojan had made it impossible to do anything. The trojan would prevent you from doing anything and wanted you to pay a ransom. This was different than Crytowall, which holds your files for ransom, in that this trojan held your computer for ransom. In the process of removing the trojan, I also removed a legitimate Windows file which caused the problem.
These antivirus recommendations are personal opinion based on my experience. I will list many common ones below in alphabetical order. This post will occasionally be updated. The last update was March 17, 2015.
One important note: Regardless of which antivirus program you use, you should never ever use automatic renewal. This will prevent accidental renewals in case you want to use a different antivirus program. Make the company earn your business; don’t be loyal to any one product.
I have seen a rather nasty virus lately: poweliks. Of the 4 times I have seen it in the past week, 2 were related to the Cryptowall malware. Poweliks is very hard to detect and once it is on your computer, it can actively hide from many antivirus and antimalware programs. Poweliks has the following tale-tell signs:
- Several legitimate Windows files will have high CPU usage. Some variants load several dllhost.exe files (most likely the 32-bit version). Some will constantly load other legitimate files.
- The registry will be modified so that certain keys are not accessible with the regedit.exe program or antivirus or antimalware software.
- There is no actual virus file. The file itself is stored in the registry and using a few tricks (and what I call design flaws of Windows), it loads the file straight from the registry. Sometimes the tricked used will make it impossible for anything except Windows to read the bad registry key.
Sometimes, a virus or malware will modify the registry so that when you log in, a malicious file is processed instead of the standard windows file. There are several types of viruses that do this. Fortunately, the fix for all is the same. This is different than when Windows immediately restarts in Safe Mode. If that happens, you have malware that you will need to remove without Windows running.
Another old problem I had noted. I cleaned a computer that was infected with two rootkits, one in the Master Boot Record (MBR) and the other that dread UAC rootkit. These rootkits were modifying files as they were executed or when the file performed some action it did not like. For example, on this person’s computer, the rootkits corrupted McAfee files and would corrupt anti-malware scanners like HijackThis when it tried to scan. The MBR rootkit was very nasty. When you have a rootkit that corrupts anti-malware files, you will need to change the file name to something random (provided your file is not corrupted) or use the Windows disc to rebuild the MBR and manually remove the files or both.
I encounter a problem that happened when you right-click a program. As soon as you right-clicked a program, a pop-up box appeared that said “There was a problem starting C:\users\owner\AppData\local\Temp\[random letters]\[different random letters]\wow.dll. A dynamic link library (DLL) initialization routine failed”. Or something like that.
Repeated searches of the registry for wow.dll found absolutely nothing. There was no trace of wow.dll in any of the startup entries. Internet searches weren’t very helpful either. I had already cleared all the temporary files, or so I thought, and so I thought the malware was removed.
It turns out there was a hidden, system folder that had its permissions taken away so that it was difficult to find and delete. After using Explorer to show hidden and system files, I had to right-click to get the permissions of the folder and take ownership of the now visible folder with the random letters. The error message came back, but I was still able to select the folder properties. After changing permissions and taking ownership of the folder, I discovered there was a wow64.dll file in that folder. Very sneaky. I deleted all those files and folders and the error message went away. Next I checked the registry for any references to wow64.dll and cleared those out.
The lesson is to always check for hidden, system files when you cannot figure out where the malware file is.
After I cleared out the malware, I did find this article which is also helpful. http://weirdwindowsfixes.blogspot.com/2013/06/wowdll-right-click-error.html
Here is a new trick of malware, booting only to the command prompt. Since malicious software changes daily to stay ahead of antivirus programs it has a one-day window to cause havoc. Further, the black hats are always two-steps ahead. They probably know Windows better than the programmers at Microsoft do. This new trick is to boot into a command prompt and not load the explorer.exe file. Most programs that start when you boot are loaded only when the explorer.exe file does. Many antivirus real-time scanners and update procedures are only loaded when explorer.exe is. By preventing that file to open, the antivirus does not update. If the antivirus does not update, it does not know about the new malware on the computer.
The fix is simple enough. You will first need to remove the file that starts the malware. Try safe mode first. Although a new trick of some malware is to cause the computer to immediately reboot when starting in safe mode so you may need to use the Windows Vista/7/8 DVD to manually remove the file in the places malware like to hide.
Once the malware is removed, open the registry editor: regedit.exe. Navigate to the registry hive HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Look for the keys shell and ParseAutoexec. The ParseAutoexec key is probably set to 1, that is the default value. You might want to change it to 0 so that the autoexec.bat is not run by default. If you see the shell key, you should either delete it or change the value to explorer.exe. If the shell key is absent, Windows defaults to global entry. Next, check the global entry by navigating to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon hive and make sure the shell key’s value is explorer.exe.
After that, in the command prompt run the explorer.exe file and then do a malware scan to clean out any remnant files.
If the Master Boot Record (MBR) or partition information has been damaged by a virus, Windows will not boot. Variants of the TDSS rootkit, for instance, will infect the MBR and remove the system and active flags on all partitions. The purpose of that is to make sure the boot process must active the TDSS rootkit. You’ll know this has happened when all you get is a flashing cursor when attempting to boot from the primary hard drive. It can be easily fixed with the Windows 7 DVD. This process is easier with the Windows 7 DVD than with the Windows 8 or Windows Vista DVD. This solution only works if the hard drive has a MBR. The MBR replacement, GUID Partition Table (GPT), requires a computer with the UEFI instead of the BIOS. GPT is more secure than the MBR.
- Boot into the Windows 7 DVD and choose Repair Your Computer.
- Startup Repair may run, if it does, let it fix the problem. If it doesn’t, then run startup repair immediately. Then immediately reboot back into the Windows 7 DVD.
- Open a command prompt.
- If using Windows Vista or later, run the following commands:
chkdsk c: /f /x (NOTE: The Windows DVD may have the Windows partition another drive letter. Make sure you use that drive letter.)
bootsect /nt60 sys /force /mbr
bcdboot c:\windows /s c: (NOTE: The Windows DVD may have assigned the Windows partition another letter. Use the drive letter Windows assigned for c:\windows.)
select disk # (use the list disk command to get a list of drives and use the # of the boot drive.)
select partition # (use the list partition command to get a list of partitions on this drive and choose the partition with Windows on it, likely the largest.)
- If using Windows XP or earlier, use the same commands except replace /nt60 with /nt52 in the bootsect command and do not use bcdboot.
- Reboot and run TDSSKiller.