Win8 Malware Removal

Thread: Win8 Malware Removal

  1. #1
    slgrieb (Registered User)
    Join Date
    Feb 2003
    Posts
    4,103

    Win8 Malware Removal

    Yessir, got to do my first Win8 malware removal today. Machine was a Christmas gift, and it has already required cleaning. Fortunately (since there still isn't a version of ComboFix for Win8), it didn't turn out to be anything too intense. TDSSKiller came up clean, and MBAM 1.7 found 119 PUPs, almost all of which were MyWeb related, but there were several entries for software (toolbars, etc.) related to GamingWonderland.com, as well as Incredibar, and a couple of coupon toolbars and related stuff.

    None of that was particularly difficult to remove, but I also noticed that TVFanatic.com's player was installed. That installs two or three nasty things (variable, but always including Yontoo) that MBAM still fails to detect, but both ComboFix and NOD32 (including the online scanner) do remove.

    Well, just for grins, I decided to run the computer's bundled AV software, McAfee, before I ran Eset's online scan. Amazingly, McAfee found no threats.

    One really interesting thing stood out when I compared the MBAM and McAfee scans. I ran full scans with both programs, and McAfee reported 191,310 items scanned, which included processes in memory, registry entries, files, etc. MBAM reported 368,623 items scanned. Perhaps the term "full scan" doesn't mean what I thought it did?

  2. #2
    Niclo Iste (Registered User)
    Join Date
    Oct 2007
    Location
    Pgh, PA
    Posts
    2,051
    Sadly, I forgot to bring with me the utility I made that wipes Yontoo out of the system or I'd offer it to you for future use. I am mildly interested in fixing a Win8 machine to see what works and doesn't work from both the cleaning and the infector sides since Win8 is supposed to be a lot different under the hood.
    One Script to rule them all.
    One Script to find them.
    One Script to bring them all,
    and clean up after itself.

  3. #3
    slgrieb (Registered User)
    Join Date
    Feb 2003
    Posts
    4,103
    I really haven't looked at any of the Yontoo-specific tools, since ComboFix and NOD32 seem to do the trick, and I pretty much run 'em in every removal. Still, it might be interesting to do an A/B comparison with a standalone tool.

    The biggest change I would expect in 8 would be freedom from rootkits; at least if Secure Boot is enabled. Or until it's cracked. I would say that anything that generates any kind of advertising should automatically be considered malware, due to the danger inherent in un-screened ads. But, most malware removal tools see the majority of this stuff as PUPs rather than outright infections, of course. As if anyone would really want any of this crap on their system if they understood everything it did and the associated risks. Still, all this stuff looks like standard add-ons to the system, so no serious red flags are raised by Windows or your browser. Personally I think MS and all browser vendors should make it much more difficult to install this junk.

    Anyway, on the same note, it's interesting to look at a couple of the default settings in IE and Chrome. Internet Explorer 10 lets you block changes to your search engine by third party software, but you have to turn on that feature; it's off by default. Likewise, by default, Chrome doesn't check a web site for a revoked certificate. Once again, you have to enable that feature if you want it. It just seems to me that all browsers should be more restrictive by default, and provide clearer explanations of their security alerts, instead of adopting the attitude that "Heck, users won't understand this alert anyway, so let's just keep it 'usable'".
    Last edited by slgrieb; January 4th, 2013 at 06:17 PM.
