Manually finding and removing malware
This whole virus thing is getting out of hand. Here in Bogota I
encountered a new one. I noticed it because new files and folders
appeared on my USB device. The machine was running an up-to-date
version of avast! Antivirus. Scanning my USB stick returned no results.
I then used PortableClam and AVG Free; both found nothing wrong
with those virus files either. Next I uploaded the virus executable to
virustotal.com, where 40+ different antivirus engines scan
the file; none of them identified it as a virus.
The virus doesn't use autorun.inf and also doesn't add an entry to
the registry's Run key; it works as an extension to Windows Explorer.
24 hours later, 2 of the 40+ engines at virustotal.com identified the
virus correctly. I installed one of those two, Avira AntiVir Personal,
and it found some copies and healed the machine.
Next I checked the USB stick of a fellow traveler who I knew
had used the infected computer. Avira found six different viruses on
it; however, there was one it didn't find.
All this begs the question whether antivirus software is
helpful at all. Personally I never use it anyway, but this prompted me
to write a bit about finding and removing viruses without AV software.
There are three different categories of malware:
- It uses one or more programs of its own and is visible in Task Manager or Process Explorer.
- It attaches itself to existing Windows processes, such as explorer.exe or svchost.exe.
- It uses rootkit technology to hide itself from you and from the operating system itself.
How does malware become active?
- It adds itself to one of the many places in the Windows
configuration that autostart programs when the computer boots up or a user logs
on. All of these are listed in Autoruns.exe.
- It attaches itself to Windows Explorer as a component or handler
(check the Autoruns.exe Explorer tab), it installs itself as a service that runs in
the svchost.exe process (check the Autoruns.exe Services tab), or it takes over the
functionality of another Windows feature such as Task Manager.
- It attaches itself to other programs on the hard drive or the USB
device and is launched whenever you start one of these programs. In
some cases it attached itself to dozens of random applications on my USB stick,
including some of the tools mentioned below. This is really a pain.
- It uses the autorun.inf feature to start when a removable drive is added, or a CD/DVD is inserted.
- It masks itself with a Folder icon in Windows Explorer and waits for you to click on it.
- It uses bugs in user software, mostly web browsers, to copy itself onto your machine and execute.
- It uses bugs in the operating system to install and start itself without any user involvement.
How to notice malware on your PC:
- The computer is running slowly.
- There are files and programs on your PC that you do not recognize.
- You can surf the internet, but certain sites such as www.microsoft.com or the sites of
antivirus software vendors do not work.
- There are folders in Windows Explorer, but clicking on them doesn't open them.
- After a reboot Windows reports a Data Protection Violation in
"Windows Explorer" and shuts down Explorer, restarting it right away.
How to find malware on your computer
Software tools to use; these are all free and do not require any installation.
The Sysinternals tools can be started directly from the Sysinternals website,
but I would rather download them and put them into your tools folder.
There are tons of other network monitoring tools, but I like SmartSniff because it is a small single file and
doesn't need any installation.
Using Windows Explorer
In Windows Explorer's Folder Options > View, make sure 'Show hidden files
and folders' is selected and that 'Hide extensions for known file types' and
'Hide protected operating system files' are NOT ticked. Now Explorer
should show you all files regardless of their attributes.
Look for an autorun.inf file on any removable drives such as
USB thumb drives; plug one in to see if there is one. If there is one,
open it in notepad.exe and see whether it points to a legitimate
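What "points to" means in practice is the set of directives in the [autorun] section that make Windows run something. The script below is an added example (not code from the original post) that parses an autorun.inf the way you would read it in Notepad and lists every directive that launches code, together with the executables and DLLs it names. The two sample files are constructed; the one modelled on the hidden autorun.inf and system.dll pair described later in the post is what a suspicious file looks like, the other is a harmless driver CD that only sets a label and an icon.

```python
r"""Triage an autorun.inf: which directives make Windows run code?

Added example, not code from the original post. The samples below are
constructed; the directive names (open, shellexecute, shell\<verb>\command)
are the ones Windows honours in the [autorun] section.
"""
import configparser
from typing import Dict, List, Tuple

# File types Windows will execute or load as code when they appear in a
# directive value (constructed list for this example).
CODE_EXTENSIONS = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll")


def parse_autorun(text: str) -> Dict[str, str]:
    """Return the [autorun] section as a lowercase-key dict, {} if absent or unparsable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    if not parser.has_section("autorun"):
        return {}
    return {key.lower(): value.strip() for key, value in parser.items("autorun")}


def is_launch_directive(key: str) -> bool:
    r"""open= and shellexecute= run when the drive is inserted (where AutoPlay
    allows it); shell\<verb>\command= replaces the drive's context-menu verbs,
    so a plain double-click on the drive icon runs the listed command."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command")
    )


def referenced_code(value: str) -> List[str]:
    """Tokens of a directive value that name something executable or loadable."""
    tokens = value.replace(",", " ").split()
    return [token for token in tokens if token.lower().endswith(CODE_EXTENSIONS)]


def assess_autorun(text: str) -> List[Tuple[str, str, List[str]]]:
    """(directive, value, code files) for every directive that launches code."""
    return [
        (key, value, referenced_code(value))
        for key, value in parse_autorun(text).items()
        if is_launch_directive(key)
    ]


# Constructed sample modelled on the hidden autorun.inf + system.dll pair in the post
SUSPICIOUS_AUTORUN = """\
[autorun]
shellexecute=rundll32.exe system.dll,Install
shell\\open\\command=rundll32.exe system.dll,Install
shell=open
"""

# Constructed sample of a harmless driver CD: only a label and an icon
BENIGN_AUTORUN = """\
[autorun]
icon=setup.exe,0
label=Vendor driver CD
"""

if __name__ == "__main__":
    for key, value, code in assess_autorun(SUSPICIOUS_AUTORUN):
        print(f"{key} = {value}  -> runs {', '.join(code)}")
    print("benign sample:", assess_autorun(BENIGN_AUTORUN))
```

An icon= or label= line on its own is not a reason for alarm; what matters is whether any directive names a file in the drive root that you did not put there, which is exactly the check the post asks you to do by eye.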
Using Process Explorer
- Under Options, tick 'Verify Image Signatures'; this checks whether the software is really from the vendor it claims to be from.
- Look at the Company column; if it is not visible, turn it on via
View > Select Columns. Look at all processes that are not by Microsoft
Corporation. Do you know what these processes are? Take special care if
there is no company name or if the process has a weird name.
- Check for process names such as csrss.exe, lsass.exe and
services.exe that are not from Microsoft. These are malware processes
that use the names of well-known system processes.
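The three checks above (company name, signature, and a well-known name running from the wrong place or under a near-miss spelling) can be applied to a process list mechanically. The following is an added example, not code from the original post: it takes a snapshot shaped like the Process Explorer columns (name, path, company, signature verified) and returns the reasons each process stands out. The snapshot is constructed, and the table of core processes with their home directories is an assumption for a default Windows XP install under C:\WINDOWS.

```python
r"""Flag processes that impersonate core Windows processes.

Added example, not code from the original post. Works on a constructed
snapshot of (name, path, company, verified) records like the columns
Process Explorer shows. The CORE_PROCESSES table is an assumption for a
default Windows XP install (C:\WINDOWS).
"""
import difflib
import ntpath
from typing import Dict, List

# Core Windows processes and the directory each one legitimately runs from.
CORE_PROCESSES = {
    "smss.exe": r"C:\WINDOWS\system32",
    "csrss.exe": r"C:\WINDOWS\system32",
    "winlogon.exe": r"C:\WINDOWS\system32",
    "services.exe": r"C:\WINDOWS\system32",
    "lsass.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}


def assess_process(proc: Dict[str, object]) -> List[str]:
    """Return the reasons a process looks suspicious ([] when nothing stands out)."""
    name = str(proc["name"]).lower()
    directory = ntpath.dirname(str(proc["path"])).lower()
    reasons: List[str] = []
    if name in CORE_PROCESSES:
        # A real system process lives in one place and is signed by Microsoft.
        if directory != CORE_PROCESSES[name].lower():
            reasons.append(f"{name} runs from {directory} instead of {CORE_PROCESSES[name]}")
        if proc.get("company") != "Microsoft Corporation" or not proc.get("verified"):
            reasons.append(f"{name} is not a verified Microsoft image")
    else:
        # Near-miss spellings (scvhost.exe, svch0st.exe) are the 'weird name' case.
        lookalike = difflib.get_close_matches(name, CORE_PROCESSES, n=1, cutoff=0.85)
        if lookalike:
            reasons.append(f"{name} looks like a misspelling of {lookalike[0]}")
        if not proc.get("company"):
            reasons.append(f"{name} has no company name")
    return reasons


def triage(snapshot: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map the path of every flagged process to its reasons."""
    return {str(p["path"]): reasons for p in snapshot if (reasons := assess_process(p))}


# Constructed snapshot: one genuine csrss.exe, one impostor using the same name,
# one lookalike name, and an ordinary Microsoft program.
SNAPSHOT = [
    {"name": "csrss.exe", "path": r"C:\WINDOWS\system32\csrss.exe",
     "company": "Microsoft Corporation", "verified": True},
    {"name": "csrss.exe", "path": r"C:\WINDOWS\csrss.exe",
     "company": "", "verified": False},
    {"name": "scvhost.exe", "path": r"C:\WINDOWS\system32\scvhost.exe",
     "company": "", "verified": False},
    {"name": "notepad.exe", "path": r"C:\WINDOWS\system32\notepad.exe",
     "company": "Microsoft Corporation", "verified": True},
]

if __name__ == "__main__":
    for path, reasons in triage(SNAPSHOT).items():
        print(path)
        for reason in reasons:
            print("   ", reason)
```

The similarity cutoff is deliberately loose; it trades a few false positives (which you then look up by hand, as the post suggests) for catching single-character substitutions in the names malware likes to borrow.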
Using Autoruns
Under the 'Options' menu, tick
'Hide Microsoft and Windows Entries' and 'Verify Code Signatures', then
press F5 to reload the entries.
On the 'Everything' tab, check all entries against the software
you know you have installed. Take special care with entries that don't have a
publisher or where the publisher is not verified. If you have entries
where the file is not found, you can delete them. If you have entries
that shouldn't really be there, you can at least untick them to disable
them and turn them back on later.
How can you tell which entries are legitimate and which are
not? Select the entry and press CTRL+M to search for it online. There
are many sites that describe all possible entries in the list.
Using TCPView
Look at the list of processes and the connections they have open.
Are there any connections that look suspicious? Close any of your applications
that generate legitimate network traffic while doing this.
If you have found network traffic in TCPView that looks suspicious, you can use
SmartSniff to look at the actual packets. This sometimes helps to identify malware.
Using Rootkit Revealer
Run RootkitRevealer to find any rootkits on your system.
Using Process Monitor
If you have identified files that reappear on your drives after you delete them,
they most likely belong to malware. You can use Process Monitor to identify what
re-creates them. The same is true for registry entries.
Checking the hosts file
Open the file 'C:\WINDOWS\system32\drivers\etc\hosts' in Notepad.exe; there should be a single entry.
If there are other entries, it may mean that malware has changed the file.
This file can be used to route certain host names to malicious computers, or to make
sites such as www.microsoft.com or antivirus vendor sites unreachable.
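The hosts file is plain text, so the check is easy to automate. Below is an added example (not code from the original post) that parses a hosts file, treats the loopback-to-localhost line as the one expected entry (an assumption about what a clean file contains), and reports every other name as either blocked (pointed at this machine, which is why such sites "do not work") or redirected (pointed at some other host). Names under Microsoft or antivirus-vendor domains are rated high; the vendor list and the sample file are constructed, and 192.0.2.10 is a documentation address, not a real server.

```python
"""Check a Windows hosts file for entries that block or redirect sites.

Added example, not code from the original post. Assumes a clean file
holds only the loopback mapping for localhost. The vendor domain list
and SAMPLE_HOSTS are constructed; 192.0.2.10 is a documentation address.
"""
import ipaddress
from typing import List, Tuple

# Domains whose presence in hosts is a strong sign of tampering (constructed list).
SENSITIVE_DOMAINS = ("microsoft.com", "windowsupdate.com",
                     "avast.com", "avira.com", "avg.com", "f-secure.com")

Finding = Tuple[str, str, str, str]  # hostname, address, effect, severity


def parse_hosts(text: str):
    """Yield (address, [hostnames]) for each real entry; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so not a usable entry
        entries.append((address, fields[1:]))
    return entries


def is_sensitive(hostname: str) -> bool:
    """True when hostname is one of the sensitive domains or a subdomain of one."""
    host = hostname.lower()
    return any(host == d or host.endswith("." + d) for d in SENSITIVE_DOMAINS)


def assess_hosts(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for address, names in parse_hosts(text):
        for name in names:
            if name.lower() == "localhost" and address.is_loopback:
                continue  # the one line a clean file is expected to contain
            if address.is_loopback or address.is_unspecified:
                effect = "blocked"      # resolves to this machine: the site "does not work"
            else:
                effect = "redirected"   # resolves to some other host entirely
            severity = "high" if is_sensitive(name) else "review"
            findings.append((name, str(address), effect, severity))
    return findings


# Constructed sample: the expected localhost line plus four entries malware might add.
SAMPLE_HOSTS = """\
# a clean file contains only the localhost line
127.0.0.1       localhost
127.0.0.1       www.microsoft.com
0.0.0.0         update.microsoft.com
192.0.2.10      www.avast.com
192.168.1.5     fileserver
"""

if __name__ == "__main__":
    for hostname, address, effect, severity in assess_hosts(SAMPLE_HOSTS):
        print(f"[{severity:6}] {hostname} -> {address} ({effect})")
```

An entry rated "review" is not necessarily bad (people do add their own file servers), but anything that blocks or redirects an update or antivirus site has no legitimate reason to be there.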
How to remove malware
After you have identified processes that are malware or malware-related, you need to get rid of them.
There are three steps involved:
- Stop the running malware processes
- Remove the files from the system
- Change the configuration to remove autostart behaviour
'Good' malware tries to prevent you from doing any of those by keeping locks on files, having secondary processes that restart it, and other measures.
The first thing you should try is to 'kill' the process in Process Explorer. This may include killing
Windows Explorer if the malware has attached itself to it.
If the process reappears soon after you killed it, there is another process running that restarts it. If you can
identify several malware processes, use DTaskManager, select them all and kill them in one go.
Then delete the files you have identified as malware.
Finally delete the startup configuration for the malware using Autoruns.
Modern malware, even if it is not a rootkit, hides itself very well. Conficker is a good example. It doesn't show up in the
process list, and even though it is a Windows service it also doesn't show up in the services list.
It uses random file names that could not be found in Autoruns.exe. However, it was still fairly easy to detect: pinging
www.microsoft.com got no answer while pinging www.google.com worked. To remove Conficker I actually used specific
removal tools that are available on the net.
What if the malware is aware of your tools and prevents you from using them?
Some malware monitors every process start-up and shuts down the new process, or the whole OS, if you start an application
that could be dangerous to the malware.
In some cases it is possible to just rename the tools and then use them, because the malware looks for commonly known executable names.
In one case I couldn't start any of my tools, not even custom VB scripts; everything was shut down right away. In that
case I used pslist.exe and pskill.exe (part of the PsTools suite) from a second machine to kill processes on the infected machine.
Rootkit Case study in Santiago de Chile
In a hostel in Santiago, after plugging in my USB drive I noticed a new hidden autorun.inf and system.dll in the root of my drive and of all other drives. Nothing new here, right? So I killed explorer.exe to get rid of any malware that had attached to it. I deleted the two files and they came back within seconds. I killed all other user processes and a bunch of services, but the files kept coming back.
So I started Process Monitor to find out which process was writing these files. It was a process with process ID 960; however, over in Process Explorer there was no such process. I used TCPView to look at the network traffic, and a process listed only as " 960" kept ports open.
I tried to kill 960 with pskill.exe but got an "Access Denied"; using pskill.exe /t 960 says "success" but does not actually kill the process.
In comes Rootkit Revealer, right? It does show one issue but it looks harmless.
One other thing I noticed is that in Process Explorer I did not see a svchost.exe for all the network services. That's the one process that hosts over a dozen services; however, these services were running. Also, Process Monitor said the executable for process 960 was svchost.exe /netsvc.
I looked around and found some tools that show hidden processes; the one I ended up using is "ptree.exe". It shows one extra process marked "hidden", and that is the missing svchost.exe. Even though the tool has an option to kill a hidden process, it did not work in my case. I guess because it runs all those network services along with the malware service, there was no way to kill it.
I looked for the service in the registry using OORegEdtor.exe (because regedit.exe was no longer present on the system) but could not find an unfamiliar service.
I looked into svchost.exe a bit: when started, it takes its parameter, in this case "netsvcs", and looks up the registry value "netsvcs" in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost". This is known as a service group, a list of all the services to be started in that process as long as they are set to autostart. Again though, that list looked okay.
At this point I downloaded some rootkit removal tools like BlackLight from F-Secure; it found the hidden process, but to remove it, it would rename the executable file on the next system startup. This is problematic because svchost.exe hosts many other essential Windows services.
I looked at Autoruns.exe again with the "Verify Code Signatures" option enabled; on the Services tab there were three Microsoft services that were not verified. This means the executable files were different from the original signed Microsoft versions of the files. In this case the services were "W32Time", "Schedule" and "srservice".
After a bit more online research I found a tool called RootKitUnhooker, which also showed the hidden process and was able to kill it.
The two files in the root could now be deleted and there was no longer any network activity.
I installed AVG Free, which found a whole bunch of viruses on the system but could only delete some of them. It refused to delete the three infected service files listed above: "Object is white-listed (critical/system file that should not be removed)". I made sure those services were not running and then replaced the files with the copies from the "C:\WINDOWS\ServicePackFiles" directory. The dates and sizes of the files were the same, but they were indeed different.
Threats found by AVG:
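The last observation above is the important one: a replaced system file can keep the original size and timestamp, so only the content (or its signature, as Autoruns showed) gives it away. The script below is an added example, not code from the original post. It hashes each live file and its reference copy, the way you would compare system32 against the ServicePackFiles copies, and distinguishes files that differ despite matching size and date from those that are plainly different or absent. It builds two throwaway directories with constructed contents; the DLL file names are my assumption for the three services named in the post, not something the post states.

```python
r"""Compare live system files against reference copies by content hash.

Added example, not code from the original post. Builds two throwaway
directories standing in for C:\WINDOWS\system32 and C:\WINDOWS\ServicePackFiles
with constructed contents; the DLL names are assumed for the W32Time,
Schedule and srservice services, not taken from the post.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_against_reference(reference_dir: Path, live_dir: Path,
                              names: Iterable[str]) -> Dict[str, str]:
    """Classify each named file by comparing its live copy with the reference copy."""
    results: Dict[str, str] = {}
    for name in names:
        reference, live = reference_dir / name, live_dir / name
        if not live.exists():
            results[name] = "missing from live directory"
            continue
        if not reference.exists():
            results[name] = "no reference copy"
            continue
        ref_stat, live_stat = reference.stat(), live.stat()
        # Size and modification time are what Explorer shows; they are easy to fake.
        same_metadata = (ref_stat.st_size == live_stat.st_size
                         and int(ref_stat.st_mtime) == int(live_stat.st_mtime))
        if sha256_of(reference) == sha256_of(live):
            results[name] = "identical"
        elif same_metadata:
            results[name] = "modified (size and date unchanged)"
        else:
            results[name] = "modified"
    return results


def run_demo() -> Dict[str, str]:
    """Construct the two directories and return the comparison."""
    stamp = 1090000000  # one fixed timestamp applied to every file
    originals = {  # constructed contents, all assumed DLL names
        "w32time.dll": b"reference bytes for the Windows Time service DLL",
        "schedsvc.dll": b"reference bytes for the Task Scheduler service DLL",
        "srsvc.dll": b"reference bytes for the System Restore service DLL",
    }
    with tempfile.TemporaryDirectory() as tmp:
        reference_dir = Path(tmp) / "ServicePackFiles"
        live_dir = Path(tmp) / "system32"
        reference_dir.mkdir()
        live_dir.mkdir()
        for name, data in originals.items():
            (reference_dir / name).write_bytes(data)
            # Two of the live copies are tampered but keep the same length
            # (last byte changed); srsvc.dll stays pristine.
            live_data = data if name == "srsvc.dll" else data[:-1] + b"X"
            (live_dir / name).write_bytes(live_data)
        (live_dir / "extra.dll").write_bytes(b"a file with no reference copy")
        for path in list(reference_dir.iterdir()) + list(live_dir.iterdir()):
            os.utime(path, (stamp, stamp))  # same date everywhere, as in the post
        names = list(originals) + ["extra.dll", "absent.dll"]
        return compare_against_reference(reference_dir, live_dir, names)


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name:14} {status}")
```

Against a real machine you would point reference_dir at the ServicePackFiles copies and live_dir at system32; a "modified (size and date unchanged)" result is exactly the case AVG's whitelist refused to touch and that only the unverified signature in Autoruns revealed.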
- Trojan horse Dropper.Generic_c.ANE
- Trojan horse Agent.ATAT
- Trojan horse Agent.ATAS
- Trojan horse Generic12.WWC
Is this bulletproof?
In my experience it is possible to remove most malware using the methods described above, but you can never be 100% certain.
However, if there are no unwanted processes running and no unwanted network traffic for a long period of time, you
can be pretty sure your system is now clean.