This is part 1 of a 3-part series.
Malware is getting more complicated every day. This is a compiled guide on techniques to identify and remove some rather difficult infestations. Most of this is overkill for easily removable software, and chances are that's what you have if a simple Malwarebytes scan is all that is required, assuming your installed anti-virus didn't catch it already. For the difficult cases there is no easy fix, and removal can take multiple steps.
Most times malware will disable any currently installed anti-virus software and stop the OS from letting you run removal tools. Before we dig in, I always recommend clearing as many temp directories as you can. Less to scan means less time to spend. CCleaner is good for this.
- Can you run your currently installed AV, or can you download and run a removal tool? (I prefer Malwarebytes Anti-Malware in this scenario.)
- If not, can you rename the EXE of your removal tool to something the system might allow to run, such as svchost.exe or iexplorer.exe?
If neither of the above works, we need to start hunting for the processes that are killing our removal programs. Task Manager is the simplest tool to use, as it's already installed. Sometimes you get lucky and find the obvious malware process. Attempt to kill the processes and install/run the removal software again. If finding and killing these processes lets you continue with installing or running the removal software, you might be out of the woods, or not.
- Run a full scan and reboot. Run another full scan. Do you still see infections? Are these infections returning after every reboot? You potentially have a rootkit installed. We will cover that later.
At this point, let's assume you were not able to find any processes to kill. The next tool we will use is Process Explorer, from Microsoft's Sysinternals suite.
Once downloaded and installed, you can use this program to get a more detailed look at all processes running on your system. Big giveaways are applications without icons and applications missing version information, company information, description information, etc.
Another useful feature of Process Explorer is the ability to track a window down to a process. This feature called WindowFinder allows you to drag over to the window and it highlights the process, which can be very useful. The icon looks like an aiming crosshair and is on the toolbar.
Another giveaway is a well-known Windows process, such as logon.exe or svchost.exe, running from a directory it does not normally reside in.
In even a healthy machine processes will start and stop on their own occasionally. If this happens to the detriment of your detective work, you can pause Process Explorer by hitting the space bar. This allows you to find something that might be slipping by before you can pull up its properties.
Process Explorer's colour coding is useful to note:
- Blue = processes running in your current login session
- Pink = processes hosting a Windows service
- Purple = processes running with packed (compressed or encrypted) images
Another thing of note is that malware will often hijack rundll32 or svchost processes and use the hijacked process to host its own code. This is another place Window Finder comes in useful, as you can track a window back to the legitimate-looking process that's being hijacked.
Hovering over a running process shows its path and any additional services it is hosting or running (by svchost.exe, for example). You can also go to the properties of any running process, open the Strings tab, and switch to the "Memory" view of the loaded modules. Search through this dialog and look for anything suspicious.
Process Explorer also has a DLL view that lets you see the DLLs loaded by any process, together with the processes that have them hosted or loaded.
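The two checks just described, a well-known process name running from the wrong folder and odd DLLs in a process's module list, can also be scripted. The PowerShell below is an added example written for this guide, not code from the original post or from Sysinternals; the list of "known" process names and the expected folders are this example's own assumptions and are not exhaustive.

```powershell
# Added example, not from the original post: a PowerShell triage script that
# does two of the Process Explorer checks above by hand.
#   1. Flag well-known Windows process names running from an unexpected folder.
#   2. List the modules (DLLs) loaded into a process that carry no valid signature.
# Run from an elevated 64-bit prompt. The names and folders below are this
# example's own assumption, not an exhaustive list.

$knownSystemBinaries = @('svchost.exe', 'winlogon.exe', 'lsass.exe', 'csrss.exe',
                         'services.exe', 'rundll32.exe', 'explorer.exe')

# explorer.exe normally lives in %SystemRoot% itself; the rest in System32/SysWOW64
$expectedDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64'),
    $env:SystemRoot
)

function Test-ExpectedPath {
    param([string]$Path)
    $parent = Split-Path -Path $Path -Parent
    foreach ($dir in $expectedDirs) {
        if ($parent -ieq $dir) { return $true }
    }
    return $false
}

function Find-MisplacedSystemProcess {
    # Win32_Process exposes ExecutablePath for more processes than Get-Process does
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        if ($knownSystemBinaries -notcontains $p.Name) { continue }
        if (-not $p.ExecutablePath) {
            # Path unreadable (PID 0/4, or not elevated): report it rather than guess
            [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Path = '<unreadable>'; Finding = 'path not readable' }
            continue
        }
        if (-not (Test-ExpectedPath $p.ExecutablePath)) {
            [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath; Finding = 'unexpected folder' }
        }
    }
}

function Get-UnsignedModule {
    # Scripted equivalent of scanning Process Explorer's DLL view for odd entries
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    try { $modules = $proc.Modules }
    catch {
        # Protected processes (and 64-bit targets from a 32-bit shell) refuse enumeration
        Write-Warning "PID ${ProcessId}: cannot enumerate modules ($($_.Exception.Message))"
        return
    }
    foreach ($m in $modules) {
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{ PID = $ProcessId; Module = $m.FileName; Status = $sig.Status }
        }
    }
}

# Usage: list misplaced system binaries, then inspect the DLLs of each hit
$hits = Find-MisplacedSystemProcess
$hits | Format-Table -AutoSize
foreach ($h in ($hits | Where-Object Finding -eq 'unexpected folder')) {
    Get-UnsignedModule -ProcessId $h.PID | Format-Table -AutoSize
}
```

Treat the output as a triage list, not a verdict: a legitimate third-party DLL may be unsigned, and on older Windows versions catalog-signed Microsoft files can show up as NotSigned. What you are looking for is the same thing the colour coding and DLL view are for, a system binary in %TEMP% or a user profile, or an unsigned module with no version information loaded into svchost.exe.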
Malware tends to have multiple processes running that watch each other, so instead of killing or terminating processes, you can suspend them, so their buddy processes won't bring them back to life.
Where did these processes come from? At this point they were probably started with Windows at boot, so the next tool is Sysinternals Autoruns, which lists every autostart location:
HijackThis is also a good tool, but it doesn't grab as much information as Autoruns. So much information is provided that it can be a bit overwhelming. One trick is to go to the Options menu and tick "Verify Code Signatures" and "Hide Microsoft and Windows entries" to show only what's auto-starting that isn't related to Microsoft.
Once identified, you can delete or disable them; disable them. If you then refresh, you can see whether those keys were recreated by any processes that are still running.
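The Autoruns workflow above (verify signatures, hide Microsoft entries, disable, refresh and see what comes back) can be reproduced for the Run/RunOnce keys with the PowerShell below. It is an added example written for this guide, not code from the original post or from Sysinternals, and it covers only a handful of registry keys where Autoruns covers dozens of locations; the key list and the check on the signer's organisation are this example's own assumptions.

```powershell
# Added example, not from the original post: a PowerShell stand-in for Autoruns
# with "Verify Code Signatures" and "Hide Microsoft and Windows entries" ticked,
# limited to the Run/RunOnce keys, plus a snapshot diff to see whether a
# disabled entry gets recreated. The key list and the 'O=Microsoft Corporation'
# signer check are this example's own assumptions.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutorunEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSParentPath, ...)
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

function Get-CommandPath {
    # Pull the executable out of a Run value such as  "C:\Tool\x.exe" /silent  or  %TEMP%\x.exe -a
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"')    { return $Matches[1] }
    if ($cmd -match '^(.*?\.exe)\b') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-SuspiciousAutorun {
    # Everything that is not a validly signed Microsoft binary, i.e. what Autoruns
    # leaves visible with Microsoft entries hidden and signatures verified
    foreach ($e in Get-AutorunEntry) {
        $path = Get-CommandPath $e.Command
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $e.Name; Path = $path; Reason = 'target file missing'; Key = $e.Key }
            continue
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        $fromMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
        if (-not $fromMicrosoft) {
            [pscustomobject]@{ Name = $e.Name; Path = $path; Reason = "signature $($sig.Status)"; Key = $e.Key }
        }
    }
}

function Compare-AutorunSnapshot {
    # Two snapshots some seconds apart: '=>' lines are entries that (re)appeared,
    # '<=' lines are entries that went away in between
    param([int]$Seconds = 30)
    $snap = { @(Get-AutorunEntry | ForEach-Object { "$($_.Key)|$($_.Name)|$($_.Command)" }) }
    $before = & $snap
    Start-Sleep -Seconds $Seconds
    $after  = & $snap
    Compare-Object -ReferenceObject $before -DifferenceObject $after
}

# Usage: review the list, disable the entries you identified, then watch for them coming back
Get-SuspiciousAutorun | Format-Table -AutoSize
Compare-AutorunSnapshot -Seconds 60
```

A "target file missing" row is worth a look too: a Run value pointing at a file that no longer exists is either leftover from a previous clean-up or a loader whose payload is dropped elsewhere. An entry that shows up as `=>` in the snapshot diff after you disabled it is the behaviour the refresh step in Autoruns is meant to catch, and it points you straight back at the process watchdog from the earlier section.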