Dealing with malware
I am often asked by friends and family to help remove malware from their computers. In doing so, I have built up a collection of tools and a process for removing malware. I thought I would share some of these in the hope that they may be of use to other people.
The process I employ for removing malware is based on advice from Mark Russinovich, one of the developers of the Sysinternals Suite of tools.
I’ve listed the steps below, but you can check out Mark’s excellent presentation, which he has been giving for some time now at TechEd; the latest one, from 2012, is here: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/SIA302. If you just want to remove the malware (as opposed to analysing it for research, forensics etc.) the steps provide a pretty good high-level approach.
- Disconnect from the network – you’ll want to do this to stop the malware from exfiltrating (stealing) information from your computer and to prevent it from downloading and installing more malicious software on your computer. Of course if you've disconnected from the network you’ll be unable to download updates or virus removal tools directly.
- Identify malicious processes and drivers
- Terminate identified processes
- Identify and delete malware autostarts – malware often adds registry keys to start itself upon reboot, often from multiple locations, so you will want to remove the autostart entries to prevent it from coming back on reboot.
- Delete malware files
- Reboot and repeat – if you have not uncovered all the malicious files and the ways in which it autostarts you may have to repeat the process.
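As an added example (not part of Mark's talk or the original post), here is a read-only PowerShell triage pass covering the "identify processes" and "identify autostarts" steps: it lists every running process with its image path and Authenticode signature status, and dumps the Run/RunOnce autostart values for the machine and the current user. The Run/RunOnce keys are an assumed, common subset of autostart locations; it assumes Windows PowerShell 5.1 or later in an elevated prompt so that other users' process paths are readable.

```powershell
# Added example, not from the original post. Read-only triage of processes and
# Run-key autostarts. Assumes Windows PowerShell 5.1+, run elevated.

# Assumed subset of autostart keys; the post lists further locations separately.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ProcessTriage {
    # One row per process: PID, name, image path and signature status.
    # Path is $null for protected processes whose image we cannot read.
    Get-Process | ForEach-Object {
        $path = $null
        try { $path = $_.Path } catch { }
        $status = 'NoPath'
        if ($path) {
            # Status is 'Valid' only when the file is signed and chains to a trusted root.
            $status = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
        }
        [PSCustomObject]@{
            PID       = $_.Id
            Name      = $_.ProcessName
            Path      = $path
            Signature = $status
        }
    }
}

function Get-AutostartTriage {
    # Every value under a Run/RunOnce key is a command line executed at logon.
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            [PSCustomObject]@{
                Key     = $key
                Name    = $name          # '' is the key's (default) value
                Command = $regKey.GetValue($name)
            }
        }
    }
}

# Anything not carrying a valid signature gets a closer look; a valid signature
# from a known vendor is how you tell your AV's own processes from an imposter.
Get-ProcessTriage |
    Where-Object { $_.Signature -ne 'Valid' } |
    Sort-Object Path |
    Format-Table PID, Name, Signature, Path -AutoSize

Get-AutostartTriage | Format-Table Key, Name, Command -AutoSize
```

Run it once before terminating anything and keep the output; after the "reboot and repeat" step a second run makes it obvious which process or Run value has come back. Unsigned or `NotSigned` is not proof of malware (plenty of legitimate software ships unsigned), but an unsigned image started from a Temp directory by a Run value is exactly the pattern the steps above are meant to catch.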
Note that this is not an exhaustive list of such tools, simply the ones that I use most often.
I often use this tool to scan computers for malware on top of any antivirus product that might already be installed. Be warned it can take a fair amount of time to scan a PC (especially if it has a pretty large hard drive with many files).
Icesword, Gmer & Tuluka
These can be very useful for finding rootkits and other malware that buries itself deep into your computer; however, you need to know what you are doing to use these tools effectively.
Icesword is a rootkit detection tool that provides a number of useful features including:
- A list of running processes
In the example above you can see there are several processes used by Google Chrome, along with their process IDs (PIDs) and the location of the executable on disk (PathName).
- Open network connections
In the screenshot above you can see the highlighted TCP network connection has been opened by Google Chrome.
- Kernel modules
- Registry editor which can show hidden keys
- File browser from which you can forcibly delete files that cannot be deleted in Windows Explorer.
- System start up programs
- Message hooks - A hook is a mechanism by which an application can intercept events, such as messages, mouse actions, and keystrokes. Icesword lists information on hooks and which process has registered the hook (including its path on disk).
Gmer is another tool for finding malware with some similar features to Icesword, including
Tuluka is an anti-rootkit tool, which you can use to inspect processes, drivers, various types of hooks etc. Tuluka will flag potentially suspicious items in red – note the emphasis on potentially. Just because it flags something doesn’t mean it is malware. For example, antivirus software often registers various hooks in the operating system to prevent malware from easily disabling it, and these hooks will often be highlighted by tools like Tuluka, Icesword or Gmer! So how do you know that it really is your antivirus software that has registered these hooks? Well, Sysinternals’ Process Explorer (discussed below) can verify the digital signatures of processes, so you can be reasonably certain that they are legitimate, assuming the AV vendor digitally signs their files.
Okay so this isn't a tool but a suite of tools which can be used to obtain detailed information about processes, services and other system objects. The tools in this suite can be useful if you are trying to understand what a particular piece of malware is doing, which registry keys it is writing to, which directory it was launched from etc.
This tool can be used to log file system, registry and network related activity on your computer, which can be useful in trying to determine what a piece of malware is doing. The filtering functionality is particularly useful to zero in on activity related to a particular process name or on other attributes.
Process Explorer is an advanced replacement for Task Manager and provides a wealth of information on the processes running on your system, including:
- The location of the executable file on disk; so you can find and delete the file on disk
- The command line options it was started with,
In the example above you can see where the Google Chrome executable is located on disk. You can also see that it runs with a heck of a lot of command line options!
- Any handles it has open (select Show Lower Pane from the View menu); if it’s dropping other malicious files you can find these too. You can also find out which process has a handle open to a particular file by selecting Find > Find Handle or DLL.
- Strings contained within the executable etc.
Process explorer not only shows you the strings contained within the executable on disk (by selecting the Image radio box) but also when it has been loaded into memory (Memory radio box). Malware executables are often packed so strings output may not show anything interesting, but are unpacked once loaded into memory and therefore you may see a difference in strings output.
Malware often hides within the legitimate svchost.exe process, which Windows uses to host the processes of some common Windows system services. Process Explorer will show you the services svchost is hosting.
Another standalone tool that provides this information is svchostviewer.
In some cases, if you terminate a malicious process another “buddy” process detects this and spawns a new copy. A common counter-tactic is to suspend the suspicious process rather than kill it, clean up the registry entries, other malicious files etc., and only then terminate it.
An alternative to Process Explorer is ProcessHacker.
HiJackThis inspects your PC and generates a report of registry and file settings. It’s useful for identifying potentially suspicious registry entries, Browser Helper Objects (BHOs) etc.
Some malware will disable regedit, or stop you from running msconfig, cmd.exe, Task Manager and other utilities. This tool allows you to quickly re-enable these.
Not a tool as such but a website where you can upload a file for VirusTotal to scan with multiple AV engines, and it displays a report on which engines found the file to contain malware.
Common Registry and File System Locations
There are a number of common locations in the filesystem and in the registry where malware hides or resides; if you're trying to remove malware these are worth checking, and they are listed below.
- C:\Documents and Settings\[Username]\Local Settings\Temp
- %Program Files%\Internet Explorer\[ FileName].dll
- %Program Files%\Movie Maker\[ FileName].dll
- %All Users Application Data%\[ FileName].dll
- %Temp%\[ FileName].dll
- %System%\[ FileName].tmp
- %Temp%\[ FileName].tmp
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify
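To make the list above actionable, here is an added PowerShell example (mine, not the post's) that sweeps the file locations for recently written DLL, TMP and EXE files and dumps the three registry locations: each Browser Helper Object CLSID with the DLL it loads, the Winlogon Shell and Userinit values, and any Winlogon Notify packages. It assumes `$env:ProgramData` stands in for `%All Users Application Data%` (true on Vista and later) and that the first list entry is the same directory as `%Temp%`; the 7-day window is an assumed default.

```powershell
# Added example, not from the original post. Read-only sweep of the drop
# locations and registry keys listed above. Assumes Windows PowerShell 3.0+.

# Assumption: $env:ProgramData == %All Users Application Data% (Vista+), and
# $env:TEMP == Documents and Settings\[Username]\Local Settings\Temp (XP).
$fileLocations = @(
    (Join-Path $env:TEMP '*'),
    (Join-Path $env:SystemRoot 'System32\*.tmp'),
    (Join-Path $env:ProgramFiles 'Internet Explorer\*.dll'),
    (Join-Path $env:ProgramFiles 'Movie Maker\*.dll'),
    (Join-Path $env:ProgramData '*.dll')
)

function Get-RecentDropFiles {
    param([int]$Days = 7)   # assumed default window
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($pattern in $fileLocations) {
        Get-ChildItem -Path $pattern -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -gt $cutoff -and $_.Extension -in '.dll', '.tmp', '.exe' } |
            ForEach-Object {
                [PSCustomObject]@{
                    Path      = $_.FullName
                    Modified  = $_.LastWriteTime
                    Signature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                }
            }
    }
}

function Get-BrowserHelperObjects {
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (-not (Test-Path -Path $bhoKey)) { return }
    Get-ChildItem -Path $bhoKey | ForEach-Object {
        # Each subkey is a CLSID; the implementing DLL is the (default) value of
        # HKCR\CLSID\{clsid}\InprocServer32.
        $clsid  = $_.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = $null
        if (Test-Path -Path $server) { $dll = (Get-Item -Path $server).GetValue('') }
        [PSCustomObject]@{ CLSID = $clsid; Dll = $dll }
    }
}

function Get-WinlogonEntries {
    $wl = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $key = Get-Item -Path $wl
    # Stock values: Shell = 'explorer.exe', Userinit = 'C:\Windows\system32\userinit.exe,'
    # (trailing comma included). Anything appended after a comma runs at logon too.
    foreach ($name in 'Shell', 'Userinit') {
        [PSCustomObject]@{ Name = $name; Value = $key.GetValue($name) }
    }
    # Notify subkeys (XP era) each name a DLL that winlogon.exe loads.
    $notify = Join-Path $wl 'Notify'
    if (Test-Path -Path $notify) {
        Get-ChildItem -Path $notify | ForEach-Object {
            [PSCustomObject]@{ Name = "Notify\$($_.PSChildName)"; Value = $_.GetValue('DLLName') }
        }
    }
}

Get-RecentDropFiles      | Sort-Object Modified -Descending | Format-Table -AutoSize
Get-BrowserHelperObjects | Format-Table -AutoSize
Get-WinlogonEntries      | Format-Table -AutoSize
```

The registry reads go through the 64-bit view on a 64-bit Windows; BHOs registered by 32-bit Internet Explorer live under the `Wow6432Node` mirror of the same keys, so check both if the browser is 32-bit. Nothing here deletes anything: the point is to produce the list of paths and CLSIDs you then remove with the tools described earlier.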
Some malware attempts to disable antivirus software, prevent the installation of AV software or prevent updates to such software.
The simplest method I’ve seen of the latter is to add entries to C:\Windows\system32\drivers\etc\hosts that point AV update domains to the localhost. The hosts file is also sometimes used to redirect requests for common sites such as google.com to a fake website hosting malicious content. I’ve seen some malware keep this file open to prevent you from editing it. In this case you can use a tool like Process Explorer or OpenedFilesView (http://www.nirsoft.net/utils/opened_files_view.html) from NirSoft to determine which process has a handle open to the file and close it.
Another trick for when malware is preventing you from using AV or other tools: use Desktops (part of the Sysinternals Suite) to create a new virtual desktop and run the tool there. This works because malware is usually only aware of the Window Station of the currently logged-on user.
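The hosts-file tampering described two paragraphs up can be checked without opening the file in an editor. The following added PowerShell example (not the post's code) parses the hosts file and reports two patterns: names pointed at a loopback or null address (the AV-update block) and names pointed at any other address (the fake-site redirect). The list of names that legitimately map to loopback is an assumption, as is the default file path; finding the process holding the file open is still the Process Explorer/OpenedFilesView step from the text.

```powershell
# Added example, not from the original post. Read-only hosts-file review.

function Get-SuspiciousHostsEntries {
    param(
        # Assumed default location; pass another path to review a copied file.
        [string]$HostsPath = (Join-Path $env:SystemRoot 'System32\drivers\etc\hosts')
    )
    # Assumed set of names that are fine pointing at loopback.
    $benignNames = @('localhost', 'localhost.localdomain', 'broadcasthost',
                     'ip6-localhost', 'ip6-loopback')
    $loopbackIps = @('127.0.0.1', '::1', '0.0.0.0')

    $lineNo = 0
    foreach ($line in Get-Content -Path $HostsPath) {
        $lineNo++
        $text = ($line -split '#', 2)[0].Trim()   # strip trailing comment
        if (-not $text) { continue }              # blank or comment-only line
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }     # address with no host names
        $ip = $fields[0]
        $isLoopback = $loopbackIps -contains $ip

        foreach ($name in $fields[1..($fields.Count - 1)]) {
            $reason = $null
            if ($isLoopback) {
                # A real host name sinkholed to loopback: typical AV-update block.
                if ($benignNames -notcontains $name.ToLower()) { $reason = 'blocked (maps to loopback)' }
            } else {
                # Any non-loopback mapping overrides DNS for that name: possible redirect.
                $reason = 'redirected (maps to non-loopback address)'
            }
            if ($reason) {
                [PSCustomObject]@{ Line = $lineNo; Host = $name; Address = $ip; Reason = $reason }
            }
        }
    }
}

Get-SuspiciousHostsEntries | Format-Table Line, Host, Address, Reason -AutoSize
```

A stock Windows hosts file contains only comments, so an empty result is the expected clean state; every row reported is a line a person or a program added. Some ad-blocking host lists deliberately sinkhole thousands of names to 0.0.0.0, so a long "blocked" list is not by itself malicious, but an AV vendor's update domain appearing in it is.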