Manually finding and removing malware

This whole virus thing is getting out of hand. Here in Bogota I encountered a new one. I noticed it because new files and folders appeared on my USB device. The machine was running an up to date version of avast! Antivirus. Scanning my USB stick returned no results. I then used PortableClam and AVGFree, both found nothing to be wrong with those virus files either. Next I uploaded the virus executable to virustotal.com, there they use 40+ different antivirus engines to scan the file, none of them identified it as a virus.

The virus doesn't use autorun.inf and also doesn't add an entry to the registry's run key, it works as an extension to Windows Explorer.

24 hours later 2 of the 40+ engines at virustotal,com identified the virus correctly. I installed one of those two, Avira AntiVir Personal and it found some copies and healed the machine.

Next I checked the USB stick of a fellow traveler who I knew had used the infected computer. Avira found six different viruses on it, however there was one, it didn't find.

All this begs the questions whether Anti virus software is any helpful at all. Personally I never use it anyway, but this prompted me to write a bit about finding and removing viruses without AV software.

There are free different categories of malware:
  1. It uses one or multiple programs and is visible in Task Manager or Process Explorer
  2. It uses existing Windows processes to attach itself to, such as explorer.exe or svchost.exe.
  3. It uses RootKit technology to hide itself from you and the operating system itself.
How does malware become active:
  1. It adds itself to one of the various places in the Windows configuration to autostart when the computer boots up or a user logs on. All of these all listed in Autoruns.exe
  2. It attaches itself to Windows Explorer as an component or handler, (check the autoruns.exe Explorer tab), it installs itself as a service that runs in the svchost.exe process (check Autoruns.exe Services tab) or takes over the functionality of another Windows feature such as Task Manager (Winlogon\TaskMan)
  3. It attaches itself to other programs on the harddrive or the USB device and is launched whenever you start one of these programs. In some cases it attached itself to dozens of random applications on my USB stick including some of the tools mentioned below. This is really a pain.
  4. It uses the autorun.inf feature to start when a removable drive is added, or a CD/DVD is inserted.
  5. It masks itself with a Folder icon in Windows Explorer and waits for you to click on it.
  6. It uses bugs in user software, mostly Web Browsers to copy itself onto your machine and executes.
  7. It uses bugs in the operating system to install and start itself without any user involved.
How to notice malware on your PC:
How to find malware on your computer
Software tools to use, these are all free and do not require any installation.
The sysinternals tools can be started directly from live.sysinternals.com, but I would rather download them and put them into your tools folder.

There are tons of other network monitoring tools, but I like SmarfSniff because it is a small single file and doesn't need any installation.
Using Windows Explorer
In Windows Explorer's Folder Options-View make sure 'Show hidden files and folders' is selected and 'Hide extensions for know file types' and 'hide protected operating system files' are NOT ticked. Now Explorer should show you all files regardless their attributes.

Look for an autorun.inf file on any removalable drives such as USB thumbdrives, plug one in to see if there is one. If there is one, open it in notepad.exe and see whether it points to a legitimate program.
Using Process Explorer
- Under Option, tick 'Verify Image Signatures', this checks whether the software is really from the vendor it says it is from.

- Look at the Company column, if not visible, turn it on by View-Select columns. Look at all processes that are not by Microsoft Corporation, Do you know what these processes are? Take special care if there is no company and if the process has a weird name.

- Check for process names such as csrss.exe, lsass.exe and services.exe that are not from Microsoft. These are malware processes that use the names of well known system processes.
Using Autoruns
Under the 'Options' menu, tick 'Hide Microsoft and Windows Entries' and 'Verify Code Signitures', press F5 to reload the entries.

On the 'Everything' tab, check all entries for known Software you have installed. Take special care about entries that don't have a publisher or where the publisher is not verified. If you have entries where the file is not found, you can delete them. If you have entries, that shouldn't really be there, you can at least untick them to disable them and can later turn them back on.

How can you tell which entries are legitimate and which are not? Select the entry and press "CTRL+M" to search for it online. There are many sites that describe all possible entries in the list.
Using TCP View
Look at the list of processes and then the connections they have open. Are there any connections that look suspicious? Close any of your applications that do legetimate network traffic when doing this.
Using SmartSniff
If you have found some network traffic in TCP View that look suspicious, you can use Smartsniff to look at the actual packets. This sometimes helps to identify malware.
Using Rootkit Revealer
Run Rootkit Revealer to find any root kits of your system.
Using Process Monitor
If you have identified files that re-appear on your drives after you delete them, it is likely they belong to malware. You can use Process Monitor to identify what re-creates them. The same is true for registry entries.
Using Notepad
Open the file 'C:\WINDOWS\system32\drivers\etc\hosts' in Notepad.exe, there should be a single entry:

127.0.0.1 localhost

If there are other entries, it may mean that malware has changed the file. This file can be used to route certain host-names to malicious computers.
How to remove malware
After you have identified processes that are malware or mailware related, you need to get rid of them.
There are three steps involved:
  1. Stop the running malware processes
  2. Remove the files from the system
  3. Change the configuration to remove autostart behaviour
'Good' malware tries to prevent you from doing any of those, by keeping locks on files, having secondary processes to restart itself and other measures.

The first thing you should try is to 'kill' the process in Process Explorer. This may include killing Windows Explorer if the malware has attached itself to it.

If the process re-appears soon after you killed it, there is another process running that re-starts it. If you can identify several malware processes, use DTaskManager, select them all and kill them it one go.

Then delete the files you have identified as malware.

Finally delete the startup configuration for the malware using Autoruns.

nextGen: Conficker
Modern malware even if it is not a rootkit, hides itself very well. Conficker is a good example. It doesn't show up in process list and even though it is a Windows Service it also doesn't show up in the services list. It uses random file names that could not be found in autoruns.exe. However it was still fairly easy to detect it; by pinging www.microsoft.com and getting no answer while pinging www.google.com worked. To remove Conficker I actually use specific removal tools that are available on the net.
What if the malware is aware of your tools and prevents you from using them?
Some malware monitors any process start up and shuts down the new process or the whole OS if you start an application that could be dangerous to the malware.

If some cases it is possible to just rename the tools and the use them, because the malware looks for commonly known executable names.

In one case I couldn't start any of my tools, not even custom vb scripts, everything was shut down right away. In that case I used pslist.exe and pskill.exe (part of the PsTools Suite) from a second machine to kill processes on the infected machine.
Rootkit Case study in Santiago de Chile
In a hostel in Santiago after plugging in my USB drive I noticed a new hidden autorun.inf and system.dll in the root of my drive and all other drives. Nothing new here right? So I killed explorer.exe to get rid of any malware that had attached to it. I deleted the two files and they came back within seconds. I killed all other user processes and a bunch of services but the files keep coming back.

So I started Process Monitor to find out which process is writing these files. It was a process with process ID 960, however over in Process Explorer there was no such process. I used TCPView to look at the network traffic and a " 960" kept ports open.

I tried to kill 960 with pskill.exe but got an "Access Denied", using pskill.exe /t 960 says "success" but does not actually kill the process.

In comes Rootkit Revealer, right? It does show one issue but it looks harmless.

One other thing I noticed is that in Process Explorer I did not see a svchost.exe for all the Network services. Thats the one process that hosts over a dozen services, however these services where running. Also Process Monitor says the executable for process 960 is svchost.exe /netsvc.

I looked around and found some tools that show hidden processes, the one I ended up using is "ptree.exe" It shows one extra process marked "hidden" and that is the missing svchost.exe one. Even though the tool has the option to kill a hidden process it did not work in my case. I guess because it runs all those network services along with the malware service, there was no way to kill it.

I looked for the service in the registry using OORegEdtor.exe (because regedit.exe was not present on the system anymore) but could not find an unfamiliar service.

I looked into svchost.exe a bit, when started it takes its parameter, in this case "netsvcs" and looks up the registry value "netsvcs" in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost", this is known as a service group, a list of all the services to be started as long as they are set to autostart. Again though, that list looked okay.

At this point I downloaded some root kit removal tools like Blacklight from FSecure, it found the hidden process but to remove it, it would rename the executable file on the next system startup. This is problematic because svchost.exe is used to host many other essential Windows services.

I looked at Autoruns.exe again with the "Verify Code Signitures" option enabled, on the services tab there were three Microsoft services that were not verified. This means the executable files were different from the original signed Microsoft versions of the files. In this case the services were "W32Time", "Schedule" and "srservice".

After a bit more online research I found a tool called RootKitUnhooker, which also showed the hidden process and was able to kill it.

The two files in the root could now be deleted and there was no longer any network activity.

I installed AVG Free which found a whole bunch of viruses on the system but could only delete some of them. It refused it delete the three infected services files listed above "Object is white-listed (critical/system file that should not be removed)". I made sure those services were not running and then replaced the files with the copies from the "C:\WINDOWS\ServicePackFiles" directory. The dates and sizes of the files were the same but they were indeed different.

Threads found by AVG:
  • Trojan horse Dropper.Generic_c.ANE
  • Trojan horse Agent.ATAT
  • Trojan horse Agent.ATAS
  • Trojan horse Generic12.WWC
Is this bullet proof?
In my experience it is possible to remove most malware using the methods described above, but you can never be 100% certain.

However, if there are no unwanted processes running and no unwanted network traffic for a long period of time, you can be pretty sure your system is now clean.
Related articles on my blog

Pages in this section