bcastner (Premium, MVM; joined 2002-09-25; Chevy Chase, MD; Verizon Online DSL)
edited: April 12th, 11:01 AM
Reply to trparky, Re: Using Process Explorer to remove hard-to-remove malware
For malware that hooks in userland, there are some excellent generalist tools that make identification easier.

Let's take Virtumonde as an example. It might hook through Notify keys, through LSA entries, or through obscure autostart locations, but its identification is now fairly reliable -- not only by examining the userland space, but by MD5 hashes, naming conventions, and even still the date/time stamps. Run a renamed version of HijackThis (or use Deckard's System Scan) to see the autostart locations.

The question should not be whether Process Monitor is a great tool; it is. But it would not be the first thing I ran if I suspected Vundo or anything in userland. Malwarebytes Anti-Malware, VundoFix by s!Ri, and ComboFix are all good choices, as are some online scanners, such as the one offered by Kaspersky.

Mark Russinovich (author of Process Explorer/Monitor) has been my colleague at the last two TechEd sessions, and each time has given a lecture on using Process Monitor for malware identification. I very much encourage you to watch the video of one of his lectures if you have never seen him play Process Explorer/Monitor like a piano virtuoso: www.microsoft.com/emea/spotlight···eoid=359

-- MS-MVP 2004-2008, ASAP Member, Users Helping Users
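The autostart locations named in the post above (Run keys, Winlogon Notify, LSA packages, Browser Helper Objects) can be enumerated and fingerprinted from PowerShell. The script below is an added example, not code from the post, from HijackThis or from any other tool the thread names; the registry paths are the standard ones, and the assumption that a bare module name in a Notify or LSA entry resolves to System32 is the script's own. For each entry it records a SHA-256 (use -Algorithm MD5 for the MD5 the post mentions), the Authenticode signer and the file's creation/modification times, so an entry can be compared against known-good values rather than ripped out on sight.

```powershell
# Added example, not from the thread or from any of the tools it names.
# Enumerates XP-era and current autostart locations, resolves each entry to a file
# and records hash, Authenticode signer and timestamps. Read-only; run elevated
# in Windows PowerShell 5.1 or later.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

# First token of a command line: "C:\Program Files\x\y.exe" /flag  or  C:\x\y.dll
function Get-ImagePath([string]$cmd) {
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

# Assumption: a bare module name in Notify/LSA entries is loaded from System32.
function Resolve-ImagePath([string]$p) {
    if (-not $p) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '[\\/]') {
        if ($p -notmatch '\.\w+$') { $p += '.dll' }
        $p = Join-Path $env:SystemRoot "System32\$p"
    }
    return $p
}

function Describe-Entry([string]$Location, [string]$Name, [string]$Raw) {
    $path = Resolve-ImagePath (Get-ImagePath $Raw)
    $info = [ordered]@{ Location = $Location; Name = $Name; Path = $path; Exists = $false;
                        SHA256 = $null; Signer = $null; Created = $null; Modified = $null }
    if ($path -and (Test-Path -LiteralPath $path)) {
        $f   = Get-Item -LiteralPath $path
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $info.Exists   = $true
        $info.SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $info.Signer   = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
        $info.Created  = $f.CreationTime
        $info.Modified = $f.LastWriteTime
    }
    [pscustomobject]$info
}

$entries = [System.Collections.Generic.List[object]]::new()

# Run/RunOnce: each value name is an entry, the value data is its command line
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($v in $props.PSObject.Properties) {
        if ($v.Name -in $metaProps) { continue }
        $entries.Add((Describe-Entry $k $v.Name ([string]$v.Value)))
    }
}
# Winlogon Notify (XP/2003 era; usually absent on later versions): one subkey per
# package, the DLLName value holds the module
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem -Path $notifyKey) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        $entries.Add((Describe-Entry $notifyKey $sub.PSChildName ([string]$dll)))
    }
}
# LSA: multi-string values naming DLLs that lsass.exe loads at boot
foreach ($valueName in 'Notification Packages', 'Authentication Packages', 'Security Packages') {
    $vals = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).$valueName
    foreach ($dll in @($vals)) {
        if ($dll) { $entries.Add((Describe-Entry "$lsaKey\$valueName" $dll $dll)) }
    }
}
# BHOs: CLSID subkeys, resolved through the class's InprocServer32 default value
if (Test-Path $bhoKey) {
    foreach ($clsid in Get-ChildItem -Path $bhoKey) {
        $srv = "HKLM:\SOFTWARE\Classes\CLSID\$($clsid.PSChildName)\InprocServer32"
        $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        $entries.Add((Describe-Entry $bhoKey $clsid.PSChildName ([string]$dll)))
    }
}

# Unsigned or missing files with recent timestamps are the ones to look up first
$entries | Sort-Object Modified -Descending |
    Format-Table Location, Name, Path, Exists, Signer, Modified -AutoSize
```

Two caveats a practitioner should keep in mind: the signer column only proves the file was signed by whoever holds that certificate, not that the entry is wanted, and a Signer of NotSigned is common for legitimate older software, which is exactly why the hash and timestamps are kept alongside it for a look-up instead of treated as a verdict. Services and drivers are not covered here; they live under HKLM:\SYSTEM\CurrentControlSet\Services and can be walked the same way.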
trparky (Bite My Shiny Metal Ass; Premium, MVM; joined 2000-05-24; Cleveland, OH)
I take a different approach to malware removal. My thinking is that if I don't know what it is... out it goes.

Look at it this way... I know what the internal processes of Windows should look like. I know what sub-processes should be running and what threads should be running as well. I've practically memorized all the important system processes and their respective DLLs, so much so that if I were to look at a readout from Process Explorer, I'd be able to tell you whether something is good or bad.

Half the time I don't care about looking something up; I don't have the time... I just dive right in and start ripping things out of the startup routines, drivers, BHOs, services, etc. I try to get the machine I'm working on back to a sterile environment, at which point I let loose the tools of automated removal.

My favorite automated tools are AVG Anti-Spyware, Ad-Aware, Spyware Doctor, and Spy Sweeper. Most of these tools are trialware apps, so you can install them and then remove them when you are done.

-- Tom

Woody79_00 (joined 2004-07-08)
IMO, I definitely think Process Explorer is a good tool for anyone to have in their malware-fighting toolkit. That being said, don't bother memorizing everything; you're wasting your time, as it is impossible to memorize them all. Sure, know all the essential Windows processes, services, etc.

The best tool I have found in my fight is a good Linux Live CD, especially against the likes of Vundo. The newer variants are not completely impossible to remove from inside Windows, but even in Safe Mode it is more effort than it is worth.

This is why I use Process Explorer and other tools to "identify" the type of infection and whatnot. Then I use a Linux Live CD (of your flavor), boot into it, mount that Windows partition, and delete the files in question straight from outside of Windows. Once that occurs and I kill the .exe, the .dll, and the service, I boot into Windows and use a combo of Trend Micro's Sysclean package with the latest definitions, VundoFix, and others to "clean up". I do all of this while the machine is "not" connected to the internet. Once this is done, I reset the firewalls, update the security software, and ensure they are all working properly and are properly patched and up to date; then it seems all is well.

In the end, though, if it's a rootkit, even though I can remove it, there's no way of knowing what has been changed even if I could remove it. In that case, I simply back up important files, nuke the drive, and start over...

This is why I'm an advocate of a "known" clean backup; I can't stress it enough. This is your number 1 fight against malware: get Acronis True Image or some other backup tool and create a clean image. That way, if you even have a "hint" you may have some sort of malware, restore the known clean image.

That is the best thing you can do. I just wonder how long it will be before malware authors find a way to stop people like me from using a Linux Live CD to mount the drive and delete their pesky files....

bcastner (Premium, MVM; joined 2002-09-25; Chevy Chase, MD; Verizon Online DSL)
edited: April 12th, 10:05 PM
Reply to trparky

Start first, not last, with the "automated tools". You mentioned several of note, although the Spy Sweeper trial will not remove anything. Many here have liked SUPERAntiSpyware, so I note that for userland issues of Vundo and some Zlob.

In any case, this is just wrong in my opinion:

quote: Half the time I don't care about looking something up; I don't have the time... I just dive right in and start ripping things out of the startup routines, drivers, BHOs, services, etc. I try to get the machine I'm working on back to a sterile environment, at which point I let loose the tools of automated removal.

There are so many things that are perfectly legitimate entries that using HijackThis or MSCONFIG to "rip out" entries is a serious mistake. If you had written instead:

quote: I start with Add or Remove Programs, and remove any entry that is non-critical or unknown to me....

I might have had some sympathy. Please do not use HijackThis or MSCONFIG as removal tools. You can, with training, use them as an AutoStart entry editor, a kind of friendly REGEDIT. But nothing more.

Finally, as this forum and many others offer friendly, one-on-one malware removal, please take advantage of this. I can assure you that most of the folks who respond can do this better than you can. I know this for a fact, as many can do it better than I can.

Bill Castner
-- MS-MVP 2004-2008, ASAP Member, Users Helping Users
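The reply above prefers starting from Add or Remove Programs and removing what is "non-critical or unknown to me". The script below is an added example, not part of the post, showing how to make "unknown" concrete: it reads the same Uninstall registry keys the Control Panel applet reads and, for each visible entry, reports the publisher, install date and whether the uninstaller on disk carries a valid Authenticode signature. The key paths and the visibility rules (no DisplayName, or SystemComponent set, means hidden) are the standard ones; everything else, including the choice of what to flag, is this example's own.

```powershell
# Added example, not from the thread. Lists what "Add or Remove Programs" shows,
# read from the same Uninstall keys the Control Panel uses, with publisher,
# install date and the Authenticode state of the uninstaller on disk.
# Read-only; nothing is removed. Windows PowerShell 5.1 or later.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Executable named by an UninstallString: quoted, unquoted with spaces, or bare
function Get-UninstallExe([string]$cmd) {
    if (-not $cmd) { return $null }
    if ($cmd -match '^\s*"([^"]+)"')    { return $Matches[1] }
    if ($cmd -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
    if ($cmd -match '^\s*(\S+)')        { return $Matches[1] }
    return $null
}

function Get-InstalledApps {
    foreach ($k in $uninstallKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($sub in Get-ChildItem -Path $k) {
            $p = Get-ItemProperty -Path $sub.PSPath
            if (-not $p.DisplayName)      { continue }   # patches and hidden entries
            if ($p.SystemComponent -eq 1) { continue }   # the Control Panel hides these too
            $exe = Get-UninstallExe ([string]$p.UninstallString)
            if ($exe) { $exe = [Environment]::ExpandEnvironmentVariables($exe) }
            $signer = 'NoFile'
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
                $signer = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
            } elseif ([string]$p.UninstallString -match 'msiexec') {
                $signer = 'MSI'   # Windows Installer package; no standalone uninstaller to check
            }
            [pscustomobject]@{
                Name        = $p.DisplayName
                Publisher   = $p.Publisher
                InstallDate = $p.InstallDate   # yyyymmdd string, frequently empty
                Key         = $sub.PSChildName
                Uninstaller = $exe
                Signer      = $signer
            }
        }
    }
}

$apps = Get-InstalledApps
$apps | Sort-Object Publisher, Name | Format-Table Name, Publisher, InstallDate, Signer -AutoSize

# Candidates for a look-up before anything is removed: no publisher and no valid signature
$apps | Where-Object { -not $_.Publisher -and $_.Signer -notlike 'CN=*' -and $_.Signer -ne 'MSI' } |
    Format-Table Name, Key, Uninstaller, Signer -AutoSize
```

The second table is a reading list, not a removal list: a missing publisher or an unsigned uninstaller is common for older or hobbyist software, and malware that registers an uninstall entry at all can just as easily fill in a plausible publisher. The point is to look each flagged name up first, which is the step the post asks for, and to do the actual removal through the entry's own uninstaller or one of the dedicated tools rather than by deleting autostart lines.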