<?xml version="1.0" encoding="UTF-8"?>

<rss version="2.0" xmlns:blogChannel="http://backend.userland.com/blogChannelModule">

<channel>
<title>Re: Using Process Explorer to remove hard to remove malware in Security</title>
<link>http://www.dslreports.com/forum/r20323146</link>
<description></description>
<language>en</language>
<pubDate>Thu, 21 Aug 2008 00:52:02 EDT</pubDate>
<lastBuildDate>Thu, 21 Aug 2008 00:52:02 EDT</lastBuildDate>

<item>
<title>Re: Using Process Explorer to remove hard to remove malware</title>
<link>http://www.dslreports.com/forum/remark,20324543</link>
<description><![CDATA[<A HREF="/useremail/u/195618"><b>rawwhide</b></A> : I use AutoRuns as well. AutoRuns, then boot with Bart PE is very effective at cleaning! Even rootkits do not stand a chance against PE.  ;) Now hardware rootkits are another story, not much you can do besides flash.<br><small>--<br>Tin-Foilers Union of America!!<br>Tin-Foilers Union Local 101...</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20324543</guid>
<pubDate>Sat, 12 Apr 2008 20:10:04 EDT</pubDate>
</item>

<item>
<title>Re: Using Process Explorer to remove hard to remove malware</title>
<link>http://www.dslreports.com/forum/remark,20323229</link>
<description><![CDATA[<A HREF="/useremail/u/693977"><b>bcastner</b></A> : Start first, not last, with the "Automated Tools".  You mentioned several of note, although SpySweeper Trial will not remove anything.  Many here have liked "SuperAntispyware", so I note that for userland issues of Vundo, and some Zlob.<br><br>In any case, this is just wrong in my opinion:<br>  <blockquote><small>quote:</small><hr>Half the time I don't care about looking up something, I don't have the time... I just dive right on it and start ripping things out of the startup routines, drivers, BHOs, services, etc. I try to get the machine that I'm working on back to a sterile environment in which at that point, I let loose the tools of automated removal.<br><hr></blockquote><br><br>There are so many things that are perfectly legitimate entries, that using HijackThis or MSCONFIG to "rip out" entries is a serious mistake.  If you had written instead:<br><br>  <blockquote><small>quote:</small><hr>I start with Add or Remove Programs, and remove any entry that is non-critical or unknown to me....<br><hr></blockquote><br><br>I might have had some sympathy.<br>Please do not use HijackThis or MSCONFIG as removal tools.  You can, with training, use them as an AutoStart entry editor, a kind of friendly REGEDIT.  But nothing more.<br><br>Finally, as this Forum and many others offer friendly, one-on-one, malware removal, please take advantage of this.  I can assure you that most of the folks who respond can do this better than you can.  I know this for a fact, as many can do it better than I can. <br><br>Bill Castner<br><small>--<br><b>============</b><br><b>MS-MVP 2004 - -2008, ASAP Member</b><br><b><i>Users Helping Users</i></b><br><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20323229</guid>
<pubDate>Sat, 12 Apr 2008 14:27:42 EDT</pubDate>
</item>

<item>
<title>Re: Using Process Explorer to remove hard to remove malware</title>
<link>http://www.dslreports.com/forum/remark,20323146</link>
<description><![CDATA[<A HREF="/useremail/u/1037783"><b>Woody79_00</b></A> : IMO I definitely think Process Explorer is a good tool for anyone to have in their malware fighting toolkit. That being said, don't bother memorizing everything, you're wasting your time. As it is impossible to memorize them all, sure, know all the essential Windows processes, services, etc. <br><br>The best tool I have found in my fight is a good Linux Live CD...especially against the likes of Vundo...the newer variants are not completely impossible to remove from inside of Windows, but even in safe mode it is more effort than it is worth.<br><br>This is why I use Process Explorer and other tools to "identify" the type of infection and what not. Then I use a Linux Live CD (of your flavor) and boot into it, then I mount that Windows partition and delete the files in question straight from outside of Windows. Once that occurs and I kill the .exe, .dll, and the service, then I boot into Windows and use a combo of Trend Micro's sysclean package with the latest definitions and Vundo fix and others to "clean up". I do all of this while the machine is "not" connected to the internet; once this is done, I reset the firewalls, update the security software, and ensure they are all working properly and properly patched and up to date, then it seems all is well.<br><br>In the end though, if it's a rootkit, even though I can remove it, there's no way of knowing what has been changed even if I could remove it; in that case, I simply back up important files, and nuke the drive and start over...<br><br>This is why I'm an advocate of a "known" clean backup...can't stress it enough...this is your number 1 fight against malware. Get Acronis True Image or some other backup tool, and create a clean image, that way if you even have a "hint" you may have some sort of malware, restore the known clean image.
<br><br>That is the best thing you can do. I just wonder how long it will be before malware authors find a way to stop people like me from using a Linux Live CD to mount the drive and delete their pesky files....]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20323146</guid>
<pubDate>Sat, 12 Apr 2008 14:09:17 EDT</pubDate>
</item>

<item>
<title>Re: Using Process Explorer to remove hard to remove malware</title>
<link>http://www.dslreports.com/forum/remark,20322929</link>
<description><![CDATA[<A HREF="/useremail/u/161242"><b>trparky</b></A> : I take a different approach to malware removal.  My thinking is that if I don't know what it is... out it goes.<br><br>Look at it this way... I know what the internal processes of Windows <b>should</b> look like.  I know what sub-processes should be running and what threads should be running as well.  I've practically memorized all the important system processes and their respective DLLs so much so that if I were to look at a readout from Process Explorer, I'd be able to tell you whether or not something is good or bad.<br><br>Half the time I don't care about looking up something, I don't have the time... I just dive right on it and start ripping things out of the startup routines, drivers, BHOs, services, etc.  I try to get the machine that I'm working on back to a sterile environment in which at that point, I let loose the tools of automated removal.<br><br>My favorite automated tools are AVG AntiSpyware, AdAware, Spyware Doctor, and SpySweeper.  Most of these tools are trialware apps so that you can install it and then when you are done you can then remove them.<br><small>--<br>Tom</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20322929</guid>
<pubDate>Sat, 12 Apr 2008 13:07:01 EDT</pubDate>
</item>

<item>
<title>Re: Using Process Explorer to remove hard to remove malware</title>
<link>http://www.dslreports.com/forum/remark,20322349</link>
<description><![CDATA[<A HREF="/useremail/u/693977"><b>bcastner</b></A> : For malware that hooks in the userland space, there are some excellent generalist tools to use to make the identification of these easier.<br><br>Let's take Virtumonde, as an example. It might hook through Notify keys, through LSA entries, through obscure autostart locations, but its identification is now fairly reliable -- not only by examining the userland space, but by MD5 hashes, naming conventions, and even still the date/time stamps. Run a renamed version of HijackThis (or use Deckard's System scan) to see the autostart locations.<br><br>The question should not be whether Process Monitor is a great tool; it is.  But it would not be the first thing I ran if I suspected Vundo or anything in userland.  MalwareBytes Anti-malware, VundoFix by s!Ri, and Combofix are all good choices.  As are some on-line scanners, such as the one offered by Kaspersky.<br><br>Mark Russinovich (author of Process Explorer/Monitor) has been my colleague at the last two TechEd sessions, and has given each time a lecture on using Process Monitor for malware identification; and I very much encourage you to watch the Video of one of his lectures if you have never seen him play Process Explorer/Monitor like a piano virtuoso:  <br>&raquo;<A HREF="http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359" >www.microsoft.com/emea/spotlight&middot;&middot;&middot;eoid=359</A><br><small>--<br><b>============</b><br><b>MS-MVP 2004 - -2008, ASAP Member</b><br><b><i>Users Helping Users</i></b><br><br></small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20322349</guid>
<pubDate>Sat, 12 Apr 2008 10:42:07 EDT</pubDate>
</item>

<item>
<title>Re: Using Process Explorer to remove hard to remove malware</title>
<link>http://www.dslreports.com/forum/remark,20321419</link>
<description><![CDATA[<A HREF="/useremail/u/698374"><b>Elite</b></A> : I'm not so sure about that, actually.<br><br>AV vendors make money. We're debugging malware. What are AV vendors doing?<br><small>--<br>QUAD!!!!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20321419</guid>
<pubDate>Sat, 12 Apr 2008 01:27:46 EDT</pubDate>
</item>

<item>
<title>Re: Using Process Explorer to remove hard to remove malware</title>
<link>http://www.dslreports.com/forum/remark,20321416</link>
<description><![CDATA[<A HREF="/useremail/u/921899"><b>NanDog</b></A> : Hmmm...I think Process Explorer is a great program but I'm not so sure it's the best way to defeat malware.  It's a great diagnostic and perhaps a good first step in determining what's going on with a possibly infected box but I think better tools exist.<br><br>Why?<br><br>Well, I follow both the Security and Security Cleanup forums pretty regularly.  Admittedly, I'm no expert but I can't recall any of our anti-malware gurus recommending Process Explorer as a primary tool to remove nasties.<br><br>Generally, more target-specific tools are used (e.g. Combofix, ATF Cleaner, et al).  <br><br>TheJoker, CajunTek, CJ and the other DSLR security helpers will know more about this than I.  I hope some of them can chime in and shed some light on this subject.<br><br>BTW SCU helpers, muchas gracias for all your work!!  :)<br><br>  <br><small>--<br>See ya across the Rainbow Bridge, my good and faithful friend!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20321416</guid>
<pubDate>Sat, 12 Apr 2008 01:26:24 EDT</pubDate>
</item>

<item>
<title>Re: Using Process Explorer to remove hard to remove malware</title>
<link>http://www.dslreports.com/forum/remark,20321403</link>
<description><![CDATA[<A HREF="/useremail/u/698374"><b>Elite</b></A> : Forgot the thread debugging and thread information. I'm not a pro at PE, but it might have the ability to kill threads.<br><small>--<br>QUAD!!!!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20321403</guid>
<pubDate>Sat, 12 Apr 2008 01:19:50 EDT</pubDate>
</item>

<item>
<title>Re: Using Process Explorer to remove hard to remove malware</title>
<link>http://www.dslreports.com/forum/remark,20321392</link>
<description><![CDATA[<A HREF="/useremail/u/698374"><b>Elite</b></A> : This can be done. Hand-removal involves hunting...<br><br>However, AutoRuns, another tool by SysInternals, is amazing at doing just this.<br><br>With PE, you can check for loaded modules. You can see EXEs (processes), DLL spawned processes, and DLLs or modules loaded in processes. You can check for "open handles" and close them. You can kill processes. You can find paths for any object.<br><br>On a side-note, in IceSword (Chinese ARK app), you can forcibly terminate loaded modules in Processes. This is rather interesting.<br><small>--<br>QUAD!!!!</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20321392</guid>
<pubDate>Sat, 12 Apr 2008 01:15:15 EDT</pubDate>
</item>

<item>
<title>Using Process Explorer to remove hard to remove malware</title>
<link>http://www.dslreports.com/forum/remark,20321143</link>
<description><![CDATA[<A HREF="/useremail/u/161242"><b>trparky</b></A> : I've been doing some investigation into removing hard to remove malware while inside Windows.  You know the kind, the kind that no matter how many times you've tried to remove entries using HijackThis! but still come back.<br><br>Well, this is because a lot of malware loads itself into the thread-space of many of the system-level processes such as WinLogon, Explorer, Service, and SvcHost.  One of the most famous malwares that do this is our bad friend, Virtumonde.<br><br>Now, how do you defeat these things that are lurking inside the depths of thread-space in these system-level processes?  Introducing SysInternal's Process Explorer.<br><br>This powerful utility is one of the strongest tools you have at your disposal.  You can dive right on in and kill internal threads that are running in the thread-space of many critical system-level processes that are stopping you from doing the good work that you need to do.<br><br>Got a process that you can't seem to keep killed?  You kill it but it keeps coming back?  You can suspend the process using Process Explorer so that you can proceed with the cleanup.  More often than not, these programs are being re-spawned because of other processes, usually lurking in the... you guessed it, the thread-space of system-level processes.<br><small>--<br>Tom</small>]]></description>
<guid isPermaLink="true">http://www.dslreports.com/forum/remark,20321143</guid>
<pubDate>Fri, 11 Apr 2008 23:42:43 EDT</pubDate>
</item>

</channel>
</rss>
