Some Strategies for Defeating Malware After the Fact
Posted by William Diaz on August 2, 2011
Here is a quick guide to some methods for defeating malware after you have been infected. I have used all of these myself (with the exception of the Desktops utility mentioned below) to successfully isolate and remove malware after it has found its way onto the computer.
- A second account with administrator access
- A lot of malware, Fake AV (scareware) in particular, is account specific: the program is downloaded into C:\Documents and Settings\username\… on an XP system or C:\Users\username\… on Windows Vista and 7, adds itself to the infected account's Startup folder, and/or creates a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run in the registry that points back to itself. Here is an example from an earlier post:
If you are unable to identify, stop and remove the .exe manually because it blocks the Task Manager, Windows Explorer, MsConfig or process utilities such as Process Explorer from launching, then logging into another account on the same computer that has administrator access may provide a workaround. Ideally that account exists before the infection, since the malware may also block the tools needed to create one. Once logged into the other account, go to the infected account's user folder and start looking for suspicious .exe files; set Explorer to show hidden files and file extensions first, because both are hidden by default and malware relies on that. For the most part, legitimate applications do not install executables into the user's folders, although the Vista/7 Downloads folder can contain any number of self-installing programs you have downloaded. I often find Fake AV and other less sophisticated malware in the username\Application Data folder on XP systems and in the username\AppData folder (Local or Roaming) on Vista and 7. This is also a good chance to update your anti-virus to the latest threat definitions and perform a scan. However, if the malware is new there may not yet be a signature for it, and it will still go undetected.
Afterwards, assuming you have found and deleted the malicious or annoying program, log back into the infected account. Finish by cleaning up any suspicious or orphaned entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run (an orphaned entry points at a file that no longer exists). It is also a good idea to search the registry manually for any reference to the files you identified and deleted earlier. A quick way to see everything that loads, or attempts to load, in Windows is Autoruns from SysInternals; with Verify Code Signatures turned on and Hide Signed Microsoft Entries checked, the unsigned leftovers stand out.
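The following is an added example and not code from the original post: a PowerShell script to run from the second administrator account that sweeps the infected user's profile for executables and shows, for each one, whether it is hidden, whether it carries a valid Authenticode signature, and its SHA1 hash. The profile path is an assumption; change it to the infected account's folder.

```powershell
# Added example, not from the original post: triage executables inside another user's
# profile from a second administrator account. $ProfileRoot is an assumption; point it
# at the infected account's folder (C:\Documents and Settings\<user> on XP,
# C:\Users\<user> on Vista/7). Runs on PowerShell 2.0 and later.
param([string]$ProfileRoot = 'C:\Users\infecteduser')

function Get-Sha1([string]$Path) {
    # Hash so the file can be looked up elsewhere or compared across machines
    $sha = [Security.Cryptography.SHA1]::Create()
    $fs  = [IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Self-installing downloads are expected in Downloads; everything else is suspect
$downloads = Join-Path $ProfileRoot 'Downloads'

# -Force: hidden items are skipped by default, and AppData / Application Data are
# hidden folders. Access-denied errors come from the compatibility junctions that
# Vista/7 place in every profile and are safe to ignore.
Get-ChildItem -Path $ProfileRoot -Recurse -Force -ErrorAction SilentlyContinue -Include *.exe, *.dll, *.scr |
  Where-Object { $_.FullName -notlike "$downloads\*" } |
  ForEach-Object {
      $sig = Get-AuthenticodeSignature -FilePath $_.FullName
      New-Object PSObject -Property @{
          Modified  = $_.LastWriteTime
          Signature = $sig.Status            # NotSigned is typical of scareware
          Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
          Hidden    = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
          SizeKB    = [int]($_.Length / 1KB)
          SHA1      = Get-Sha1 $_.FullName
          Path      = $_.FullName
      }
  } |
  Sort-Object Modified -Descending |
  Format-Table Modified, Signature, Hidden, SizeKB, SHA1, Path -AutoSize
```

Newest files come first, which is where a fresh infection usually sits; an unsigned, hidden executable written in the last few days under AppData is the thing to look at, and its SHA1 is what you search for in the registry afterwards.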
- A second computer on the network
- You can perform the same file tasks described above by browsing to the infected system's administrative share over UNC, e.g. \\ComputerNameOrIP\c$. For non-domain computers you need the name and password of a local administrator account on the target; on Vista and 7, UAC's remote restrictions additionally mean that only the built-in Administrator account (or a local administrator with LocalAccountTokenFilterPolicy set to 1) receives full administrative rights over the network. You can also connect to the infected computer's registry remotely (File > Connect Network Registry in Regedit; the Remote Registry service must be running on the target) and clean it up manually. Note that you will not have access to HKCU of the remote computer; the loaded user hives are found under HKEY_USERS [1] and are named by security identifier (SID) rather than account name.
If there is more than one SID, identify the account by opening HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList on the remote computer, selecting the subkey whose name matches the SID under HKEY_USERS, and reading its ProfileImagePath string, which holds the profile folder (e.g. C:\Users\username). Only normal accounts appear here; S-1-5-18, S-1-5-19 and S-1-5-20 are the SYSTEM, LOCAL SERVICE and NETWORK SERVICE hives and are always present:
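The SID-to-profile lookup above, done from the second computer in PowerShell, as an added example that is not part of the original post. The computer name is an assumption; the Remote Registry service must be running on the target, you need administrator credentials there, and the infected account must be logged on, since only loaded hives appear under HKEY_USERS.

```powershell
# Added example, not from the original post: from a second computer, map every hive
# loaded under HKEY_USERS on the infected machine to its profile folder via
# ProfileList, then list that account's Run values. $Computer is an assumption.
param([string]$Computer = 'INFECTED-PC')

$hku      = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $Computer)
$hklm     = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
$profiles = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList')

$report = foreach ($sid in $hku.GetSubKeyNames()) {
    # Vista/7 also load a <SID>_Classes hive per user; it holds HKCR data, not a profile
    if ($sid -like '*_Classes') { continue }

    $profileKey = $profiles.OpenSubKey($sid)
    $profile    = if ($profileKey) { $profileKey.GetValue('ProfileImagePath') } else { '(no profile: well-known SID)' }

    $run    = $hku.OpenSubKey("$sid\Software\Microsoft\Windows\CurrentVersion\Run")
    $values = if ($run) { $run.GetValueNames() } else { @() }
    if ($values.Count -eq 0) {
        New-Object PSObject -Property @{ SID = $sid; Profile = $profile; RunValue = ''; Command = '' }
    }
    foreach ($name in $values) {
        $cmd = [string]$run.GetValue($name)
        # Anything launched from a profile or temp directory deserves a close look
        $flag = if ($cmd -match 'Documents and Settings|\\Users\\|\\Temp\\|AppData') { '<-- check' } else { '' }
        New-Object PSObject -Property @{ SID = $sid; Profile = $profile; RunValue = $name; Command = "$cmd $flag" }
    }
}

$report | Format-Table SID, Profile, RunValue, Command -AutoSize -Wrap
```

To remove a value once you are sure, reopen the key writable and delete it: $hku.OpenSubKey("$sid\Software\Microsoft\Windows\CurrentVersion\Run", $true).DeleteValue('NameOfValue'). The same OpenSubKey calls against $hklm cover the machine-wide Run key, which is not account specific but is the other place scareware likes to live.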
- Remotely suspend or kill the malicious process
- If you have another computer on the network, use the built-in taskkill from a command shell, e.g. taskkill /S ComputerNameOrIP /U Administrator /P password /F /PID 1234, or PsList in conjunction with PsKill from SysInternals. Some malware installs watchdogs: companion processes that monitor their friends and restart them when they are ended. In these cases you need to suspend the malicious process first, locate the watchdog (usually its parent, or a sibling started from the same folder; pslist -t shows the process tree) and suspend it too. Use PsSuspend to do this. Afterwards kill them, then launch whatever utilities you need on the infected computer and clean up. If all this command-line jargon becomes overwhelming, try this GUI front end for all the SysInternals PsTools: http://www.davitools.com/fepstools/fepstools.aspx. It was developed by a co-worker.
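The suspend-then-kill sequence above, automated from the second computer, as an added example that is not part of the original post. It uses WMI to enumerate the remote processes and the process tree, picks out everything running from a profile or temp directory together with its parent and children (the watchdog is usually one of those), freezes all of them with PsSuspend and only then kills them with PsKill. The computer name and credentials are assumptions, and PsSuspend.exe and PsKill.exe must be in the PATH on the machine you run this from.

```powershell
# Added example, not from the original post: remote watchdog-aware process cleanup.
# $Computer and $Cred are assumptions; the PsTools binaries must be on the PATH.
param(
    [string]$Computer = 'INFECTED-PC',
    [System.Management.Automation.PSCredential]$Cred = (Get-Credential)
)

$procs = Get-WmiObject -Class Win32_Process -ComputerName $Computer -Credential $Cred

# Candidates: anything executing out of a profile or temp directory (heuristic)
$suspects = $procs | Where-Object {
    $_.ExecutablePath -and
    $_.ExecutablePath -match 'Documents and Settings|\\Users\\|\\Temp\\|AppData'
}

# Index by PID, then pull in each suspect's parent and children. Parents under
# \Windows\ (explorer.exe, svchost.exe) are skipped so we do not freeze the shell.
$byId = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

$targets = @{}
foreach ($s in $suspects) {
    $targets[[int]$s.ProcessId] = $s
    $parent = $byId[[int]$s.ParentProcessId]
    if ($parent -and $parent.ExecutablePath -notmatch '\\Windows\\') {
        $targets[[int]$parent.ProcessId] = $parent
    }
    foreach ($c in $procs) {
        if ([int]$c.ParentProcessId -eq [int]$s.ProcessId) { $targets[[int]$c.ProcessId] = $c }
    }
}

# Review what is about to be touched before anything happens
$targets.Values | Format-Table ProcessId, ParentProcessId, Name, ExecutablePath -AutoSize

$user = $Cred.UserName
$pass = $Cred.GetNetworkCredential().Password

# Phase 1: freeze every target so no watchdog sees its partner die
foreach ($id in $targets.Keys) { & pssuspend.exe "\\$Computer" -u $user -p $pass $id }

# Phase 2: a suspended watchdog cannot respawn anything, so now kill them all
foreach ($id in $targets.Keys) { & pskill.exe "\\$Computer" -u $user -p $pass $id }
```

The two loops are deliberately separate: suspending and killing in one pass gives a still-running watchdog a window to restart the first victim. If PsKill is unavailable, each WMI object's Terminate() method does the same job for the second phase, but WMI has no way to suspend, so PsSuspend is still needed for the first.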
- Place your troubleshooting utilities into Startup
- If you can still access Windows Explorer or any other file management utility, copy Autoruns, Process Explorer, a shortcut to the Task Manager, a shortcut to cmd.exe, or whatever else you want into the Startup folder. If you are lucky, these applications will start before the malware loads and it will not get the chance to block them. The Startup folder is located at C:\Documents and Settings\username\Start Menu\Programs\Startup on XP and C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows 7.
- Desktops from SysInternals
- You can read about how this utility was used to defeat some malware on the Mark Russinovich blog here: http://blogs.technet.com/b/markrussinovich/archive/2011/03/08/3392087.aspx. In short, a second virtual desktop was started on the infected system; the malware, which only watched the original desktop, ignored it, and from within the new desktop the user was able to open Process Explorer and Process Monitor normally.
- Look for suspicious Scheduled Tasks.
- Some malware creates scheduled tasks (.job files on XP, XML task definitions on Vista and 7) that perform specific actions periodically, such as going out to the Internet to re-download files you or your AV deleted earlier, or to retrieve newer variants of themselves for which signatures may not yet exist. I once encountered malware that created hidden scheduled tasks that I could not detect even when View Hidden Tasks was checked. I had to use Autoruns to reveal their presence:
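One way to find such tasks without relying on what the Task Scheduler console is willing to show, as an added example that is not part of the original post: read the task definitions directly from disk. Vista and 7 store one XML file per task under Windows\System32\Tasks, so a task that is hidden from, or missing in, the console is still visible as a file. The drive root is an assumption; it can be C: on the live system or the drive letter of an infected disk mounted in an external enclosure. XP's Windows\Tasks\*.job files are binary and are better handled by strings or Autoruns.

```powershell
# Added example, not from the original post: enumerate Scheduled Tasks from disk and,
# on a live system, compare with what schtasks reports. $Root is an assumption.
param([string]$Root = 'C:')

$taskDir = "$Root\Windows\System32\Tasks"
$nsUri   = 'http://schemas.microsoft.com/windows/2004/02/mit/task'   # namespace of task XML

$files  = Get-ChildItem $taskDir -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { -not $_.PSIsContainer }
$onDisk = foreach ($f in $files) {
    try { [xml]$t = Get-Content -Path $f.FullName -ErrorAction Stop } catch { continue }   # not XML: skip
    $ns = New-Object Xml.XmlNamespaceManager $t.NameTable
    $ns.AddNamespace('t', $nsUri)
    $hidden = $t.SelectSingleNode('//t:Settings/t:Hidden', $ns)
    # One task can carry several Exec actions; report each command line
    foreach ($exec in $t.SelectNodes('//t:Actions/t:Exec', $ns)) {
        $argNode = $exec.SelectSingleNode('t:Arguments', $ns)
        New-Object PSObject -Property @{
            Task    = $f.FullName.Substring($taskDir.Length)      # "\Folder\Name", the form schtasks uses
            Hidden  = if ($hidden) { $hidden.InnerText } else { 'false' }
            Command = $exec.SelectSingleNode('t:Command', $ns).InnerText
            Args    = if ($argNode) { $argNode.InnerText } else { '' }
        }
    }
}

$onDisk | Format-Table Task, Hidden, Command, Args -AutoSize -Wrap

# On the live system, anything on disk that schtasks does not list is exactly the kind
# of task the console would not show either
if ($Root -eq 'C:') {
    $reported = schtasks /query /fo csv /v | ConvertFrom-Csv | ForEach-Object { $_.TaskName }
    $onDisk | Where-Object { $reported -notcontains $_.Task } |
        ForEach-Object { Write-Warning "On disk but not reported by schtasks: $($_.Task)" }
}
```

Look first at tasks whose Command points into a profile or temp folder, at tasks with Hidden set to true, and at anything the warning lists; a legitimate Microsoft task lives under \Microsoft\Windows\ and runs a binary from \Windows\System32.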
- Remove and scan the infected drive
- Remove the infected drive from the system case, put it into an external hard-drive enclosure, attach it to another computer and scan it there; since the malware is not running, it cannot hide from the scanner or fight back. Disable AutoPlay on the second computer before attaching the drive. You can also browse the user folders and manually remove suspicious .exe files. You can even load the NTUSER.DAT hive that resides in the user's profile into the running registry of the second computer (File > Load Hive in Regedit, or reg load from a command prompt), go to the startup locations inside it, delete any offending keys or values, and unload it again.
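The offline NTUSER.DAT cleanup above, scripted, as an added example that is not part of the original post. It mounts the hive under HKEY_USERS with reg.exe, lists the per-user autostart locations inside it, deletes the Run values you name, and unloads the hive again. The hive path, the mount point and the value names are assumptions; run it from an elevated prompt, and the hive must not be in use (the owner logged off, or the disk attached from another machine).

```powershell
# Added example, not from the original post: inspect and clean an offline user hive.
# $HivePath, $Remove and $MountPoint are assumptions. reg.exe is used because
# PowerShell has no cmdlet for loading hives.
param(
    [string]$HivePath   = 'E:\Users\infecteduser\NTUSER.DAT',
    [string[]]$Remove   = @(),           # Run value names to delete, e.g. 'SecurityShield'
    [string]$MountPoint = 'HKU\Offline'
)

& reg.exe load $MountPoint $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed: hive in use, wrong path, or not elevated?' }

try {
    $base = "Registry::HKEY_USERS\$($MountPoint.Split('\')[1])"
    # Per-user autostart points; User Shell Folders\Startup says where the Startup
    # folder actually is, so a redirected one shows up here too
    $autostart = @(
        'Software\Microsoft\Windows\CurrentVersion\Run',
        'Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
        'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    )
    foreach ($sub in $autostart) {
        $key = "$base\$sub"
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # PSPath, PSParentPath, ... are provider noise, not values
            "{0}\{1} = {2}" -f $sub, $p.Name, $p.Value
            if ($sub -like '*\Run' -and $Remove -contains $p.Name) {
                Remove-ItemProperty -Path $key -Name $p.Name
                "    removed $($p.Name)"
            }
        }
    }
}
finally {
    # Drop the provider's handles first, or reg unload reports access denied
    [GC]::Collect()
    & reg.exe unload $MountPoint | Out-Null
}
```

Run it once with no -Remove to see what is there, then again with the value names to delete. The same keys under the live HKCU are what you clean after logging back into the infected account, so the list doubles as a checklist for that case.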
- Watch and study the malware
- When all else fails and reformatting the drive and reinstalling Windows just seems too much of a burden, run Process Monitor, collect a log of all system activity, and study it. Look for signs of where the malware starts from and how it works: filter on the suspect process name, note which files and registry keys it writes and which other processes it spawns, and use Options > Enable Boot Logging to capture what runs before you are even able to log in.
[1] HKEY_USERS contains the hives of all currently loaded user profiles on the computer; HKCU is simply a view of the current user's entry in it.