VIRUS REMEDIATION TRAINING

Copyright © 2015 by The Virus Doctor™. All rights reserved
Table of Contents

SESSION 1: INTRODUCTION
  Slides from PowerPoint presentation (p. 1)
UNDERSTANDING THE WINDOWS REGISTRY (p. 9)
  History and evolution of the Registry (p. 11)
  The role of the Registry in today’s Operating Systems (p. 11)
  Internal structure of the Registry (p. 12)
  Hives and files (p. 12)
  Editing the Registry, using Regedit and Regedt32 (p. 13)
  HKEYs, Keys, and Subkeys (p. 15)
  Using Regedit in Windows XP and subsequent versions (p. 16)
  The Menu Bar in Regedit (p. 17)
  The File Menu (p. 17)
  How to safely make changes to the Registry (p. 17)
  The Edit Menu (p. 19)
  How to effectively use the Find command in Regedit (p. 21)
  How to add Keys and Values to the Registry (p. 22)
  Data Types used in the Registry (p. 23)
  Back to the Menu Bar (p. 26)
  The View Menu (p. 26)
  The Favorites Menu (p. 26)
  The purpose and function of Control Sets in the Registry (p. 27)
  Working with Users in the Registry (p. 29)
  Registry backup and recovery techniques (p. 29)
  Dealing with missing or corrupted Hives (p. 30)
  Recovering from the Blue Screen of Death (BSOD) (p. 31)
  Emergency recovery of the Registry if you don’t have a backup (p. 33)
  “Bulletproofing” the Registry to keep it safe (p. 33)
  The role of Group Policies in the Registry (p. 33)
  How and when to use Permissions to protect the Registry (p. 37)
  Windows Services, svchost.exe, and the Registry (p. 37)
  Working with Msconfig and other Registry utility programs (p. 37)
  Remote Registry Editing and how it works (p. 40)
SESSION 3: VIRUS REPAIR METHODOLOGY (p. 43)
  Methodology for Malware Remediation – Overview (p. 45)
  How to find and identify active malicious processes (p. 46)
  Most-likely malware today (p. 46)
  How to terminate rogue software (p. 47)
  How to find traditional viruses, worms, and Trojan horses (p. 49)
  Tracking down traditional malware (p. 54)
  How to terminate the malicious processes (p. 58)
  How to determine the activation method (p. 59)
  How and where malware is loaded (p. 59)
  Understanding the Run Keys – what’s normal, what’s not (p. 60)
  Other “hiding places” where malware may be loaded (p. 63)
  Another useful tool to reveal “hiding places” in the Registry (p. 69)
  Dealing with Rootkits (p. 70)
  Running an automated Scan to remove all traces of malware (p. 72)
  Exceptional Situations (p. 73)
  Browser Hijackers (p. 73)
  Recommended software tools that may help (p. 75)
  Dealing with difficult situations caused by malware (p. 76):
     Your anti-virus program has been disabled and can’t be reinstalled (p. 76)
     You can’t access any anti-virus vendor’s web site (p. 76)
     You can’t connect to the Internet at all (p. 76)
     You can’t run Task Manager (p. 77)
     You can’t run Regedit (p. 77)
     You don’t have a Run command on your Start Button (p. 77)
     You can’t access a Command Prompt (p. 78)
     You can’t see Display Properties (p. 78)
     You can’t run specific programs, especially MalwareBytes and similar anti-malware programs (p. 78)
     You can’t run any .exe file (p. 79)
  Extreme Situations (p. 79)
  Re-Imaging as an Option (p. 81)
  Appendix B -- Point solutions for specific infections (p. 85)
  Appendix C -- Processes found in Task Manager (p. 113)
  Appendix D -- Registry Differences by Operating System (p. 115)
SESSION 4: THE VIRUS REPAIR TOOLKIT and LAB SESSION (p. 117)
SESSION 1: INTRODUCTION

UNDERSTANDING THE WINDOWS REGISTRY
History and evolution of the Registry
The Registry as we know it today first took on its current form in Windows NT 3.51.
Windows 95 used a similar design, but a completely different internal structure, which
was continued into Windows 98 and Windows ME.
Windows NT 4.0 enhanced the architecture of the earlier NT design but retained the
same general design. This structure remains essentially unchanged through the
subsequent NT-based Operating Systems, which include Windows 2000, Windows XP,
Vista, Windows 7, Windows 8, and Windows Server 2003, 2008, and 2012.
The role of the Registry in today’s Operating Systems
The Registry serves as a central repository of everything that is known about the
Windows environment on that computer. It contains these general categories of
information:
 All the details of the hardware installed, including features, settings, options,
drivers, and resource usage
 All software installed, including default settings, file locations, etc.
 All users defined, including privilege levels, programs available, desktops,
preferences, settings, etc.
 All components of the Operating System, services, settings, configuration, user
interface, startup options, etc.
 Much, much more!
The Registry has been described as “the Subconscious of Windows.” As a general
statement, any time a Windows Operating System will not start correctly, the underlying
cause can be traced to a problem with the Registry.
Other than infection by malware, a problem with the Registry is almost always caused by
one of the following events:
 Hardware installation or removal didn’t complete properly
 Software installation or removal didn’t complete properly
 A manual Registry edit wasn’t done properly
Considering the high stakes involved, it is recommended that you back up the Registry
before taking any of these actions. Detailed procedures for Registry backup and restore
options are presented later in this document.
While Microsoft doesn’t provide a lot of public information about the Registry, there is
an article in their KnowledgeBase at http://support.microsoft.com that gives a good
overview. The article is as follows:
 256986 – Windows Registry information for advanced users
Internal structure of the Registry
The internal structure of the Registry falls into one of two categories. Windows
95/98/ME used a simple structure of two files + a Virtual Registry; all of the NT-based
Operating Systems organize the Registry into a much more complex and secure
structure composed of multiple Hives.
While the internal structure of the Registry is completely different between the two
major branches of the Windows Operating Systems, the external representation is
virtually identical among all versions of Windows. In most cases we are dealing with the
external view of the Registry and need not be concerned about its actual internal
structure.
Hives and files
The Registry in the Windows 9X Operating Systems is made up primarily of two files:
 System.dat
 User.dat
The System.dat file is by far the larger of the two. It contains everything that is known
about the hardware, software, services, applications, and anything else about the
Windows environment. This file is typically in the range of 1.5 to 4 MB in size.
The User.dat file is much smaller than System.dat, but contains essential information as
well. The contents of this file are all the user-specific settings, including privilege levels,
programs available, desktops, preferences, settings, etc.
Since the Windows 9X Operating Systems are rarely used these days, this document will
not go into any further detail on this aspect of its internal Registry structure.
All of the Windows NT-based Operating Systems organize the Registry into a set of
Hives; each Hive is composed of multiple files. This is a much more complex internal
structure than that used in the 9X Operating Systems, but it also provides for much
greater security, granularity, and increased recovery options in case of Registry
corruption.
Hives “look like” folders, in Windows Explorer. In turn, the files contained in each Hive
look like any other files on the hard drive. The exact number of Hives will vary from one
version of Windows to another, and there are also some differences in the Hive
structure between factory-installed (OEM) versions of Windows vs. retail installations or
upgrades.
In a typical Windows XP installation, the following Hives will be included:
 C:\Windows\System32\Config\System
 C:\Windows\System32\Config\Software
 C:\Windows\System32\Config\Sam
 C:\Windows\System32\Config\Security
 C:\Windows\System32\Config\Default
A detailed description of the Hives and their locations in the various Operating Systems
can be found in the previously-referenced article in the Microsoft KnowledgeBase:
 256986 – Windows registry information for advanced users
Editing the Registry, using Regedit and Regedt32
Any time you need to examine the contents of the Registry or change any of the Keys or
Subkeys, the program you will normally use is Regedit.exe if the system in question is
running Windows 95/98/ME, XP, Vista, Windows 7, Windows 8, Windows Server 2003,
2008, or 2012, or later versions of the Operating System.
If you are dealing with a system running Windows NT 4.0 or Windows 2000, there is an
additional Registry Editor named Regedt32.exe. It is critical to know when to use which
Registry Editor in either of those Operating Systems.
Regedit contains a more modern, more powerful Find capability than the older
Regedt32. But it may not correctly handle the extended Data Types in Windows NT or
Windows 2000. With that potential problem in mind, you should not use Regedit.exe to
make changes to the Registry in either of these older Operating Systems; the older,
“clunkier” Regedt32 will safely modify any Data Type.
You may safely use Regedit.exe to Find information in the Registry of a Windows NT 4.0
or 2000 system, but if you need to Modify an entry, exit Regedit and open Regedt32 to
make the changes.
There have actually been three different versions of Regedit.exe, according to the
Operating System in use:
 Windows 95/98/ME
 Windows NT 4.0 or Windows 2000
 Windows XP, Vista, Windows 7, Windows 8, Server 2003, 2008, or 2012
Another difference, other than the visual appearance of the program, is the handling of
Permissions. The Windows 9X versions of Regedit did not allow any setting of
Permissions; in Windows NT and 2000, Permissions were set in Regedt32 only.
Regedit.exe in Windows XP and later versions includes Permissions.
A significant change to Regedit came into play with the 64-bit versions of Windows. The
Registry in these versions is divided into 32-bit and 64-bit keys. Many of the 32-bit keys
have the same names as their 64-bit counterparts, and vice versa. By default the 64-bit
version of Regedit displays the 64-bit keys.
You can display the 32-bit keys in either of two ways:
 In the 64-bit Regedit, navigate to HKLM\Software\WOW6432Node\, followed by
the desired 32-bit key
 From a Run command or the Open box, type %systemroot%\syswow64\regedit,
and then click OK; this command will open the 32-bit version of Regedit.
You can find additional information about the 32-bit and 64-bit keys and Regedit in the
following article in the Microsoft KnowledgeBase:
 305097 – How to view the system Registry by using 64-bit versions of Windows
One final note on the subject: you may still run Regedt32.exe on a Windows XP or later
system, but in spite of appearances, this is now simply a shortcut to Regedit.exe. Note
also that the correct spelling of Regedt32.exe does not include the letter “i.” Back in the
days when this program was developed, file names were limited to a maximum of 8
characters plus a 3-character extension, or file type. This nomenclature was referred to as
“8.3 file names,” which you will still see referenced occasionally in today’s Registry.
HKEYs, Keys, and Subkeys
Regardless of the Operating System in use, the external view of the Registry, as seen
through Regedit or Regedt32, appears mostly identical among all versions. These
Registry editors organize the structure into a series of top-level Keys, as follows:
 HKEY_CLASSES_ROOT, abbreviated as HKCR
 HKEY_CURRENT_USER, abbreviated as HKCU
 HKEY_LOCAL_MACHINE, abbreviated as HKLM
 HKEY_USERS, abbreviated as HKU
 HKEY_CURRENT_CONFIG, abbreviated as HKCC
Regedit on a Windows 9X machine will show a sixth top-level HKEY, as follows:
 HKEY_DYN_DATA, abbreviated as HKDD
This key is a pointer to the Virtual Registry, which only exists in the 9X Operating
Systems. The presence of six top-level Keys is the only obvious indication in Regedit that
the Registry being edited is from a Windows 9X machine, rather than an NT-based OS.
The top-level Keys are sometimes referred to as Root Keys, or as Handles. Some authors
give the origin of the term HKEY as Handle Keys; according to the Microsoft TechNet
service, the prefix HKEY is their shorthand way of writing “Hierarchy.” In other words,
the HKEYs represent the hierarchy of entries in the Registry.
Each Key, or HKEY, is further subdivided into multiple Subkeys, which may be further
broken down into additional Subkeys. Some of the Subkeys you will be working with in
the Registry may be 5 layers deep, or possibly even deeper.
Note that the HKEYs do not map directly to the Hives referenced earlier. The only direct
correlations between HKEYs and Hives are HKLM to the Hardware Hive and HKU to the
User Hive; HKCR and HKCC are pointers into HKLM, and HKCU is a pointer into HKU.
Using Regedit in Windows XP and subsequent versions
As an entry point to a discussion of the Registry, open Regedit and click on the + sign
next to the following Keys in the left-hand pane:
 HKEY_LOCAL_MACHINE
 SOFTWARE
 Microsoft
 Windows NT
Then click on the Subkey CurrentVersion. Your results should look similar to this:
By double-clicking on the field “RegisteredOrganization” in the right-hand pane, you can
change the name of your organization or company. If this step was missed in the initial
setup of Windows on this computer, or if the Organization’s name has changed since
then, this is the direct way of correcting that value.
Similarly, if the person using this computer is no longer the one whose name appears in
the “RegisteredOwner” field, you can change it as well. Both of these fields are optional
as far as Windows is concerned, so even blank values are perfectly acceptable.
When new hardware or software is installed, these are the Values that will be used by
default to populate the corresponding entries in the new section of the Registry related
to that new hardware or software.
On the other hand, changing these Values does not cause any other corresponding
values to be changed in other Subkeys of the Registry. In the discussion of the Find
command, later in this document, we will offer a technique to semi-automate the
process of changing every occurrence of the Value of one RegisteredOrganization or
RegisteredOwner to another when this situation arises.
The Menu Bar in Regedit
The File Menu
Like most Windows programs, Regedit in Windows XP and later versions of Windows
begins with the File menu. The older versions of Regedit named the first entry Registry
instead of File, but the modern versions use the standard naming convention.
The first two entries in the File menu are Import… and Export… These serve a very
useful purpose as a simple backup method before making changes to the Registry.
How to safely make changes to the Registry
The first step in safely changing any entry in the Registry is to create a backup of that
Key or Subkey. Here is the step-by-step procedure you may want to follow:
 Navigate to the desired Subkey
 From the File menu, choose Export…
 Change the “Save in:” to Desktop (from the drop-down menu)
 Enter a meaningful name for “File name:”
 Click “Save”
 Minimize Regedit and verify that a new icon appears on the Desktop with the File
name you specified
This exported Registry file will have an extension of .reg. It is a plain text file, and it can
be opened in Notepad. Here is a typical .reg file:
Note that the first line of any .reg file contains the identifier “Windows Registry Editor
Version 5.00” (or, in the older format, simply the literal “REGEDIT4”), and it is followed
by a blank line. Regedit uses these two lines to verify that the file is actually an
exported Registry file when you attempt to import it.
Then you are ready to Modify the selected Subkey, knowing that you can restore the
original value if necessary. Continue as follows:
 Make the desired change to the selected Subkey
 Test the change to determine whether it produced the desired results
 If not, double-click on the desktop icon to import the previous value
 Repeat as necessary
Any time you are making changes to the Registry, you want to be sure you can Undo any
changes in case of a problem. Regedit itself provides very little protection against
operator error, so it is your responsibility to create a fallback position.
The next two entries in the File menu are Load Hive… and Unload Hive… These will be
inactive options (grayed out) unless you have previously selected
HKEY_LOCAL_MACHINE or HKEY_USERS.
One purpose of these options is to replace a missing or corrupted Hive with a known-good
version from another source. If you regularly make backup copies of your Hives, this
could be a useful option; in most cases you are not likely to have such backups.
Another use of this option is to examine the hives on the hard drive of another
(presumably infected) computer. With HKLM or HKU selected in Regedit, choose Load
Hive and point to the desired hive. You will be asked to assign a name to this external
hive; once it is loaded, you may examine it in the same way you would look into the
local Registry.
The next pair of entries in the File menu are Connect Network Registry… and Disconnect
Network Registry… These options give you the ability to see, or even change, the
Registry on another computer connected to your network. This approach is described in
more detail in this document in the section “Remote Registry Editing and how it works.”
Next is the Print… menu, which is found on the File menu of most applications. While
this serves a useful purpose, use it with care! Even when you are many layers deep in
the Registry, Printing that Subkey could produce an enormous volume of paper.
The Edit Menu
The next entry on the Menu Bar is Edit, again following the standard used by most
Windows applications. But while this Edit menu is similar to that found in many
applications, there are some important differences as well.
The Edit menu is context-sensitive, meaning that the options it offers will vary
depending upon your current location in Regedit. Different selections will appear when
you are on the left-hand side of the bar vs. the right-hand side. And to a limited extent,
the options even change depending on the Key or Subkey selected.
When a Name is selected in the right-hand pane of Regedit, the first entry in the Edit
menu is Modify, followed by Modify Binary Data. Double-clicking on the Name field is
the same as choosing Modify from this Edit menu selection. The steps involved in
modifying Registry data were covered earlier in this document in the section “How to
safely make changes to the Registry.”
When a Key or Subkey is selected in the left-hand pane of Regedit, the first entry in the
Edit menu is the option to create New Keys, Subkeys, or Values. This is most commonly
used by vendors of hardware or software to add a section to the Registry to support
their products. The average user, or even the average technical-support person,
normally will not be creating new entries in the Registry.
Unlike many programs, Windows doesn’t necessarily try to make sense of every entry in
the Registry. Windows looks for certain key values but ignores any entries for which it
does not have a specific need. So, you may create any New entries you like, but it’s not
a good idea to clutter the Registry with extraneous data.
The procedure for creating New Keys, Subkeys, or Values will be covered later in this
section, along with some explanation of when you may need to do that.
The next entry in the Edit menu is Permissions… This gives you the ability to specify who
has what type of access to a given Key or Subkey in the Registry. Removing permissions
from certain Keys is one way to protect the Registry against unwanted changes.
The next two entries in the Edit menu are Delete and Rename. Deleting any Registry
entry always carries some degree of risk, so you want to be judicious with this option. A
safer approach is to Rename the entry and verify that the change produces the desired
results. Then you may go back and Delete it if you choose.
As a safety feature, you will note that Delete and Rename are unavailable when one of
the top-level HKEYs is selected. These options only apply to Subkeys below the HKEYs.
One thing you will not find on the Edit menu in Regedit is the traditional set of options
for Cut, Copy, and Paste. The closest entry to that is Copy Key Name, which is rarely of
any value. The structure of the Registry does not allow for moving a branch from one
place to another.
On the other hand, if there is a specific string of text or some other value that you need
to copy or move to another location in the Registry, that can be accomplished by use of
the Ctrl-key combinations that work with most Windows applications.
In that case, you simply select the string you want and use Ctrl-C to Copy or Ctrl-X to
Cut; then go to the new location and use Ctrl-V to Paste, and you have saved yourself
some re-typing.
Another familiar entry on the Edit menu that is not present in Regedit is Undo. Even
using Ctrl-Z will not undo a change in Regedit. This omission is one more reminder of
the importance of creating your own backup before making changes to the Registry.
The final pair of entries on the Edit menu are Find… and Find Next. The following
section details effective use of these options.
How to effectively use the Find command in Regedit
There may be times you know something must be contained in the Registry, but you
have no idea where it is, or what it is called. This is the time to use the Find command
from the Edit menu of Regedit.
There are several techniques you can use to more effectively achieve the results you
want from your Find:
 If you know generally which Key contains the desired value, click on that Key first.
 If the object of your Search will be found in the Data field, deselecting the options
to search in Keys and Values will make the Search go faster.
 Qualify your search term as much as possible; for example, instead of a generic
device name, look in Device Manager to see the specific product name and
search on it.
 Be prepared to use F3 (Find Next) frequently, as many Values are duplicated in
multiple Keys and Subkeys.
 In most cases you can ignore entries that occur in Subkeys that contain the
initials “MRU.” This stands for Most Recently Used, and most of these entries will
be showing the most recent Find results, or something similar that is unlikely to
be relevant to the problem at hand.
 Always wait for the Find command to end normally, saying “Finished searching
through the Registry.” This may take a few minutes, and it may appear that
nothing is happening during the Find process; there is no progress bar and little
hard drive activity, although the CPU Usage will remain near 100% during the
Find process.
If you ever have the need to replace multiple entries with the same new Value, here is a
technique you can use to semi-automate the process:
 Navigate to the first occurrence of the Value to be changed
 Double-click on that Name, which will open the Edit String with the Value
selected
 Change the Value to the desired new data, then click OK
 Double-click that Name again, to open the Edit String
 Use Ctrl-C to Copy that value to the Windows Clipboard
 Use the Find command to find the next occurrence of the old Value
 Double-click on that Name, to open the Edit String
 Use Ctrl-V to Paste the Clipboard contents into this Value, then click OK
 Use F3 to Find the Next occurrence of the old Value
 Double-click on that Name, to open the Edit String
 Use Ctrl-V to Paste the Clipboard contents into this Value, then click OK
 Repeat until all desired Values have been updated
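The same replace-every-occurrence job can also be done outside the Find / Ctrl-V loop: export the branch with File > Export, rewrite the .reg file, and import the result. The script below is an added example and not a tool from this course; it assumes Python 3, its function names are its own, and the export it works on is constructed (the organisation and owner names are made up).

```python
import re

# Constructed sample export.  The organisation and owner names are made up and
# the "Example" key is invented; the two CurrentVersion paths are real ones.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"RegisteredOrganization"="Old Company"
"RegisteredOwner"="J. Smith"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion]
"RegisteredOrganization"="Old Company"
"ProgramFilesDir"="C:\\Program Files"

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Old Company]
"Vendor"="Old Company"
"Notes"="Old Company (legacy)"
'''

# One REG_SZ line in a .reg file: "Name"="data", or @="data" for the (Default) value.
_STRING_LINE = re.compile(r'^("(?:[^"\\]|\\.)*"|@)="((?:[^"\\]|\\.)*)"$')


def reg_escape(s):
    """Backslash and double-quote must be backslash-escaped inside .reg string data."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def reg_unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def replace_string_values(reg_text, old, new, only_names=None):
    """Rewrite every REG_SZ line whose data is exactly `old`; return (text, count).

    This mirrors the manual Find / Ctrl-V loop: only whole-value matches change,
    and key names, dword: and hex: lines are never touched.  `only_names` limits
    the rewrite to the given value Names, e.g. {"RegisteredOrganization"}.
    """
    out, count = [], 0
    for line in reg_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = _STRING_LINE.match(body)
        if m and reg_unescape(m.group(2)) == old:
            name = m.group(1)
            plain = "(Default)" if name == "@" else reg_unescape(name[1:-1])
            if only_names is None or plain in only_names:
                # Keep the original line ending so the file stays importable.
                line = '%s="%s"%s' % (name, reg_escape(new), line[len(body):])
                count += 1
        out.append(line)
    return "".join(out), count
```

Regedit on XP and later writes exports as UTF-16 text, so open a real export with `encoding="utf-16"` and write the rewritten file back the same way before importing it.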
How to add Keys and Values to the Registry
In some cases it may be necessary to add Keys or Subkeys to the Registry, or to add new
Values to existing Subkeys. This situation may arise in three common circumstances:
 Malware has deleted a required key, and you need to add it back
 The default value of a particular Subkey is being used, that key is not explicitly
coded in the Registry, and you need to assign it a different value
 You want to add non-Windows information to the Registry for any reason
The procedure is different, depending on which “side” of the Registry the new entry
belongs to. Adding a new Subkey is a multi-step procedure:
 Navigate to the Subkey under which the new entry should appear
 On the Edit menu, choose New and select Key
 Enter the desired name for the new Subkey
Now you will enter the appropriate Value(s) for this new Subkey, which will appear in
the right-hand pane of the Regedit window. This procedure will be the same for a new
Subkey or for adding one or more Values to an existing Subkey:
 On the Edit menu, choose New and then select the desired Data Type from the
list
 Enter the desired Name for that Value
 Double-click that Name and enter the desired Data
 Repeat if necessary to add more Values
Data Types used in the Registry
Early versions of the Registry included three possible types of data:
 REG_BINARY
 REG_DWORD
 REG_SZ
Windows NT 4.0 and the later NT-based Operating Systems include two additional data
types, although they are used less frequently:
 REG_EXPAND_SZ
 REG_MULTI_SZ
The 64-bit versions of Windows include a new data type:
 REG_QWORD
REG_BINARY (Binary) fields consist of pairs of hexadecimal numbers, each with a value
of 0-9, a, b, c, d, e, or f. The values a through f represent decimal equivalents of 10
through 15, respectively. These fields may be any length, from one byte to 32 bytes or
longer in rare cases. An example of a Binary field can be found at
HKLM\Software\Microsoft\Windows NT\CurrentVersion\DigitalProductID in the
following screen capture.
REG_DWORD (Doubleword) fields are always four bytes long, on doubleword
boundaries (addresses that end in 0, 4, 8, or c). They are expressed as 0x followed by
eight hexadecimal digits, then the equivalent decimal value enclosed in parentheses. An
example of a Dword field can be found at
HKLM\Software\Microsoft\Windows NT\CurrentVersion\InstallDate in the following screen capture.
REG_SZ (String) fields are composed of alphanumeric characters, such as names,
descriptions, files, paths, etc. These fields may be any length, from one byte to 32 bytes
or longer in some cases.
The SZ designates that this field is terminated internally by a Zero. An example of a
String field can be found at HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRoot
in the following screen capture.
REG_EXPAND_SZ (Expandable String) fields are made up of alphanumeric characters
when there may be a need to expand the length of the field from an environment
variable, such as %SystemRoot%. Otherwise, fields of this Type are the same as regular
String fields, including the Zero terminator. An example of an Expandable String field
can be found at HKCR\txtfile\shell\open\command:
REG_MULTI_SZ (Multi-String) fields contain a series of strings, or multiple entries of
alphanumeric characters, arranged in tabular fashion. Once again, the field length is
variable and each one is terminated by a Zero. An example of a Multi-String field can be
found at HKLM\Software\Microsoft\Windows NT\CurrentVersion\SvcHost:
In turn, the selected subkey contains multiple entries in tabular form, as in this example
of LocalService:
REG_QWORD (Quadword) fields are always eight bytes long, on quadword boundaries
(addresses that end in 0 or 8). They are expressed as 0x followed by 16 hexadecimal
digits, then the equivalent decimal value enclosed in parentheses. These are only
applicable to 64-bit versions of Windows. Here is an example:
Back to the Menu Bar
The View Menu
The View menu is pretty straightforward and similar to what you’ve seen in many
applications. The first selection, a toggle for Status Bar, is one you will normally want to
have selected. This shows the currently selected Key or Subkey and other useful
information in the bottom line of the Regedit window.
The next option, Split, lets you adjust the relative size of the two panes in Regedit. This
can also be accomplished by simply dragging the vertical bar between the panes to the
desired size.
Display Binary Data gives you a more detailed view of any entry, displaying its contents
in hexadecimal representation.
The final option on the View menu, Refresh, lets you ensure that what you are seeing in
the Regedit view is completely current. While you are looking at an area of the Registry,
it may have been changed as a result of normal activity on the system. To be sure you
are seeing the latest version, you may either choose this option or hit the F5 key.
The Favorites Menu
The Favorites menu was new in Regedit for Windows XP and has been carried forward
into the later versions of Windows as well. This gives you the ability to define branches
of the Registry you need to access on a regular basis, such as
HKLM\Software\Microsoft\Windows NT\CurrentVersion.
If you have some Favorites you use on a regular basis and would like to set them up on
other computers, you may export that Registry key to a thumb drive or your Virus
Repair Toolkit, then import them into the other computer. These Favorites are stored in
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\Favorites.
The purpose and function of Control Sets in the Registry
Under HKLM\System\ you will find multiple Control Sets. The first one is normally
named ControlSet001, but the second may show up as ControlSet002 or ControlSet003.
These provide the capability to have multiple configurations of Windows XP at various
times.
The Control Set presently in use is shown as CurrentControlSet. This is actually a copy of
one of the numbered Control Sets, but it takes some digging to determine which is the
CurrentControlSet at any given time.
If you’re curious enough to take the time, you may navigate to
HKLM\System\CurrentControlSet\Control\IDConfigDB\CurrentConfig. The value shown
in that field represents the ControlSet number, ControlSet001 in this example:
One use of the multiple ControlSets is in case of a problem starting Windows. If you
encounter that situation, the Boot Menu offers several options to help resolve the
problem. One option to consider is the Last Known Good Configuration (LKG).
This option reloads the CurrentControlSet from the numbered ControlSet that was
active the last time Windows started successfully. It does not make any other changes
to the Registry.
If you ever want to verify which is the CurrentControlSet, there is another way to make
that determination. Here are the steps to follow:
 In CurrentControlSet, note the value of a specific Subkey
 Find that same Subkey under ControlSet002 or ControlSet003
 Change the value of that Subkey
 Look in CurrentControlSet to see whether that value is the same as above
 If so, that was the CurrentControlSet
 If not, ControlSet001 is the CurrentControlSet
Sometimes the numbering of the ControlSets is not as you would expect. While the first
one is normally named ControlSet001, it may actually be ControlSet002 or some other
number. Most systems contain two ControlSets, regardless of their numbers; some
contain three; and you may occasionally see many more than that, possibly two dozen
or more.
Further confusing the issue is the fact that all ControlSet numbers may not be
consecutive. One infected computer contained ControlSet001 through ControlSet026,
followed by ControlSet063. The reference in CurrentConfig shown above is the relative
position of that ControlSet in the list, starting with 1.
For more detailed information on ControlSets, a very old article in the Microsoft
KnowledgeBase is still available. It was written about Windows NT 3.51, but the
contents seem to apply to the later versions of NT-based Operating Systems as well:
 100010 – What are Control Sets? What is CurrentControlSet?
Working with Users in the Registry
As you might suspect, Users are defined in the Registry under HKEY_USERS. These
entries begin with .DEFAULT, which is the User Profile that is current before any User
logs onto Windows. This entry is followed by a string of entries in the format
S-1-5-something. These are known as Security IDs, or SIDs.
The first entries are used by various system functions. The entries starting with S-1-5-21
are the Users who have been defined on this computer. You can find a complete list of
Users in HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList.
For each entry in that Subkey that begins with S-1-5-21, look in the right-hand pane at
the data in ProfileImagePath. This entry will give you the path to that User Profile,
ending with the User’s name for that SID.
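The following Python code is an added example, not part of the training document, that applies the rules above to the entry names found under HKEY_USERS and to the ProfileList Subkey. It separates .DEFAULT, the well-known system SIDs and the S-1-5-21 account SIDs, and maps each account SID to the profile folder named in ProfileImagePath. The well-known SIDs S-1-5-18, S-1-5-19 and S-1-5-20, the fixed RIDs 500 and 501, and the _Classes suffix are known Windows facts that the page itself does not name; the PROFILE_LIST entries are a constructed sample.

```python
# Well-known SIDs present under HKEY_USERS on every system (Windows SDK constants;
# the page names only .DEFAULT and the S-1-5-21 form).
WELL_KNOWN_SIDS = {
    "S-1-5-18": "SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}
# RIDs that are fixed in every S-1-5-21 domain; 500 stays the built-in Administrator
# even if the account has been renamed.
BUILTIN_RIDS = {500: "Administrator", 501: "Guest"}

# Constructed sample of HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList,
# as {SID subkey name: ProfileImagePath}.
PROFILE_LIST = {
    "S-1-5-18": r"%systemroot%\system32\config\systemprofile",
    "S-1-5-19": r"%systemroot%\ServiceProfiles\LocalService",
    "S-1-5-20": r"%systemroot%\ServiceProfiles\NetworkService",
    "S-1-5-21-1004336348-1177238915-682003330-500": r"C:\Users\Administrator",
    "S-1-5-21-1004336348-1177238915-682003330-1001": r"C:\Users\alice",
}


def parse_sid(sid):
    """Split 'S-R-A-s1-s2-...' into (revision, identifier authority, [sub-authorities])."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not an SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    if revision != 1:
        raise ValueError(f"unknown SID revision {revision}")
    return revision, authority, [int(p) for p in parts[3:]]


def classify_hku_entry(name):
    """Classify one entry name as it appears under HKEY_USERS."""
    if name == ".DEFAULT":
        return ("default-profile", None)
    sid, _, suffix = name.partition("_")
    if suffix == "Classes":
        # Vista and later also load the user's own HKCR layer as a second hive with
        # this suffix (known Windows behaviour, not from the page).
        return ("classes-hive", sid)
    if sid in WELL_KNOWN_SIDS:
        return ("well-known", WELL_KNOWN_SIDS[sid])
    _, authority, subs = parse_sid(sid)
    # Accounts defined on this computer (or its domain) are S-1-5-21-<3 numbers>-<RID>.
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        return ("account", BUILTIN_RIDS.get(rid, f"RID {rid}"))
    return ("other", sid)


def users_from_profile_list(profile_list):
    """Return {SID: profile folder name} for the S-1-5-21 accounts in a ProfileList dict.
    The folder name usually matches the User's name, but it can carry a suffix such as
    alice.DOMAIN or alice.000 after a profile rebuild, so treat it as a hint, not proof."""
    users = {}
    for sid, path in profile_list.items():
        if classify_hku_entry(sid)[0] == "account":
            users[sid] = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
    return users
```

An S-1-5-21 entry in ProfileList with no matching folder on disk, or a folder under C:\Users with no ProfileList entry, is the kind of mismatch worth a second look during a cleanup.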
Registry backup and recovery techniques
Several methods are available to back up and restore the Registry in case of errors or
corruption. These are the most commonly used:
 Exporting selected Keys or Subkeys from Regedit
 Using System Restore to create Restore Points or restore from previous Restore
Points
 Making an Automatic System Recovery (ASR) backup and recovering from it
 Manually copying individual Hives
An article in the Microsoft KnowledgeBase explains some of the ways to back up and
restore the Registry in different versions of Windows. The article is as follows:
 322756 – How to back up and restore the Registry in Windows
Dealing with missing or corrupted Hives
Any time a Hive goes missing or becomes corrupted, the likelihood of successful
recovery is not very high. An article in the Microsoft KnowledgeBase covers one set of
procedures that could resolve the issue, with several variations depending upon the
exact circumstances of the problem.
This article deals with Windows XP, but there are similar articles that cover the other
versions of Windows. A search through the KnowledgeBase turns up additional articles
on the subject, but this is the most comprehensive. The article is as follows:
 307545 – How to recover from a corrupted Registry that prevents Windows XP
from starting
When a problem with a damaged Hive occurs, the most common symptom is an error
message at Windows startup. This message is in white text on a black background, and
may say “Windows XP could not start because the following file is missing or corrupt:”
followed by the name of the file. This will usually be
\WINDOWS\SYSTEM32\CONFIG\SYSTEM or
\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.
In any of these cases, if you have manually copied the Hives recently, there is a good
chance of successful recovery. If not, the following procedure offers a fairly high
probability of recovering the corrupted Hive. You may save yourself some time and
trouble by following this procedure before trying the steps outlined in the article
referenced above:
In Recovery Console, follow these steps:
 chkdsk /r (Enter) – Be sure there is a space before the /r, and that it is a forward
slash, not a backslash. This will run for a while, so be patient!
 chkdsk /p (Enter)
 fixboot c: (Enter) – Assuming the hard drive is C:
 exit (Enter) – Computer will restart, hopefully with the Registry intact
Microsoft introduced two new tools to deal with some of these issues in Vista, and
these tools have been carried forward into Windows 7 and Windows 8. The first to try
in these cases is the Startup Repair option in the System Recovery Options dialog box.
If Startup Repair doesn’t resolve the issue, it’s time to move on to the other new tool,
Bootrec.exe. Its use is described in this article in the Microsoft KnowledgeBase:
 927392 – Use the Bootrec.exe tool in the Windows Recovery Environment to
troubleshoot and repair startup issues in Windows
Recovering from the Blue Screen of Death (BSOD)
There are many possible causes of BSOD, including some hardware failures and some
software issues. If a particular BSOD is caused by a software problem, it almost certainly
involves a Registry issue. A search of the Microsoft KnowledgeBase for “blue screen
error Windows XP” results in more than 500 articles, so it will probably be necessary to
dig deeper for the cause.
In some cases you will not see the BSOD because the computer reboots itself when such
an error occurs. If that happens, go to the Boot Menu (F8 at bootup time) and select
the option to “Disable automatic restart on system failures.” That change will allow you
to see the actual error message and start your diagnosis with more useful information.
One fairly common cause of BSOD errors involves corrupted Registry Hives and
produces the message “Windows XP Unmountable_Boot_Device Error.” This problem
frequently can be solved by using the procedure outlined above for repairs from the
Recovery Console.
Similarly, Vista, Windows 7, and Windows 8 computers with BSOD errors may respond
to the Startup Repair and Bootrec.exe procedures outlined above.
Ironically, another fairly common cause of BSOD involves corrupted installations of
popular anti-virus programs. Two of the most widely used A/V programs, Norton and
McAfee, have been known to cause this error. There are three symptoms that indicate
this is the cause of a particular BSOD:
 The BSOD occurs after the desktop is loaded, not immediately upon startup
 The Stop Code is 0x0000000A
 The error message is “IRQL_NOT_LESS_OR_EQUAL”
If your BSOD matches these symptoms, the easiest fix is to completely remove the
offending program. On another computer, download the removal tool from the
appropriate vendor’s web site and copy it to a USB drive or CD. Then reboot the BSOD
computer into Safe Mode with Command Prompt and run the removal tool.
Microsoft provides a tool you may download for help with BSOD issues. The tool is the
WinDBG Debugger, and its use is described in the following article:
 315263 – How to read the small memory dump files that Windows creates for
debugging
There is also an article in TechRepublic that outlines a detailed procedure for using this
program. The article title is How do I use WinDBG Debugger to troubleshoot a Blue
Screen of Death? You may download it from www.techrepublic.com.
Another tool that is helpful in recreating the BSOD screen is BlueScreenView, from
NirSoft, at http://www.nirsoft.net/utils/blue_screen_view.html. This free program lets
you view the Blue Screen messages as they originally appeared, and provides additional
information that may help you diagnose and resolve these errors.
In some extreme cases of Windows corruption it may be necessary to reinstall the
Operating System. It will frequently be possible to do a Repair Install, which is far less
destructive than a full installation. If you can accomplish a Repair Install, the Registry
will probably remain intact, and applications will not need to be reinstalled.
The following article describes the steps to follow in attempting a Repair Install of
Windows XP:
 978788 – How to perform an in-place upgrade (reinstallation) of Windows XP
A later change to this procedure applies if Internet Explorer 7 or 8 has been installed on
this system. If so, the browser must be uninstalled prior to reinstalling Windows XP.
The procedure to do this is outlined in the following article:
 917964 – How to perform a repair installation of Windows XP if a later version of
Internet Explorer is installed
Emergency recovery of the Registry if you don’t have a backup
When Windows XP was initially installed, a backup copy of the Hives was saved to the
C:\windows\repair folder. If you have no other usable backups of the Hives, it is
possible to recover from these copies. This usually is not a good solution, as the
restored Registry will not reflect any of the changes to the Registry since the initial
installation of Windows XP. But this is a less-destructive procedure than reformatting
the hard drive and reinstalling Windows from scratch.
The procedure for restoring the Hives from the Repair folder is included in the Microsoft
KB article referenced above, 307545. But it is important to note that this article does
not apply to OEM installations of Windows XP. If the computer that is experiencing the
problem came with the OEM version of Windows XP preinstalled from the
manufacturer, this procedure may not work as it would with the retail version. The
article describes the potential problem in more detail, to help you determine whether
this procedure is an option for you to consider.
“Bulletproofing” the Registry to keep it safe
There are a number of steps that should be taken to protect the Registry as much as
possible. Here are some options:
 Remove Regedit.exe and Regedt32.exe from the local hard drive
 Change the File Association for .reg files to open in Notepad instead of Regedit
 Don’t let the user have Administrative Privileges
 Don’t let the user have access to a Windows Boot Disk or a Windows Install CD
 Don’t let the user have access to a network drive with Windows System files
 Implement User Profiles and/or Group Policies to block access to the Registry
Editors
The role of Group Policies in the Registry
Group Policies are normally used to prevent the user from doing things that could
potentially harm the system or its Registry. But in some cases Group Policies may be
used maliciously to prevent the technician from finding or removing viruses or other
malevolent software.
Group Policy settings actually end up in the Registry, where they are applied at
Windows startup time. You can view and change Group Policy settings in any
Professional version of Windows, assuming you have the appropriate Permissions. The
Home editions of Windows do not include gpedit.msc, but the Home editions will honor
Group Policy settings in the Registry, however they were put there in the first place.
The most direct way to set Group Policies is to choose the Run command and enter
gpedit.msc, then click OK. This will take you to a screen that should look similar to this
(Windows XP):
Most of the Group Policies you will want to set fall under User
Configuration\Administrative Templates. One example is the Policy to “Prevent access
to Registry editing tools,” as shown here:
Double-clicking on that Setting opens the following dialog box:
Change the default value of Not Configured to Enabled, then click Apply, and this user
can no longer run Regedit.exe or Regedt32.exe. This is a protection you probably want
to include on most User logons.
There are more than 700 Group Policy settings in the modern versions of Windows,
including many that are likely to serve a useful purpose for large groups of Users. Each
Policy that is Enabled produces a corresponding entry (or entries) in the Registry. These
entries are found in one of the following Subkeys:
 HKCU\Software\Microsoft\Windows\CurrentVersion\Policies for entries under
User Configuration
 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies for entries under
Computer Configuration
In addition to the Registry entries, Group Policy settings are stored in two .pol files.
These .pol files are examined at Windows startup time and loaded accordingly. At that
time the corresponding Registry keys are set as necessary to enforce the specified
policies. The file names are as follows:
 NTUser.pol for entries under User Configuration
 Registry.pol for entries under Computer Configuration
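The .pol files have a simple documented binary layout, and being able to read one lets a technician confirm which Policies a machine will apply at startup, including a Policy that was planted to keep Regedit out of reach. The following Python code is an added example, not from the training document or from Microsoft: it builds and parses a Registry.pol file (a "PReg" signature, a version number, then one [key;value;type;size;data] record per Policy, with all text in UTF-16LE), and then checks whether the file enables "Prevent access to Registry editing tools." The value name behind that Policy, DisableRegistryTools under Software\Microsoft\Windows\CurrentVersion\Policies\System, is not given on the page; the sample entries are constructed.

```python
import struct

REG_DWORD = 4
POL_SIGNATURE = b"PReg"  # file header required by the Registry.pol format
POL_VERSION = 1
# Keys in a .pol file are relative to the hive root (HKCU for User, HKLM for Computer).
POLICIES_SYSTEM = r"Software\Microsoft\Windows\CurrentVersion\Policies\System"


def u(text):
    """All text in a .pol file, including the [ ; ] delimiters, is UTF-16LE."""
    return text.encode("utf-16-le")


def build_registry_pol(entries):
    """Serialise (key, value name, type code, data bytes) tuples into Registry.pol form."""
    out = bytearray(POL_SIGNATURE + struct.pack("<I", POL_VERSION))
    for key, name, reg_type, data in entries:
        out += u("[") + u(key + "\0") + u(";") + u(name + "\0") + u(";")
        out += struct.pack("<I", reg_type) + u(";") + struct.pack("<I", len(data)) + u(";")
        out += data + u("]")
    return bytes(out)


def parse_registry_pol(blob):
    """Parse a Registry.pol file back into (key, value name, type code, data bytes) tuples."""
    if blob[:4] != POL_SIGNATURE:
        raise ValueError("missing PReg signature; not a Registry.pol file")
    if struct.unpack_from("<I", blob, 4)[0] != POL_VERSION:
        raise ValueError("unsupported Registry.pol version")

    def expect(pos, ch):
        if blob[pos:pos + 2] != u(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        return pos + 2

    def read_cstr(pos):
        end = pos
        while True:  # scan for the UTF-16 Zero terminator, two bytes at a time
            if end + 2 > len(blob):
                raise ValueError("unterminated string")
            if blob[end:end + 2] == b"\0\0":
                break
            end += 2
        return blob[pos:end].decode("utf-16-le"), end + 2

    entries, pos = [], 8
    while pos < len(blob):
        pos = expect(pos, "[")
        key, pos = read_cstr(pos)
        pos = expect(pos, ";")
        name, pos = read_cstr(pos)
        pos = expect(pos, ";")
        reg_type = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = expect(pos + 4, ";")
        data = blob[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data field")
        pos = expect(pos + size, "]")
        entries.append((key, name, reg_type, data))
    return entries


def registry_tools_blocked(entries):
    """True when the parsed Policies enable "Prevent access to Registry editing tools"."""
    for key, name, reg_type, data in entries:
        if key.lower() == POLICIES_SYSTEM.lower() and name.lower() == "disableregistrytools":
            return reg_type == REG_DWORD and len(data) == 4 and struct.unpack("<I", data)[0] != 0
    return False


# Constructed sample: the User Configuration policy file a locked-down logon would carry.
SAMPLE_POLICY = [(POLICIES_SYSTEM, "DisableRegistryTools", REG_DWORD, struct.pack("<I", 1))]
```

The local .pol files live under the GroupPolicy folder in the Windows directory (a known location, not given on the page); reading the User copy with parse_registry_pol and running registry_tools_blocked over the result tells you whether the block on Regedit is a deliberate setting or something to remove during a cleanup.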
Group Policies may be defined on a local machine using Gpedit.msc as shown here, or
they may be handed down from a higher-level Domain Controller in a Client-Server
network. Any Policy may be set on the local machine, so long as it does not conflict with
a Policy handed down from higher up in the hierarchy of the network.
Most Group Policies will take effect as soon as the Apply button is clicked, or OK. But to
be sure all newly-enabled Policies are active, you may issue the following command
from a Run:
 gpupdate /force
In some cases all of the standard Group Policies may not appear in the Gpedit.msc
window. The most common reason for these omissions is the absence of the
corresponding .adm files that contain the options for those settings. A full discussion
and listing of the .adm files included in the various versions of Windows can be found in
the following Microsoft KnowledgeBase article:
 816662 – Recommendations for managing Group Policy administrative template
(.adm) files
The following article in the Microsoft KnowledgeBase describes some other possible
causes of those missing Policies, and how to get them back:
 555218 – Some Group Policy areas are missing from the Group Policy Editor
How and when to use Permissions to protect the Registry
While some Keys and Subkeys in the Registry must be updated frequently as Windows is
running and programs are opened and closed, many more should not be changed from
their initial values. In some cases it may be worth the effort to manually change the
Permissions on a given Subkey to prevent any changes from being made.
Permissions are set by Subkey, found on the Edit menu of Regedit in Windows XP and
later versions. They can be set differently for different users that are defined for a
particular computer, and may include the ability to Allow or Deny Full Control, Read, or
Special Permissions for each user.
Windows Services, svchost.exe, and the Registry
The Services that are defined in CurrentControlSet for a given computer are started
when Windows starts. Each Service is started by a process named Svchost.exe. Looking
in Task Manager, you will see multiple occurrences of Svchost.exe when Windows is
running. There will usually be at least 6 occurrences of Svchost.exe in Windows XP; in
Vista, Windows 7, or Windows 8 there may be as many as 12 or more.
Each Svchost.exe process is responsible for running one or more of the Windows
Services. A full description of the association of Services to Svchost.exe instances can be
found in the Microsoft KnowledgeBase, in the following article:
 314056 – A description of Svchost.exe in Windows XP Pro
Working with Msconfig and other Registry utility programs
Ever since Windows 98, with the exception of Windows 2000, Microsoft has provided a
safer way of working with the Run Keys than manually editing them in Regedit. The
Msconfig.exe utility program gives direct access to the entries found in the Run Keys in
HKLM and HKCU.
To open Msconfig.exe, simply type that file name into a Run command. This program
will open a window similar to this:
When the Startup tab is selected, as in the example above, all entries found in the Run
Keys under HKLM and HKCU are displayed. In 64-bit versions of Windows, the Run keys
under WOW6432Node will follow the HKCU entries. To keep an entry from starting at
Windows startup, uncheck that entry from the list. If you need to recover an entry at a
later time, you can simply recheck that box and the entry will be active again.
The “Location” column in Msconfig shows the location in the Registry where this Item
was found, starting with the top-level HKEY. Most of those entries will start with HKLM
or HKCU, but there may also be some Items with a Location of Startup or Common
Startup.
Startup or Common Startup designates that the item is in the Startup Folder instead of a
Run key. If you click on Start | Programs | Startup, you will see the Items that will start
with Windows but that are not contained in any of the Run keys.
Note that the columns for “Manufacturer” and “Date Disabled” were new with
Windows Vista and standard in Windows 7, but not included in the Windows XP version
of Msconfig. Windows 8 still includes Msconfig, but it is no longer used to specify the
programs to autostart with Windows.
When an entry is unchecked from Msconfig, that entry is moved to a different area of
the Registry. All of those disabled entries can be found in this Subkey:
 HKLM\Software\Microsoft\Shared Tools\Msconfig\Startupreg
The following example shows five entries that have been unchecked in Msconfig:
You will notice that the right-hand pane contains all the “pieces” that would be needed
to restore each entry to active status. This includes the executable name of the
program, including the full path to it, the top-level HKEY that originally contained it, and
the full path to the entry in the Registry.
Note also that this screen shot, from Windows 7, includes the date and time this entry
was disabled (“unchecked” in Msconfig). Those fields are MONTH, DAY, YEAR, HOUR,
MINUTE, and SECOND. These fields do not appear in this subkey in Windows XP, Server
2003, or previous versions of Windows.
In older versions of Windows that did not include Msconfig, there is another way of
deactivating an entry in a Run Key without actually deleting that entry. If you Edit the
entry you no longer want and place a semicolon (;) at the beginning of the Data entry,
that action will turn that line into a comment, or remark. It will still be there, but won’t
execute at Windows startup time. If you need to recover that entry, simply Edit it again,
remove the semicolon, click OK, and that entry will be active the next time Windows is
restarted.
Remote Registry Editing and how it works
Regedit allows for Remote Registry Editing, whereby one computer can access and
change the contents of the Registry on another computer across the network. This is
obviously a potentially useful feature to have; at the same time, it is just as obviously a
potentially dangerous feature to use.
If you have no need to have the Registry on a given computer accessed remotely, you
can easily disable that functionality. If you are doing Remote Registry Editing, it is
critical to follow the procedure carefully and double-check any changes you make to the
remote computer’s Registry. Creating a Restore Point or Registry Export is even more
important than the more typical environment of locally editing a Registry.
In order for Remote Registry Editing to work, several key pieces must be in place:
 The computers must be on a Client-Server network, with a Domain Controller to
authenticate users and permissions. This requirement excludes the Home
versions of Windows from participating, in either direction.
 Remote Registry Service must be running on the computer that is to be accessed
remotely
 Permissions must be granted for a specific User to access specific Keys or Subkeys
in the Registry of the remote computer
 The person doing the remote access must log on as the specified User with the
requisite Permissions
Once those pieces are in place, the steps to establish a Remote Registry Editing session
are fairly straightforward:
 Open Regedit, logged on as the User who will be accessing the remote Registry
 On the File Menu, choose Connect Network Registry
 Select the name of the computer you need to access, then click OK
 The Keys and Subkeys to which you have been granted Permission will display in
the left-hand pane of Regedit, under the Registry of your local computer
 View and Edit the contents of the remote Registry as needed
 On the File Menu, choose Disconnect Network Registry
 Exit Regedit
One critical point to bear in mind about Remote Registry Editing is that there is no
protection against the local User and the remote User making changes at the same time.
If the Users at both ends of the connection both have appropriate Permissions, this
shortcoming could lead to some undesired outcomes.
Accordingly, any Remote Registry Editing session should be completed as quickly as
possible to avoid such conflicts. And the final step, of Disconnecting the Network
Registry, is very important.
If you want to be sure nobody can access the Registry of a given computer remotely,
that functionality can be blocked in one easy step:
 Change the Startup Type of Remote Registry Service to Disabled
This is done through Control Panel | Administrative Tools | Services or by typing
in “services.msc” from the Run command. Scroll down to Remote Registry
Service, Stop the Service, then change the Startup Type to Disabled.
There are other methods that can be used to remotely edit the Registry on
another computer. These fall into several broad categories:
 Microsoft-provided utility programs, such as Terminal Services or Remote
Desktop
 Third-party utility programs, such as pcAnywhere, VNC, Dameware, and others
 Web-based remote access, such as GoToMyPC, GoToAssist, LogMeIn, and others
There is no one “best” solution, but these are some of the options that are available to
you.
SESSION 3: VIRUS REPAIR METHODOLOGY
Methodology for Malware Remediation – Overview
The procedure for cleaning an infected computer of malicious programs is very
straightforward. The following flowchart illustrates the process in simplified form:
How to find and identify active malicious processes
The first step in cleaning an infected computer is to determine the general type of infection it
involves. Most malicious software today falls into one of two broad categories:
 Traditional viruses, worms, and Trojan horses, which may display no obvious symptoms
of infection
 Rogue software, which generates frequent and annoying messages in attempts to
induce the user to purchase the bogus program. This category is further broken down
into three general types:
o Fake anti-virus software, claiming to have found infections on the computer
o Fake hardware diagnostics, claiming to have detected an impending hardware failure
(usually of the hard drive)
o Ransomware, claiming to be from a law-enforcement agency, and holding the
computer hostage until the user pays a “fine”
Most-likely malware today
The most common type of malware encountered since late 2009 and through 2014 falls into
the category of Rogue Software. This includes programs such as Antivirus 2010, XP Antivirus,
Total Security, Windows Recovery, and Internet Security 2012. These programs pop up, usually
at the time of Windows startup, and inform the user that their computer is infected. For a
price, generally in the range of $39.95 to $59.95, they offer to remove the infections.
A more recent variation on this approach pops up a different type of warning. Instead of
claiming to have found malware, programs such as Windows Recovery inform the user that
their hard drive is failing. To lend credibility to that claim, the user no longer sees the
programs and program groups that had been on that computer prior to the appearance of this
message.
One of the most widespread rogues since 2012 has been the FBI MoneyPak Ransomware, also
known as the Reveton Trojan. This malware takes over the user’s desktop and blocks access to
any programs or system functions until the user pays a “fine” to have the malware removed.
The first version of this malware demanded $100 in the U. S. Later variants have increased
that demand to $300.
The newest form of Ransomware first appeared in September, 2013 under the name of
CryptoLocker. Instead of blocking access to the desktop or the programs the user would
normally run, it encrypts all of the important data files and holds them “hostage” until the user
pays the ransom for the decryption key.
CryptoLocker was so widespread, so effective, and so profitable for its authors that it has
spawned a host of imitators. As of the first quarter of 2015, there have already been at least
10 similar pieces of malware released in the wild. You can find more details of this family of
Ransomware in Appendix B of this document.
If a computer is infected by one or more of these Rogues, you will want to clean those
infections before digging deeper to discover additional malware.
The following screen shot is an example of a typical message from Smart Fortress 2012:
If the computer in question shows symptoms such as this, continue with the following section
“How to terminate rogue software.” If not, skip to the section “How to find traditional viruses,
worms, and Trojan horses.”
How to terminate rogue software
These programs will usually initiate a realistic-looking scan and report detailed results, but they
are not legitimate. Even clicking on the Close button or the large red X in the top right corner
of the box will not get rid of the program; in many cases the entire box is a hyperlink, so it is
important not to click anywhere in that window.
If there is an entry for this dialog box showing in the Taskbar, the safest procedure is to
right-click and close the program from there. Alternatively, the key combination Alt-F4 may close
the program. Frequently it will not show up in the Taskbar, though, and the only safe way to
close the program is through Task Manager or Process Explorer. In Task Manager the rogue
program should appear on the Applications tab, where you can select it and End Task.
A common defense used by programs in this category is to block access to Task Manager,
Regedit, the Run command, the Command Prompt, and other tools that would normally be
used to remove the threat. If you encounter any of these issues, you may use the specific tools
included on the Virus Repair Toolkit to restore that functionality.
Another tool that may be useful to terminate rogue programs is rkill.exe, from
www.bleepingcomputer.com. You will find the download link on the Virus Repair Toolkit CD.
This program should end all processes associated with rogue security software but will not
prevent them from restarting the next time Windows is restarted.
Included in Appendix B of this document are specific procedures to deal with the most
common examples of rogue security software. If a rogue is active on the computer you are
troubleshooting, check Appendix B first for a solution specific to that malware.
If the rogue in question is not listed in Appendix B, you may apply either of two generic
solutions to remove it. We’ll start with the easier one:
1. Terminate the rogue by whatever means necessary (but do not click anywhere in the
rogue window)
2. Perform a System Restore and roll back to a date and time before the rogue was active
(if necessary, re-boot into Safe Mode, Command Prompt and run System Restore from
that environment; the command is %systemroot%\system32\restore\rstrui.exe)
3. Run a Scan with MalwareBytes in Chameleon mode to find and remove the rogue and
any other malware traces it finds
If for any reason that generic procedure doesn’t remove the rogue, here is a slightly more
involved method that should take care of it:
1. Boot into Safe Mode, Command Prompt
2. From the Virus Repair Toolkit, run Enabletaskmgr.bat
3. From the Virus Repair Toolkit, run Enableregedit.bat
4. (Vista or later) From TechWARU, run Registry Investigator or (XP or older) From the
Virus Repair Toolkit, run Regstep.bat, and fix or restore Registry entries as necessary
5. Re-boot into Normal Mode and run a Scan with MalwareBytes in Chameleon mode to
find and remove the rogue and any other malware traces it finds
A surprisingly high percentage of rogues would actually be more correctly described as PUPs,
or Potentially Unwanted Programs. Although they exhibit behavior such as we normally
associate with malware, they may act like legitimate programs in some respects. Along those
lines, you may find them in the Add/Remove Programs listing and be able to remove them
from there. It’s at least worth a try!
How to find traditional viruses, worms, and Trojan horses
There is no one symptom that will always indicate a system is infected, and no sure sign that it
is not. Here are some common symptoms that could indicate the presence of malware:
 If any warning or error messages are appearing unexpectedly, that could be a symptom
of a malware infection
 If the computer is running unusually slowly, malware is a possible cause
 Start Task Manager and look on the Performance tab. With no applications running, the
CPU Usage should mostly remain less than 5%; in this example, you will notice there are
117 Processes running, so 20% is a reasonable number:
 If the computer being examined is running Windows XP or Windows Server 2003, check
the Network Connection icon in the System Tray for activity. Unless the computer is
actively communicating across the network, the lights in this icon should mostly remain
unlit.
 If the computer in question is running Vista, Windows 7, or Windows 8, you will not
have the convenient Network Connection icon to check; another alternative in these
later Operating Systems is to look at the Network tab of Task Manager and see whether
there is a significant amount of network traffic going to and from any or all of the
network adapters.
 The following example shows a laptop computer with a wireless adapter (top graph) and
a wired Ethernet connection (lower graph). You will notice that there is some activity on
both adapters, and the two graphs are completely different:
If any of these indicators reveal abnormal traffic, you will need to determine the nature of that
traffic and its source and/or destination. You can find the key pieces of this information by
using the netstat command, from a Command Prompt, with the -na parameters selected. The
results will be similar to this:
The first piece of information to examine in this listing is the Local Addresses. Any Reserved
addresses or Private addresses are probably normal and not indicative of malware activity.
These addresses are as follows:
 Reserved addresses: First octet is 0 or 127
 Private addresses:
Class A – 10.0.0.0 through 10.255.255.255
Class B – 172.16.0.0 through 172.31.255.255 or 169.254.0.0 through 169.254.255.255
Class C – 192.168.0.0 through 192.168.255.255
The number following the colon in the Local Address or Foreign Address is the TCP Port being
used for this connection. While there are over 65,000 possible ports, fewer than 1,000 have
legitimate uses. Malware will typically use a port that is not otherwise assigned, to send and
receive data to and from the infected computer.
The listing of Port number assignments is maintained by IANA, the Internet Assigned Numbers
Authority. A complete listing of assigned Port numbers is located on the IANA web site, at
http://www.iana.org/assignments/port-numbers.
Any Foreign Address shown in the netstat listing represents a connection to an address outside
of the local computer. Any addresses that are not familiar should be checked out to determine
the owner of the site assigned that address. One resource for looking up TCP/IP addresses is
ARIN – the American Registry for Internet Numbers. Here is their home page, at www.arin.net:
In the top line of this web page, you may enter the IP address shown in the netstat listing, in
this example 209.85.225.103. Then click the > to the right of that box, and the owner of that
address will be revealed. In this case the address in question was assigned to Google, as shown
in the WHOIS record:
An investigation of all active connections shown in the netstat listing will uncover any malware
activity, whether there is any obvious network activity or not. Some malware is sophisticated
enough that it only sends data packets after some period of inactivity, making it less likely that
the user will notice that abrupt spike in traffic.
On the other hand, some computers that are tied into botnets may be programmed to send
data continuously, knowing that the connection could be discovered and deactivated at any
time. In other words, your mileage may vary.
Another useful option of the Netstat command is to use it with the -no parameters. This will
show all Active Connections, with their Local Address, Foreign Address, and the associated
Process ID. By cross-referencing that Process ID in Task Manager, you can determine which
process is responsible for each connection.
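The two netstat listings described above can be combined and triaged in one pass. The following PowerShell script is an added example, not code from the training manual: it parses "netstat -ano" output (the -n and -o switches together give numeric addresses plus the owning Process ID), classifies each foreign address against the Reserved and Private ranges listed earlier, and looks up the owning process by PID. The sample lines, addresses and PIDs are constructed for illustration; on a live system replace them with the real command output as shown in the comment.

```powershell
# Added example, not from the training manual. Constructed sample of "netstat -ano" output;
# on a live machine use:  $lines = netstat -ano
$lines = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880',
    '  TCP    127.0.0.1:5354         127.0.0.1:49152        ESTABLISHED     1204',
    '  TCP    192.168.1.20:49713     209.85.225.103:443     ESTABLISHED     3120',
    '  TCP    192.168.1.20:49801     203.0.113.77:6667      ESTABLISHED     4412',
    '  UDP    0.0.0.0:5355           *:*                                    1480'
)

function Test-PrivateOrReserved {
    # Returns $true for the Reserved and Private ranges the manual lists (treated as normal)
    param([string]$Ip)
    if ($Ip -eq '*' -or $Ip -eq '') { return $true }
    $o = $Ip.Split('.')
    if ($o.Count -ne 4) { return $true }                           # IPv6 or wildcard: not classified here
    $a = [int]$o[0]; $b = [int]$o[1]
    if ($a -eq 0 -or $a -eq 127) { return $true }                  # reserved
    if ($a -eq 10) { return $true }                                # Class A private
    if ($a -eq 172 -and $b -ge 16 -and $b -le 31) { return $true } # Class B private
    if ($a -eq 169 -and $b -eq 254) { return $true }               # 169.254.x.x, listed with Class B in the manual
    if ($a -eq 192 -and $b -eq 168) { return $true }               # Class C private
    return $false
}

function Get-SuspectConnection {
    param([string[]]$NetstatLines)
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f[0] -notin @('TCP', 'UDP')) { continue }   # skip the title and header rows
        $owningPid = [int]$f[-1]                          # UDP rows have no State column, so read the last field
        $foreign   = $f[2]
        $fIp, $fPort = $foreign -split ':(?=[^:]*$)'      # split on the last colon only (keeps IPv6 intact)
        # PID lookup is only meaningful against live output; the constructed PIDs will usually not resolve
        $proc = Get-Process -Id $owningPid -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Proto   = $f[0]
            Local   = $f[1]
            Foreign = $foreign
            Port    = $fPort
            PID     = $owningPid
            Process = if ($proc) { $proc.ProcessName } else { '(not running here)' }
            Suspect = -not (Test-PrivateOrReserved $fIp)   # outside the normal ranges: look the owner up (e.g. at ARIN)
        }
    }
}

# Show only connections whose foreign address is outside the Reserved/Private ranges
Get-SuspectConnection $lines | Where-Object Suspect | Format-Table -AutoSize
```

With the constructed input this reports the two connections to 209.85.225.103 and 203.0.113.77; the first resolves to Google in the WHOIS example above, while the second is a documentation-range address used here only as a placeholder. The Port column is what you would check against the IANA assignments mentioned earlier.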
Tracking down traditional malware
When you have determined that a computer is infected, or have reason to believe it is, the
next step is to try and identify the infected Process(es). Most malware will show up on the
Processes tab of Task Manager, if you know what to look for.
There are several steps you can take to make your life easier in going through the Task
Manager Processes.
1. Make sure that only one user is logged on; if necessary, log off any other users
2. Check the box to “Show processes from all users”
3. Adjust the size of the Task Manager window to display as many entries as possible
4. Click the heading for Image Name, to sort the entries alphabetically
5. Using Alt-PrtSc, copy the Processes window to the Clipboard
6. Paste this window into a Microsoft Word document (or your preferred word processor)
7. If all Processes didn’t fit on a single screen, scroll down and repeat
8. When done, print out this document
The Task Manager shown here probably doesn’t look exactly the same as the Task Manager
you are looking at right now. There are two possible reasons for those differences:
 Windows XP, Server 2003, and older versions did not include the Command Line or
Description fields
 Some of the fields shown here are not in the default view; you will need to go to the
View menu of Task Manager and click on Select Columns… There you may select PID,
Command Line, and Description if they are not already checked; you may see other
columns you’d like to monitor as well.
The most tedious part of this process is going through the Processes and making a
determination of which are legitimate and which are questionable. As you go through this
process many times on multiple computers it becomes easier and requires less time to
complete. You will also come to recognize which Processes are normal and their intended
function, especially if you work on many systems that are the same make and model, with the
same applications installed on them.
There is an additional program that can be very helpful in identifying the individual Processes,
their purpose, and the company that produced them. This program, Process Explorer, was
developed by Sysinternals, which is now owned by Microsoft. You can download it from the
Microsoft web site, www.microsoft.com, free of charge. The full download link is included on
the Virus Repair Toolkit CD-ROM.
Process Explorer gives a more detailed breakdown than Task Manager of all Processes that are
running at any given time. In the following example, you will notice that most of the listed
Processes include a Description. This will help you determine whether the Process is legitimate
or malware.
If there is no Description shown for any running Process, that omission bears further
investigation. The Process may be legitimate, but you really need more information to make
that determination. Your favorite search engine should probably be the next stop.
Note that Task Manager in Windows Vista, Windows 7, and Windows 8 includes some of the
information found in Process Explorer, such as the Description and Command Line. Also, right-clicking on a Process now gives you a new option, “Open File Location.” Task Manager in
Windows XP does not include these features.
Recent enhancements to Process Explorer include additional columns that can be useful in
troubleshooting suspected malware. In this example, Autostart Location and VirusTotal
columns are included.
Autostart Location identifies the Registry key that caused this process to be started; VirusTotal
shows the historical analysis of each process by VirusTotal. The designation 0/54, for example,
indicates that 54 of the sites monitored by VirusTotal had this program in their database, and
none identified it as malicious; on the other hand, a later entry with a designation of 1/46,
indicates that one of the 46 sites with this process listed thought it was malicious.
The author of Process Explorer and the other tools from Sysinternals is Mark Russinovich, who
is now an employee of Microsoft. He has made several outstanding presentations at Microsoft
Tech-Ed conferences over the past few years. His latest, titled Malware Hunting with the
Sysinternals Tools, was presented at TechEd North America 2014. That session runs one hour
and 26 minutes, and can be viewed here:
http://video.ch9.ms/sessions/teched/na/2014/DCIM-B368.mp4.
For those Processes you could not sufficiently identify with Process Explorer, the next step is to
use a Web site that provides details of the most common entries. One of the most complete
and reliable is www.answersthatwork.com, and that is the recommended starting point.
This site contains alphabetical listings of over 3,000 Processes that may show up in Task
Manager, a description of those it recognizes, and recommendations as to whether they are
required, optional, or problematic. In the great majority of cases you can safely follow the
recommendations from this site.
There are two additional web sites that have received favorable reviews for their ability to
identify Processes found in Task Manager. These are www.systemlookup.com and
www.kephyr.com. Between these three sites, you should be able to identify most Processes.
Another web site offers a potentially useful analysis of programs you may find in Control Panel
under Add/Remove Programs. This site is www.shouldiremoveit.com, and it lists the top
10,000 installed programs on Windows computers. It also allows you to search for a specific
program and gives you more details so that you can decide whether to remove it or not. This
site is especially helpful for dealing with PUPs (Potentially Unwanted Programs), which are not
necessarily malware but may have been installed without the user’s permission.
If you are suspicious of a particular Process that is running on an infected system, there is
another web site that will allow you to upload that file and have it scanned by multiple anti-malware engines. This site, referenced earlier in the discussion of Process Explorer, is
www.virustotal.com.
For any Processes that are not listed in any of these sites, your next option is to search for
those processes using your favorite search engine. The first page of “hits” should give you a
pretty good idea whether this particular entry is normal or malicious.
As you go through this process, you may want to create and maintain your own database or
spreadsheet listing the Processes you have found and identified, whether they are normal,
required or optional, legitimate or malicious, and any more details you may need to recall.
Having such a reference will reduce the time required to diagnose other computers in the
future.
Here are some suggested fields for such a database:
 Executable name
 Description
 Company name
 Application or Device associated with process
 Legitimate or Malicious
 Required or not
A sample spreadsheet with such a listing of Processes is included in this document as Appendix
C. The .xls file for this spreadsheet is included on the Virus Repair Toolkit, so you may use it in
your diagnostic efforts and update it with the Processes you encounter on various computers.
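The eight-step screenshot procedure above and the suggested database fields can be produced directly from the running system. The following PowerShell script is an added example, not the manual's own spreadsheet or code: it builds one row per process with the fields the manual suggests, adds the command line and a SHA-256 hash (which can be checked on VirusTotal without uploading the file), and writes a CSV you can paste into the Appendix C spreadsheet. It needs PowerShell 4 or later for Get-FileHash, so it applies to the Vista-and-later systems discussed here rather than Windows XP. The output file name is an assumption.

```powershell
# Added example, not from the training manual. Requires PowerShell 4 or later (Get-FileHash).
# Command lines come from WMI because Get-Process does not expose them.
$cmdLines = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object { $cmdLines[[int]$_.ProcessId] = $_.CommandLine }

function Get-ProcessInventory {
    foreach ($p in Get-Process) {
        $path = $p.Path                      # blank for protected or system processes
        $fvi  = $null
        try { if ($path) { $fvi = $p.MainModule.FileVersionInfo } } catch { }   # access denied is normal for some
        $hash = ''
        if ($path -and (Test-Path -LiteralPath $path)) {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        [pscustomobject]@{
            PID         = $p.Id
            Executable  = $p.ProcessName + '.exe'
            Path        = $path
            CommandLine = $cmdLines[$p.Id]
            Description = if ($fvi) { $fvi.FileDescription } else { '' }   # blank Description: investigate, as the manual advises
            Company     = if ($fvi) { $fvi.CompanyName } else { '' }
            SHA256      = $hash
            Application = ''     # application or device associated with the process (fill in)
            Verdict     = ''     # Legitimate or Malicious (fill in)
            Required    = ''     # Required or not (fill in)
        }
    }
}

# Sorted by image name, as step 4 of the procedure does; output path is an assumption
Get-ProcessInventory | Sort-Object Executable |
    Export-Csv -Path "$env:USERPROFILE\Desktop\process-inventory.csv" -NoTypeInformation
```

Run it from an elevated prompt so that the paths of processes owned by other users are readable; rows with an empty Description or Company are the ones to take to the lookup sites discussed below.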
How to terminate the malicious processes
If you determine that a Process is malicious or unnecessary, you have several options for
terminating it. In most cases the preferred program for this purpose is Task Manager.
In Task Manager, look first on the Applications tab. If the undesired program appears there,
select it and click on “End Task.” In most cases you will need to return to the Processes tab,
select the target program and End Process from there. You may terminate all processes
associated with this program by choosing “End Process Tree” instead.
If Task Manager is not available, or if you prefer, you can End Task on processes by using
Process Explorer as an alternative. The icon in the Toolbar just to the left of the binoculars in
the above example is used to stop that process. When a Process is selected, this icon is active
and the “X” is a bright red.
Regardless of the method used to terminate a process, it may return on its own in short order.
Some sophisticated malware monitors the system to determine whether that malicious
process has been terminated; if so, it may be restarted automatically.
After terminating a process, your next objective comes in two parts:
 Determine that the system is stable, and in fact the terminated process is not required
 Verify that the terminated process stays terminated and does not restart on its own
How to determine the activation method
Once you’ve identified and terminated any malevolent Processes, the next step is to determine
how and where they are being invoked, and remove those activators. There are many places
this could be happening.
How and where malware is loaded
Early viruses that infected Windows-based computers were most commonly invoked in the .ini
files, win.ini and system.ini. These files are no longer used in the more recent versions of
Windows, so it is not likely these files are the source of an infection today.
There are multiple files that may be used to start a virus or spyware. Some of these are also
remnants of older versions of Windows, but will still serve the same function today if present.
The most common example you may encounter is Winstart.bat.
If you click on the Start button and select Programs (or All Programs), you will find a Startup
folder. Every entry in that folder will be started every time Windows starts. In most cases this
will be the desired behavior, but some malware will start from this folder as well.
By far the most likely place for malware to be invoked is in the Registry of Windows itself.
There are many Keys in the Registry that may be used for this purpose, and this workbook will
list the most frequently used such Keys.
A good starting point for tracking down the malware is the Find option in Regedit. Do a Find
for the program in question, including the file type, or extension, such as badguy.exe. In most
cases this will take you to the Subkey in the Registry that is responsible for starting this
program.
When you find the suspicious entry in the Registry, look for the Path to this executable code. If
it is contained in a Temp folder, that is highly suspicious. And it may be as easy to remove as
running a Disk Cleanup and deleting all Temporary files and Temporary Internet files. Or it may
not be that simple!
On the other hand, if a program was suspicious but you find the Path is that of a legitimate
application or hardware device, it may be legitimate after all. Again, this is an imperfect
process.
Understanding the Run Keys – what’s normal, what’s not
There may be as many as 13 Run Keys in the Registry of a given computer. These Keys are the
mechanism Microsoft intended vendors to use for the purpose of starting their applications
when Windows starts. But this is one of the most likely starting points for much of the
malware found on today’s computers.
These Run Keys fall into three broad categories. The first set consists of five Keys under HKLM,
as follows:
 HKLM\Software\Microsoft\Windows\CurrentVersion\Run
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
 HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
Note that the RunServices subkeys do not belong in Windows XP, or any NT-based version of
Windows. They were a normal part of the Windows 9X Operating Systems, but were never
included in any of the newer versions of Windows. But the producers of malware have
discovered these subkeys and sometimes use them to start their nasty deeds.
The presence of one of these subkeys will vary depending upon the version of Windows
involved. The RunOnceEx subkey is no longer included by Microsoft in Windows 7, Windows 8,
or Windows Server 2008. But the malware developers may include these subkeys in the newer
Operating Systems, and they will be executed if present.
Appendix D of this document lists this and other differences in the Registry from one version of
Windows to the next. Bear in mind that these differences reflect the Microsoft-provided
contents, which may be overridden by malware.
There are similar entries under HKCU, with one notable exception. These are the Run keys you
may find under HKCU:
 HKCU\Software\Microsoft\Windows\CurrentVersion\Run
 HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
 HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
 HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
The 64-bit versions of Windows contain a third area in the Registry with additional Run keys.
These subkeys also fall under HKLM, as follows:
 HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
 HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices
 HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
 HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce
You will note there is no RunOnceEx entry under the HKCU or the WOW6432Node keys. Just
as discussed with the Run keys under HKLM, the RunServices and RunServicesOnce subkeys
should not appear under HKCU or WOW6432Node.
Regardless of the specific subkey involved, the effect is the same. At Windows startup time,
every entry in all of these subkeys is started. The entries in HKLM start regardless of who is
logged onto that machine; the entries in HKCU start only when this specific user logs on. Thus,
you may have a computer that has different Processes running when different users are logged
on. Here is an example of the Run keys under the HKLM branch of the Registry:
As you go through the entries in the right-hand pane of the Run keys, you will recognize many
legitimate programs. But in the process, you may come across some that are clearly
malevolent or at least unnecessary. You want to remove those entries.
Here are examples of some types of entries you will want to remove:
 Known viruses and spyware, such as msblast.exe, load.exe, or optimize.exe
 Unnecessary registration reminders, such as remind, remind32, register, or
register32.exe
 Any non-.exe file, especially files with extensions .bat, .com, .pif, or .reg
 Files in c:\Windows\System32 folder other than known good Windows components
 Files located in Temp folders or Temporary Internet Files
 File names that are all numeric or that are in folders whose names are all numeric
 File names that don’t spell anything or recognizable abbreviations
 File names that begin with an Underscore, for example _ix4.exe
 File names not found in Google search
 Files with today’s date
 Files that are unusually small, i.e. 4 KB or less
The easiest, safest way to remove those entries is by using Msconfig.exe and unchecking the
corresponding box for undesired items. But be aware, some of the more sophisticated
malware will detect that you have unchecked that box and will re-check it without your
permission.
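The thirteen Run keys listed above and the removal criteria just given can be checked together. The following PowerShell script is an added example, not the manual's own code: it walks every Run key, applies the manual's criteria (non-.exe files, Temp folders, all-numeric or underscore names, registration reminders, files dated today or 4 KB and under) to each entry, and reports anything living under a RunServices key, which the manual says has no place on an NT-based Windows. It only reports; removing entries is still done with Msconfig or Regedit as described.

```powershell
# Added example, not from the training manual. Read-only review of the Run keys it lists.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce'
)

function Get-CommandPath {
    # Pull the executable out of a Run value such as  "C:\Program Files\x\y.exe" /arg  or  C:\x\y.exe /arg
    param([string]$Command)
    $exe = if ($Command -match '^"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-RunEntry {
    # Returns the manual's removal criteria that a single Run value matches (empty = nothing flagged)
    param([string]$Command)
    $reasons = @()
    $path = Get-CommandPath $Command
    $base = [System.IO.Path]::GetFileNameWithoutExtension($path)
    if ($path -notmatch '\.exe$')                           { $reasons += 'non-.exe file (.bat/.com/.pif/.reg etc.)' }
    if ($path -match '\\Temp\\|Temporary Internet Files')   { $reasons += 'located in a Temp folder' }
    if ($base -match '^\d+$' -or $path -match '\\\d+\\')    { $reasons += 'all-numeric file or folder name' }
    if ($base -match '^_')                                  { $reasons += 'name begins with an underscore' }
    if ($base -match '^(remind|remind32|register|register32)$') { $reasons += 'registration reminder' }
    if ($path -and (Test-Path -LiteralPath $path)) {
        $item = Get-Item -LiteralPath $path
        if ($item.Length -le 4KB)                           { $reasons += 'unusually small (4 KB or less)' }
        if ($item.LastWriteTime.Date -eq (Get-Date).Date)   { $reasons += 'file dated today' }
    } else {
        $reasons += 'file not found (or given without a full path)'
    }
    return $reasons
}

function Get-RunKeyReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $unexpectedKey = $key -match 'RunServices'     # never part of an NT-based Windows
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }       # skip PSPath, PSParentPath and friends
            $reasons = @(Test-RunEntry ([string]$p.Value))
            if ($unexpectedKey) { $reasons += 'lives under a RunServices key' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value; Flags = ($reasons -join '; ') }
        }
    }
}

Get-RunKeyReport | Format-Table -Wrap -AutoSize
```

An empty Flags column is not a clean bill of health; the manual's other criteria (names that spell nothing, names absent from a Google search) still need a human, and the Known-viruses list is best applied against your own process database.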
Other “hiding places” where malware may be loaded
As malware has become more sophisticated, the creators have become more devious in
methods they use to invoke the infected code. Especially since the advent of Msconfig.exe, the
authors of viruses and spyware know that more users will simply remove the offenders with a
few mouse clicks. Accordingly, they have discovered an increasing number of less obvious
“hiding places” to start their dirty deeds with less likelihood of being detected and removed.
One area of the Registry that is frequently compromised by modern malware involves File
Associations, or the mechanism for handling the various file types, or extensions, that may be
encountered. Most vulnerable is the processing of .exe files, which is defined in two separate
subkeys under HKCR.
The first entry to examine is HKCR\.exe, which should look similar to this example:
The Data contained in the (Default) entry contains the name of the Registry subkey under
HKCR that provides the detailed information for properly handling this file type. Note that the
correct value of this key for the .exe entry is exefile, as shown here.
In turn, the HKCR\exefile entry should look similar to this example:
The default entry shown here represents the normal processing for an .exe file; any value other
than this string of special characters indicates that the entry has been compromised by
malware. Note that the second entry, IsolatedCommand, will not be present on Windows XP,
Server 2003, or earlier versions of Windows.
Some other subkeys that are subject to the same vulnerabilities include the following:
 .bat – HKCR\batfile\shell\open\command
 .com – HKCR\comfile\shell\open\command
 .hta – HKCR\htafile\shell\open\command
 .pif – HKCR\piffile\shell\open\command
 .reg – HKCR\regfile\shell\open\command
 .scr – HKCR\scrfile\shell\open\command
All of these subkeys, with the exception of Htafile, Regfile, and Scrfile, should contain only the
Default entry, with a Value of "%1" %*. The most likely to be infected is the exefile entry, but
no file type is immune to this type of attack. Another recent change in malware behavior is the
addition of new file types, directed to act as if they were .exe or other vulnerable file types.
If the Value of any of these entries (other than Htafile or Regfile) contains an executable file
name, that is almost surely malware and should be removed. Simply resetting the Value of the
entry to the default shown above will stop the damage caused by any malware using this
technique.
The Htafile entry is slightly different. It should also contain only the Default entry, but the
correct value is C:\WINDOWS\system32\mshta.exe, followed by the same string of special
characters; on a 64-bit system the path will be C:\WINDOWS\SysWOW64\mshta.exe. The
Regfile entry is different still. It should also contain only the Default entry, but the correct
value is regedit.exe "%1". Finally, the Scrfile value should be "%1" /S.
Unlike the HKCR\exefile\shell\open\command subkey, these additional file types in
Windows Vista, Windows 7, Windows 8, and Server 2008 or 2012 do not contain the
IsolatedCommand entry with the same contents as the (Default) entry.
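The file-association defaults just described can be compared mechanically. The following PowerShell script is an added example, not the manual's own code: it reads HKCR\.exe and each of the shell\open\command subkeys listed above, compares the (Default) value against the value the manual gives for it (the htafile check accepts both the 32-bit and 64-bit paths the manual names), and flags any additional values in a command subkey, allowing for the IsolatedCommand entry that exefile carries on Vista and later. It reports only; restoring a tampered value is done in Regedit as described.

```powershell
# Added example, not from the training manual. Expected values are those stated in the manual.
$expected = @{
    'HKCR:\.exe'                       = 'exefile'
    'HKCR:\exefile\shell\open\command' = '"%1" %*'
    'HKCR:\batfile\shell\open\command' = '"%1" %*'
    'HKCR:\comfile\shell\open\command' = '"%1" %*'
    'HKCR:\piffile\shell\open\command' = '"%1" %*'
    'HKCR:\scrfile\shell\open\command' = '"%1" /S'
    'HKCR:\regfile\shell\open\command' = 'regedit.exe "%1"'
    'HKCR:\htafile\shell\open\command' = @('C:\WINDOWS\system32\mshta.exe "%1" %*',
                                           'C:\WINDOWS\SysWOW64\mshta.exe "%1" %*')
}

# HKCR is not mapped as a PowerShell drive by default
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

function Test-FileAssociation {
    param([string]$Key, $Expected)
    if (-not (Test-Path $Key)) {
        return [pscustomobject]@{ Key = $Key; Status = 'MISSING'; Actual = $null }
    }
    $props  = Get-ItemProperty -Path $Key
    $actual = [string]$props.'(default)'
    # string -eq is case-insensitive in PowerShell, which suits paths and "%1" alike
    $ok = @($Expected) | Where-Object { $_ -eq $actual }

    $extra = @()
    if ($Key -like '*\shell\open\command') {
        # A command subkey should hold only (Default); exefile may also hold IsolatedCommand
        $extra = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and $_.Name -ne '(default)' } |
            ForEach-Object { $_.Name }
        if ($Key -match 'exefile') { $extra = @($extra | Where-Object { $_ -ne 'IsolatedCommand' }) }
        if ($Key -match 'exefile' -and $props.IsolatedCommand -and $props.IsolatedCommand -ne $actual) {
            $extra += 'IsolatedCommand differs from (Default)'
        }
    }

    $status = if (-not $ok) { 'TAMPERED' }
              elseif ($extra) { 'EXTRA VALUES: ' + ($extra -join ', ') }
              else { 'OK' }
    [pscustomobject]@{ Key = $Key; Status = $status; Actual = $actual }
}

$expected.GetEnumerator() | ForEach-Object { Test-FileAssociation $_.Key $_.Value } |
    Sort-Object Key | Format-Table -AutoSize
```

A TAMPERED status on a command subkey whose Actual column shows an executable name is the case the manual calls "almost surely malware"; a mismatch on htafile may also just be a different Windows directory, so read the Actual column before acting.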
Another Key that is frequently used to load malware is HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon. This key contains multiple vulnerabilities in Windows XP and
Windows Server 2003, in at least the following Values. Some of these values have been
removed in the later versions of Windows, but malware could have added them back in:
 Shell should have a value of Explorer.exe; any other value for this entry, or multiple
entries, would be a sure sign of infection.
 Even if the Shell entry appears normal, double-click that Value and be sure the data
contained in that entry actually matches what is being displayed; it may not!
 Also in the Shell entry, look to the end of the contents; in some cases the malware entry
will be preceded by enough spaces (blanks) to put the malware past your field of view.
 One more method sometimes used by malware is to place an infected Explorer.exe in a
different folder and change the Shell entry to point to that version instead of the
original program provided by Microsoft; if a Path is shown in this entry, it is likely to an
infected version of Explorer.exe.
 UIHost should have a value of logonui.exe; any other value would be highly suspicious.
 Userinit should have a value of C:\Windows\System32\userinit.exe, with the comma on
the end being normal; but if there is a second entry following the comma, there is a high
likelihood it is malicious. This could be a legitimate logon script or some other such
code, but it definitely should be checked out.
 The Notify subkey under Winlogon contains entries for .dll files that are to be loaded at
Windows startup time; some malware will insert itself into this area where it is unlikely
to be detected. There will normally be between 10 and 13 entries under Notify, as
shown in the following screen shot:
Another recent variation is that some malware adds a subkey under HKCU, as
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. The Shell entry in
this subkey may be set to a value of cmd.exe or some other executable program. But in any
event, this entry does not belong and should be deleted.
There are two additional subkeys under HKCU that have been added or compromised by
recent strains of malware: HKCU\Software\Microsoft\Command Processor; the Autorun
entry in this subkey may be set to a malicious .exe file. Also, in a special case,
HKCU\Software\Microsoft\IntelliType Pro may be misused to start a malicious .exe file;
the AppSpecific entry in this subkey contains the name of the malicious file.
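The Winlogon checks above, including the trick of padding the Shell value with blanks so the malware entry scrolls out of view, can be automated. The following PowerShell script is an added example, not the manual's own code: it reads Shell, UIHost and Userinit from the HKLM Winlogon key, detects trailing padding by comparing the raw length with the trimmed length, flags paths or extra comma-separated entries, counts the Notify subkeys, and reports the HKCU Winlogon Shell and Command Processor AutoRun values that the manual says do not belong at all.

```powershell
# Added example, not from the training manual. Read-only audit of the Winlogon values it describes.
$wl    = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$wlCU  = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cmdCU = 'HKCU:\Software\Microsoft\Command Processor'

function Get-WinlogonFinding {
    $props = Get-ItemProperty -Path $wl
    foreach ($name in @('Shell', 'UIHost', 'Userinit')) {
        $raw = [string]$props.$name
        if ($raw -eq '' -and $name -eq 'UIHost') { continue }   # removed in later Windows versions
        $value = $raw.Trim()
        $findings = @()
        # Blank padding pushes a trailing entry past the visible field in Regedit
        if ($raw.Length -ne $value.Length) { $findings += "padded with $($raw.Length - $value.Length) extra blanks" }
        switch ($name) {
            'Shell' {
                if ($value -ne 'explorer.exe') { $findings += 'not exactly explorer.exe' }
                if ($value -match '[\\/]')     { $findings += 'contains a path (possible substituted Explorer.exe)' }
                if ($value -match ',')         { $findings += 'multiple entries' }
            }
            'UIHost' { if ($value -ne 'logonui.exe') { $findings += 'not logonui.exe' } }
            'Userinit' {
                $parts = @(($value -split ',') | Where-Object { $_.Trim() -ne '' })
                if ($parts.Count -eq 0 -or $parts[0].Trim() -ne 'C:\Windows\System32\userinit.exe') {
                    $findings += 'first entry is not the normal userinit.exe path'
                }
                if ($parts.Count -gt 1) { $findings += "entry after the comma: $($parts[1..($parts.Count - 1)] -join ', ')" }
            }
        }
        [pscustomobject]@{ Value = "HKLM Winlogon\$name"; Data = $raw; Findings = ($findings -join '; ') }
    }

    # Notify subkeys: the manual expects roughly 10 to 13 on the XP-era systems that have it
    if (Test-Path "$wl\Notify") {
        $n = @(Get-ChildItem -Path "$wl\Notify").Count
        $note = if ($n -gt 13) { 'more than the usual 10 to 13; review each .dll' } else { '' }
        [pscustomobject]@{ Value = 'HKLM Winlogon\Notify subkeys'; Data = $n; Findings = $note }
    }

    # Neither of these belongs on a clean system, per the manual
    if (Test-Path $wlCU) {
        $cuShell = (Get-ItemProperty -Path $wlCU).Shell
        if ($cuShell) { [pscustomobject]@{ Value = 'HKCU Winlogon\Shell'; Data = $cuShell; Findings = 'should not exist' } }
    }
    if (Test-Path $cmdCU) {
        $autorun = (Get-ItemProperty -Path $cmdCU).AutoRun
        if ($autorun) { [pscustomobject]@{ Value = 'HKCU Command Processor\AutoRun'; Data = $autorun; Findings = 'should not be set' } }
    }
}

Get-WinlogonFinding | Format-Table -Wrap -AutoSize
```

A legitimate logon script in the second Userinit entry will be flagged too, as the manual notes; the script tells you where to look, not what to delete.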
There are several more subkeys that may be used to invoke malware, such as the obscure
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad,
as shown here:
The entries shown in this example are normal; if the machine you’re examining has any
additional entries in the right-hand pane of this window, they may be malicious.
There is a little-known area of the Registry that is sometimes used by malware to block
execution of a specific program, such as regedit.exe or taskmgr.exe. This is the Image File
Execution Options subkey, as seen in the following screen shot:
The full path to this subkey is HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Image File Execution Options. You will note that, in spite of the name, this subkey has
nothing to do with traditional image files, such as .jpg or .bmp. In fact, it is not directly related
to file associations in any way.
By adding entries to this subkey, the malware can prevent any program from running,
regardless of how it is invoked. Even if you find the desired .exe file and double-click on it, you
will receive a “file not found” message if that file is included in this subkey.
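The Image File Execution Options subkey can be reviewed in one listing. The following PowerShell script is an added example, not the manual's own code: it enumerates each program subkey that carries a Debugger value (the value Windows consults when it intercepts a program launch; the manual does not name it, but it is standard Windows behaviour) and highlights entries for the troubleshooting tools the manual says malware tends to block. The list of tool names is an assumption drawn from the tools named earlier in this section.

```powershell
# Added example, not from the training manual. Read-only listing of IFEO Debugger entries.
$ifeo  = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$tools = @('regedit.exe', 'taskmgr.exe', 'msconfig.exe', 'cmd.exe')   # assumption: tools the manual mentions

function Get-IfeoDebugger {
    foreach ($sub in Get-ChildItem -Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath).Debugger
        if (-not $dbg) { continue }            # most subkeys hold only tuning flags, not a Debugger
        # The Debugger value may be quoted and may carry arguments; isolate the executable
        $exe = if ($dbg -match '^"([^"]+)"') { $Matches[1] } else { ($dbg -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        [pscustomobject]@{
            Program         = $sub.PSChildName
            Debugger        = $dbg
            DebuggerExists  = Test-Path -LiteralPath $exe   # a missing target produces the "file not found" symptom
            BlocksAdminTool = $sub.PSChildName -in $tools
        }
    }
}

Get-IfeoDebugger | Format-Table -AutoSize
```

On a clean workstation this normally returns nothing; a developer machine may legitimately list a debugger for its own programs, so the Program and Debugger columns together decide whether an entry belongs.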
There is another set of subkeys that may be modified by malware to invoke a virus or spyware
at Windows startup. These subkeys define the default folders to be used for various functions.
The first one is HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
Folders, which should look similar to this:
If you find any of these Values different from the defaults shown here on an infected
computer, resetting them to these Values should resolve that piece of the problem. Also,
there may be a Value named Startup in the right-hand pane, which is not present in the above
example. Such an entry could also point to the location of malware.
Farther down in the left-hand pane is a similar entry for User Shell Folders, which also may
have been compromised.
These same subkeys will also exist under HKCU.
The final area in the Registry that is commonly used to invoke malware is in the ControlSets
under Services. The full Key is HKLM\System\CurrentControlSet\Services, as shown here:
The damage may take two different forms. In some cases, the malware will be added as a
Service in this subkey and is likely to go unnoticed; in other cases, a legitimate Service will be
compromised with bad data that serves the purpose of the malware.
One example of such a compromise would be in the tcpip service, where the legitimate DNS
Server address may be changed to one that is controlled by the author of the virus or malware.
Another technique that is sometimes used to start malware is to put the malicious code into a
Scheduled Task, with a starting time that may not be obvious to the user. If you have found
and removed all the malicious entries from the Registry keys covered thus far, you might want
to look into the Scheduled Tasks for any additional entries.
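The Services key, the tcpip DNS example and the Scheduled Tasks just mentioned can be screened with one script. The following PowerShell is an added example, not the manual's own code: it lists services whose ImagePath points outside the Windows and Program Files folders, shows the NameServer and DhcpNameServer values under the Tcpip interfaces (those are the values that hold the DNS server addresses) and compares them with a list of addresses you expect, and prints every scheduled task with the command it runs. The expected DNS address is a placeholder to be replaced with your own.

```powershell
# Added example, not from the training manual. Read-only checks; nothing is changed.
$services   = 'HKLM:\System\CurrentControlSet\Services'
$interfaces = "$services\Tcpip\Parameters\Interfaces"
$knownDns   = @('192.168.1.1')     # placeholder: the DNS server(s) this site normally uses

function Get-OddServiceImage {
    # Services whose binary lives somewhere other than the Windows or Program Files trees
    $normal = @('\SystemRoot', 'system32', $env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ }
    foreach ($svc in Get-ChildItem -Path $services) {
        $image = (Get-ItemProperty -Path $svc.PSPath).ImagePath
        if (-not $image) { continue }                       # parameter-only keys have no binary
        $image = [Environment]::ExpandEnvironmentVariables($image).TrimStart('"')
        $isNormal = $false
        foreach ($prefix in $normal) { if ($image -like "$prefix*") { $isNormal = $true } }
        if (-not $isNormal) { [pscustomobject]@{ Service = $svc.PSChildName; ImagePath = $image } }
    }
}

function Get-InterfaceDns {
    # A DNS server that is not one of yours is the tcpip compromise the manual describes
    foreach ($if in Get-ChildItem -Path $interfaces) {
        $p = Get-ItemProperty -Path $if.PSPath
        foreach ($name in @('NameServer', 'DhcpNameServer')) {
            $v = [string]$p.$name
            if ($v -eq '') { continue }
            $unknown = @(($v -split '[ ,]+') | Where-Object { $_ -and ($_ -notin $knownDns) })
            [pscustomobject]@{ Interface = $if.PSChildName; Value = $name; Servers = $v; Unexpected = ($unknown -join ' ') }
        }
    }
}

function Get-TaskCommand {
    # schtasks exists on XP and later; /v adds the "Task To Run" column. Headers repeat per
    # task folder on Windows 7 and later, so drop the repeated header rows.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Task To Run' -and $_.'Task To Run' -ne 'COM handler' } |
        Select-Object TaskName, 'Task To Run', 'Next Run Time', Status
}

"== Services with binaries outside Windows/Program Files =="; Get-OddServiceImage | Format-Table -AutoSize
"== DNS servers per interface ==";                           Get-InterfaceDns   | Format-Table -AutoSize
"== Scheduled tasks and their commands ==";                  Get-TaskCommand    | Format-Table -Wrap -AutoSize
```

The schtasks column names are those of an English Windows; on a localized system adjust the property names in Get-TaskCommand. Third-party software installed to its own folder will appear in the first list, so compare it against the process inventory rather than treating every row as malware.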
There is one more area, outside of the Registry, that is sometimes used to invoke malware.
This technique usually results in the entire Desktop being turned into one big hyperlink to a
malicious web site. This infection method is only applicable to Windows XP and earlier
versions of Windows.
If you go into Display Properties and select the Desktop tab, then choose Customize Desktop…
This will take you to Desktop Items, where you select the Web tab. If a Web page appears in
that window, and it’s not something you selected, that is the source of this problem.
Unchecking that box should resolve this issue.
As an additional step in cases such as this, it is recommended that you find the .html file
referenced on the Web tab and delete it. Renaming that file to a different extension would
have the same effect and may be a safer alternative.
Another useful tool to reveal “hiding places” in the Registry
Another program developed by Sysinternals is Autoruns, which shows all the Registry Keys that
can be used to cause programs or processes to start automatically. As you can tell from the
scroll bar in the following example, there are hundreds of entries tracked by this program.
There are two reasons for the large number of Keys displayed by Autoruns. One reason is the
redundancy and duplication inherent in the Registry structure itself. Another is the listing of all
Services in all Control Sets. Every Service is vulnerable to attack by malware, but only a few are
common targets.
Like Process Explorer, Autoruns.exe can be downloaded from the Microsoft web site,
www.microsoft.com, free of charge. There are actually two versions of this program; in
addition to autoruns.exe, shown here, autorunsc.exe displays similar information but from a
Command Prompt.
Dealing with Rootkits
Rootkits are a more sophisticated breed of malware that leaves no obvious traces to be
detected with the naked eye. These programs infect the core components of Windows itself,
so that no new Processes are visible in Task Manager.
Most of the major anti-virus software includes rootkit detection, and for a time the better
products would successfully detect and remove most rootkits. That success rate changed
dramatically in late 2009, though, when the first TDL3 rootkits appeared. These are also known
as TDSS, Tidserv, or Alureon rootkits.
This new generation of rootkits avoids detection and removal by most anti-virus software and
effectively masks most of its symptoms. These rootkits sometimes infect .sys files, such as
ansi.sys, atapi.sys, pci.sys, etc.
There are at least four possible symptoms of a TDL3 rootkit infection:
1. When clicking on a link from a search result, a new browser window will open to a
random web site. This usually appears to be a legitimate site, although not related to
the search that preceded it.
2. Windows Update (or Microsoft Update) usually will not run successfully. More
specifically, these failures may take either of two forms: You may see the generic error
message “Internet Explorer cannot display the webpage” or you might receive the
Microsoft Update-specific error message “The website has encountered a problem and
cannot display the page you are trying to view,” with an associated Error number
0x80072EFF.
3. Immediately following a download (especially of an anti-malware program, such as
MalwareBytes), a window pops up from the System Tray indicating that the file you just
downloaded was infected by a virus, so it has been deleted.
4. A radio station may begin playing through the computer, even with no browser window
open. This may be music, talk, or commercials, and it may be in English or some other
language. But in any event, the user did not ask for it.
If no unsolicited browser windows are opening and a computer can receive Windows Updates,
it likely is not infected by one of these rootkits.
By the middle of 2010 the anti-virus vendors were aware of the TDL3 rootkits and began to
incorporate detection of this malware into their products. This major update is one more good
reason to be sure that all computers are protected by current versions of anti-virus software.
In mid-2011, TDL4 rootkits began appearing “in the wild.” As might be expected, this latest
generation is more effective at avoiding detection and may not be removed by older versions
of anti-malware programs.
One interesting twist with the TDL4 rootkits is the addition of anti-virus functionality within the
malware itself. These infections remove other common viruses, so that the user is less likely to
know the computer is infected. If the user doesn’t realize the computer is infected, he/she has
no reason to call in a technician to check it out. Thus the infection remains, and the producer
of the malware continues to reap a profit.
In addition to all the general anti-malware programs on the market, there are also targeted
anti-rootkit programs that may be helpful in these specific situations. Here are some
examples:
• aswMBR.exe, from avast.com
• BitDefender Removal Tools, from BitDefender.com, 32-bit and 64-bit versions
• FixTDSS.exe, from Symantec.com
• GMER, from www.gmer.net; detects and removes rootkits in latest versions
• HitmanPro, from SurfRight, in the Netherlands (www.surfright.nl)
• MalwareBytes Anti-Rootkit, from MalwareBytes (www.malwarebytes.org)
• Panda Anti-Rootkit, from Panda (www.pandasecurity.com), last updated 2007
• Rootkit Buster, from Trend Micro (www.trendmicro.com)
• Rootkit Revealer, from Microsoft (originally developed by Sysinternals)
• Sophos Anti-Rootkit, from Sophos (www.sophos.com)
• TDSSKiller, from Kaspersky (www.kaspersky.com)
While no single procedure is effective in identifying and removing all rootkits, this is a
recommended sequence of tools and manual repairs that will handle most infections of this
type:
1. Scan with TDSSKiller, check results. Write down any infections found, let TDSSKiller fix
them.
2. Scan with HitmanPro, check results. Let HitmanPro delete or quarantine any rootkits,
but nothing else.
3. If one or more .sys files are still infected, copy those files from a non-infected computer
running the same version of Windows.
4. Scan with MalwareBytes Anti-Rootkit, let it fix any rootkit infections found.
5. If rootkit infection is still present, scan with other anti-rootkit programs listed above for
confirmation and possible repairs.
Running an automated Scan to remove all traces of malware
Some viruses and spyware create multiple files and Registry entries to activate the malware
and execute the payload intended by the author of that malware. Even though it is possible to
manually find all of those entries and remove them, that is not the most practical approach.
At this stage of the diagnostic process it is appropriate to run scans for malware with one or
more trusted programs. Before running any scans, though, you can resolve some problems
and reduce the time required for the scan by removing unnecessary files from the hard drive.
You may use the Disk Cleanup program provided by Microsoft for this purpose, or CCleaner,
which you may download using the link on the Virus Repair Toolkit CD. This program removes
more files than the Microsoft offering, and optionally cleans selected Registry entries as well.
For the sake of this procedure it is recommended that you not use CCleaner for any Registry
changes.
An important exception to this recommended procedure involves specific rogue security
programs. If a computer is infected by Windows Recovery or similar malware that hides
programs and program groups, or data files, DO NOT run any program or procedure that
removes Temp files. Doing so could remove your ability to restore the programs as required.
Having found and removed the most obvious symptoms and components of the malware, your
final step is to run a Deep Scan with trusted anti-virus and anti-malware software. In most
cases MalwareBytes is the first choice for effective detection and removal of all types of
malware.
You can sometimes (but not always) increase the likelihood of detecting all malware present
on the system by booting into Safe Mode and running the Deep Scan in that environment. This
extra precaution will reduce the chance that a virus or spyware will remain hidden or
reactivate itself after you have removed it.
The Virus Repair Toolkit contains links to download MalwareBytes and other programs that
may also be helpful in virus and malware remediation. If you are comfortable with a particular
program and have realized successful results from it, by all means keep using it until it no
longer serves its intended purpose.
Exceptional Situations
The methodology covered in this workbook thus far will resolve the great majority of malware
issues you are likely to encounter. But with the increasing sophistication of malware authors,
you will sometimes find situations that do not respond to this approach.
The remainder of this document covers unusual circumstances that are characteristic of some
recent malware attacks and their defense mechanisms. These additional procedures and tools
are available to you if necessary.
Browser Hijackers
Browser Hijackers are sometimes difficult to fully remove. Browser Hijackers typically modify
the way the Internet Browser program works in two specific areas:
• The Home Page is changed to one other than what is desired, typically a pornographic
site, a gambling site, or a search page different from your normal search selection
• Additional Toolbars may be installed, without the option to deselect them
In the majority of cases, the steps already discussed will eliminate this form of malware; if not,
there are two recent variations in the infection vector for this type of malware that may
require manual removal:
• An increasing number of browser hijackers come through browser plug-ins, usually with
legitimate-sounding names or purposes; they may claim to be video or audio codecs or
Facebook Themes.
• A common technique used by recent browser hijackers is to modify the shortcut to the
browser itself, e.g. iexplore.exe http://www.hijackedpage.com; in most cases you can
simply delete the URL or .html document referenced, and the problem will be solved.
Note that this technique is normally used for all browsers installed on that computer.
When browser hijackers first became a problem, there were two software tools that were
helpful in the process of removing them. Both of these programs are still available free of
charge and can be downloaded from Trend Micro, at www.trendmicro.com:
• CWShredder
• HijackThis
Microsoft has an article in their KnowledgeBase related to Browser Hijackings and possible
ways to fix these problems. The article is as follows:
 320159 – Home page setting changes unexpectedly, or you cannot change your home
page setting
Recommended software tools that may help
There are some virus and malware removal tools that are very effective; others are marginally
effective or completely outdated; and some are actually malware themselves. We discussed
scareware, or rogue security software, early in this workbook.
There are numerous examples of software that is outdated against today’s threats, including
several programs that were at one time very effective. Rather than listing specific programs in
this document, the general rule is that you need not waste your time using any anti-malware
product that is not mentioned by name in this course.
These programs may also be helpful in detecting and removing the current generation of
malware and PUPs:
• AdwCleaner
• D7, includes Killemall.scr to terminate all but required Windows Processes
• dBug, similar to Killemall.scr but faster and more flexible
• Emsisoft Anti-Malware 9.0
• Farbar Recovery Scan Tool (FRST)
• Junkware Removal Tool (JRT)
• RogueKiller
• TechSuite, from RepairTech
• VIPRE, from ThreatTrack Security, Inc. (formerly GFI Software)
• VIPRE Rescue, for badly infected computers
Many encrypting ransomware programs, such as CryptoLocker, are effective at avoiding
detection by traditional anti-malware and Internet Security programs. To fill this void and
provide additional protection, three new programs have been introduced that, as of this
writing, seem to be effective in blocking this type of infection. They are as follows:
• CryptoPrevent, from FoolishIT (developer of D7, referenced above)
• HitmanPro.Alert, from Surfright
• MalwareBytes Anti-Exploit
There are two additional programs that are primarily marketed to end-users who want to do
their own malware repairs. These could serve a useful purpose for us as well, so you may want
to include one or both of them in your Virus Repair Toolkit. Here they are:
• GrimeFighter, from Avast, (formerly Jumpshot), www.avast.com/en-us/grimefighter
• FixMeStick, from www.fixmestick.com
Dealing with difficult situations caused by malware:
• Your anti-virus program has been disabled and can’t be reinstalled
Determine which Process is blocking access to the program and remove it. This is also a
good example of a time to run VIPRE Rescue, either in Safe Mode or from a Command
Prompt.
• You can’t access any anti-virus vendor’s web site
Check the Hosts file for URLs being redirected to specific IP addresses, restore default
Hosts file if necessary. The Hosts file will normally be found in c:\Windows\System32\
drivers\etc and in most cases should contain just one entry. This is shown as localhost,
going to an IP address of 127.0.0.1. If the Hosts file on the infected computer contains
multiple entries, especially to anti-virus or security sites, those entries need to be
removed.
If Spybot Search and Destroy with the TeaTimer option was installed on the infected
computer, it may have added multiple entries to the Hosts file – possibly 10,000 URLs or
more. These are no longer needed, nor is the Spybot program, so it should be
uninstalled.
If malware was responsible for the Hosts file entries, there will probably be about 100
URLs included. Most of these will be for anti-virus and security vendors, but in some
cases Google and other search engines will be blocked as well.
Before replacing the Hosts file with the default, you may want to rename the existing
one to Hosts.Bad or some other name. It’s possible there were some legitimate entries
in there that you may need to add back to the default Hosts file.
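As an added example, not part of the workbook or its toolkit, the following Python script triages a Hosts file along the lines described above: it parses the active entries, sets aside the single default localhost mapping, and flags entries for security vendors or search engines and entries that point somewhere other than loopback. The vendor name list, the 1,000-entry cut-off separating a Spybot-style list from a malware block list, and the three sample files are all constructed for this example.

```python
"""Triage a Windows Hosts file for the redirect entries the workbook describes."""
import ipaddress

# Name fragments for the kinds of sites the workbook says malware blocks (anti-virus
# vendors, search engines). Constructed watch-list for this example, not exhaustive.
SECURITY_HINTS = ("malwarebytes", "kaspersky", "symantec", "norton", "mcafee", "avast",
                  "sophos", "trendmicro", "bitdefender", "windowsupdate", "microsoft")
SEARCH_HINTS = ("google", "bing", "yahoo")
LOOPBACK = ("127.0.0.1", "0.0.0.0", "::1")      # "black-hole" addresses
# Assumed cut-off between a Spybot-style immunization list (the workbook cites 10,000+
# entries) and a malware block list (about 100); adjust to suit your cases.
BLOCKLIST_THRESHOLD = 1000


def parse_hosts(text):
    """Return [(ip, hostname)] for every active mapping; comments and bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                             # not an address; Windows ignores it too
        for host in parts[1:]:                   # one line may name several hosts
            entries.append((ip, host.lower()))
    return entries


def triage_hosts(text):
    """Classify a Hosts file as default, malware-suspect, blocklist or review."""
    entries = parse_hosts(text)
    # The only mapping a default file needs: localhost to a loopback address.
    extra = [e for e in entries
             if not (e[1] == "localhost" and e[0] in ("127.0.0.1", "::1"))]
    hints = SECURITY_HINTS + SEARCH_HINTS
    suspicious = [e for e in extra if any(h in e[1] for h in hints)]
    # A vendor name sent somewhere other than loopback is a redirect, not just a block.
    non_loopback = [e for e in extra if e[0] not in LOOPBACK]
    if not extra:
        verdict = "default"
    elif suspicious or non_loopback:
        verdict = "malware-suspect"       # clean up, or rename to Hosts.Bad and replace
    elif len(extra) >= BLOCKLIST_THRESHOLD:
        verdict = "blocklist"             # Spybot-style list: replace with the default file
    else:
        verdict = "review"                # a few custom entries; check them by hand
    return {"verdict": verdict, "extra": len(extra),
            "suspicious": suspicious, "non_loopback": non_loopback}


# Constructed sample files (not captured from a real machine).
DEFAULT_HOSTS = "# clean file\n127.0.0.1       localhost\n"
MALWARE_HOSTS = """127.0.0.1 localhost
127.0.0.1 www.malwarebytes.org
127.0.0.1 www.kaspersky.com  # vendor black-holed
127.0.0.1 www.symantec.com
203.0.113.5 www.google.com   # search engine redirected to an outside address
"""
SPYBOT_STYLE_HOSTS = "127.0.0.1 localhost\n" + "".join(
    f"127.0.0.1 ad{i}.example\n" for i in range(1200))

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_HOSTS), ("malware", MALWARE_HOSTS),
                       ("spybot-style", SPYBOT_STYLE_HOSTS)):
        r = triage_hosts(text)
        print(f"{name}: {r['verdict']} ({r['extra']} extra entries, "
              f"{len(r['suspicious'])} vendor/search, {len(r['non_loopback'])} off-loopback)")
```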
• You can’t connect to the Internet at all
To prevent this infected computer from accessing the Internet, some malware will
change the LAN Settings to use a Proxy Server, with a bogus address. In Internet
Explorer, Under Internet Options, on the Connections tab, click on LAN Settings. If the
box is checked for “Use a Proxy Server,” uncheck it and that should solve the
connectivity problem. If a Proxy Server is actually being used, be sure the Address and
Port are entered correctly.
Some of the more persistent malware will attempt to keep changing the Proxy Server
settings. If you make these changes and still can’t connect, check the settings again to
be sure they haven’t been changed back. It may be necessary to repeat this process
several times until the malware has been defeated.
If no Proxy Server has been set, or if the settings appear to be legitimate, the next step
may be to run the Internet Connection Wizard to re-establish the correct settings for
this computer’s Internet connection. Another option would be to run VIPRE Rescue,
either in Safe Mode or from a Command Prompt.
• You can’t run Task Manager
Most likely being blocked by a Group Policy; run enabletaskmgr.bat from the Virus
Repair Toolkit or enter the following lines from a Command Prompt to fix that setting:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
• You can’t run Regedit
Several possible causes and solutions:
o May be blocked by a Group Policy; run enableregedit.bat from the Virus Repair
Toolkit or enter the following line from a Command Prompt to fix that setting:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
o Try running regedt32 instead
o Try renaming Regedit.exe to Regedit.com
o Try renaming Regedit.exe to Yourname.com
• You don’t have a Run command on your Start Button
Most likely being blocked by a Group Policy; run enablerun.bat from the Virus Repair
Toolkit or enter the following lines from a Command Prompt to override that setting:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0
REG add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0
If the Run command no longer shows up on the Start button, but it has not been
removed by a Group Policy, check the Taskbar settings. Right-click on an empty area of
the Taskbar and select Properties | Start Menu | Customize. On the Advanced tab, go
through the list of Start menu items until you find the Run command (near the end). Be
sure there is a check mark in that box, and the Run command will reappear.
• You can’t access a Command Prompt
Most likely being blocked by a Group Policy; run enablecommand.bat from the Virus
Repair Toolkit or enter the following line from a Run command to override that setting:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableCMD /t REG_DWORD /d 0 /f
• You can’t see Display Properties
Most likely being blocked by a Group Policy; run enabledisprop.bat from the Virus
Repair Toolkit or enter the following line from a Command Prompt to fix that setting:
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoDispCPL /t REG_DWORD /d 0 /f
• You can’t run specific programs, especially MalwareBytes and similar anti-malware programs
In some cases you may be able to run the program by renaming it to a slightly different
name, or changing the file type to .com instead of .exe.
Most likely blocked by a Group Policy; run unblockapps.bat from the Virus Repair Toolkit
or enter the following lines from a Command Prompt to override that setting:
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisallowRun /f
REG delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun /va /f
Following successful removal of these Registry entries, use Group Policy Editor
(gpedit.msc) to prevent recurrence. Go to User Configuration | Administrative
Templates | System and change the State of “Don’t run specified Windows applications”
to Not Configured.
• You can’t run any .exe file
Most likely caused by deleted Subkey for exefile; double-click on Exefile fix.reg from the
Virus Repair Toolkit or enter the following line from a Command Prompt to recreate that
Subkey:
REG add HKCR\Exefile\Shell\Open\Command /t REG_SZ /ve /d "\"%1\" %*"
(Vista, Windows 7, Windows 8, or Windows Server 2008 only, add the following line):
REG add HKCR\Exefile\Shell\Open\Command /v IsolatedCommand /t REG_SZ /d "\"%1\" %*"
Also, Symantec has a file that will reset the Shell\Open\Command values and some of
the Winlogon entries back to their default settings. That file is named UnHookExec.inf,
and you may download it from here, with full instructions and Warnings:
http://www.symantec.com/norton/security_response/writeup.jsp?docid=2004-0506140532-99
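As an added example, not from the workbook or the Virus Repair Toolkit, this Python script reads the text that reg query prints for the Policies keys and the Exefile command key covered above, reports which lockout values are set, checks that the Exefile command still carries its default data, and assembles the workbook's own REG lines for review. The reg query output it parses is constructed for the example (the av.exe path is a placeholder), and the value locations are the ones the workbook gives.

```python
"""Audit 'reg query' output for the Group Policy lockouts and the Exefile hijack covered
above. Added example: it parses text only and never writes to the Registry."""
import re

# Lockout values the workbook's REG commands clear, keyed by (key path suffix, value
# name), with the symptom each one causes. Locations are the ones the workbook gives.
LOCKOUT_VALUES = {
    ("Policies\\System", "DisableTaskMgr"): "cannot run Task Manager",
    ("Policies\\System", "DisableRegistryTools"): "cannot run Regedit",
    ("Policies\\System", "DisableCMD"): "cannot access a Command Prompt",
    ("Policies\\System", "NoDispCPL"): "cannot see Display Properties",
    ("Policies\\Explorer", "NoRun"): "no Run command on the Start button",
    ("Policies\\Explorer", "DisallowRun"): "specific programs blocked (see DisallowRun subkey)",
}
EXEFILE_SUFFIX = "Exefile\\Shell\\Open\\Command"
EXEFILE_DEFAULT = '"%1" %*'        # expected data for (Default) and IsolatedCommand
HIVE_ABBREV = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM",
               "HKEY_CLASSES_ROOT": "HKCR"}

KEY_LINE = re.compile(r"^(HKEY_[A-Z_]+\\.+)$")                 # unindented key path
VALUE_LINE = re.compile(r"^    (\S+)    (REG_\w+)    (.*)$")   # reg query's 4-space columns


def parse_reg_query(text):
    """Map each key path in reg query output to {value name: (type, data)}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1).rstrip()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, rtype, data = m.groups()
            keys[current][name] = (rtype, data.strip())
    return keys


def short_path(key_path):
    """HKEY_CURRENT_USER\\... -> HKCU\\..., the form used in REG commands."""
    hive, rest = key_path.split("\\", 1)
    return HIVE_ABBREV.get(hive, hive) + "\\" + rest


def dword(data):
    """reg query prints REG_DWORD data as hex (0x1); accept decimal as well."""
    return int(data, 16) if data.lower().startswith("0x") else int(data)


def find_lockouts(keys):
    """Return (short key path, value name, symptom) for each lockout value set non-zero."""
    findings = []
    for key_path, values in keys.items():
        for (suffix, name), symptom in LOCKOUT_VALUES.items():
            if key_path.endswith(suffix) and name in values:
                rtype, data = values[name]
                if rtype == "REG_DWORD" and dword(data) != 0:
                    findings.append((short_path(key_path), name, symptom))
    return findings


def check_exefile(keys):
    """Return (value name, data) for Exefile command values that differ from the default."""
    bad = []
    for key_path, values in keys.items():
        if key_path.endswith(EXEFILE_SUFFIX):
            for name in ("(Default)", "IsolatedCommand"):
                if name in values and values[name][1] != EXEFILE_DEFAULT:
                    bad.append((name, values[name][1]))
    return bad


def fix_commands(findings):
    """The workbook's REG lines that clear each finding, returned for review (not run)."""
    cmds = []
    for key, name, _ in findings:
        if name == "DisallowRun":
            cmds.append(f"REG delete {key} /v DisallowRun /f")
            cmds.append(f"REG delete {key}\\DisallowRun /va /f")
        else:
            cmds.append(f"REG add {key} /v {name} /t REG_DWORD /d 0 /f")
    return cmds


# Constructed sample of reg query output from a locked-down machine; the av.exe path is
# a placeholder standing in for whatever the rogue inserted, not a real indicator.
SAMPLE_OUTPUT = """
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    DisableTaskMgr    REG_DWORD    0x1
    DisableRegistryTools    REG_DWORD    0x1
    NoDispCPL    REG_DWORD    0x0

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
    NoRun    REG_DWORD    0x1
    DisallowRun    REG_DWORD    0x1

HKEY_CLASSES_ROOT\\Exefile\\Shell\\Open\\Command
    (Default)    REG_SZ    "C:\\PLACEHOLDER\\Application Data\\av.exe" "%1" %*
    IsolatedCommand    REG_SZ    "%1" %*
"""

if __name__ == "__main__":
    keys = parse_reg_query(SAMPLE_OUTPUT)
    found = find_lockouts(keys)
    for key, name, symptom in found:
        print(f"{key} {name}: {symptom}")
    for name, data in check_exefile(keys):
        print(f"Exefile {name} hijacked: {data}")
    print("\n".join(fix_commands(found)))
```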
Extreme Situations
• In some cases the malware may detect that it has been removed and keep regenerating
itself, usually with the same file name in the same folder. Several steps may be
necessary to defeat this behavior:
o Change the Permissions to Read-Only on the Registry Subkey that invokes the
malevolent program.
o Change the Attributes of the malevolent program, removing Hidden, Read-Only, and
System Attributes if necessary, so that you can delete the file
o After deleting the file, create a folder of the same name in its place; this will keep a
new file from being created in that name.
• If you are unable to run MalwareBytes, VIPRE, VIPRE Rescue, or any other anti-malware
program but the computer is running reasonably well, you may want to connect the
infected computer via network to a known-good machine with a current version of one
of these programs and scan from there. This is a potentially risky approach, as it is
possible the infection could spread to the computer that is performing the scan.
• In the same scenario, but if you are not able to connect via network or choose not to do
so, it may be necessary to remove the hard drive from the infected machine and attach
it to the known-good machine with current malware protection and scan it from there.
The same caution applies as in the previous case.
• In some rare cases you may not be able to delete malevolent files from the hard drive
when Windows is running, even at a Command Prompt. Or you may not even be able to
see the infected files. To deal with those situations it may be necessary to boot from a
non-Windows Operating System.
There are a number of bootable, non-Windows CDs from which to choose. Some of the
more popular choices include Bart-PE, The Ultimate Boot CD, Hirens, Knoppix, or other
Linux variants.
Microsoft also offers the ability to create a bootable CD for use in cases of severe
malware infections, as do some anti-virus vendors. In this category AVG and Kaspersky
provide this functionality free of charge.
Links to download these CDs are included on the Virus Repair Toolkit.
Re-Imaging as an Option
In some cases it may seem that re-imaging the hard drive may be the most cost-effective
method of dealing with a severely corrupted system. That may be the case, provided certain
conditions are met:
• A recent image of the desired hard drive contents and configuration is available
• All programs in use on this machine are included on the image
• Little or no data is stored on this local machine
• The user has made no significant changes to the Desktop, default settings, etc.
If all of these conditions are true, re-imaging may be the way to go. But if you choose to take
this route, the process may be much more complicated and time-consuming than anticipated.
In order to ensure that the re-imaged hard drive provides the same functionality and
appearance as the user had prior to the malware infestation, all of these steps may be
necessary:
• Back up all data from all User Profiles on that computer
• Start with the original image from the computer manufacturer
• Apply all Service Packs and Windows Updates
• Install and update anti-virus, anti-spyware, and firewall software
• Update all ancillary software, such as Adobe Reader and Flash, Java, Media Players, etc.
• Install all applications from installation media (CDs or DVDs)
• Install all applications that were originally downloaded
• Install and update drivers for all hardware and external devices such as printers,
cameras, PDAs, external hard drives, etc.
• Restore all User Profiles and all data files in each Profile
• Set up and configure Internet and e-mail settings and options
• Define default settings in Windows and all applications
• Arrange desktop icons to meet user’s expectations
For a more detailed discussion of the steps involved in a successful re-imaging, Microsoft has a
series of 7 articles in their KnowledgeBase that you may find helpful. The first article in the
series is this one:
 896526 – Reinstalling Windows XP Home (Part 1): Introduction
This article, in turn, contains links to the remaining six parts of the overall procedure. Similar
articles are available with the details of the more recent versions of Windows. Going through
this entire process manually could easily require 6-8 hours of hands-on work, and the end
result usually will not match the user’s expectations.
There is another program that has received high marks for making this process more efficient
and more inclusive. That program is Fab’s AutoBackup 5 Pro, from Fab’s Corner at
www.fpnet.fr (this is a French company). Many techs seem to prefer the earlier Version 4, if
you can still find it. It is less expensive and uses a traditional GUI, whereas Version 5 has the
look of the Windows 8 Metro interface and may not be as intuitive to use.
Even the cost of Version 5 is nominal, at 45 Euros, but Version 4 sold for 30 Euros. If you use
this program once, it has pretty much paid for itself. At current exchange rates, 45 Euros
equates to about $60 US.
As of January, 2015 the latest release is Version 6. It is said to have “a bunch of fixes and
improvements,” and the price remains at 45 Euros.
Appendix A -- Virus Remediation Training Procedure, Step by Step
A. Deal with rogue, if present
1. Check Appendix B of VRT Workbook for specific solution
(Generic Solution 1 starts here)
2. Terminate rogue by whatever means necessary (do not click anywhere in rogue window)
3. System Restore to date and time before rogue was active (if necessary, re-boot into Safe Mode,
Command Prompt and run System Restore from that environment)
4. Run MalwareBytes in Chameleon mode to find and remove rogue and any other infections found
(Generic Solution 2 starts here, if Generic Solution 1 doesn’t work)
2. Boot into Safe Mode, Command Prompt
3. From Virus Repair Toolkit, run Enabletaskmgr.bat
4. From Virus Repair Toolkit, run Enableregedit.bat
5. (Vista or later) From TechWARU, run Registry Investigator or (XP or older) From Virus Repair
Toolkit, run Regstep.bat, and fix or restore Registry entries as necessary
6. Re-boot, run MalwareBytes Chameleon to find and remove rogue and any other infections found
(Generic Solution 3 starts here, if Generic Solution 2 doesn’t work)
2. Boot from Kickstart thumb drive (Change Boot Sequence if necessary)
3. Let HitmanPro run to completion, Quarantine any rootkits, bootkits, or threats found in Boot
Sector, Master Boot Record, or Track 0 of hard drive
4. Remove Kickstart thumb drive and boot normally from hard drive
B. Identify and remove traditional malware
1. Open Task Manager and look for any malicious or suspicious processes running
2. If Task Manager won’t run, run Enabletaskmgr.bat from Virus Repair Toolkit
3. End Process Tree on each process identified in previous step, record process name
4. Open Regedit, find activation point for each of these processes and delete it
5. If Regedit won’t run, run Enableregedit.bat from Virus Repair Toolkit
6. Run Process Explorer, look for malicious processes in VirusTotal column
7. Handle these processes the same as those found manually using Task Manager
8. If you didn’t do Step A5 (above), do it now
9. Re-boot normally, scan with MalwareBytes and remove any infections and PUPs found
C. Find and remove any rootkit infections
1. Are there obvious symptoms of rootkit (Google redirects, infected download, radio playing)? If
so, go to Step 3.
2. Perform a manual Windows Update. If that works, probably no rootkit present → Done. May
continue with Steps 3-5 for added confidence that there is no rootkit infection.
3. Run TDSSKiller, from Kaspersky; before starting scan, click on “Change Parameters” and be sure
that all three boxes under “Additional options” are checked. Let it fix any rootkit infections it
finds, then re-boot normally.
4. Scan with HitmanPro, let it Quarantine any rootkits it finds; don’t let it delete any files, and don’t
quarantine anything but rootkits.
5. If HitmanPro found and quarantined any rootkits, re-boot one last time and verify that all
symptoms of infection are gone.
Appendix B -- Point solutions for specific infections
Security Tool Scareware:
1. From the Virus Repair Toolkit, run Process Explorer. If the program will not run
successfully from the CD, it may be necessary to take the following additional steps:
o Copy the program procexp.exe from the CD to a new folder on the hard drive. Do
not copy it to the Desktop, the Windows folder, or any subfolder under Windows.
o Rename the copied procexp.exe to explorer.exe
o From a Command Prompt, go to the folder that contains the renamed explorer.exe
and run it
2. Disable any processes that are named (random number).exe, such as 12345678.exe, etc.
3. Run MalwareBytes and do a Quick Scan to find and remove Security Tool. Do not reboot
the system prior to full removal, otherwise the process will load again. In that case,
repeat Step 2 to disable the process.
Note: This procedure is adapted from an article on About.com by Mary Landesman.
Internet Security 2010 Scareware:
1. Open Regedit and select HKEY_CLASSES_ROOT
2. Open Task Manager and select the Processes tab
3. Look for av.exe or ave.exe and End Process on whichever is present
4. Return to Regedit and do a Find for the executable that was found in Step 3
5. If av.exe or ave.exe is found in a \Shell\Open\Command under Exefile, double-click on
the file Exefile fix.reg from the Virus Repair Toolkit and, when prompted, confirm that
you want to import that key
6. Hit F3 to Find Next
7. If any more entries for av.exe or ave.exe are found under HKCR, double-click on the file
UnHookExec.inf from the Virus Repair Toolkit
8. Close Regedit
9. Click Start | Run | then type %appdata% and press Enter. This will open Windows
Explorer to the Application Data folder for the current user. Verify that the Windows
Explorer options are set to show all Hidden Files, System Files, and Files in System
Folders, then Search that folder for av.exe or ave.exe and delete the file(s) if found.
10. If you are unable to delete the malicious file(s), these additional steps may be required:
o From a Command Prompt, navigate to the current user’s Application Data folder
o Type in the following command: attrib -r -h -s *.* to remove the Read-Only,
Hidden, and System attributes from the files in that folder
o Return to Step 9
Note: This procedure is adapted from an article on About.com by Mary Landesman.
Antivirus8 or Antivirus 8:
1. Copy the file Mbam-setup.exe from the Virus Repair Toolkit to the desktop of the
infected computer.
2. Rename the file on the desktop to iexplore.exe.
3. Close all programs and any open windows.
4. Double-click on the iexplore.exe icon to install MalwareBytes.
5. At the end of the MalwareBytes installation, uncheck both of the boxes that are
selected by default, then click Finish.
6. Do not re-boot the computer.
7. Look in C:\Program Files\Malwarebytes’ Anti-Malware\ for mbam.exe.
8. Rename mbam.exe to iexplore.exe.
9. Double-click on iexplore.exe to run MalwareBytes.
10. Click on the Update tab and click on Check for Updates.
11. If MalwareBytes does not successfully download the latest updates, follow the
procedure described in the Virus Repair Toolkit documentation to obtain the latest
definitions.
12. Click on the Scanner tab and choose Perform Full Scan, then click on the Scan button.
13. When the scan has completed, click on Show Results. At least one entry should show up
as Rogue.Antivirus8.
14. Click on Remove Selected. If it indicates a reboot is required after removing these
items, reboot and let Windows come up normally.
15. Uninstall MalwareBytes with the modified file names. If you want to reinstall it for
future use, leave the default file names in place.
Note: This procedure is adapted from a procedure found in www.bleepingcomputer.com.
Total Security:
1. With the Virus Repair Toolkit in the CD drive of the infected computer, open it with
Windows Explorer.
2. Double-click on the ProcessExplorer tab.
3. Copy the file procexp.exe to the desktop of the infected computer.
4. Rename that file to iexplore.exe.
5. Double-click on the iexplore.exe icon to run Process Explorer.
6. In Process Explorer, look for a file named tsc.exe or an all-numeric file name. The Total
Security program will show a shield or padlock icon next to the file name.
7. Click on that process, then click on the red X in the toolbar to kill that process. Click Yes
when it asks whether you are sure.
8. Copy the file Mbam-setup.exe from the Virus Repair Toolkit to the desktop of the
infected computer.
9. Close all programs and any open windows.
10. Double-click the file Mbam-setup.exe on the desktop to install MalwareBytes on the
infected computer.
11. At the end of the MalwareBytes installation, leave both of the boxes checked that are
selected by default, then click Finish. The MalwareBytes program will open.
12. Click on the Scanner tab and choose Perform Quick Scan, then click on the Scan button.
13. When the scan has completed, click on Show Results. At least one entry should show up
as Rogue.Total.Security.
14. Click on Remove Selected. If it indicates a reboot is required after removing these
items, reboot and let Windows come up normally.
Note: This procedure is adapted from a procedure found on www.bleepingcomputer.com.
Virus Protection New Age of Antivirus Software:
These solutions were derived from the following article:
http://en.kioskea.net/forum/affich-295938-virus-protection-2010-new-age-crap
1. Boot the computer into Safe mode with Command Prompt.
2. At the Command Prompt type Explorer.exe and press Enter. Windows Explorer opens.
Locate the file fix.inf on the Virus Repair Toolkit CD, right-click and select Install. Close
Windows Explorer.
3. In the Command Prompt type shutdown -r and press Enter. The computer will be
rebooted.
4. Install MalwareBytes Anti-malware (MBAM). Update definitions and perform a Quick
Scan. This should remove most malware, if not all. Perform a Deep Scan to be sure.
Or, an alternative version:
1. Boot into Safe Mode, Command Prompt
2. From the Virus Repair Toolkit CD, run the batch file enableregedit.bat
3. Re-Boot into Safe Mode with Networking
4. Run Regedit and navigate to
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
5. Change the Shell entry to Explorer.exe
6. Install MalwareBytes, update definitions (from Virus Repair Toolkit CD), and perform a
Quick Scan
7. Boot into normal mode, perform a Deep Scan with MalwareBytes if desired
Windows Recovery:
The following procedure is based on work done by www.bleepingcomputer.com, with some
adjustments for alumni of the Virus Remediation Training. The full procedure is available at
this location: http://www.bleepingcomputer.com/virus-removal/remove-windows-xp-recovery.
1. In Task Manager, find and End Process on Processes associated with this malware.
There may be two of these processes running – one will have an all-numeric filename,
and the other will be 11 to 13 characters in length, with a mix of Caps and lower-case
letters and possibly numbers as well.
2. If Task Manager won’t run, use the Enabletaskmgr.bat program from the Virus Repair
Toolkit to restore that functionality. Or, use Process Explorer for this step.
3. Download and run the latest version of rkill.exe, from this location:
http://www.bleepingcomputer.com/download/anti-virus/rkill.
4. Do not restart Windows.
5. Install MalwareBytes, then manually update the definitions using the procedure
outlined in the Virus Repair Toolkit.
6. Run a Quick Scan with MalwareBytes, and have it Remove all selected items.
7. Restart Windows if required for MalwareBytes to finish removing detected threats.
8. Download and run the latest version of unhide.exe, from this location:
http://download.bleepingcomputer.com/grinler/unhide.exe.
9. The following Registry keys should have been removed by Unhide.exe. If not, examine
the contents for these values. If the values match what is shown here, either delete
those entries or change the values to the correct settings. For example, in HKCU and
HKLM, …DisableTaskMgr should have a value of 0.
• HKCU\Software\Microsoft\Internet Explorer\Download – CheckExeSignatures = ‘no’
• HKCU\Software\Microsoft\Internet Explorer\Main – Use FormSuggest = ‘yes’
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced – Hidden = 0
• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced – ShowSuperHidden = 0
• HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings – CertificateRevocation = 0
• HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings – WarnonBadCertRecving = 0
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop – NoChangingWallpaper = 1
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations – LowRiskFileTypes = ‘{hq:/s’s:/ign:/uyu: … /kqf:/
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments – SaveZoneInformation = 1
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer – NoDesktop = 1
• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System – DisableTaskMgr = 1
• HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System – DisableTaskMgr = 1
10. Open and remove these files, then remove them from the Recycle Bin:
• %AppData%\Microsoft\[random.exe]
• Note: This location appears to be mislabeled. In an example on a Windows XP computer, 4 files
were found in c:\Documents and Settings\All Users\Application Data, at the same level as
Microsoft. Example files included 15654708 and 15654708.exe, dsPRWEQVDghDN.exe and
PLAcgIBC9DAX.
The latest version of Unhide.exe should restore all program menus and shortcuts to their
original locations. If not, the final steps will be different for Windows XP than for Vista,
Windows 7 or 8. Choose one of the following procedures, depending upon the OS in use.
In case of Windows XP, copy the entire content of this folder:
C:\DOCUME~1\user_name\LOCALS~1\Temp\smtmp\1
to C:\Documents and Settings\All Users\Start Menu
and the entire content of this folder:
C:\DOCUME~1\user_name\LOCALS~1\Temp\smtmp\1\Programs
to C:\Documents and Settings\All Users\Start Menu\Programs
and the entire content of this folder:
C:\DOCUME~1\user_name\LOCALS~1\Temp\smtmp\2
to C:\Documents and Settings\user_name\Application Data\Microsoft\Internet Explorer\Quick
Launch
and the entire content of this folder:
C:\DOCUME~1\user_name\LOCALS~1\Temp\smtmp\4
to C:\Documents and Settings\All Users\Desktop
In case of Vista, Windows 7, or Windows 8, copy the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\1
to C:\Program Data\Start Menu
and the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\1\Programs
to C:\Program Data\Start Menu\Programs
and the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\2
to C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
and the entire content of this folder (if found):
C:\Users\user_name\AppData\Local\Temp\smtmp\3
to C:\Users\user_name\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User
Pinned\Taskbar
and the entire content of this folder:
C:\Users\user_name\AppData\Local\Temp\smtmp\4
to C:\Program Data\Desktop
11. Run a Deep Scan in MalwareBytes to make sure no more infections are detected.
12. Check for Rootkit activity using the procedures covered in the Virus Remediation
Training, and remove if found.
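The Registry values in Step 9 are quicker to check in one pass than by browsing each key in Regedit. The following PowerShell script is an added example for this workbook (it is not code from bleepingcomputer.com, Unhide.exe or the Virus Repair Toolkit): it reads each key listed in Step 9, reports every value that still holds the setting the rogue leaves behind, and with -Remove deletes that entry, except DisableTaskMgr, which it sets to 0 as Step 9 says. It assumes PowerShell 2.0 or later is installed (it is not present on Windows XP by default) and is run as the affected user from an elevated prompt, since the HKLM entry needs administrator rights. LowRiskFileTypes is only reported for manual review, because the value printed in the write-up is garbled.

```powershell
# Added example for this workbook (not code from bleepingcomputer.com or the
# Virus Repair Toolkit). Audits the Registry values listed in Step 9 of the
# Windows Recovery procedure and, with -Remove, deletes any that still hold
# the rogue's setting (DisableTaskMgr is set to 0 instead, as Step 9 says).
# Assumes PowerShell 2.0 or later; run as the affected user from an elevated
# prompt so that both the HKCU and the HKLM entries are reachable.
param([switch]$Remove)

# Key, value name, and the value the rogue leaves behind (from the Step 9 list).
$RogueSettings = @(
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Download';                    Name = 'CheckExeSignatures';    Bad = 'no'  },
    @{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main';                        Name = 'Use FormSuggest';       Bad = 'yes' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name = 'Hidden';                Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name = 'ShowSuperHidden';       Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name = 'CertificateRevocation'; Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings';      Name = 'WarnonBadCertRecving';  Bad = 0 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper';   Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments';   Name = 'SaveZoneInformation';   Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoDesktop';             Bad = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';        Bad = 1 },
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';        Bad = 1 }
)
# The LowRiskFileTypes value in the write-up is garbled, so it is only
# reported for manual review, never compared or deleted automatically.
$ReviewOnly = @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes' }

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when either the key or the value does not exist.
    if (-not (Test-Path -Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($s in $RogueSettings) {
    $current = Get-RegValue $s.Key $s.Name
    if ($null -eq $current) { continue }             # value absent: nothing to clean up
    # String comparison is case-insensitive in PowerShell, so 'No' matches 'no';
    # DWORD values are compared through their decimal text.
    if ("$current" -ne "$($s.Bad)") {
        Write-Host ("OK       {0}\{1} = {2}" -f $s.Key, $s.Name, $current)
        continue
    }
    Write-Host ("ROGUE    {0}\{1} = {2}" -f $s.Key, $s.Name, $current) -ForegroundColor Red
    if (-not $Remove) { continue }
    if ($s.Name -eq 'DisableTaskMgr') {
        # Step 9 gives the correct setting for this value: 0.
        Set-ItemProperty -Path $s.Key -Name $s.Name -Value 0 -Type DWord
        Write-Host ("FIXED    {0}\{1} set to 0" -f $s.Key, $s.Name)
    } else {
        Remove-ItemProperty -Path $s.Key -Name $s.Name
        Write-Host ("REMOVED  {0}\{1}" -f $s.Key, $s.Name)
    }
}

$lowRisk = Get-RegValue $ReviewOnly.Key $ReviewOnly.Name
if ($null -ne $lowRisk) {
    Write-Host ("REVIEW   {0}\{1} = {2}" -f $ReviewOnly.Key, $ReviewOnly.Name, $lowRisk) -ForegroundColor Yellow
}
```

Run it once without -Remove to see the report, compare it with what Unhide.exe left behind, then run it again with -Remove. Values that are absent are skipped, so a clean machine produces no ROGUE lines at all.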
Win 7 Internet Security 2012:
This rogue security program goes by at least 15 different names, depending partially upon the
version of Windows on which it is running. The first part of the name will be XP, Vista, or Win
7, accordingly. The last part will be 2012, and the middle will be Antispyware, Antivirus,
Security, Home Security, or Internet Security.
Unlike many programs of its type, this rogue may only show its symptoms to one user defined
on the infected computer. Other users may see no visible signs of infection, but the rogue
does infect them in less-obvious ways.
The following procedure is based on work done by www.bleepingcomputer.com, with some
adjustments for alumni of the Virus Remediation Training. The full procedure is available at
this location: http://www.bleepingcomputer.com/virus-removal/remove-win-7-antispyware-2012.
1. On a clean computer, download the file FixNCR.reg from this location:
http://download.bleepingcomputer.com/reg/FixNCR.reg.
2. Copy FixNCR.reg to a removable device, insert that device into the infected computer,
and double-click the file’s icon.
3. Allow the data to be merged into the Registry of the infected computer.
4. In Task Manager, find and End Process on Processes associated with this malware. The
main process will be three random letters such as kdn.exe.
5. Download the latest version of rkill.exe, from this location:
http://www.bleepingcomputer.com/download/anti-virus/rkill. Download the version
named iexplore.exe, save it to the Desktop, and run it from there.
6. Install the latest version of MalwareBytes, then manually update the definitions using
the procedure outlined in the Virus Repair Toolkit.
7. Run a Quick Scan with MalwareBytes, and have it Remove all selected items.
8. If necessary to complete the MalwareBytes cleanup, restart Windows in Normal Mode
and log in as the user who was infected.
9. Check for Rootkit activity using the procedures covered in the Virus Remediation
Training, and remove if found.
10. Run a Deep Scan in MalwareBytes to make sure no more infections are detected.
System Fix:
The rogue security program named System Fix is a variant of Windows Recovery and similar
members of the Fake HDD family of rogues. The following procedure is based on work done by
www.bleepingcomputer.com, with some adjustments for alumni of the Virus Remediation
Training. The full procedure is available at this location:
http://www.bleepingcomputer.com/virus-removal/remove-system-fix.
1. Boot into Safe Mode with Networking and log in as the user who is infected by System
Fix.
2. From the Virus Repair Toolkit, run Enabletaskmgr.bat to restore access to Task Manager.
3. Run Enablecommand.bat, Enablerun.bat, and Enableregedit.bat as required.
4. Do not run Disk Cleanup, Ccleaner, ComboFix, or any program that deletes Temp files.
5. In Task Manager, find and End Process on Processes associated with this malware.
There may be two of these processes running – one will have an all-numeric filename,
and the other will be 11 to 13 characters in length, with a mix of Caps and lower-case
letters and possibly numbers as well.
6. Download the latest version of rkill.exe, from this location:
http://www.bleepingcomputer.com/download/anti-virus/rkill. Download the version
named iexplore.exe, save it to the Desktop, and run it from there.
7. Install the latest version of MalwareBytes, then manually update the definitions using
the procedure outlined in the Virus Repair Toolkit.
8. Run a Quick Scan with MalwareBytes, and have it Remove all selected items.
9. Restart Windows into Normal Mode and log in as the user who was infected.
10. Download and run the latest version of unhide.exe, from this location:
http://download.bleepingcomputer.com/grinler/unhide.exe. This program will run for a
while, as it is changing the attributes of thousands of files.
11. Verify that all program groups and programs are visible and accessible.
12. Restore the desktop wallpaper and/or theme as required.
13. Check for Rootkit activity using the procedures covered in the Virus Remediation
Training, and remove if found.
14. Run a Deep Scan in MalwareBytes to make sure no more infections are detected.
Smart Fortress, Live Security Platinum, or System Progressive Protection:
The rogue security programs named Smart Fortress or Live Security Platinum are almost
identical variants of Windows Recovery and similar members of the Fake HDD family of rogues.
The following procedure is based on work done by www.bleepingcomputer.com, with some
adjustments for alumni of the Virus Remediation Training. The full article on Smart Fortress is
here: http://www.bleepingcomputer.com/virus-removal/remove-smart-fortress-2012, and
Live Security Platinum is here: http://www.bleepingcomputer.com/virus-removal/remove-live-security-platinum.
1. Boot into Safe Mode with Networking and log in as the user who is infected by the
rogue.
2. Open the browser of your choice and go to this URL:
http://www.bleepingcomputer.com/download/fixexec/. Click on the Download
Renamed Version button and save the file to the Desktop.
3. Double-click the icon on the Desktop to repair the infected Registry.
4. If you can’t connect to the Internet, check for a Proxy Server and uncheck that box in
LAN Connections.
5. Install the latest version of MalwareBytes, then manually update the definitions using
the procedure outlined in the Virus Repair Toolkit.
6. Run a Quick Scan with MalwareBytes, and have it Remove all selected items.
7. Restart Windows into Normal Mode and log in as the user who was infected.
8. Check for Rootkit activity using the procedures covered in the Virus Remediation
Training, and remove if found.
9. Run a Deep Scan in MalwareBytes to make sure no more infections are detected.
Note: A recent variation on this rogue is named System Progressive Protection. It responds to
two simpler methods of removal. You may follow either of these procedures:
• Enter a Registration Code AA39754E-715219CE. This will remove the rogue from view,
but the system is still infected. Pick up with Step 5 above.
• Perform a System Restore to a date and time prior to the appearance of System
Progressive Protection. Pick up with Step 5 above.
S.M.A.R.T. HDD:
The rogue security program named S.M.A.R.T. HDD is a variant of Windows Recovery and
similar members of the Fake HDD family of rogues. The following procedure is based on work
done by www.briteccomputers.co.uk, with some adjustments for alumni of the Virus
Remediation Training.
1. Boot into Safe Mode with Networking and log in as the user who is infected by
S.M.A.R.T. HDD.
2. From the Virus Repair Toolkit, run Enabletaskmgr.bat if necessary to restore access to
Task Manager.
3. Run Enablecommand.bat, Enablerun.bat, and Enableregedit.bat as required.
4. Do not run Disk Cleanup, Ccleaner, ComboFix, or any program that deletes Temp files.
5. In Task Manager or Process Explorer, find and End Process on Processes associated with
this malware. There will probably be one such process running – it will be 11 to 15
characters in length, with a mix of Caps and lower-case letters and possibly numbers
and special characters as well.
6. Find and delete the Smart HDD folder, the .exe and related files.
7. Open Regedit, look for the .exe file in all of the following keys and delete if found:
Open Regedit, look for the .exe file in all of the following keys and delete if found:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
8. Install the latest version of MalwareBytes, then manually update the definitions using
the procedure outlined in the Virus Repair Toolkit.
9. Run a Quick Scan with MalwareBytes, and have it Remove all selected items.
10. If all programs and program groups are not visible, download and run the latest version
of unhide.exe, from this location:
http://download.bleepingcomputer.com/grinler/unhide.exe. This program will run for
a while, as it is changing the attributes of thousands of files.
11. Verify that all program groups and programs are visible and accessible.
12. Restart Windows into Normal Mode and log in as the user who was infected.
13. Restore the desktop wallpaper and/or theme as required.
14. Check for Rootkit activity using the procedures covered in the Virus Remediation
Training, and remove if found.
15. Run a Deep Scan in MalwareBytes to make sure no more infections are detected.
FBI MoneyPak Ransomware or the Reveton Trojan, aka
Computer Crime and Intellectual Property Section
Department of Justice
ICE Cyber Crime Center:
This family of rogues has become the most widespread malware in recent history, and it is
especially persistent. It blocks any other programs from running, and the normal Windows
desktop is replaced by the threatening screen demanding payment via MoneyPak.
There have been at least four generations of this malware to date, and a different procedure
may be required to remove each of them. The following methods will remove all known
variants of this malware from infected computers. They should be used in the order indicated,
starting with Method 1 and continuing through the remaining approaches as required.
Method 1
Some of the early strains of this malware would allow you to boot into Safe Mode With
Networking. If that is the case, this simple procedure should remove the infection:
1. Restore the computer to a date and time prior to the onset of the infection
2. Install MalwareBytes, update the definitions, and perform a Quick Scan
3. Let MalwareBytes quarantine any infected files it finds
4. Re-boot and verify that the infection is no longer present
5. Go to the “Common conclusion” section, below
Method 2
If the malware allows you to boot into Safe Mode With Networking but the procedure outlined
in Method 1 does not resolve the issue, the following procedure is effective in dealing with the
second generation of this malware. This procedure was developed by The Virus Doctor™ and is
available only to alumni of the Virus Remediation Training. It should remove the infection in
less than 30 minutes:
1. Boot into Safe Mode with Command Prompt
2. From the Virus Repair Toolkit, run the program enableregedit.bat
3. From the Virus Repair Toolkit, run the program enabletaskmgr.bat
4. From the Virus Repair Toolkit, run the program regstep.bat (in Windows XP) or regstep –
Win7.bat (in Vista, Windows 7, or Windows 8)
5. When regstep reaches HKCU\Software\Microsoft\Windows\CurrentVersion\Run, look in
the right-hand pane for an unusual-looking entry, such as hnNPUrMR21XBMJ2. The
value of this entry will be a random-named .exe file in the %UserProfile%\Application
Data folder, such as Ii0Nm8sy.exe. Double-click this entry, insert a semicolon and a
blank space before the current contents, and click OK. Write down the name of this
entry and the full path to the .exe file, then close Regedit.
6. When regstep reaches HKLM\Software\Microsoft\Windows\CurrentVersion\Run, look
in the right-hand pane for the same entry as was found in HKCU. Double-click this entry,
insert a semicolon and a blank space before the current contents, click OK, then close
Regedit.
7. When regstep reaches HKLM\Software\Microsoft\Windows NT\CurrentVersion\
Winlogon, look in the right-hand pane for the Shell entry. The value of this entry will
probably be the same as the malicious .exe file found in both Run keys. If so, change it
to Explorer.exe (in Windows XP) or explorer.exe (in Vista, Windows 7, or Windows 8),
then close Regedit.
8. When regstep reaches HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\
Explorer, look in the right-hand pane for an entry named NoDesktop. If this has a value
of 1, change it to 0. Then look in HKCU\Software\Microsoft\Windows\CurrentVersion\
Policies\System for entries named Disableregistrytools and DisableTaskMgr. Both of
these entries should have been set to values of 0 by the commands executed in Steps 2
and 3 of this procedure, but if either shows a value of 1, change it to 0, then close
Regedit.
9. When regstep has finished, navigate to the location of the executable file as found in
Step 5 of this procedure, then delete that file.
10. In the folder that contained the malicious .exe file, use the md command to create a
new folder with the same name as the executable, including the .exe extension.
11. Shut down and restart into Normal Mode.
12. Install the latest version of MalwareBytes and update the definitions.
13. Run a Quick Scan with MalwareBytes, and have it Remove all selected items, then
restart in Normal Mode.
14. If there are no icons showing on the desktop, right-click on the desktop, go to Properties
| Arrange Icons By | Show Desktop Icons.
15. Go to the “Common conclusion” section, below
Note: %UserProfile% refers to the current user's profile folder. By default, this is
C:\Documents and Settings\<Current User> for Windows 2000/XP, C:\Users\<Current User> for
Windows Vista/7/8, and c:\winnt\profiles\<Current User> for Windows NT.
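Steps 5 through 7 of Method 2 (and Step 7 of the S.M.A.R.T. HDD procedure earlier in this section) have you walk the Run and RunOnce keys and the Winlogon Shell value by eye. The following PowerShell script is an added example for this workbook (it is not code from bleepingcomputer.com or the Virus Repair Toolkit, and it does not replace regstep): it lists every entry in those four Run keys, flags any whose command launches from inside the user's profile, which is where this family drops its random-named .exe, and reports the Shell value if it is anything other than explorer.exe. With -Neutralize it disables each flagged Run entry the way Step 5 describes, by inserting a semicolon and a blank space in front of the command so the original path is preserved for your notes, and resets Shell to explorer.exe as in Step 7. It assumes PowerShell 2.0 or later and is run as the affected user from an elevated prompt; the profile folders it checks come from the APPDATA, LOCALAPPDATA, TEMP and USERPROFILE environment variables of that session.

```powershell
# Added example for this workbook (not code from bleepingcomputer.com or the
# Virus Repair Toolkit). Lists the Run/RunOnce entries and the Winlogon Shell
# value that Steps 5 to 7 of Method 2 (and Step 7 of the S.M.A.R.T. HDD
# procedure) have you inspect in Regedit, flagging any entry whose command
# runs from inside the user's profile. With -Neutralize, flagged entries are
# disabled as Step 5 describes ("; " inserted in front of the command, so the
# original line is kept as evidence) and Shell is reset to explorer.exe.
# Assumes PowerShell 2.0 or later, run as the affected user from an elevated prompt.
param([switch]$Neutralize)

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$WinlogonKey   = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Profile folders: %UserProfile%\Application Data on XP, AppData\Roaming or
# AppData\Local on Vista and later. Anything launched from here gets a second look.
$ProfileRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

function Test-RunsFromProfile([string]$Command) {
    # Drop a leading "; " (an already-disabled entry) and any surrounding quotes.
    $path = ($Command -replace '^[;\s]+', '').Trim('"')
    foreach ($root in $ProfileRoots) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$Flagged = @()
foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($ProviderProps -contains $p.Name) { continue }   # provider metadata, not a Run value
        $cmd = [string]$p.Value
        if ($cmd.StartsWith(';')) {
            Write-Host ("disabled {0}\{1} = {2}" -f $key, $p.Name, $cmd) -ForegroundColor DarkGray
        } elseif (Test-RunsFromProfile $cmd) {
            Write-Host ("SUSPECT  {0}\{1} = {2}" -f $key, $p.Name, $cmd) -ForegroundColor Red
            $Flagged += New-Object PSObject -Property @{ Key = $key; Name = $p.Name; Command = $cmd }
        } else {
            Write-Host ("ok       {0}\{1} = {2}" -f $key, $p.Name, $cmd)
        }
    }
}

# Step 7: Shell should be explorer.exe (Explorer.exe on XP; the comparison ignores case).
$shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
$shellHijacked = ($null -ne $shell) -and ($shell -ne 'explorer.exe')
if ($shellHijacked) {
    Write-Host ("SUSPECT  Winlogon Shell = {0}" -f $shell) -ForegroundColor Red
} else {
    Write-Host ("ok       Winlogon Shell = {0}" -f $shell)
}

if ($Neutralize) {
    foreach ($f in $Flagged) {
        # Steps 5 and 6: prefix rather than delete, so the path can still be written down.
        Set-ItemProperty -Path $f.Key -Name $f.Name -Value ("; " + $f.Command)
        Write-Host ("disabled {0}\{1}" -f $f.Key, $f.Name)
    }
    if ($shellHijacked) {
        Set-ItemProperty -Path $WinlogonKey -Name Shell -Value 'explorer.exe'
        Write-Host "Winlogon Shell reset to explorer.exe"
    }
}
```

The SUSPECT list is a triage list, not a verdict: legitimate updaters sometimes run from AppData too, so read each flagged command before using -Neutralize, and note the full path of the malicious .exe as Step 5 requires, because Steps 9 and 10 still need it.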
Method 3
The latest variants of this malware modify the Master Boot Record in such a way as to prevent
the use of the F8 key at Windows startup time to enter the Advanced Boot Options. If this is
the strain you’re dealing with, it will be necessary to boot from a USB thumb drive that will
automatically launch a program to remove the infection.
*** Note ***
This procedure presently is not compatible with Windows 8. A separate procedure for
Windows 8 computers infected by this strain of the FBI MoneyPak virus is included at the end
of this writeup.
The following procedure is adapted from a writeup in Bleeping Computer, shortened and
modified to take advantage of tools that are included in the Virus Repair Toolkit. You may find
the original procedure at http://www.bleepingcomputer.com/virus-removal/remove-ice-cyber-crime-center-ransomware if you need any further details of the steps outlined here.
1. Download the latest version of HitmanPro.Kickstart from this address:
http://www.surfright.nl/en/downloads. You will download the 32-bit or 64-bit version
to match the computer you are downloading the program onto; the Windows version
installed on the infected computer does not factor into this decision.
2. When the download is complete, you will create a bootable USB thumb drive to be used
on the infected computer. The contents of this thumb drive will be completely erased,
so use one with no important data on it. Any size thumb drive from 1 GB and up will
work for this purpose. Insert the thumb drive and continue to the next step.
3. Double-click the appropriate executable file downloaded in Step 1 above. The file name
will be either HitmanPro.exe (for 32-bit versions of Windows) or HitmanPro_x64.exe (for
64-bit versions of Windows).
4. At the bottom of the start screen you will see an unlabeled icon next to the Settings
button. If you hover over this icon, you’ll see it says “Create HitmanPro.Kickstart USB
flash drive.” Click on this icon.
5. Click on the desired thumb drive, then click on Install Kickstart.
6. You will be given a final warning that the USB flash drive will be erased. To proceed,
click on the Yes button.
7. The program will download the necessary files and make the thumb drive bootable.
When the process has completed, click on the Close button to close Kickstart.
8. Remove the thumb drive from the computer, turn off the infected computer, and insert
the thumb drive into it.
9. Power on the infected computer and modify the Boot Sequence if necessary to boot
first from a USB device.
10. You should see the Kickstart Boot Menu, with three options. If you do not, make sure
the USB drive is first in the boot sequence. From that boot menu, choose Option 1.
11. When Windows starts, log on normally if required. At that point the malware will start
as it has been since the computer became infected. After a brief period of time (usually
15-20 seconds, could be as long as one minute or so), the HitmanPro window will
appear on top of the ransomware. Click on the Next button to start the cleaning
process.
12. On the HitmanPro Setup screen, choose the option “No, I only want to perform a one-time scan to check this computer,” then click on the Next button.
13. HitmanPro will now scan the computer for infections and show its results as it
encounters malware. If the background of the screen turns red during the scan, that
indicates it has found malicious software that is significant. The total scan time is
usually less than 5 minutes.
14. Click on the Next button to have HitmanPro remove the detected infections. When it is
done you will see a Removal Results screen that shows the status of the infections that
were identified and removed. Click Next on this screen, and then Reboot on the next
screen.
15. The system should now boot into the normal Windows environment. The user should
log in as normal, and the malware will be gone. The normal desktop, wallpaper, and
icons should be intact, and all programs should run as they did prior to the infection.
16. On some variants of this malware, the user is taken to a Command Prompt window
instead of the normal desktop. If that happens, in the Command Prompt window type
explorer.exe, followed by the Enter key.
17. Once the desktop appears normally, run the program fixshell.bat from the Virus Repair
Toolkit. This will ensure that the desktop comes up immediately the next time Windows
is restarted.
18. Restart Windows and verify that everything is back to normal functionality.
19. Go to the “Common conclusion” section, below
Method 4
This is a variation on Method 3 that may be necessary in especially persistent versions of this
family of malware. If you have been following the steps in Method 3, but the Ransomware
screen reappears during Step 13, you may need to use the Force Breach mode of Kickstart.
In this case you will follow Steps 1 through 10 as described in Method 3. As soon as you have
selected Boot Option 1 from the Kickstart Boot Menu, press and hold the left CTRL key until
HitmanPro starts. This enables the Force Breach mode, which terminates all non-essential
Windows applications. You can verify if this mode is enabled by looking at the bottom of the
HitmanPro screen. That line should say “Force Breach: HitmanPro terminated nn processes.”
The number nn may be anywhere from 5 to 30 processes.
If a logon is required when starting Windows, logon normally and then immediately press and
hold the left CTRL key until HitmanPro starts.
In either case, once you have verified that you are in Forced Breach mode, continue the
process from Method 3 at Step 11.
Common Conclusion
• Check for Rootkit activity using the procedures covered in the Virus Remediation
Training, and remove if found.
• Run a Deep Scan in MalwareBytes to make sure no more infections are detected.
Windows 8 computers infected with the FBI MoneyPak ransomware
If a computer running Windows 8 is infected by malware in this family, the first step is to
enable the Advanced Boot Options and determine whether you can boot the machine into Safe
Mode With Networking or Safe Mode Command Prompt. The procedure for accessing these
options is outlined in this Workbook in the section “Random Troubleshooting Techniques.”
If you are able to boot the infected Windows 8 computer into Safe Mode, there is a good
chance that Method 1 or Method 2 will work to remove the malware. If not, the procedure
will be a bit more involved.
The exact steps may vary a bit, but here is the general approach:
• Boot from a bootable CD, DVD, or USB thumb drive (but not a Kickstart thumb drive)
• Run the appropriate version of HitmanPro from a CD, DVD, or USB thumb drive
• Pick up with Step 12 in the Method 3 procedure outlined above
CryptoLocker Update
In October, 2013 I wrote about what was then the newest and most widespread malware
infecting computers worldwide, known as CryptoLocker. At the time I referred to it as “Game-Changing Malware.” You may read that blog post here:
http://www.thevirusdoc.com/blog/cryptolocker-game-changing-malware.
There have been quite a few developments along these lines since then, and this type of
malware has become one of the most destructive threats of all time. Most of these
developments have been of what we would have to consider a negative variety, but there is
also a ray of good news thrown in for some victims of a CryptoLocker infection. First, here is a
review of the evolution of encrypting ransomware over the past year.
Evolution of encrypting ransomware, September, 2013 – September, 2014
Just about the time the original CryptoLocker was starting to make a significant impact (and a
lot of money for its authors), a variation appeared that looked very much like the original. The
infection methods were the same, the encryption was apparently done in the same way, and
the message that showed up on the infected computer was almost identical to the original.
There were only two obvious differences.
The original CryptoLocker initially set a price of $100 for the decryption key; this imitator
demanded $300. But by that time the original authors had also raised their price to the same
$300. The original gave the victim two options for paying the ransom – either a MoneyPak
non-refundable debit card or payment in Bitcoin; the imitator would only accept payment via
Bitcoin.
But on further analysis, several anti-virus vendors determined that this imitator was most likely
produced by a totally different programmer or, more likely, programming team. They
discovered that it was written in a different programming language from the original, and
many other differences became apparent upon disassembly of the program and comparison to
the original.
Since then, at least 6 similar programs have been released into the wild with a CryptoLocker-type payload. These are known generically as encrypting ransomware, and they continue to
spread and evolve into even more-sophisticated threats. Most of these variants are obviously
different programs, produced by different programming groups, each with its own twist on the
distribution, payment amount and payment mechanism, and the message that is displayed
after the user’s data files have been encrypted.
These are the names that have surfaced to date:
• CryptoLocker
• CryptoLocker II (my name for the original imitator, referenced above)
• PrisonLocker, aka PowerLocker
• CryptoDefense
• CryptorBit
• CryptoWall
• CTB Locker, aka Critroni
• TorLocker
Infection vectors
Unfortunately, the way this category of malware spreads makes it difficult for traditional anti-virus and anti-spyware programs to detect and block them from successfully installing on
computers running any version of Windows. At a minimum, a full Internet Security Suite is
necessary in order to give most users even marginally adequate protection.
Most of these infections are contracted in the usual way, by the user opening an e-mail
attachment that launches the malware. These attachments are most typically .pdf or .zip files,
but they may be .exe or .com files, or some other file type that would normally be considered
benign.
The subject of these e-mail messages may be a failed delivery notification that appears to
come from the Post Office, UPS, DHL, or FedEx; some may claim that the attachment is a
recorded voicemail message, or some other legitimate-sounding reason the user should open
it. As always, user behavior frequently plays a pivotal role in the infection sequence; user
training and security awareness may reduce the likelihood of infection.
As with so many other infections in the past few years, this malware sometimes comes in the
form of a “drive-by download” that may be triggered by the user being sent to an infected web
site or clicking on an infected link in an e-mail message. This method may take advantage of
known vulnerabilities in ancillary programs such as Java, Adobe Reader, and Flash.
Accordingly, it’s even more important than ever to make sure that these programs are kept up-to-date. And of course, it’s critical that Windows and all installed applications stay updated as
well. We must assume that Windows XP is more vulnerable to these infections than the newer
versions of Windows, since Microsoft no longer updates that Operating System.
Protection against these threats
As a direct response to these attacks, at least three software vendors have created products
specifically designed to block infection by this type of malware. Some are offered free of
charge, while others carry a nominal cost. None of these programs will conflict with installed
anti-virus or Internet Security programs, but they may conflict with one another. So, choose
one:
The first entrant in this category was CryptoPrevent, from Foolish IT (www.foolishit.com), the
creators of the D7 software suite. The original version is still free, but they now also offer a
Premium Edition, with additional features and capabilities, for $15.00 U.S. for a permanent
license.
Another long-established, reputable vendor of anti-malware software, MalwareBytes
(www.malwarebytes.org), has come out with a similar program called MalwareBytes Anti-Exploit.
They also offer a free version and a Premium Edition, which provides additional
protection and will protect up to three computers, for $24.95 U.S. per year.
The other entrant in this arena is Surfright (www.surfright.nl), the producers of HitmanPro.
Their free program, HitmanPro.Alert, was originally intended to block banking Trojans and
similar attacks, and compromises of any Internet browsers on the targeted computer. This
program has been updated to include CryptoGuard, specifically to protect against encrypting
ransomware.
A later variant of malware in this category, CTB Locker (or Critroni), was released in mid-July,
2014. Although the end result is similar to the other variants discussed here, this infection is
more sophisticated and different enough that it may not be detected or blocked by the
products listed above. The author of CryptoPrevent tells me that Version 6.x (and later) does
protect against the known variants of CTB Locker, but only through detection of its signature.
At this point he cannot guarantee that future variants of CTB Locker will be detected, especially
in the first few days after they are released. I have not received a response from either of the
other listed vendors with regard to their handling of CTB Locker.
Encrypting ransomware on other (non-Windows) platforms
To wrap up the “bad news” aspect of this update, there is another recent development in the
field of encrypting ransomware. That is the spread of these attacks to additional hardware
platforms, beyond the Windows Operating Systems. A popular Network-Attached Storage
(NAS) system is now being targeted, as are smartphones and tablets running the Android
Operating System.
Apple users seem to be immune to this category of malware thus far. I have heard no reports
of Macs, iPads or iPhones being targeted for CryptoLocker-type attacks. That’s not to say it
couldn’t (or won’t) happen, but as far as I know it hasn’t been an issue yet.
The good news
Early in this article I promised a ray of good news, so here it is. In August, 2014, two software
vendors announced jointly that they have developed a program that may be able to decrypt
files that were encrypted by the original CryptoLocker. They are offering this program free of
charge to anyone who still has those encrypted files and wants to recover them.
The companies are FireEye (www.fireeye.com), of Milpitas, California, USA and Fox-IT
(www.fox-it.com), of Delft, The Netherlands. It’s important to note that these companies do
not claim to have “cracked the code” to decrypt these files; rather, they gained access to some
of the servers that contained the private keys used by the original CryptoLocker infection.
Through some clever detective work and reverse-engineering, they developed a program
(DecryptCryptoLocker) that may be used to decrypt these encrypted files. Here is a link with
the details of how this procedure works: https://www.decryptcryptolocker.com/. While there
is a good chance this program will let you recover these files, it is not a “silver bullet.” Here are
some possible obstacles that may prevent it from working in specific cases:
 The procedure is only known to work on the original CryptoLocker infections; it could
apply to later variants and imitators, but I would consider that to be unlikely
 There is no guarantee that the servers accessed by FireEye and Fox-IT contained all of
the private keys used by the CryptoLocker authors
 The original CryptoLocker was effectively brought down in late May, 2014; any
infections since that date are unlikely to use the same set of private keys
Even so, this procedure is a welcome piece of good news and a significant win by the good
guys! FireEye and Fox-IT deserve a lot of credit for the great work they devoted to this
solution. And if you still have encrypted files you need to recover, it’s definitely worth the
effort to try the procedure and see whether it works for you.
I’ll be very interested in hearing of your results and any further details you may be able to
provide on the process. Good luck!
Poweliks Update
Background
Poweliks is one of the most widespread pieces of malware infecting computers in recent
months. It first appeared in early August, 2014 and has been spreading rapidly since October.
This virus is very different from most in one important respect – it does not leave a malicious
file on the infected computer. Instead, the malicious code is injected directly into the Registry
by a Trojan dropper; once that injection is done, the dropper file is deleted.
As a result of this infection sequence, traditional anti-virus and anti-malware programs that
scan the hard drive looking for infected files will not detect Poweliks. Unless a given scanning
program knows exactly what to look for, it will erroneously pronounce a Poweliks-infected
computer “clean.”
Symptoms
It’s easy to recognize the symptoms of a Poweliks infection:
 Multiple dllhost.exe processes are running
 CPU utilization is very high
 There is a large amount of network traffic
 Computer is running slowly as a result of these behaviors
More recent variants of Poweliks also disable the ability to download files, by using a “Custom”
Security setting. It has also been reported that the infection creates a large number of files in
the Temp folder and the Temporary Internet Files folder. This symptom has not been
discussed or confirmed by any anti-virus vendors to my knowledge, but the logs I saw from one
infected computer revealed almost 300,000 files in these folders – for a total size in excess of 9
GB.
Another case that was suspected to be a Poweliks infection turned out not to be. The tech
who reported it saw multiple Conhost.exe processes running and suspected this might be a
variant of the typical Poweliks infection. On further investigation, it appears that these
processes were associated with Kaseya, which was a legitimate program running on that
computer.
How it operates
(This description is based in part on the writeup of Poweliks by Adlice Software, creators of the
RogueKiller program.)
The payload is stored in an encrypted Registry Value, and loaded at boot time by that subkey
calling a rundll32.exe process on an encrypted Javascript payload. Once the payload is loaded
in rundll32.exe, it tries to execute an embedded Powershell script in interactive mode (no UI).
That Powershell script contains a base64-encoded payload (another one) which will be injected
into a dllhost.exe process (the persistent item), which will be zombified and act as a Trojan
downloader for other infections. The dllhost.exe injected thread is also responsible for
protecting the Registry Value (persistence item) by recreating it when removed.
Where it is found
The payload of Poweliks has been found in two different areas of the Registry. In either case
the Subkey name and the Value name are injected with unicode characters, so that the high-level API cannot read them and remove them. Said another way, that technique prevents the
tech from being able to delete those entries in Regedit or most other Registry-editing tools.
The first generation of Poweliks infections appeared in the Run subkey under
HKEY_CURRENT_USER. Later (and current) Poweliks samples have been found in
HKEY_CURRENT_USER\Software\classes\clsid\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32 or
HKEY_CURRENT_USER\Software\classes\clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\LocalServer32, but they actually could use any clsid subkey in the future.
Note that most legitimate Clsid entries will be found under HKEY_LOCAL_MACHINE, not
HKEY_CURRENT_USER. These legitimate subkeys will also be found at
HKEY_CLASSES_ROOT\clsid\{...}.
Easy way to determine whether a computer is infected by Poweliks
Since the behavior of this infection has been consistent, regardless of the Registry subkey used
or the exact payload, it is easy to detect its presence. In every case the first of two infected
entries will begin with the string rundll32.exe javascript:" (the trailing double quote is part of the string). A simple Find in Regedit will reveal
that instruction sequence if it is present. Here is all that needs to go into that Find command:
Be sure you are at the top of the Registry tree before you enter this Find command. If you
reach the end of the Registry without finding that sequence, the computer is not infected by
Poweliks.
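The Regedit Find described above, scripted as a read-only PowerShell check. This is an added example, not the manual's own procedure or a vendor tool; it assumes the two Registry locations named in the previous section and a PowerShell prompt run as Administrator on the machine being examined.

```powershell
# Added example, not from the manual: read-only check for the Poweliks
# indicator described above. It inspects the two locations the text names
# (the HKCU Run values, and every HKCU CLSID ...\LocalServer32 subkey) for
# data that starts with  rundll32.exe javascript:  and also flags value names
# that contain control characters, which is what keeps them unreadable in
# Regedit. Nothing is modified; removal is left to the tools the manual lists.
# Run from an elevated PowerShell prompt on the machine being examined.

$Indicator = 'rundll32.exe javascript:'
$Findings  = New-Object System.Collections.ArrayList

function Add-Finding([string]$Key, [string]$Value, [string]$Why) {
    [void]$Findings.Add([pscustomobject]@{ Key = $Key; Value = $Value; Why = $Why })
}

function Test-RegistryKey([string]$Path) {
    # $Path is a provider path such as HKCU:\Software\...\Run or
    # Microsoft.PowerShell.Core\Registry::HKEY_CURRENT_USER\...
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $Key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $Key) { return }
    foreach ($Name in $Key.GetValueNames()) {
        $Shown = if ($Name -eq '') { '(Default)' } else { $Name }
        # A name with embedded control characters is the "injected unicode" trick
        if ($Name -match '[\x00-\x1F]') {
            Add-Finding $Key.Name $Shown 'value name contains control characters (hidden from Regedit)'
        }
        # Binary data turns into a string of numbers here and simply will not match
        $Data = [string]$Key.GetValue($Name)
        if ($Data.TrimStart().StartsWith($Indicator, [StringComparison]::OrdinalIgnoreCase)) {
            Add-Finding $Key.Name $Shown ('data begins with "' + $Indicator + '"')
        }
    }
}

# 1. First-generation location: the current user's Run subkey
Test-RegistryKey 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# 2. Later location: LocalServer32 under any CLSID subkey of HKCU\Software\Classes
Get-ChildItem -LiteralPath 'HKCU:\Software\Classes\CLSID' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-RegistryKey (Join-Path $_.PSPath 'LocalServer32') }

if ($Findings.Count -eq 0) {
    'No Poweliks indicator found in HKCU Run or HKCU CLSID LocalServer32 keys.'
} else {
    $Findings | Format-Table -AutoSize -Wrap
}
```

The script only covers the locations the text names; the Regedit Find from the top of the tree remains the broader check if a future variant moves elsewhere.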
How to remove a Poweliks infection
One problem with Poweliks removal is that the infected computer may be running so slowly
that you could spend a lot of time waiting for each step to complete. There is one simple step
you can take that will greatly reduce the CPU utilization of the Poweliks processes – disconnect
the computer from the network (wired or wireless). Since much of the payload involves
attempted communications with the Command and Control Server, breaking that connection
will immediately produce a significant performance improvement.
If downloads have been blocked, you can restore that functionality by going into Internet
Options | Security tab | Custom level... | Downloads (Enable) or by changing the Security level
for this zone back to Medium-high.
In the time since Poweliks first appeared, many articles and blog posts have been written,
procedures documented, and tools produced by various software vendors to help in the
removal process. The quality and effectiveness of these different methods ranges from poor to
very good, and some vendors have updated their tools and procedures as they have learned
more about how Poweliks operates and how it protects itself.
Based on feedback I have received from quite a few graduates of my Virus Remediation
Training program, as well as my own hands-on work on several Poweliks-infected computers,
these are the best solutions I have found to date:
1. ESET offers a free Poweliks removal tool, at
http://www.eset.com/int/download/utilities/detail/family/252/. Everyone I have talked
with who has used this tool reports that it successfully removed the infection, with
minimal effort.
2. MalwareBytes reports that the latest version of their MalwareBytes Anti-Rootkit
program detects and removes Poweliks infections. Note that this is NOT the standard
MalwareBytes Anti-Malware that we have all been using for long time; that program,
good as it is, does not deal effectively with Poweliks. Also note that MBAR is still in Beta
testing, as it has been for a long time. I normally do not recommend use of any
programs in Beta, but I make a significant exception in this case. You can download it
here: http://downloads.malwarebytes.org/file/mbar. Here is a link to a discussion on
Poweliks removal in a MalwareBytes forum:
https://forums.malwarebytes.org/index.php?/topic/160693-removal-instructions-for-poweliks/.
Feedback from my alumni who have used this program on Poweliks infections does not
reflect 100% success, but it’s possible some of them may not have followed the
instructions carefully, or they may have tried the program before the Poweliks removal
code was included in it.
3. The first solution I distributed involved use of RogueKiller, from Adlice Software. That
procedure was effective, if a bit involved. RogueKiller has since updated their program
to automatically terminate the dllhost.exe processes, so it is no longer necessary to
perform that step manually if you want to stick with RogueKiller for removal. Their
article (updated 11/21/14), and the link to download the program, are here:
http://www.adlice.com/poweliks-removal-with-roguekiller/.
4. By all accounts I’ve heard, the Farbar Recovery Scan Tool is effective in finding and
removing Poweliks infections. It is also the most confusing to use (for me, at least!),
thus its placement at #4 on this list. You may download it from Bleeping Computer
here: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/.
These solutions are listed in the order of my preference, based on reported results, ease of
use, and least time required. Any of them should work to find and remove these infections, so
it comes down to a matter of personal preference.
Additional resources
Most of the major anti-virus and anti-malware vendors have information about Poweliks on
their web sites, although some of it is pretty dated (and thus inaccurate) by now. Here are
some of those details, if you want to do further research on your own. These vendors are
listed in alphabetical order, with no preference expressed or intended on my part.
 BitDefender – A search for Poweliks on their web site produces no hits. A second-hand
conversation with one of their techs confirms that they are aware of Poweliks, but my
phone calls and e-mails requesting further information have not been answered.
 Emsisoft – I received a detailed response to my questions from a Malware Analyst at
Emsisoft, which was greatly appreciated. Emsisoft has historically been one of the first
vendors to detect and effectively deal with emerging malware threats. With regard to
Poweliks, the response indicated that “Emsisoft’s behavior blocker detects code
injection and can block installation of the malware.” On the other hand, the analyst
follows up by saying, “While Emsisoft products successfully detect Poweliks during
installation, at this moment removal after a scan is not yet guaranteed. We are
currently working on a safe and reliable way to incorporate this into our engine (rather
than adding a solution that might put the system at risk).” I appreciate their candor in
this regard, and this response reinforces my high regard for Emsisoft.
 ESET – In addition to their removal tool mentioned above, they have confirmed to me
that their normal anti-virus program protects against Poweliks infections.
 Kaspersky – A search for Poweliks on their web site produces no hits. A second-hand
conversation with one of their techs confirms that they are aware of Poweliks, but my
phone calls and e-mails requesting further information have not been answered.
 Sophos – One of the first vendors to document Poweliks and its behavior. Their article is
here: http://www.sophos.com/en-us/support/knowledgebase/121370.aspx, although it
has not been updated since September 29. In my own experience of trying their
procedure on two infected computers, I was not successful on either. It’s possible that I
did not give their scanner enough time to complete, and their procedure made no
mention of the need to terminate the running dllhost.exe processes.
 Symantec – They offer a manual removal procedure for Poweliks, and a removal tool,
which you can find here:
http://www.symantec.com/security_response/writeup.jsp?docid=2014-080408-5614-99&tabid=3. While one of my alumni reported successful removal by following the
manual procedure, it seems unnecessarily complex and time-consuming to me. If the
removal tool works, that is probably a better and faster solution.
Conclusion
Poweliks has presented an unusual challenge in several respects, especially when it was first
introduced and the concept of “file-less” malware was unknown. As it has become more
widespread, some vendors have developed more effective responses to it. I will continue to
keep you updated as we learn more about this infection.
Appendix C -- Processes found in Task Manager
Process Name         | Description                          | Company            | Application/Device      | L/M | Required?
anotify.exe          | AOL Update Popup                     | AOL                |                         | L   | No
AOLacsd.exe          |                                      | AOL                |                         | L   |
aolsoftware.exe      |                                      | AOL                |                         | L   |
AOLSP Scheduler.exe  | AOL Spyware Protection               | AOL                |                         | L   | No
aoltpspd.exe         | AOL Top Speed                        | AOL                |                         | L   | Yes
aoltray.exe          | AOL Systray Icon                     | AOL                |                         | L   | No
aoltsmon.exe         | AOL Top Speed Monitor                | AOL                |                         | L   | Yes
BrccMCtl.exe         |                                      | Brother            |                         |     |
BrMfcMon.exe         |                                      | Brother            |                         |     |
BrMfcWnd.exe         |                                      | Brother            |                         |     |
ccEvtMgr.exe         | Event Manager                        | Symantec           |                         | L   | Yes
ccSetMgr.exe         | Settings Manager                     | Symantec           |                         | L   | Yes
cmd.exe              | Command Prompt                       | Microsoft          |                         | L   | No
companion.exe        | AOL Companion                        | AOL                |                         | L   | No
csrss.exe            | Client Server Runtime Subsystem      | Microsoft          |                         | L   | Yes
ctfmon.exe           | MS Office Language Bar               | Microsoft          |                         | L   | Yes
DefWatch.exe         | Definitions Watch                    | Symantec           |                         | L   | Yes
explorer.exe         | Windows Desktop                      | Microsoft          |                         | L   | Yes
g2comm.exe           |                                      | Citrix             | GoToMyPC                |     |
g2pre.exe            |                                      | Citrix             | GoToMyPC                |     |
g2svc.exe            |                                      | Citrix             | GoToMyPC                |     |
g2tray.exe           |                                      | Citrix             | GoToMyPC                |     |
hpcmpmgr.exe         | Windows Update? or Windows Explorer  | Hewlett-Packard    |                         |     |
hpqtra08.exe         | HP Digital Imaging Monitor           | Hewlett-Packard    |                         | L   | Yes
hpsysdrv.exe         | HP System Recovery                   | Hewlett-Packard    |                         | L   | No
hpwuschd2.exe        | HP Windows Updates Scheduler         | Hewlett-Packard    |                         | L   | No
kbd.exe              | HP Keyboard Manager                  | Hewlett-Packard    |                         | L   | No
lsass.exe            | Local Security Authentication Server | Microsoft          |                         | L   | Yes
MDM.EXE              | Machine Debug Manager                | Microsoft          |                         | L   | Yes
net.exe              |                                      |                    |                         |     |
NILaunch.exe         |                                      |                    |                         |     |
nvsvc32.exe          | Nvidia Driver Service                | Nvidia             |                         | L   | No
OneTouch.exe         |                                      |                    |                         |     |
pdfsvc.exe           | Dispatcher Service                   | PDF Complete, Inc. | Print to PDF Complete   | L   | Yes
pptd40nt.exe         | Print to Desktop                     | ScanSoft           | PaperPort               | L   | No
qbdagent2002.exe     | Delivery Agent                       | Intuit             | QuickBooks              | L   | No
RetroExpress.exe     | Retrospect Express                   | Dantz Development  |                         | L   | No
Retrorun.exe         | Retrospect Backup Scheduler          | Dantz Development  |                         | L   | No
Rtvscan.exe          | Real-Time Virus Scan                 | Symantec           |                         | L   | Yes
rundll32.exe         | Run DLL as an App                    | Microsoft          |                         | L   | Yes
SavRoam.exe          |                                      |                    |                         |     |
SBAMSvc.exe          | VIPRE                                | Sunbelt Software   |                         | L   | Yes
SBAMTray.exe         | VIPRE Systray Icon                   | Sunbelt Software   |                         | L   | Yes
SBPIMSvc.exe         |                                      | Sunbelt Software   |                         |     |
services.exe         | Services Control Manager             | Microsoft          |                         | L   | Yes
smss.exe             | Session Manager Subsystem            | Microsoft          |                         | L   | Yes
spoolsv.exe          | Spooler Service                      | Microsoft          | Printing or faxing      | L   | Yes
svchost.exe          | Service Host                         | Microsoft          |                         | L   | Yes
System               | Operating System Kernel              | Microsoft          |                         | L   | Yes
System Idle Process  | Idle Time                            | Microsoft          |                         | L   | Yes
taskmgr.exe          | Task Manager                         | Microsoft          |                         | L   | Yes
tfswctrl.exe         | Drive Letter Assignment              | Hewlett-Packard    | CD writing              | L   | No
winlogon.exe         | User Logon                           | Microsoft          |                         | L   | Yes
WINWORD.EXE          | MS Word                              | Microsoft          |                         | L   | No
wmiapsrv.exe         | WMI API                              | Microsoft          | Performance information | L   | Yes
Appendix D -- Registry Differences by Operating System
Columns of the original table: Windows XP | Server 2003 | Vista | Server 2008 or Server 2012 | Windows 7, Windows 8 or 8.1
Top of Registry keys
  Windows XP, Server 2003:                          My Computer
  Vista, Server 2008 or 2012, Windows 7, 8 or 8.1:  Computer
HKCR\exefile\shell\open\command
  Windows XP, Server 2003:                          (Default) entry
  Vista, Server 2008 or 2012, Windows 7, 8 or 8.1:  (Default) entry + IsolatedCommand
HKCR\regedit\shell\open\command
  Windows XP, Server 2003:                          regedit.exe %1
  Vista, Server 2008 or 2012, Windows 7, 8 or 8.1:  regedit.exe "%1"
HKCR\regfile\shell\open\command
  All versions:                                     regedit.exe "%1"
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  Windows XP, Server 2003, Vista:                   Yes
  Server 2008 or 2012, Windows 7, 8 or 8.1:         No
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  Windows XP, Server 2003:                          4 - 5 entries
  Vista, Server 2008 or 2012, Windows 7, 8 or 8.1:  WebCheck only
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  Windows XP, Server 2003, Vista:                   Explorer.exe
  Server 2008 or 2012, Windows 7, 8 or 8.1:         explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\System
  Windows XP, Server 2003:                          Yes (no Data)
  Vista, Server 2008 or 2012, Windows 7, 8 or 8.1:  No
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
  Windows XP, Server 2003:                          logonui.exe
  Vista, Server 2008 or 2012, Windows 7, 8 or 8.1:  No
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
  Windows XP, Server 2003:                          10 - 13 entries
  Vista, Server 2008 or 2012, Windows 7, 8 or 8.1:  0 - 3 entries
Display Properties | Customize Desktop
  Windows XP, Server 2003:                          Yes
  Vista, Server 2008 or 2012, Windows 7, 8 or 8.1:  No
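As an added example (not part of the manual or its toolkit), a PowerShell script that reads the live Registry and compares it with the Appendix D baseline for the detected OS family. The mapping from kernel version and product type to OS family is my assumption, and the Display Properties row is left out because it is a GUI check.

```powershell
# Added example, not from the manual: compares the live Registry with the
# Appendix D baseline for the current OS family and lists each deviation for
# the technician to look at. Read-only. Assumption: kernel 5.x = Windows XP /
# Server 2003, 6.0 workstation = Vista, anything newer = Server 2008/2012 or
# Windows 7/8/8.1 (those two columns are identical in the table).
# Get-WmiObject is used so the script also runs on PowerShell 2.0 on XP.

$Os  = Get-WmiObject Win32_OperatingSystem
$Ver = [version]$Os.Version
$Family = 'Server 2008/2012, Windows 7/8/8.1'
if ($Ver.Major -lt 6) { $Family = 'XP / Server 2003' }
if ($Ver.Major -eq 6 -and $Ver.Minor -eq 0 -and $Os.ProductType -eq 1) { $Family = 'Vista' }

# Expected values, taken from the Appendix D table ("WebCheck only" = exactly one entry)
$Baseline = @{
  'XP / Server 2003' = @{ RegeditCmd = 'regedit.exe %1';   IsolatedCommand = $false; RunOnceEx = $true
                          SsodlMin = 4; SsodlMax = 5;      Shell = 'Explorer.exe';   SystemValue = $true
                          UIHost = 'logonui.exe';          NotifyMin = 10; NotifyMax = 13 }
  'Vista'            = @{ RegeditCmd = 'regedit.exe "%1"'; IsolatedCommand = $true;  RunOnceEx = $true
                          SsodlMin = 1; SsodlMax = 1;      Shell = 'Explorer.exe';   SystemValue = $false
                          UIHost = $null;                  NotifyMin = 0;  NotifyMax = 3 }
  'Server 2008/2012, Windows 7/8/8.1' = @{ RegeditCmd = 'regedit.exe "%1"'; IsolatedCommand = $true; RunOnceEx = $false
                          SsodlMin = 1; SsodlMax = 1;      Shell = 'explorer.exe';   SystemValue = $false
                          UIHost = $null;                  NotifyMin = 0;  NotifyMax = 3 }
}
$Expected = $Baseline[$Family]
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Results  = New-Object System.Collections.ArrayList

function Add-Result([string]$Check, $Want, $Have, [bool]$Ok) {
    [void]$Results.Add([pscustomobject]@{ Check = $Check; Expected = "$Want"; Actual = "$Have"; OK = $Ok })
}
function Get-DefaultValue([string]$Path) {
    $Key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($Key) { [string]$Key.GetValue('') } else { '<key missing>' }
}
function Get-ValueNames([string]$Path) {
    $Key = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($Key) { $Key.GetValueNames() }
}

# HKCR\regedit and HKCR\exefile shell\open\command
$Cmd = Get-DefaultValue 'Registry::HKEY_CLASSES_ROOT\regedit\shell\open\command'
Add-Result 'HKCR\regedit\shell\open\command (Default)' $Expected.RegeditCmd $Cmd ($Cmd.Trim() -eq $Expected.RegeditCmd)
$HasIso = @(Get-ValueNames 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command') -contains 'IsolatedCommand'
Add-Result 'HKCR\exefile\shell\open\command has IsolatedCommand' $Expected.IsolatedCommand $HasIso ($HasIso -eq $Expected.IsolatedCommand)

# RunOnceEx presence
$HasRox = Test-Path -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
Add-Result 'RunOnceEx key present' $Expected.RunOnceEx $HasRox ($HasRox -eq $Expected.RunOnceEx)

# ShellServiceObjectDelayLoad entry count
$Ssodl = @(Get-ValueNames 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad')
$SsodlOk = ($Ssodl.Count -ge $Expected.SsodlMin) -and ($Ssodl.Count -le $Expected.SsodlMax)
if ($Expected.SsodlMax -eq 1) { $SsodlOk = $SsodlOk -and ($Ssodl -contains 'WebCheck') }
Add-Result 'ShellServiceObjectDelayLoad entries' "$($Expected.SsodlMin)-$($Expected.SsodlMax)" ($Ssodl -join ', ') $SsodlOk

# Winlogon\Shell, \System, \UIHost and the number of \Notify subkeys
$Wl      = Get-Item -LiteralPath $Winlogon
$WlNames = @($Wl.GetValueNames())
$Shell   = [string]$Wl.GetValue('Shell')
Add-Result 'Winlogon\Shell' $Expected.Shell $Shell ($Shell -eq $Expected.Shell)   # -eq ignores case
$HasSys = $WlNames -contains 'System'
Add-Result 'Winlogon\System value present' $Expected.SystemValue $HasSys ($HasSys -eq $Expected.SystemValue)
$UIHost = if ($WlNames -contains 'UIHost') { [string]$Wl.GetValue('UIHost') } else { $null }
Add-Result 'Winlogon\UIHost' $Expected.UIHost $UIHost ($UIHost -eq $Expected.UIHost)
$Notify = @(Get-ChildItem -LiteralPath "$Winlogon\Notify" -ErrorAction SilentlyContinue).Count
Add-Result 'Winlogon\Notify subkeys' "$($Expected.NotifyMin)-$($Expected.NotifyMax)" $Notify (($Notify -ge $Expected.NotifyMin) -and ($Notify -le $Expected.NotifyMax))

"Detected OS family: $Family"
$Results | Format-Table -AutoSize
"Deviations: $(@($Results | Where-Object { -not $_.OK }).Count)"
```

A deviation is a prompt to look closer, not proof of infection; a vendor's legitimate Winlogon\Notify entry or a customized Shell value will also show up here.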
SESSION 4:
THE VIRUS REPAIR TOOLKIT
and LAB SESSION
Contents of the Virus Repair Toolkit
The Virus Repair Toolkit contains all of the software tools you are likely to need in order
to repair any malware infestation. While you may want to carry these tools on a USB
thumb drive, the CD-ROM version is preferable for three reasons:
1. You can usually boot from a CD-ROM, but may not be able to boot from a USB
drive. The Virus Repair Toolkit as distributed is not bootable, but you may copy
its contents onto a bootable CD you have created.
2. In many cases of malware removal it will be necessary to boot the computer into
Safe Mode. You may not be able to access a USB drive in Safe Mode, but should
always be able to access a CD or DVD drive.
3. If a virus is active on a computer, it may try to infect any additional drives
connected to the system or the network. A USB drive would be susceptible to
such infection, but not a CD-ROM disk.
The files on this CD come from various sources, and in some cases you will want to
download the most recent versions of those files before attempting the repair. These
are the included files, and their sources, in various categories:
The following files are general utilities that are useful in dealing with malware-related
issues:
 Autoruns by SysInternals – Download from http://technet.microsoft.com/en-us/sysinternals/bb963902.
 CCleaner – Download from http://www.ccleaner.com/download.
 Personal Software Inspector by Secunia – Scans for outdated and vulnerable
system components and add-ons; download from
http://secunia.com/vulnerability_scanning/personal/.
 Process Explorer by SysInternals – Download from
http://technet.microsoft.com/en-us/sysinternals/bb896653.
You may want to copy these system files from a known-good computer running the
same version of Windows as the machine that is infected:
 Gpedit.msc – Copy from C:\Windows\System32
 Msconfig.exe – Copy from C:\Windows
 Regedit.exe – Copy from C:\Windows
 Tasklist.exe – Copy from C:\Windows\System32; not included in Windows Home
versions, but may be copied onto such a system
The following files contain the default values:
 Default Hosts file to reset any URL to IP Address translation
 Default Ntuser.pol file to restore Local Group Policies for this User
 Default Registry.pol file to restore Local Group Policies for this Computer
The following programs may be useful for detecting and removing malware:
 AdwCleaner – May be useful in finding and removing adware, toolbars, PUPs, and
browser hijackers. Download from
http://www.bleepingcomputer.com/download/adwcleaner/.
 ComboFix – *** DO NOT USE ***. While this program served a useful purpose at
one time, it has always been risky to use. Even Bleeping Computer, the usual
source of downloading ComboFix, warns that it should be used only at the
direction of, and under the supervision of, a technician trained by Bleeping
Computer. With the range of other, safer tools available to you today and
covered in this workshop, there is no longer any good reason to risk the possible
bad outcome of running ComboFix.
 D7 – A set of tools that can be useful in detecting and removing malware;
download from http://www.foolishit.com/d7/.
 dBug – A tiny utility that serves the same purpose as Killemall in Windows, also
from FoolishIT at https://www.foolishit.com/vb6-projects/dbug/.
 Emsisoft Anti-Malware 9.0 – Full-featured anti-virus program offering active
protection; download from http://www.emsisoft.com/en/.
 Farbar Recovery Scan Tool (FRST) – May help diagnose malware issues.
Download from Bleeping Computer at
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/.
 HijackThis – Helps repair browser hijackings; download from
http://www.trendmicro.com/ftp/products/hijackthis/HiJackThis.msi.
 Junkware Removal Tool (JRT) – May be useful in finding and removing adware,
toolbars, and PUPs, including the Ask Toolbar and Conduit. Download from
Bleeping Computer at http://www.bleepingcomputer.com/download/junkware-removal-tool/.
 Killemall – Program included in D7 to terminate all but required Windows
Processes; you may download killemall.scr alone for free, from
https://www.foolishit.com/vb6-projects/killemall/.
 MalwareBytes – First choice for scanning an infected computer for viruses and
spyware; download from
http://www.malwarebytes.org/products/malwarebytes_free
If the infected computer is not connected to the Internet, you can manually
download the Current Definitions using the following procedure: On a working
(uninfected) computer, copy the following files to a flash drive:
o Rules.ref and Database.conf (in the Configuration folder)
The location of these files will be different, depending upon the Operating
System:
Windows XP and 2000: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\
Windows Vista, 7 and 8: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\
Paste the copied files from the flash drive into the appropriate locations on the
infected computer. That computer will then have the updated definitions.
 Microsoft Malicious Software Removal Tool – download from
http://www.microsoft.com/en-us/download/details.aspx?id=16
 Rkill.exe – This program will kill processes associated with rogue security
software, but will sometimes terminate legitimate processes as well; use with
care. Download from http://download.bleepingcomputer.com/grinler/rkill.exe.
 RogueKiller – A security tool that can be used to terminate and remove malicious
processes and programs from infected computers. It has the ability to remove
infections such as ZeroAccess, TDSS, rogues, and Ransomware. Download from
http://www.bleepingcomputer.com/download/roguekiller/.
 SuperAntiSpyware Portable Scanner – Another malware removal tool; download
from http://www.superantispyware.com/portablescanner.html.
 Symantec Malware Removal Tools – If you know what malware has infected a
system, one of the free removal tools for that specific program may be effective.
This is a link to the entire list:
http://www.symantec.com/norton/security_response/removaltools.jsp.
 TechSuite, from RepairTech – This is a set of tools that can be helpful with several
aspects of malware detection and removal. It now includes a program called
Registry Investigator, which was developed to the specifications defined by The
Virus Doctor. The vendor offers a discount to graduates of the Virus Remediation
Training workshop; ask them for details. https://repairtechsolutions.com/.
 VIPRERescue – This is a self-contained version of VIPRE that will run from Safe
Mode, Command Prompt Only; download from http://live.sunbeltsoftware.com/.
The following programs provide additional protection against infections that may avoid
detection by most anti-virus and anti-malware programs. They are specifically intended
to block exploits such as those used by CryptoLocker and similar encrypting
Ransomware:
 CryptoPrevent – Download from https://www.foolishit.com/vb6-projects/cryptoprevent/
 HitmanPro.Alert – Download from http://www.surfright.nl/en/downloads/
 MalwareBytes Anti-Exploit Premium – Download from
http://www.malwarebytes.org/antiexploit/premium/
The following programs may be helpful in dealing with Rootkit infections:
 aswMBR.exe, from Avast. Download from Bleeping Computer, at
http://www.bleepingcomputer.com/download/aswmbr/.
 TDL4 Rootkit Removal Tools by BitDefender – Two programs available, one for
32-bit versions of Windows and one for 64-bit versions; download from
http://www.malwarecity.com/blog/free-removal-tool-for-tdl4-available-now1106.html.
 GMER – Will detect rootkit activity, most recent versions will remove or repair
such infections; download from http://www.gmer.net/.
 TDSS Killer – Highly regarded rootkit detection and removal tool, from Kaspersky;
download from http://support.kaspersky.com/viruses/solutions?qid=208280684.
 MalwareBytes Anti-Rootkit (Mbar.exe) – This program is still in beta, as it has
been for a long time. But it comes from a reputable vendor with a good track
record, and seems to include enough “undo” capabilities to make it safe to use.
Download from http://www.malwarebytes.org/products/mbar/.
 Rootkit Revealer – Originally developed by Sysinternals, now available from
Microsoft; published in 2006, but may still be useful in some cases of rootkit
infection. Download from http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx.
 Panda Cloud Cleaner – Replaces Panda Anti-Rootkit; download from
http://www.pandasecurity.com/usa/enterprise/support/card?id=1672.
 Sophos Anti-Rootkit – Another rootkit removal tool, from a reputable vendor of
anti-virus software; download from http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html.
 HitmanPro – Detects and repairs rootkits, has nice user interface but in some
cases the repairs could lead to additional problems; download from
http://www.surfright.nl/en.
 Symantec FixTDSS – download from
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/fixTDSS.exe
 Trend Micro Rootkit Buster – download from
http://downloadcenter.trendmicro.com/index.php?regs=NABU&clk=result_page&clkval=drop_list&catid=6&prodid=155.
The following files step you through the possible infection points of their respective
Operating Systems, taking you directly to the specified file, directory, or Registry key:
 Regstep.bat – Run this batch file in Windows XP or Windows Server 2003 to
manually inspect the Registry for symptoms of malware infection.
 Regstep – Win7.bat – Run this batch file in Windows Vista, Windows 7, Windows
8, or Windows Server 2008 to manually inspect the Registry for symptoms of
malware infection; must Run as Administrator (right-click and choose this option,
even if you are already logged on as Administrator).
The following files are used to repair specific damage caused by malware infections. Double-click on each one to perform the indicated function. Unless otherwise noted, all were developed and are Copyright by Viruseminars.com:
• Exefile Fix.reg – Import this Registry file in Windows XP or Windows Server 2003 if no .exe files will run.
• Exefile Fix Win7.reg – Import this Registry file in Windows Vista, Windows 7, Windows 8, or Windows Server 2008 if no .exe files will run; must Run as Administrator (right-click and choose this option, even if you are already logged on as Administrator).
• BAT files to fix the following symptoms:
  o Enablecommand.bat – Run this batch file if you can't access the Command Prompt
  o Enabledisprop.bat – Run this batch file if you can't access the Display Properties
  o Enableregedit.bat – Run this batch file if you can't run Regedit
  o Enablerun.bat – Run this batch file if you can't access the Run command
  o Enabletaskmgr.bat – Run this batch file if you can't run Task Manager
  o Fixshell.bat – Run this batch file to restore Winlogon entries to correct values
  o Unblockapps.bat – Run this batch file if you can't run specific programs
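The contents of the batch and .reg files above are not reproduced in this manual, so the script below is an added example (it is not one of the Viruseminars.com files and is not part of the original training text) that does in PowerShell what Regstep does by hand: it visits the Registry locations those files target, reports every value that differs from the Windows default, and with -Repair restores the default that the Enable*.bat, Fixshell.bat and Exefile Fix .reg files are described as restoring. Exactly which values those files touch is an assumption on my part; the key paths and default data are standard Windows values. Like the Win7 versions of the batch files, run it from a PowerShell session started with Run as Administrator.

```powershell
# Added example, not the Viruseminars.com batch/.reg files: audit (and with -Repair, reset)
# the Registry locations malware tampers with to produce the symptoms listed above.
# Which values the original files touch is an assumption; the defaults are Windows defaults.
[CmdletBinding()]
param([switch]$Repair)

$policySystem   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policyExplorer = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$policyCmd      = 'Software\Policies\Microsoft\Windows\System'
$winlogon       = 'Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# One entry per check: key, value name, expected data, and the symptom seen when it is tampered with.
# Expected = $null means the value must not exist (these policy restrictions are absent by default).
$checks = @()
foreach ($hive in 'HKCU:', 'HKLM:') {
    $checks += @{ Path="$hive\$policySystem";   Name='DisableRegistryTools'; Expected=$null; Symptom="can't run Regedit" }
    $checks += @{ Path="$hive\$policySystem";   Name='DisableTaskMgr';       Expected=$null; Symptom="can't run Task Manager" }
    $checks += @{ Path="$hive\$policySystem";   Name='NoDispCPL';            Expected=$null; Symptom="can't open Display Properties" }
    $checks += @{ Path="$hive\$policyCmd";      Name='DisableCMD';           Expected=$null; Symptom="can't open the Command Prompt" }
    $checks += @{ Path="$hive\$policyExplorer"; Name='NoRun';                Expected=$null; Symptom="can't use the Run command" }
    $checks += @{ Path="$hive\$policyExplorer"; Name='DisallowRun';          Expected=$null; Symptom="specific programs are blocked" }
}
# Winlogon: malware swaps Shell/Userinit, or plants a per-user Shell value that overrides the machine one.
$checks += @{ Path="HKLM:\$winlogon"; Name='Shell';    Expected='explorer.exe';                            Symptom='wrong shell at logon' }
$checks += @{ Path="HKLM:\$winlogon"; Name='Userinit'; Expected="$env:SystemRoot\system32\userinit.exe,"; Symptom='logon loop / no desktop' }
$checks += @{ Path="HKCU:\$winlogon"; Name='Shell';    Expected=$null;                                    Symptom='per-user shell hijack' }
# .exe association: when either of these is hijacked, no .exe will run (the Exefile Fix.reg symptom).
$checks += @{ Path='Registry::HKEY_CLASSES_ROOT\.exe';                       Name='(default)'; Expected='exefile'; Symptom='no .exe files will run' }
$checks += @{ Path='Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Name='(default)'; Expected='"%1" %*'; Symptom='no .exe files will run' }

# Read one value, returning $null when the key or the value does not exist.
function Get-RegValue([string]$Path, [string]$Name) {
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# Compare every check against its expected data; optionally put the default back.
function Invoke-RegAudit([hashtable[]]$Checks, [switch]$Repair) {
    foreach ($c in $Checks) {
        $actual = Get-RegValue $c.Path $c.Name
        $ok = if ($null -eq $c.Expected) { $null -eq $actual } else { "$actual" -eq $c.Expected }
        $status = if ($ok) { 'OK' } else { 'TAMPERED' }
        if (-not $ok -and $Repair) {
            if ($null -eq $c.Expected) {
                # Restriction present: removing the value lifts it. A DisallowRun list subkey, if any,
                # is inert once the DisallowRun value itself is gone.
                Remove-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction Stop
            } else {
                if (-not (Test-Path -LiteralPath $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
                Set-ItemProperty -LiteralPath $c.Path -Name $c.Name -Value $c.Expected
            }
            $status = 'REPAIRED'
        }
        [pscustomobject]@{ Status=$status; Symptom=$c.Symptom; Key=$c.Path; Value=$c.Name; Expected=$c.Expected; Actual=$actual }
    }
}

Invoke-RegAudit -Checks $checks -Repair:$Repair | Format-Table -AutoSize Status, Symptom, Key, Value, Actual
```

Run it once without -Repair and read the TAMPERED rows before changing anything; as with any Registry edit, export the affected keys first (reg export, or File > Export in Regedit) so the change can be undone. The script only removes restriction values and resets the documented defaults; it does not remove whatever program the malware pointed Shell, Userinit or the exefile command at, so treat each TAMPERED row as a lead to the infection's files, not as the end of the cleanup.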
The following links take you to sites where you may download bootable CD images to boot into non-Windows Operating Systems:
• AVG Rescue CD – Download from http://www.avg.com/ie-en/avg-rescue-cd
• Avast! 2014 Rescue Disk – Download from http://www.avast.com/enus/faq.php?article=AVKB114
• Avira Antivir Rescue System Boot CD – Download from http://www.avira.com/en/support-download-avira-antivir-rescue-system
• Bart-PE – Download from http://download.cnet.com/BartPE-Bootable-LiveWindows-CD-DVD/3000-2094_4-10611131.html
• Hiren's BootCD – Download from http://www.hirensbootcd.org/tag/downloadhirens-bootcd/
• Kaspersky Rescue Disk 10 – download from http://support.kaspersky.com/viruses/rescuedisk/main?qid=208286084.
• Knoppix – Download from http://www.knoppix.net/
• The Ultimate Boot CD – Download from http://www.ultimatebootcd.com/; while this is one of the original bootable CDs, recent reports indicate that it may have outlived its usefulness.
A recent entry in the arena of bootable CDs is from Microsoft, known as Windows
Defender Offline. Note that this is a completely different program from the antispyware product by Microsoft bearing a similar name. This program appears to be an
updated version of Microsoft Standalone System Sweeper.
The program can be used to create a bootable CD, DVD, or USB thumb drive with
current malware definitions. You may find more details here:
http://windows.microsoft.com/en-US/windows/what-is-windows-defender-offline.
One final resource may be useful if you are suspicious of a particular file. This site gives you the legitimate MD5 and SHA-1 hash values for a given Windows system file, so that you can compare them with the hashes of the file in question. Compare both hashes, and make sure the reference values were taken from the same Windows version and service pack as the system you are examining, since legitimate system files change with every update:
http://spybotupdates.biz/files/filealyz2.0.3.50.exe#hash(md5:11664F19C467EFE118F015DF966CD3AF)