Your virus removal techniques

You sure as hell won't see many rootkits in Process Explorer.
Can they avoid detection by AutoRuns? I usually look under start ups, pending processes, services, and image hijacks (as I recall) then delete suspicious ones, then hit "refresh" and see if they reappear. If they do then I know a rootkit is still present.
1. To have a whitelist of known good system files, and
2. To check for Company information in the file.
What folders are you checking in?
Just the C:/Windows/System32/ folder?

And are you checking .exe files? .dll files? .sys files?

Do good system files ever get replaced by rootkit files, using the same name?

That white list must be a long one. I guess you note them from a clean install of XP, Vista, 7.

try something like OTL
What does OTL stand for?
Do good system files ever get replaced by rootkit files, using the same name?

That white list must be a long one. I guess you note them from a clean install of XP, Vista, 7.


What does OTL stand for?

1) Yes, system files are often replaced by malicious ones with the same name.

2) Examine the running processes from a clean install, and you will get a feel for what processes are normal, and those that are not. But, this is still not foolproof, as proved by point number 1 above.

3) OldTimer
Can they avoid detection by AutoRuns? I usually look under start ups, pending processes, services, and image hijacks (as I recall) then delete suspicious ones, then hit "refresh" and see if they reappear. If they do then I know a rootkit is still present.

I've got one right now on a virtual machine. I can see it has changed my DNS settings, added a scheduled task and has added several exe's and dll's to my system. Only the scheduled task shows up in Autoruns as far as I can tell. I can't see any pointers to the files I know are malware executables. So I'd say yes they can hide from autoruns.
So I'd say yes they can hide from autoruns.
I find that AutoRuns does display viruses that rootkits launch. Of course, how would I know if there are no outward signs of virus activity, such as a busy drive or hijacked searches? There's a virus now that keeps checking drives (like floppy drives) every 11 seconds. Sometimes this virus doesn't begin to check drives until you launch a browser.
I guess if there are no outward signs then you can only hope that all of the AV software that you run does its job. As far as AV software, I run MWB, Security Essentials, Superantispyware, SpyBot S & D. As a last resort I might run ComboFix.
Can they avoid detection by AutoRuns? I usually look under start ups, pending processes, services, and image hijacks (as I recall) then delete suspicious ones, then hit "refresh" and see if they reappear. If they do then I know a rootkit is still present.

What folders are you checking in?
Just the C:/Windows/System32/ folder?

And are you checking .exe files? .dll files? .sys files?

Do good system files ever get replaced by rootkit files, using the same name?

That white list must be a long one. I guess you note them from a clean install of XP, Vista, 7.


What does OTL stand for?

Yes, the nastier kernel-mode rootkits can completely evade Autoruns. As for which files are in question, it's always .sys if it's a kernel-mode driver modification. However, I tend to check DLLs as well for the sake of completeness, as it still turns up some additional malware that are not often modifications but just possibly overlookable.

As for good system files being replaced, nearly every TDSS rootkit since TDL3 was introduced has leveraged modification of a particular low-level kernel-mode driver file (.sys), using a spoofed creation time/date and modification time/date to prevent detection. The only real way to pinpoint the malicious driver is to check for Company information in the file (digital signature). The .sys missing this info that typically has it is the culprit.

This is getting to be an old-hat technique however; it won't be long before digital signatures are frequently spoofed on all rootkit-modified files as well I'd bet. Somehow!
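The driver check described in this reply (look for .sys files that lack the company/signature information they normally carry, and ignore timestamps because they can be spoofed), written out as a PowerShell script. This is an added example, not code posted in the thread; it assumes a Windows host with PowerShell 3 or later and read access to %SystemRoot%\System32\drivers, and the variable and property names are my own.

```powershell
# Added example (not from the thread): list kernel-mode driver files and flag those that
# have no company/publisher string or no valid Authenticode signature.
# File timestamps are deliberately NOT used as evidence, because the thread notes that
# TDSS-family rootkits spoof creation and modification times.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$report = Get-ChildItem -Path $driverDir -Filter '*.sys' -File | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    [PSCustomObject]@{
        Name      = $_.Name
        Company   = $_.VersionInfo.CompanyName
        SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}

# Candidates for manual inspection: no company string, or a signature that is absent or
# broken. A driver that normally carries both but now lacks them is the pattern the reply
# above describes. Caveat: on older Windows versions, Microsoft drivers signed only through
# a catalog file can show NotSigned here, so compare against a clean install of the same
# Windows version (the whitelist idea earlier in the thread) rather than treating
# NotSigned on its own as proof of tampering.
$suspect = $report | Where-Object {
    [string]::IsNullOrWhiteSpace($_.Company) -or $_.SigStatus -ne 'Valid'
}

$suspect | Sort-Object Name | Format-Table -AutoSize Name, Company, SigStatus, Signer

# Save the full listing so the same script run on a known-clean machine gives a baseline
# to diff hashes against (path is an assumption; change it to suit).
$report | Export-Csv -Path "$env:TEMP\driver-report.csv" -NoTypeInformation
```

Running the script on a clean install first and diffing the two CSV files by SHA256 catches the "same name, different contents" replacement the thread asks about, which the signature check alone may miss.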