Tuesday, January 26, 2010

Manually Killing Viruses, Part 2

It helps to have a known-clean example of every OS version you support, so you have something to compare the infected computer with. Not sure exactly what a healthy Registry key should contain? Look it up on your clean XP example machine.
And of course you need a second computer connected to the Internet to Google any questions: look up info on files, Registry values, viruses, and cleaning and repair advice for the situation you are in...

So we left off with the temp files deleted, and you had sorted the Windows and System32 folders by modification date to see which files were changed most recently. Suspicious files you moved to a dormant folder we named C:\Suspicious.
You can do the same inside the Program Files folder. There you can move entire folders.

Browse to the Startup folder in every profile on the computer (including All Users) and look for shortcuts to suspicious executables.
Check all Favorites, Quick Launch bars, Desktops, etc. for evil links.
Check the Microsoft Office startup folders too: C:\Program Files\Microsoft Office\Office12\STARTUP and \XLSTART, plus every profile's own Word and Excel startup folders.
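Here is one way to walk all of those startup locations in one pass and see what each shortcut actually launches. This is an added example, not code from the original post; it assumes a Windows XP layout (profiles under C:\Documents and Settings, Office 2007 under Office12) and PowerShell on the infected machine or on the drive mounted elsewhere, so adjust the root paths if yours differ.

```powershell
# Added example (not from the original post): enumerate the Startup folder
# of every profile (All Users included), the per-profile Word/Excel startup
# folders and the Office12 STARTUP/XLSTART folders, and resolve what each
# shortcut points at. Paths assume Windows XP and Office 2007; adjust them.
$profileRoot = 'C:\Documents and Settings'                       # assumed XP layout
$officeRoot  = 'C:\Program Files\Microsoft Office\Office12'       # from the post

$startupDirs = @()
foreach ($p in Get-ChildItem $profileRoot | Where-Object { $_.PSIsContainer }) {
    $startupDirs += Join-Path $p.FullName 'Start Menu\Programs\Startup'
    $startupDirs += Join-Path $p.FullName 'Application Data\Microsoft\Word\STARTUP'
    $startupDirs += Join-Path $p.FullName 'Application Data\Microsoft\Excel\XLSTART'
}
$startupDirs += Join-Path $officeRoot 'STARTUP'
$startupDirs += Join-Path $officeRoot 'XLSTART'

# Anything launched from a temp or profile-data folder, or pointing at a file
# that is no longer there, is worth a closer look. Heuristic, not a verdict.
$oddPlaces = 'Local Settings\\Temp', 'Application Data', 'Temporary Internet Files', 'Recycle'

$shell = New-Object -ComObject WScript.Shell
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($f in Get-ChildItem $dir -Force | Where-Object { -not $_.PSIsContainer }) {
        if ($f.Extension -eq '.lnk') {
            $lnk = $shell.CreateShortcut($f.FullName)
            $target = $lnk.TargetPath
            $targetArgs = $lnk.Arguments
        } else {
            # A bare .exe/.vbs/.dot/.xls dropped straight into a startup folder
            $target = $f.FullName
            $targetArgs = ''
        }
        $flags = @()
        if ($target -and -not (Test-Path $target)) { $flags += 'TARGET-MISSING' }
        foreach ($pat in $oddPlaces) { if ($target -match $pat) { $flags += 'ODD-LOCATION' } }
        "{0}`n    -> {1} {2}  {3}  (modified {4})" -f $f.FullName, $target, $targetArgs,
            ($flags -join ','), $f.LastWriteTime
    }
}
```

Run it and read the arrows: the left side is where the entry lives, the right side is what will run at logon or when Word or Excel starts. Compare anything flagged, or anything you don't recognise, against the same folders on the clean example machine before moving it to C:\Suspicious.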

If they have a legal copy of McAfee, you can download the latest McAfee definitions, expand them, and run a command-line scan. Example for the SuperDAT definition file named "sdat5873.exe"...
- Download the DAT or SuperDAT to the McAfee installation folder. Also download the latest engine (here, 5400eng.exe).
- Then open a command prompt at the same path and run the following command...
sdat5873.exe /e
- Then run 5400eng.exe to update the McAfee engine. If this fails, you're dead in the water until you can get the computer booted another way.
These files will not expand unless a licensed copy of McAfee is installed.
You may not get much feedback while the definitions expand, so open Task Manager and watch until sdat5873.exe drops out of the process list. On a slow computer this can take 15 minutes; on a fast computer, 20 seconds.
- Assuming all went well, and both the engine and the definitions are expanded, you should see quite a few new files, one being scan.exe and several ending in .dat. In the same command-prompt path, launch a scan with the following command...
scan.exe /adl /all /noexpire /clean /rpterr /report c:\ScanRpt.txt
This can take an hour.
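The same three steps as a script, so you are not watching Task Manager for the expansion to finish and you get a sanity check before the scan starts. This is an added example, not from the original post or from McAfee: it assumes PowerShell 2.0 (for Start-Process -Wait), the install folder named below, and that sdat5873.exe and 5400eng.exe are the files you downloaded. The switches are the ones given above; no others are assumed.

```powershell
# Added example (not from the original post): expand the SuperDAT, update the
# engine and launch the command-line scan, waiting for each step to finish.
# Assumed: PowerShell 2.0, the install folder below, the file names from the post.
$mcafee = 'C:\Program Files\McAfee\VirusScan Enterprise'   # assumed install folder
Set-Location $mcafee

# /e is the expand switch from the post. -Wait returns only when the process
# has exited, which is the "dropped out of Task Manager" check done for you.
$sdat = Start-Process -FilePath (Join-Path $mcafee 'sdat5873.exe') -ArgumentList '/e' -Wait -PassThru
"SuperDAT finished, exit code $($sdat.ExitCode)"

$eng = Start-Process -FilePath (Join-Path $mcafee '5400eng.exe') -Wait -PassThru
"Engine update finished, exit code $($eng.ExitCode)"

# Don't trust a scan until scan.exe and the .dat files are actually there.
$dats = @(Get-ChildItem -Path $mcafee -Filter '*.dat')
if (-not (Test-Path (Join-Path $mcafee 'scan.exe')) -or $dats.Count -eq 0) {
    throw "Expansion did not produce scan.exe and the .dat files in $mcafee; fix that before scanning"
}
"scan.exe present with $($dats.Count) .dat file(s); starting scan"

# Same switches as the post. Read the report file afterwards rather than
# relying on whatever scrolled past on the console.
& (Join-Path $mcafee 'scan.exe') /adl /all /noexpire /clean /rpterr /report C:\ScanRpt.txt
"scan.exe exit code: $LASTEXITCODE"
Get-Content C:\ScanRpt.txt | Select-Object -Last 20
```

If the expansion produced nothing (no license, or the SuperDAT refused to run), the throw stops you before a scan with stale or missing definitions gives a false sense of a clean machine.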

You can do the same sort of thing for Norton/Symantec: download the various stand-alone tools and start scanning.
You can also scan with the tools that come on the UltimateBootCD4Win. The CD carries all sorts of anti-virus and anti-malware scanners.

While that's churning, you can browse suspicious files some more.
One of the crafty things malicious hackers do is take a legitimate Microsoft file and rename it. A cursory glance at the file's properties shows a Microsoft company name and description, so it looks legit. But pay attention. Sometimes they'll take something like tftp.dll and rename it to something close, like ftfp.dll, and their code uses trivial FTP to open a conduit for the hacker to take control of your computer, or to send out your passwords or credit card account numbers. So make sure the file name on disk matches what the properties say it is (the "Original File name" item on the Version tab). A mismatch is definitely suspicious.
To avoid DLL hell, Windows also keeps multiple copies of some DLLs on the hard drive: the system file cache (dllcache) and the side-by-side store (WinSxS) hold extra versions under the same file name in different folders, and a few legitimate files carry an internal name that differs from their name on disk. So a name that doesn't match the properties doesn't by itself prove a file is bad, but if it looks suspicious, like a tftp clone does, move it to the C:\Suspicious folder.
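Checking the "Original File name" by hand for every file in System32 is slow, so here is the same comparison done for the whole folder. This is an added example, not code from the original post; it assumes PowerShell 2.0, the two folders named in the post, and the extension list below. It also reports the Authenticode status of each file, with one caveat a practitioner needs: on XP most Microsoft system files are signed through catalog files rather than an embedded signature, so Get-AuthenticodeSignature reporting NotSigned for them is normal, whereas HashMismatch (a signed file whose contents have changed) is the status to take seriously.

```powershell
# Added example (not from the original post): flag files in the Windows and
# System32 folders whose name on disk does not match the OriginalFilename in
# their version resource, and record each file's Authenticode status.
# A mismatch is a lead, not a verdict: compare against the clean XP machine.
# Assumed: PowerShell 2.0, the folders and extensions below.
$dirs = 'C:\Windows', 'C:\Windows\System32'
$exts = '.exe', '.dll', '.sys', '.ocx', '.scr', '.cpl'

function Normalize-Name([string]$n) {
    # Lower-case, drop a trailing .mui and the extension, so that
    # "KERNEL32.DLL", "kernel32" and "kernel32.dll.mui" all compare equal.
    $n = $n.ToLower() -replace '\.mui$', ''
    return [System.IO.Path]::GetFileNameWithoutExtension($n)
}

$rows = foreach ($dir in $dirs) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer -and ($exts -contains $_.Extension.ToLower()) } |
      ForEach-Object {
        $orig = $_.VersionInfo.OriginalFilename
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # No version resource at all is also worth a look, so count it as a mismatch.
        $mismatch = (-not $orig) -or ((Normalize-Name $orig) -ne (Normalize-Name $_.Name))
        New-Object PSObject -Property @{
            Path      = $_.FullName
            Modified  = $_.LastWriteTime
            Company   = $_.VersionInfo.CompanyName
            Original  = $orig
            Mismatch  = $mismatch
            Signature = $sig.Status      # NotSigned is normal for catalog-signed XP files;
            Signer    = $signer          # HashMismatch means a signed file was altered.
        }
      }
}

# Mismatches first, newest first, so a freshly dropped rename floats to the top.
$rows | Sort-Object @{Expression='Mismatch'; Descending=$true}, @{Expression='Modified'; Descending=$true} |
    Format-Table Mismatch, Signature, Company, Original, Modified, Path -AutoSize |
    Out-File -Width 300 C:\NameCheck.txt
```

Open C:\NameCheck.txt and work down from the top: a recently modified file with Mismatch set, a non-Microsoft or empty Company, or a Signature of HashMismatch goes to C:\Suspicious; a file whose only oddity is a lower-case or extension-less Original name you can usually confirm as legitimate on the clean example machine.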

This concludes part 2.
Next, we'll get to the Registry.
Only a geek would think this is fun.
