How to Detect and Remove Malware


Oct 26, 2013



BY: Wally Beck
Gainesville College - http://www.gc.peachnet.edu/www/wbeck

Run Ad-Aware SE from www.lavasoftusa.com. Duh!


Determine what processes are running using Task Manager

1. Press CTRL-ALT-DEL and click Task Manager.

2. Click the Processes tab.

3. Examine all the running processes and look for spyware, adware and any other program you cannot account for. Note the image name of each one you do not recognise; those are the names to look for in the startup and port checks that follow.

4. Be aware that some malware does not appear in the process list (for example, keystroke-logging software), and some runs inside a legitimate process such as Explorer.exe or Internet Explorer instead of as a process of its own.


Determine which applications are running at startup

1. Click Start, then click Run.

2. Type msconfig and press Enter. The Microsoft System Configuration Utility window appears.

3. Click the Services tab.

4. Check Hide All Microsoft Services. Only the non-Microsoft services remain in the list.

5. Uncheck any services that you suspect to be malware.

6. Click the Startup tab.

7. Uncheck any applications that you suspect to be malware.

8. Click OK and reboot your computer to test.

Unchecking an entry in msconfig only stops it from being started; the program's files stay on disk, so follow up with a scan or remove them by hand. msconfig also does not show every place a program can be started from (Internet Explorer add-ons, for example, are loaded by the browser itself). If a process you unchecked is back after the reboot, it is being started from somewhere msconfig does not list, or by another process, as described under "Removing Watchful Spyware" below.



Determine if a local application is communicating with a remote computer

1. Use the Port Query (portqry.exe) Version 2.0 tool from Microsoft.
http://support.microsoft.com/default.aspx?scid=kb;en-us;310099&sd=tech

2. Portqry.exe is a command-line utility that you can use to help troubleshoot TCP/IP connectivity issues. Portqry.exe runs on Windows 2000-based computers, on Windows XP-based computers, and on Windows Server 2003-based computers. The utility reports the port status of TCP and UDP ports on a computer that you select. Run with the -local switch it reports on this computer: every TCP and UDP port in use, the process ID (PID) that owns it, the state of each TCP connection, and the remote address it is connected to.

3. Open a Command Prompt window. Type portqry -local > C:\Port.log and press Enter. Do this from an administrator account; the tool's own note in the output says that otherwise it cannot read the details of some processes.

4. This command runs Port Query on the local PC and saves the results to Port.log in the root of drive C:.

5. An example of the portqry.exe results is shown below. The first table maps each port to a PID. The "Port and Module Information by Process" section that follows names the program (for example svchost.exe) and the services running inside each PID, which is what ties a port to something you can look up. Read the ESTABLISHED lines first: the Remote IP:Port column shows which computer each process is talking to, and a process you did not recognise in Task Manager that holds an ESTABLISHED connection to a computer you do not know is the clearest sign of malware this check can give. In the example every ESTABLISHED connection belongs to the System process (PID 4) and goes to port 445 or 139, which is Windows file and printer sharing with other computers. Then check the LISTENING lines bound to 0.0.0.0 or to the computer's own address (168.30.241.19 here); those ports are reachable from the network, while ports bound to 127.0.0.1 are not. The listing is a snapshot, so repeat it a few times; netstat -ano, which is built into Windows XP, shows the same PID-to-port mapping without the service names and is a quick cross-check. The original handout printed the normal Windows XP processes in bold and the processes related to applications (Symantec AntiVirus and Ghost, the NI Service Locator and Word in this example) in italics.


    C:\Documents and Settings\wbeck>portqry -local > C:\Port.log

    Processing local system's ports...

    TCP/UDP Port to Process Mappings

    28 mappings found

    PID     Port        Local IP         State          Remote IP:Port
    4       TCP 445     0.0.0.0          LISTENING      0.0.0.0:63493
    4       TCP 139     168.30.241.19    LISTENING      0.0.0.0:2048
    4       TCP 1227    168.30.241.19    ESTABLISHED    168.30.210.18:445
    4       TCP 1243    168.30.241.19    ESTABLISHED    168.30.210.83:139
    4       TCP 1278    168.30.241.19    ESTABLISHED    168.24.4.141:445
    4       TCP 1284    168.30.241.19    ESTABLISHED    168.24.4.142:445
    4       TCP 2289    168.30.241.19    ESTABLISHED    168.30.210.38:445
    4       TCP 2908    168.30.241.19    ESTABLISHED    168.30.210.18:445
    4       TCP 3485    168.30.241.19    ESTABLISHED    168.30.210.87:445
    4       UDP 445     0.0.0.0                         *:*
    4       UDP 137     168.30.241.19                   *:*
    4       UDP 138     168.30.241.19                   *:*
    156     TCP 1042    127.0.0.1        LISTENING      0.0.0.0:39166
    644     UDP 1047    127.0.0.1                       *:*
    700     UDP 500     0.0.0.0                         *:*
    700     UDP 4500    0.0.0.0                         *:*
    700     UDP 1027    127.0.0.1                       *:*
    860     TCP 3389    0.0.0.0          LISTENING      0.0.0.0:28919
    928     TCP 135     0.0.0.0          LISTENING      0.0.0.0:39054
    1020    UDP 123     127.0.0.1                       *:*
    1020    UDP 123     168.30.241.19                   *:*
    1072    UDP 1025    0.0.0.0                         *:*
    1072    UDP 1026    0.0.0.0                         *:*
    1600    UDP 1346    0.0.0.0                         *:*
    1656    TCP 3580    0.0.0.0          LISTENING      0.0.0.0:20645
    1668    UDP 2967    0.0.0.0                         *:*
    2768    UDP 3483    127.0.0.1                       *:*
    3520    UDP 2038    127.0.0.1                       *:*

    Port Statistics

    TCP mappings: 13
    UDP mappings: 15

    TCP ports in a LISTENING state:     6 = 46.15%
    TCP ports in a ESTABLISHED state:   7 = 53.85%

    Port and Module Information by Process

    Note: restrictions applied to some processes may
          prevent PortQry from accessing more information
          For best results run PortQry in the context of
          the local administrator

    ======================================================
    Process ID: 0 (System Idle)
    System Idle Process
    ======================================================
    Process ID: 4 (System)
    System Process

    PID     Port        Local IP         State          Remote IP:Port
    4       TCP 445     0.0.0.0          LISTENING      0.0.0.0:63493
    4       TCP 139     168.30.241.19    LISTENING      0.0.0.0:2048
    4       TCP 1227    168.30.241.19    ESTABLISHED    168.30.210.18:445
    4       TCP 1243    168.30.241.19    ESTABLISHED    168.30.210.83:139
    4       TCP 1278    168.30.241.19    ESTABLISHED    168.24.4.141:445
    4       TCP 1284    168.30.241.19    ESTABLISHED    168.24.4.142:445
    4       TCP 2289    168.30.241.19    ESTABLISHED    168.30.210.38:445
    4       TCP 2908    168.30.241.19    ESTABLISHED    168.30.210.18:445
    4       TCP 3485    168.30.241.19    ESTABLISHED    168.30.210.87:445
    4       UDP 445     0.0.0.0                         *:*
    4       UDP 137     168.30.241.19                   *:*
    4       UDP 138     168.30.241.19                   *:*
    ======================================================
    Process ID: 548 (smss.exe)
    Process doesn't appear to be a service
    ======================================================
    Process ID: 620
    Process doesn't appear to be a service
    ======================================================
    Process ID: 644 (winlogon.exe)
    Process doesn't appear to be a service

    PID     Port        Local IP         State          Remote IP:Port
    644     UDP 1047    127.0.0.1                       *:*
    ======================================================
    Process ID: 688 (services.exe)
    Service Name: Eventlog
    Display Name: Event Log
    Service Type: shares a process with other services

    Service Name: PlugPlay
    Display Name: Plug and Play
    Service Type: shares a process with other services
    ======================================================
    Process ID: 700 (lsass.exe)
    Service Name: Netlogon
    Display Name: Net Logon
    Service Type: shares a process with other services

    Service Name: PolicyAgent
    Display Name: IPSEC Services
    Service Type: shares a process with other services

    Service Name: ProtectedStorage
    Display Name: Protected Storage

    Service Name: SamSs
    Display Name: Security Accounts Manager
    Service Type: shares a process with other services

    PID     Port        Local IP         State          Remote IP:Port
    700     UDP 500     0.0.0.0                         *:*
    700     UDP 4500    0.0.0.0                         *:*
    700     UDP 1027    127.0.0.1                       *:*
    ======================================================
    Process ID: 860 (svchost.exe)
    Service Name: DcomLaunch
    Display Name: DCOM Server Process Launcher
    Service Type: shares a process with other services

    Service Name: TermService
    Display Name: Terminal Services
    Service Type: shares a process with other services

    PID     Port        Local IP         State          Remote IP:Port
    860     TCP 3389    0.0.0.0          LISTENING      0.0.0.0:28919
    ======================================================
    Process ID: 928
    Service Name: RpcSs
    Display Name: Remote Procedure Call (RPC)
    Service Type: shares a process with other services

    PID     Port        Local IP         State          Remote IP:Port
    928     TCP 135     0.0.0.0          LISTENING      0.0.0.0:39054
    ======================================================
    Process ID: 1020 (svchost.exe)
    Service Name: AppMgmt
    Display Name: Application Management
    Service Type: shares a process with other services

    Service Name: AudioSrv
    Display Name: Windows Audio
    Service Type: shares a process with other services

    Service Name: BITS
    Display Name: Background Intelligent Transfer Service
    Service Type: shares a process with other services

    Service Name: CryptSvc
    Display Name: Cryptographic Services
    Service Type: shares a process with other services

    Service Name: Dhcp
    Display Name: DHCP Client
    Service Type: shares a process with other services

    Service Name: dmserver
    Display Name: Logical Disk Manager
    Service Type: shares a process with other services

    Service Name: ERSvc
    Display Name: Error Reporting Service
    Service Type: shares a process with other services

    Service Name: EventSystem
    Display Name: COM+ Event System
    Service Type: shares a process with other services

    Service Name: helpsvc
    Display Name: Help and Support
    Service Type: shares a process with other services

    Service Name: lanmanworkstation
    Display Name: Workstation
    Service Type: shares a process with other services

    Service Name: Messenger
    Display Name: Messenger
    Service Type: shares a process with other services

    Service Name: Netman
    Display Name: Network Connections

    Service Name: Nla
    Display Name: Network Location Awareness (NLA)
    Service Type: shares a process with other services

    Service Name: RasMan
    Display Name: Remote Access Connection Manager
    Service Type: shares a process with other services

    Service Name: Schedule
    Display Name: Task Scheduler

    Service Name: seclogon
    Display Name: Secondary Logon

    Service Name: SENS
    Display Name: System Event Notification
    Service Type: shares a process with other services

    Service Name: SharedAccess
    Display Name: Windows Firewall/Internet Connection Sharing (ICS)
    Service Type: shares a process with other services

    Service Name: ShellHWDetection
    Display Name: Shell Hardware Detection
    Service Type: shares a process with other services

    Service Name: TapiSrv
    Display Name: Telephony
    Service Type: shares a process with other services

    Service Name: Themes
    Display Name: Themes
    Service Type: shares a process with other services

    Service Name: TrkWks
    Display Name: Distributed Link Tracking Client
    Service Type: shares a process with other services

    Service Name: W32Time
    Display Name: Windows Time
    Service Type: shares a process with other services

    Service Name: winmgmt
    Display Name: Windows Management Instrumentation
    Service Type: shares a process with other services

    Service Name: wuauserv
    Display Name: Automatic Updates
    Service Type: shares a process with other services

    Service Name: WZCSVC
    Display Name: Wireless Zero Configuration
    Service Type: shares a process with other services

    PID     Port        Local IP         State          Remote IP:Port
    1020    UDP 123     127.0.0.1                       *:*
    1020    UDP 123     168.30.241.19                   *:*
    ======================================================
    Process ID: 1072
    Service Name: Dnscache
    Display Name: DNS Client
    Service Type: shares a process with other services

    PID     Port        Local IP         State          Remote IP:Port
    1072    UDP 1025    0.0.0.0                         *:*
    1072    UDP 1026    0.0.0.0                         *:*
    ======================================================
    Process ID: 1112
    Service Name: LmHosts
    Display Name: TCP/IP NetBIOS Helper
    Service Type: shares a process with other services

    Service Name: WebClient
    Display Name: WebClient
    Service Type: shares a process with other services
    ======================================================
    Process ID: 1540 (DefWatch.exe)
    Service Name: DefWatch
    Display Name: DefWatch
    ======================================================
    Process ID: 1600 (ngctw32.exe)
    Service Name: NGClient
    Display Name: Symantec Ghost Client Agent

    PID     Port        Local IP         State          Remote IP:Port
    1600    UDP 1346    0.0.0.0                         *:*
    ======================================================
    Process ID: 1656 (niSvcLoc.exe)
    Service Name: niSvcLoc
    Display Name: NI Service Locator

    PID     Port        Local IP         State          Remote IP:Port
    1656    TCP 3580    0.0.0.0          LISTENING      0.0.0.0:20645
    ======================================================
    Process ID: 1668 (Rtvscan.exe)
    Service Name: Norton AntiVirus Server
    Display Name: Symantec AntiVirus Client

    PID     Port        Local IP         State          Remote IP:Port
    1668    UDP 2967    0.0.0.0                         *:*
    ======================================================
    Process ID: 1748
    Service Name: UMWdf
    Display Name: Windows User Mode Driver Framework
    Service Type: runs in its own process
    ======================================================
    Process ID: 156
    Service Name: ALG
    Display Name: Application Layer Gateway Service
    Service Type: runs in its own process

    PID     Port        Local IP         State          Remote IP:Port
    156     TCP 1042    127.0.0.1        LISTENING      0.0.0.0:39166
    ======================================================
    Process ID: 2076 (Explorer.EXE)
    Process doesn't appear to be a service
    ======================================================
    Process ID: 3520 (spoolsv.exe)
    Service Name: Spooler
    Display Name: Print Spooler

    PID     Port        Local IP         State          Remote IP:Port
    3520    UDP 2038    127.0.0.1                       *:*
    ======================================================
    Process ID: 3484 (svchost.exe)
    Service Name: stisvc
    Display Name: Windows Image Acquisition (WIA)
    Service Type: shares a process with other services
    ======================================================
    Process ID: 2768 (Winword.exe)
    Process doesn't appear to be a service

    PID     Port        Local IP         State          Remote IP:Port
    2768    UDP 3483    127.0.0.1                       *:*
    ======================================================
    Process ID: 3664 (cmd.exe)
    Process doesn't appear to be a service
    ======================================================
    Process ID: 3108 (PortQry.exe)
    Process doesn't appear to be a service
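Reading a Port.log by eye works for 28 mappings; on a busy machine it does not. The Python below is an added example, not part of the handout, that does the two reads described above mechanically: it parses the port table and the "Port and Module Information by Process" section of portqry -local output, ties every port back to an image name and its services, and then flags ESTABLISHED connections to hosts you have not listed as known, plus TCP listeners and UDP sockets bound to anything other than 127.0.0.1. The sample output is constructed in the handout's format; the Winword.exe connection to 203.0.113.7 (a documentation address) is made up so the check has something to report, and the known_hosts set is an assumption standing in for the servers you recognise on your own network.

```python
import re

# Constructed sample in the format "portqry -local" prints. The rows follow the
# style of the handout's listing; the Winword.exe connection to 203.0.113.7
# (a documentation address) is made up so that the check has something to flag.
SAMPLE_OUTPUT = """\
PID   Port       Local IP        State          Remote IP:Port
4     TCP 445    0.0.0.0         LISTENING      0.0.0.0:63493
4     TCP 1227   168.30.241.19   ESTABLISHED    168.30.210.18:445
156   TCP 1042   127.0.0.1       LISTENING      0.0.0.0:39166
860   TCP 3389   0.0.0.0         LISTENING      0.0.0.0:28919
1600  UDP 1346   0.0.0.0                        *:*
2768  TCP 1500   168.30.241.19   ESTABLISHED    203.0.113.7:80

======================================================
Process ID: 4 (System)
System Process
PID   Port       Local IP        State          Remote IP:Port
4     TCP 445    0.0.0.0         LISTENING      0.0.0.0:63493
4     TCP 1227   168.30.241.19   ESTABLISHED    168.30.210.18:445
======================================================
Process ID: 860 (svchost.exe)
Service Name: DcomLaunch
Display Name: DCOM Server Process Launcher
Service Type: shares a process with other services

Service Name: TermService
Display Name: Terminal Services
Service Type: shares a process with other services
======================================================
Process ID: 2768 (Winword.exe)
Process doesn't appear to be a service
"""

# One table row. UDP rows have no State column, so that group is optional.
MAPPING_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<port>\d+)\s+(?P<local>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<remote>\S+:\S+)\s*$")
PROCESS_RE = re.compile(r"^Process ID:\s*(?P<pid>\d+)(?:\s*\((?P<image>[^)]+)\))?")
SERVICE_RE = re.compile(r"^Service Name:\s*(?P<name>\S+)")


def parse_portqry(text):
    """Return (rows, processes): one dict per distinct table row (the per-process
    section repeats rows, so duplicates are dropped) and, per PID, the image name
    (None when portqry could not read it) and the services hosted in it."""
    rows, processes, seen, current = [], {}, set(), None
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"], row["port"] = int(row["pid"]), int(row["port"])
            if tuple(row.items()) not in seen:
                seen.add(tuple(row.items()))
                rows.append(row)
            continue
        m = PROCESS_RE.match(line)
        if m:
            current = processes.setdefault(
                int(m.group("pid")), {"image": m.group("image"), "services": []})
            continue
        m = SERVICE_RE.match(line)
        if m and current is not None:
            current["services"].append(m.group("name"))
    return rows, processes


def describe(pid, processes):
    """Label a PID with what the second half of the output knows: image and services."""
    info = processes.get(pid, {"image": None, "services": []})
    label = info["image"] or "unknown image"
    if info["services"]:
        label += ": " + ", ".join(info["services"])
    return "PID %d (%s)" % (pid, label)


def is_loopback(ip):
    return ip.startswith("127.") or ip == "::1"


def triage(text, known_hosts=frozenset()):
    """Flag ESTABLISHED connections to hosts outside known_hosts, and TCP listeners
    or UDP sockets bound to a non-loopback address, each tied to its process."""
    rows, processes = parse_portqry(text)
    remote, exposed = [], []
    for r in rows:
        rip, _, rport = r["remote"].rpartition(":")
        if r["state"] == "ESTABLISHED" and not is_loopback(rip) and rip not in known_hosts:
            remote.append((describe(r["pid"], processes), r["proto"], r["port"], rip, int(rport)))
        if r["state"] in ("LISTENING", None) and not is_loopback(r["local"]):
            exposed.append((describe(r["pid"], processes), r["proto"], r["port"], r["local"]))
    return {"remote": remote, "exposed": exposed}


if __name__ == "__main__":
    # known_hosts is an assumption standing in for the servers you recognise.
    report = triage(SAMPLE_OUTPUT, known_hosts=frozenset({"168.30.210.18"}))
    for who, proto, port, rip, rport in report["remote"]:
        print("talks to %s:%d  <- %s %s %d" % (rip, rport, who, proto, port))
    for who, proto, port, local in report["exposed"]:
        print("reachable on %s %s %d  <- %s" % (local, proto, port, who))
```

To check a real capture, replace SAMPLE_OUTPUT with the contents of C:\Port.log (or read the file in). On the handout's own listing the script reports nothing under "talks to" once the file servers on ports 445 and 139 are in known_hosts, and lists the SMB, RPC, Terminal Services, NI and Symantec sockets as reachable from the network, which is the same conclusion the text draws by hand; the point of the known_hosts list is that anything it does not cover is what you go and look at.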


Removing Malware hooked into Explorer.exe or Internet Explorer

Malware that loads inside Explorer.exe or Internet Explorer keeps its files in use for as long as those programs run, so a scanner cannot delete them. The script below ends both programs first, runs the scan, and then starts the Windows shell again.

1. On a Windows XP computer, using Notepad, create a file called RunAdAware.vbs and copy the following text into it.

    ' RunAdAware.vbs: end Explorer and Internet Explorer, run Ad-Aware SE, restart the shell
    Set ShellObj = WScript.CreateObject("WScript.Shell")
    Set FSO = WScript.CreateObject("Scripting.FileSystemObject")
    WinDir = LCase(Trim(FSO.GetSpecialFolder(0)))   ' Windows folder, e.g. c:\windows
    SysDir = LCase(Trim(FSO.GetSpecialFolder(1)))   ' System folder, e.g. c:\windows\system32

    ' Force-end every Explorer.exe and Iexplore.exe (window style 0 = hidden, True = wait for it to finish)
    ShellObj.Run SysDir & "\Taskkill.exe /F /IM Explorer.exe", 0, True
    ShellObj.Run SysDir & "\Taskkill.exe /F /IM Iexplore.exe", 0, True

    ' Run Ad-Aware SE Professional: /smart = smart scan, +auto = remove what it finds,
    ' +update = update the definition file first. Window style 3 = maximized; wait until it exits.
    ' Change the path if Ad-Aware is installed somewhere else.
    ShellObj.Run """C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe"" /smart +auto +update", 3, True

    ' Start the Windows shell again and return without waiting for it
    ShellObj.Run WinDir & "\Explorer.exe", 0, False
    WScript.Quit

2. Install Ad-Aware SE Professional or a comparable program.

3. Double-click RunAdAware.vbs to execute it.

4. All instances of Explorer.exe (the GUI and Windows Explorer windows) and Internet Explorer will be terminated. Ad-Aware SE will run, automatically update its definition file, and remove spyware.

5. Explorer.exe (the GUI) will load again.


Removing Watchful Spyware

Definition: Spyware that runs several processes. When one process is ended, the other process detects this and automatically creates a new one.

1. Run Task Manager.

2. Click the Processes tab.

3. Identify the watchful spyware processes. To do this, click a process and then click End Process.

4. If the process returns automatically, then it is a watchful spyware process. Note its image name, and repeat the test on the process that appears to be restarting it; you need the names of all of them.

5. On a Windows XP computer, using Notepad, create a file called KillSpyware.bat and copy the following text into it. Keep in mind that the EXE files listed below should be replaced by the EXE files that you identified as watchful spyware processes. (The EXEs listed below are actually watchful spyware processes, but they may not exist on your computer.)

    @echo off
    rem KillSpyware.bat: end the shell, the browser and every watchdog process, then restart the shell.
    rem Replace PIB.exe, TBPS.exe, WSup.exe, WToolsA.exe, WebRebates0.exe and WebRebates1.exe
    rem with the process names you identified in steps 3 and 4.
    rem explorer.exe is ended without /T: when this file is double-clicked, the cmd.exe that
    rem runs it is a child of explorer.exe, and /T would end this batch file as well.
    taskkill /F /IM explorer.exe
    taskkill /F /T /IM iexplore.exe
    taskkill /F /T /IM PIB.exe
    taskkill /F /T /IM TBPS.exe
    taskkill /F /T /IM WSup.exe
    taskkill /F /T /IM WToolsA.exe
    taskkill /F /T /IM WebRebates0.exe
    taskkill /F /T /IM WebRebates1.exe
    explorer.exe

6. Double-click KillSpyware.bat to execute it.

7. All instances of Explorer.exe (the GUI and Windows Explorer windows) and Internet Explorer will be terminated. All watchful spyware processes will be terminated. Explorer.exe (the GUI) will load again.

8. Run Ad-Aware SE or remove spyware manually. Do this straight away: the batch file only ends the running processes, and their startup entries will bring them back at the next logon unless they are removed as well (see the msconfig steps above).

Taskkill.exe is a utility that is built into Windows XP that can be used to kill processes. The /F switch forces the process to end. The /T switch also kills any child processes it started. The /IM switch identifies the process by image name, such as explorer.exe, and ends every running instance with that name. The batch file relies on taskkill ending the named processes in quick succession, faster than a partner process can restart them. If a process still comes back, its partner is running under a name you have not identified yet, or the spyware is polymorphic (see the next section).


Removing Polymorphic Spyware

Definition: Spyware that runs several processes. When a process is ended, the other process detects this and automatically creates a new process under a new, unique name, so a fixed list of names to kill, as in KillSpyware.bat above, is never complete.

1. Boot the computer into Safe Mode by pressing F8 during the boot process and selecting Safe Mode from the Advanced Options Menu. In Safe Mode the spyware's normal startup entries are not run, so there is no watchdog process left to recreate its partner.

2. Run msconfig and uncheck all spyware entries, on both the Services and the Startup tab, as described above.

3. Reboot the computer and run Ad-Aware SE.