Poll: How do YOU remove malware?

What is your technique for removing malware on either your own or others' PCs?

  • I just format and reinstall (Votes: 44, 21.8%)
  • I run various anti-virus/malware products and if they fail to remove it I end up reinstalling (Votes: 88, 43.6%)
  • I try to find and use a specific removal utility designed for the exact type of malware (Votes: 29, 14.4%)
  • I use tools like HijackThis/Sysinternals but not always successfully and I end up formatting (Votes: 10, 5.0%)
  • I use tools (as above) and have ways of preventing the malware from "coming back" (Votes: 31, 15.3%)

  Total voters: 202
Soldato. Joined: 21 Oct 2002. Posts: 18,022. Location: London & Singapore

Answers on a postcard...


When voting for option #5 please make a short post outlining your methods.
 
I never have to do malware removal on my own PC but for friends and family it is quite a common thing (probably 3 to 5 times per year on average).

My personal weapons of choice are:

Sysinternals Autoruns
Sysinternals Process Explorer
Sysinternals Rootkit Revealer
Regedit
NTFS Security

I use Autoruns and Procexp to get a broad view of the system and somehow I just "know" more or less instantly whether a filename looks dodgy or not. Then sure enough, after a quick look at the file properties it won't have any Version information like copyright, author or anything like that. Or sometimes it will but it will be badly written like "Micro soft (c)" or something ridiculous.

It is very common these days that malware automatically protects itself by recreating its startup entries in case they are deleted (i.e. by Autoruns). This can be frustrating because usually "budding malware removers" can't work around the issue and have to reinstall.

But there is a method to remove these types of malware that I have used successfully for years. I used it yesterday on 2 rootkits that were even hiding their files from being listed in Explorer or CMD or anywhere!

The method is NTFS Security!

If you can see the file in Explorer then just go to its Properties and then the Security tab. All you need to do is create two new entries in here, as follows:

1. Create a DENY rule for the "SYSTEM" account. When selecting the permissions to be denied tick the "Full Control" box.

2. Create a DENY rule for the "Everyone" account. When selecting the permissions to be denied ONLY tick the "List folder / read data" and "Traverse folder / execute file" options. All other check boxes should be left unchecked.

Once you have created these rules, press Apply/OK etc. to save the NTFS Security changes you have made to the file(s).

Use this procedure on as many suspected rogue files as possible and then reboot your machine. No need to go into safe mode.

When the machine reboots the system will still attempt to "load" the malware but because you have set an NTFS Security rule to DENY the "SYSTEM" account and the "Everyone" account from reading or executing the file... it will not be loaded. All of the "autostart" regions of Windows will fail silently. So if there is a HKLM\Software\Windows\CurrentVersion\Run entry that points to a file which the system cannot access at startup then you will not receive any warning or notification, but the file will not be loaded either.

Once booted back into Windows load up the Autoruns and Procexp again. Now you can attempt to delete the entries listed in the Autoruns software. Once you've deleted all the rogue entries perform a screen refresh (F5 key). The entries should NOT come back (i.e. they shouldn't be regenerated by the malware). If they do come back then it means that the malware is still running somewhere (perhaps you missed one of its companion files) and therefore it has regenerated its autostart entries.

This technique can be used with rootkits that hide their files as well; however, the procedure can be a little more involved... for the simple fact that while displaying the standard Explorer "File Properties" dialog is totally possible on a rootkit-hidden file, it is just not made easy by Explorer to do it. I made a utility to work around this if anyone wants it.
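The "does this file look dodgy" triage the post describes (empty or oddly written version info on an autostart entry) can be scripted. The following is an added example, not eXor's code or utility: it walks the standard Run/RunOnce keys, resolves each command line to a file, and reports the file's version information and Authenticode signature status. The registry paths and cmdlets are real; the "Suspicious" column is only the same heuristic the post uses, and the key list, function names and output format are the example's own choices. It only reads, so it is safe to run before touching anything.

```powershell
# Added example (not from the thread): triage Run/RunOnce autostart entries by the
# file-property clues described above. Assumes Windows PowerShell 5.1 or later.

function Get-RunEntryPath {
    # Recover the executable path from a Run value such as:  "C:\Tools\x.exe" /silent
    param([Parameter(Mandatory)][string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted paths with spaces are ambiguous, so grow the candidate one token at a time
    $tokens = $cmd -split ' '
    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $candidate = $tokens[0..$i] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-AutostartTriage {
    # Key list is the example's own choice; Autoruns covers many more locations than this
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $regKey = Get-Item -LiteralPath $key
        foreach ($name in $regKey.GetValueNames()) {
            $cmdLine = [string]$regKey.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($cmdLine)) { continue }
            $path    = Get-RunEntryPath -CommandLine $cmdLine
            $exists  = Test-Path -LiteralPath $path -PathType Leaf
            $company = $null; $description = $null; $signature = 'NotChecked'
            if ($exists) {
                # Same data the Explorer "Version" tab shows, plus the code-signing status
                $info        = (Get-Item -LiteralPath $path).VersionInfo
                $company     = $info.CompanyName
                $description = $info.FileDescription
                $signature   = (Get-AuthenticodeSignature -LiteralPath $path).Status
            }
            [pscustomobject]@{
                Key         = $key
                Name        = $name
                Path        = $path
                Exists      = $exists
                Company     = $company
                Description = $description
                Signature   = $signature
                # Heuristic only: missing file, empty version info, or no valid signature
                Suspicious  = (-not $exists) -or [string]::IsNullOrWhiteSpace($company) -or ("$signature" -ne 'Valid')
            }
        }
    }
}

Get-AutostartTriage | Sort-Object Suspicious -Descending |
    Format-Table Name, Path, Company, Signature, Suspicious -AutoSize
```

Entries flagged here are candidates to look at in Autoruns and Process Explorer, not verdicts: plenty of legitimate but unsigned software has empty version fields, and a valid signature on a file that was never part of the machine is still worth a second look.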
 
I've googled and googled but I've never seen my technique talked about or documented anywhere. Quite strange really considering it is such a simple and easy to use technique.

I believe the only malware/rootkit that at least partially prevents this technique is Conficker, but only because it sets the NTFS Security of its hidden rootkit files to deny the "Users" group all access to its files. But the "SYSTEM" account would still have access, so it would just be a case of executing a script under that account to modify the NTFS Security. It would be much more involved but still possible.
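The two DENY rules from the earlier post (Full Control denied to SYSTEM; only "List folder / read data" and "Traverse folder / execute file" denied to Everyone) can be applied from PowerShell instead of the Explorer Security tab, which also makes the "run a script under the SYSTEM account" case in the Conficker note practical. This is an added example, not eXor's utility: the FileSystemAccessRule constructor, Get-Acl/Set-Acl and the rights names are real .NET and PowerShell APIs; the function names and the constructed sample paths are the example's own. It assumes an elevated session whose account is allowed to change the file's ACL.

```powershell
# Added example (not eXor's utility): apply the thread's two DENY rules to suspected
# malware files and verify them before rebooting. Assumes an elevated PowerShell session.

function Set-MalwareQuarantineAcl {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
            Write-Warning "Skipping '$file': not found (a rootkit may be hiding it from the file API)"
            continue
        }
        $acl = Get-Acl -LiteralPath $file
        # Rule 1: DENY Full Control to SYSTEM, the account startup code and services run as
        $denySystem   = New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', 'Deny')
        # Rule 2: DENY only read-data and execute to Everyone (every other box left unchecked)
        $denyEveryone = New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'ReadData, ExecuteFile', 'Deny')
        $acl.AddAccessRule($denySystem)
        $acl.AddAccessRule($denyEveryone)
        if ($PSCmdlet.ShouldProcess($file, 'Add DENY ACEs for SYSTEM and Everyone')) {
            Set-Acl -LiteralPath $file -AclObject $acl
        }
    }
}

function Test-MalwareQuarantineAcl {
    # True when both DENY rules are present on the file; use it to confirm before rebooting
    param([Parameter(Mandatory)][string]$Path)
    $rights = [System.Security.AccessControl.FileSystemRights]
    $deny = (Get-Acl -LiteralPath $Path).Access | Where-Object { $_.AccessControlType -eq 'Deny' }
    $systemOk = [bool]($deny | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and $_.FileSystemRights -eq $rights::FullControl })
    $everyoneOk = [bool]($deny | Where-Object {
        $_.IdentityReference.Value -eq 'Everyone' -and
        (([int]$_.FileSystemRights -band [int]$rights::ReadData) -ne 0) -and
        (([int]$_.FileSystemRights -band [int]$rights::ExecuteFile) -ne 0) })
    return ($systemOk -and $everyoneOk)
}

# Constructed sample paths: replace with the files Autoruns/Procexp pointed you at
$suspects = @('C:\ProgramData\EXAMPLE-rogue.exe', 'C:\Windows\System32\EXAMPLE-rogue.dll')
Set-MalwareQuarantineAcl -Path $suspects -WhatIf      # drop -WhatIf to apply for real
$suspects | ForEach-Object {
    [pscustomobject]@{
        Path        = $_
        Quarantined = (Test-Path -LiteralPath $_) -and (Test-MalwareQuarantineAcl -Path $_)
    }
}
```

Two practical notes. Set-Acl re-applies the whole descriptor, so it can fail on a file whose current owner the caller is not permitted to set (TrustedInstaller-owned files are the usual case); taking ownership first gets past that. For the Conficker situation the post describes, where the Users group is denied but SYSTEM is not, the same script run as SYSTEM (for instance via Sysinternals PsExec with its -s switch) is the "script under that account" the post refers to.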
 
Oh my word, eXor. You must be one of the very, very, very few posters here that actually has a clue what they're talking about.


Most people these days seem to just give up immediately and post up "Switch to FireChrome instead, it's much more awesome but I don't know why." or "Switch to Linux it's so much more secure but again I don't actually know why - I think I read it somewhere on a pro-Linux web site."

:)
 