How To Detect and Remove Malware

The document provides instructions on how to detect and remove malware from a computer. It recommends using Ad-Aware SE to scan for malware. It also describes how to use the Task Manager and MSCONFIG utility to check for suspicious processes running at startup or in the background. Additionally, it explains how to use the portqry tool to check if any local applications are communicating with remote computers, which could indicate malware.

Uploaded by: Iruma 入間
Copyright: © Attribution Non-Commercial (BY-NC)

How to Detect and Remove Malware

BY: Wally Beck Gainesville College - http://www.gc.peachnet.edu/www/wbeck

Run Ad-Aware SE from www.lavasoftusa.com


Duh!

Determine what processes are running using Task Manager

1. Press CTRL-ALT-DEL and click Task Manager.
2. Click the Processes tab.
3. Examine all the running processes and look for spyware and other malware. Task Manager shows only the image name, so a name you do not recognize is worth looking up, and a name that mimics a Windows process (a second "svchost.exe" that does not run from the Windows system folder, for example) is a warning sign.
4. Be aware that some malware does not appear in the process list at all, for example key-stroke logging software that runs as a DLL inside another process, or malware that hides its process with a rootkit.
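The following is an added example, not part of the original page: it does the review of step 3 with the facts Task Manager does not show (image path, Authenticode signer and parent process). It needs an elevated PowerShell 5.1 or later session on Windows 7 or later; the variable and column names are this example's own choices.

```powershell
# Added example (not from the original page): triage running processes
# using image path, signer and parent process instead of the name alone.
# Run elevated so that every process path is readable.

$windowsDir   = $env:SystemRoot                      # e.g. C:\Windows
$trustedRoots = @($windowsDir, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }                               # drop the empty entry on 32-bit Windows

# Parent PIDs come from WMI; Get-Process does not expose them.
$parentOf = @{}
$nameOf   = @{}
Get-CimInstance Win32_Process | ForEach-Object {
    $parentOf[[int]$_.ProcessId] = [int]$_.ParentProcessId
    $nameOf[[int]$_.ProcessId]   = $_.Name
}

$suspects = foreach ($p in Get-Process) {
    $reasons = @()

    if (-not $p.Path) {
        # Protected system processes (and every process when not elevated)
        # hide their path; list them rather than silently skip them.
        $reasons += 'image path not readable'
    } else {
        # On older Windows versions files that are signed only through a
        # catalog show up as NotSigned here: treat that as "look closer",
        # not as proof of malware.
        $sig = Get-AuthenticodeSignature -FilePath $p.Path -ErrorAction SilentlyContinue
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }

        $inTrustedDir = $false
        foreach ($root in $trustedRoots) {
            if ($p.Path -like "$root\*") { $inTrustedDir = $true }
        }
        if (-not $inTrustedDir) { $reasons += 'runs outside Windows/Program Files' }
    }

    # Genuine svchost.exe instances are started by services.exe; a look-alike
    # started by anything else is a classic sign of malware.
    $parentPid  = $parentOf[$p.Id]
    $parentName = if ($null -ne $parentPid -and $nameOf.ContainsKey($parentPid)) {
        $nameOf[$parentPid]
    } else {
        '<exited>'
    }
    if ($p.ProcessName -eq 'svchost' -and $parentName -ne 'services.exe') {
        $reasons += "svchost parent is '$parentName'"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            PID    = $p.Id
            Name   = $p.ProcessName
            Parent = $parentName
            Path   = $p.Path
            Reason = $reasons -join '; '
        }
    }
}

$suspects | Sort-Object Name | Format-Table -AutoSize -Wrap
```

Everything the script prints is a lead, not a verdict: an unsigned program in a user profile is worth a closer look, and an svchost.exe whose parent is not services.exe almost always is.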

Determine which applications are running at startup

1. Click Start, then click Run.
2. Type msconfig and press Enter. The Microsoft System Configuration Utility window appears.
3. Click the Services tab.
4. Check Hide All Microsoft Services. Only the non-Microsoft services remain in the list.
5. Uncheck any services that you suspect to be malware.
6. Click the Startup tab.
7. Uncheck any applications that you suspect to be malware.
8. Click OK and reboot your computer to test.

Unchecking an entry only stops it from starting; the files stay on disk until a scanner or you remove them. MSCONFIG also lists only the common startup locations (the Run registry keys, the Startup folder and the services list), so malware that registers itself elsewhere will not appear here.
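The following is an added example, not part of the original page: it lists what MSCONFIG's Startup and Services tabs list, together with the file behind each entry and who signed it, so that a "suspected" entry can be judged on more than its name. It needs an elevated PowerShell 5.1 or later session on Windows 7 or later; the function names are this example's own, and the signer-based filter only approximates MSCONFIG's "Hide All Microsoft Services".

```powershell
# Added example (not from the original page): enumerate the Run keys, the
# Startup folders and the non-Microsoft services with path and signer.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)

function Get-ImagePath([string]$commandLine) {
    # Extract the executable from '"C:\Program Files\X\x.exe" /arg' or
    # 'C:\X\x.exe /arg'. Loader commands (rundll32, regsvr32, cmd /c) report
    # the loader's path; inspect their arguments by hand.
    if ($commandLine -match '^\s*"([^"]+)"')  { return $matches[1] }
    if ($commandLine -match '^\s*(\S+\.exe)') { return $matches[1] }
    return $commandLine.Trim()
}

function Get-SignerName([string]$path) {
    # Shortcuts (.lnk) in the Startup folder show as NotSigned: resolve
    # their target before judging them.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return '<file missing>' }
    $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
    if ($sig.Status -ne 'Valid') { return "<$($sig.Status)>" }
    return $sig.SignerCertificate.Subject
}

$startup = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # PSPath, PSProvider, ... are not entries
        $exe = Get-ImagePath $prop.Value
        [pscustomobject]@{ Source = $key; Entry = $prop.Name; Command = $prop.Value; Signer = Get-SignerName $exe }
    }
})
$startup += @(foreach ($dir in $startupDirs) {
    foreach ($f in Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Source = $dir; Entry = $f.Name; Command = $f.FullName; Signer = Get-SignerName $f.FullName }
    }
})

# MSCONFIG's "Hide All Microsoft Services", approximated by signer: anything
# not signed by Microsoft, or not signed at all, stays in the list.
$services = @(foreach ($svc in Get-CimInstance Win32_Service) {
    $exe    = Get-ImagePath $svc.PathName
    $signer = Get-SignerName $exe
    if ($signer -notmatch 'O=Microsoft') {
        [pscustomobject]@{ Service = $svc.Name; State = $svc.State; StartMode = $svc.StartMode; Path = $exe; Signer = $signer }
    }
})

$startup  | Format-Table -AutoSize -Wrap
$services | Format-Table -AutoSize -Wrap
```

A service whose binary is missing, unsigned, or sitting in a user-writable folder is the kind of entry step 5 has you uncheck; the signer column is what makes that decision defensible.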

Determine if a local application is communicating with a remote computer

1. Use the Port Query (portqry.exe) Version 2.0 tool from Microsoft: http://support.microsoft.com/default.aspx?scid=kb;en-us;310099&sd=tech
2. Portqry.exe is a command-line utility that you can use to help troubleshoot TCP/IP connectivity issues. It runs on Windows 2000, Windows XP and Windows Server 2003 and reports the status of TCP and UDP ports on a computer that you select; with the -local switch it also maps each local port to the process that owns it.
3. Open a Command Prompt window, type portqry -local > C:\Port.log and press Enter.
4. This command runs Port Query against the local PC and saves the results in Port.log in the root of drive C:. Run it from an administrator account; otherwise PortQry cannot read the details of some processes (the output itself says so).
5. An example of the portqry.exe results is shown below. The normal Windows XP processes (bold in the original) are System, smss.exe, winlogon.exe, services.exe, lsass.exe, the svchost.exe service hosts, the ALG and UMWdf services, spoolsv.exe and Explorer.EXE; the processes that belong to installed applications (italic in the original) are the Symantec Ghost and AntiVirus agents, the NI Service Locator, Word, the command prompt and PortQry itself. What you are looking for is an ESTABLISHED connection, or a port in the LISTENING state bound to 0.0.0.0, that is owned by a process you cannot account for. In this listing the ESTABLISHED connections owned by PID 4 (System) to port 445 or 139 on other 168.x.x.x hosts are SMB file-sharing sessions, which are normal on a campus network, and the LISTENING ports are SMB (139, 445), RPC (135), Remote Desktop (3389), the Application Layer Gateway on loopback only (1042) and the NI Service Locator (3580).
C:\Documents and Settings\wbeck>portqry -local > C:\Port.log

Processing local system's ports...

TCP/UDP Port to Process Mappings

28 mappings found

PID    Port        Local IP         State         Remote IP:Port
4      TCP 445     0.0.0.0          LISTENING     0.0.0.0:63493
4      TCP 139     168.30.241.19    LISTENING     0.0.0.0:2048
4      TCP 1227    168.30.241.19    ESTABLISHED   168.30.210.18:445
4      TCP 1243    168.30.241.19    ESTABLISHED   168.30.210.83:139
4      TCP 1278    168.30.241.19    ESTABLISHED   168.24.4.141:445
4      TCP 1284    168.30.241.19    ESTABLISHED   168.24.4.142:445
4      TCP 2289    168.30.241.19    ESTABLISHED   168.30.210.38:445
4      TCP 2908    168.30.241.19    ESTABLISHED   168.30.210.18:445
4      TCP 3485    168.30.241.19    ESTABLISHED   168.30.210.87:445
4      UDP 445     0.0.0.0                        *:*
4      UDP 137     168.30.241.19                  *:*
4      UDP 138     168.30.241.19                  *:*
156    TCP 1042    127.0.0.1        LISTENING     0.0.0.0:39166
644    UDP 1047    127.0.0.1                      *:*
700    UDP 500     0.0.0.0                        *:*
700    UDP 4500    0.0.0.0                        *:*
700    UDP 1027    127.0.0.1                      *:*
860    TCP 3389    0.0.0.0          LISTENING     0.0.0.0:28919
928    TCP 135     0.0.0.0          LISTENING     0.0.0.0:39054
1020   UDP 123     127.0.0.1                      *:*
1020   UDP 123     168.30.241.19                  *:*
1072   UDP 1025    0.0.0.0                        *:*
1072   UDP 1026    0.0.0.0                        *:*
1600   UDP 1346    0.0.0.0                        *:*
1656   TCP 3580    0.0.0.0          LISTENING     0.0.0.0:20645
1668   UDP 2967    0.0.0.0                        *:*
2768   UDP 3483    127.0.0.1                      *:*
3520   UDP 2038    127.0.0.1                      *:*

Port Statistics

TCP mappings: 13
UDP mappings: 15

TCP ports in a LISTENING state:     6 = 46.15%
TCP ports in a ESTABLISHED state:   7 = 53.85%

Port and Module Information by Process

Note: restrictions applied to some processes may prevent PortQry from accessing more information
For best results run PortQry in the context of the local administrator

======================================================
Process ID: 0 (System Idle)
System Idle Process
======================================================
Process ID: 4 (System)
System Process

PID    Port        Local IP         State         Remote IP:Port
4      TCP 445     0.0.0.0          LISTENING     0.0.0.0:63493
4      TCP 139     168.30.241.19    LISTENING     0.0.0.0:2048
4      TCP 1227    168.30.241.19    ESTABLISHED   168.30.210.18:445
4      TCP 1243    168.30.241.19    ESTABLISHED   168.30.210.83:139
4      TCP 1278    168.30.241.19    ESTABLISHED   168.24.4.141:445
4      TCP 1284    168.30.241.19    ESTABLISHED   168.24.4.142:445
4      TCP 2289    168.30.241.19    ESTABLISHED   168.30.210.38:445
4      TCP 2908    168.30.241.19    ESTABLISHED   168.30.210.18:445
4      TCP 3485    168.30.241.19    ESTABLISHED   168.30.210.87:445
4      UDP 445     0.0.0.0                        *:*
4      UDP 137     168.30.241.19                  *:*
4      UDP 138     168.30.241.19                  *:*
======================================================
Process ID: 548 (smss.exe)
Process doesn't appear to be a service
======================================================
Process ID: 620
Process doesn't appear to be a service
======================================================
Process ID: 644 (winlogon.exe)
Process doesn't appear to be a service

PID    Port        Local IP         State         Remote IP:Port
644    UDP 1047    127.0.0.1                      *:*
======================================================
Process ID: 688 (services.exe)

Service Name        Display Name                                       Service Type
Eventlog            Event Log                                          shares a process with other services
PlugPlay            Plug and Play                                      shares a process with other services
======================================================
Process ID: 700 (lsass.exe)

Service Name        Display Name                                       Service Type
Netlogon            Net Logon                                          shares a process with other services
PolicyAgent         IPSEC Services                                     shares a process with other services
ProtectedStorage    Protected Storage
SamSs               Security Accounts Manager                          shares a process with other services

PID    Port        Local IP         State         Remote IP:Port
700    UDP 500     0.0.0.0                        *:*
700    UDP 4500    0.0.0.0                        *:*
700    UDP 1027    127.0.0.1                      *:*
======================================================
Process ID: 860 (svchost.exe)

Service Name        Display Name                                       Service Type
DcomLaunch          DCOM Server Process Launcher                       shares a process with other services
TermService         Terminal Services                                  shares a process with other services

PID    Port        Local IP         State         Remote IP:Port
860    TCP 3389    0.0.0.0          LISTENING     0.0.0.0:28919
======================================================
Process ID: 928

Service Name        Display Name                                       Service Type
RpcSs               Remote Procedure Call (RPC)                        shares a process with other services

PID    Port        Local IP         State         Remote IP:Port
928    TCP 135     0.0.0.0          LISTENING     0.0.0.0:39054
======================================================
Process ID: 1020 (svchost.exe)

Service Name        Display Name                                       Service Type
AppMgmt             Application Management                             shares a process with other services
AudioSrv            Windows Audio                                      shares a process with other services
BITS                Background Intelligent Transfer Service            shares a process with other services
CryptSvc            Cryptographic Services                             shares a process with other services
Dhcp                DHCP Client                                        shares a process with other services
dmserver            Logical Disk Manager                               shares a process with other services
ERSvc               Error Reporting Service                            shares a process with other services
EventSystem         COM+ Event System                                  shares a process with other services
helpsvc             Help and Support                                   shares a process with other services
lanmanworkstation   Workstation                                        shares a process with other services
Messenger           Messenger                                          shares a process with other services
Netman              Network Connections
Nla                 Network Location Awareness (NLA)                   shares a process with other services
RasMan              Remote Access Connection Manager                   shares a process with other services
Schedule            Task Scheduler
seclogon            Secondary Logon
SENS                System Event Notification                          shares a process with other services
SharedAccess        Windows Firewall/Internet Connection Sharing (ICS) shares a process with other services
ShellHWDetection    Shell Hardware Detection                           shares a process with other services
TapiSrv             Telephony                                          shares a process with other services
Themes              Themes                                             shares a process with other services
TrkWks              Distributed Link Tracking Client                   shares a process with other services
W32Time             Windows Time                                       shares a process with other services
winmgmt             Windows Management Instrumentation                 shares a process with other services
wuauserv            Automatic Updates                                  shares a process with other services
WZCSVC              Wireless Zero Configuration                        shares a process with other services

PID    Port        Local IP         State         Remote IP:Port
1020   UDP 123     127.0.0.1                      *:*
1020   UDP 123     168.30.241.19                  *:*
======================================================
Process ID: 1072

Service Name        Display Name                                       Service Type
Dnscache            DNS Client                                         shares a process with other services

PID    Port        Local IP         State         Remote IP:Port
1072   UDP 1025    0.0.0.0                        *:*
1072   UDP 1026    0.0.0.0                        *:*
======================================================
Process ID: 1112

Service Name        Display Name                                       Service Type
LmHosts             TCP/IP NetBIOS Helper                              shares a process with other services
WebClient           WebClient                                          shares a process with other services
======================================================
Process ID: 1540 (DefWatch.exe)

Service Name        Display Name                                       Service Type
DefWatch            DefWatch
======================================================
Process ID: 1600 (ngctw32.exe)

Service Name        Display Name                                       Service Type
NGClient            Symantec Ghost Client Agent

PID    Port        Local IP         State         Remote IP:Port
1600   UDP 1346    0.0.0.0                        *:*
======================================================
Process ID: 1656 (niSvcLoc.exe)

Service Name        Display Name                                       Service Type
niSvcLoc            NI Service Locator

PID    Port        Local IP         State         Remote IP:Port
1656   TCP 3580    0.0.0.0          LISTENING     0.0.0.0:20645
======================================================
Process ID: 1668 (Rtvscan.exe)

Service Name               Display Name                                Service Type
Norton AntiVirus Server    Symantec AntiVirus Client

PID    Port        Local IP         State         Remote IP:Port
1668   UDP 2967    0.0.0.0                        *:*
======================================================
Process ID: 1748

Service Name        Display Name                                       Service Type
UMWdf               Windows User Mode Driver Framework                 runs in its own process
======================================================
Process ID: 156

Service Name        Display Name                                       Service Type
ALG                 Application Layer Gateway Service                  runs in its own process

PID    Port        Local IP         State         Remote IP:Port
156    TCP 1042    127.0.0.1        LISTENING     0.0.0.0:39166
======================================================
Process ID: 2076 (Explorer.EXE)
Process doesn't appear to be a service
======================================================
Process ID: 3520 (spoolsv.exe)

Service Name        Display Name                                       Service Type
Spooler             Print Spooler

PID    Port        Local IP         State         Remote IP:Port
3520   UDP 2038    127.0.0.1                      *:*
======================================================
Process ID: 3484 (svchost.exe)

Service Name        Display Name                                       Service Type
stisvc              Windows Image Acquisition (WIA)                    shares a process with other services
======================================================
Process ID: 2768 (Winword.exe)
Process doesn't appear to be a service

PID    Port        Local IP         State         Remote IP:Port
2768   UDP 3483    127.0.0.1                      *:*
======================================================
Process ID: 3664 (cmd.exe)
Process doesn't appear to be a service
======================================================
Process ID: 3108 (PortQry.exe)
Process doesn't appear to be a service
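The following is an added example, not part of the original page: it is the current-Windows equivalent of "portqry -local", joining every TCP connection and UDP endpoint to its owning process and flagging the two things the walk-through above has you look for (who is listening on every interface, and who is talking to a host outside the local network). It needs Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated session to read every process path; the function names and the definition of "local network" are this example's own.

```powershell
# Added example (not from the original page): map sockets to processes and
# flag all-interface listeners and connections to off-LAN peers.

$procById = @{}
Get-Process | ForEach-Object { $procById[$_.Id] = $_ }

function Describe-Owner([int]$ownerPid) {
    $p = $procById[$ownerPid]
    if (-not $p) { return "pid $ownerPid (exited)" }
    $path = if ($p.Path) { $p.Path } else { '<no access>' }
    return "$($p.ProcessName)[$ownerPid] $path"
}

function Test-LocalRange([string]$ip) {
    # RFC 1918, loopback, link-local and unspecified addresses count as
    # "local"; everything else is a remote computer in the page's sense.
    # Adjust the pattern to your own address plan (the campus in the listing
    # above uses public 168.x.x.x addresses internally).
    return [bool]($ip -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.0\.0\.0$|::1$|::$|fe80:)')
}

$findings = @()

foreach ($c in Get-NetTCPConnection) {
    if ($c.State -eq 'Listen' -and $c.LocalAddress -in '0.0.0.0', '::') {
        # Bound to every interface, so reachable from the network: it must be
        # a service you can account for (RDP, RPC, SMB, your AV agent, ...).
        $findings += [pscustomobject]@{
            Kind   = 'TCP LISTEN, all interfaces'
            Local  = "$($c.LocalAddress):$($c.LocalPort)"
            Remote = ''
            Owner  = Describe-Owner $c.OwningProcess
        }
    }
    elseif ($c.State -eq 'Established' -and -not (Test-LocalRange $c.RemoteAddress)) {
        $findings += [pscustomobject]@{
            Kind   = 'TCP ESTABLISHED, off-LAN peer'
            Local  = "$($c.LocalAddress):$($c.LocalPort)"
            Remote = "$($c.RemoteAddress):$($c.RemotePort)"
            Owner  = Describe-Owner $c.OwningProcess
        }
    }
}

foreach ($u in Get-NetUDPEndpoint) {
    if ($u.LocalAddress -in '0.0.0.0', '::') {
        $findings += [pscustomobject]@{
            Kind   = 'UDP bound, all interfaces'
            Local  = "$($u.LocalAddress):$($u.LocalPort)"
            Remote = ''
            Owner  = Describe-Owner $u.OwningProcess
        }
    }
}

$findings | Sort-Object Kind, Owner | Format-Table -AutoSize -Wrap
```

Read the Owner column the same way the PortQry listing is read above: a listener or an outbound connection owned by a process in the Windows system folder with a recognizable service behind it is expected, one owned by a process you cannot name (or that lives in a user profile or a temp folder) is what you are hunting for.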

Removing Malware hooked into Explorer.exe or Internet Explorer

1. On a Windows XP computer, using Notepad, create a file called RunAdAware.vbs and copy the following text into it.

    ' Kill the shell and the browser so that malware loaded into them is not
    ' running while Ad-Aware scans, then run the scan and restart the shell.
    Set ShellObj = WScript.CreateObject("Wscript.Shell")
    Set FSO = WScript.CreateObject("Scripting.FilesystemObject")
    WinDir = LCase(Trim(FSO.GetSpecialFolder(0)))   ' e.g. c:\windows
    SysDir = LCase(Trim(FSO.GetSpecialFolder(1)))   ' e.g. c:\windows\system32
    ' Run(command, window style, wait): 0 = hidden window, 3 = maximized; True waits for the command to finish.
    ShellObj.Run SysDir & "\Taskkill.exe /F /IM Explorer.exe", 0, True
    ShellObj.Run SysDir & "\Taskkill.exe /F /IM Iexplore.exe", 0, True
    ' The path assumes the default Ad-Aware SE Professional installation folder.
    ShellObj.Run """C:\Program Files\Lavasoft\Ad-Aware SE Professional\AdAware.exe"" /smart +auto +update", 3, True
    ShellObj.Run WinDir & "\Explorer.exe", 0, False
    WScript.Quit

2. Install Ad-Aware SE Professional or a comparable Ad-Aware SE program.
3. Double-click RunAdAware.vbs to execute it.
4. All instances of Explorer.exe (the GUI and any Windows Explorer windows) and Internet Explorer are terminated. Ad-Aware SE runs, updates its definition file automatically and removes the spyware it finds.
5. Explorer.exe (the GUI) loads again.

Removing Watchful Spyware

Definition: Spyware that runs several processes. When one process is ended, another process detects this and automatically creates a new one.

1. Run Task Manager.
2. Click the Processes tab.
3. Identify the watchful spyware processes. To do this, click a process and then click End Process.
4. If the process returns automatically, it is a watchful spyware process.
5. On a Windows XP computer, using Notepad, create a file called KillSpyware.bat and copy the following text into it. Replace the EXE files listed below with the ones you identified as watchful spyware processes. (The EXEs listed are real watchful spyware processes, but they may not exist on your computer.)

    @echo off
    REM Kill the shell and the browser first so that spyware hooked into them
    REM loses its host process; /IM matching is not case-sensitive, so one
    REM Explorer.exe line is enough.
    Taskkill.exe /F /T /IM Explorer.exe
    Taskkill.exe /F /T /IM iexplore.exe
    REM Now the watchful set itself: replace these names with the ones found in steps 3 and 4.
    Taskkill.exe /F /T /IM PIB.exe
    Taskkill.exe /F /T /IM TBPS.exe
    Taskkill.exe /F /T /IM WSup.exe
    Taskkill.exe /F /T /IM WToolsA.exe
    Taskkill.exe /F /T /IM WebRebates0.exe
    Taskkill.exe /F /T /IM WebRebates1.exe

6. Double-click KillSpyware.bat to execute it.
7. All instances of Explorer.exe (the GUI and any Windows Explorer windows) and Internet Explorer are terminated, followed by all the watchful spyware processes. Explorer.exe (the GUI) loads again.
8. Run Ad-Aware SE or remove the spyware manually.

Taskkill.exe is a utility built into Windows XP Professional (it is not included in XP Home Edition) that kills processes. The /F switch forces the process to end, the /T switch also kills any child processes it started, and the /IM switch identifies the process by its image name, such as explorer.exe.
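The following is an added example, not part of the original page: it automates the test in steps 3 and 4 (end a process and see whether it comes back) and then the kill step, which has to take the whole watchdog set down in one pass. It needs an elevated PowerShell 5.1 or later session; the function names are this example's own, and the process names at the bottom are placeholders copied from the batch file above, not a claim that they exist on your machine.

```powershell
# Added example (not from the original page): detect respawning processes,
# then kill the whole set together and repeat until none remain.

function Test-Respawns([string]$imageName, [int]$waitSeconds = 3) {
    $name   = $imageName -replace '\.exe$', ''       # Get-Process wants the bare name
    $before = @(Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object Id)
    if ($before.Count -eq 0) { return $false }
    Stop-Process -Id $before -Force -ErrorAction SilentlyContinue
    Start-Sleep -Seconds $waitSeconds
    $after  = @(Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object Id)
    # A PID that was not there before means something relaunched the image.
    $new = $after | Where-Object { $_ -notin $before }
    return [bool]$new
}

function Stop-ProcessSet([string[]]$imageNames, [int]$rounds = 10) {
    $names = $imageNames | ForEach-Object { $_ -replace '\.exe$', '' }
    for ($i = 0; $i -lt $rounds; $i++) {
        $targets = @(Get-Process -Name $names -ErrorAction SilentlyContinue)
        if ($targets.Count -eq 0) { return $true }
        # Kill every member in the same pass: a watchdog can only relaunch its
        # partner if it is still alive when the partner dies.
        $targets | Stop-Process -Force -ErrorAction SilentlyContinue
        Start-Sleep -Milliseconds 200
    }
    return @(Get-Process -Name $names -ErrorAction SilentlyContinue).Count -eq 0
}

# Usage with the placeholder names from the batch file above.
$candidates = 'PIB.exe', 'TBPS.exe', 'WSup.exe', 'WToolsA.exe', 'WebRebates0.exe', 'WebRebates1.exe'
$watchful   = @($candidates | Where-Object { Test-Respawns $_ })
"Watchful processes: $($watchful -join ', ')"
if ($watchful.Count -gt 0) { "Kill succeeded: $(Stop-ProcessSet $watchful)" }
```

If Stop-ProcessSet still reports failure after its rounds, the watchdogs are winning the race; suspend every member first and kill them afterwards, which needs a tool that can suspend processes, or fall back to the Safe Mode procedure in the next section.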

Removing Polymorphic Spyware

Definition: Spyware that runs several processes. When one process is ended, another process detects this and automatically creates a new process with a different, unique name, so killing by image name does not work.

1. Boot the computer into Safe Mode by pressing F8 during the boot process and selecting Safe Mode from the Advanced Options menu. In Safe Mode the startup entries in the Run keys are not processed and only essential services start, so the watchdog processes never get to run.
2. Run msconfig and uncheck all spyware entries.
3. Reboot the computer and run Ad-Aware SE.
