> Virus /Rootkits Thread, Work In Progress (Virus/Malware)

post Jun 18 2007, 04:11 PM, updated 12y ago

I'm sorry. I don't believe in this crap!!
Group: VIP
Posts: 2,496

Joined: Jan 2003
From: LowYatDotNet Status:Agast
Virus Removal Steps

Keep the infection local.
Disconnect from the network/internet. I mean physically pull out your RJ45/RJ11 plug. This stops the virus from propagating throughout your network or over the internet (worms/viruses), stops your data from leaving your compromised system (calling home) through backdoors (trojans), and stops your machine from participating in a zombie-mob DoS attack.

Perform a Virus Scan.
This is the first attempt to determine if your system is truly infected. Do a deep scan of every single file and folder on the system. This may take several hours, but it is necessary. Make sure your virus definitions (database) are updated. Many of them can update the database locally via an update file you can grab off the official website.

Grab the prescribed removal tool. Once you've identified the virus infecting your system, you can better deal with the particular infection by administering the proper "vaccine". You can go to any of the known antivirus companies' websites and grab a removal tool. This tool will delete any of the known virus-infected files and registry entries made by the virus. Take note of the virus "version" and download the corresponding tool. It will require you to do a scan, then reboot into safe mode and perform the scan again.

Removal Tools:
• Kaspersky
• Norton
• McAfee
• Panda

I also suggest downloading McAfee's Stinger and PC-cillin's Virus Cleanup Template (and their respective virus definition files), which are standalone/install-less virus removal engines.
• McAfee Stinger
• PC-cillin VCT

Additionally, you can scan your PC online with
• PC-cillin / Trend Micro's HouseCall
• Panda Antivirus ActiveScan
• Kaspersky Online Scanner
• McAfee File Scan
• Norton Free Online Virus Scanner

It is very important that you put any media you're using to transfer the removal tool or the virus database update file, or to perform a scan, into read-only mode until you are certain that your system is no longer infected. If your media does not have a read-only option then don't use it. If you have no choice, once it is put in the system, assume that it is also infected and treat it accordingly. These devices can be put into read-only mode by the sliding button on your device; read your manual. Any portable media not in read-only mode is susceptible to being infected by the virus.

Check for unusual applications and processes.
A virus is just like a regular application and needs to be running in order to work. It should also have a way to start itself up again when the system is rebooted (taking advantage of the many ways programs automatically start up in Windows). There are typically five ways that programs start up automatically in Windows, and we need to look at these five ways to look for the virus.

1. The most rudimentary is the Startup folder. Any application or shortcut that is located in the Startup folder will automatically start up each time the system is booted into Windows. There are several of these folders located throughout the system, notably in each user's profile (this includes the Default User and All Users profiles as well):

• C:\Documents and Settings\<username>\Start Menu\Programs\Startup
• C:\Documents and Settings\Default User\Start Menu\Programs\Startup
• C:\Documents and Settings\All Users\Start Menu\Programs\Startup

and in Windows system files such as:

• c:\autoexec.bat
• c:\config.sys
• Windows\win.ini, wininit.ini, system.ini
• Windows\system\autoexec.nt, config.nt

more reading: http://www.aumha.org/a/loads.php

2. The most typical is from the Registry. The registry contains several locations that control the auto-startup of applications. Entries under HKEY_USERS and HKEY_CURRENT_USER run when the user logs in, while entries under HKEY_LOCAL_MACHINE run when the system starts up. Some of the registry keys that you need to look at include:

Local User
HKEY_USERS\<User UID>\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load

Local Machine
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

A more extensive list of launch points can be found here:

3. The current favourite is as a Service. Just like running from the registry, any virus that installs itself as a service can run without user intervention upon start-up. It can also start back up when you kill it, because the Service Control Manager has the option to restart the service upon a failure (in which case manually killing it constitutes a failure).

4. Less common is from a Script. Group Policy (GPO) is an enterprise-wide feature that enables the network administrator to write a script to perform certain tasks upon start-up/shutdown on multiple computers in a network/domain, using scripting languages such as VB, JS, etc. Your computer also has a local GPO, and you need to launch the GPO editor console to check if there are any suspicious scripts running on your system.

Running scripts are located in:

• Local Computer Policy\Computer Configuration\Windows Settings\Scripts (Startup/Shutdown)\Startup for programs that run when the computer is started and;

• Local Computer Policy\User Configuration\Windows Settings\Scripts (Logon/Logoff)\Logon for programs that run when the user logs in.

If you don't do any scripting and aren't on a domain, then anything in here is considered highly suspicious.

5. Possibly, but rarely, from a Scheduled Task. A scheduled task has the ability to run applications on start-up and on log-in of a user. Tasks also have the ability to run a program as a different user or as the system itself. The Scheduled Tasks can be found under the Control Panel.

It is very common to see virus writers use a combination of these methods, so you need to cover all these bases.

Using Msconfig, Gpedit.msc, Services.msc
The Microsoft System Configuration Utility, or simply MSCONFIG, is a tool built into Windows that is designed to help you troubleshoot problems with your computer. You can see some of the programs that run in the background upon startup here, together with some registry entries, and it's a good place to start. To check your services you need to use Services.msc, and to check scripts, as mentioned before, Gpedit.msc. All are run from Start > Run >

More information:

For a more extensive utility I would recommend AutoRuns from Sysinternals.

Turn off System Restore.
There is some debate about whether or not to turn off System Restore during an infection. The reason we need to be concerned with System Restore is that it can at certain times cache a virus, which will then be restored along with the other Windows system state files during a System Restore operation. Oftentimes you will also get the AV complaining that it is unable to clean one or more files in the System Volume Information data store. The downside is that when you purge the restore points, you will be unable to restore your system to a previous system state if anything goes wrong.

Remove infected files that you cannot clean in the System Restore data archive
If you suspect that previous restore points contain copies of infected monitored files that your antivirus program was not able to clean, you can remove these files and all the related restore points from the System Restore archive. To do so, turn off System Restore, and then turn it on again.

Notes: When you turn off System Restore, you remove all the restore points. When you turn on System Restore again, new restore points are created as the schedule and events require. Verify that all the signature or definition files are current. Make sure that your antivirus program is configured to exclude the System Volume Information (SVI) folder (a hidden system folder located in the root of the system drive, %SYSTEMDRIVE%).

To completely and immediately remove any infected file or files in the data store, turn off and then turn on System Restore. To do so, follow these steps:
1. Click Start, and then click Control Panel.
2. Click Performance and Maintenance, and then double-click System.
3. Click the System Restore tab, and then click to select the Turn off System Restore for all drives check box.
4. Click OK, and then click Yes to initiate the restore point deletion.

Use Task Manager
Get familiar with the processes running in the background on your own PC. Once you're familiar with all the usual processes, anything out of the ordinary will stand out like a sore thumb. Most (not all) viruses tend to have weird filenames like Age_of_empire.exe (huh? I didn't play that game), and some try to look legitimate by taking similar names to common Windows processes, e.g. svchost.exe instead of scvhost.exe.

Once you're comfortable with processes, you can opt to use Process Explorer from Sysinternals. Downloadable from here: http://www.microsoft.com/technet/sysintern...ssExplorer.mspx

These are normal processes:
QUOTE(homenetworking help)
"System Idle Process"
"System" The Windows System Process
"SMSS.EXE" Session Manager Subsystem
"CSRSS.EXE" Client Server Runtime Subsystem
"WinLOGON.EXE" The Windows Logon process
"SERVICES.EXE" Services Control Manager
"LSASS.EXE" Local Security Authentication Server Service
"svchost.exe" Service Host
"spoolsv.exe" The print spooler service
"explorer.exe" Windows Explorer
"TASKMGR.EXE" The Task Manager
"regsvc.exe" Remote Registry Service

As a general rule, take extra interest in any process that doesn't have a company name (with the exception of DPCs, Interrupts, System, SMSS, Services, System Idle Process and the things mentioned above), a verified signer (Process Explorer auto-verifies images) or a version number attached to it. You can kill the process by right-clicking on it and selecting Kill. Process Explorer also allows you to search for a specific process. You should also be interested in purple-highlighted processes.

QUOTE(mark russ ppt presentation slide)
Purple highlighting indicates an image is “packed”
Packed can mean compressed or encrypted
Malware commonly uses packing (e.g. UPX) to make antivirus signature matching more difficult
Packing and encryption also hides strings from view

If you're unsure what a process is responsible for, you can check it out here:

This post has been edited by AsenDURE: Jun 20 2007, 02:53 PM
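As an added example (not code from this thread or from any of the tools it names), the Python below applies the checks from the autostart-location and Task Manager sections above to an inventory of autostart entries: it pulls the launched program out of each command value, compares the filename against the list of normal processes quoted above using an edit distance that counts adjacent letter swaps (so scvhost.exe is recognised as a lookalike of svchost.exe), and flags programs launched from temp or profile directories or appended to the Winlogon Userinit value. The inventory and the heuristics are my own construction; kavo.exe and Age_of_empire.exe are filenames mentioned in this thread, reused here as sample data, and the Adobe path is invented.

```python
import ntpath
import re

# Names the thread lists as normal Windows processes, lower-cased for comparison.
KNOWN_SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "taskmgr.exe", "regsvc.exe",
}
# Directories a legitimate autostart program is usually launched from (heuristic).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")

# Constructed inventory (not taken from any real machine): one tuple per autostart
# entry as a tool like AutoRuns or "reg query" would list them:
# (launch point, entry name, command value).
SAMPLE_ENTRIES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
     "Adobe Reader Speed Launcher",
     r'"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "svchost",
     r"C:\Documents and Settings\bob\Local Settings\Temp\scvhost.exe"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "Userinit",
     r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\kavo.exe"),
    (r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup",
     "Age_of_empire.exe",
     r"C:\WINDOWS\Age_of_empire.exe"),
    ("Services",
     "Spooler",
     r"C:\WINDOWS\system32\spoolsv.exe"),
]


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'scvhost.exe' is one step away from 'svchost.exe'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def executables(command):
    """Pull the program path(s) out of an autostart command value.
    Userinit-style values hold a comma-separated list, so split on commas first."""
    found = []
    for part in command.split(","):
        part = part.strip()
        if not part:
            continue
        if part.startswith('"'):                       # quoted path, maybe followed by arguments
            found.append(part[1:part.find('"', 1)])
            continue
        m = re.match(r"(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", part, re.I)
        found.append(m.group(1) if m else part.split()[0])
    return found


def check_program(path, location):
    """Heuristic findings for one launched program; an empty list means nothing odd."""
    findings = []
    low = path.lower()
    name = ntpath.basename(low)                        # ntpath handles backslashes on any OS
    if name not in KNOWN_SYSTEM_PROCESSES:
        for known in KNOWN_SYSTEM_PROCESSES:
            if osa_distance(name, known) <= 1:
                findings.append(f"{name} looks like the system process {known}")
    elif not low.startswith("c:\\windows\\system32\\"):
        findings.append(f"system process name {name} running from outside system32")
    if "\\temp\\" in low or low.startswith("c:\\documents and settings\\"):
        findings.append(f"{name} runs from a temp or user-profile directory")
    elif not low.startswith(TRUSTED_DIRS):
        findings.append(f"{name} runs from an unusual directory")
    # Userinit should launch only userinit.exe; anything appended to it is worth a look.
    if location.lower().endswith("winlogon\\userinit") and name != "userinit.exe":
        findings.append(f"Userinit launches {name} in addition to userinit.exe")
    return findings


def triage(entries):
    """Map each autostart entry name to its findings, keeping only entries that have some."""
    report = {}
    for location, name, command in entries:
        findings = []
        for program in executables(command):
            findings.extend(check_program(program, location))
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for entry, findings in triage(SAMPLE_ENTRIES).items():
        print(entry)
        for finding in findings:
            print("   -", finding)
```

The heuristics are deliberately narrow: a hit means "look at this entry in Process Explorer or AutoRuns", not "this is a virus", and an entry that passes every check is not thereby cleared.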
post Jun 19 2007, 08:33 PM

I'm sorry. I don't believe in this crap!!
Group: VIP
Posts: 2,496

Joined: Jan 2003
From: LowYatDotNet Status:Agast

What are rootkits?
Normally only sysadmins are concerned with these, but I'm seeing a lot of this crap floating around in the home networking environment. It could be because a lot of current Windows versions seem to be based on the NT/Server platform. A rootkit is a program that allows a hacker to mask an intrusion and gain root or privileged access to the computer. Rootkits can then monitor traffic, grab keystrokes, steal passwords, or create a "backdoor" into the system for the hacker to administer the infected system remotely for almost anything he wishes.

Because rootkits can run at the kernel and API level, they can be hidden from the OS and upper-layer utilities like Explorer (file viewers), do not show up in Task Manager (process viewers), and will not leave visible entries in the startup folders or common startup locations mentioned above. They will also not show up on most antivirus scanners and antispyware. Rootkits not only take advantage of the vulnerabilities in your OS but even those in your antispyware/antivirus detector as well.

Rootkits are not themselves malware programs, but are often used to hide the presence of malware programs/trojans/worms. Detecting rootkits requires a specialist rootkit detector.

Check rootkit threat alerts from here:

Types of rootkits / run levels
QUOTE(M'zoft Technet)
The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

Persistent Rootkits
A persistent rootkit is one associated with malware that activates each time the system boots. Because such malware contain code that must be executed automatically each system start or when a user logs in, they must store code in a persistent store, such as the Registry or file system, and configure a method by which the code executes without user intervention.

Memory-Based Rootkits
Memory-based rootkits are malware that has no persistent code and therefore does not survive a reboot.

User-mode Rootkits
There are many methods by which rootkits attempt to evade detection. For example, a user-mode rootkit might intercept all calls to the Windows FindFirstFile/FindNextFile APIs, which are used by file system exploration utilities, including Explorer and the command prompt, to enumerate the contents of file system directories. When an application performs a directory listing that would otherwise return results that contain entries identifying the files associated with the rootkit, the rootkit intercepts and modifies the output to remove the entries.

The Windows native API serves as the interface between user-mode clients and kernel-mode services and more sophisticated user-mode rootkits intercept file system, Registry, and process enumeration functions of the Native API. This prevents their detection by scanners that compare the results of a Windows API enumeration with that returned by a native API enumeration.

Kernel-mode Rootkits
Kernel-mode rootkits can be even more powerful since, not only can they intercept the native API in kernel-mode, but they can also directly manipulate kernel-mode data structures. A common technique for hiding the presence of a malware process is to remove the process from the kernel's list of active processes. Since process management APIs rely on the contents of the list, the malware process will not display in process management tools like Task Manager or Process Explorer.

Rootkit detectors

• M'zoft's Sysinternals RootkitRevealer [from Sysinternals, 'nuff said]
• X-Focus's IceSword [Chinese, very good and for experienced users only]
• M'zoft's Malicious Software Removal Tool
• BlackLight from F-Secure [non-free]
• Sophos Anti-Rootkit [Release Candidate 1]
• RootKit Hook Analyzer

Rootkit removal
The difficulty with rootkit removal lies in the fact that rootkits work by changing the OS itself at the kernel level, so it may not be possible to remove the rootkit without causing Windows to become unstable or non-functional.

For rootkits that are 'bundled' with spyware/malware, removing the malware hidden by the rootkit presents the normal problems of removing any malware, but removing the rootkit itself may destabilize your entire system to the point that the malware cannot be completely removed.

This post has been edited by AsenDURE: Jun 20 2007, 11:08 AM
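The cross-view approach the Technet quote describes (compare what the high-level Windows API reports against what a lower-level enumeration reports, and treat the difference as hidden) is the idea behind detectors like RootkitRevealer. The Python below is an added example, not code from this thread or from any of the listed tools; the two sets of process snapshots are constructed by hand, and hidden_svc.exe is an invented placeholder name. It samples each view more than once so that a process that merely started or exited between samples (a constant source of false positives in this kind of comparison) is not reported as hidden.

```python
# Constructed snapshots: {pid: image name}.  The "high-level" view stands for what
# a Task Manager-style API enumeration returns; the "low-level" view stands for an
# independent enumeration (e.g. a raw walk of kernel structures or an on-disk scan).
# Two samples of each are taken a moment apart.
HIGH_VIEW_SAMPLES = [
    {4: "System", 520: "smss.exe", 1200: "explorer.exe", 1500: "notepad.exe"},
    {4: "System", 520: "smss.exe", 1200: "explorer.exe"},            # notepad exited
]
LOW_VIEW_SAMPLES = [
    {4: "System", 520: "smss.exe", 1200: "explorer.exe", 1500: "notepad.exe",
     1888: "hidden_svc.exe"},                                        # placeholder name
    {4: "System", 520: "smss.exe", 1200: "explorer.exe", 1888: "hidden_svc.exe",
     2044: "cmd.exe"},                                               # cmd started just now
]


def persistent_discrepancies(high_views, low_views):
    """Compare repeated samples of two views of the same object list.

    Returns (hidden, phantom):
      hidden  - pids present in *every* low-level sample but in *no* high-level sample,
                i.e. consistently concealed from the high-level API;
      phantom - the reverse, pids the high-level API always shows but the low-level
                view never does (usually a bug in the low-level walker, still worth a look).
    Objects seen in only some samples are treated as transient and ignored.
    """
    if not high_views or not low_views:
        raise ValueError("need at least one sample of each view")
    always_low = set.intersection(*(set(v) for v in low_views))
    ever_low = set.union(*(set(v) for v in low_views))
    always_high = set.intersection(*(set(v) for v in high_views))
    ever_high = set.union(*(set(v) for v in high_views))
    hidden = {pid: low_views[0][pid] for pid in sorted(always_low - ever_high)}
    phantom = {pid: high_views[0][pid] for pid in sorted(always_high - ever_low)}
    return hidden, phantom


if __name__ == "__main__":
    hidden, phantom = persistent_discrepancies(HIGH_VIEW_SAMPLES, LOW_VIEW_SAMPLES)
    for pid, image in hidden.items():
        print(f"hidden from the API view: pid {pid} ({image})")
    for pid, image in phantom.items():
        print(f"shown by the API but absent from the raw view: pid {pid} ({image})")
```

With these samples only pid 1888 is reported: notepad.exe vanished from both views between samples and cmd.exe appeared in only one low-level sample, so neither counts as a discrepancy. In a real detector the two views must be gathered as close together in time as possible, and a discrepancy is a lead for IceSword or RootkitRevealer, not a verdict.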
post Jun 20 2007, 11:02 AM

I'm sorry. I don't believe in this crap!!
Group: VIP
Posts: 2,496

Joined: Jan 2003
From: LowYatDotNet Status:Agast
OK folks, comment, correct, discuss, contribute...


• Panda Rootkit cleaner is in Alpha Stage (credits to havuk)

• GMER (credits to havuk)

• DarkSpy (credits to havuk)

• Trendmicro's Rootkit Cleaner is in Beta Stage

• McAfee's Rootkit Detective is in Beta Stage

It's good that a lot of security/AV companies are taking rootkits seriously. In your next AV upgrade/purchase/license renewal, you may want to seriously consider having this feature included in your AV package.

This post has been edited by AsenDURE: Jun 21 2007, 10:32 AM
post Jun 20 2007, 09:45 PM

hush puppy
Group: Senior Member
Posts: 1,219

Joined: Jan 2003
I would like to suggest:
1. AVS for antivirus (www.activevirusshield.com)
2. steps on how to remove and create new System Restore points, as viruses normally lurk there...
post Jul 31 2007, 02:40 PM

Getting Started
Group: Junior Member
Posts: 63

Joined: Aug 2005

Sometimes you come across viruses that disable your Task Manager, msconfig and regedit. You can use this to regain access to your registry

or the direct link to the file


(same thing)

This post has been edited by danixal: Jul 31 2007, 02:41 PM
post Jul 31 2007, 07:53 PM

Getting Started
Group: Junior Member
Posts: 286

Joined: Jan 2003

If you have a copy of the virus, upload it here so antivirus companies can study it and make signatures. It's also good for seeing if files are infected by viruses that your antivirus doesn't detect yet. XD



post Aug 1 2007, 12:09 PM

Look at my stars!
Group: Senior Member
Posts: 2,194

Joined: Nov 2006
From: Beach Town

AVG Anti-Rootkit Free

This post has been edited by rich8833: Aug 1 2007, 12:10 PM
post Aug 25 2007, 05:11 AM

Getting Started
Group: Junior Member
Posts: 212

Joined: Aug 2007

IceSword is good at handling running processes. You can view the processes that are hidden by rootkits.
post Nov 7 2007, 06:20 PM

Group: Senior Member
Posts: 1,429

Joined: Sep 2006

Add MicroWorld eScan antivirus. Quite good and fast too.
post Dec 3 2007, 10:17 AM

Getting Started
Group: Junior Member
Posts: 128

Joined: Oct 2007

Thanks for the info, mod. By the way, I have a question. My computer has been infected by something (I don't know what to call it, and it is invisible to my Kaspersky, Ad-Aware and Spybot); when I delete the folder, minutes later it pops up again. The folder's name is MSOCache. Any ideas?
post Dec 3 2007, 11:42 AM

Look at all my stars!!
Group: Senior Member
Posts: 3,109

Joined: Jun 2005

QUOTE(emiya_shin @ Dec 3 2007, 10:17 AM)
Thanks for the info, mod. By the way, I have a question. My computer has been infected by something (I don't know what to call it, and it is invisible to my Kaspersky, Ad-Aware and Spybot); when I delete the folder, minutes later it pops up again. The folder's name is MSOCache. Any ideas?
Everybody who is using Microsoft Office 2003 will also have this folder (including the computer I'm using now);
there's no need to remove it because it is legit.

And please use Google next time.

BTW, that folder should be located in the system root and is a hidden system folder...
post Dec 22 2007, 08:34 AM

Getting Started
Group: Junior Member
Posts: 124

Joined: Aug 2005
From: 2°49'8"N 101°44'1"E

Since many AVs can't detect KAVO / NTDELECT, I'll show how to remove it manually.

Remove kavo / kava / ntdelect


Run CMD.

Type this to show hidden and system files, since your regedit and folder options have been messed up by kavo0.dll:
CD \windows\system32
REM clear the read-only, archive, system and hidden attributes so the files can be seen and deleted
ATTRIB kavo.exe -R -A -S -H
ATTRIB kavo0.dll -R -A -S -H
ATTRIB kavo1.dll -R -A -S -H

by using Unlocker (DL here)


Change the values:
"CheckedValue" to 2
"DefaultValue" to 2

"CheckedValue" to 1
"DefaultValue" to 2

post Dec 29 2007, 02:01 PM

Bad-Badtz Maru FREAK !!!
Group: Elite
Posts: 2,396

Joined: Jan 2003
From: Pandan Perdana, Cheras, KL

Dear Mod/Enthusiast/Sifu,

I've got a case of virus infection dating back to last Tuesday, which is spread through email with an .exe attachment entitled Princess.Diana.Killing.Revealed.exe

According to the user, she didn't even double-click on the email, just highlighted it (system on double-click settings, not single-click mode) and the attachment triggered. Some of the symptoms are:

1. Floppy drive keeps on running intermittently with or without any diskette inserted.
2. Unable to use Task Manager
3. Unable to use the Run command box
4. Unable to use Ctrl-Alt-Del for Task Manager too
5. Command prompt had been disabled by Administrator (I'm the Administrator and it was never set to disabled)
6. Trying to run any .exe (programs) gets terminated in a split-second blink.
7. When attempting to use Safe Mode, all 3 Safe Mode options were not successful; only Boot Windows Normally worked.
8. Folder Options to view hidden files were disabled.
9. The PC is connected to a Domain and after the infection, a forced restart of the PC leads to the removal of the PC from the Domain. Since logging in as a Domain user is impossible, I can only log in as Local, but the PC name had been changed to "VirusBenci". Due to the use of the Malay language, and the email also being sent from a user with the email address who83@yahoo.com, I suspect that it's another Indonesian creation of Brontok.
10. When a USB drive is plugged in and its content viewed, it'll infect files within and append the .exe extension to some documents within. When plugged into a healthy PC without using Autoplay or viewing under Windows Explorer, the virus will not be triggered. An attempt to view the content of the USB drive with Command Prompt didn't show any hidden files at all, except when the syntax "dir /ah" is used to view files with the hidden attribute. There were 2 files shown within the infected USB key, Word.exe and autorun.inf. Using Microsoft Editor, the autorun.inf file content shows that it's pointing to the Word.exe file. The file itself has the Read-Only attribute, therefore the file cannot be edited. I managed to create 2 blank text files, change the extension and filename to be the same as the 2, and overwrite the 2 virus files before deleting both safely. Somehow, I should have tried a different way, like changing the file attributes so that I can see the files and the antivirus software would be able to detect it.


I planned to remove the infected HDD, use it as an external drive and perform a scan via a healthy PC. But the virus was not detected, as I suspect it's a new strain.

Also, I would like to know if there's any way I can access the registry of the OS installed on the external HDD? Where is the location and how do I edit it so that Brontok will be crippled?
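The autorun.inf inspection described in the post above (the file on the USB key pointing at Word.exe) can be done from a clean machine without executing anything on the key. The Python below is an added example, not part of the original post: the autorun.inf content is constructed to match the post's description (with an extra comment line, mixed-case keys and a second section, since such files are not always tidy), and the parser is hand-written because the format's case-insensitive keys and shell\verb\command entries don't map cleanly onto configparser. It reports every program the file would launch or point at, which is what you need in order to know which filenames to look for with "dir /ah" and to hand to the antivirus.

```python
import re

# Constructed autorun.inf in the shape the post describes; every launch directive
# points at Word.exe.  The [other] section must be ignored by the parser.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
;junk comment line
OPEN=Word.exe
icon=Word.exe,0
shell\\open\\Command=Word.exe
shell\\explore\\command="Word.exe" -e
ShellExecute=Word.exe

[other]
open=notthis.exe
"""

# Directives that run a program directly, plus the shell\<verb>\command pattern.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\=]+\\command$")


def parse_autorun(text):
    """Return the [autorun] section as (key, value) pairs with keys lower-cased.
    Blank lines and ';' comments are skipped; other sections are ignored."""
    section = None
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def program_from(value):
    """First token of a directive value, stripping quotes, arguments and icon indexes."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return value.split()[0].split(",")[0]      # icon=file.exe,0 carries an index after a comma


def launched_programs(text):
    """Map each launch-related directive in an autorun.inf to the program it names."""
    result = {}
    for key, value in parse_autorun(text):
        if key in LAUNCH_KEYS or key == "icon" or SHELL_CMD_RE.match(key):
            result[key] = program_from(value)
    return result


if __name__ == "__main__":
    for key, program in launched_programs(SAMPLE_AUTORUN_INF).items():
        print(f"{key:24s} -> {program}")
```

Because the parser never runs the referenced file, it is safe to point at a copy of autorun.inf taken from a suspect key; the set of programs it returns (here just Word.exe) is the list of files whose attributes you would then clear or which you would submit to the AV vendor.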
post Jan 11 2008, 02:23 PM

New Member
Group: Junior Member
Posts: 6

Joined: Jan 2008
From: KL


Recently my friend's PC was infected by a virus named "W32.mamuwow.Flint", as named by his Norton AntiVirus.

Does anyone know how to kill this??
post Jan 13 2008, 04:18 PM

Getting Started
Group: Junior Member
Posts: 111

Joined: Sep 2005

post Jan 24 2008, 10:00 AM

Nothing is Possible!
Group: Senior Member
Posts: 9,233

Joined: Jan 2008
From: S'wak||KL||SG

Er... My comp got 36 viruses healed by AVG... One of them is explorer... My explorer was infected by a trojan/virus... After AVG healed it, a pop-up asked me to insert the Windows XP SP2 CD because my explorer is an unrecognized version?? I've got no taskbar now... Desktop is so clean... How to handle this? I'm thinking of reformatting it...
post Jan 24 2008, 10:17 AM

Group: Junior Member
Posts: 344

Joined: Feb 2006
From: Klang, Kuala Lumpur

Hmm.. explorer deleted.. the best way is to reinstall your OS.. but repairing your OS can work too, I think. I've never faced this problem; hope an expert will guide you better
Grand Inquisitor
post Jan 30 2008, 01:54 PM

Group: Junior Member
Posts: 403

Joined: Jan 2008
As you said, your explorer.exe was infected by a virus. In that case your explorer.exe backup files in dllcache were also deleted by AVG. This can only be fixed by installing or repairing your Windows.

PS: For me, I just reformat it.
post Feb 15 2008, 05:54 PM

New Member
Group: Junior Member
Posts: 8

Joined: Jul 2006
From: hidden directory,
Before that, try this: copy an explorer.exe from any PC that has the same version as your WinXP... it might work, but try it first... if the problem still continues, repair or format your PC... thx

This post has been edited by amysiko: Feb 15 2008, 05:55 PM
post Feb 23 2008, 01:38 AM

Group: Senior Member
Posts: 652

Joined: Jan 2003
From: Malaysia, Japan and Germany

QUOTE(respectMYprivacy @ Feb 20 2008, 10:37 PM)
I guess reformat is the solution for all troubleshooting.
I think everyone knows that.
Still, there are alternatives to counter this issue rather than formatting it. Easier and more reliable, if you ask me.
