Advanced Malware Cleaning Techniques

This tutorial provides information and guidance for IT professionals about investigating, analyzing, and—when possible—removing malware from an infected computer.

Except in special situations, we recommend using antimalware software tools to keep computers free from malware rather than the manual techniques described in this tutorial.

This tutorial is intended for advanced users who have a good understanding of the inner workings of computers and Windows, and who wish to understand the disinfection process: how malware can be removed without the aid of antimalware software. It is designed to help IT professionals understand the impact of malware, see how malware works, learn how to use some specific software tools, and provide a simple guide for cleaning infected computers in unusual circumstances.

This tutorial makes use of several Windows Sysinternals tools. Sysinternals is a suite of advanced diagnostic and troubleshooting utilities for the Windows platform, available for download at no charge from the Microsoft Download Center.




Disconnect from the Network

Disconnecting the infected computer or computers from the network is an essential part of the malware removal process, because it ensures that infected computers do not spread malware to other computers on the network.



Identify Malicious Processes and Drivers

The next step in the disinfection process is to identify any malicious processes. This step involves looking for signs such as:

  • Processes without custom icons.

  • Processes that have no description or company name associated with them.

  • Files that represent themselves as being from Microsoft, but don’t have digital signatures.

  • Unfamiliar processes running from the Windows directory.

  • Files that are packed, which means that they have been compressed or encrypted. Most malware files are packed by their distributors in an effort to make them more difficult for security software to identify.

  • Strange URLs in strings embedded in files.

  • Processes with open TCP/IP endpoints.

  • Processes that host suspicious dynamic-link libraries (DLLs) or services.

By themselves, these signs do not conclusively indicate a malicious process. For example, many legitimate executables and other files are packed, and many legitimate processes run without custom icons. Also, not all malware files and processes exhibit all the signs listed here. However, these signs generally serve as useful clues for detecting malware on an infected computer. A Sysinternals tool called Process Explorer can help spot malicious processes.
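As an added example (not part of the original tutorial and not Sysinternals code), the following PowerShell script applies several of the indicators listed above to every running process and prints a triage table sorted by the number of indicators raised. It uses only standard Windows cmdlets (Get-CimInstance, Get-AuthenticodeSignature, Get-FileHash-style version lookups and Get-NetTCPConnection); the flag names and the scoring are my own choice, and the output is a starting point for a closer look in Process Explorer, not a verdict.

```powershell
# Added example: triage running processes against the indicators in the list above.
# Requires an elevated PowerShell 5.1+ session on Windows. Read-only: nothing is changed.

$windowsDir = $env:SystemRoot

# Map PID -> number of TCP endpoints owned by that process. Get-NetTCPConnection exists on
# Windows 8 / Server 2012 and later; on older systems the map simply stays empty.
$tcpByPid = @{}
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Group-Object -Property OwningProcess |
        ForEach-Object { $tcpByPid[[int]$_.Name] = $_.Count }
}

$report = foreach ($p in Get-CimInstance -ClassName Win32_Process) {
    $path = $p.ExecutablePath
    # System, Idle and protected processes expose no path; they are inspected elsewhere.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }

    $info   = (Get-Item -LiteralPath $path).VersionInfo
    $sig    = Get-AuthenticodeSignature -LiteralPath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # One flag per indicator; several flags together are what merits attention.
    $flags = @()
    if ([string]::IsNullOrWhiteSpace($info.CompanyName))     { $flags += 'no-company' }
    if ([string]::IsNullOrWhiteSpace($info.FileDescription)) { $flags += 'no-description' }
    if ($sig.Status -ne 'Valid')                               { $flags += "sig:$($sig.Status)" }
    # Version resource claims Microsoft, but no Microsoft signature backs the claim.
    if ($info.CompanyName -match 'Microsoft' -and $signer -notmatch 'O=Microsoft Corporation') {
        $flags += 'ms-name-not-ms-signed'
    }
    if ($path -like "$windowsDir\*" -and $sig.Status -ne 'Valid') { $flags += 'unsigned-in-windows-dir' }
    if ($tcpByPid.ContainsKey([int]$p.ProcessId)) { $flags += "tcp-endpoints:$($tcpByPid[[int]$p.ProcessId])" }

    [pscustomobject]@{
        PID         = $p.ProcessId
        ParentPID   = $p.ParentProcessId
        Name        = $p.Name
        Path        = $path
        Company     = $info.CompanyName
        Description = $info.FileDescription
        Signer      = $signer
        CommandLine = $p.CommandLine
        Flags       = ($flags -join ' ')
        Score       = $flags.Count
    }
}

# Most indicators first. Packed images are not detected here; Process Explorer's
# violet highlighting covers that indicator.
$report | Sort-Object Score -Descending | Format-Table PID, Name, Score, Flags, Path -AutoSize
```

Run it before and after the clean-up and compare the two tables; a process that disappears from the top of the list and then returns after a reboot is a persistence mechanism that still needs to be found with Autoruns.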




Windows Core Concepts

Windows NT has always had a rich access control model to protect sensitive system resources from modification by or disclosure to unauthorized entities. Within this model, user accounts are typically given Administrator rights or User rights. Administrators have complete and unrestricted access to the computer and all its resources, while Users are restricted from making changes to operating system configuration or accessing data belonging to other users. For historical reasons, however, until recently end users on Windows computers were frequently granted administrative access, so many people have remained unaware that these distinctions exist.

Many of the Sysinternals utilities always require administrative rights, while many others have full functionality without them. Some, however, are able to work correctly with standard user rights but have features that need administrative rights, and thus operate in a “partially degraded” mode when executed with standard user rights.

Windows Vista and UAC changed everything when it came to running programs with administrative rights. Running as a standard user is now the default state for users’ programs, even when run by a member of the Administrators group.

If you log on to a computer running Windows Vista or newer with an account that is a member of Administrators (the first account is the only one that defaults to Administrators group membership on computers not joined to a domain), the Local Security Authority (LSA) creates two logon sessions for the user, with a distinct access token for each. One of these tokens represents the user’s full rights, with all groups and privileges intact. The other is a filtered token that is roughly equivalent to one belonging to a standard user, with powerful groups disabled and powerful privileges removed. This filtered token is used to create the user’s initial processes, such as Userinit.exe and Explorer.exe, and is inherited by their child processes. Starting a process with the user’s full token requires UAC elevation, mediated by the Application Information (Appinfo) service.

    Information
With UAC enabled, there is one exception to this rule. By default, UAC token filtering and “admin approval mode” do not apply to the built-in Administrator account. Anything run under that account always runs with full administrative rights. However, the built-in Administrator account is disabled by default.


UAC elevation can be triggered for a new program when the user explicitly requests that the program run elevated—for example, by right-clicking it and choosing Run As Administrator from the context menu.



Processes, Threads, and Jobs

A program is a static sequence of instructions, whereas a process is a container for a set of resources used to execute a program.

Windows provides an extension to the process model called a job. A job object’s main function is to allow groups of processes to be managed and manipulated as a unit. For example, a job can be used to terminate a group of processes all at once instead of one at a time and without the calling process having to know which processes are in the group. A job object also allows control of certain attributes and provides limits for the process or processes associated with the job. For example, jobs can enforce per-process or job-wide limits on user-mode execution time and committed virtual memory.

As mentioned, a process is merely a container. Technically, it is not the process that runs—it is its threads. A thread is the entity within a process that Windows schedules for execution.



User Mode and Kernel Mode

To prevent user applications from accessing or modifying critical operating system data, Windows uses two processor access modes: user mode and kernel mode.

All processes other than the System process run in user mode, whereas device drivers and operating system components such as the executive and kernel run only in kernel mode.

Kernel mode refers to a mode of execution in a processor that grants access to all system memory and to all CPU instructions.

Although each Windows process has its own private memory space, the kernel-mode operating system and device driver code share a single virtual address space that is also included in the address space of every process.

Threads of user-mode processes switch from user mode to kernel mode when they make a system service call.

Thus, it is normal for a thread in a user-mode process to spend part of its time executing in user mode and part in kernel mode. In fact, because the bulk of the graphics and windowing system also runs in kernel mode, processes hosting graphics-intensive applications can spend more of their time in kernel mode than in user mode. You can see these two modes in the Process Explorer CPU usage graphs: the red portion of the graph represents time spent in kernel mode, and the green area of the graph represents time spent in user mode.



Handles

A handle is a logical association with a shared resource such as a file, window, or memory location. When a thread opens a file, it establishes a “handle” to the file, and internally the handle acts like a “name” for that instance of the file. Handles are used to link to transitory or environmental resources outside the process’s memory structure.







Using Process Explorer

Knowing what processes are running at any given time can help you understand how your CPU and other resources are being used, and it can assist you in diagnosing problems and identifying malware.

To help provide Windows users with insight into process activity on their systems, Windows has always included Task Manager, an easy-to-use application for viewing the processes (applications and services) that are running on your system. To avoid overwhelming users, Task Manager provides limited details. It often doesn’t provide deep enough insight into what is causing a process to misbehave, nor does it show key data that can help a technical user to identify a process as malware.

Process Explorer is a kind of “super Task Manager” that provides a variety of general troubleshooting capabilities, including the discovery of DLL versioning problems, handle leaks, and locked file information; performance troubleshooting; and detailing hung processes.


Here are just some of the key features of Process Explorer:

  • Tree view shows parent/child process relationships.

  • Color coding identifies the process type, such as services, .NET processes, processes running as the same user as Process Explorer, processes that are part of a job, and packed images.

  • Tooltips show command-line and other process information.

  • Highlighting to call attention to new and recently exited processes.

  • Fractional CPU so that processes consuming less than 1 percent of CPU time do not appear completely inactive.

  • More accurate indication of CPU consumption based on CPU cycle counts or context switches.

  • Task Manager replacement—you can have Process Explorer run whenever Task Manager is requested.

  • Identify which process owns any visible window on your desktop.

  • Identify a top-level window belonging to a given process, and bring it forward or close it.

  • Identify all dynamic-link libraries (DLLs) and mapped files loaded by a process and all handles to kernel objects opened by a process.

  • Find which processes have open handles to kernel objects such as files or folders.

  • Find which processes have loaded a DLL, and identify its path and other attributes.

  • Graphical representations of CPU activity, memory usage, and I/O activity, both system wide and per-process.

  • Detailed metrics of memory usage and I/O activity.

  • Detailed information about a process security context.

  • Detailed information about process TCP/IP endpoints.

  • View process threads, including their start addresses and stacks.

  • Create process dumps.

The Process Explorer main window provides a simple paneled display of information about the processes that are running on the computer. Each row in the process list represents a process object running on the computer that has its own virtual address space and one or more threads that could conceivably execute code at some point.

The names of malicious processes often mimic the names of legitimate processes, which can make them difficult to identify in Task Manager. Using Process Explorer makes it easier to identify processes that run from suspicious locations, or that display suspicious characteristics. By default, processes are listed in a hierarchical view called the process tree, which shows parent/child relationships between processes. Columns display a range of properties for each process, including the name of the company that published the image, a brief description, version information, and more.

When investigating an infection, pay attention to the Company Name, Description, and Version columns. Legitimate software publishers usually provide values for some or all of these columns, but malware authors sometimes neglect them. To display more columns or hide columns already in the display, click the View menu, and then click Select Columns.

Rows can be highlighted in different colors, which provides additional information:

  • Light blue These processes (“own processes”) are the processes that are running in the same user account as Process Explorer. Generally, this means that they are running under the active user account, rather than a system or service account. Note that although they are running in the same user account, they might be in different Local Security Authority (LSA) logon sessions, integrity levels, or terminal sessions, and therefore are not all necessarily running in the same security context.

  • Pink indicates that the process is hosting one or more Windows services. Services can run on their own, or as part of the services DLL inside a Svchost.exe process.

  • Violet indicates that the image has been packed (compressed or encrypted). Malware often uses this technique to evade anti-malware and then unpack itself in memory and execute. Note that sometimes the heuristics result in false positives, most commonly with debug builds of Microsoft Visual C++ applications.

  • Brown Indicates jobs. These are processes that have been associated with a job. A job is a Windows construct that allows one or more processes to be managed as a unit. Jobs can have constraints applied to them, such as memory and execution time limits. A process can be associated with at most one job. Jobs are not highlighted by default.

  • Yellow Indicates .NET processes. These are processes that use the Microsoft .NET Framework.

  • Dark gray Indicates suspended processes. These are processes in which all threads are suspended and cannot be scheduled for execution. Processes that have crashed might appear as suspended while Windows Error Reporting handles the crash. (Don’t confuse this gray with the lighter gray color that, with default Windows color schemes, indicates the selected row when the Process Explorer window does not have focus.)

  • Green and red indicates that the process has just started or exited, respectively. By default, rows are only highlighted green or red for 1 second, which can make them difficult to track. You can change this default length by clicking Difference Highlight Duration in the Options menu.

Moving the mouse pointer over a row displays a tooltip with information about the process, such as the full path to the process image, which can help you identify processes running from unusual or suspicious locations. Tooltips also provide additional information for system processes, such as DLLs hosted by Rundll32.exe, services hosted by Svchost.exe and other service processes, and COM server information for Dllhost.exe. Malware often attempts to disguise its presence by attaching itself to system processes such as these, so pay attention to tooltips when investigating the source of an infection.


To research a process you don’t recognize, select Search Online from the Process context menu or press Ctrl + M to search for the process name using the configured browser and search engine.


Malware sometimes uses random or semi-random strings for process and file names, so even if you can’t locate affirmative evidence that a process is a malicious one, a search that produces no results at all for a process name can sometimes indicate that the process is suspicious.

Figure: a malicious process created by a variant of the worm family Win32/Rimecud

The screenshot above shows a malicious process created by a variant of the worm family Win32/Rimecud. This process has no icon, company name, or description, and a name that produces no results in an Internet search.

Malware can hide inside a legitimate process as a DLL, using a technique called DLL injection. Process Explorer’s lower pane (which can be shown by clicking the Show Lower Pane button on the toolbar or pressing Ctrl + L) lets you list the contents of the process selected in the upper pane. The lower pane can be configured to display in either DLL view or Handle view. DLL view lists all the DLLs and other files mapped into the process’ address space, and Handle view lists all the kernel objects opened by the process. Pressing Ctrl + D opens DLL view. Pressing Ctrl + H opens Handle view.

Figure: DLL view lists the DLLs and other files used by a process

In DLL view, each row in the lower pane lists information about a DLL, executable file, or other memory-mapped file that is being used by the process. For the System process, DLL view lists the image files mapped into kernel memory, including Ntoskrnl.exe and all the loaded device drivers. As with processes, any packed files are highlighted in purple.

Double-clicking a row displays a Properties dialog with information about the file, including any strings found in the file on disk and in memory. DLL view also supports the same Search Online functionality that the Process view does.


You need to run Process Explorer with administrative rights to list DLLs loaded in processes running as a different user, but administrative rights are not required to list the images loaded in the System process.

Double-clicking a process launches the Properties dialog.


This process Properties dialog provides detailed process information, much of which can be useful when investigating malware. Process information is arranged on a number of tabs, including:

Image. This tab displays information about the executable file that launched the process, including the path to the file, the command-line argument used to launch it, the user account under which it is running, the creation time of the file, and the time the process was started.

Services. This tab provides detailed information about the services registered in the process. This information includes the name used to identify the service in the registry, the display name of the service, an optional description, and (for Svchost.exe DLLs) the DLL path.

Strings. This tab lists any Unicode strings found in the executable file. Look for suspicious URLs, names, or debug strings—malware binaries are often “signed” by their creators, or include URLs for command-and-control (C&C) or download servers. Process Explorer allows you to view strings in the file’s address space in memory as well as on disk, which can be helpful in the investigation of packed files. (Strings.exe, another Sysinternals utility, provides a command-line interface for extracting strings from a file.) Clicking the Memory option button causes Process Explorer to list the strings visible in the file’s memory mapping, which can reveal strings that might be encrypted in the on-disk version of the file.
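The on-disk half of what the Strings tab shows can be reproduced from the command line. The following PowerShell function is an added example, not Sysinternals code and not Strings.exe: it pulls printable ASCII and UTF-16LE runs out of a file and brings URL-like values and other strings worth reading first to the top. The file path is a placeholder for a path recorded from a Process Explorer tooltip, and the `$interesting` pattern is my own assumption about what to look at first. Strings that exist only in the unpacked in-memory image are not visible this way; for those, the Memory option in Process Explorer is still needed.

```powershell
# Added example: extract printable strings from a file on disk, the way the Strings tab
# (on-disk view) and Strings.exe do, then flag the values an investigator reads first.

function Get-FileStrings {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MinimumLength = 6
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps every byte to exactly one character, so match offsets equal byte offsets.
    $text = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    # Runs of printable ASCII.
    foreach ($m in [regex]::Matches($text, "[\x20-\x7e]{$MinimumLength,}")) {
        [pscustomobject]@{ Offset = $m.Index; Encoding = 'ASCII'; Value = $m.Value }
    }
    # Printable ASCII interleaved with NUL bytes is UTF-16LE text, the usual form in Windows binaries.
    foreach ($m in [regex]::Matches($text, "(?:[\x20-\x7e]\x00){$MinimumLength,}")) {
        [pscustomobject]@{ Offset = $m.Index; Encoding = 'UTF-16LE'; Value = ($m.Value -replace "`0", '') }
    }
}

# URLs, UNC paths, debug (.pdb) paths and references to command interpreters are the
# strings the tutorial says to look for; this pattern is an assumption, extend it as needed.
$interesting = '(?i)(https?://|ftp://|\\\\[a-z0-9_.-]+\\|\.pdb$|cmd\.exe|powershell|rundll32)'

$target = 'C:\path\to\suspect.exe'   # placeholder: full path recorded from the process tooltip

Get-FileStrings -Path $target |
    Where-Object { $_.Value -match $interesting } |
    Sort-Object Offset |
    Format-Table Offset, Encoding, Value -AutoSize
```

Drop the `Where-Object` stage to see every string, as the Strings tab does; the filtered view is only a shortcut for a large binary.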

The second field in the Image tab serves as a Verified Signer field, showing the company name from the version resource or the subject name from the verified signing certificate. If signature verification has not been attempted, you can click the Verify button to perform that verification. Clicking the Verify button causes Process Explorer to check the Certificate Revocation List (CRL) for the certificate to ensure that it is valid, and to check the cryptographic hash of the file to verify that it has not been tampered with since being signed. (Validating certificates requires reconnecting the computer to the Internet, which should only be considered if the risk of additional exfiltration or infection is low.)

A malware author who takes the trouble to do so can easily add the name of a legitimate company, such as Microsoft, to the Company field of an executable file. Therefore, to provide assurance that their products are genuine, legitimate software vendors digitally sign most of the program files they publish. A digital signature can be used to verify that a file has been signed by the vendor using a private key and that the file has not been modified since being signed.

To configure Process Explorer to automatically verify the signatures for all running processes and files, click the Options menu, and then click Verify Image Signatures.

The Verified Signer field, which displays next to the file icon in the Properties dialog and as a column that can be shown in the process list and DLL View, indicates the status of any signature check that has been performed.

If Process Explorer is able to verify the signature, the field displays “(Verified)”, followed by the subject name from the certificate.


If signature verification has not been attempted, or if the selected file is not an executable file type, the field is blank or displays “(Not verified)” followed by the company name from the file’s version resource. “(Unable to verify)” followed by the company name indicates that the file is not signed or that a signature check has failed. You can also use the command-line Sysinternals Sigcheck tool to verify signatures on specific files as well as view detailed version information and their MD5, SHA1, and SHA256 hashes. The Sigcheck tool also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.

Figure: Autorun.A, masquerading as a system process but failing signature verification

Some malicious files are designed to load as device drivers, so it’s important to investigate drivers as well. Click the System process to display all the currently loaded drivers in DLL View. From this display, you can inspect the same properties that are available for DLLs and other files, such as the path to the driver file, the verified signer, strings found in the file on disk or in memory, and so on. To change the column selection that appears in DLL view, right-click on the column header in the lower pane and choose Select Columns.
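The signature check described for the Verified Signer field and Sigcheck, applied to loaded drivers as this paragraph recommends, can also be scripted. The following PowerShell is an added example (not Sysinternals code): it enumerates the kernel drivers the Service Control Manager knows about through the Win32_SystemDriver class, verifies each driver file’s Authenticode signature and records its SHA256 hash, the same data Sigcheck reports. The rules that normalise the PathName value are my assumptions about the forms that field takes; verify them on the system at hand.

```powershell
# Added example: signature and hash report for kernel drivers, the scripted counterpart
# of inspecting the System process in DLL view. Run elevated; read-only.

function Get-DriverSignatureReport {
    foreach ($d in Get-CimInstance -ClassName Win32_SystemDriver) {
        $path = $d.PathName
        if (-not $path) { continue }
        # PathName is usually one of:  \??\C:\...\x.sys  |  \SystemRoot\System32\drivers\x.sys
        #                              System32\drivers\x.sys  |  C:\Windows\System32\drivers\x.sys
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^System32\\', "$env:SystemRoot\System32\"

        if (-not (Test-Path -LiteralPath $path)) {
            # A registered driver whose file is gone is itself worth a note.
            [pscustomobject]@{ Name = $d.Name; State = $d.State; Path = $path; Status = 'FileMissing'; Signer = ''; SHA256 = '' }
            continue
        }

        $sig = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Name   = $d.Name
            State  = $d.State
            Path   = $path
            Status = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
    }
}

# Running drivers whose signature is not Valid, or whose signer is not Microsoft, are the
# rows to cross-check against the System process's DLL view and the driver's strings.
Get-DriverSignatureReport |
    Where-Object { $_.State -eq 'Running' -and ($_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft') } |
    Format-Table Name, Status, Signer, Path -AutoSize
```

Keep the full report (without the `Where-Object` filter) as part of the investigation record: the SHA256 column lets a driver be checked against a known-good copy or a scanning service later, without the infected system needing network access at the time.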


To change the column selection that appears in Handle view, press Ctrl + H to open Handle view, and then right-click on the column header in the lower pane and choose Select Columns.

How to Identify Malware Infections with Process Explorer Utility

You can use another Sysinternals tool, Process Monitor, to examine events in detail, including error messages and short-lived processes.


Process Monitor records many different kinds of activity as it runs; each row represents a specific event. Events tracked by Process Monitor include process starts and exits, thread starts and exits, network events, registry events, and many more. Each row gives a selection of information about the associated process, such as the operation performed, the path to the associated file or registry key, time information, and additional details.

To see short-lived processes in Process Monitor, open the Process Tree window by clicking the Tools menu and then clicking Process Tree, or by pressing Ctrl + T. The Process Tree window displays a list of all processes that have run since Process Monitor was launched, including processes that have exited.


Double-clicking a row displays a Properties dialog with all of the available information about the event, including the call stack—the hierarchical list of nested function calls that led to the event. By examining the call stack of a malicious event, you can determine which function directly invoked it, which may alert you to the presence of additional malware.

You can integrate Process Monitor with Debugging Tools for Windows, which are available for download at no charge from the Microsoft Download Center, to make it easier to interpret the function calls in the stack.



Terminate Malicious Processes

After you locate the malicious processes, record the full path to each malicious file so you can remove them after terminating their processes.

Malware infections may include multiple processes, each of which monitors the others and restarts them when they are terminated. Instead of simply terminating malicious processes one by one, right-click the process and, from the context menu, click Kill Process Tree.


    Note
Suspending or terminating Svchost.exe and other core system processes might cause parts of the system to become non-responsive or cause it to reboot.


While terminating processes, look for any recently started or restarted processes in the list (identified by green highlighting). If terminating malicious processes causes others to restart, it could be an indication that you’re overlooking one or more sources of infection.
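The three steps of this section (record the paths, kill the whole tree, watch for anything that restarts) as an added PowerShell example rather than Process Explorer’s own code. It rebuilds the tree from the ParentProcessId field of Win32_Process, writes every image path and command line to a log before touching anything, terminates the deepest descendants first so a watchdog parent cannot respawn them, and then lists processes that appeared afterwards, the equivalent of the green rows. The PID in the usage line and the log path are placeholders.

```powershell
# Added example: "Kill Process Tree" from PowerShell, with path recording and a restart
# check. Run elevated. Do not point it at Svchost.exe or other core system processes.

function Get-ProcessTree {
    param([Parameter(Mandatory)] [int] $RootPid)
    $all      = Get-CimInstance -ClassName Win32_Process
    $byParent = $all | Group-Object -Property ParentProcessId -AsHashTable -AsString
    $queue    = [System.Collections.Generic.Queue[int]]::new()
    $queue.Enqueue($RootPid)
    $tree = @()
    while ($queue.Count -gt 0) {
        $id   = $queue.Dequeue()
        $proc = $all | Where-Object ProcessId -eq $id
        if (-not $proc) { continue }
        $tree += $proc
        foreach ($child in @($byParent["$id"])) {
            # PID reuse guard: a real child was created after its parent; an older process
            # that merely records this PID as its (long-dead) parent is not part of the tree.
            if ($child -and $child.CreationDate -ge $proc.CreationDate) {
                $queue.Enqueue([int]$child.ProcessId)
            }
        }
    }
    return $tree
}

function Stop-ProcessTree {
    param(
        [Parameter(Mandatory)] [int] $RootPid,
        [string] $LogPath = "$env:TEMP\malware-paths.txt"   # placeholder location for the record
    )
    $tree = @(Get-ProcessTree -RootPid $RootPid)

    # Step 1: record full paths BEFORE terminating, so the files can be deleted afterwards.
    $tree | ForEach-Object { "$($_.ProcessId)`t$($_.ExecutablePath)`t$($_.CommandLine)" } |
        Add-Content -LiteralPath $LogPath
    $before = (Get-Process).Id

    # Step 2: deepest descendants first, root last, so nothing is left to respawn siblings.
    [array]::Reverse($tree)
    foreach ($p in $tree) { Stop-Process -Id $p.ProcessId -Force -ErrorAction SilentlyContinue }

    # Step 3: anything that appeared in the next few seconds is a candidate watchdog you missed.
    Start-Sleep -Seconds 3
    Get-Process | Where-Object { $_.Id -notin $before } | Select-Object Id, ProcessName, Path
}

# Usage:
#   Stop-ProcessTree -RootPid 1234        # placeholder PID taken from the Process Explorer investigation
#   Get-Content "$env:TEMP\malware-paths.txt"   # the recorded paths for the file-removal step
```

If the restart check keeps reporting new processes, return to Process Explorer and Autoruns rather than repeating the kill: a process that comes back within seconds is being relaunched by something still running or by a scheduled trigger.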



Use Autoruns Tool to Identify and Delete Malware

Malware persists on an infected computer by configuring itself to run when Windows starts, or when a user logs in. Software that runs automatically without being intentionally started by a user includes drivers and services that start when the computer is booted; applications, utilities, and shell extensions that start when a user logs on; and browser extensions that load when Internet Explorer is started. There are over 100 locations in the file system and registry that allow autostarts to be configured on x86 versions of Windows, and many more on x64. These locations are often referred to as Autostart Extensibility Points, or ASEPs.

ASEPs have legitimate and valuable purposes. For example, if you want your instant messaging contacts to know when you are online, having the messaging client start when you log on is a great help. Users enjoy search toolbars and PDF readers that become part of Internet Explorer. And much of Windows itself is implemented through ASEPs in the form of drivers, services, and Explorer extensions. On top of that, malware almost always hooks one or more ASEPs, and virtually every ASEP in Windows has been used by malware at one point or another.

Although Windows offers the System Configuration Utility (msconfig.exe) to let you see some of these autostarts, it shows only a small subset and is of limited usability.

The information that Autoruns exposes can be discovered manually if you know where to look in the registry and file system. Autoruns automates that task, scanning a large number of ASEPs in a few seconds, verifying entries, and making it easier to identify entries with suspicious characteristics such as the lack of a digital signature.

Launch Autoruns and it immediately begins filling its display with entries collected from known ASEPs.


Each shaded row represents an ASEP location in either the file system or the registry. The rows beneath a shaded row indicate entries configured in that ASEP. Each row shows the item’s description, publisher, and path. Click a row to display more information about the item at the bottom of the Autoruns window, including file size, version number, and any command-line arguments used to launch the item. Double-clicking an item in the list displays the item in either Regedit or an Explorer window, depending on whether the item is a registry entry or a file on disk. For registry entries, you can also open the folder that contains the file associated with the selected entry by clicking the Entry menu and then clicking Jump to Image.

On most computers, Autoruns is likely to display hundreds of entries for startup items. To reduce the number of items you have to investigate, enable the Hide Microsoft and Windows Entries and Verify Code Signatures options in the Options menu, and then click Refresh on the toolbar to filter out items with verified Microsoft signatures.


Autoruns can also be used to display autostart entries for other profiles, and for offline computers (for example, an offline virtual machine, or a physical computer booted into a preinstallation environment with Autoruns installed). To display entries for another profile, click the User menu, and then click the user account you want to check. To check an offline computer, click the File menu, and then click Analyze Offline System.

Look out for suspicious autostart items like files with no icon, entries with blank Description and Publisher fields, files with unusual or random-seeming names, files that can’t be verified, and files in unexpected locations, among others. To quickly search for information about a filename online, click the Entry menu and then click Search Online, or press Ctrl + M.

To delete a selected autostart entry, click the Entry menu and then click Delete, or press Ctrl + D. To disable an entry without deleting it, clear the check box at the left end of the row. Before deleting any entries, record the full path to each malicious file, so you can remove them later.
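As an added example (not Autoruns code and not part of the original tutorial), the following PowerShell enumerates a handful of the most common ASEPs, the Run/RunOnce registry keys and the two Startup folders, resolves each entry to its image file, reads the publisher and description from the version resource, checks the Authenticode signature, and hides entries that verify as Microsoft-signed, mirroring the Hide Microsoft and Windows Entries and Verify Code Signatures options. Autoruns scans far more locations than the few listed here; the key list and the command-line parsing rules are my assumptions. Nothing is deleted or disabled; the script only reports.

```powershell
# Added example: a small ASEP scan in the style of Autoruns, reporting publisher,
# signature status and image path for each entry. Read-only; run elevated.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Extract the image path from a command line such as  "C:\Program Files\x.exe" /arg  or  C:\x.exe /arg
function Resolve-ImagePath {
    param([string] $CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(\S+\.(?:exe|dll|cmd|bat))') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

$entries = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Get-ItemProperty adds PSPath/PSParentPath/... members; everything else is an autostart value.
    foreach ($name in ($props.PSObject.Properties | Where-Object Name -notlike 'PS*').Name) {
        $entries += [pscustomobject]@{ Location = $key; Entry = $name; Command = [string]$props.$name }
    }
}
foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $folder -File) {
        # Startup folders usually hold shortcuts; follow them to the real target.
        $target = if ($f.Extension -eq '.lnk') {
            (New-Object -ComObject WScript.Shell).CreateShortcut($f.FullName).TargetPath
        } else { $f.FullName }
        $entries += [pscustomobject]@{ Location = $folder; Entry = $f.Name; Command = $target }
    }
}

$entries | ForEach-Object {
    $image  = Resolve-ImagePath $_.Command
    $exists = $image -and (Test-Path -LiteralPath $image)
    $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $image } else { $null }
    $info   = if ($exists) { (Get-Item -LiteralPath $image).VersionInfo } else { $null }
    [pscustomobject]@{
        Location    = $_.Location
        Entry       = $_.Entry
        Image       = $image
        Exists      = [bool]$exists       # an entry pointing at a missing file is itself a clue
        Publisher   = $info.CompanyName
        Description = $info.FileDescription
        Signature   = if ($sig) { $sig.Status } else { 'n/a' }
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
} | Where-Object {
    # "Hide Microsoft and Windows Entries": drop only entries whose Microsoft signature verifies.
    -not ($_.Signature -eq 'Valid' -and $_.Signer -match 'O=Microsoft Corporation')
} | Format-Table Entry, Signature, Publisher, Description, Image, Location -AutoSize
```

Entries that survive the filter with an empty Publisher and Description, a non-Valid signature, or an image outside Program Files and the Windows directory are the same rows the tutorial tells you to examine in Autoruns; the Location column tells you which key or folder to open in Regedit or Explorer to disable or delete them once the file path has been recorded.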

After terminating malicious processes and deleting autostart entries, the next step is to remove the malicious files themselves by visiting the file locations you recorded during the investigation, locating the malicious files, and deleting them.

To verify that you’ve eliminated the malware, reboot the computer and check for signs of malware infection using all the Windows Sysinternals tools.

Did you find this tutorial helpful? Don’t forget to share your views with us.