Honing Computer Forensics Skills with Process Explorer

Wednesday Dec 24th 2008 by Lyne Bourque

Need to cleanse a malware-infected Windows system? Learning to use a free and handy tool called Process Explorer is an essential first step.

So how do you actually go about removing malware?

The reality is that most detection software, even after all this time, is still in the growing stage. Depending on whom you ask, the proactive success rate is potentially as low as 40 percent (or a detection failure rate as high as 60 percent). This means detection primarily happens after a system has been infected.

The challenge is dealing with systems that have already been infected, and removing those nasties when the virus or malware prevents antivirus software from quarantining or removing it, or blocks the operating system from receiving the security fixes that would address it.

The only way to ensure a clean system is a fresh install of the operating system. This isn't always an option and should only be a last resort. As with any system, you should have valid and working backups to minimize any data loss when this option is the last recourse on a system.

Process Explorer

Last month I talked about some of the tools that you can use for forensic purposes on an infected or compromised system. One of those tools is very helpful for removing nasties: Process Explorer. I've used Process Explorer for at least the last five years to troubleshoot Windows processes.

One of the first things you should have is an idea of what is normal in your list of processes. Looking at the screenshot below, I can see that my system is running fine.

[Screenshot: Process Explorer - Forensics]

This happens to be my virtual machine, as identified by the processes listed near the 1 in the screenshot. All the other processes are normal running processes. Only if something appears out of the ordinary do I need to be concerned. So when I look at it again, oh no!

[Screenshot: Process Explorer - Forensics]

I see three new processes running: dc.exe, Fun.exe and SVIQ.EXE. As it turns out, an application called Spyware Terminator, a rogue version of the malware protection suite, infected my system.
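The "know what is normal" idea above, as an added example that is not part of the original article: a short PowerShell script that records the process list of a known-good machine and later diffs a fresh snapshot against it, flagging names that were not in the baseline and known names now running from a different path. It assumes Windows PowerShell 3.0 or later (the XP-era system in the article has no PowerShell), and the baseline file path is a placeholder of my choosing.

```powershell
# Added example, not the article's own code. Assumes Windows PowerShell 3.0+
# for Get-CimInstance; $BaselinePath is an assumed location.

$BaselinePath = 'C:\Forensics\process-baseline.csv'   # assumed path

function Get-ProcessSnapshot {
    # One row per running process: image name, PID, parent PID, parent name, image path.
    $all = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentName = '<none>'
        if ($parent) { $parentName = $parent.Name }
        [pscustomobject]@{
            Name       = $p.Name
            Pid        = $p.ProcessId
            ParentPid  = $p.ParentProcessId
            ParentName = $parentName
            Path       = $p.ExecutablePath
        }
    }
}

function Save-ProcessBaseline {
    # Run this once on a clean machine (or right after a fresh install) to record "normal".
    param([string]$Path = $BaselinePath)
    Get-ProcessSnapshot | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ProcessBaseline {
    # Report anything whose image name is not in the baseline, plus known names
    # whose image path differs from what the baseline recorded.
    param([string]$Path = $BaselinePath)
    $knownPaths = @{}
    foreach ($b in (Import-Csv -Path $Path)) { $knownPaths[$b.Name.ToLower()] = $b.Path }
    foreach ($cur in Get-ProcessSnapshot) {
        $key = $cur.Name.ToLower()
        if (-not $knownPaths.ContainsKey($key)) {
            $cur | Add-Member -NotePropertyName Reason -NotePropertyValue 'not in baseline' -PassThru
        }
        elseif ($cur.Path -and $knownPaths[$key] -and ($cur.Path -ne $knownPaths[$key])) {
            $reason = "path differs (baseline: $($knownPaths[$key]))"
            $cur | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru
        }
    }
}

# Usage:
#   Save-ProcessBaseline                                   # once, on the clean system
#   Compare-ProcessBaseline | Format-Table Name, Pid, ParentName, Path, Reason -AutoSize
```

The parent name is recorded because it is the first thing to look at for a flagged entry: a process the baseline never saw, launched by something other than explorer.exe or services.exe, is exactly the kind of thing the screenshots above show. A baseline taken per machine role (workstation, VM template, server) keeps the diff short.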

Well, time to remove them.

Play it Safe (Mode)

I boot into safe mode by rebooting and hitting F8 (this works on XP systems and can also work on others). Booting into safe mode avoids the possibility of the trojan downloading something and re-infecting the machine.

I relaunch Process Explorer and use Kill Process Tree to kill the parent process of the trojan along with its child processes. The next step is to turn off System Restore. I do this because I know this particular set of malware uses System Restore to recover.

It does mean I have to be very careful about what I do and ensure I tackle all the problem children I can find. I right-click on My Computer and choose Properties. I then go to the System Restore tab of the System Properties dialog box. I select Turn Off System Restore on all drives and click OK. I say Yes to the confirmation (because this is a pretty big deal) and I'm all set.

I then go to the Start button and type regedt32. Using Find, I look for fun.exe (the other two will be nearby in the same area) and delete any and all keys related to it. I also look for winsit.exe, which is an associated file, and remove any references to it. I then check once more for each file throughout the registry to make sure I got every instance.

[Screenshot: Process Explorer - Forensics]

My next step is to search through the %systemfolder% to find all instances of all four files and delete them. Most of these files reside in the System or System32 folders, as well as in the startup areas. To be sure I get everything, I run HiJackThis to see if I got them all.

[Screenshot: Process Explorer - Forensics]

Once everything is clean, I reboot once and make sure everything is gone. Assured that it is, I reinstate System Restore by reversing my previous actions and reboot once more. If the malware is gone, I can move on. If not, I'll have to dig some more.
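The removal steps above (kill the process tree, turn off System Restore, sweep the registry, sweep the file system), as an added example that is not the article's own code. It assumes an elevated Windows PowerShell 3.0 to 5.1 session started from Safe Mode (XP has no PowerShell, and Disable-ComputerRestore is absent from PowerShell 7). The four file names are the ones the article identifies; the registry hives and folders searched are my choice, and the search functions only report so that each hit can be reviewed before it is deleted.

```powershell
# Added example, not the article's own code. Assumes elevated Windows PowerShell
# 3.0-5.1 in Safe Mode. File names are from the article; hives/folders are my choice.

$Suspects = @('dc.exe', 'Fun.exe', 'SVIQ.EXE', 'winsit.exe')

function Get-ProcessTree {
    # PIDs of the root process and every descendant, found by following
    # ParentProcessId links one level at a time.
    param([Parameter(Mandatory = $true)][int]$RootPid)
    $all = Get-CimInstance -ClassName Win32_Process
    $ids = @($RootPid)
    $frontier = @($RootPid)
    while ($frontier.Count -gt 0) {
        $children = @($all |
            Where-Object { ($frontier -contains [int]$_.ParentProcessId) -and ($ids -notcontains [int]$_.ProcessId) } |
            ForEach-Object { [int]$_.ProcessId })
        $ids += $children
        $frontier = $children
    }
    $ids
}

function Stop-SuspectProcessTrees {
    # Same effect as Process Explorer's Kill Process Tree: each suspect and
    # everything it spawned is stopped together, not one process at a time.
    $roots = Get-CimInstance -ClassName Win32_Process | Where-Object { $Suspects -contains $_.Name }
    foreach ($root in $roots) {
        $ids = Get-ProcessTree -RootPid $root.ProcessId
        Write-Host ("Stopping {0} (PID {1}) and {2} descendant(s)" -f $root.Name, $root.ProcessId, ($ids.Count - 1))
        Stop-Process -Id $ids -Force -ErrorAction SilentlyContinue
    }
}

function Find-RegistryReferences {
    # Every key name, value name or value data mentioning a suspect file, in the
    # hives where autostart and service entries live. Report only; -match is
    # case-insensitive, so fun.exe and Fun.exe both hit.
    param([string[]]$Hives = @('HKLM:\SOFTWARE', 'HKCU:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services'))
    $pattern = ($Suspects | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            if ($key.PSChildName -match $pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = ''; Data = ''; Match = $Matches[0] }
            }
            foreach ($valueName in $key.GetValueNames()) {
                $data = [string]$key.GetValue($valueName)
                if ($valueName -match $pattern -or $data -match $pattern) {
                    [pscustomobject]@{ Key = $key.Name; Value = $valueName; Data = $data; Match = $Matches[0] }
                }
            }
        }
    }
}

function Find-SuspectFiles {
    # Copies of the suspect files under the Windows folder and the startup folders.
    param([string[]]$Roots = @(
        $env:SystemRoot,
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"))
    Get-ChildItem -Path $Roots -Recurse -Force -Include $Suspects -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# Usage, in the article's order: stop the trees, turn off System Restore, then
# review what is left in the registry and on disk before deleting it.
Stop-SuspectProcessTrees
Disable-ComputerRestore -Drive "$env:SystemDrive\"
Find-RegistryReferences | Format-Table -AutoSize
Find-SuspectFiles | Format-Table -AutoSize
```

Once the reported hits have been reviewed, the matching values and files are removed with Remove-ItemProperty and Remove-Item, the two search functions are run again to confirm nothing remains (the article's "check once more" step), and after a clean reboot System Restore is switched back on with Enable-ComputerRestore -Drive "$env:SystemDrive\". Running the searches a second time after that reboot is the cheapest way to catch a copy that a surviving autostart entry put back.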

One should be aware, however, of how long it can take to remove a virus. I'm lucky enough to have a virtual machine, which has a boot-up time of a few seconds. This is in stark contrast to a physical machine, which can take a couple of minutes or more to boot and reboot. I also have the advantage of a snapshot, so that if the malware couldn't be removed, I could just revert to the last known good state (although I was able to remove it successfully with these steps).

The trick to doing something like this is to have patience and a bit of time.

I performed these activities in about 45 minutes. This may be the same amount of time it would take to do a restore from a working backup. Process Explorer, however, is a great tool for ferreting out these kinds of nasties and helping to kill them far faster than Task Manager (attempts with Task Manager always resulted in the processes respawning).

Anti-virus, malware detection and other security-minded products are getting better at detection but they aren't perfect. And as much as we want to build a better mousetrap, nothing beats having an old fashioned cat watching the door.

This article was first published on EnterpriseITPlanet.com.

