
Advanced Spyware / Virus Techniques

Last Updated: 2/5/11

This information is most useful for fighting very sophisticated viruses and spyware on Windows 2000 or Windows XP.

Spybot - [Link1] [Link2]
HiJackThis - [Link1] [Link2]
CWS Shredder - [Link1] [Link2] [Link3]
LSP Fix - [Link1] [Link2]
Winsock fix - [Link1] [Link2]
MWAV Removal Tool - [Link1] [Link2]
MWAV Cleanup Tool - [Link1]
Temp File Cleaner - [Link1]

Advanced Tools
Autoruns - [Link1]
About Buster - [Link1]

Advanced Process Termination - [Link1]
Process Explorer- [Link1]
xcacls (NTFS permission changer for the command line) - [Link1]
More Tools...

Folder Rename Technique

Recently I have run into many malware samples that are smart enough to load into memory even when booting into safe mode, and to resist being removed. I normally use MWAV to detect them (MWAV no longer removes malware; it only detects it) and then manually delete the file using Windows Explorer or a Windows command window. Many of these samples run as services or from non-standard startup locations in the registry. Here is some help on how to remove them.

Run a full scan of the system with MWAV in safe mode. If threats are detected, delete them all. Then run Autoruns and select "Show Services". Delete any service whose file is missing or looks malicious. If you run into any files that can't be deleted, you have found one of these new sophisticated malware samples. Here is what you do:

1) While still in safe mode, right click on one of the files and select Properties. Select the Security tab and make sure the group "Users" has Full Control of the file. If it doesn't, check the Full Control check box and select Apply. If there is no group "Users" visible, select Add, type "Everyone" in the box and push OK. Then give "Everyone" Full Control. Now try to delete the file. If it still fails, move to step 2.

2) If step 1 didn't work and the file is an ".exe", open Task Manager by pushing Ctrl + Shift + Esc. You should see the file listed on the Processes tab. If you try to delete or rename the file you will fail. If you "End Task" on the process, it does not go away. After ending the task once, you will notice that you can delete or rename the file, but the file comes back as soon as you do. What you have to do is "End Task" on the bad process once, then rename the folder that the file is running from. Once the folder is renamed, go delete the file. Then "End Task" on the process again and it should go away. Then rename the folder back. The file should now stay gone.

3) If steps 1 and 2 didn't work, the easiest thing to do is probably to remove the file from a bootable disk or another computer. I recommend BartPE for a bootable CD, or the Recovery Console if you can't get BartPE easily. Be sure to check the NTFS security permissions when deleting the files.
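The following PowerShell script is an added example, not part of the original article, that automates steps 1 and 2 of the Folder Rename Technique for a single locked file. It assumes PowerShell 2.0 or later, an elevated prompt in safe mode, and that the path in $LockedFile (a placeholder here) is the file your scanner reported. The folder-name suffix ".quarantine", the function names and the guard that refuses to rename the Windows or System32 folder are this example's own choices; the article describes the same steps done by hand in Explorer and Task Manager.

```powershell
# Added example (not from the original article): steps 1 and 2 of the Folder
# Rename Technique for one locked file. Assumes PowerShell 2.0+, an elevated
# prompt in safe mode, and $LockedFile = the path the scanner reported.
param(
    [string]$LockedFile = 'C:\REPLACE\WITH\scanner-reported\file.exe'   # placeholder
)

# Step 1: give the built-in Everyone group Full Control on the file, as the
# article does through the Security tab. SID S-1-1-0 avoids the localized name.
function Grant-EveryoneFullControl {
    param([string]$Path)
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($everyone, 'FullControl', 'Allow')
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# The processes Task Manager would show for this image, matched by name so that
# a copy respawned from the renamed folder is still found.
function Get-ProcessByImage {
    param([string]$Path)
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    Get-Process -Name $name -ErrorAction SilentlyContinue
}

function Remove-LockedFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Host "Already gone: $Path"; return $true }

    $folder = Split-Path -Parent $Path
    $leaf   = Split-Path -Leaf $Path
    # Guard (this example's own): never rename the Windows or System32 folder.
    $protected = @($env:SystemRoot, (Join-Path $env:SystemRoot 'system32'))
    if ($protected -contains $folder.TrimEnd('\')) {
        Write-Host "Refusing to rename a system folder ($folder); use step 3 (BartPE / Recovery Console)."
        return $false
    }

    Grant-EveryoneFullControl -Path $Path
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        Write-Host "Deleted after fixing permissions: $Path"
        return $true
    } catch {
        Write-Host "Still locked, trying the folder rename (step 2)."
    }

    # Step 2: end the task once, rename the parent folder, delete the file,
    # end the respawned task, then rename the folder back.
    $renamedLeaf = (Split-Path -Leaf $folder) + '.quarantine'
    $renamed     = Join-Path (Split-Path -Parent $folder) $renamedLeaf

    Get-ProcessByImage -Path $Path | Stop-Process -Force -ErrorAction SilentlyContinue
    Rename-Item -LiteralPath $folder -NewName $renamedLeaf -ErrorAction Stop
    Remove-Item -LiteralPath (Join-Path $renamed $leaf) -Force -ErrorAction SilentlyContinue

    # Whatever respawned can no longer find its file under the old folder name;
    # end it again and restore the folder name.
    Get-ProcessByImage -Path $Path | Stop-Process -Force -ErrorAction SilentlyContinue
    Rename-Item -LiteralPath $renamed -NewName (Split-Path -Leaf $folder)

    $gone = -not (Test-Path -LiteralPath $Path)
    if ($gone) { Write-Host "Removed: $Path" }
    else       { Write-Host "STILL PRESENT: $Path. Use step 3 (BartPE / Recovery Console)." }
    return $gone
}

Remove-LockedFile -Path $LockedFile
```

Run it as `.\Remove-LockedFile.ps1 -LockedFile 'C:\path\to\file.exe'` from an elevated safe-mode prompt. Matching the process by name is the same thing Task Manager does, so check the Processes tab first if a legitimate program shares the malware's file name; the script returns $false rather than renaming the Windows or System32 folder, since that is exactly the case where step 3 (an offline boot disk) is the safer route.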

Notepad Exploring Technique

This technique is commonly used together with the previous one. It applies when an anti-virus program detects a virus in a file on the hard drive that can't be removed: when you try to delete it you get an error about the file being in use, and when you boot into safe mode you can't see the file anymore. To solve this, boot into safe mode, then go to Start Menu > Run and type "notepad". When Notepad opens, click File > Open. When the Open dialog appears, use it to locate the file that you can't see. Basically, if you can't see a file in safe mode that you can see in normal mode, then you need to use Notepad to explore instead of Windows Explorer. Whenever you run into a file like this, check the "AppInit_DLLs" section of the registry to see if the file is listed there.
Read more about it here: Backdoor.Agent.BA or d3dmdaf.dll
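The following read-only audit script is an added example, not part of the original article. It covers two checks the article describes doing by hand: the "Show Services" pass in Autoruns above (services whose binary is missing), and the AppInit_DLLs check in this section, reporting for each listed DLL whether the file exists and whether it carries the Hidden or System attribute that keeps it out of a default Explorer view. It assumes PowerShell 2.0 or later and an elevated prompt; the function names and the ImagePath parsing rules are this example's own. Nothing on the system is modified.

```powershell
# Added example (not from the original article): a read-only audit of
# (a) services/drivers whose ImagePath points at a missing file, and
# (b) every entry in AppInit_DLLs with existence and attribute information.
# Assumes PowerShell 2.0+ and an elevated prompt. Nothing is changed.

# Turns a raw ImagePath or AppInit entry into a plain file path: expands
# %SystemRoot%-style variables, handles the "\??\" and "\SystemRoot\" prefixes,
# strips quotes, drops command-line arguments, and resolves relative paths
# such as "system32\drivers\foo.sys" against the Windows directory.
function ConvertTo-ImageFile {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    if ($p.StartsWith('\??\')) { $p = $p.Substring(4) }
    if ($p -match '^\\SystemRoot\\') { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    if ($p.StartsWith('"')) {
        $close = $p.IndexOf('"', 1)
        if ($close -gt 1) { $p = $p.Substring(1, $close - 1) } else { $p = $p.Trim('"') }
    } else {
        # First token ending in a binary extension: "C:\x\svc.exe -k net" -> C:\x\svc.exe
        $m = [regex]::Match($p, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# (a) Services and drivers whose binary is missing: the entries Autoruns flags
# under "Show Services" and the article says to delete.
function Get-ServiceWithMissingBinary {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        if ($props.ImagePath) {
            $file = ConvertTo-ImageFile $props.ImagePath
            if ($file -and -not (Test-Path -LiteralPath $file)) {
                New-Object PSObject -Property @{
                    Service   = $_.PSChildName
                    ImagePath = $props.ImagePath
                    Resolved  = $file
                }
            }
        }
    }
}

# (b) AppInit_DLLs entries. File.GetAttributes reads the NTFS attributes
# directly, so a file Explorer hides as Hidden/System is still reported.
function Get-AppInitDll {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $raw = (Get-ItemProperty -LiteralPath $key).AppInit_DLLs
    if (-not $raw) { return }
    foreach ($entry in ($raw -split '[,\s]+' | Where-Object { $_ })) {
        $file  = ConvertTo-ImageFile $entry
        $attrs = $null
        if (Test-Path -LiteralPath $file) { $attrs = [IO.File]::GetAttributes($file) }
        New-Object PSObject -Property @{
            Entry  = $entry
            File   = $file
            Exists = ($attrs -ne $null)
            Hidden = ($attrs -ne $null) -and (($attrs -band [IO.FileAttributes]::Hidden) -ne 0)
            System = ($attrs -ne $null) -and (($attrs -band [IO.FileAttributes]::System) -ne 0)
        }
    }
}

Write-Host '== Services whose binary is missing (review these in Autoruns) =='
Get-ServiceWithMissingBinary | Format-Table Service, ImagePath, Resolved -AutoSize
Write-Host '== AppInit_DLLs entries =='
Get-AppInitDll | Format-Table Entry, Exists, Hidden, System, File -AutoSize
```

A service whose binary is missing is usually a leftover from a removed program, but on a machine you are cleaning it is also what a deleted-then-respawning malware service looks like, so review each row in Autoruns before deleting. An AppInit_DLLs entry whose file exists but is marked Hidden and System is the case this section describes: Explorer won't show it with default settings, while Notepad's Open dialog (and this script) will.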

Delete Undeletable File Technique

Keywords: spyware virus malware removal advanced Techniques