While attending TechEd 2006 in Boston, I caught Sysinternals' malware expert Mark Russinovich's presentation, entitled "Enterprise Malware Solutions." He began the presentation by saying, "Discovering malware is all well and good, but most people don't know how to actually remove it from their system once they find it." Given that many popular antivirus and antispyware tools don't always remove the malware they discover, I appreciated Russinovich's intent to show us how to eliminate malware by hand.
Russinovich was careful to identify rootkits as their own monster in the malware world. Rootkits disguise themselves as other types of files and processes and can hide from the tools typically used to remove other forms of malware. He addressed rootkits in more depth toward the end of the discussion.
Russinovich laid out these steps to remove malware from your system.
STEP 1: Disconnect from the network
If you are connected to the network, you are vulnerable to attacks from malicious software. You are not invincible while running system scans, so the first step is to disconnect entirely.
STEP 2: Download all available auto-remove tools
Many spyware tools will show you that your system is infected with malware but won't actually remove it for you, cautioned Russinovich. Also, some tools will run free system scans and display discovered malware, but only remove it if you then pay and register for the product. Obviously, you would prefer to simply have an anti-malware program remove the infections for you.
So why not just download a well-known, industry-leading solution that does just that? Well, according to Russinovich, no matter how effective a tool is, free or paid for, it is highly unlikely to remove everything in one fell swoop.
Perhaps as the founder of Sysinternals, he is a little biased, but he suggested (and demonstrated) the use of freeware tools like Process Explorer, Autoruns, and TCPView to identify malware on your system.
STEP 3: Clean autostarts
When booting up your system, some programs start automatically. These programs include those in your startup folder, the Run and RunOnce Registry keys, and other Registry keys, and some of them may in fact be malicious software. Autoruns lists these programs, so after you have removed malware and restarted your computer it will show you what still starts automatically; Process Explorer identifies which of them you need to remove.
Russinovich warned of these tell-tale signs that you have malware:
- File found in Windows32 or Windows directory
- Suspicious DLL
- No source for file found
- Process Explorer highlights file pink
- Process begins immediately after you kill it
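The signs above can be checked mechanically against the autostart locations named in this step. The following PowerShell script is an added example, not code from the article or from Sysinternals: it reads the Run and RunOnce keys and both Startup folders, and reports every entry that matches one or more of the signs (located under the Windows directory, file missing, no valid Authenticode signature, no company name in the version resource, or an eight-letter random-looking name like the ones Russinovich cites). The function names (`Get-SuspiciousAutostart`, `Test-AutostartSigns`, `Get-ImagePath`, `Resolve-Shortcut`) are this example's own; the script only reads, it removes nothing.

```powershell
# Added example, not code from the article or from Sysinternals.
# Audits the autostart locations named in Step 3 and reports which entries
# match the tell-tale signs. Read-only: nothing is removed. Run from an
# elevated PowerShell prompt so HKLM keys and System32 are readable.

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Extract the executable from a Run-key command line such as
#   "C:\Program Files\Vendor\tool.exe" /background   or   C:\Windows\ytsfctrl.exe -s
function Get-ImagePath([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.+?\.(exe|dll|cmd|bat|vbs|scr))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

# Startup-folder entries are usually .lnk shortcuts; follow them to the real target.
function Resolve-Shortcut([string]$Path) {
    if ($Path -notlike '*.lnk') { return $Path }
    $shell = New-Object -ComObject WScript.Shell
    return $shell.CreateShortcut($Path).TargetPath
}

# Apply the article's signs to one image path; returns the signs that match.
function Test-AutostartSigns([string]$ImagePath) {
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return @('no image path') }
    $signs = @()
    if ($ImagePath -like "$env:windir\*") {
        $signs += 'lives under the Windows directory'
    }
    if (-not (Test-Path -LiteralPath $ImagePath)) {
        $signs += 'file not found on disk'
        return $signs
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $ImagePath
    if ($sig.Status -ne 'Valid') {
        $signs += "no valid Authenticode signature ($($sig.Status))"
    }
    $company = (Get-Item -LiteralPath $ImagePath).VersionInfo.CompanyName
    if ([string]::IsNullOrWhiteSpace($company)) {
        $signs += 'no company/source in the version resource'
    }
    # Random-looking names like the ytsfctrl.exe / arwaxite.exe examples in the article
    $leaf = [IO.Path]::GetFileNameWithoutExtension($ImagePath)
    if ($leaf -cmatch '^[a-z]{8}$') {
        $signs += 'eight random-looking lowercase letters'
    }
    return $signs
}

function Get-SuspiciousAutostart {
    $entries = @()
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSDrive metadata
            $entries += [pscustomobject]@{ Location = $key; Name = $p.Name; Image = Get-ImagePath ([string]$p.Value) }
        }
    }
    foreach ($folder in $StartupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $folder -File) {
            $entries += [pscustomobject]@{ Location = $folder; Name = $f.Name; Image = Resolve-Shortcut $f.FullName }
        }
    }
    foreach ($e in $entries) {
        $signs = @(Test-AutostartSigns $e.Image)
        if ($signs.Count -gt 0) {
            [pscustomobject]@{ Signs = $signs.Count; Location = $e.Location; Name = $e.Name; Image = $e.Image; Why = ($signs -join '; ') }
        }
    }
}

Get-SuspiciousAutostart | Sort-Object Signs -Descending | Format-Table -AutoSize -Wrap
```

Entries that match only the Windows-directory sign are common and usually legitimate (Microsoft-signed binaries under System32), which is why the output sorts by the number of matching signs: an unsigned file with no company name and a random eight-letter name under the Windows directory is what the article's checklist is really pointing at. As with Autoruns itself, the list is a starting point for the manual review described in the text, not a verdict.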
When using Process Explorer to terminate identified processes and files, you may notice other processes (usually randomly named, for example ytsfctrl.exe or arwaxite.exe) begin immediately after another process is terminated. This means that the malware on your system is being watched by a "watchdog". The watchdog starts the same process by another name when the first process is killed. Process Explorer gives you the option to "suspend" the process rather than kill it. This typically prevents the watchdog from recognizing that a process has stopped running.
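The watchdog behaviour described above can be made visible from the command line. The following PowerShell function is an added example, not code from the article or from Sysinternals: it snapshots the process list, terminates one process you have already identified as malicious, waits a few seconds, and reports every process that appeared in the meantime together with the parent that started it, which is the watchdog itself when a respawn occurs. The function name `Test-WatchdogRespawn` and its parameters are this example's own.

```powershell
# Added example, not code from the article or from Sysinternals.
# Terminates one suspect process by PID, then diffs the process list to show
# what appeared in its place and which process spawned it (the likely watchdog).
# Use only on a process already identified as malicious with Process Explorer.
function Test-WatchdogRespawn {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [int]$WaitSeconds = 5
    )
    $snapshot = { Get-Process | Select-Object Id, ProcessName, Path }
    $before = & $snapshot
    $target = $before | Where-Object Id -eq $ProcessId
    if (-not $target) { throw "No running process has PID $ProcessId" }
    # Path can be empty for processes owned by other users when not elevated
    $targetDir = if ($target.Path) { Split-Path -Parent $target.Path } else { $null }

    Stop-Process -Id $ProcessId -Force -ErrorAction Stop
    Start-Sleep -Seconds $WaitSeconds
    $after = & $snapshot

    # Any PID that did not exist before is a candidate respawn
    $newProcs = $after | Where-Object { $before.Id -notcontains $_.Id }
    foreach ($p in $newProcs) {
        $wmi = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
        if (-not $wmi) { continue }   # exited again before we could look at it
        $parent = Get-Process -Id $wmi.ParentProcessId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Killed     = "$($target.ProcessName) ($ProcessId)"
            NewProcess = "$($p.ProcessName) ($($p.Id))"
            NewPath    = $p.Path
            SameFolder = [bool]($targetDir -and $p.Path -and ((Split-Path -Parent $p.Path) -eq $targetDir))
            ParentPid  = $wmi.ParentProcessId
            Parent     = if ($parent) { $parent.ProcessName } else { '(exited or unknown)' }
        }
    }
}

# Usage: Test-WatchdogRespawn -ProcessId 1234 | Format-Table -AutoSize
```

A process that reappears under a new random name from the same folder, with a parent that is not explorer.exe or a service host you recognise, is the pattern the article describes; the `Parent` column then names the watchdog. That parent is the process to suspend rather than kill, either from Process Explorer's Suspend option or with PsSuspend from the Sysinternals PsTools suite, before cleaning up the autostart entries. Unrelated processes that happen to start during the wait window also show up in the output, so treat it as a diff to read, not an alert.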
STEP 4: Run a full refresh
After you have removed malware and malicious autostarts, Russinovich recommends repeating the entire process, just to be sure you have removed 100% of your system infection.
If malware issues persist, particularly at the enterprise level, you are advised to completely reinstall Windows. This is the only way to be certain that you have removed every piece of infected software.
Rootkits are a particularly nasty form of malware that Russinovich defines as "software such as files, processes or registry keys that hides itself from view of standard diagnostic and administrative tools". Repeating the steps listed above and running Rootkit Revealer can prove an effective way to keep your system malware-free. Visit Rootkit.com for up-to-date information on rootkits and rootkit removal tools.
In some instances, rootkits avoid detection by not hiding themselves. If a file or registry key is not hidden, Rootkit Revealer will not report it as a threat and thus it will remain on your system. This is where running every tool at your disposal comes into play. While such an infection will not be detected by Rootkit Revealer, another program like Process Explorer or Autoruns can catch those threats.
While Russinovich focused his discussion on Sysinternals' tools, there are other antirootkit tools available, like F-Secure's Blacklight.
David Nielson is the Assistant Editor of SearchWindowsSecurity.com.
Be sure to listen to next week's podcast interview with Mark Russinovich, where he will give his opinions on Microsoft security, Vista and rootkits.