MalwareInfo.Org Boot Camp Tutorial (Part 2)

Written by ~MaliciousBrains~


 


Malicious software can fairly be called the greatest threat to Internet security today. Earlier, viruses were more or less the only form of Malware. Nowadays the threat has grown to include a vast range of highly sophisticated programs: network-aware worms, Trojans, DDoS agents, IRC-controlled bots, spyware, rootkits and many more, and malicious agents now use many advanced mechanisms and techniques of infection.

 

Traditionally, Malware analysis has been considered very complicated, and in fact some of the techniques and methodologies involved are very complicated and well beyond a normal user's access or understanding. In today's scenario, however, there is a clear need for people to learn how to analyze Malware themselves, and the most important factor is that the analysis techniques be simplified enough that even the average computer user can understand them. Unfortunately, information on Malware analysis techniques is either too complicated for the average user to understand or scattered and out of reach of normal users.

 

Here at MalwareInfo.Org we try to fill this gap and to make the material easy and simple enough for the average user to understand. After going through this Boot Camp Tutorial, it is recommended that you join the Malware Analysis Forum for hands-on training.

 

Join the Malware Analysis Forum and fight back against the menace of Malware.

   
How to identify the malicious binary? Part 2

 

Before we proceed to hunt the bad stuff from the system, please read this section carefully.

 

The most important thing to remember is that you are dealing with the operating system, so don't jump into your System folder and start deleting things without knowing the pros and cons of your action. It has been observed that as soon as people suspect trouble, they jump into the System folders and start deleting stuff without properly understanding what they are deleting and why. If you don't want to wreck your system and leave it unbootable, avoid acting like a maniac the moment you are in a troubleshooting frenzy.

 

Second, for the worst-case scenario, it is always important to have a backup plan. System Restore (in Windows XP) can safely return you to the point just before the trouble started. It is recommended that before you start troubleshooting you create a fresh Restore Point: click Start, Programs/All Programs in XP, Accessories, System Tools, System Restore, select Create a restore point, and step through the wizard. I also suggest saving your most important data files on another drive or a removable storage device.

 

You may also need to make your system files visible. To do so, open Explorer or any folder window and click Tools, Folder Options, View. Click Show hidden files and folders, and make sure that both 'Hide extensions for known file types' and 'Hide protected operating system files (Recommended)' are unchecked. Click Yes if you see any Windows warnings. At times, certain Malware disables Folder Options or may not let you toggle between the Show Hidden Files and Hide Hidden Files options. We will deal with those scenarios later.

 

Also, before we get our hands dirty with the blood of the Malware, run your antivirus or antispyware software and delete all the detected threats. Most of the time they do the dirty work and clean up this bad stuff.

 

Uninstall any unwanted software or applications that you notice in the Add/Remove Programs window. Also, take a look at the drives and directories and delete files that you strongly believe are part of the Malware infestation. But remember, don't use this technique to remove old DLLs or system files from your system folders.


Now, to find out what programs and services are currently running on the system, we will use SysInternals Process Explorer. Windows Task Manager can't authenticate each running application, so download Process Explorer from the TechNet website.

 

 

 

When we open Process Explorer, we see not only the running processes but also a lot of other relevant and useful information, displayed in various ways, that helps us identify a process and the details about it. It shows whether a running process is packed or digitally signed by the company that created it. In the above figure you can clearly see that Process Explorer shows the company name next to the process. One more thing that makes Process Explorer one of the most important applications for Malware analysis is the option to verify the signature of a running process and identify it as a validly signed Microsoft process. Almost all of Microsoft's code is digitally signed: a hash of the image is signed with Microsoft's private key. Process Explorer checks the signature by decrypting the signed hash with the public key and by connecting to the Internet to check the Certificate Revocation List (CRL) servers (crl.microsoft.com). You can also selectively check signatures with the Verify button on the process's Image tab.

 

Malware hunting begins with identifying the process we suspect in our system. As far as our observation goes, certain characteristic features differentiate a valid process from a Malware process. Some of the common features of a malicious process are listed below:

 

. Have no icon associated or have unknown or fake icons
. Have no description or company name
. Unsigned Microsoft images
. Live in Windows/System32 directory
. Images that are packed
. Have strange URLs in their strings
. Have open TCP/IP endpoints
. Host suspicious DLLs or services

 

Process Explorer displays the processes in a parent-child relationship. The icon, description, company name and image version information are pulled from the process image. Most Malware doesn't have version information, and this is where Process Explorer can expose its attempt at cloaking.

 

Often Malware processes use randomly generated pseudo-names, but even when they use names that imitate valid Microsoft processes, it is just to elude detection. A process named Scvhost.exe, Svchostt.exe or Suchost.exe may resemble the system process Svchost.exe, but on a close look the difference becomes obvious. However, a process running with the name Svchost.exe doesn't always mean that it is a valid system process. A genuine system process will always be signed with Microsoft's private key, and Process Explorer will successfully validate that signature in its verification process. Moreover, a genuine Microsoft system process will carry a description along with the company name. But there can be Malware that pretends to be from Microsoft. For an example of this kind of Malware, you can download the Malware Example binary I have created. This example binary is completely harmless, but I suggest you read the Read Me.txt file inside the MalwareExample.zip file. You can download this file from here.

 

In the screenshot below, it can be seen that the process ms-<random number>.exe is running, and it has neither a company name nor any verification status. The absence of the verification status indicates that Process Explorer was unable to decrypt the signed hash and check it against the Certificate Revocation List (CRL) servers.

 

 

 

There are various color codes that Process Explorer uses to pass on different kinds of information about a process. Some of those are mentioned below:


. Red: the process has exited
. Green: a new process
. Blue: the process is running in the same security context as Process Explorer
. Pink: the process hosts Windows services
. Purple: the image is "packed". In the above example the process ms-<random number>.exe is packed

 

Note: Malware commonly uses packing (e.g. UPX) to make antivirus signature matching more difficult. Packing hides the strings and other information in the binary.
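As an added example (not part of the original tutorial and not a SysInternals tool), the Python script below shows what "packed" looks like from the outside: it walks a PE file's section table, measures the byte entropy of each section, looks for the section names UPX leaves behind, and pulls out printable strings and URLs (the "strange URLs in their strings" sign from the list above). The two images it inspects are built inside the script so it runs offline; their contents, the example.invalid URL and the 7.0-bit entropy threshold are my own constructions, not values from the tutorial.

```python
"""Static look at a PE image: section entropy, packer section names and
embedded strings/URLs.

Added example, not code from MalwareInfo.Org.  Real samples would be read
from disk; build_sample_pe only fills the header fields a section parser
needs and does not produce a loadable executable.
"""
import hashlib
import math
import re
import struct
from collections import Counter

ENTROPY_PACKED = 7.0          # bits per byte; compressed/encrypted data sits near 8
PACKER_PREFIXES = (b"UPX",)   # section names UPX leaves behind (UPX0, UPX1)
URL_RE = re.compile(r"(?:https?|ftp)://[\w.\-]+(?:/[^\s\"']*)?")
STRING_RE = re.compile(rb"[\x20-\x7e]{8,}")   # printable runs of 8+ bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for empty data, at most 8.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Walk the PE section table; yield (name, raw_offset, raw_size, data)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", image, coff + 2)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size                                   # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         raw_ptr, raw_size, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def inspect_image(image: bytes) -> dict:
    """Apply the packed-image and strings heuristics to one PE image."""
    report = {"sections": [], "packed": False, "strings": [], "urls": []}
    for name, _off, size, data in parse_sections(image):
        ent = shannon_entropy(data)
        report["sections"].append((name, size, round(ent, 2)))
        # UPX names its sections; any packer leaves a large high-entropy section
        if name.encode().startswith(PACKER_PREFIXES) or (size >= 256 and ent > ENTROPY_PACKED):
            report["packed"] = True
        # Packed data yields only short random-looking fragments, no real strings
        for run in STRING_RE.findall(data):
            text = run.decode("ascii")
            report["strings"].append(text)
            report["urls"].extend(URL_RE.findall(text))
    return report


def build_sample_pe(sections) -> bytes:
    """Lay out a minimal MZ + PE header and section table around the given
    (name, data) pairs.  Constructed for the demonstration only."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader=0, flags
    coff_header = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)   # raw data follows the table
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data),
                             raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return dos_header + b"PE\0\0" + coff_header + table + body


def pseudo_random_bytes(n: int, seed: bytes = b"malwareinfo-example") -> bytes:
    """Deterministic high-entropy filler standing in for packed code (constructed)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a plain build, and the kind of layout UPX produces
PLAIN_IMAGE = build_sample_pe([
    (b".text", b"\x55\x8b\xec\x83\xec\x10\x53\x56" * 128),
    (b".rdata", b"Generic Host Process for Win32 Services\0"
                b"http://update.example.invalid/cfg.dat\0"),
])
PACKED_IMAGE = build_sample_pe([
    (b"UPX0", b""),                        # UPX0 has no raw data on disk
    (b"UPX1", pseudo_random_bytes(4096)),  # compressed program: near 8 bits/byte
    (b".rsrc", b"\0" * 64),
])

if __name__ == "__main__":
    for label, image in (("plain", PLAIN_IMAGE), ("packed", PACKED_IMAGE)):
        rep = inspect_image(image)
        print(label, "packed" if rep["packed"] else "not packed", rep["sections"], rep["urls"])
```

On a real sample the entropy column alone is usually enough to separate a packed image from a normal one; the strings and URLs are what you lose when an image is packed, which is exactly why the tutorial's "strange URLs" check has to wait until after unpacking.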

 

To identify mysterious processes, examine the Description, Company Name and Command Line information for each process. You should be able to identify most of the programs associated with processes as software you installed or that came preinstalled on your system.

 

One very good feature of Process Explorer is its ToolTips. Hovering the mouse pointer over a process name shows the path from which the process is executed. Any process running from the Temp folder should raise a red flag: Spyware tends to install itself in, and run from, out-of-the-way nooks such as the Temp folder. Likewise, if a running process points to a DLL in the Temp folder, be wary. The only occasion when something should be running from the Temp folder is when you are installing an application that uses an installer program such as InstallShield. With Process Explorer you can easily identify the location a process is running from, and this comes in very handy for identifying Malware.
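The warning signs collected so far (no company name or description, an unsigned image claiming a Microsoft name, a lookalike name such as Scvhost.exe, a packed image, open TCP/IP endpoints, running from the Temp folder) can be turned into a simple scoring pass over a process inventory. The Python script below is an added example, not part of the tutorial and not something Process Explorer does itself; the process records are constructed to look like what the Process Explorer columns show, and the point weights are my own choice rather than an established scale.

```python
"""Score a process inventory against the warning signs in this tutorial.

Added example, not MalwareInfo.Org's code.  Each record mirrors what the
Process Explorer columns show (name, image path, company, description,
Verified Signer, packed highlighting, TCP/IP endpoints); the records and
the weights below are constructed for the demonstration.
"""
from dataclasses import dataclass

# Windows images that Malware likes to imitate or impersonate
KNOWN_SYSTEM_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "explorer.exe", "rundll32.exe"}
# Path fragments that a legitimately installed program almost never runs from
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")


@dataclass
class ProcessRecord:
    pid: int
    name: str
    path: str
    company: str
    description: str
    verified: bool       # Process Explorer's "Verified Signer" check succeeded
    packed: bool         # shown purple in Process Explorer
    tcp_endpoints: int   # entries on the TCP/IP tab


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, one point each.  The swap is what makes
    'scvhost.exe' a single step away from 'svchost.exe'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # adjacent transposition
    return d[len(a)][len(b)]


def triage(records):
    """Return (record, score, reasons) for every process, worst first."""
    findings = []
    for r in records:
        score, reasons = 0, []
        name, path = r.name.lower(), r.path.lower()
        if name in KNOWN_SYSTEM_IMAGES:
            # A genuine system image is always signed, so an impostor that
            # uses the exact name svchost.exe is caught by failed verification
            if not r.verified:
                score += 3
                reasons.append("claims to be a Microsoft system image but is unsigned")
        else:
            near = sorted(k for k in KNOWN_SYSTEM_IMAGES if edit_distance(name, k) <= 2)
            if near:
                score += 3
                reasons.append(f"name imitates {near[0]}")
        if not r.company:
            score += 1
            reasons.append("no company name")
        if not r.description:
            score += 1
            reasons.append("no description")
        if any(frag in path for frag in SUSPICIOUS_DIRS):
            score += 3
            reasons.append("runs from a temporary directory")
        if r.packed:
            score += 2
            reasons.append("image is packed")
        if r.tcp_endpoints and not r.verified:
            score += 1
            reasons.append(f"{r.tcp_endpoints} open TCP/IP endpoint(s) on an unverified image")
        findings.append((r, score, reasons))
    findings.sort(key=lambda f: (-f[1], f[0].pid))
    return findings


# Constructed inventory: two genuine images and three that show warning signs
SAMPLE_PROCESSES = [
    ProcessRecord(1032, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe",
                  "Microsoft Corporation", "Generic Host Process for Win32 Services", True, False, 2),
    ProcessRecord(1336, "scvhost.exe", r"C:\WINDOWS\system32\scvhost.exe", "", "", False, True, 1),
    ProcessRecord(1580, "svchost.exe", r"C:\WINDOWS\svchost.exe",
                  "Microsoft Corporation", "Generic Host Process for Win32 Services", False, False, 1),
    ProcessRecord(2044, "ms-48213.exe",
                  r"C:\Documents and Settings\User\Local Settings\Temp\ms-48213.exe", "", "", False, True, 0),
    ProcessRecord(2288, "notepad.exe", r"C:\WINDOWS\notepad.exe",
                  "Microsoft Corporation", "Notepad", True, False, 0),
]

if __name__ == "__main__":
    for rec, score, reasons in triage(SAMPLE_PROCESSES):
        print(f"{score:2d}  {rec.name:14s} PID {rec.pid:<5d} {'; '.join(reasons) or 'nothing unusual'}")
```

Note that a process is only tested for lookalike names when its name is not itself a known system image; otherwise genuine pairs such as lsass.exe and csrss.exe, which differ in two characters, would flag each other. A high score is a reason to look closer with the Properties dialog, not proof of infection.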

 

One legitimate Windows process that needs a little more investigation when found in the running-processes list is rundll32.exe. Some forms of Malware, distributed as DLL files, hide themselves by using this program as a launching pad. Because Malware so often hides behind Svchost and Rundll32, the ToolTip for a Rundll32 process shows the hosted DLL, and the ToolTip for a service process shows the hosted services.

 

When a software maker has failed to include a Description and/or Company Name for its program, you'll need to dig a little deeper. Right-click its entry in Process Explorer's list, and choose Properties.

 

 

 

The information under the Image tab will reveal a lot of details like:


. Description, Company Name, version (from .EXE) 
. Full image path where the exe of the process exists  
. Command line used to start process
. Current directory where the process is initiated
. Parent process under which the existing process is running
. User name with which the process is running
. Start time of the process
             

Malware can hide as a DLL inside a legitimate process; we have already seen this with Rundll32 and Svchost. Malware does not only load through an autostart entry, it can also load by "DLL injection". We can see which DLL files are loaded by the running processes at run time, and here too Process Explorer uses its color highlighting to show which DLL files are packed.
 

 


The DLL view can be opened by clicking the DLL icon in the toolbar. Process Explorer shows more than just loaded DLLs: it also shows the .exe and any "memory mapped files", and the Find dialog lets us search for a DLL by name. The data from the Process, DLL and Handle views can all be copied easily to the clipboard.

 

One more feature of Process Explorer that aids the task of Malware hunting is the option of finding suspicious network endpoints, as in TCPView: look at the TCP/IP tab of each process. This view also uses refresh highlighting, and it gives us the option to close a connection.

 

 

 

Before we proceed to identify a Malware infection hands on, let me recommend a few do's and don'ts.

When you identify a Malware process, don't kill or stop it until you are sure there are no watchdog processes. A watchdog is a sub-process associated with the Malware that keeps track of the main process. These days most Malware processes are accompanied by such watchdogs, which restart the main process when it is stopped or killed. Instead of killing it straight away, suspend it. Suspending a process puts it to sleep: it stays loaded in memory but is inactive, and if the Malware authors were not very clever, their watchdogs only check that the process exists, not its state. Note that suspending Svchost processes may hang the system. Once the actual process has been suspended and all the sub-processes or watchdogs have been identified, put them to sleep as well, then trace the file paths of the exe or dll files they run from. Only after all of them are suspended, kill them and delete (or archive for later analysis) the associated exe or dll files.
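The suspend-first procedure above is easy to get wrong by hand when a Malware drops several components, so here is an added example (not the tutorial's and not a Process Explorer feature) that plans it from a snapshot of the process tree: it groups the suspect with its child processes and with anything else launched from the same drop directory, then orders the steps so that everything is suspended before anything is killed. The snapshot, the critical-image list and the same-directory heuristic are my own assumptions; the plan is meant to be carried out in Process Explorer (right-click, Suspend, then Kill Process) or an equivalent tool.

```python
"""Plan the suspend-first containment the tutorial recommends.

Added example, not MalwareInfo.Org's code.  From a process-tree snapshot it
works out which processes must be put to sleep together (the suspect, its
descendants, and anything else running from the same drop directory) before
any of them is killed, so a watchdog cannot restart the main process.
The snapshot below is constructed; nothing here touches live processes.
"""
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Suspending these can hang Windows; the tutorial warns about Svchost in particular
CRITICAL_IMAGES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe"}
# Shared system directories: living there does not make two processes related
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


def related_processes(procs, suspect_pid):
    """Return the set of PIDs that must be suspended together with the suspect."""
    by_pid = {p.pid: p for p in procs}
    children = defaultdict(list)
    for p in procs:
        children[p.ppid].append(p.pid)
    suspect = by_pid[suspect_pid]
    home = ntpath.dirname(suspect.path).lower()

    # Seed with the suspect plus every other process dropped in the same
    # directory (heuristic: watchdogs are usually unpacked beside the main
    # binary), unless that directory is a shared Windows directory.
    seeds = [suspect_pid]
    if home not in SYSTEM_DIRS:
        seeds += [p.pid for p in procs
                  if p.pid != suspect_pid and ntpath.dirname(p.path).lower() == home]

    # Then walk down the tree: children of a suspect are suspects too.
    group, stack = set(), list(seeds)
    while stack:
        pid = stack.pop()
        if pid in group:
            continue
        group.add(pid)
        stack.extend(children[pid])
    return group


def plan_containment(procs, suspect_pid):
    """Order the actions: suspend everything first, kill only afterwards,
    then quarantine (archive rather than just delete) each image file."""
    by_pid = {p.pid: p for p in procs}
    group = sorted(related_processes(procs, suspect_pid),
                   key=lambda pid: (pid != suspect_pid, pid))   # suspect first
    warnings = [f"{by_pid[pid].name} (PID {pid}) is a critical system process; "
                "suspending it may hang the system"
                for pid in group if by_pid[pid].name.lower() in CRITICAL_IMAGES]
    return {
        "suspend": [(pid, by_pid[pid].name) for pid in group],
        "kill": [(pid, by_pid[pid].name) for pid in group],
        "quarantine": sorted({by_pid[pid].path for pid in group}),
        "warnings": warnings,
    }


# Constructed snapshot: a dropper in Temp with a watchdog child and a sibling
SNAPSHOT = [
    Proc(700, 4, "services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(1032, 700, "svchost.exe", r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1500, 1200, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    Proc(2044, 1500, "ms-48213.exe", r"C:\Documents and Settings\User\Local Settings\Temp\ms-48213.exe"),
    Proc(2100, 2044, "wd.exe", r"C:\Documents and Settings\User\Local Settings\Temp\wd.exe"),
    Proc(2300, 1500, "msupd.exe", r"C:\Documents and Settings\User\Local Settings\Temp\msupd.exe"),
    Proc(2288, 1500, "notepad.exe", r"C:\WINDOWS\notepad.exe"),
]

if __name__ == "__main__":
    for step, items in plan_containment(SNAPSHOT, 2044).items():
        print(f"{step:10s} {items}")
```

The "warnings" entry is the code's version of the tutorial's caveat: if the group you are about to suspend contains Svchost or another critical image, stop and identify the hosted DLL or service first rather than suspending the whole host process.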

 

If you suspect that a DLL might be malicious, the first place to check is Microsoft's DLL Help Database, which lets you search for information about a DLL by name. If you suspect a file may be connected to Spyware, search for it in Computer Associates' Spyware Information Center or the CastleCops archives, or simply Google it. Another great resource is the Pest Encyclopedia at the PestPatrol Center for Pest Research, which provides information about more than 27,000 forms of Malware. You can even search the Malware Analysis Forum for the file's MD5; I may already have added an analysis report for that Malware file.

 

If I can't tell whether a file is legitimate, tools such as WinPatrol and Uniblue's WinTasks 5 Professional offer insight into whether a program or DLL is Malware. Both offer an online database containing information about thousands of DLLs and applications you might encounter.

 

The more you find out about a file before you search online, the less likely it is that you'll kill a legitimate program or dll or mess up your system.

 

However, certain types of Malware are more dangerous or elusive: rootkits. There are different types, such as kernel-mode and user-mode rootkits. Rootkit techniques permit malicious hackers to hide their tracks (and files) on an infected system. Several available programs can help you spot, and in some cases remove, these dangerous rootkit files, but if you encounter such Malware it is recommended that you report it via the links below:

 

To report URLs from which such Malware is downloaded, use: http://report.malwareinfo.org

To submit the actual Malware files (zipped), use: http://www.malwareinfo.org/submit.html

 

We will analyze the Malware and send you back the analysis report and the removal procedure.

 

We will discuss the following three applications later, in separate sections:

 

. SysInternals AutoRuns
. SysInternals FileMon
. SysInternals RegMon