Manual Removal of Malware

So, I am sure most of you have been there. You just downloaded this great little free app from freeware heaven, clicked “Next” through the endless series of disclaimers and dubious EULAs, and have now watched the progress bar hit 100 per cent.

You fire up the new program and notice that it has launched IE at the same time and taken you to a page telling you that your system is infected. Damn, damn, double damn… haven’t I been down this road before?

Well, at least it didn’t lie. Your machine truly is infected and the longer it stays this way, the worse off you’ll be.

Malware is more than a nuisance though; it is an honest-to-god security threat and any real computer professional will give this class of software the prudent respect it deserves. Malware costs the world billions of dollars in lost productivity and is responsible for an unimaginable amount of identity theft and fraud. You may be inclined to chuckle at the colourful new icon that has been magically installed in your system tray, but this truly is no laughing matter.

Luckily, there are a ton of good tools out there that deal with malware reasonably well and are freely available. This article isn’t about recommending any of them (although I will plug an excellent product called ComboFix, recommended to me by Kevin, one of my co-workers); rather, it is for the unfortunate souls who have already run such a program only to find that their malware is still alive and well.

So, where do we start? Sometimes malware can be ridiculously easy to spot. Simply opening Task Manager will show you a process that you know shouldn’t be there and let you terminate it and remove the file. Then opening MSCONFIG and disabling or deleting the startup item stops it from ever coming back. Great! But that does sound too easy, doesn’t it?

Modern malware almost never lends itself to easy removal, and if it did, that nifty little program you downloaded to cleanse your system would have caught it anyway. Malware nowadays usually consists of several cooperating processes that watch each other: terminate one and another fires it right back up. This is a cat-and-mouse game that you will not win using the standard Windows management tools.

What I recommend doing is downloading Process Explorer from Sysinternals. This tool will be invaluable in your fight against rogue software and will give you the weapons you need to be victorious. It is a free download from Microsoft’s Sysinternals site.

Open Process Explorer and you will be privy to all sorts of system information that Task Manager doesn’t show (although the Windows 7 Task Manager is greatly improved).

Now look for processes that look out of place. Watch how your system behaves and look for processes that suddenly appear in the list when the malware itself executes. By default, Process Explorer highlights newly started processes in green (and exiting ones in red) for about a second, so they are easy to catch; Options > Difference Highlight Duration lengthens that window if you need more time to read the list.

Now, when you find something unusual, double-click the process and go to the Strings tab. Look for things such as .com, since most malware is designed to connect to a website to exfiltrate information or redirect your browsing in some way. If the strings from the file look like gibberish, switch the tab from Image to Memory: packed or encrypted executables only reveal their strings once they are running. Use your best judgement; plenty of legitimate software embeds URLs, but if the strings point to www.blackhathackerz.com that is a fair clue that this file should not be there.


Once you have found your suspect executable, do not kill it yet. Instead, right-click it and choose Suspend. The program stays loaded in memory, just frozen, so the other parts of the malware still see it as running and do not restart it, and a suspended watchdog cannot restart anything itself. Go through and suspend every suspect process that appears. Then, once you are sure you have got them all, terminate them (but first note where each one lives on disk: the path is on the Image tab of the process properties in Process Explorer, and you will need it for the cleanup below).

Now go through and delete the files from disk and clean up any registry entries the product has made. Use msconfig to disable any remaining startup entries; Autoruns, also from Sysinternals, covers far more autostart locations (services, scheduled tasks, Winlogon, shell extensions) than msconfig does. Always export the registry keys you are about to modify (File > Export in regedit) and keep the copy safe before changing anything.
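The suspend-everything-first, then terminate sequence from the steps above, scripted as an added example (this is not code from the original post). It runs elevated in Windows PowerShell. The names in $Suspects are placeholders standing in for whatever you identified in Process Explorer, not known malware names; NtSuspendProcess is an undocumented ntdll export, which is what Process Explorer’s own Suspend command uses.

```powershell
# Added example, not from the original post. Run elevated.
# $Suspects holds placeholder names: substitute the processes you identified.
$Suspects = @('badupdater', 'updhelper')

# NtSuspendProcess: undocumented ntdll export used by Process Explorer's Suspend.
Add-Type -Namespace Win32 -Name Ntdll -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(System.IntPtr hProcess);
'@

function Get-SuspectProcess {
    param([string[]]$Names)
    foreach ($n in $Names) {
        Get-Process -Name $n -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Name    = $_.ProcessName
                Id      = $_.Id
                Path    = $_.Path          # same value as the Image tab in Process Explorer
                Company = $_.Company
            }
        }
    }
}

# Crude equivalent of the Strings tab (Image view): printable ASCII and UTF-16LE
# runs of at least $MinLength characters, pulled straight from the file bytes.
function Get-FileStrings {
    param([string]$Path, [int]$MinLength = 6)
    $bytes = [IO.File]::ReadAllBytes($Path)
    $latin = [Text.Encoding]::GetEncoding(28591).GetString($bytes)   # 1:1 byte-to-char mapping
    [regex]::Matches($latin, "[\x20-\x7e]{$MinLength,}") | ForEach-Object { $_.Value }
    [regex]::Matches($latin, "(?:[\x20-\x7e]\x00){$MinLength,}") |
        ForEach-Object { $_.Value -replace "\x00", '' }
}

function Suspend-ProcessById {
    param([int]$Id)
    $proc = Get-Process -Id $Id             # .Handle is opened with full access when elevated
    $status = [Win32.Ntdll]::NtSuspendProcess($proc.Handle)
    if ($status -ne 0) { throw ('NtSuspendProcess failed for PID {0}: NTSTATUS 0x{1:X8}' -f $Id, $status) }
}

$found = @(Get-SuspectProcess -Names $Suspects)
if ($found.Count -eq 0) { Write-Host 'No suspect processes running.'; return }

# 1. Record the paths before anything dies; you need them for the file cleanup.
$found | Format-Table -AutoSize | Out-String | Write-Host

# 2. Look for URLs and hostnames in each image, as you would on the Strings tab.
foreach ($f in $found) {
    if (-not $f.Path) { continue }
    Get-FileStrings -Path $f.Path |
        Where-Object { $_ -match '(?i)https?://|\.(com|net|org|info|ru|cn)\b' } |
        Select-Object -First 20 |
        ForEach-Object { Write-Host "  [$($f.Name)] $_" }
}

# 3. Suspend every suspect BEFORE terminating any: a frozen watchdog cannot
#    respawn its partner, and the partner still sees it as running.
foreach ($f in $found) { Suspend-ProcessById -Id $f.Id }

# 4. Only now terminate them all (TerminateProcess works on suspended processes).
foreach ($f in $found) { Stop-Process -Id $f.Id -Force }

# 5. Find Run/RunOnce entries that point at the recorded paths. Export the key
#    (reg export) before deleting anything it lists.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }       # provider metadata, not an autostart entry
        foreach ($f in $found) {
            if ($f.Path -and "$($p.Value)" -like "*$($f.Path)*") {
                Write-Host "AUTOSTART  $k\$($p.Name) = $($p.Value)"
            }
        }
    }
}
```

The Run keys checked in step 5 are only the most common autostart locations; services, scheduled tasks and the other places Autoruns lists still have to be reviewed by hand.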

Manually removing malware doesn’t have to be painful. Nevertheless, some malware is going to take a lot of work on your part to track down, but you will find that in time you become more proficient at it and can clean machines up very quickly.

Last piece of advice, however. If you find yourself dealing with a rootkit, please disregard everything you have learned here today. There is no way to trust a machine once a rootkit has been on it, because the very tools you would use to inspect it are what the rootkit subverts; your best bet is to wipe the disk and reinstall Windows from known-good media.

I hope that this little tutorial helps!

Cheers.

Understanding Disks and Disk Management

Well, today’s post isn’t a fix per se. It isn’t even a tutorial, but I think that the information contained herein is invaluable for understanding disks and troubleshooting disk management issues.

A lot of us have a fairly rudimentary understanding of how disks and volumes are managed in Windows. Most of it comes from the overly simplistic, dumbed-down models we are given when studying for the A+ designation, or it is an understanding we gained long ago when FAT32 was the predominant file system in use.

A lot has changed since then, and I want to take you on the journey to understanding what is actually happening behind the Disk Management MMC.

So let’s begin at the root of disk management in modern versions of Windows. That swanky MMC snap-in that we all know is loaded from a Windows DLL named dmdskmgr.dll. What it does is simple. When it is loaded it scans the disks attached to the system looking for an LDM (Logical Disk Manager) database. For disks that belong to the local computer it simply reports the volumes that are present; if it finds an LDM database written by a foreign computer, it runs its import logic, which copies the foreign LDM database into dmdskmgr.dll’s in-memory copy of the database. Should you choose to import the disk, the snap-in is essentially committing that database write to the foreign disk, and the write is actually carried out by a kernel-mode component, volmgrx.sys. Volmgrx.sys is the real workhorse behind dmdskmgr.dll, since it controls access to the disk objects, including the LDM database itself and the volumes it describes. On an MBR disk the database is easy to locate: converting the disk to dynamic replaces the partition entries with a single entry of type 0x42, and the LDM database is stored in the last 1 MB of the disk.


Understanding this process alone goes a long way toward troubleshooting why a disk might not be recognised or importable. While entirely outside the scope of this article, one could actually write a tool to manipulate the LDM database itself and fix issues on a disk at a very low level.

Now, how does volmgrx.sys actually work? This is fairly straightforward in most cases. Every partition entry on a disk records a disk-relative offset: the number of sectors from the start of the disk to the start of that partition. An I/O request to a volume carries a volume-relative offset, the position within the volume. The job of volmgrx.sys is to add the volume-relative offset to the disk-relative offset of the partition (or extent) it falls in and hand the I/O to the disk driver at the resulting disk address; the file system above it never needs to know where on the physical disk the volume lives.
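To make the offsets concrete, here is an added example (written for this page; it is not code from the original post or from Windows Internals) that parses an MBR partition table, turns each entry’s sector-relative start into the disk-relative byte offset the volume manager adds volume-relative offsets to, and flags the 0x42 type that marks a disk as LDM-managed. The sample sector is constructed in the script; Read-MbrFromDevice reads a real one and needs an elevated prompt.

```powershell
# Added example, not from the original post. Parses the four 16-byte MBR entries
# at offset 0x1BE and reports disk-relative offsets in sectors and bytes.

function ConvertFrom-Mbr {
    param([byte[]]$Sector, [int]$BytesPerSector = 512)
    if ($Sector.Length -lt 512) { throw 'Need at least 512 bytes' }
    if ($Sector[510] -ne 0x55 -or $Sector[511] -ne 0xAA) { throw 'Missing 0x55AA boot signature' }
    $typeNames = @{ 0x07 = 'NTFS/exFAT (basic)'; 0x0B = 'FAT32'; 0x0C = 'FAT32 (LBA)'
                    0x42 = 'LDM dynamic disk'; 0xEE = 'GPT protective' }
    for ($i = 0; $i -lt 4; $i++) {
        $e    = 0x1BE + 16 * $i                  # entry offset within the sector
        $type = [int]$Sector[$e + 4]
        if ($type -eq 0) { continue }            # unused slot
        $startLba = [BitConverter]::ToUInt32($Sector, $e + 8)   # little-endian start LBA
        $count    = [BitConverter]::ToUInt32($Sector, $e + 12)  # sector count
        [pscustomobject]@{
            Entry           = $i
            Bootable        = ($Sector[$e] -eq 0x80)
            Type            = ('0x{0:X2} {1}' -f $type, $typeNames[$type])
            StartSector     = $startLba                          # disk-relative, in sectors
            SectorCount     = $count
            DiskOffsetBytes = [uint64]$startLba * $BytesPerSector
            SizeBytes       = [uint64]$count * $BytesPerSector
            IsDynamic       = ($type -eq 0x42)
        }
    }
}

function New-SampleMbr {
    param([switch]$Dynamic)
    # Constructed 512-byte sector for illustration. Basic disk: one bootable NTFS
    # partition at sector 2048 (1 MiB aligned). Dynamic disk: a single 0x42 entry
    # covering the disk, which is all the MBR shows once LDM owns the layout.
    $s = New-Object byte[] 512
    $s[510] = 0x55; $s[511] = 0xAA
    $e = 0x1BE
    if ($Dynamic) { $s[$e + 4] = 0x42; $start = 63;   $count = 41943040 - 63 }
    else          { $s[$e] = 0x80; $s[$e + 4] = 0x07; $start = 2048; $count = 41943040 - 2048 }
    [BitConverter]::GetBytes([uint32]$start).CopyTo($s, $e + 8)
    [BitConverter]::GetBytes([uint32]$count).CopyTo($s, $e + 12)
    return ,$s
}

function Read-MbrFromDevice {
    param([string]$Device = '\\.\PhysicalDrive0')    # requires elevation
    $fs = New-Object IO.FileStream($Device, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 512
        [void]$fs.Read($buf, 0, 512)
        return ,$buf
    } finally { $fs.Dispose() }
}

# Usage:
ConvertFrom-Mbr -Sector (New-SampleMbr) | Format-Table -AutoSize
ConvertFrom-Mbr -Sector (New-SampleMbr -Dynamic) | Format-Table -AutoSize
# ConvertFrom-Mbr -Sector (Read-MbrFromDevice) | Format-Table -AutoSize
```

A disk whose MBR shows a 0x42 entry but whose last megabyte holds no readable LDM database is the classic case of a dynamic disk that Disk Management cannot import; the parser tells you which of the two halves of that picture you are looking at.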

On a multi-partition disk setup using spanned, mirrored, or some other flavour of RAID, this naturally becomes more complex: a volume-relative offset must first be matched to the extent it falls in, and for a mirror the same write goes to both halves. The extents themselves are described by the LDM database; NTFS is what makes such volumes usable and extendable.

NTFS tracks cluster allocation in a bitmap file ($Bitmap) that can be grown at will. When a volume is extended onto a new extent, NTFS simply enlarges the bitmap to cover the new clusters, so to the operating system the drive still looks like one ordinary, larger drive; volmgrx.sys, for its part, needs only the extent list from the LDM database to know where each piece of the volume begins and ends. In the days of FAT this was not possible, because FAT’s allocation table is a fixed-size structure at the front of the partition that cannot be grown in place without moving everything after it. From then on NTFS keeps consulting its bitmap to find free clusters and writes to them as necessary, wherever on the spanned volume they happen to be.

This process is virtually identical for all of the multi-partition volume types; for striped volumes the volume manager also has to map each stripe-sized chunk to its disk, and for RAID-5 volumes the parity stripe is rotated across the drives as well.

One last area that I would like to touch on is mirrored volumes. Some people have asked me why Windows cannot boot from spanned drives, RAID-5 arrays, etc., yet can boot from a mirrored volume, which is also a multi-partition volume. The answer is simple. The boot code knows nothing about dynamic volumes; it can only read a plain, contiguous partition on one disk. Each half of a mirror is exactly that, so the machine boots from the half marked as the boot volume as if it were a basic partition, and volmgrx.sys takes over the mirroring once the kernel is running. A spanned, striped or RAID-5 volume has no single partition that holds a complete copy of the data, so nothing can be read from it until the volume manager has assembled it.

Anyway, I hope this goes a long way toward helping you understand at a deeper level how Windows manages disks. I also want to give proper credit to Mark Russinovich et al. for the inspiration to write this article. Most of the material comes from his Windows Internals, fifth edition, and I highly recommend this book for anyone who wants to understand Windows at an engineering level.

Cheers.

IE8 Security Warning – HTTP/HTTPS

The more I use it, the more I love it. IE8 is actually a great product and I truly believe Microsoft got a lot of things right in this edition. Sure, there are still things that could have been done differently, but can’t that be said about Firefox and Chrome too?

Nonetheless, there is one pop-up in particular that does drive me insane. The infamous “Do you want to view only the webpage content that was delivered securely?” security dialogue is almost enough to make me want to buy a Mac (… just kidding. Macs, are they for me?)


This issue is not new to IE8, but the wording has changed, and people now have to click “No” where they would have clicked “Yes” in the past. Given the natural tendency of end users never to read anything that suddenly pops up and just click “Yes”, a lot of websites are not going to render properly after IE has inadvertently been told not to display the insecure content.

Let’s be clear about one thing, though: this is not Microsoft’s fault. Web designers should only deliver secure content on secure web pages. This is really just common sense: a script or frame fetched over plain HTTP into an HTTPS page can be read and modified by anyone on the network path, and once it is in the page it has the same access to the page as the legitimate content, so the padlock no longer means what the user thinks it means.

Anyway, luckily, getting rid of the dialogue is really easy, and for the average everyday web surfer the security impact is probably tolerable. Be clear about what you are trading, though: the setting below tells IE to load mixed content silently rather than ask, so any insecure element an HTTPS page includes will load without warning from then on.

Simply go to:

  • Tools -> Internet Options
  • Select the ‘Security’ tab
  • Click the ‘Custom level…’ button
  • In the ‘Miscellaneous’ section, change “Display mixed content” to Enable

Voilà, the annoying pop-up has magically disappeared.

Enjoy your new browsing experience.
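The same setting, read and written through the registry value that the Custom Level dialogue edits, as an added example (not code from the original post): value 1609 under the zone key is “Display mixed content”, with 0 = Enable, 1 = Prompt and 3 = Disable, and zone 3 is the Internet zone. It assumes no domain policy is pinning the zone settings to HKLM (Security_HKLM_only); if one is, these per-user values are ignored.

```powershell
# Added example, not from the original post. Reads and sets IE's
# "Display mixed content" setting (registry value 1609) for a security zone.
$IEZoneRoot        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$MixedContentValue = '1609'     # 0 = Enable, 1 = Prompt, 3 = Disable

function Get-IEMixedContentPolicy {
    param([int]$Zone = 3)       # 3 = Internet zone
    $key = Join-Path $IEZoneRoot $Zone
    $v = (Get-ItemProperty -Path $key -Name $MixedContentValue -ErrorAction SilentlyContinue).$MixedContentValue
    if ($null -eq $v) { return 'Not set (zone default applies)' }
    switch ([int]$v) {
        0       { 'Enable  (HTTP content inside HTTPS pages loads silently)' }
        1       { 'Prompt  (the dialogue discussed above)' }
        3       { 'Disable (HTTP content inside HTTPS pages is dropped silently)' }
        default { "Unknown value $v" }
    }
}

function Set-IEMixedContentPolicy {
    param([ValidateSet('Enable', 'Prompt', 'Disable')][string]$Mode, [int]$Zone = 3)
    $key   = Join-Path $IEZoneRoot $Zone
    $value = @{ Enable = 0; Prompt = 1; Disable = 3 }[$Mode]
    Set-ItemProperty -Path $key -Name $MixedContentValue -Value $value -Type DWord
}

# What the post does (weak: any HTTP script an HTTPS page pulls in runs unchallenged):
# Set-IEMixedContentPolicy -Mode Enable
# What a hardened build does (no prompt either, but the insecure parts are dropped):
# Set-IEMixedContentPolicy -Mode Disable
Get-IEMixedContentPolicy
```

Both choices silence the dialogue; the difference is whether the insecure content wins or the page’s TLS guarantee does, and Disable is the one to push by policy on machines you are responsible for.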

Add Printer to All Profiles – Server 2008 Terminal Server

Profiles under Terminal Services can be really messy and problematic. Over the years, IT administrators have come up with various workarounds for profile issues under Windows Server 2003 Terminal Services.

Server 2008, unfortunately, brings a few new challenges. I recently ran into one of these when I was asked to add a printer under a user’s profile to which I had no access. Naturally, I just assumed that the old trick of making a shared network printer appear local would work. It doesn’t.

Server 2008’s Add Printer dialogue is very different from Server 2003’s, and many of the options that were available in 2003 are notably absent in 2008. Hmm… so how should I deal with this?

I could just add it to the login script, but this user only wants this printer to appear in this profile on the terminal server… so that’s not going to work. I thought about the issue for a while and then I remembered an old shell command that I had once used under XP to add a printer to all profiles at once.

So, I fired up the command prompt, put in the command and, much to my delight, it worked.

Here it is…

Rundll32 printui.dll,PrintUIEntry /ga /c\\localcomputername /n\\servername\printername

(/ga adds a per-machine printer connection, /c names the computer to add it on, and /n is the printer’s UNC path. The connection becomes visible to each user at their next logon; /gd with the same arguments removes it again.)
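The one-liner wrapped so it can be run for several printers and then verified, as an added example that is not part of the original post. Per-machine connections created with /ga are recorded under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Connections, one subkey per printer; the value names read below (Printer, Server) are the ones PrintUI writes there and are assumed rather than taken from documentation. The printer UNC in the usage lines is a placeholder.

```powershell
# Added example, not from the original post. Run elevated on the terminal server.

function Add-PerMachinePrinterConnection {
    param([Parameter(Mandatory)][string]$PrinterUnc,           # \\printserver\printername
          [string]$Computer = $env:COMPUTERNAME)
    # /ga add per-machine connection, /c target computer, /n printer UNC path
    $argList = "printui.dll,PrintUIEntry /ga /c\\$Computer /n$PrinterUnc"
    Start-Process -FilePath rundll32.exe -ArgumentList $argList -Wait -NoNewWindow
}

function Remove-PerMachinePrinterConnection {
    param([Parameter(Mandatory)][string]$PrinterUnc,
          [string]$Computer = $env:COMPUTERNAME)
    $argList = "printui.dll,PrintUIEntry /gd /c\\$Computer /n$PrinterUnc"    # /gd = delete
    Start-Process -FilePath rundll32.exe -ArgumentList $argList -Wait -NoNewWindow
}

function Get-PerMachinePrinterConnection {
    # Each per-machine connection is a subkey here; Printer/Server value names assumed.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Connections'
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Connection = $_.PSChildName; Printer = $p.Printer; Server = $p.Server }
    }
}

# Usage (placeholder printer path):
# Add-PerMachinePrinterConnection -PrinterUnc '\\printserver\Accounting-HP'
# Get-PerMachinePrinterConnection
# Remove-PerMachinePrinterConnection -PrinterUnc '\\printserver\Accounting-HP'
```

Checking the Connections key is the reliable way to confirm the command took, since rundll32 gives no useful exit status and the printer itself only shows up in each profile at that user’s next logon.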

The solution is wonderfully simple and can be executed with very little effort – this is exactly what Slick IT should be.

Windows 7 Installation - Versions

It has been an exciting week for all computer aficionados – Windows 7 RTM hit MSDN and TechNet and the frenzy has begun.

However, there is one little catch to all of this. A lot of people have pre-ordered Windows 7 and are ready to install the MSDN/TechNet editions but have not thought about versioning.

Contrary to popular belief, Windows 7 is NOT the same as Vista in the install phase, and you will have to decide beforehand which edition you want, or make a modification to the install media to be able to select your flavour during setup. Every Windows 7 download carries the same install image with every edition in it, but each download is labelled with, and locked to, the edition it will automatically install. Windows 7, unlike Vista, does NOT offer a choice of edition during setup.

But there is a workaround. If you are not sure which edition you have, or it is the wrong one, open up the files, go to the sources directory and find a file called ei.cfg. This is the file that tells setup which edition to install automatically. Simply deleting this file makes setup present a list of editions for you to choose from.


You could easily edit this file as well. It is plain text: an [EditionID] section header followed, on the next line, by the edition name. Just change that name to one of Starter, HomeBasic, HomePremium, Professional or Ultimate (the identifier setup expects for the Basic edition is HomeBasic). Just deleting the file is probably the easiest, though.


When you finally do receive your pre-ordered key, simply install it with the slmgr.vbs script (slmgr.vbs /ipk followed by your key, then slmgr.vbs /ato to activate), as also referenced in this blog.
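An added example (not code from the original post) that reads, rewrites or removes sources\ei.cfg on a writable copy of the media. The file has three sections, [EditionID] (the edition setup installs), [Channel] (Retail or OEM) and [VL] (1 for volume-licence media, otherwise 0), each followed by its value on the next line; the path C:\win7 in the usage lines is a placeholder for wherever you extracted the ISO.

```powershell
# Added example, not from the original post. Manage sources\ei.cfg on a copy of
# the Windows 7 install media. EditionID strings setup accepts are listed below.
$Editions = 'Starter', 'HomeBasic', 'HomePremium', 'Professional', 'Ultimate'

function Get-InstallEdition {
    param([string]$MediaRoot)
    $cfg = Join-Path $MediaRoot 'sources\ei.cfg'
    if (-not (Test-Path $cfg)) { return 'no ei.cfg: setup will ask which edition to install' }
    # Section name on one line, its value on the next; collect each pair.
    $lines  = @(Get-Content $cfg | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $result = @{}
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match '^\[(\w+)\]$') { $result[$Matches[1]] = $lines[$i + 1] }
    }
    return $result
}

function Set-InstallEdition {
    param([string]$MediaRoot, [string]$Edition, [string]$Channel = 'Retail', [int]$VolumeLicence = 0)
    if ($Editions -notcontains $Edition) {
        throw "Unknown edition '$Edition'; use one of: $($Editions -join ', ')"
    }
    $cfg = Join-Path $MediaRoot 'sources\ei.cfg'
    $content = "[EditionID]`r`n$Edition`r`n[Channel]`r`n$Channel`r`n[VL]`r`n$VolumeLicence`r`n"
    [IO.File]::WriteAllText($cfg, $content, [Text.Encoding]::ASCII)
}

function Remove-InstallEdition {
    param([string]$MediaRoot)
    # With no ei.cfg, setup shows the edition picker instead of installing one edition.
    Remove-Item (Join-Path $MediaRoot 'sources\ei.cfg') -ErrorAction SilentlyContinue
}

# Usage (C:\win7 is a placeholder for the extracted media):
# Get-InstallEdition -MediaRoot C:\win7
# Set-InstallEdition -MediaRoot C:\win7 -Edition HomePremium
# Remove-InstallEdition -MediaRoot C:\win7
```

Rewriting the file is the option to prefer when you are building unattended media and want setup to pick the edition without a prompt; deleting it is the option for a one-off install where you would rather choose on screen.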

Enjoy your new Win 7 installation.

The Time is 1234567890 – again!

Earlier this year the time was 1234567890, if you’re a computer counting seconds since the Unix epoch, that is (it was 23:31:30 UTC on Friday, 13 February 2009). If you happen to be a real person, though, that particular moment passed without too much interest. Well, here’s your chance to get even. As I post this, the time is 12:34:56 07/08/09.

By the way, you DO know the correct day / month / year ordering for your country, right? Yes, there is indeed a format officially recognized as correct, but unfortunately it changes by country. The United States uses M/d/yyyy, while Canada and the UK use dd/MM/yyyy (much more logical!). For your country, just go to Region and Language in Control Panel, choose a country, and note the short date format. If you’re trying to avoid confusion, though, you’d be best to use yyyy-MM-dd as your format. If anyone gives you any grief, just mention that you feel it’s very important to follow the recommendations put forth by the International Organization for Standardization and you are doing your best to follow ISO 8601 (which is exactly that: four-digit year, month, day, separated by hyphens). By the way, this is often a great choice for giving dates as strings to computer programs: it sorts correctly as plain text and, where supported, is parsed far more reliably than anything else.
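Both points in code, as an added example that is not part of the original post: the Unix timestamp converted to and from a DateTime, and the digits 07/08/09 parsed under two cultures against the unambiguous ISO 8601 form. The culture names are standard .NET ones; nothing else is assumed.

```powershell
# Added example, not from the original post.

function ConvertFrom-UnixTime {
    param([long]$Seconds)
    $epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $epoch.AddSeconds($Seconds)              # a UTC DateTime
}

function ConvertTo-UnixTime {
    param([datetime]$Date)
    $epoch = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    [long]($Date.ToUniversalTime() - $epoch).TotalSeconds
}

# The same short date means different days depending on who is reading it.
function Parse-ShortDate {
    param([string]$Text, [string]$CultureName)
    [datetime]::Parse($Text, [cultureinfo]::GetCultureInfo($CultureName))
}

# ISO 8601 (yyyy-MM-dd) with an explicit format and the invariant culture: no
# guessing, and a malformed string throws instead of quietly becoming another day.
function Parse-IsoDate {
    param([string]$Text)
    [datetime]::ParseExact($Text, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
}

ConvertFrom-UnixTime 1234567890
ConvertTo-UnixTime (ConvertFrom-UnixTime 1234567890)
(Parse-ShortDate '07/08/09' 'en-US').ToString('yyyy-MM-dd')
(Parse-ShortDate '07/08/09' 'en-GB').ToString('yyyy-MM-dd')
([datetime]'07/08/09').ToString('yyyy-MM-dd')    # PowerShell's cast ignores the user's culture
(Parse-IsoDate '2009-08-07').ToString('s')       # the sortable round-trip form
Get-Date -Format 's'
```

Run it and the en-US parse comes back as 8 July 2009 while en-GB gives 7 August 2009, which is the whole argument for ISO 8601 in one line; note too that PowerShell’s [datetime] cast always uses the invariant culture (month first), regardless of the regional settings, so scripts that accept dates from users should parse with an explicit format rather than a cast.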

Wish everyone would just get their act together and be consistent? You might get your wish sooner than you think! Just hang on a couple of years. Soon, it will be 11:11:11 11/11/11.


Copyright © 2010 Paul Guenette and Matthew Sleno.