Tuts 4 You

How to remove and identify virus


REAP


Hello

I have a Win 7 computer that has been infected with a brute-force password virus.

When the computer is able to connect to a DC, the computer constantly tries to determine the password for some user account that it has chosen.

I've tried scanning the computer with a number of AVs without success:

MBAM
MBAR
TDSSKiller
Gmer
Vipre

After doing some analysis on the computer I've been able to determine that the infected process on the computer is the Windows System process. I worked this out by identifying which ports the virus was using from the server logs and then using CurrPorts (from NirSoft) and Process Monitor (Sysinternals) to monitor the desktop.

I've also tried Sysmon (Sysinternals), but while Sysmon does log activity, it doesn't log the relevant virus activity.

The questions that I have:

1. If I were to replace ntoskrnl.exe on this computer with a "clean" version of ntoskrnl.exe from another W7 system, am I likely to remove the virus from this computer?

OK, as I expected, it's not as simple as that. I can see from Process Explorer that there are many threads reported as "System". Even if replacing ntoskrnl were to work, it would fix this computer but wouldn't prevent a future infection.

2. Suggestions on how to identify or remove this malware?

greetz


Edited by REAP

I wouldn't start replacing files until you identify what is infected.

Try using a boot CD for the scan. The Bitdefender rescue CD or the KAV rescue disk should work.

Perhaps this attack is coming remotely from a trusted resource after it's authenticated on the network instead.



I'll try KAV. Thanks.

But if that doesn't detect anything, are there any programs that allow you to easily compare binary hashes / checksums of two sets of files?

This would be some sort of WinPE-type utility that you could use to compute a set of hashes on the infected computer (for selected files) and then do the same thing against a "clean" computer, then compare the results, which would identify those files that are different (of course they could be different for valid reasons: different Windows Updates, etc.). But if it didn't take that much work to do the compare, then it might be worth trying before rebuilding the desktop.

In this case rebuilding the desktop is not a big deal, but it means that the malware could get through again.

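One way to do the hash comparison the post above asks about, as an added example that is not part of the thread and not the poster's or any vendor's tool (hypothetical script name hashdiff.py): build a SHA-256 manifest of *.exe, *.sys and *.dll files under a root, once on the suspect disk and once on a clean Windows 7 box at the same update level, then diff the two manifests. Run the suspect side from a WinPE or rescue boot so the kernel on the suspect disk is not the one serving the reads. The extension list, the paths and the file contents in the demo are constructed for illustration.

```python
"""Hash-manifest builder and differ for comparing a suspect Windows install
against a clean one. Added example for this thread, not the poster's code.
Hypothetical script name: hashdiff.py. Run the suspect side from a WinPE or
rescue boot, so the kernel on the suspect disk is not the one serving reads."""
import hashlib
import json
import sys
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time; system files can be large
# file classes worth comparing first; an assumption for the demo, widen as needed
PATTERNS = ("*.exe", "*.sys", "*.dll")


def sha256_file(path):
    """SHA-256 of a file, streamed so large drivers do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, patterns=PATTERNS):
    """Map lower-cased path relative to root -> sha256 hex (or UNREADABLE)."""
    root = Path(root)
    manifest = {}
    for pat in patterns:
        for p in root.rglob(pat):
            if not p.is_file():
                continue
            key = p.relative_to(root).as_posix().lower()
            try:
                manifest[key] = sha256_file(p)
            except OSError:
                # record locked or unreadable files instead of skipping them;
                # on a live system that itself is a lead
                manifest[key] = "UNREADABLE"
    return manifest


def diff_manifests(suspect, clean):
    """Return (only_on_suspect, only_on_clean, changed), each sorted.
    Files that differ may be legitimate (different update level), so compare
    against a clean box patched to the same level and triage the remainder."""
    s, c = set(suspect), set(clean)
    changed = sorted(k for k in s & c if suspect[k] != clean[k])
    return sorted(s - c), sorted(c - s), changed


def demo():
    """Constructed pair of trees: the suspect copy has a modified tcpip.sys
    and an extra driver. Returns the diff tuple."""
    import tempfile
    base = Path(tempfile.mkdtemp(prefix="hashdiff_"))
    clean, suspect = base / "clean", base / "suspect"
    files = {  # constructed contents, not real binaries
        "Windows/System32/ntoskrnl.exe": b"kernel build 7601",
        "Windows/System32/drivers/tcpip.sys": b"tcpip build 7601",
        "Windows/System32/kernel32.dll": b"kernel32 build 7601",
    }
    for tree in (clean, suspect):
        for rel, data in files.items():
            (tree / rel).parent.mkdir(parents=True, exist_ok=True)
            (tree / rel).write_bytes(data)
    (suspect / "Windows/System32/drivers/tcpip.sys").write_bytes(b"tcpip build 7601 + patch")
    (suspect / "Windows/System32/drivers/unknown.sys").write_bytes(b"constructed extra driver")
    return diff_manifests(build_manifest(suspect), build_manifest(clean))


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "build":    # hashdiff.py build D:\ > suspect.json
        json.dump(build_manifest(sys.argv[2]), sys.stdout, indent=1)
    elif len(sys.argv) == 4 and sys.argv[1] == "diff":   # hashdiff.py diff suspect.json clean.json
        with open(sys.argv[2]) as a, open(sys.argv[3]) as b:
            only_s, only_c, changed = diff_manifests(json.load(a), json.load(b))
        print(json.dumps({"only_on_suspect": only_s, "only_on_clean": only_c,
                          "changed": changed}, indent=1))
    else:
        print(demo())
```

The demo returns the suspect-only driver and the changed tcpip.sys, and nothing for the unchanged files. On a real pair of machines the "changed" list will also contain whatever Windows Update touched on one box and not the other, so the triage step is to check each changed file's Authenticode signature and version against the clean copy before concluding anything from a hash mismatch.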

By installing all these programs you've installed toolbars, adware and various garbage you don't need that slows you down. The AV software (all of them) isn't going to detect the majority of bad code out there, and for the small part it does catch, the malware authors change packers, change a few lines of source, etc. and reinfect you the next day. Just read some of the many docs on how easy/practical AV evasion is for more info.

I wouldn't worry about hash checks, etc. Just reformat.



There are several md5sum/SFV-type utilities out there for creating file lists.

Since you say it only happens after logging into the DC, it might be a remote network attack instead. Another PC in the network that has elevated membership in the domain. Maybe an audit check is being run by the admins. How are you detecting this?


> Since you say it only happens after logging into the DC, it might be a remote network attack instead. Another PC in the network that has elevated membership in the domain. Maybe an audit check is being run by the admins. How are you detecting this?

Definitely this PC. Detected by monitoring the event logs on the DC.

When the PC is on the domain network, it connects to the DC constantly.

When the PC is off the domain network, it periodically tries to connect to the DC.

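The DC-side detection the reply above relies on, as an added example that is not the poster's method or any vendor's tool: parse the Security log events a domain controller records for bad passwords (4771 Kerberos pre-authentication failure with Status 0x18, 4776 NTLM credential validation with Status 0xC000006A, and 4625 with SubStatus 0xC000006A for logons to the DC itself) and flag any source host that produces ten failures within sixty seconds. The hostnames, IP addresses, account names and timestamps in the sample events are constructed; reading an export file assumes one `<Event>` element per line, which is how `wevtutil qe Security /f:xml` lays out its output.

```python
"""Flag a brute-forcing host from a domain controller's Security log.
Added example for this thread, not the poster's method or any vendor's tool.
Reads the XML that `wevtutil qe Security /f:xml` or Event Viewer's "Save as
XML" produces. Event IDs and field names are the standard Windows ones; the
hosts, IPs, accounts and timestamps below are constructed for the demo."""
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# status codes meaning "wrong password": STATUS_WRONG_PASSWORD for 4625/4776,
# KDC_ERR_PREAUTH_FAILED for 4771. Lockouts, expiry, unknown users are excluded.
BAD_PASSWORD = {"0xc000006a", "0x18"}


def parse_event(xml_text):
    """Return {"id", "time", <each EventData Name>: value} for one <Event>."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    # Windows writes 7 fractional digits; strptime accepts at most 6, so drop them
    when = datetime.strptime(stamp.split(".")[0].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return {"id": int(system.findtext("e:EventID", namespaces=NS)), "time": when, **data}


def failure_source(ev):
    """Map a bad-password event to (source_host, target_user); None otherwise."""
    if ev["id"] == 4625 and ev.get("SubStatus", "").lower() in BAD_PASSWORD:
        return ev.get("IpAddress") or ev.get("WorkstationName"), ev["TargetUserName"]
    if ev["id"] == 4771 and ev.get("Status", "").lower() in BAD_PASSWORD:
        # Kerberos pre-auth failure; the KDC records the client as IPv4-mapped IPv6
        return ev.get("IpAddress", "").replace("::ffff:", ""), ev["TargetUserName"]
    if ev["id"] == 4776 and ev.get("Status", "").lower() in BAD_PASSWORD:
        return ev.get("Workstation"), ev["TargetUserName"]  # NTLM: hostname only
    return None


def find_bruteforcers(events, window_s=60, threshold=10):
    """Sources with >= threshold bad passwords inside any window_s-second window.
    Returns {source: {"failures", "users", "first", "last"}}. Many users for one
    source means spraying; one user hammered is what this thread describes."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = failure_source(ev)
        if hit:
            by_src[hit[0]].append((ev["time"], hit[1]))
    flagged = {}
    for src, fails in by_src.items():
        lo = 0
        for hi in range(len(fails)):  # sliding window over time-sorted failures
            while fails[hi][0] - fails[lo][0] > timedelta(seconds=window_s):
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[src] = {"failures": len(fails),
                                "users": sorted({u for _, u in fails}),
                                "first": fails[0][0], "last": fails[-1][0]}
                break
    return flagged


_TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
             '<System><EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/></System>'
             '<EventData>{data}</EventData></Event>')


def _event(eid, ts, **fields):
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return _TEMPLATE.format(eid=eid, ts=ts, data=data)


def sample_events():
    """Constructed log: one workstation hammering one service account, plus an
    ordinary typo from another host and a lockout that must not count."""
    base = datetime(2014, 3, 12, 8, 15, 0)
    out = []
    for i in range(12):  # 12 Kerberos pre-auth failures from 10.0.0.57 in 33 seconds
        ts = (base + timedelta(seconds=3 * i)).strftime("%Y-%m-%dT%H:%M:%S.0000000Z")
        out.append(_event(4771, ts, TargetUserName="svc_backup", Status="0x18",
                          IpAddress="::ffff:10.0.0.57", IpPort="49162"))
    out.append(_event(4625, "2014-03-12T08:15:20.0000000Z", TargetUserName="jsmith",
                      WorkstationName="WKS-12", IpAddress="10.0.0.12", LogonType="3",
                      Status="0xc000006d", SubStatus="0xc000006a"))
    out.append(_event(4625, "2014-03-12T08:15:40.0000000Z", TargetUserName="svc_backup",
                      WorkstationName="WKS-07", IpAddress="10.0.0.57", LogonType="3",
                      Status="0xc000006d", SubStatus="0xc0000234"))  # account locked out
    return out


def demo():
    return find_bruteforcers([parse_event(x) for x in sample_events()])


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # assumes one <Event> element per line, as wevtutil's /f:xml output is laid out
        with open(sys.argv[1], encoding="utf-8-sig") as f:
            events = [parse_event(ln) for ln in f if ln.lstrip().startswith("<Event")]
    else:
        events = [parse_event(x) for x in sample_events()]
    for src, info in find_bruteforcers(events).items():
        print(src, info)
```

On the constructed log only 10.0.0.57 is flagged, with a single target account, which matches the pattern described in the thread; an admin audit or a password-spray tool would instead show one source against many accounts. Note that a DC only logs 4625 for logons to the DC itself; failures against member servers show up on the DC as 4771 (Kerberos) or 4776 (NTLM), which is why all three are parsed.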

Using Process Monitor I am able to identify the following:

Process Name: System
PID: 4
TID: 0
Parent PID: 0

In Process Explorer I can see PID 4, but when I look at the threads of the System process there is no TID of 4 or 0.

How can I identify the actual process being executed?



I've made some progress on this; I have been able to narrow down the suspect packets to two files: ntoskrnl.exe and tcpip.sys.

I will replace these files with known good versions and see what happens.

Thanks for the feedback and suggestions.

