Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hacked while on my computer!
-
12-06-2007 01:22PM#1
Comments
-
here is what i initially do when checking a system for malware.
start autoruns, if you haven't got it, download it HERE from the sysinternals website.
if its the first time you run on the system, it will scan and display all entries, so hit ESC key to stop it, we need to change the options.
the next part will make finding malware alot easier.
Go to options and enable both 'Verify Code Signatures' and 'Hide Signed Microsoft Entries' as you can see in this picture.
Now refresh (hit F5) to begin scanning again.
Each tab shows you majority of locations on the system, software can startup.
These include plugins in internet explorer, system services, drivers..think of a place, and its probably covered.
Most "good" software will be signed (verified) and trusted by the operating system.
It doesn't mean a signed file is not malicious, but the chances of it being so are alot less likely than if its (not verified)
Also, just because its (not verified) doesn't mean its malicious either.(don't get confused, because finding malicious signed files rarely happens)
Remove the suspicious entries, make the best use of Process Explorer also, its great for looking a process in detail.
For example, you can check a process for TCP/IP ports, threads, loaded DLL modules, any dependencies, what files it has opened.
If you're unsure, search online using the drop down box or CTRL+M
If a situation occurs that you have all microsoft entries displayed, then its possible that the catalog files have either been removed/corrupted maliciously or some software is preventing autoruns from verifying the executable image through hooking API.
Autoruns and Process Explorer are very powerful, useful tools in tracking down basic types of malicious software.
there are more extensive tests to be carried out from here should this not work. ;]0 -
-
-
mickoneill30 wrote:If it was me and I didn't know what bykwzwyo.exe did I'd do a format and reinstall. You don't know if some service or exe has been replaced. Something could be running on your machine with an innocent name.
I understand your concerns here, but let me explain the useful feature of autoruns, where it verifies an executable image.
When i said 'Hide Signed Microsoft Entries', autoruns will still verify that any Microsoft executeable is trusted, and if not, display it..
Process Explorer can also verify DLL modules inside a process, as seen here.
if you want a command line tool, check out sigcheck
you can recursively search through many directories, or verify just one file like below.
Reasons why i'd recommend using AR+PE before any virus scan or re-install.
1. virus scanners only identify malware from signatures in its database, which are constantly updated to reflect NEW threats.
If the software was in the wild (NEW unidentified threat) , then chances are a virus scan won't pick it up as being malicious.
Also, some scanners take too long, time is critical ;]
2. re-installing might not be necessary.If its simply a matter of removing the startup entry, and deleting the files, sometimes that is enough, if done carefully.
If you're running a large server, re-installing is a time consuming process, meaning money.0 -
-
Advertisement
-
-
-
-
-
-
Advertisement
-
-
-
-
Advertisement