Honing Computer Forensics Skills with Process Explorer: Page 2

Posted December 24, 2008

Lyne Bourque

(Page 2 of 2)

Play it Safe (Mode)

I boot into safe mode by rebooting and hitting F8 (this works on XP systems and can also work on others). Booting into safe mode avoids the possibility of the trojan downloading something and re-infecting the machine.

I relaunch Process Explorer and use Kill Process Tree to kill the parent process of the trojan along with its child processes. The next step is to turn off System Restore. I do this because I know this particular set of malware uses it to recover.

It does mean I have to be very careful about what I do and ensure I tackle all the problem children I can find. I right-click on My Computer and choose Properties. I then go to the System Restore tab of the System Properties dialog box. I select Turn Off System Restore on all drives and click OK. I say Yes to the confirmation (because this is a pretty big deal) and I'm all set.

I then go to the Start button and type regedt32. Using Find, I look for fun.exe (the other two will be nearby in the same area) and delete any and all keys related to it. I also look for winsit.exe, which is an associated file, and remove any references to it. I then check the registry once more for each file to confirm that I got all instances of it.

[Screenshot: Process Explorer - Forensics]

My next step is to search through the %systemfolder% to find all instances of all four files and delete them. Most of these files reside in the System or System32 folders as well as the startup locations. To be sure I get everything, I run HiJackThis to check whether I got them all.
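The registry and file-system sweeps above are the two places where a reference to the dropped files is easiest to miss. The following is an added example (not code from the article or its author) that does the same inventory in a reviewable way: it parses a regedit export (File > Export produces this format) and lists every key path or value that mentions a given file name, decoding hex(2)/hex(7) values because an autostart path stored as REG_EXPAND_SZ does not show up in a plain-text search; it then walks a directory tree for the same names case-insensitively. The .reg text and the temporary directory tree are constructed sample data, and the key paths in them are hypothetical; only the file names fun.exe and winsit.exe come from the article. Listing first and deleting afterwards is the point: the operator reviews the output before touching anything.

```python
import os
import re
import tempfile

# Constructed sample of a regedit export. Key paths and value names are hypothetical;
# the two file names are the ones discussed in the article.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\WINDOWS\\system32\\fun.exe"
"Messenger"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"svc"=hex(2):43,00,3a,00,5c,00,77,00,69,00,6e,00,73,00,69,00,74,00,2e,00,\
  65,00,78,00,65,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\fun.exe\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''

KEY_RE = re.compile(r'^\[-?(.+)\]$')
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$')
# Anything under these key paths runs at logon, so hits there are checked first.
AUTOSTART_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce",
                     "\\currentversion\\runservices", "\\winlogon")

def _logical_lines(text):
    """Join .reg continuation lines: a trailing backslash continues a hex value."""
    pending = ""
    for line in text.splitlines():
        if pending:
            line, pending = pending + line.strip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        yield line
    if pending:
        yield pending

def _decode_value(raw):
    """Turn the textual .reg data into the string regedit would display."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = HEX_RE.match(raw)
    if m:
        kind, payload = m.group(1), m.group(2)
        data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
        if kind in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are exported as UTF-16LE
            return data.decode("utf-16-le", errors="replace").rstrip("\x00").replace("\x00", ";")
        return data.decode("latin-1", errors="replace")
    return raw  # dword:... and anything else is matched on its raw text

def find_references(reg_text, names):
    """Every key path or value in the export whose text contains one of the names."""
    targets = [n.lower() for n in names]
    hits, current_key = [], None
    for line in _logical_lines(reg_text):
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_RE.match(line)
        if km:
            current_key = km.group(1)
            for n in targets:
                if n in current_key.lower():  # the name is part of the key path itself
                    hits.append({"key": current_key, "value": None, "data": None, "match": n})
            continue
        vm = VALUE_RE.match(line)
        if vm and current_key:
            name = "(Default)" if vm.group(1) == "@" else vm.group(1)[1:-1]
            data = _decode_value(vm.group(2))
            for n in targets:
                if n in data.lower():
                    hits.append({"key": current_key, "value": name, "data": data, "match": n})
    return hits

def autostart_hits(hits):
    """Subset of hits that live under Run/RunOnce/RunServices/Winlogon keys."""
    return [h for h in hits if any(m in h["key"].lower() for m in AUTOSTART_MARKERS)]

def find_files(root, names):
    """Walk a directory tree and return full paths whose file name matches, ignoring case."""
    targets = {n.lower() for n in names}
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if f.lower() in targets)

def demo_tree():
    """Build a throwaway directory tree (constructed test data) for find_files()."""
    root = tempfile.mkdtemp(prefix="sysroot_")
    os.makedirs(os.path.join(root, "system32"))
    for rel in (os.path.join("system32", "FUN.EXE"), "notepad.exe"):
        open(os.path.join(root, rel), "w").close()
    return root

if __name__ == "__main__":
    hits = find_references(SAMPLE_REG, ["fun.exe", "winsit.exe"])
    for h in hits:
        tag = "AUTOSTART" if h in autostart_hits([h]) else "other    "
        print(tag, h["key"], h["value"], h["data"])
    print(find_files(demo_tree(), ["fun.exe", "winsit.exe"]))
```

Run against a real export, the output is the checklist for the second pass the article describes: each autostart hit is a persistence point, a hit in a key path (here the Classes\Applications entry) shows a reference a value-only search would skip, and the UTF-16 decoding is what surfaces winsit.exe from the hex(2) value.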

[Screenshot: Process Explorer - Forensics]

Once everything is clean, I reboot once and ensure everything is gone. Assured that it is, I re-instate System Restore by reversing my previous actions and reboot once more. If the malware is gone, I can go forward. If not, I'll have to dig some more.

One should be aware, however, of how long it can take to remove a virus. I'm lucky enough to have a virtual machine, which has a boot up time of a few seconds. This is in stark contrast to a physical machine that can take a couple of minutes or more to boot and reboot. I also have the advantage of a snapshot so that if the malware couldn't be removed, I could just revert to the last known good (although I was able to successfully remove it with these steps).

The trick to doing something like this is to have patience and a bit of time.

I performed these activities in about 45 minutes. This may be the same amount of time it would take to do a restore from a working backup. Process Explorer, however, is a great tool for ferreting out these kinds of nasties and helping to kill them far faster than Task Manager (attempts with Task Manager always resulted in the processes respawning).

Anti-virus, malware detection and other security-minded products are getting better at detection but they aren't perfect. And as much as we want to build a better mousetrap, nothing beats having an old fashioned cat watching the door.

This article was first published on EnterpriseITPlanet.com.
