Virus Trouble Shooting Tips

This is a collection of techniques I use to trouble shoot suspected viruses.

Basically, this is a summary of troubleshooting techniques and registry locations on my other pages.

Once you locate a likely candidate, comment it out - if the key is automatically recreated, then it is usually a virus. (Some antivirus programs may also recreate "missing" keys.)

I've tried to be complete, but remember - most registry entries can occur in both HKCU and HKLM - be sure to check both when either is specified.

Startup | Run / RunOnce | Safe Mode Infector | IE Defaults | Browser Helper Objects
Tools - AgentRansack RegMon FileMon Process Explorer
Domain Names and Related Tools - ping, tracert, and nslookup Web Based DNS Tools whois

Programs run at Startup

In Windows, there are many places that programs are listed so that they will start automatically when windows starts. Just to keep it interesting, each version of Windows uses different places to hide this info.

In Windows XP, the StartUp menu is located at

C:\Documents and Settings\[UserName]\Start Menu\Programs\Startup

but that can be changed by modifying the registry.

To see running services, use

ControlPanel / Administrative Tools / Services

Fake device drivers can be used to hide viruses.

win.ini and system.ini (in the Windows directory) can be used to start a virus.

Run / RunOnce

The registry provides a number of keys to define which programs are run when Windows starts. These programs are not run when starting in Safe Mode.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Examples of Infected Values

No valid program modifies the registry in this way

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 SystemSearch = REGEDIT.EXE -s C:/WINDOWS/xyz.reg

If the program name appears to be just random letters, search google and see if it is legitimate. If the name is not found, it is probably a virus ... or custom software created for your company.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  sgbifq = c:\windows\system32\zkqnlf.exe r

(Used by the Aurora virus.)

I have never seen rundll32.exe in a valid Run or RunOnce key. In this case (WinFixer),

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
 *OPPON = rundll32.exe C:\WINDOWS\SYSTEM\OPPON.DLL,CreateProtectProc rerun

(Used by the Aurora virus.)

Safe Mode Infector

This key is executed each time Windows starts ... even in Safe Mode

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  shell = Explorer.exe

Example of an Infected Value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  shell = Explorer.exe C:\WINDOWS\Nail.exe

Used by the Aurora virus.

Safe Mode Infector 2

The dll's listed in the Notify keys are executed each time Windows starts ... even in Safe Mode

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[SomeName]
  DLLName = SomeProcess.dll

I have seen 4 to 10 valid entries in this section.

Example of an Infected Value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vacac
  DLLName = vacac.dll

Notice that there is no difference between infected and normal entries ... you must search the internet for the dll names to determine which are which.

Used by the SystemDoctor/vacac.dll virus.

IE Defaults

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix

  default =   http://

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes

  ftp     =    ftp://
  gopher  = gopher://
  home    =   http://
  mosaic  =   http://
  www     =   http://

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs
 blank              = res://mshtml.dll/blank.htm
 NavigationCanceled = res://shdoclc.dll/navcancl.htm
 NavigationFailure  = res://shdoclc.dll/navcancl.htm

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
 Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
 Start Page  = http://www.xyz.com/

Examples of Infected Values

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\Prefixes
 www = http://www.xyz.com/cgi-bin?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
 default = http://www.xyz.com/cgi-bin?

Browser Helper Objects

This is a common IE backdoor to run programs - some are legitimate, others are not. A list of valid CLSID's is not enough since new ones are created for each valid program you might want on your system.

The procedure is to manually check out each CLSID.

Another approach is to comment them all out and see which ones recreate themselves ... those are usually the bad guys.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\
 Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}

Tools

To debug new viruses, I find these tools valuable

AgentRansack

Use this to find files and directories that Windows Explorer hides from you

SysInternals (bought by Microsoft 07-18-2006)

These are (currently) free

Process Explorer - see what programs are currently running
TCPView - see all the active internet connections
Process Monitor - As of 2012, RegMon and FileMon are no longer available as separate tools, but are now combined in Process Monitor
- RegMon - see all Registry activity in real-time
- FileMon - see all file system activity in real-time

Recovery Console

Use this to delete files that are normally locked

tracert

Use this to determine the IP address of a URL

whois

This helps to identify the owner of a URL

Reverse DNS

Given an IP address, this helps to find the owner

AgentRansack

If you ever search your hard drive for files, you should have this application. The Windows Explorer search function is worthless, I have documented several instances where it simply lies.

Once it is installed, in Windows Explorer right click and select AgentRansack from the menu.

RegMon

The first step with most parasites is to run RegMon. This cycle was repeated about every 3 seconds. (I've added spaces in the trace below to make it easier to read.)

43  3.73025036  Rundll32:FFFECA37  OpenKey       HKLM\Software\Microsoft\Windows\CurrentVersion                  SUCCESS	hKey: 0xC188F7B0
44  3.73029375  Rundll32:FFFECA37  QueryValueEx  HKLM\Software\Microsoft\Windows\CurrentVersion\SubVersionNumber SUCCESS	20 0 	
45  3.73031759  Rundll32:FFFECA37  CloseKey      HKLM\Software\Microsoft\Windows\CurrentVersion                  SUCCESS		

46  3.73088241  Rundll32:FFFECA37  OpenKey       HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce          SUCCESS	hKey: 0xC1896600
47  3.73094153  Rundll32:FFFECA37  QueryValueEx  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*OPPON   SUCCESS	72 75 6E 64 6C 6C 33 32 ...
48  3.73097134  Rundll32:FFFECA37  FlushKey      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce          SUCCESS		
49  3.73099685  Rundll32:FFFECA37  CloseKey      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce          SUCCESS		

50  3.73112655  Rundll32:FFFECA37  OpenKey       HKLM\SOFTWARE\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}  SUCCESS  hKey: 0xC1896600
51  3.73115849  Rundll32:FFFECA37  FlushKey      HKLM\SOFTWARE\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}  SUCCESS
52  3.73118734  Rundll32:FFFECA37  CloseKey      HKLM\SOFTWARE\...\Browser Helper Objects\{B313D637-F405-4052-AC37-E2119AB3C8F8}  SUCCESS

53  3.73230720  Rundll32:FFFECA37  OpenKey       HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\InprocServer32 SUCCESS	hKey: 0xC1896600	
54  3.73237038  Rundll32:FFFECA37  QueryValueEx  HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\InprocServer32 SUCCESS	43 3A 5C 57 49 4E 44 4F ...
55  3.73240161  Rundll32:FFFECA37  FlushKey      HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\InprocServer32 SUCCESS		
56  3.73242640  Rundll32:FFFECA37  CloseKey      HKCR\CLSID\{B313D637-F405-4052-AC37-E2119AB3C8F8}\InprocServer32 SUCCESS		

57  3.73249292  Rundll32:FFFECA37  OpenKey       HKLM\Software\Microsoft\Windows\CurrentVersion                   SUCCESS	hKey: 0xC188F7B0
58  3.73253036  Rundll32:FFFECA37  QueryValueEx  HKLM\Software\Microsoft\Windows\CurrentVersion\SubVersionNumber  SUCCESS	20 0 	
59  3.73255205  Rundll32:FFFECA37  CloseKey      HKLM\Software\Microsoft\Windows\CurrentVersion                   SUCCESS

Rundll32:FFFECA37 is very unusual in a RegMon trace. In this case, it was the WinFixer virus. Both the RunOnce and Browser Helper Objects keys pointed to files that had to be deleted.

FileMon

Unusual file activity generally indicates a virus. On many machines, you can actually hear the hard drive running way too often. Frequently, this activity will significantly slow down your system.

FileMon will identify which program is using the hard drive.

Because the Aurora virus read the registry and wrote the data to a cookie - FileMon was useful in identifying it and evaluating the risk.

Process Explorer

This program allows you to stop programs that the Windows Task Manager is not able to stop. It also provides much more information ... including which registry keys are currently open.

In some cases (specifically winlogon.exe and explorer.exe), this program will allow you to stop specific threads without actually stopping the program.

Windows Recovery Console

The overclockersclub explains how to use the recovery console to remove files. Note: I do NOT suggest disabling System File Checker, this is just a reference on how to use the Recovery Console.

Domain Names and Related Tools

To host a web site under your own name, you

Purchase a Domain Name from a "registrar"
Rent web space from an ISP
Associate your Domain Name with the IP address provided by the ISP

When a user tries to access your web page

The user types in (or clicks on) a URL
The first part of the URL (up to the first slash) contains the Domain Name you purchased in step 1 above - DNS Lookup is the process of sending that name to a program that returns the associated IP address you obtained in step 2 above
The web browser then tries to retrieve the page using the IP address

Note: All internet access is by IP address - DNS allows one or more registered names to be associated with a given address. In that case, the ISP provides additional DNS type resolution to keep the sites separate. Frequently, a single IP address is used by several related parasites.

Given a URL, I use several methods to determine the associated IP address

ping - this is the simplest
tracert - this provides the route used to transfer information between your machine and the target machine
A web based DNS Lookup program - files on your machine can be used to provide name/address associations - you can use this to block adware, spam, and many parasites. However, sometimes it is useful to bypass local blocks and see (or verify) what other people see for a specific Domain Name.

The has been useful in identifying families of parasites owned by a single person - such as winfixer, errorsafe, winantivirus, and the like - all associated with WinSoftware Ltd.

ping, tracert, and nslookup

ping, tracert, and nslookup are MS Windows programs available via a command prompt, available via

Start / Programs / Accessories / Command Prompt

All 3 programs will accept a Domain Name and provide DNS Lookup to determine (and display) the associated IP address.

>nslookup winfixer.com
Server:  cns.manassaspr.va.dc02.comcast.net
Address:  68.87.73.242

Non-authoritative answer:
Name:    winfixer.com
Address:  127.0.0.1

This trace (from my SystemDoctor page) was made 11-09-06 (reformatted to be more readable)

tracert systemdoctor.com

Tracing route to systemdoctor.com [66.244.254.63]
   ...  The first few hops are omitted - they add no useful information
 15    12 ms    15 ms    13 ms  rx0as.vx.shawcable.net                [68.86.88.126]
 16    18 ms    17 ms    17 ms  rc2hu-pos7-0.ny.shawcable.net         [66.163.77.49]
 17    17 ms    19 ms    17 ms  rc1hu-ge4-0-0.ny.shawcable.net        [66.163.74.5]
 18    27 ms    28 ms    28 ms  rc1sh-pos12-0.mt.shawcable.net        [66.163.76.13]
 19    27 ms    28 ms    29 ms  ra1sh-ge3-3.mt.shawcable.net          [66.163.66.33]
 20    30 ms    27 ms    28 ms  rx0sh-set-up-a-host.mt.bigpipeinc.com [66.244.223.98]
 21    47 ms    28 ms    28 ms  rr-grp1.yyz1.cl1.setupahost.net       [66.244.254.63]

Trace complete.

Notice that the IP address for systemdoctor.com resolves (via reverse DNS) to setupahost.net

Also notice that shawcable and bigpipeinc.com provide the actual access. Additional research on those names indicates that the physical server is located in Canada.

Web Based DNS Tools

Files on your machine can be used to provide Domain Name/IP address associations - you can use these to block adware, spam, and many parasites. In fact, there are a number of anti-parasite programs and techniques that work by using this method to always return the LocalHost IP address (127.0.0.1) when your computer tries to reach one of the known parasites.

However, sometimes it is useful to bypass local blocks and see what other people get for a specific Domain Name. To do this, I use web based DNS Lookup and Reverse DNS tools.

Specifically, in April 2007, WinFixer.com was returning the LocalHost IP address (127.0.0.1) when using ping, tracert, and nslookup. In order to determine if this was caused by something on my machine, or if it was real, I used a web based solution - NSLookup.

DNS Lookup Results

   Host       Type    Value 
winfixer.com    A   127.0.0.1

This proved that it wasn't just my machine. However, there is no data about who might have removed this from the web.

This was interesting, using another web based tool, winfixer apparently has its own name server ... and that server returns 127.0.0.1

C:\Documents and Settings\User>ping ns1.winfixer.com

Pinging ns1.winfixer.com [84.16.243.230] with 32 bytes of data:

Besides ping and tracert, IPAddressGuide.com provides Geolocation by IP Address to find the city and country of an IP - pretty cool.

whois

When a Domain Name is *registered*, the owner and billing information is collected - whois is the generic name of programs used to provide that information.

Just search the internet for *whois* and use one of the free programs. The available whois sites change so often it is hard to give a good recommendation. I normally have to use several sites to get all the information I want about a single Domain Name.

Unfortunately, there is no way to keep people from providing false information when they register a Domain Name - as a result, obviously fake information is one indication of a parasite.

Author: Robert Clemenzi