Find and remove Malware with Sysinternals Tools - Part 3
In the third and final part of this series, I will show you how to use the Process Monitor tool to detect changes that malware makes to the registry and file system.
In part one and part two of this three-part series, we showed you how to use Process Explorer and Autoruns to identify malicious software on Windows systems. A new version of Process Explorer (v15.01) was released this month; you can download the latest version here.
The new version uses less memory, displays GPU usage and allows you to restart a service. The performance graphs also have a cleaner interface.
Install and use Process Monitor
Process Monitor replaces the older FileMon and RegMon tools, combining and extending the functions of both. The current version of Process Monitor is v2.95 and you can download it here.
So what can you do with Process Monitor? The tool captures real-time data about every process on the computer, including image paths, command lines, users, session IDs and parent/child process relationships. Its filtering is powerful, and because a filter only affects what is displayed, you do not lose any captured information by applying one. With the data collected, you can analyze the malware you have found, determine what it does and work out how to remove it.
Process Monitor is a small download (about 1.26 MB). It installs a device driver to capture events and then displays them in a graphical interface. As shown in Figure 1, Process Monitor displays a stream of entries, one for each activity that occurs on the system. By default the columns include the time, the process name and PID, the operation performed, the path it was performed on, the result of the operation and the details of the operation. In the screenshot we have hidden the Path column because it reveals identifying information such as user account names, computer names and domain names.
Figure 1
You can add more columns to get more information about applications, events, and processes, as shown in Figure 2.
Figure 2
Process Monitor produces a very large volume of data, because so many processes run in the background on a Windows system. That means we need to filter if we want to isolate the information relevant to hunting malware. Importantly, Process Monitor filters restrict what is displayed, not what is captured: all data is still recorded, but you only see what you need. You can display entries that match a process name, a user, a particular time of day and so on. Many of the options are shown in Figure 3.
Figure 3
You can combine multiple filters to pinpoint entries, for example those created by a particular process during a specific time window, or by any other combination of conditions. This flexibility makes it far easier to spot the events that matter without being distracted by large amounts of irrelevant information.
The toolbar has many useful buttons that let you show or hide registry activity, network activity, file system activity, and process and thread events. You can also add notes to the capture and set the history depth to limit the total number of events that are kept.
When a malware program installs itself on your system, it typically extracts files to various locations on the hard drive, copies a driver file into the Windows system directory, adds keys to the Windows registry, and so on. With Process Monitor, you can identify what is creating those files, what recreates them after you delete them, and what is creating suspicious registry entries.
To find out what a suspicious process is doing, first set up a filter to display only the entries for that process name. You can then narrow the results further, or review each line to see what the process is doing. For example, you can choose to display only registry events to determine which registry keys the process reads, changes or adds, and then inspect those registry values to understand the effect of the changes. Likewise, you can review the file system events to see which files a process is touching, and which files are being deleted or added to the system.
It may be easier to review the information in another program, such as Excel or another Office application, and in any case you may want to keep a copy of the data in one of those formats. For that, export the data to a .CSV or .XML file using the 'Save to file' option (you can also save in Process Monitor's native .PML format if you want to reopen the capture in Process Monitor later).
Process Monitor, used together with Process Explorer and Autoruns, forms a powerful set of tools for monitoring and removing malware from a system.
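As an added example (not part of the original article and not a Sysinternals tool), the following Python script triages a .CSV export of the kind just described. It assumes the default Process Monitor column headers (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the six event rows embedded in it are constructed sample data, not a real capture, and the process name "updater.exe" is hypothetical. It mirrors the two steps above: first a display-style filter on process name, operation and result, then a sweep for writes to well-known autostart registry locations and for files dropped into the system directory.

```python
"""Triage an exported Process Monitor CSV for persistence and file-drop activity.

Added example, not code from the original article or from Sysinternals.
Assumes the default Procmon CSV column headers. The rows below are constructed.
"""
import csv
import io

# Constructed sample export: a hypothetical "updater.exe" drops a driver,
# adds a Run value and a service, plus some benign explorer/notepad activity.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1234567 AM","explorer.exe","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:15:02.0000001 AM","updater.exe","4321","CreateFile","C:\Windows\System32\drivers\upd.sys","SUCCESS","Desired Access: Generic Write"
"10:15:02.0000002 AM","updater.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 58, Data: C:\Users\Public\updater.exe"
"10:15:02.0000003 AM","updater.exe","4321","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\upd\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 60, Data: system32\drivers\upd.sys"
"10:15:03.0000000 AM","updater.exe","4321","CreateFile","C:\Users\Public\updater.exe","NAME NOT FOUND","Desired Access: Read Attributes"
"10:15:04.0000000 AM","notepad.exe","777","RegSetValue","HKCU\Software\Microsoft\Notepad\lfFaceName","SUCCESS","Type: REG_SZ, Length: 16, Data: Consolas"
'''

# Registry locations that launch code at logon or boot; writes here deserve a look.
AUTOSTART_KEY_PREFIXES = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SYSTEM\CurrentControlSet\Services",
)
# Directories where a newly written executable or driver is worth checking.
SENSITIVE_DIR_PREFIXES = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")

REGISTRY_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
FILE_WRITE_OPS = {"CreateFile", "WriteFile", "SetDispositionInformationFile"}


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(events, process_name=None, operations=None, result="SUCCESS"):
    """Narrow the view like a Procmon include filter; the full event list is untouched."""
    out = []
    for ev in events:
        if process_name and ev["Process Name"].lower() != process_name.lower():
            continue
        if operations and ev["Operation"] not in operations:
            continue
        if result and ev["Result"] != result:
            continue
        out.append(ev)
    return out


def _startswith_any(path, prefixes):
    p = path.lower()
    return any(p.startswith(pre.lower()) for pre in prefixes)


def find_persistence(events):
    """Return (process, operation, path, detail) for successful autostart registry
    writes and for write/delete operations on files in the system directories."""
    findings = []
    for ev in events:
        if ev["Result"] != "SUCCESS":
            continue
        op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
        if op in REGISTRY_WRITE_OPS and _startswith_any(path, AUTOSTART_KEY_PREFIXES):
            findings.append((ev["Process Name"], op, path, detail))
        elif op in FILE_WRITE_OPS and _startswith_any(path, SENSITIVE_DIR_PREFIXES):
            # CreateFile is also used for plain reads, so require a write access mask.
            if op == "CreateFile" and "write" not in detail.lower():
                continue
            findings.append((ev["Process Name"], op, path, detail))
    return findings


def suspicious_processes(events):
    """Distinct process names responsible for at least one finding."""
    return sorted({f[0] for f in find_persistence(events)})


if __name__ == "__main__":
    evs = parse_procmon_csv(SAMPLE_CSV)
    for proc, op, path, detail in find_persistence(evs):
        print(f"{proc:12} {op:12} {path}  [{detail}]")
    print("processes to investigate:", suspicious_processes(evs))
```

In practice you would read the exported file with `open(path, newline="")` instead of the embedded string, and extend the prefix lists with whatever autostart locations Autoruns showed you in part two. The point of keeping the filter and the detection separate is the same as in Process Monitor itself: narrowing the view never throws away the capture, so you can always widen the filter again when a finding needs context.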
What happens if the Sysinternals tool doesn't work?
As I have demonstrated in this three-part series, the Sysinternals tools are a great help in finding and killing malware, and they are especially useful during 'zero-day' periods, before anti-malware vendors have released new signatures. However, sometimes the Sysinternals tools do not work, because the malware author has studied these popular tools (as well as commercial anti-virus and anti-malware products) and knows how to evade them in order to infiltrate your system. When that happens, Process Explorer, Process Monitor and Autoruns may no longer be able to reveal the malicious process.
Conclusion
In this three-part series, I have shown you how to use tools such as Process Explorer, Autoruns and Process Monitor to find and kill malware. The free Sysinternals tools are also a good resource for anyone who wants to learn more about malicious code and how to remove it from their systems. All of them can be downloaded free of charge from the Microsoft website.