Boston IT Security Experts Discuss Cleaning a System Infected with Malware

Brian St. Marie - Sr. Systems Engineer

Spending most of my time working on servers, I don't often see malware issues these days.  However, I ran into quite a mess today on a client’s Terminal Services server and discovered some interesting tidbits to help get things under control.

First, a very useful and important tool for malware removal is Sysinternals Process Explorer.  It shows every running process as a tree, parent to child, so you can quickly isolate hijacked or illegitimate processes, see what launched them, and kill them.  In particular, its Find Handle or DLL search (Ctrl+F) lets you search by file name or path for open handles and loaded modules, which catches malware files that do not carry .exe or .dll extensions and so are not obviously executables.  Turning on Options > Verify Image Signatures helps too: an unsigned image running out of a temp folder or a user profile deserves a second look.
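As an added example (not code from the original post), here is a PowerShell sweep that reproduces two of those Process Explorer checks without the GUI: it records the parent chain of every process and flags any loaded module that lacks a normal code-file extension or loads from a user-writable folder. The extension list and the folder list are assumptions to tune for your environment; it needs an elevated, 64-bit PowerShell 3.0 or later so that system and 64-bit processes can be inspected.

```powershell
# Added example, not code from the original post. Assumptions: the extension
# list and the user-writable folder list below; adjust both for your estate.
# Run from an elevated, 64-bit PowerShell 3.0+.

$codeExtensions = '.exe', '.dll', '.sys', '.ocx', '.drv', '.cpl', '.mui'
$userWritable   = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, "$env:SystemRoot\Temp") |
                  Where-Object { $_ }

# Parent PID map, so a flagged process can be walked back to whatever launched it.
$parentOf = @{}
Get-CimInstance Win32_Process | ForEach-Object { $parentOf[[int]$_.ProcessId] = [int]$_.ParentProcessId }

function Get-ProcessChain {
    # Returns "pid:name > pid:name > ..." from the given process up to the root.
    param([int] $ProcessId)
    $chain = @(); $seen = @{}
    while ($ProcessId -and -not $seen[$ProcessId]) {
        $seen[$ProcessId] = $true
        $name = (Get-Process -Id $ProcessId -ErrorAction SilentlyContinue).ProcessName
        $chain += "${ProcessId}:$(if ($name) { $name } else { '<exited>' })"
        $ProcessId = $parentOf[$ProcessId]
    }
    $chain -join ' > '
}

$findings = foreach ($proc in Get-Process) {
    try { $modules = $proc.Modules } catch { continue }   # access denied or WOW64 mismatch: skip
    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }
        $ext     = [System.IO.Path]::GetExtension($path).ToLowerInvariant()
        $oddExt  = $codeExtensions -notcontains $ext          # loaded as code, but not named like code
        $oddPath = [bool]($userWritable | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
        if ($oddExt -or $oddPath) {
            [pscustomobject]@{
                PID    = $proc.Id
                Module = $path
                Reason = if ($oddExt) { "extension '$ext'" } else { 'user-writable location' }
                Chain  = Get-ProcessChain $proc.Id
            }
        }
    }
}

$findings | Sort-Object PID | Format-Table -AutoSize -Wrap
```

Treat the output as a triage list rather than a verdict: legitimate per-user installs under AppData will show up too, so the Chain column, which tells you what launched the process, is usually the quickest way to separate a hijacked host from a normal application.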

Unfortunately, sometimes even if you kill a process with open handles to malware files, the process will immediately restart.  A good way around this is to rename the executable the process runs from: Windows lets you rename a running image even though it will not let you delete it.  When whatever is watching the process tries to relaunch it, the file it expects is gone, so the relaunch fails.  You can then remove the malware files without getting a "File in use" or "Access denied" message.  If the process still comes back after the rename, something else is re-creating the file, and you need to find that parent in the process tree first.  Finally, rename the executable back and restart it manually, but only if it is a legitimate program that the malware had hijacked; if the executable is the malware itself, leave it renamed or quarantine it.
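The rename-then-kill sequence as a PowerShell function, added here as an example and not taken from the original post. The PID and the list of files to remove are what you bring from your own Process Explorer findings; the quarantine folder path and the ".parked" suffix are assumptions. It moves the malware files aside rather than deleting them, so there is still something to analyse, and it only restores the image name when you say the host is legitimate. Run it elevated.

```powershell
# Added example, not code from the original post. Assumptions: the quarantine
# folder, the ".parked" suffix, and the 3-second respawn window. Run elevated.

function Stop-RespawningProcess {
    param(
        [Parameter(Mandatory)][int] $SuspectPid,
        [string[]] $MalwareFiles = @(),                  # files the process held open
        [string]   $Quarantine   = "$env:SystemDrive\Quarantine",
        [switch]   $RestoreImage                         # only for a legitimate host executable
    )
    $proc = Get-Process -Id $SuspectPid -ErrorAction Stop
    $exe  = $proc.Path
    if (-not $exe) { throw "Cannot read image path of PID $SuspectPid (run elevated, matching bitness)" }

    # 1. Rename the image while it is still running (Windows allows rename, not delete).
    #    A watchdog that relaunches by path now has nothing to execute.
    $parked = "$exe.parked"
    Rename-Item -LiteralPath $exe -NewName (Split-Path -Leaf $parked) -ErrorAction Stop

    # 2. Kill it and confirm nothing came back under the original path.
    Stop-Process -Id $SuspectPid -Force
    Start-Sleep -Seconds 3
    $respawned = Get-Process | Where-Object { try { $_.Path -eq $exe } catch { $false } }
    if ($respawned) {
        throw "Relaunched as PID $($respawned.Id -join ','): something re-created the file; find that parent first"
    }

    # 3. Handles are released, so the files can be moved. Quarantine rather than delete,
    #    renaming to .bin so the copies are not accidentally executable.
    New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
    $moved = foreach ($f in $MalwareFiles) {
        if (Test-Path -LiteralPath $f) {
            $dest = Join-Path $Quarantine ((Split-Path -Leaf $f) + '.bin')
            Move-Item -LiteralPath $f -Destination $dest -Force
            $dest
        }
    }

    # 4. A legitimate host gets its name back; a malware image stays parked.
    if ($RestoreImage) {
        Rename-Item -LiteralPath $parked -NewName (Split-Path -Leaf $exe)
        $parked = $exe
    }
    [pscustomobject]@{ Image = $parked; Quarantined = $moved }
}

# Usage (PID and paths are placeholders):
# Stop-RespawningProcess -SuspectPid 1234 -MalwareFiles 'C:\Windows\Temp\x.dat', 'C:\Users\Public\r.tmp'
# Stop-RespawningProcess -SuspectPid 1234 -MalwareFiles 'C:\Windows\Temp\x.dat' -RestoreImage   # hijacked legit host
```

If the function throws at step 2, it deliberately leaves the image parked: the thing to do next is walk the relaunched process's parent chain, not put the file back.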

However, what do you do when the host process is a legitimate Windows process, like svchost.exe?  In that case, you have to dig a little deeper.  On Windows XP and Server 2003, Windows File Protection guards system files by keeping pristine copies in %systemroot%\system32\dllcache, and it puts a protected file back as soon as it notices the original has been renamed or deleted.  So if you need to keep a protected process from restarting, you have to go into the dllcache folder and rename the cached copy of the executable first, then rename the actual executable, and then kill the process.  When the relaunch finds the executable missing, Windows File Protection looks for it in dllcache; since it's now missing from the cache too, it can't restore it, and you can manually remove the malware files attached to the process.  Two caveats.  Do not try this without knowing what that svchost instance hosts: each svchost runs a group of services, and on a Terminal Services server one of them is TermService itself, so killing the wrong instance drops your own session or the server's networking.  And the dllcache trick only applies to XP and 2003; from Vista onward there is no dllcache, system files live under WinSxS and are owned by TrustedInstaller, so the better move is to identify and disable the one service or DLL the malware slipped into the svchost group rather than fighting the host executable.  In either case, be sure to rename both the original executable and the cached copy back when you're done, or you may end up with even worse problems down the road!
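Before renaming svchost.exe and its cached copy, it is worth finding out what the suspect svchost instance actually hosts and which loaded module does not belong, so that only that service gets disabled. The following is an added example, not the original post's procedure: it reads the hosted services and their ServiceDll registry values, flags modules loaded from outside %SystemRoot% or with an odd extension, and warns if the instance is the one carrying TermService. The PID is an assumption taken from Process Explorer; it needs an elevated, 64-bit PowerShell 3.0 or later.

```powershell
# Added example, not code from the original post. Assumptions: the PID comes
# from Process Explorer; the "normal" extension list below. Run from an elevated,
# 64-bit PowerShell 3.0+.

function Get-SvchostSuspects {
    param([Parameter(Mandatory)][int] $SuspectPid)

    $proc = Get-Process -Id $SuspectPid -ErrorAction Stop
    if ($proc.ProcessName -ne 'svchost') {
        Write-Warning "PID $SuspectPid is $($proc.ProcessName), not svchost"
    }

    # Every service running inside this instance, with the DLL the Service Control
    # Manager loads for it (Services\<name>\Parameters\ServiceDll).
    $hosted = Get-CimInstance Win32_Service -Filter "ProcessId = $SuspectPid" | ForEach-Object {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)\Parameters"
        [pscustomobject]@{
            Name       = $_.Name
            StartMode  = $_.StartMode
            ServiceDll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        }
    }
    if ($hosted.Name -contains 'TermService') {
        Write-Warning "This instance hosts TermService: killing it ends every RDP session, including yours"
    }

    # Modules loaded from outside %SystemRoot%, or with an odd extension, are the candidates.
    $winDir = $env:SystemRoot
    $odd = $proc.Modules | Where-Object {
        $p = $_.FileName
        $p -and ( -not $p.StartsWith($winDir, 'OrdinalIgnoreCase') -or
                  ([IO.Path]::GetExtension($p).ToLowerInvariant() -notin '.dll', '.exe', '.drv', '.ocx', '.mui') )
    } | Select-Object ModuleName, FileName

    [pscustomobject]@{ Services = $hosted; SuspectModules = $odd }
}

function Disable-HostedService {
    param([Parameter(Mandatory)][string] $Name)
    # Set Disabled first so the Service Control Manager will not bring it back,
    # then stop it; the rest of the svchost group keeps running.
    Set-Service -Name $Name -StartupType Disabled
    Stop-Service -Name $Name -Force -ErrorAction Continue
    Get-CimInstance Win32_Service -Filter "Name = '$Name'" | Select-Object Name, State, StartMode
}

# Usage (PID and service name are placeholders):
# $r = Get-SvchostSuspects -SuspectPid 1040
# $r.Services | Format-Table -AutoSize
# $r.SuspectModules | Format-Table -AutoSize
# Disable-HostedService -Name '<service whose ServiceDll points at the suspect module>'
```

Match the ServiceDll column against the SuspectModules list: a service whose DLL sits outside %SystemRoot%, or whose Parameters key has no ServiceDll at all but still loads code from a temp folder, is the one to disable. Once the offending service is disabled, the remaining svchost.exe is the genuine one and nothing needs renaming in dllcache.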

