- Feb 22, 2007
- 16,240
- 7
- 76
I had to talk a friend through finding rogue malware when AV doesn't work so figured I would post it here as well.
Sometimes AV or anti-malware applications do not detect infected systems. When that happens you can have things like keyloggers, URL redirection, and other problems occurring and sometimes without even knowing it is going on .
A free way to find these is with a network monitor. Netmon is free from MS and works on all their OS.
Download network monitor
http://www.microsoft.com/downloads/...FamilyID=983b941d-06cb-4658-b7f6-3088333d062f
Click new capture
Under select networks , select just the adapter that connects to the internet
Click the start button on the menu
This will show all your network traffic.
Try not to run any programs that use a internet connection as it generates lots of extra traffic making it harder to locate the problem. Let it run for about 15 minutes. Start by looking for lines that have DNS under the protocol name. Most programs that need to access the internet will do a DNS query before they make the connection. All programs do not do this, some use ip addresses in the software but that is rare.
A DNS query will look like this:
If you see DNS queries to sites you do not recognize that is a good indicator the system is infected.
In the left pane under the title 'network conversations' is a list of the applications making connections.
Make sure the programs listed are ones you want to have internet access. You can click on each program and it will isolate the results for just that program in the capture window.
Malware will most likely show up under the unknown category.
The great thing about using something like netmon is that you can see what the actual data of the packet contains. If you think it is malware sending personal information you can look at the packet and see exactly what it was sending. It is nice to be able to run AV programs and remove infections but it is even better if before you remove them you can see what they were up to before removal. For me just removing an infection is like putting locks on your home after you have already been robbed and never checking the home for what was stolen. I like knowing what something was doing on my system and what it accessed.
Clicking one of the suspected packets and looking at its content in the lower right panel I see:
In another packet I see:
So something is either trying to install a SQLite related program or corrupt one already installed.
I can now remove the malware or at least have a better idea of what it was doing while it was running on the system. Often the packet data will look like garbage, but usually you can read a word every now and then to get an idea on what that malware is doing.
Good Luck !
Sometimes AV or anti-malware applications do not detect infected systems. When that happens you can have things like keyloggers, URL redirection, and other problems occurring and sometimes without even knowing it is going on .
A free way to find these is with a network monitor. Netmon is free from MS and works on all their OS.
Download network monitor
http://www.microsoft.com/downloads/...FamilyID=983b941d-06cb-4658-b7f6-3088333d062f
Click new capture
Under select networks , select just the adapter that connects to the internet
Click the start button on the menu
This will show all your network traffic.
Try not to run any programs that use a internet connection as it generates lots of extra traffic making it harder to locate the problem. Let it run for about 15 minutes. Start by looking for lines that have DNS under the protocol name. Most programs that need to access the internet will do a DNS query before they make the connection. All programs do not do this, some use ip addresses in the software but that is rare.
A DNS query will look like this:
If you see DNS queries to sites you do not recognize that is a good indicator the system is infected.
In the left pane under the title 'network conversations' is a list of the applications making connections.
Make sure the programs listed are ones you want to have internet access. You can click on each program and it will isolate the results for just that program in the capture window.
Malware will most likely show up under the unknown category.
The great thing about using something like netmon is that you can see what the actual data of the packet contains. If you think it is malware sending personal information you can look at the packet and see exactly what it was sending. It is nice to be able to run AV programs and remove infections but it is even better if before you remove them you can see what they were up to before removal. For me just removing an infection is like putting locks on your home after you have already been robbed and never checking the home for what was stolen. I like knowing what something was doing on my system and what it accessed.
Clicking one of the suspected packets and looking at its content in the lower right panel I see:
In another packet I see:
So something is either trying to install a SQLite related program or corrupt one already installed.
I can now remove the malware or at least have a better idea of what it was doing while it was running on the system. Often the packet data will look like garbage, but usually you can read a word every now and then to get an idea on what that malware is doing.
Good Luck !
Facebook
Twitter