Removing malware with strong self-protection

Hi. I recall doing some tests in a virtual environment, and I stumbled upon
a piece of malware with a random name (an executable). I tried removing it, but I couldn't. I couldn't
even terminate the process.

After some thought I had a hunch, so I went to see the drivers active on my system. And
there it was: the driver with the same random name was there and active.

So what the malware had been doing was the same as what antiviruses do today:
employing a form of process self-protection. The problem was that this protection was very strong.

The driver was being loaded in safe mode as well, so I couldn’t remove it.

Even third party dedicated virus removal tools didn’t work.

So, is there any way to unhook these persistent threats and remove them?

I reckon that a separate Linux live environment or a rescue disk would be able
to do that, but I am not sure.

Were you using CIS? If so, it should have alerted you to an unknown executable trying to install a driver (if you were using HIPS); otherwise the sandbox should have blocked it.

Anyway, you could perhaps use a more specific rootkit scanner like TDSSKiller or similar. A Linux live environment would probably work as well.

I usually do this inside a virtual environment, for testing purposes.

That is where I observed this behaviour. But the machine was compromised later on,
so I couldn't get hold of the sample.

However, I wasn't aware that hooks could go so deep into the OS; not even
antiviruses employ such aggressive self-protection.


You should look at your services; there has to be a service that is running that file (otherwise it couldn't load in Safe Mode). You have to stop and delete the service. Then you download Unlocker (Unlocker 1.9.2 by Cedrick 'Nitch' Collomb). When installing it, make sure you do a custom install so you don't get the "bloatware". After the install you delete the virus file; Unlocker will kill any process that is preventing you from deleting it. Then you check your "Autorun" folder, because sometimes there is a copy of the file under a different name. After that you go to the registry (regedit) and go to:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

and delete any trace of it from there. Then you go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and check if there is any trace of it there. After you are done, delete the "temp" folder, Users\username\AppData\Local\Temp.

After that you reboot and you should be virus free. To be sure, you should install CIS (clean install) and run a scan; you should also run HijackThis and at least Spybot Search and Destroy...



EDIT: Just out of curiosity, are you using x86 or x64 Windows? If x64, things get really interesting. Since Vista, x64 drivers have to be signed by MS in order to get installed (you can disable that, but I assume you didn't), so it would be interesting how the virus author got the driver signed or how he was able to bypass the security...
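The cleanup sequence in the post above (stop and delete the service, delete the file, clear the Run key and the Services key, sweep the Temp folder), written out as an added PowerShell example. This is not code from the thread or from any of the tools mentioned. It assumes the executable and its driver share the random name held in $Target ('xkqzv' is a hypothetical placeholder) and that it is run from an elevated prompt; the Safe Mode check uses the SafeBoot registry keys, which is where Windows lists the services and drivers allowed to load in Safe Mode.

```powershell
# Added example, not code from the original thread: automate the cleanup sequence the post
# above describes (stop and delete the service, delete the file, clear Run-key and Services
# entries, sweep %TEMP%). Run from an elevated PowerShell prompt.
# Assumptions: the executable and its driver share the random name held in $Target
# ('xkqzv' is a hypothetical placeholder). If the driver's self-protection returns
# "Access denied" on the stop or delete steps, repeat the file and registry cleanup from
# an offline environment (rescue disk / Linux live CD) where the driver is not running.
$Target = 'xkqzv'

# 1. Find every service and kernel driver whose name or image path contains the target.
$svc = Get-CimInstance Win32_Service      | Where-Object { $_.Name -like "*$Target*" -or $_.PathName -like "*$Target*" }
$drv = Get-CimInstance Win32_SystemDriver | Where-Object { $_.Name -like "*$Target*" -or $_.PathName -like "*$Target*" }
$found = @($svc) + @($drv)
$found | Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize

# Record the image paths now, before the registrations are deleted. Strip quotes and
# arguments and turn the NT-style paths the service database stores into Win32 paths.
$files = @(foreach ($e in $found) {
    $p = if ($e.PathName -match '^"([^"]+)"') { $matches[1] } else { ($e.PathName -split ' -| /')[0] }
    $p -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^System32\\', "$env:SystemRoot\System32\"
}) | Sort-Object -Unique

# 2. A service or driver that also loads in Safe Mode is listed under the SafeBoot keys;
#    remove it there so it no longer comes up in Safe Mode either.
foreach ($n in $found.Name) {
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$n"
        if (Test-Path $key) { Write-Host "Removing Safe Mode entry $key"; Remove-Item $key -Recurse -Force }
    }
}

# 3. Stop and delete the registrations. sc.exe delete marks a still-loaded driver for
#    removal at the next reboot.
foreach ($n in $found.Name) {
    sc.exe stop   $n | Out-Null
    sc.exe delete $n
}

# 4. Delete the binaries. This is the step a self-protecting driver blocks; the catch
#    reports the failure instead of aborting the rest of the cleanup.
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        try { Remove-Item -LiteralPath $f -Force -ErrorAction Stop; Write-Host "Deleted $f" }
        catch { Write-Warning "Could not delete ${f}: $($_.Exception.Message)" }
    }
}

# 5. Remove Run-key values (machine and user hives) whose command line references the target.
foreach ($run in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -like "*$Target*" } |
            ForEach-Object { Write-Host "Removing $run\$($_.Name)"; Remove-ItemProperty -Path $run -Name $_.Name }
    }
}

# 6. Leftovers: Services subkeys and files in %TEMP% that still carry the name.
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services | Where-Object { $_.PSChildName -like "*$Target*" }
Get-ChildItem -Path $env:TEMP -Recurse -Force -ErrorAction SilentlyContinue | Where-Object { $_.Name -like "*$Target*" }
```

The order matters: the SafeBoot and service entries are captured and removed before the file, because once the service registration is gone its image path is no longer recoverable from the service database. When step 4 fails with an access-denied error, the driver's self-protection is still active; rebooting into an offline environment and deleting the files and registry entries from there is what the earlier replies in the thread suggest.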

I am running 64-bit Windows 10.

But as far as I know, 64-bit is not more secure now than the 32-bit architecture (it used to be, but vulnerabilities/exploits
have been found over time).

So, in my opinion, nothing is secure online anymore.


Safe on the Internet? There is no safety on the Internet; you can "feel safe" or "safer" with tools, VPNs and so on, but you are not really safe. Just my opinion. 32- and 64-bit are almost the same, but in 64-bit Windows there is the driver signature: every driver has to go to MS and get signed in order to install it under 64-bit Windows. You can disable that (reboot, F8, Repair, disable driver signature, as far as I remember) if you have a driver from someone who can't afford the signing process with MS. So it would be interesting how the virus could install a driver on 64-bit Windows. Off the top of my head I can think of three possibilities: the user turned driver signing off; the virus author found a way to automatically disable it (there was a "bug" which allowed that, but on Win 7, and it got fixed fast); and the third possibility, the worst one, is that the virus author somehow got his hands on the MS certificate and signed it himself, which would mean that no 64-bit installation is safe anymore until the certificate gets revoked...
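The three possibilities in the reply above (enforcement switched off, enforcement bypassed, a misused signing certificate) can each be checked on the affected machine. The following is an added PowerShell example, not code from the thread: it reads the boot store for the two settings that relax driver signature enforcement and lists every running kernel driver with its Authenticode status and signer. It assumes the driver's name is unknown, so every running driver is inspected, and that it is run elevated.

```powershell
# Added example, not code from the original thread: check how a driver could be running
# on 64-bit Windows. It reports whether signature enforcement is relaxed in the boot store
# and lists every running kernel driver with its Authenticode status and signer, so an
# unsigned driver or an unexpected signer stands out. Run elevated.
# Assumption: the driver's name is unknown, so all running drivers are inspected.

# 1. Boot-store settings that weaken enforcement (both absent in a default install).
$bcd = bcdedit /enum "{current}" 2>$null
$testSigning      = [bool]($bcd | Select-String -Pattern '^testsigning\s+Yes' -Quiet)
$noIntegrityCheck = [bool]($bcd | Select-String -Pattern '^nointegritychecks\s+Yes' -Quiet)
"testsigning = $testSigning; nointegritychecks = $noIntegrityCheck"

# 2. Running drivers with their image path, signature status and signer subject.
$report = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' } | ForEach-Object {
    # Turn the NT-style paths stored in the service database into Win32 paths.
    $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\" -replace '^System32\\', "$env:SystemRoot\System32\"
    $sig = if ($path -and (Test-Path -LiteralPath $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    [pscustomobject]@{
        Name      = $_.Name
        StartMode = $_.StartMode
        Status    = if ($sig) { [string]$sig.Status } else { 'FileNotFound' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Path      = $path
    }
}

# 3. Triage view: anything whose status is not Valid is listed first. On an x64 install
#    with enforcement on, an unsigned running driver means enforcement was bypassed or
#    turned off; a Valid signature under a subject you do not recognise is the misused-
#    certificate case. Catalog-signed inbox drivers can show NotSigned on older PowerShell
#    versions, so confirm with 'driverquery /si' before drawing conclusions.
$report | Sort-Object @{ Expression = { $_.Status -eq 'Valid' } }, Name |
    Format-Table Name, StartMode, Status, Signer, Path -AutoSize -Wrap
```

Read the two outputs together: if testsigning or nointegritychecks is Yes, the first possibility (enforcement turned off, by the user or by the malware) is the likely one; if both are No and an unsigned driver is nonetheless running, something bypassed the check; and a driver that passes as Valid under a certificate that does not belong on the system points at the third case, where revoking that certificate is the only durable fix.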