Virus Trouble Shooting Tips

This is a collection of techniques I use to trouble shoot suspected viruses.

Basically, this is a summary of troubleshooting techniques and registry locations on my other pages.

Once you locate a likely candidate, comment it out - if the key is automatically recreated, then it is usually a virus. (Some antivirus programs may also recreate "missing" keys.)

I've tried to be complete, but remember - most registry entries can occur in both HKCU and HKLM - be sure to check both when either is specified.

Startup | Run / RunOnce | Safe Mode Infector | IE Defaults | Browser Helper Objects
Tools - AgentRansack RegMon FileMon Process Explorer
Domain Names and Related Tools - ping, tracert, and nslookup Web Based DNS Tools whois

Programs run at Startup

In Windows, there are many places that programs are listed so that they will start automatically when windows starts. Just to keep it interesting, each version of Windows uses different places to hide this info.

In Windows XP, the StartUp menu is located at

but that can be changed by modifying the registry.

To see running services, use

Fake device drivers can be used to hide viruses.

win.ini and system.ini (in the Windows directory) can be used to start a virus.

Run / RunOnce

The registry provides a number of keys to define which programs are run when Windows starts. These programs are not run when starting in Safe Mode.

Examples of Infected Values

No valid program modifies the registry in this way If the program name appears to be just random letters, search google and see if it is legitimate. If the name is not found, it is probably a virus ... or custom software created for your company. (Used by the Aurora virus.)

I have never seen rundll32.exe in a valid Run or RunOnce key. In this case (WinFixer),

(Used by the Aurora virus.)

Safe Mode Infector

This key is executed each time Windows starts ... even in Safe Mode

Example of an Infected Value

Used by the Aurora virus.

Safe Mode Infector 2

The dll's listed in the Notify keys are executed each time Windows starts ... even in Safe Mode I have seen 4 to 10 valid entries in this section.

Example of an Infected Value

Notice that there is no difference between infected and normal entries ... you must search the internet for the dll names to determine which are which.

Used by the SystemDoctor/vacac.dll virus.

IE Defaults

Examples of Infected Values

Browser Helper Objects

This is a common IE backdoor to run programs - some are legitimate, others are not. A list of valid CLSID's is not enough since new ones are created for each valid program you might want on your system.

The procedure is to manually check out each CLSID.

Another approach is to comment them all out and see which ones recreate themselves ... those are usually the bad guys.


To debug new viruses, I find these tools valuable


If you ever search your hard drive for files, you should have this application. The Windows Explorer search function is worthless, I have documented several instances where it simply lies.

Once it is installed, in Windows Explorer right click and select AgentRansack from the menu.


The first step with most parasites is to run RegMon. This cycle was repeated about every 3 seconds. (I've added spaces in the trace below to make it easier to read.)

Rundll32:FFFECA37 is very unusual in a RegMon trace. In this case, it was the WinFixer virus. Both the RunOnce and Browser Helper Objects keys pointed to files that had to be deleted.


Unusual file activity generally indicates a virus. On many machines, you can actually hear the hard drive running way too often. Frequently, this activity will significantly slow down your system.

FileMon will identify which program is using the hard drive.

Because the Aurora virus read the registry and wrote the data to a cookie - FileMon was useful in identifying it and evaluating the risk.

Process Explorer

This program allows you to stop programs that the Windows Task Manager is not able to stop. It also provides much more information ... including which registry keys are currently open.

In some cases (specifically winlogon.exe and explorer.exe), this program will allow you to stop specific threads without actually stopping the program.

Windows Recovery Console

The overclockersclub explains how to use the recovery console to remove files. Note: I do NOT suggest disabling System File Checker, this is just a reference on how to use the Recovery Console.

Domain Names and Related Tools

To host a web site under your own name, you
  1. Purchase a Domain Name from a "registrar"
  2. Rent web space from an ISP
  3. Associate your Domain Name with the IP address provided by the ISP
When a user tries to access your web page Note: All internet access is by IP address - DNS allows one or more registered names to be associated with a given address. In that case, the ISP provides additional DNS type resolution to keep the sites separate. Frequently, a single IP address is used by several related parasites.

Given a URL, I use several methods to determine the associated IP address

The has been useful in identifying families of parasites owned by a single person - such as winfixer, errorsafe, winantivirus, and the like - all associated with WinSoftware Ltd.

ping, tracert, and nslookup

ping, tracert, and nslookup are MS Windows programs available via a command prompt, available via All 3 programs will accept a Domain Name and provide DNS Lookup to determine (and display) the associated IP address.

This trace (from my SystemDoctor page) was made 11-09-06 (reformatted to be more readable)

Notice that the IP address for resolves (via reverse DNS) to

Also notice that shawcable and provide the actual access. Additional research on those names indicates that the physical server is located in Canada.

Web Based DNS Tools

Files on your machine can be used to provide Domain Name/IP address associations - you can use these to block adware, spam, and many parasites. In fact, there are a number of anti-parasite programs and techniques that work by using this method to always return the LocalHost IP address ( when your computer tries to reach one of the known parasites.

However, sometimes it is useful to bypass local blocks and see what other people get for a specific Domain Name. To do this, I use web based DNS Lookup and Reverse DNS tools.

Specifically, in April 2007, was returning the LocalHost IP address ( when using ping, tracert, and nslookup. In order to determine if this was caused by something on my machine, or if it was real, I used a web based solution - NSLookup.

This proved that it wasn't just my machine. However, there is no data about who might have removed this from the web.

This was interesting, using another web based tool, winfixer apparently has its own name server ... and that server returns

Besides ping and tracert, provides Geolocation by IP Address to find the city and country of an IP - pretty cool.


When a Domain Name is *registered*, the owner and billing information is collected - whois is the generic name of programs used to provide that information.

Just search the internet for *whois* and use one of the free programs. The available whois sites change so often it is hard to give a good recommendation. I normally have to use several sites to get all the information I want about a single Domain Name.

Unfortunately, there is no way to keep people from providing false information when they register a Domain Name - as a result, obviously fake information is one indication of a parasite.

Author: Robert Clemenzi
URL: http:// / Parasites / TroubleShootingTips.html