Posted

Although it's one hour long and I've watched that video before, I will say it is very worthwhile if you want to improve your skills in manually troubleshooting problems.

For virus or rootkit type infections I always reformat, because you cannot trust your system after that point. Your antivirus might become ineffective and may also lie to the user and insist nothing is wrong. You would need to mount the disk offline, so it's deactivated, and then scan it in a secure environment like a PE ramdisk. There is also the possibility that your infection is unique and no antivirus knows about it, or, if they do, that they won't completely remove it.

Virtually all system files that ship with Windows are signed and protected by 'Windows File Protection' in XP, or 'Windows Resource Protection' in Vista. You can check those signatures by using SFC. You can also run sigverif to check the signatures of 3rd party drivers. In Vista, WFP uses ACLs, which allows the protection to be controlled on each object individually; WFP also protects certain areas of the Registry, and the Administrators group is not the owner of system files anymore either.

Some drivers will have signatures, some will not. You can usually tell if they don't because there won't be a CAT (Security Catalog) file and/or you will get a popup warning when you try to install it, although that warning message can be disabled globally. Vista x64 requires a boot option to disable integrity checks, and this was just removed with SP1, so you must use the F8 key to manually allow unsigned drivers each time you boot Windows.

As for a standard set of drivers to boot with, that is Safe Mode. The problem is, on an infected system even those few drivers and system files that are loaded might have been modified. But if there is a problem with other drivers or files, then Safe Mode is useful.

If you use imaging software like Acronis True Image you can selectively restore files and folders from a disk image. By just restoring the registry (system32/config) you might be able to deactivate a virus that has to be loaded each time Windows boots and keep your programs and user data intact; the problem is you're losing user and program settings, and again Windows itself might be corrupt. You can also restore the entire Windows folder, but then you might be missing some libraries and drivers.

The trick is to keep the OS on a separate partition from the programs and user data, so restoring Windows is not a big deal; it also keeps the image file size small and the process fast.
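The post above points at SFC and sigverif for checking signatures. The script below is an added example (PowerShell, not from the post or from any Microsoft tool) that does the same inventory for kernel drivers in a way that can be saved and compared later: it records each driver's Authenticode status, signature type, signer and SHA-256 hash, and lists anything that is not Valid. It assumes Windows PowerShell 5.1 or later (so that catalog-signed in-box drivers are recognised and `SignatureType`/`IsOSBinary` are populated) and an elevated prompt; `$DriverDir` and `$ReportCsv` are hypothetical parameters with defaults pointing at the running system.

```powershell
# Added example: inventory driver signatures and flag unsigned or tampered files.
# Assumes Windows PowerShell 5.1+ and administrator rights. $DriverDir / $ReportCsv
# are hypothetical parameters; point $DriverDir at a mounted offline volume
# (e.g. 'E:\Windows\System32\drivers' from a PE environment) to follow the post's
# advice of not trusting the live system.
param(
    [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'),
    [string]$ReportCsv = (Join-Path $env:TEMP 'driver-signatures.csv')
)

$results = Get-ChildItem -Path $DriverDir -Filter '*.sys' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File          = $_.FullName
            Status        = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
            SignatureType = $sig.SignatureType   # Authenticode (embedded) or Catalog (PS 5.1+)
            IsOSBinary    = $sig.IsOSBinary      # $true for Microsoft-signed OS components (PS 5.1+)
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Sha256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Keep the full inventory; a later run can be diffed against it.
$results | Export-Csv -Path $ReportCsv -NoTypeInformation -Encoding UTF8

# Anything that is not Valid deserves a look. HashMismatch is the telling case:
# the file carries a signature but its bytes no longer match it, which is what a
# patched system file looks like. NotSigned on an in-box driver is also suspicious.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' }
$suspect | Sort-Object Status | Format-Table Status, SignatureType, Signer, File -AutoSize

# Cross-check with the built-in tool the post mentions (Vista and later):
# sfc /verifyonly reports protected files that fail verification without repairing them.
& "$env:SystemRoot\System32\sfc.exe" /verifyonly
```

Two caveats when the folder scanned is an offline disk rather than the running system: catalog-signed files are verified against the running system's catalog database (the CatRoot folders), so drivers from a different Windows build can legitimately show `NotSigned`; and SFC only checks the system it is running on. For an offline image, the hash column compared against a known-good inventory from a clean install of the same build is the more reliable signal.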

  • 4 weeks later...

Posted (edited)

The differences between windows folders on the same machine are:

Windows\system32\WPA.DBL

one moved 01 within Windows\bootstat.dat

*.PNF files in Windows\inf\*.* (you can delete these; I think they get recreated)

Windows\Registration\*.*

Windows\repair\*.*

Windows\security\Database\secedit.sdb

Windows\security\templates\setup security.inf (small difference)

Windows\system32\CatRoot\{number}\TimeStamp (2 files)

Windows\system32\CatRoot2\{number}\catdb (2 files)

Windows\system32\CatRoot2\{number}\TimeStamp (2 files)

Windows\config\*.*

Please double check for me as I'm not completely sure! On different machines, there are probably more files.

Edited by mraeryceos
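A list like the one above is easiest to double-check by hashing two Windows trees and reporting what differs. The script below is an added example (PowerShell, not from the post) that does exactly that: it hashes every file under a reference tree and a suspect tree, skips a few directories that are expected to churn, and reports paths that are modified or present on only one side. It assumes PowerShell 4.0 or later for `Get-FileHash`, that both trees are mounted (ideally read-only, from a PE environment or a restored image), and the paths and `$IgnoreDirs` defaults are hypothetical.

```powershell
# Added example: diff two Windows directory trees by SHA-256 and list the differences.
# Assumes PowerShell 4.0+ (Get-FileHash). $Reference / $Suspect are hypothetical
# parameters, e.g. 'D:\Windows' (known-good image) and 'E:\Windows' (disk under test).
param(
    [Parameter(Mandatory)][string]$Reference,
    [Parameter(Mandatory)][string]$Suspect,
    # Directories that change on every boot and would drown the report; adjust as needed.
    [string[]]$IgnoreDirs = @('Temp', 'Prefetch', 'SoftwareDistribution', 'Logs')
)

function Get-TreeHashes {
    # Returns a hashtable of relative path -> SHA-256 for every file under $Root.
    param([string]$Root)
    $table = @{}
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
            # Skip anything under an ignored top-level directory.
            if ($IgnoreDirs | Where-Object { $rel -like "$_\*" }) { return }
            try {
                $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                # Locked files (e.g. registry hives under system32\config on a live system).
                $table[$rel] = 'UNREADABLE'
            }
        }
    return $table
}

$ref = Get-TreeHashes -Root $Reference
$sus = Get-TreeHashes -Root $Suspect

# Walk the union of both path sets and classify each entry.
$allPaths = @($ref.Keys) + @($sus.Keys) | Sort-Object -Unique
$report = foreach ($rel in $allPaths) {
    $state = if (-not $ref.ContainsKey($rel))     { 'OnlyInSuspect' }
             elseif (-not $sus.ContainsKey($rel)) { 'OnlyInReference' }
             elseif ($ref[$rel] -ne $sus[$rel])   { 'Modified' }
             else                                 { $null }
    if ($state) { [pscustomobject]@{ State = $state; Path = $rel } }
}

$report | Sort-Object State, Path | Format-Table -AutoSize
```

The output does not by itself separate benign churn (timestamps in the CatRoot folders, WPA.DBL, bootstat.dat) from tampering; its value is that every difference is listed, so the expected ones can be ruled out and whatever remains, especially under system32 or the drivers folder, gets attention.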
