1

Let's say I was going to do a full system scan but I want to specify the scanner to look into certain directories.

What are those directories for Windows XP, Vista, and 7?

I know the common one is /System32 but what are all the places malware could reside in?

2
  • Entries in the registry are relevant to how malware installs itself, and far more relevant if you're asking about where.
    – barlop
    Commented Jan 24, 2011 at 23:59
  • 1
    I'm surprised that somebody with 1600 rep still starts a question saying "Hello" and writes "Thanks" at the end
    – barlop
    Commented Jan 25, 2011 at 0:00

4 Answers

2

It could reside anywhere if the program which planted it was run under an administrative account and granted permissions. Typically you will also find malware in temp folders (e.g. the IE cache), as some are guaranteed to be writeable by default, even for standard users -- a perfect breeding ground for malware.

6
  • Yup. I'd like to add that I've found malware hiding in all sorts of unexpected places, so the best thing to do is run a full scan and bear with it.
    – user3463
    Commented Jan 24, 2011 at 23:46
  • Ok, that makes sense, but what are the common directories (specifically)?
    – ctzdev
    Commented Jan 24, 2011 at 23:46
  • 1
    Temp folders and C:\Windows (and subfolders) would be my best guess. C:\Program Files is notorious too. Like Randolph said, a full system scan is always good -- better safe than sorry. A good place to ask would be a popular AV's forums (e.g. symantec forums).
    – user1931
    Commented Jan 24, 2011 at 23:48
  • Thanks, but you know there are those very, very pesky customers who want their computer NOW, and a full system scan is not really an option. I would know because I have tried to convince them countless times with no luck.
    – ctzdev
    Commented Jan 24, 2011 at 23:55
  • @ct6116 that's why most AVs have a "quick scan" option; they will do the dirty work for you. Personally, from a customer perspective, I would feel safer if the tech spent an extra hour or 2 with my computer rather than 10 minutes, wouldn't you? Try explaining that it is beneficial to them unless they want to be returning their PC again soon.
    – user1931
    Commented Jan 24, 2011 at 23:58
2

The most effective second-stage malware, or the ones that cause the most symptoms, are rootkits - kernel-mode drivers - so they're usually hidden in "c:\windows\system32\drivers" or infect the MBR. Use Autoruns to identify them. Often their initial payloads are deployed to Temporary Internet Files or hidden user directories. Knowing these directories usually doesn't even matter once the system is infected, because they are controlled by the rootkit, and even if you did manage to delete them they would be quickly rewritten elsewhere. I've yet to find effective anti-virus software for removal, so I use a combo platter: start with a solid cleanup or cleaner; run ComboFix from the admin profile in Safe Mode (run as Administrator); and then use Sysinternals tools to nitpick out any stragglers.

1
  • Thanks for the answer. I ran Kaspersky Rescue Disk and removed a lot of malware, thinking the system was cleaned out, but when I logged back in it was still loaded with popups and rogues. Then I was able to run ComboFix, which deleted 99% of everything, but IE was still being redirected on Google searches, so I ran SuperantiSpyware, which closed the deal.
    – ctzdev
    Commented Jan 29, 2011 at 18:06
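The two answers above name the same handful of places (the drivers folder, the Windows and per-user temp folders, the IE cache, Program Files, and the autorun registry keys that Autoruns walks). The script below is an added example, not code from any answer on this page: it walks those locations, lists executable files that were written recently and do not carry a valid Authenticode signature, and then dumps the Run/RunOnce keys and the registered kernel drivers so an entry that points into a temp folder stands out. It assumes Windows PowerShell 2.0 or later on Vista/7 (XP needs PowerShell installed separately), an elevated prompt so protected folders are readable, and that a 7-day look-back (the `$days` value) is a reasonable window; the folder list and extension list are the example's own choices and can be extended.

```powershell
# Added triage example (not from any answer on the page). Assumes PS 2.0+,
# run elevated. $days is an assumption: set it to when the symptoms began.
$days   = 7
$cutoff = (Get-Date).AddDays(-$days)

# System-wide folders the answers name.
$systemPaths = @(
    "$env:SystemRoot\System32\drivers",
    "$env:SystemRoot\Temp",
    "$env:ProgramFiles"
)
# Per-profile folders; both the XP and the Vista/7 layouts are listed so the
# same script works on either, and missing ones are skipped.
$profilePaths = @(
    'AppData\Local\Temp',                                        # Vista/7 temp
    'Local Settings\Temp',                                       # XP temp
    'AppData\Local\Microsoft\Windows\Temporary Internet Files',  # Vista/7 IE cache
    'Local Settings\Temporary Internet Files',                   # XP IE cache
    'Documents',                                                 # Vista/7
    'My Documents'                                               # XP
)
$profileRoot = Split-Path $env:USERPROFILE -Parent
$paths = @() + $systemPaths
foreach ($profile in Get-ChildItem $profileRoot -ErrorAction SilentlyContinue) {
    foreach ($rel in $profilePaths) {
        $paths += Join-Path $profile.FullName $rel
    }
}

# Only executable-type files are checked; data files are left alone.
$exts = '.exe', '.dll', '.sys', '.scr', '.com', '.pif'

$findings = foreach ($p in $paths) {
    if (-not (Test-Path $p)) { continue }
    Get-ChildItem -Path $p -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $exts -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature $_.FullName
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Modified  = $_.LastWriteTime
                Recent    = ($_.LastWriteTime -gt $cutoff)
                Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Recently written AND not validly signed: the files to look at first.
"== Recent, unsigned or tampered executables =="
$findings |
    Where-Object { $_.Recent -and $_.Signature -ne 'Valid' } |
    Sort-Object Modified -Descending |
    Format-Table Modified, Signature, Path -AutoSize

# Autorun keys (a subset of what Autoruns enumerates). A value whose path
# lands in a temp folder or a user profile is the classic tell.
"== Run / RunOnce entries =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    (Get-ItemProperty $k).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "{0}  {1} = {2}" -f $k, $_.Name, $_.Value }
}

# Kernel-mode drivers registered as services (Type 1 = kernel driver,
# Type 2 = file system driver). Compare ImagePath against the drivers
# folder listing above; a driver that lives elsewhere deserves a look.
"== Registered kernel drivers =="
Get-ChildItem HKLM:\SYSTEM\CurrentControlSet\Services |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { ($_.Type -eq 1 -or $_.Type -eq 2) -and $_.ImagePath } |
    Select-Object PSChildName, ImagePath, Start |
    Sort-Object PSChildName |
    Format-Table -AutoSize
```

An unsigned file in a temp folder is not proof of infection (plenty of legitimate installers drop unsigned helpers there), and a rootkit that is already loaded can hide its files from this listing just as the answer warns, so treat the output as a shortlist for the tools the answers recommend rather than a verdict.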
1

Malware could be anywhere. From personal experience, I've usually found them in the Program Files folder. If it's a huge worry, you might want to run a scan once every few days. I highly recommend Microsoft Security Essentials: http://www.microsoft.com/security_essentials/

1

I commonly find them in the user account's Documents and Temp folders, and in the IE Temporary Internet Files folder.
