Posts Tagged ‘Autoruns’
Posted by William Diaz on June 5, 2012
I was recently given a netbook to look at after it had been hit by some malware. The malware executable had already been removed, but it left a few common system utilities, such as Task Manager and the Registry Editor, in a non-working state. Popular anti-malware and anti-virus utilities were also unable to run. For example, trying to run taskmgr.exe or regedit produced the following error: “Windows cannot find ‘C:\Windows\system32\taskmgr.exe’…”
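The excerpt above does not say which persistence trick produced the “Windows cannot find” error, so the cause is not stated on this page. One common way for malware to make an existing executable fail like that is an Image File Execution Options (IFEO) “Debugger” value, which is exactly what Autoruns lists on its Image Hijacks tab. The script below is an added example, not code from the original post: it enumerates IFEO Debugger entries and flags those whose debugger image does not exist or is not on an allow-list. The allow-list in $knownDebuggers is an assumption and should be adjusted for your environment; run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original post. Lists Image File Execution
# Options (IFEO) "Debugger" entries, the hijack Autoruns shows on its Image Hijacks
# tab, and flags the ones that do not point at a real, known debugger.
# Assumptions: elevated PowerShell prompt; $knownDebuggers is an assumed allow-list.

$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$knownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'ntsd.exe', 'cdb.exe', 'drwtsn32.exe')

function Get-IfeoDebuggerEntry {
    Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props.Debugger) { return }   # key without a Debugger value (e.g. GlobalFlag only)

        # Debugger is a command line; the first token is the image that actually runs.
        $cmd = $props.Debugger.Trim()
        if ($cmd.StartsWith('"') -and $cmd.IndexOf('"', 1) -gt 0) {
            $image = $cmd.Substring(1, $cmd.IndexOf('"', 1) - 1)   # quoted path, may contain spaces
        } else {
            $image = ($cmd -split '\s+')[0].Trim('"')
        }

        # A bare name is resolved through PATH, just as CreateProcess would do.
        if ([System.IO.Path]::IsPathRooted($image)) {
            $exists = Test-Path -Path $image
        } else {
            $exists = [bool](Get-Command -Name $image -ErrorAction SilentlyContinue)
        }
        $leaf = (Split-Path -Path $image -Leaf).ToLower()

        New-Object PSObject -Property @{
            Target      = $_.PSChildName          # the program being redirected, e.g. taskmgr.exe
            Debugger    = $props.Debugger
            ImageExists = $exists
            Suspicious  = (-not $exists) -or ($knownDebuggers -notcontains $leaf)
        }
    }
}

# Show every entry, suspicious ones first.
Get-IfeoDebuggerEntry | Sort-Object Suspicious -Descending |
    Format-Table Target, Debugger, ImageExists, Suspicious -AutoSize

# To undo a hijack, delete only the Debugger value and keep the key, since other
# values under it may be legitimate. Drop -WhatIf once you have confirmed the entry:
#   Remove-ItemProperty -Path "$ifeoPath\taskmgr.exe" -Name Debugger -WhatIf
```

A Debugger value that names a file which does not exist is the case that matches the error text in the post; a value naming a real but unexpected image (for instance another copy of the malware) is the stealthier variant, which is why the script checks both the existence of the image and the allow-list rather than existence alone.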
Posted by William Diaz on June 1, 2012
This was initially described as the user being logged off each time they opened Outlook. This was the first time I had heard of Outlook logging someone off their system when it was opened. It sparked my curiosity, of course, so I asked the techs working on it to leave it alone until I had a chance to look after hours. I started by connecting remotely to the Event Viewer on the problem workstation to see if anything obvious stood out. After about a minute, the MMC console hung and I could no longer browse events. I thought the workstation might have dropped off the network, so I waited and tried again a few minutes later. I resumed browsing the event logs, only to be disconnected again. Logging in via RDP or VNC was also a no-go; I was disconnected after about two minutes, barely enough time to get past the initial desktop and application loading and analyze what was happening. My next approach was to query the workstation for all of its running processes with PsList from Sysinternals (using the Front End for PsTools); maybe something would stand out and hint at what was happening:
Posted by William Diaz on April 2, 2012
I love Autoruns. Think msconfig on steroids. It truly reveals everything that starts up with Windows. Well, almost everything. A couple of days ago a user complained to me about a popup error they were receiving after logon. I had no doubt I would find the offending process in Autoruns, since the error message revealed the process name:
Posted by William Diaz on October 1, 2011
I don’t trust uninstallers. They always tend to leave something behind. Every now and then one of these orphaned components still ends up not playing well with some other application or the OS, resulting in crashing user-mode apps or the kernel. A good example of this was a previous post where I was experiencing a BSOD when running Process Monitor (read about it here) after installing a Microsoft application.
So, we have a workstation that is about to be sent off to be re-imaged because iLinc, a web conferencing application, crashes when the user tries to join a session. I intervene because I hate to see these issues written off as unexplained. Who knows: the system gets re-imaged, the user installs some application again, and the problem repeats itself (which would have been the case here).
It happened that Dr. Watson, the default post-mortem debugger on Windows XP, was capturing the user-mode crash, so I jumped in without hesitation:
Posted by William Diaz on August 18, 2011
Slides from Mark’s highly-rated Blackhat US 2011 presentation on how to use the Sysinternals tools to hunt down and eliminate malware.
54 68 65 20 43 61 73 65 20 6f 66 20 74 68 65 20 4d 79 73 74 65 72 69 6f 75 73 20 53 79 73 74 65 6d 20 44 65 6c 61 79 73
Posted by William Diaz on November 14, 2010
The complaint: Excel would hang while opening. When it finally did come to life, it would keep hanging on almost any task. Often, these issues are troubleshot in a predictable manner: Repair Office, Uninstall Office, Reinstall Office, and, finally, take a shotgun to the user’s Windows profile and blow it away. Personally, I frown on these approaches; they only make the user start from scratch while doing nothing to reveal the problem. Another downside is that you may be dealing with something impacting several users or workstations, each being handled independently as an identical issue by the tech in the next cubicle. And, since the problem was related to the user profile, specifically in HKCU, each of those would likely have ended in a profile recreation. If you have ever had to recreate a profile, you know these can be time-consuming, since not all settings in today’s large enterprise environments are copied into the roaming profile (think folder exclusions, for example).
Posted by William Diaz on October 6, 2010
If you have not had a chance, set aside some time to watch Advanced Malware Cleaning, an excellent webcast by Mark Russinovich. I used some of the techniques from that presentation to identify and remove malware on systems I have come across.
In the case here, the user would open Internet Explorer but could not connect to the Internet. This would happen a couple of times a day. The problem was tracked down to the Proxy field not being populated with the office ISA address, and the field remained grayed out so it could not be toggled on directly. The issue could be worked around temporarily by editing the registry to enable the proxy, but at some point the setting was being removed again. I was already suspicious that this was malware-related because each day the user logged on, the virus protection suite would catch the same DLLs attempting to download to the system and delete them.
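The proxy values the post describes live under the per-user Internet Settings key, and the policy that grays out the Proxy field lives under the Internet Explorer Control Panel policy key. The script below is an added example, not code from the original post: it polls those values and writes a timestamped line whenever they change, so the moment the proxy setting disappears can be lined up with logon times, the daily AV detections and the Autoruns entries. It assumes it is run as the affected user; the log path and the 60-second interval are arbitrary choices, and the ISA address itself comes from your environment.

```powershell
# Added example, not code from the original post. Polls the per-user IE proxy
# values and the policy that greys out the Proxy field, logging a timestamped
# line each time the state changes.
# Assumptions: run as the affected user; $logFile and the interval are arbitrary.

$inetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ctrlPanel    = 'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
$logFile      = Join-Path $env:USERPROFILE 'proxy-watch.log'

function Get-ProxyState {
    $s = Get-ItemProperty -Path $inetSettings -ErrorAction SilentlyContinue
    $p = Get-ItemProperty -Path $ctrlPanel    -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        ProxyEnable   = [int]$s.ProxyEnable        # 1 = "Use a proxy server" is ticked
        ProxyServer   = [string]$s.ProxyServer     # host:port, e.g. the office ISA address
        AutoConfigURL = [string]$s.AutoConfigURL   # PAC script, if any
        ProxyLocked   = [bool]$p.Proxy             # "Disable changing proxy settings" policy
    }
}

function Format-ProxyState($state) {
    'ProxyEnable={0} ProxyServer="{1}" AutoConfigURL="{2}" ProxyLocked={3}' -f `
        $state.ProxyEnable, $state.ProxyServer, $state.AutoConfigURL, $state.ProxyLocked
}

# The temporary workaround from the post, re-enabling the proxy by hand, would be:
#   Set-ItemProperty -Path $inetSettings -Name ProxyEnable -Value 1
#   Set-ItemProperty -Path $inetSettings -Name ProxyServer -Value 'your-isa-host:8080'

$last = $null
while ($true) {
    $now = Format-ProxyState (Get-ProxyState)
    if ($now -ne $last) {                        # first pass and every change get logged
        $line = '{0} {1}' -f (Get-Date -Format 's'), $now
        Add-Content -Path $logFile -Value $line
        Write-Host $line
        $last = $now
    }
    Start-Sleep -Seconds 60
}
```

Polling at one-minute granularity is enough to tie the change to a logon or to one of the hourly or daily events the post mentions; if you need the exact writer, run Process Monitor with a filter on the Internet Settings key at the time window the log points to.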
I would be using Process Explorer and Autoruns as my tools. Here were the first things I noticed:
Posted by William Diaz on October 2, 2010
In an earlier post, I blogged about a request from a user who no longer wanted to be annoyed by IE’s “Security Information” prompt when visiting secure sites, and the problem of trying to change that setting in an environment where it is controlled via group policy. This time, I came across an issue where the user was being interrupted by the same prompt when visiting an internal resource that should not have been triggering the “Security Information” prompt at all.
Posted by William Diaz on July 9, 2010
This case provided a good opportunity to use Sysinternals Autoruns to detect and remove some malware that had found its way onto one of our workstations. Some unknown process on this workstation was going out to the Internet at the same time every hour, attempting to download a suspicious executable named Zl0.exe and drop it in the user’s local temp folder, which by default is C:\Documents and Settings\username\Local Settings\TEMP\ on Windows XP (we actually redirect this to a custom folder).
We knew this because our virus protection had been configured to stop all unknown executables from being written to, or started from, that location. The attempt to download the file was blocked by the host intrusion detection, but the process responsible for the download attempt went undetected.
Before starting, I verified that Zl0.exe was, in fact, malware by searching for it on the Internet. A quick scan of the system’s running processes with Process Explorer did not reveal anything out of the ordinary. Since the download was attempted every hour, I assumed a Windows Task Scheduler job was involved. The Task Scheduler is actually a service hosted inside svchost.exe, along with many other services, so killing the process was not really practical. Another advantage, from the malware’s point of view, of relying on the Task Scheduler is that the suspicious process can be started by a legitimate process, run, attempt whatever it wants to do, and exit, so by the time you go looking with a process-monitoring utility, it is already gone.
To confirm my suspicion, I opened the Task Scheduler. However, there were no abnormal scheduled jobs, even after enabling View Hidden Tasks on the Advanced menu:
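When the Task Scheduler UI shows nothing, the next step is to compare it against the other views of the same data: the .job files on disk, which Autoruns walks for its Scheduled Tasks tab, and what schtasks.exe reports. The script below is an added example, not code from the original post. It assumes the Windows XP/2003-era task store (%SystemRoot%\Tasks\*.job); on Vista and later the task definitions also live as XML under %SystemRoot%\System32\Tasks, which this script does not walk. The $suspectPattern is an assumed pattern built from the names in the post (the temp folder and Zl0.exe) and should be adjusted if, as in the post, the temp folder is redirected.

```powershell
# Added example, not code from the original post. Compares the .job files on disk
# with what schtasks.exe reports, lists hidden job files, and flags any task whose
# command line points into the temp folder or at the dropper name from the post.
# Assumptions: XP/2003 task store in %SystemRoot%\Tasks; $suspectPattern is assumed.

$taskDir        = Join-Path $env:SystemRoot 'Tasks'
$suspectPattern = '(?i)\\Local Settings\\Temp\\|\\Temp\\|Zl0\.exe'

function Get-OnDiskJob {
    # -Force includes hidden .job files; the hidden attribute is itself worth a look.
    Get-ChildItem -Path $taskDir -Filter '*.job' -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name          = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
                Hidden        = [bool]($_.Attributes -band [System.IO.FileAttributes]::Hidden)
                LastWriteTime = $_.LastWriteTime
            }
        }
}

function Get-SchtasksEntry {
    # /v adds the "Task To Run" column; CSV keeps the columns parseable. schtasks
    # repeats the header row (per task on XP, per folder on Vista+), so drop those rows.
    schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -and $_.TaskName -ne 'TaskName' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Name      = ($_.TaskName -split '\\')[-1]   # Vista+ prefixes the folder path
                TaskToRun = $_.'Task To Run'
                Schedule  = $_.Schedule
                RunAs     = $_.'Run As User'
            }
        }
}

$onDisk      = @(Get-OnDiskJob)
$listed      = @(Get-SchtasksEntry)
$listedNames = @($listed | ForEach-Object { $_.Name })

Write-Host "`n== .job files on disk that schtasks did not report =="
$onDisk | Where-Object { $listedNames -notcontains $_.Name } |
    Format-Table Name, Hidden, LastWriteTime -AutoSize

Write-Host "`n== Hidden .job files =="
$onDisk | Where-Object { $_.Hidden } | Format-Table Name, LastWriteTime -AutoSize

Write-Host "`n== Tasks whose command line matches $suspectPattern =="
$listed | Where-Object { $_.TaskToRun -match $suspectPattern } |
    Format-Table Name, TaskToRun, Schedule, RunAs -AutoSize
```

If all three sections come back empty, the hourly trigger is probably not a scheduled task at all, and the remaining candidates are the other Autoruns categories (Run keys, services, drivers, Winlogon and Explorer hooks) or a timer inside an already-running process, which a Process Monitor trace started a minute before the next expected download will catch.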