Posts Tagged ‘Malware’
Posted by William Diaz on October 21, 2012
While browsing the Internet last night from one of my home PCs, I was suddenly hit with the following full screen warning: “THE FBI Federal Bureau of Investigations. ATTENTION! Your PC is blocked due to at least one of the reasons specified below…”
Posted by William Diaz on July 25, 2012
This is an XP workstation, so the post-mortem default debugger is likely capturing the exception. I UNC-navigate to \\computername\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson and grab both the drwtsn32.log and user.dmp files. They have recent time stamps from the day before, which means they were likely created as a result of the issue the user was experiencing. I start by examining the log file from the bottom, working my way up. The user’s initial complaint was that IE was crashing when going to various websites, so I expected to find the iexplore.exe process crashing in the log. A few searches in the text file later, I find IE crashing on that day:
Application exception occurred:
Posted by William Diaz on July 8, 2012
Just yesterday, while taking a tour of my kids’ Standard User account on one of my Windows 7 systems, I noticed I was unable to right-click a program and elevate it. The following error was returned: “This program is blocked by group policy. For more information, contact your system administrator.”
Posted by William Diaz on July 5, 2012
I was recently asked by a tech to look at someone’s system because they were concerned it may have malware installed on it. The reason for their suspicion was that after running Process Explorer they saw Internet Explorer running as a child process of one of the Windows service host processes, svchost.exe:
A quick search on the Internet by the tech led to a lot of hits referring to malware infection of some sort, which is what originally raised his suspicion. For example, searching “svchost.exe launches iexplore.exe” returns numerous hits on the first page pointing to malware:
A more reasonable explanation for why you sometimes see the Windows service host hosting iexplore.exe is that you launched IE via a URL shortcut before opening IE itself. A URL shortcut isn’t a program in its own right, so it has to leverage the DCOM Server Process Launcher service inside svchost.exe to open Internet Explorer.
Posted by William Diaz on June 28, 2012
I was originally introduced to this by a co-worker who wanted me to look at someone’s netbook, and I wrote about it here. The malware-scareware program had already been removed from the system, but the damage it had done was left behind. Cleaning it up manually, though, would not be too difficult. As pointed out, it counters the user’s attempts to stop it by taking advantage of a built-in mechanism that Windows uses for debugging applications, pointing the Task Manager and Regedit to its own fake anti-virus process. Further, it also counters anti-malware utilities and virus security suites by creating registry keys for them and using the same Debugger string to point to svchost.exe, which is not able to run other executables. The key to getting access to the registry and the task manager directly was to use Autoruns.
As it happened, a couple of days ago the wife started complaining that she kept getting persistent firewall popups. I told her to click Allow and let me sleep. Then she mentioned another popup that she said was scanning the system and finding viruses. This sounds like classic scareware, and when I take a look I see this:
Posted by William Diaz on June 5, 2012
I was recently given a netbook to look at after it was hit by some malware. The malware exe had already been removed but it left a few common system utilities like the Task Manager and the Windows Registry Editor in a dysfunctional state. Furthermore, popular anti-malware utilities and anti-virus utilities were also not able to run. For example, trying to run taskmgr.exe or regedit produced the following error: “Windows cannot find ‘C:\Windows\system32\taskmgr.exe’…”
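The two posts above describe the same trick: a Debugger value under the Image File Execution Options key that redirects taskmgr.exe, regedit.exe and security tools to the fake AV (or to svchost.exe, which simply blocks them). As an added example that is not the blog’s own code, here is a short Python script that parses a text export of that key (reg export, decoded from UTF-16), lists every Debugger hijack with a reason, and prints the reg delete commands that undo it; the sample export and the fakeav.exe name are constructed.

```python
"""Flag Image File Execution Options (IFEO) Debugger hijacks in a text export of the key."""
import re
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# Constructed sample of what `reg export` of the IFEO key looks like once decoded from UTF-16.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\Documents and Settings\\All Users\\Application Data\\fakeav.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableHeapLookaside"="1"
"""

SECTION = re.compile(r"^\[(.+)\]$")
DEBUGGER = re.compile(r'^"Debugger"="(.*)"$', re.IGNORECASE)
ADMIN_TOOLS = {"taskmgr.exe", "regedit.exe", "msconfig.exe", "cmd.exe", "msascui.exe", "procexp.exe", "autoruns.exe"}
def parse_ifeo_debuggers(reg_text):
    """Return {image name: Debugger command} for every Debugger value under the IFEO key."""
    found, image = {}, None
    for line in reg_text.splitlines():
        m = SECTION.match(line.strip())
        if m:  # subkeys are named after the executable they apply to; ignore keys outside IFEO
            key = m.group(1)
            image = key.rsplit("\\", 1)[-1].lower() if key.lower().startswith(IFEO.lower() + "\\") else None
            continue
        m = DEBUGGER.match(line.strip())
        if m and image:
            found[image] = m.group(1).replace("\\\\", "\\")  # .reg files double every backslash
    return found

def classify(entries):
    """Give each Debugger entry a reason; on a non-developer PC every one of them deserves review."""
    findings = []
    for image, debugger in entries.items():
        exe = debugger.rsplit("\\", 1)[-1].lower()
        if exe.startswith("svchost.exe"):
            reason = "Debugger is svchost.exe: the program is silently blocked from starting"
        elif image in ADMIN_TOOLS:
            reason = "admin/security tool redirected to " + debugger
        else:
            reason = "unexpected Debugger value (normally only set on developer machines)"
        findings.append((image, debugger, reason))
    return findings

def cleanup_commands(findings):
    """Commands that remove each hijack (what deleting the entry in Autoruns' Image Hijacks tab does)."""
    return [f'reg delete "{IFEO}\\{image}" /v Debugger /f' for image, _, _ in findings]
```

Run the cleanup commands from an elevated prompt only after confirming each Debugger value is not a legitimate developer setting.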
Posted by William Diaz on June 1, 2012
This was initially described as a log off each time the user opened Outlook. This was the first time I had heard of Outlook logging someone off their system when it was opened. This sparked my curiosity, of course, so I asked the techs working on this to leave it alone until I had a chance to look after hours. I started by connecting remotely to the Windows Event Viewer for the problem workstation to see if anything obvious stood out. After about a minute, the MMC console hung and I could no longer browse events. I thought maybe the workstation had become disconnected from the network, so I waited and tried again a few minutes later. I resumed browsing the event logs … only to get disconnected again. Logging in via RDP or VNC was also a no go, as I was getting disconnected after about 2 minutes, barely enough time to get past the initial desktop and application loading and analyze what was happening. My next approach was to query the workstation for all the running processes via PsList from SysInternals (using the Front End for PsTools); maybe something would stand out and point to what was happening:
Posted by William Diaz on March 2, 2012
A user called in and requested one of our technicians to assist in removing some annoying autorun applications. Upon opening the Control Panel and going to Add or Remove Programs in Windows XP, the rundll32.exe process was crashing. The same applied for any process that required a CPL to run:
I was asked to assist and started by going to C:\Documents and Settings\username\Application Data\Microsoft\Dr Watson. I opened the drwtsn32.log and scrolled to the bottom, confirming that some error in rundll32.exe was being encountered:
Posted by William Diaz on January 17, 2012
Leave it to the kids to finally infect my Windows 7 home system. This wasn’t a big deal; this system has since been hijacked by them to serve their Internet gaming addiction, and I had since moved my workload to my laptop. Anyway, I look forward to the occasional malware infection; it gives me a chance to explore different methods for removing them. In this case, I was hit by what is known as Win 7 Security 2012. This may also go by the name of XP Home Security 2012, Vista Security 2012, or Windows XP Internet Security 2012 (and then some). It is part of the Braviax suite, a (somewhat non-malicious) form of “scareware” that attempts to convince you that your system has several malware infections. At the time it hit me, there was no definition for it, so it crept past Microsoft Security Essentials.
Here are some screenshots of some of the windows it presents the infected user with:
Posted by William Diaz on August 18, 2011
Slides from Mark’s highly-rated Blackhat US 2011 presentation on how to use the Sysinternals tools to hunt down and eliminate malware.