How many of you have struggled with annoying pop-up browser windows, unexplained toolbars showing up in your browser, or even the dreaded fake antivirus application on your PC?

This guide is intended to provide you with a basic knowledge level for manually detecting and cleaning most of today's virus infections that have found their way onto your Windows based computer. While there are many automated tools out there that can be helpful for detecting and removing malicious software from your PC (malwarebytes, ad-aware, hijack-this, etc), the problem lies in the fact that malware is becoming more and more effective at finding ways to hide from, trick, and attack the software that you are counting on to protect your PC.

I am a firm believer in learning the fundamentals first. Once you have a firm grasp on these topics, you will not be at the mercy of an automated tool. Plus, I think it can actually be fun to see if you can best a nasty piece of malware (I know, I am a sick man).

Know your Enemy - Persistence

Almost all viruses, trojans, and worms (malware) have the same initial goal. Persistence.

What does that mean? It means that the writers of the software want to ensure that the malware is re-launched each time the computer is started. Of course, this makes perfect sense. How effective would a piece of malicious software be if it was unable to run after your computer was rebooted? That would make our jobs just a little too easy, as the good ol' three finger salute (ctrl-alt-del) would literally solve all of our problems. Unfortunately, virus writers have become very, very good at making sure that their software remains persistent. (To our chagrin)

Fortunately for us, there is a bit of a silver lining. While the number of ways a program can tell Windows to start it at boot-up time is great, there are some great (and free) tools available to find where they are trying to hide. With a little bit of understanding of how these tools work, you can become an expert "verminator" in no time. In Step 2 of this document, we will dive into this head first.

Motives

Before we get into the details of rooting out malware, let's have a quick discussion about the motives behind the ever increasing avalanche of malware. I am sure many of you remember the movie "Wargames", you know, the 80's flick starring Matthew Broderick. Matthew played the part of the main character, who was some curious and talented "hacker" kid that could steal software and change his grades in school with his ultra-uber computer skillz. (You had to love the sweet modem with the phone handset thingy, right?). But anyway, that is what most people still think of when they think of the people behind all of the malware madness. Goofy, pimply kids having fun with us all.

In reality, it is all about the money these days. Malware has become a cash cow. Backed by organized crime organizations, there are billions of dollars in stolen credit card numbers, web banking logins, and personal information being harvested around the clock. It is important for the home user to understand this, and what is really at stake. Unless you think having your identity stolen sounds like something you would like to try, getting serious about malware protection / removal is probably a good idea.

Sysinternals Autoruns

Autoruns is one of the most powerful tools I have seen for managing application persistence (remember that term?). Microsoft has included some tools in XP and Vista for managing this (msconfig, etc) but they are not nearly as powerful as this tool. Sysinternals was purchased by Microsoft in 2006, and is now available on the technet website. You can grab the entire suite (including autoruns) here. While it is not specifically designed to detect individual pieces of malware with signatures like malwarebytes or adaware, it goes about things differently. It shows us where in the registry malware is hiding so that it will start on a reboot. This will point us to the location of most of the malware startup points on your machine, unless something called a rootkit was utilized (we will cover this in a future tutorial). While rootkits are becoming more common, they are still the exception and not the rule. (and the rootkit itself needs to start on boot up as well)

Autoruns works by scanning the registry on your local PC, and finding every area where an application can add itself so that it will start the next time your machine does. Autoruns will take a minute or two to do this scan. The tabs that you see along the top of the screen are the various Windows services that have the ability to launch programs at system boot time. The everything tab is the default tab that is displayed, and is often the most useful when trying to find where malware is hiding on your machine. Below the tabs are the registry keys themselves, with the key values listed below them with check marks to the left.

For each registry value (filename), autoruns goes out and looks at the associated file on your disk and provides us additional information that it queries from the file itself (description, publisher, and full path). The description and publisher are not always populated, since not all applications will provide this information. In the image path column, you will either see the path of the file, or "file not found". If you see "file not found", autoruns was unable to see the file referenced in the registry. It may be missing, or have already been deleted by your virus scanner. In the worst case it is hidden by a rootkit.

Let me say this before I go any further. This application will directly modify the registry. When the registry is modified, the changes are applied immediately, and while autoruns is easy to use, you must be careful that you do not remove any entries that are important to the operation of your system. Be especially careful with modifying anything in the "drivers" section, as any missteps here could cause your system to become unstable.

Let's remove some malware!

So enough chatter, right? How do you use this tool to find the malware that is driving you crazy and remove it? Start by clicking on the options menu item and choose "hide microsoft and windows entries". This will limit the display to entries that are not related to Microsoft applications, as these will not be interesting to us in our hunt for malware and will just clutter up the screen with things that are normal for your system. To do this, click on "options", and check "hide microsoft and windows entries". After checking this option, click on the refresh button (second from the left) and it should rescan the registry and show you only non-Microsoft application related entries.

Now we are ready to start looking! What I like to look for first is anything that does not have a publisher listed, or where the publisher is not related to software that you know is installed on your PC. Application programmers can purchase and apply something called a digital signature (code signing) from Microsoft when they publish their applications. This gives us some assurance that their application is legitimate and will probably be a good citizen (trusted application).

Let's say for example that you see something in the winlogon section that does not have a publisher listed. This is a common virus trick. This program is very suspect, since entries are not often added to winlogon for legitimate purposes. To confirm our suspicions, you can right click on the entry and choose "properties". Take a look at the created, modified, and access times. If the date is recent (or lines up with your infection timeline) this could be our bogey. You can click on the "search online" button as well. This will start a Google search for you with the file name pre-populated. Often times a Google search of the file name can be helpful, as it may identify the name of the malware. The problem with this is the fact that most malware will use randomly generated names, which would not result in a good Google result.

So Google doesn't help us? What do you try next? Take a look at another one of our tutorials about
We can send a sample of the suspect application to VirusTotal, and they will scan it with over thirty different virus scanners (for free). If the file comes up clean, it is possible this is a normal program (sometimes though it still is). Otherwise you should now have a name for the virus.

Let's get back to our example in the winlogon section. In this case, we can be very confident this is not a normal or useful entry. We sent it to VirusTotal, and have confirmed that it is malware. To remove it from the registry, just uncheck the checkbox next to it on the left hand side. This will remove it immediately. Now click on the refresh button and make sure it stays unchecked. If it is checked again, this means that the virus is still active on your system and has re-added the entry. This has become more common as well, which is a perfect segue into the tool that we will look at in Part 2: Process Explorer. Please notice that when you uncheck the value, it does not disappear. This is how autoruns allows you to reverse your actions if you think that you have removed something that you shouldn't have (this has saved me in the past). Now that the malware cannot start, it is time to reboot the system! When the machine starts back up, navigate over to the file and try to delete it. If you are successful, you did it! Malware be gone!