Mark's Blog - All Comments

re: Hunting Down and Killing Ransomware

JMH3143 — Sat, 26 Jan 2013 01:40:36 GMT

Good informative "stuff."

Thank you!

re: Hunting Down and Killing Ransomware

ZigZag3143x — Fri, 25 Jan 2013 08:28:01 GMT

Mark

Thanks for a great post on a a topic that is a pet peeve of mine.

Ken J

re: Hunting Down and Killing Ransomware

Mark Russinovich — Fri, 18 Jan 2013 03:54:35 GMT

@Trevor65535 I'm surprised - my email address is posted all over the place.

In any case, email me at markruss@microsoft.com.

re: Hunting Down and Killing Ransomware

Trevor65535 — Fri, 18 Jan 2013 01:23:18 GMT

Mark, I wanted to email you about the program Desktops, but couldn't find a way to do that, so I'm commenting on your latest blog entry. I think Desktops is one of the cleanest virtual desktop managers out there, and would absolutely love to use it, unfortunately my team can't because we require the feature of labeling or renaming workspaces. Even though Virtual Dimension lacks the ability to preview the desktop we are forced to use it because it has the feature of renaming a workspace. If you find the time to add that feature my team would be very happy, thanks for reading, and sorry for having to post this in this blog entry.

re: Hunting Down and Killing Ransomware

kandy2kane — Wed, 09 Jan 2013 14:37:44 GMT

Mark, great post as always! The timing of your post couldn't be better. Just this past weekend, my kid's computer got infected with some malware. Similiar to the Official Government software window, it took over his session, couldn't click or type anything. Fortunately, pressing CAD still worked and I was able to 'switch user' to my Admin account. (Kids account don't have admin rights) Did exactly as your posted outlined, ran AutoRuns, and Process Explorer. The 2 malware processes stood out like a soar thumb. It was named with some long random text filename. Checking the path of the image, it resided on parent directory of my kids user profile (c:\users\Username\) I searched within Autoruns for the filename, it returned 0 results. So had to do a Reg search for it, and found 3 locations (don't recall the exact keys). Deleted the regkeys and the filenames, all back to normal. Kid's can log back in and play games again. Needless to say, I had a sit down talk with them on safe web browsing practices.

re: Hunting Down and Killing Ransomware

wrootw — Mon, 07 Jan 2013 20:02:50 GMT

Thanks for the tips (about pointing to other profile and offline scanning). I'm using Autoruns to investigate issues quite often and just a week ago have spotted 2 trojans leftovers in the user's startup registry. Usually i don't use filters as i'm quite familiar with the stuff (MS or not) sitting in the Windows installation. We also had 3-4 fake antivirus & hdd failure scareware issues. Symantec antivirus didn't catch them until i have submitted the files. Was surprised that this happened with 3 new Windows 7 PCs and never happened before with XP and Vista. Thought it should be better protected. HDD failure scareware was interesting as it made all user files hidden (also start menu entries) so it looked like something wrong happened with the files.

re: Hunting Down and Killing Ransomware

JS2010 — Mon, 07 Jan 2013 19:38:31 GMT

'Hide Microsoft entries' seems to mean something different whether you have 'Verify code signatures' checked or not. I see more entries with verify unchecked.

re: The Case of My Mom’s Broken Microsoft Security Essentials Installation

D. Charles Pyle — Sun, 06 Jan 2013 19:04:12 GMT

Hit the exact same problem with a friend's PC. From what evidence I could see, a piece of fake antimalware software had installed the errant references in the registry in order to prevent the MSE software from functioning and from being reinstalled. MSE had the appearance of having been installed twice even though a previous install had somehow been disabled by the malware and had not been reinstalled at that point.

Registry entries and permissions had been altered in strange ways as well. Like many PC users my friend had been surfing the web using the only account set up during installation of PCs when taken out of the box--the Owner (or Administrator) account. That is like giving malware carte blanche to do whatever it wants to your system!

It was a long and tedious process of searching the registry and deleting Keys and Values, as well as removing hidden files given the same names as the real files after removing the originals, followed by a thorough cleaning of no less than 71 pieces of malware. I never was able to determine which specific piece of malware did it, though, but it is something to watch for now that I have seen another case of the same like this one you mention. In my opinion, it is very likely some sort of trojan like fake, antimalware security software. That was the kind of error that was being seen over and over at first, anytime my friend would try to visit antivirus software sites to download real antivirus and antimalware software.

I wish I could recall the exact name of the malware, though. That would have been very useful information.

re: The Case of the Unexplained FTP Connections

jgrose — Wed, 26 Dec 2012 20:47:12 GMT

Interesting and quick read. Thanks for sharing.

re: Pushing the Limits of Windows: Virtual Memory

Thomas Weller — Fri, 21 Dec 2012 22:06:31 GMT

@Brian:

The limit is per process and not per computer. Windows itself (the Kernel) seems to use AWE.