The Case of the Malicious Autostart

re: The Case of the Malicious Autostart

Ramesh — Sun, 03 Apr 2011 05:53:59 GMT

Great article! Reminds me about hex editing of "Regedit.exe" to circumvent the "DisableRegistryTools" Policy.

re: The Case of the Malicious Autostart

Chris Hutchcroft — Fri, 25 Mar 2011 01:05:23 GMT

Great story, every one I read I end up using one more of the tools on a regular basis. I hadn't even thought of using boot time logging with procmon until I saw it at Tech-Ed last year.

@wanderSick thanks for the tip on the EULA batch file

re: The Case of the Malicious Autostart

AndrewRichards — Mon, 21 Mar 2011 17:03:41 GMT

@ advcom: A rootkit can hide a virus completely (if it is weel written). And yes a virus can be verified - it just take $70 to buy a signing cert. The majority of virus' are not signed though.

re: The Case of the Malicious Autostart

Ncage — Sun, 20 Mar 2011 05:09:18 GMT

Curious if at the time of infection (if it was windows 7) the user would have got a UAC dialog. Moral of the story is don't run under and administrative account. I wish i could heed this device but i can't. I'm a developer and i just run into to many problems IIS, ect....but running under a limit account. God knows i've tried. My solution is just to run utilities like sandboxie & appguard though i know these things are just to dang complicated for the general user.

re: The Case of the Malicious Autostart

advcom — Sat, 19 Mar 2011 05:47:05 GMT

Mark,

I do about 10 or so virus removals per week and I refuse to reinstall unless there is corruption to the os. I can remove most virus in an hour, but occasionally I will run into a virus that keeps me up half the night. My question is this. Can a rootkit completely hide it's autostart entries from Autoruns. Does a rootkit hide it's malicious files from all software or just software it is programmed to be aware of? And my last question. Can a virus show as "verified" in Autoruns? In other words, can I trust all files that show as verified in Autoruns? Just things I have wondered and never really got a straight answer on.

Thanks,

Miles

Advanced Computing

re: The Case of the Malicious Autostart

mohdtarmizie — Wed, 16 Mar 2011 07:09:25 GMT

Good job done! What an awesome tech article! :)

re: The Case of the Malicious Autostart

Keith — Sun, 13 Mar 2011 04:56:42 GMT

I am very impressed with story, the tech and the the description of tools used. It was a very interesting and entertaining read as well as informative. It was loaded with information regarding the registry and what happens at Windows start-up. I really enjoyed it, thank you.

re: The Case of the Malicious Autostart

jader3rd — Thu, 10 Mar 2011 16:32:26 GMT

Anti-virus doesn't flag an unverified dll, gotta love the usefullness of A/V.

re: The Case of the Malicious Autostart

wanderSick — Thu, 10 Mar 2011 02:25:23 GMT

@Hector Santos

For PsExec, there's the switch -accepteula.

To accept all EULAs for all tools at once, you may 'Bing' this script by a Sysinternal forum member: "syseula.cmd". It will set the AcceptEula key in the registry for all tools.

Alternatively, there's a third party automated tool to install all Sysinternals tools, accept the EULA, update system path, unattended, all at once. You may 'Bing' 'SSIBuild'. It is a tool made by DarkShadows of the MSFN forum.

HTH

re: The Case of the Malicious Autostart

Hector Santos — Thu, 10 Mar 2011 01:28:39 GMT

Probably a side note or note for a new topic, but pstools has been and now the suite is part of my everyday usage. Is it possible to make it a 1 time "I AGREE" for all the tools rather than have it for each tool, for every machine, for every profile they are run under? It is so ignored anyway and a few time I got stuck with a passive psexec hung on another machine waiting for the "I AGREE" user input.