Today's IT administrator needs to be prepared to identify, analyze, and remediate malware that slips through layered defences since most anti-malware solutions depend on signatures of known threats. This session takes you on a tour of malware infection and persistence technologies, including rootkits, and shows you on real malware infections how to use sophisticated tools like Sysinternals.com freeware tools Process Explorer, Autoruns, and RootkitRevealer to clean malware.
Fantastic content from Mark, appalling delivery. The video lagged at least 10 mins behind the sound and made it almost impossible to watch.
I have no problem with the video sound sync.
Excelent VODcast i thoroughly egree with you 100 percent and your mentioned are almost foolproof if caried out correctly. The next best thing to doing better than what your saying is doing a reinstalll of the system.
Whenever I try to view a video, I get a Silverlight error:
(I have installed Silverlight 1.0)
I am not techie -- kind of a techie wanna be -- What I got from this presentation was a way to look for malware -- although I'm not sure that I'd want to actually delete anything -- however, I also appreciated learning how to delete the files that won't let you delete them. Seems like AVG antivirus identified something for me and I was able to find it but couldn't delete it. Now I can -- if I go back to this presentation first! This all started because of the recommendation of the autorun tool by tech republic -- which I downloaded -- then listened to this presentation -- then downloaded process exp. -- haven't run it yet.
Lots over my head but enough wasn't that I feel like I learned quite a bit. Thank you, Mr. Russinovich!
I'm having a slightly different problem with videos / Silverlight on this site. I get AG_E_NETWORK_ERROR MediaError 4001 popups for all videos I've tried, in particular this one. Tracing with Fiddler 2 shows a 404 for /emea/spotlight/xml/en/video/subtitle359.xml
In your webcast on Advanced Malware Cleaning you state that the first step should be ("One of the first things you should do") to disconnect from the network. You then detail the next steps, looking at and for processes with Process Explorer. You go on to recommend using the Search Online feature to look up suspicious processes.
But you've disconnected from the network! How should you search online? If you go back online you may allow the malware to update itself or to frustrate your search, surely?
This is not just pedantry about a detail of your webcast. It is a dilemma I find myself in right now (as yet without Process Explorer) as I try to track down an apparently signatureless Trojan which sporadically becomes active on my system. (Norton identifies it as Infostealer only when it actually tries to start.)
Incidentally, I find the video runs OK as long as I give it about 15 minutes to load before trying to start it.
Amsterdam, The Netherlands
Great stuff! I've been using your tools for some time; however, the kernel debugger is yet another level that I'm looking forwarding to learning. Also, I think that the presentation helped me to appreciate "Process Explorer" a bit more. I was aware of the "packed" processes feature, but the ability to find embedded strings (e.g., the "Memory" option) was a nice feature to learn about.
I have one point of confusion about autoruns. Recently, I found malware (a variation on the Virtumonde malware) that had hooked into winlogon.exe. Presumably, a file as important as winlogon.exe is going to have a digital signature that, when decrypted, shows that it's from Microsoft. But, if I then use the "Hide signed Microsoft entries" in autoruns, wouldn't this (malicious) auto-start entry be hidden when I attempt to use the "Verify code signatures" option *at the same time*? In other words, would the "winlogon.exe" entry in autoruns still show up even though I had asked signed Microsoft entries to be hidden (because, presumably, the infected winlogon.exe would have a bad code signature). How do these two options in autoruns interact?
Thanks, again, BTW. I don't know where I'd be without autoruns. It's saved my "network administrator" hide more times than I care to count (not to mention my "geek husband" hide).
link not working!