Some of my favorite sessions from Microsoft’s Ignite Conference (Mark Russinovich & Paula Januszkiewicz)

Malware Hunting with Sysinternals Tools
Date: May 6, 2015 from 5:00PM to 6:15PM Day 3 Arie Crown Theater BRK3319
Speakers: Mark Russinovich

Adventures in Underland: What Your System Stores on the Disk without Telling You
Date: May 8, 2015 from 12:30PM to 1:45PM Day 5 E450 BRK3320
Speakers: Paula Januszkiewicz

Recalling Windows Memories: A Useful Guide to Retrieving and Analyzing Memory Content
Date: May 8, 2015 from 9:00AM to 10:15AM Day 5 S102 BRK2342
Speakers: Paula Januszkiewicz

Hidden Talents: Things Administrators Never Expect from Their Users Regarding Security
Date: May 7, 2015 from 3:15PM to 4:30PM Day 4 N231 BRK3323
Speakers: Paula Januszkiewicz

The Ultimate Hardening Guide: What to Do to Make Hackers Pick Someone Else
Date: May 7, 2015 from 10:45AM to 12:00PM Day 4 S503 BRK3343
Speakers: Paula Januszkiewicz

I recently was given a job of cleaning up an HP Laptop with 38 pieces of malware.

Malware Creators

Just last week I faced a job of removing the malware from a Windows 7 64-bit HP Laptop, and getting the computer back to a usable condition. It was only 6 months old, and the owner complained that they could not do anything on the internet because the computer kept shutting itself off. She even talked about being ready to send it back to HP. I asked her if she had antivirus and kept it up-to-date, and she said she had installed AVG about a week after she brought the laptop home, and it often updated itself while she was trying to use the computer. The first thing I did when I received the laptop was simply attempt to go online with each of the browsers. The computer had only 19 GB used out of 750, yet it had about 12 toolbars, and rebooted 5 minutes after I started trying to browse the web. I immediately installed MalwareBytes, and started to run a scan, while I proceeded to remove each of the different toolbars, and I installed CCleaner so I would be able to clean the cache, cookies, and temporary files. MalwareBytes immediately found 30 malicious items in the first 5 minutes of the scan. I started looking at the AVG logs and settings to see why AVG had let this happen to the computer. I thought that maybe AVG was not turned on or had not run a scan in a while. However, I noticed that AVG was set to scan every day at 5pm, and it had indeed run 20 times in the last month but had not found any malware. I checked the logs and found out that the only things AVG reported were actually files related to Microsoft .NET Framework 3.0 and 3.5 SP1 (which it labeled as a probable rootkit).

MalwareBytes finished its scan finding 45 malicious items (7 tracking cookies and 38 malicious trojans and toolbars). Next I ran an AVG scan (just to see if it would find any of these same items, before I removed them with MalwareBytes). I updated AVG’s signatures and then AVG scanned the entire system in about 15 minutes, and found nothing yet again. At this point, I had found an ASCII to UTF converter with a Chinese logo, and an instance of LogMeIn Rescue hidden in the temporary files folders. I called up the woman and asked if she had ever had anyone try to help her by remotely logging in to her computer and she said no, never. I realized that one of those toolbars she had installed had likely been a trojan with an Asian hacker on the other end that had been remotely running commands on her computer. I used the netstat utility but did not see any current activity. At this point I had to do some proprietary investigation and forensics, in order to prevent this hacker from ever accessing this computer again. I completed this in an hour or two and ran a ComboFix scan.

Okay, I then decided that either this AVG install was corrupted, or that AVG is no longer an effective player in the antivirus industry. Well, I did not have time to further investigate, as I needed to have this computer back to new condition by tomorrow. I removed all of the items found by MalwareBytes, then I restarted and deleted all the system restore points. I checked each of the browsers (Firefox, IE, and Chrome) for any leftover debris, and I rebooted the system. I next typed “MRT” in the search box, which ran the Microsoft Malicious Software Removal Tool, but it did not find anything. I then ran a portable BitDefender scan on the entire system, as well as an online scan by ESET. The system was coming up clean. I completely removed all remnants of AVG except for the AVG Secure Search bar (because utilizing the AVG safe search couldn’t hurt the owner).

Next, I installed Microsoft Security Essentials, and set MalwareBytes’ real-time protection to off. MSE’s real-time protection will hopefully be good enough to protect the owner in the near future. I ran a full system scan, which came up clean, and used Revo Uninstaller to uninstall any leftover programs that the owner did not need. I then went ahead and tweaked all of the browsers’ settings and configured her firewall, and updated her Adobe Reader, Flash Player, and her Java (which apparently had come installed on the laptop when she bought it). I used Secunia PSI to notify me of updates available for all installed programs. Then I went online and tried to perform some everyday tasks to verify that the computer was back to a usable condition. Note: I had documented all of my work, and I handed over the documentation to the owner when I gave back the computer. In the end, the laptop was back to its OOBE (Out of the Box Experience), and the owner was very appreciative.