Monday, April 11, 2011

Windows XP Startup/Logon Process and Malware

Recently I had to rescue my daughter's PC from some nasty malware. For many security professionals, troubleshooting family systems is a common weekend / after hours challenge, and a lot of us are not in the business of desktop remediation.

I find that the ISO based whole system virus scanners are not a bad starting point to get rid of the low hanging fruit. I have used F-Secure, and Kaspersky among others.

I also find that after the scanning/remediation process, XP registry entries are often still broken leading a lot of people to the point of just re-installing. Of course, re-installing is sometimes the only option for deeply embedded malware and/or rootkit.

A tool I found useful when I was poking through the HKEY_USER registry hive was 'USER2SID' since those registry entries are keyed by the SID. I also found that the malware I was dealing with had re-written the 'exefile' and '.exe' startup shell keys to be its own EXE file which was somewhat frustrating when that malware exe file was finally missing. (ie: Windows kept asking what program to open an exe with!!)

Also, age old advice is to remember those program startup registry keys which are often used to infect/re-infect things:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
%systemdrive%\Documents and Settings\All Users\Start Menu\Programs\Startup
%systemdrive%\Documents and Settings\username\Start Menu\Programs\Startup
%windir%\Profiles\All Users\Start Menu\Programs\Startup
%windir%\Profiles\username\Start Menu\Programs\Startup

Don't forget about our old SysInternals tools, particularly 'AutoRuns' and 'Process Explorer' which I continue to find extremely useful.

The Windows utility SFC.EXE is useful for a diff scan of critical system files as long as it has not been compromised.

*** Always use READ-ONLY media when in a desktop incident response situation like this otherwise anything goes with regard to what is written to your favorite USB memory stick!

No comments: