Automating the Sysinternals "Hunting Malware" technique
My friends and family often ask for my help in fixing their computer. I actually enjoy it, but I can't be there for them all the time. When I "fix" their Microsoft Windows PC, I use Mark Russinovich's Hunting Malware procedure. This can take quite a bit of time and effort depending on how bad the system is overwhelmed.
My interpretation of Mark's technique:
- Unplug the system from the network
- Run Process Explorer, click Options, Verify Image Signatures, and Options, VirusTotal, Check VirusTotal.com.
- Add the Verified Signer and VirusTotal columns if not already visible.
- Suspend any process that is unverified and/or ranks high (red) in the VirusTotal column. Suspend is necessary at first since many unwanted software will have a "brother" that will re-spawn the other.
- Kill all of the processes you just suspended.
- Follow up with Autoruns.exe to "root out" the unwanted software.
- Reboot and repeat as necessary.
To make everyone's life a bit easier, I wrote the Aggressive System Sanitizer or "BadASS" for a short, catchy name. It basically sees any process that is unsigned to be a foe. Any process that is signed, but the publisher is not on the "trusted" list will also be considered a "foe". Processes that are signed and on the "trusted" list are considered "friendly". The "trusted" list is populated with a static list of well known publishers such as Microsoft. In addition, the manufacturer of the PC is also trusted even it if is not statically on the list.
IMPORTANT: This is *not* a replacement for anti-virus software. This is intended as a last resort to allow you to gain back control of your system temporarily. Consider options such as restoring your system to a known good restore point, restoring to a known good backup, or resetting the device to factory defaults.
The "BadASS" Powershell script automates steps 2 through 5 above at this time. It downloads the appropriate Sysinternals tools, runs SigCheck.exe to scan each process image (executable) and then presents you with a list of "suspects" ready for the chopping block. You can respond with Y (yes) or N (no) to kill them off or spare them. Keep in mind that the unwanted software can certainly be re-spawned, so this is not a permanent solution until the software is killed off from its starting point, so you will still want to follow step 6 and 7 manually until I can automate that part too.
Download the BadASS Powershell script from my personal OneDrive at:
... and then, go to the BadASS folder.
Also, I will likely convert this into some kind of Powershell module and publish it to the Powershell Gallery soon.
I hope this makes your life a bit easier.