Automating the Sysinternals “Hunting Malware” technique


My friends and family often ask for my help in fixing their computers. I actually enjoy it, but I can't be there for them all the time. When I "fix" their Microsoft Windows PC, I use Mark Russinovich's Hunting Malware procedure. This can take quite a bit of time and effort depending on how badly the system has been overrun.

My interpretation of Mark's technique:

  1. Unplug the system from the network
  2. Run Process Explorer and turn on Options, Verify Image Signatures and Options, VirusTotal, Check VirusTotal.com.
  3. Add the Verified Signer and VirusTotal columns if they are not already visible.
  4. Suspend any process that is unverified and/or ranks high (red) in the VirusTotal column. Suspend first rather than kill, because unwanted software often has a "brother" process that re-spawns its sibling the moment it is killed.
  5. Kill all of the processes you just suspended.
  6. Follow up with Autoruns.exe to "root out" the unwanted software's start-up entries.
  7. Reboot and repeat as necessary.

To make everyone's life a bit easier, I wrote the Aggressive System Sanitizer, or "BadASS" for a short, catchy name. It treats any unsigned process as a foe. A process that is signed, but whose publisher is not on the "trusted" list, is also considered a foe. Processes that are signed by a publisher on the "trusted" list are considered friendly. The "trusted" list is a static list of well-known publishers such as Microsoft; in addition, the PC's manufacturer is trusted even if it is not on the static list.

IMPORTANT: This is *not* a replacement for anti-virus software. This is intended as a last resort to allow you to gain back control of your system temporarily. Consider options such as restoring your system to a known good restore point, restoring to a known good backup, or resetting the device to factory defaults.

The "BadASS" PowerShell script currently automates steps 2 through 5 above. It downloads the appropriate Sysinternals tools, runs SigCheck.exe against each process image (executable), and then presents you with a list of "suspects" ready for the chopping block. You answer Y (yes) or N (no) to kill each one or spare it. Keep in mind that the unwanted software can certainly be re-spawned, so this is not a permanent solution until it has been removed from wherever it starts; you will still want to follow steps 6 and 7 manually until I can automate that part too.
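The following is an added example of the friend/foe classification and the suspend-then-kill loop from steps 4 and 5, not the BadASS script itself. It substitutes the built-in Get-AuthenticodeSignature cmdlet for SigCheck.exe so that it runs without downloading anything, and calls NtSuspendProcess/NtResumeProcess from ntdll.dll because PowerShell has no suspend cmdlet. The trusted-signer list, the BadAssDemo namespace and all function names are assumptions for illustration. Run it from an elevated 64-bit Windows PowerShell 5.1 session (a 32-bit session cannot read 64-bit process paths).

```powershell
# Added example, not the BadASS script. Elevated 64-bit Windows PowerShell 5.1.

# Assumed static "trusted" list of signer common names, as Process Explorer's
# Verified Signer column shows them. Extend to taste. The PC manufacturer is
# added dynamically, as the post describes.
$script:TrustedSigners = @('Microsoft Windows', 'Microsoft Corporation', 'Microsoft Windows Publisher')
$oem = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
if ($oem) { $script:TrustedSigners += $oem.Trim() }

# PowerShell has no suspend cmdlet, so call ntdll directly (hypothetical namespace name).
Add-Type -Namespace BadAssDemo -Name Native -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
[DllImport("ntdll.dll")] public static extern int NtResumeProcess(IntPtr hProcess);
'@

function Get-ProcessVerdict {
    # Classifies every running process whose image path is readable:
    # unsigned/invalid signature => Foe; valid but untrusted signer => Foe; otherwise Friend.
    param([string[]]$Trusted = $script:TrustedSigners)

    foreach ($p in Get-Process | Where-Object { $_.Path }) {
        try   { $sig = Get-AuthenticodeSignature -FilePath $p.Path -ErrorAction Stop }
        catch { Write-Warning "Cannot read signature of $($p.Path): $_"; continue }

        $signer = ''
        if ($sig.SignerCertificate) {
            # Subject CN of the signing certificate
            $signer = $sig.SignerCertificate.GetNameInfo(
                [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        }

        $verdict = if ($sig.Status -ne 'Valid')            { "Foe: $($sig.Status)" }
                   elseif ($Trusted -notcontains $signer)  { "Foe: untrusted signer '$signer'" }
                   else                                    { 'Friend' }

        [pscustomobject]@{
            Id = $p.Id; Name = $p.Name; Path = $p.Path
            Status = $sig.Status; Signer = $signer; Verdict = $verdict
        }
    }
}

function Set-ProcessFrozen {
    # $Frozen = $true suspends the process, $false resumes it. Returns $true on success.
    param([int]$Id, [bool]$Frozen)
    try {
        $handle = (Get-Process -Id $Id -ErrorAction Stop).Handle
        $status = if ($Frozen) { [BadAssDemo.Native]::NtSuspendProcess($handle) }
                  else         { [BadAssDemo.Native]::NtResumeProcess($handle) }
        if ($status -ne 0) { throw ("NTSTATUS 0x{0:X8}" -f $status) }
        return $true
    } catch {
        Write-Warning "Could not $(if ($Frozen) {'suspend'} else {'resume'}) PID ${Id}: $_"
        return $false
    }
}

function Invoke-Sanitize {
    # Steps 4 and 5: freeze every suspect first, then decide about each one.
    $suspects = @(Get-ProcessVerdict | Where-Object { $_.Verdict -like 'Foe*' -and $_.Id -ne $PID })
    if ($suspects.Count -eq 0) { Write-Host 'No suspects found.'; return }

    # Suspend everything before killing anything, so a "brother" cannot respawn its sibling.
    foreach ($s in $suspects) { $null = Set-ProcessFrozen -Id $s.Id -Frozen $true }

    foreach ($s in $suspects) {
        Write-Host ("`n[{0}] {1}`n  {2}`n  {3}" -f $s.Id, $s.Name, $s.Path, $s.Verdict)
        $answer = Read-Host 'Kill it? (Y/N)'
        if ($answer -match '^[Yy]') {
            Stop-Process -Id $s.Id -Force -ErrorAction SilentlyContinue
        } else {
            # Spared: resume it rather than leaving it frozen
            $null = Set-ProcessFrozen -Id $s.Id -Frozen $false
        }
    }
}

Get-ProcessVerdict | Sort-Object Verdict, Name | Format-Table Id, Name, Status, Signer, Verdict -AutoSize
Invoke-Sanitize
```

Two caveats a practitioner should keep in mind: protected and system processes will refuse the handle that suspend needs, which the script reports as a warning and moves on from; and if Windows system binaries show up as NotSigned, the catalog signature lookup is failing on that machine and SigCheck.exe, which the post uses, is the more thorough check.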

Download the BadASS PowerShell script from my personal OneDrive at:
http://aka.ms/ClintH
... and then go to the BadASS folder.

Also, I will likely convert this into some kind of PowerShell module and publish it to the PowerShell Gallery soon.

I hope this makes your life a bit easier.
