Friday, August 8, 2008

Sysinternals Rocks

I just wanted to say that Windows Sysinternals is probably the single most valuable set of tools I have ever used. Here are my top picks:

Autoruns - Since discovering this tool, I haven't touched HiJackThis. If you're checking a system for spyware, this is probably the single best tool to check all of the entry points for possible malicious programs.

Process Monitor - This is the "marriage" of two of their older tools, FileMon and RegMon. I can use this program to troubleshoot problems with missing files or registry keys, or to see what a suspicious application is accessing on the system.

Process Explorer - This program is like Task Manager on crack. In addition to listing the open applications, as well as process trees, I can see which application has a particular DLL loaded. When using this for spyware removal, you can suspend processes that you can't kill (lsass.exe or winlogon.exe) but that can host active malware, so you can clean up without the program adding itself back in.

TCPMon - This is like netstat, but with a much nicer interface, and you see the connections in real time (even rerunning netstat every second can miss some things).

Also check out BgInfo, PSTools, RootKitRevealer, and just about every other application on their site.

Just yesterday, I was checking some antivirus logs at a client site and we noticed several machines had old infections of soundmix.exe. The AV program could not remove it since it was currently active and couldn't just be killed. So we took a look at one of the machines and the first program I ran was Autoruns. I saw that the program had hooked itself into exefile so it was launched every time you ran an executable. However, it would come back on its own even if you removed it and killed the process.

So I ran Process Monitor (procmon) to see what exactly the application was doing. I noticed that it was polling the root of the C: drive for a file named stop.txt every second. Out of sheer curiosity, I ran the command "echo. > c:\stop.txt" just to put a file out there to see what it would do. Within a second, I saw the process terminate and the threads exit in procmon, and it removed its own entry points. This had to be the single easiest cleanup I have ever done. It did all of the work for me.

Because this was in a large, distributed network, some of these viruses had been in place for quite a while. We are being brought in to mop up after years of just getting by. Part of this process involved deploying modern antivirus clients to all of the machines. We use Kaseya to maintain this network. Rather than waiting to finish deploying all of the AV clients, I just wrote a Kaseya script to place the stop.txt file in the root of the system drive, and then removed the files.

By pushing this script out to every machine on the network with Kaseya, we were able to make sure that it was removed on a broad scale in a matter of minutes. Since the script tested for the existence of the file before performing any of the steps, there was no reason to not just run the script on every machine in the organization, which can be done with about two clicks once the script is written.
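Here is what a cleanup script along those lines can look like as a plain batch file, written as an added example rather than the actual Kaseya script from the post. It assumes soundmix.exe sits in %SystemRoot%\system32 (the post never says where it lived, so that path is a placeholder) and that the exefile hook lives in the standard HKCR\exefile\shell\open\command key; it only acts on machines where the file exists, drops the stop.txt kill-switch, waits for the process to exit on its own, and then checks that the exefile handler is back to the Windows default.

```batch
@echo off
rem Added example, not the author's Kaseya script. The malware path is an
rem assumption (placeholder); the post does not say where soundmix.exe lived.
setlocal
set "MALWARE=%SystemRoot%\system32\soundmix.exe"
set "KILLSWITCH=%SystemDrive%\stop.txt"
set "EXEKEY=HKCR\exefile\shell\open\command"

rem Only touch machines that actually carry the file; everything else exits cleanly,
rem which is what makes it safe to push to every machine in the organization.
if not exist "%MALWARE%" (
    echo %COMPUTERNAME%: soundmix.exe not present, nothing to do.
    exit /b 0
)

rem Drop the file the malware polls for. echo is a cmd built-in, so no new
rem process has to be launched through the still-hooked exefile handler here.
echo.> "%KILLSWITCH%"

rem Give it up to roughly 30 seconds to notice the file and exit on its own.
set /a TRIES=0
:wait
ping -n 2 127.0.0.1 >nul
tasklist /FI "IMAGENAME eq soundmix.exe" | find /I "soundmix.exe" >nul
if errorlevel 1 goto gone
set /a TRIES+=1
if %TRIES% lss 30 goto wait
echo %COMPUTERNAME%: soundmix.exe still running after 30s, needs manual cleanup.
exit /b 1

:gone
rem Process is gone, so the binary is no longer locked; remove it and the kill switch.
del /f /q "%MALWARE%"
del /f /q "%KILLSWITCH%"

rem Verify the exefile handler is back to the Windows default, "%1" %*.
rem The post says the malware removes its own entry points; this confirms it
rem instead of trusting it, since a leftover hook would break every exe launch.
reg query "%EXEKEY%" /ve | findstr /L /C:"\"%%1\" %%*" >nul
if errorlevel 1 (
    echo %COMPUTERNAME%: exefile handler still modified, review %EXEKEY% by hand.
    exit /b 2
)
echo %COMPUTERNAME%: soundmix.exe removed, exefile handler is default.
exit /b 0
```

The exit codes let the management platform flag the machines that needed manual follow-up rather than silently treating every run as a success.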

It is these types of tools, and management platforms like Kaseya, that have enabled (yes, those in the IT consulting space might see the pun there) small consulting businesses like ours to maintain much larger user bases without increasing staff. The ratio of users to consultants is able to increase without losing our ability to take care of the clients.

My next project on this network is to get about 175 machines across 12 locations onto the newly created domain (they're in workgroups now) while preserving the user profile. Should be fun!