Windows sysinternals

430 Part III Troubleshooting—”The Case of the Unexplained...”
When Paul started the laptop and entered his son’s password, a full-screen, always-on-top
window took over the screen. It claimed it was an anti-malware program and listed what it
said were numerous types of malware infecting the computer. It then demanded valid credit
card information before it could remove the “malware” that it had found. However, this
program was not the reputable anti-malware brand that Paul had purchased and installed
(yet had allowed this particular piece of malware to run).
Aaron popped in a CD containing the Sysinternals utilities and tried to run Procexp, Autoruns,
and others. None would start. Thinking about the “Case of the Sysinternals-Blocking
Malware” (earlier in this chapter), he tried running Desktops, but that failed to launch
also. The malware allowed no new process to run, including Command Prompt, Windows
PowerShell, or Task Manager. At most, the frame of a window would begin to appear, and
then immediately disappear.
Aaron restarted the computer in Safe Mode with Command Prompt, which loads a minimal
set of drivers and runs Cmd.exe instead of Windows Explorer. It also processes very few ASEPs
(described in Chapter 5, “Autoruns”). The malware did not launch at this point, indicating
that it depended on one of those ASEPs. Aaron ran Autoruns, opting to verify signatures
and to hide Microsoft and Windows entries. He found a number of suspicious items, including
several file-sharing programs, Internet Explorer toolbars, and browser helper objects,
each of which he disabled rather than deleted (shown in Figure 18-5), in case he changed his
mind later. The dates on the folder locations where these items were installed indicated that
they had been there for a long time and were therefore not the likely cause of the current
problem.
FIGURE 18-5 Autoruns in Safe Mode, disabling suspicious entries.
www.it-ebooks.info