Stopping Unstoppable Malware?
A frustrated troubleshooter asks: "I've recently been asked to fix a friend's computer, and for once, I'm stumped. There is a piece of malware on his computer that puts up Aurora popup windows. Neither Spybot nor Ad-Aware detect this, so I've had to try to manually clean the system. However, the files re-write themselves, making the malware grow back as fast as you can remove it. The only "solution" is to run an uninstaller written by the people who wrote the Aurora pop-up itself. Has anyone dealt with this particularly painful piece of pop-up programming, and if so, how have you successfully removed it?" What other pieces of malware have you found that were difficult to remove? Aside from using programs like the aforementioned Spybot and Ad-Aware (and others of their ilk), what other methods of malware removal have proven to be the most successful?
even in Windows. Remove the registry keys, keep killing the tasks and then remove all the files.
IE Popups (I don't use IE so this is pretty annoying.) Nothing removes it properly. SD startup watcher can't prevent its install.
I'm formatting this weekend.
You need advanced trojan detection to fully eliminate malware. You need Trojan Hunter as well as Trend Micro Housecall in addition to Spybot and Adaware. At the Trend Micro site, be sure to choose the complete scan. Also, you may have to run Trojan Hunter in Safe Mode along with Adware and possibly Spybot. It depends how much malware is left over after the scan. Some of it might not be able to be removed unless you boot into safe mode. If you run less than those four programs, you will probably miss some malware. I'm saying that from my own experience. The four programs essentially compensate for one another.
One, look for the Hitman Pro anti-spyware utility. Two, if you really need help, look for KillBox and follow the directions to kill the process and delete the files. Three, good luck.
Sig Hansen?
Here's how to do it on Win2k:
step 1) try to kill off all the procs you can. Most malware will say "Access Denied", but some can be killed.
step 2) delete all the DLLs and ActiveX controls from your IE Downloads directory. Many of them will be held 'open' and won't be deletable.
step 3) check the start menu -> Startup folder. Delete any links from here that aren't familiar.
step 4) open your system services (from Computer Management; Administrative tools, whatever). Check for any services that look fishy. I typically sort them by status and look at the 'started'/active services.
step 5) open the registry (RegEdit) and search for "RunOnce"; directly above it will be "Run". We don't search the registry for "Run" because it appears like 1000 times. Delete any keys in the "Run" folder that don't look right. Search about 3 more times for this entry - it appears in multiple places.
step 6) unplug the machine (DON'T power it down). Some malware will try to reinsert registry keys at shutdown. Worst case scenario here is that you get a checkdisk warning/error at startup.
step 7) start the machine back up in DOS mode (or Safety with DOS prompt). Go back to the Internet Explorer Downloads directory and delete the DLLs/ActiveX controls. They should get deleted now because the malware processes won't be holding the files open.
step 8) Reboot.
step 9) open the registry back up and see which processes re-inserted registry keys in the "Run" folder (see step 3 above).
I had one particularly nasty one (News.net) that Spybot couldn't delete. I finally killed it by using the process I described above. The trick with news.net, however, was to pull the plug IMMEDIATELY after deleting the registry key. The malware process re-inserts the registry key every 2 seconds, so I had to delete the key and pull the plug on the machine before it could re-insert the registry entry. One of the tricky things that news.net did was not allow me to search in RegEdit. So I used Spybot's startup/registry tool to remove the key. News.net was somehow able to circumvent Spybot's registry blocker.
As I'm writing this, I'm using a Windows 2k(sp2) machine from 2001. It hasn't been remastered since then and it's my daily driver. Interestingly, I've never done a single Windows Update on it, and I have fewer problems with exploits and malware than I've had on the 4 other machines that I've had to remaster (again and again) that I ran Windows Update on frequently. Maybe none of the malware writers are wasting time with the old exploits because they figure they've all been patched. Luckily for me, by not doing Windows Update, I've saved myself from all of the Exploits that the new patches have created.
I'm running Office 2000, Firefox, and Thunderbird. I never ever use IE or Outlook, ever. Oh yeah, and I also use a modified hosts file (from http://accs-net.com/hosts/) for ad/malware blocking.
Oh yeah, and use TeaTimer and SpybotSD services to prevent new spyware/malware.
Happy computing.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
After all the time you spend cleaning it, it's probably faster to just backup his important files and re-install. And tell him to browse his porn with Opera or Firefox.
I came up with this one last year while going through a similar problem - I managed to delete a number of files the malware was using and then discovered it was repopulating itself from one source file I couldn't get rid of. So, I repermissioned the file so no one had access to it except some made up account I created on the spot. I think I even used negative NTFS permissions (block access to this file to System, Administrators, etc.). There were some more steps such as searching and removing every instance in the registry of any file that this thing copied, but the NTFS repermissioning was the key.
If you are on Win9x or have FAT32 on your drive, this won't work for you... but good luck anyway.
Finally, I hate to give in, but go ahead and run the uninstaller - their malware already 0wnzors the computer you are working on, this is not likely to make it any worse...
-Jack Ash
PS: Another thing you might try is booting up one of those WinPE environments (bootable windows on a cd) floating around the net, and deleting it from there...
Boot into Safe-Mode first, then... ...do everything else that will be suggested here.
Ditch M$ and install Linux!
Unplug the hard drive, and dump it into a specially-configured "disinfectant" computer. Make sure it has up-to-date malware scanners - the four mentioned earlier should do the trick - and then scan it a lot. That should help get rid of some that loads on bootup. Then you might have to go in by hand to get rid of the rest, but it should get you started.
http://unelite.freelinuxhost.com - Rock/Scissors/Paper and RPGs shouldn't mix.
After playing whack-a-mole with processes that would respawn themselves after being killed via task manager and would re-write themselves into the registry if you deleted the reg key, I finally remembered to start up in Safe Mode (press F8 repeatedly as soon as your computer finishes POST) and then remove the keys. My kid borked up a machine pretty bad and after running SB:S&D and AA that was what it took to kill the last little bugger.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
one other thing that SOMETIMES works is that although they don't allow themselves to be deleted, these files do like to be copied. So try Cut/Paste into the recycle bin, then Empty it. Has worked a few times for me.
if you stop it, then it's not stoppable, is it?
:)
otherwise, you would need to make it stoppable first.
You can't stop an unstoppable malware program, by definition. So, to say that you can stop an unstoppable malware program would imply that the program wasn't truly unstoppable.
Which leads me to the next question: God is omnipotent, so I wonder, could God create a malware program that even HE could not remove? If you have a computer that is behaving badly, start it working on that problem. While it's distracted and busy trying to figure it out, WHAM, you hit it in the head, just like Captain Kirk in that M-5 episode.
Fascism trolls keeping me up every night. When I starts a preachin', he HITS ME WITH HIS REICH!
With another piece of crapware.
Got rid of it with a combination of SpySubtract and System Restore under XP. I don't know if SpySubtract will work, but it's free for 30 days and worth a shot.
Incidentally, did you google for some help?
Religion is for people afraid of going to hell.
You need to use HiJack This. http://www.spywareinfo.com/~merijn/downloads.html
This program doesn't actually detect spyware/adware/malware, but rather it shows all items that are currently loaded on your system. It does have some helpful hints as to what these items might be, but doesn't specifically tell you if something is malware. You have to be savvy enough to figure it out yourself. I've gotten rid of a few nasty progs with this helpful tool.
Stop downloading Porn.
Curious, Ad-Aware and Spybot now include "report ware" or whatever they call it; is there any truly free 3rd party program scanner?
I've been hit a couple times by downloading shareware with addons, or some popup that both have ignored, that leads me to a DLL/Reg hunt also.
Even Microsoft's beta scanner doesn't catch them. Was wondering when someone would bring this up on Slashdot, it's been crazy.
I have found that very little if any spyware ever shows up on my Windows computer if I have Microsoft Anti-Spyware Beta 1 installed. It has grabbed a few things, and kept me relatively nuisance free.
KillBox
Tech Guy Support Forums
and most notable: MyPCTuneUp which I am assuming is that Aurora Uninstaller you were talking about. According to the forum link above, the uninstaller really works. And it can't hurt to try, considering Aurora has already hijacked your PC, what more can an uninstaller do besides uninstall the malware.
And from personal experience, I've had a few Malware uninstallers from the official company that did a better job removing the malware than SpyBot, MS Anti-Spyware, and Lavasoft Ad-aware.
removing ALL start-up programs is really dirty.. that should be a last resort thing.
http://www.spywareinfo.com/~merijn/downloads.html Hijack This will create a log of possible malware. Google all the entries to figure out which ones aren't legit. Not always easy since some malware will randomly rename themselves. Remove questionable entries, either by googling the specific manual removal instructions or let HT delete the entry for you. Also use msconfig to turn off all startup items. Then go to "services", hide the MS services and turn off everything left. Reboot. Turn all services left and reboot. Turn on each item turned off and reboot till malware shows itself. Once the baddie is located, research manual removal instructions. I had a similar problem with my PHB's wife's PC. The above helped, though the biggest problem turned out to be that there were 6 worms hiding out and turning Norton off at each reboot. Had to download and burn to CD 20 something worm/virus detect and removal progs.
I've been experimenting with combinations of software for security, and this is by far the best combination for general use:
FireFox (Browser)
Avast! Home Edition (Anti-virus)
Part of my experiment was to operate as an Administrator at all times. I've been running like this for several months now, and have not encountered a single problem!
No viruses, No Spy-ware/Mal-ware, no annoying restrictions (I'm not using SP2).
Anyone else use this combination? It is by far the strongest combination I've ever used.
I just pooped your party.
Burn the important files to CD. Get an external harddrive, whatever.
Then nuke the harddrive and start over. In my experience going through the pain of finding all of the problems is worse than finding old install disks. You can also start with a clean build of XP SP2 which makes it *much* harder to get infected.
When you image the machine, make sure you set up at least two partitions so starting over in the future is less painful.
A speech...
...therefore the only secure option is to format and reinstall from a known good backup. Otherwise, there's a big unknown whether or not you got rid of the compromising situation. Perhaps now is a good time to consider a platform that doesn't make your problem inevitable.
Help us build a better map!
Interesting that this story should show up the day after I spent several hours trying to reinstall a friend's downed computer.
:)
The symptoms it had when I got there were: the mouse didn't work, and various "properties" pages wouldn't come up, like "System" in the control panel did nothing, right clicking "My Computer" and clicking properties didn't work either, but clicking "Manage", and going to the device manager did work.
In there, I noticed several strange things like yellow exclamation marks on the "Terminal server keyboard", "Terminal server HID mouse", etc. I disabled those, and the mouse began working again, but a dialog came up telling me the machine would reboot in 1 minute, so I opened 'cmd', and tried to cancel the shutdown, but it would reappear every time I did.
At this point I told him it was probably best that we reinstall, because I couldn't guarantee I could destroy either the virus/trojan/malware itself, or the source of infection. So I started the XP install, deleted the partition, created a new one, and tried to format it with NTFS. It spent a half hour doing that, and then said something to the effect of "Windows is unable to format this device due to corruption". Soooo.. I booted Knoppix, downloaded Maxblast, did the diagnostic thing (which said the drive is fine) in that, zero'd the drive with it, and tried again. Same damn message.
So I figured I would try booting a Win98 cd, and try with a FAT32 partition which I created and formatted there. When I booted the WinXP cd, and picked the FAT32 partition, and picked the 'leave filesystem intact (no changes)' option, it said "Windows had modified the partition table and must be restarted". And now it just keeps doing that.
I'm heading back there shortly to take another round at it, so if anyone has any suggestions I'd love to hear 'em.
AdAware & Spybot weren't that good lately. And surprisingly, MS antispyware is very good (although slow)
One that hath name thou can not otter
Comb through the running processes. A simple google search will turn up enough information (usually). If anything is identified as malware, running regedit and doing a search for said file names will often find those keys intentionally put in random sources. Delete them. Also be sure to clear any of the said files in "%systemroot%/system32" and the like.
Asking this question here you should expect 500 replies from people telling you to install Linux and be done with it. (which you should BTW)
(I do all my perm editing from the command prompt using the CACLS utility that comes with XP)
1. Instead of having to create a bogus account and deny specific users, just use the command-line switch "/D Everyone" to do the same thing. By doing this you are explicitly denying everyone access to that particular file, which gives the added benefit that Windows will not be able to start the process after a reboot! NOTE: Use this with caution! Please do NOT try to execute this command on, say, any files or directories needed for Windows to run!
2. Once you have found and edited the ACLs of the offending processes, reboot the machine. See if any other rogue processes start, and if so repeat step 1 on those.
3. All the registry entries used by the spyware will still be there, but since the reboot they can't run, i.e., you can now delete the reg entries without them coming back.
4. Once you are certain you have found and deleted all the malware entries in "Run", "RunOnce", the Startup folder, etc., re-edit the ACLs of all the malware files (you wrote them down, right?) so that you can delete them (easily done by granting Everyone Full Permission: "cacls /G Everyone:F")
5. To get rid of bogus / malware Services, do the above and then find the Services reg key (HKLM\System\CurrentControlSet\Services) and look for the malware filenames (found by viewing the properties of the service in the Services applet). NOTE: Do NOT delete random keys here...that can be rather dangerous for the stability of the system! When in doubt, leave the entry. As long as the file is safely deleted using the above methods, it should not come back. This process is only to make the malware service disappear from the Services applet.
6. The last tip I have is to use a free utility from SysInternals called RegMon. It monitors the registry hives for any process making changes. Malware and spyware are seemingly *always* making changes, which means they will be rather easy to spot. Use the Filter option liberally to filter out generic Windows processes and other known good ones. By using this method, you may find malware processes accessing the registry that DO NOT SHOW UP in Task Manager or directory listings. While these files definitely exist, they are hooked into the OS in such a way that they hide their presence. You can neither find these files in Explorer, nor using "dir" in a command prompt...but CACLS will still operate on them! (I had to use this method to clean a laptop over the weekend...12 hours of cleaning, because the girl couldn't find her WinXP Home CD, and I didn't have one laying around--irritating, to say the least.)
Now for the usual disclaimer: I am a sysadmin, I know what I'm doing, and I'm responsible for what I screw up. I am NOT responsible for your screwups though, so please be VERY careful when using the above methods...you can really hose your system if done improperly. If you feel like this is a bit too tech for you, I highly recommend SpyBot S&D and TrendMicro's HouseCall. In fact, I used both of those on that laptop along with the above methods to clean the thing entirely.
Happy malware hunting!
There's enough tutorial here to get you started, after you (hopefully) remove the spyware from your friend's computer..
1. Get him a decent firewall that you can configure to only let certain executables through. I like sygate firewall.
2. Delete or disable Internet Explorer, if that's too extreme, remove it from the desktop.
3. Install FireFox
4. Uncheck "Hide extensions for known file types.", this is in Tools -> Folder Options..., in explorer
5. Tell him not to run any executable pr0n he downloads off of p2p.
6. Install Firefox & Thunderbird, tell him to never use Outlook & IE again.
it's a sig, wtf?
Step 1: back up all of the data on the machine that you care about. Try not to back up any applications.
Step 2: Reformat the hard drive. Reinstall. Patch, patch, and patch some more. Get the AV and anti-spyware tools in place. Reinstall applications. Restore backups.
Think of it as a test of your backup program.
Forward, retransmit, or republish anything I say here. Just don't misquote me.
Try using all of these programs:
Microsoft Anti-Spyware
Spybot
AdAware
HijackThis
Those are 4 programs I run regularly. I usually do these in this order:
1) Update all definitions in all programs
2) Reboot to Safe Mode
3) Run Add/Remove Programs and remove any unknown programs
4) Run AdAware, remove all infected files
5) Run Spybot, remove all infected files
6) Run Anti-Spyware, remove all infected files
7) Run HijackThis, remove all non-system files (only run this if you are an expert at it)
8) Clean out Internet Explorer Cookies
9) Clean out ALL temp files
10) Clean out all unknown files in the Windows & System32 directories (again, expert only)
11) Reboot (pick safe mode again)
12) Run all of the scanners again to be sure of removal
13) Reboot into normal mode, run scanners AGAIN (to verify)
Obviously if malware comes back shortly (within 10 minutes or so) check Services (start --> run --> "services.msc") and remove any that you don't recognize.
The only piece of malware that I haven't been able to remove was a variant of CoolWebSearch. Not even CWShredder got rid of it (or even detected it) as well as all of the other cleaners.
Good luck.
I had a similar problem.
A friend's computer was so badly infected with various kinds of malware that it had almost no spare cycles left for actual work.
I tried all the usual approaches, asked for help on the free PC support sites, downloaded and ran every anti-spyware that I could lay my hands on but still couldn't remove everything.
Then I removed the ineffective Norton AntiVirus from the machine and installed the free avast! 4 Home Edition.
It restarted the machine, cleaned up everything, restarted again and no problems so far.
format c:
www.sysinternals.com Lotsa good stuff. Especially:
- filemon
- regmon
- process explorer
- rootkitrevealer
For filemon and regmon be sure to set some filters or you will be deluged with info on every process running on the system.
assert(birth_date<time-86400)
Funny you should ask :) I just removed this very same program from a friend's computer this weekend. I searched all over the web to find out how to remove it. The best answer I got was here.
I loaded Ewido Security Suite, rebooted, and on the way up, it detected and removed all traces of it (as far as I could tell).
Also consider booting into safe mode. In safe mode, Aurora's software isn't loaded, and you can do all sorts of interesting things.
-- bab
I hesitate even asking this because it probably insults your skills, but, not knowing your skill level, did you turn off System Restore (Win XP) before attempting manual removal? After you successfully remove the malware, reactivate System Restore.
Ignorance is curable, stupid is forever.
Hey guys, it's not really advisable to install anti-spyware software in order to get rid of a specific trojan. What you might end up doing is installing something that disables your trojan but then it installs another trojan(s).
i would recommend backing up your files, doing a windows re-install (takes 1-2 hours), install microsoft anti-spyware ONLY and then just being more careful in the future.
-- Betting on the survival of the media industry is a serious risk. I advise investing elsewhere.
You might want to look into Bart PE. It is a program to create a bootable CD that runs Microsoft's Pre-execution Environment. There is a plugin for Ad-Aware, and you may be able to find plugins for Spybot-SD and MS Antispyware beta (not sure though). This is useful, because you are now running a lite version of your MS OS from the CD. The antispyware software should now have a much easier time removing files, since the OS won't have them open.
Here is the link to save some time.
http://www.nu2.nu/pebuilder/
How about reinstalling Windows and then setting up a limited user account for daily use so this crap never happens again? Seriously, anyone running as admin on Windows is just asking for a borked system. You could also spend hours trying to fix malware and still not be sure if it's all gone; might as well spend that time on a sure-fire fix.
You're going to want to get a few things first, and you're going to need some time to do this.
First get these. Do a google search if you don't know where to get them.
HijackThis
Microsoft Antispyware
spywareblaster
winsockfix (it's at majorgeeks if you do a google search)
First off, make a restore point, then if you can't get online at all run the winsock fix which should fix that, then install spywareblaster, update it and enable all protection.
From there update all of your existing anti-virus/anti-spyware to the latest revisions and defs, then install Microsoft Antispyware and update it to the latest defs. The reason you want MSAS is because MSAS will start prompting about any questionable activity it detects. Make sure you set anything it considers questionable to block or remove. This will at least give you a general idea what to look for and keep the reinfection down to a point. Then in MSAS, do a full system scan. Remove everything that it finds and restart the PC in safe mode with no network.
When it boots up in safe mode, stop and keep in mind that if you open up any explorer windows you just reinfected your PC again, so make sure everything you need is on the desktop or accessible in the start menu. From there do another scan with MSAS, as well as any other anti-virus/spyware app you updated in the first part with full system scans. Then using the command prompt, delete everything in the following folders
C:\documents and settings\\local settings\temp
C:\documents and settings\\local settings\temporary internet files
C:\windows\temp
From there run hijackthis and look it over. Anything you see in there that looks questionable, you remove. In particular, startup entries going to temp folders, random named exe files, exe files in C:\windows or C:\windows\system32 and any BHO or DPF that you can't remember installing, or that has the word search, bar, smiley, sounds fishy or like it's trying to benefit something that should be ok by itself, especially if you don't have it, such as "Microsoft Antispyware Helper" (yes I saw a real nasty one using this as its name). If you are really in doubt, and have access to another machine, go to http://www.hijackthis.de/en, put the hijackthis log into it, and it will tell you what to delete and why. After you clean it up make a clean log from hijackthis and restart.
From there restart and it should be clear or relatively clear. If it's not, then run hijackthis again and compare it to the old file. It should give you clues on what to look for, but there is a good chance that your system is rootkited (something rootkitrevealer will tell you). If it is, I'd recommend a reinstall since there's no telling what's going on in the background, but if you still need to clean it the only way is to insert the hard drive into another PC and do another full anti spyware/virus scan on the drive, or use pebuilder to boot the machine into windows and do it that way.
In Soviet Russia, Trojan exploits YOU!
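The triage rules from the HijackThis post above (temp-folder launches, executables dropped straight into Windows or system32, random file names, bait names like "search", "bar", "smiley" or "Antispyware Helper"), as an added Python example that is not part of the thread or of HijackThis itself. The line layouts follow typical HijackThis O4/O2/O16 log lines, the point weights are my own assumption, and the sample log is constructed with placeholder CLSIDs and hosts:

```python
"""Score HijackThis-style log lines with the heuristics from the post above.

Added example, not code from the thread or from HijackThis. A score is a
reason to research an entry, not a verdict: legitimate system entries also
live in system32 and will collect a point, so verify before deleting.
"""
import re
from dataclasses import dataclass, field

TEMP_DIRS = ("\\local settings\\temp", "\\temporary internet files", "\\windows\\temp")
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system32", "c:\\winnt", "c:\\winnt\\system32")
BAIT_WORDS = ("search", "bar", "smiley", "antispyware helper")

# Line layouts as HijackThis prints them:
#   O4 - HKLM\..\Run: [Name] C:\path\file.exe /args
#   O2 - BHO: Description - {CLSID} - C:\path\file.dll
#   O16 - DPF: {CLSID} (Description) - http://host/file.cab
O4_RE = re.compile(r"^O4 - \S+: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]*\} - (?P<path>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]*\} \((?P<name>[^)]*)\) - (?P<url>.+)$")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def hit(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def image_path(cmd: str) -> str:
    """Return the program path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ")[0]


def random_looking(basename: str) -> bool:
    """Crude check: a 6+ char stem mixing digits and letters, or with no vowels."""
    stem = basename.rsplit(".", 1)[0]
    if len(stem) < 6:
        return False
    has_digit = any(c.isdigit() for c in stem)
    has_alpha = any(c.isalpha() for c in stem)
    vowels = sum(c in "aeiou" for c in stem.lower())
    return (has_digit and has_alpha) or vowels == 0


def score_line(line: str) -> Finding:
    """Apply the heuristics to one log line; unknown line types score 0."""
    f = Finding(line=line)
    if m := O4_RE.match(line):
        name, path = m.group("name"), image_path(m.group("cmd"))
    elif m := O2_RE.match(line):
        name, path = m.group("name"), m.group("path").strip()
    elif m := O16_RE.match(line):
        name, path = m.group("name"), m.group("url").strip()
        f.hit(1, "ActiveX (DPF) download: confirm you installed it")
    else:
        return f
    lp = path.lower()
    base = lp.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
    parent = lp[: len(lp) - len(base)].rstrip("\\/")
    if any(t in lp for t in TEMP_DIRS):
        f.hit(3, "launched from a temp folder")
    if parent in SYSTEM_DIRS and base.endswith((".exe", ".dll")):
        f.hit(1, "file sits directly in Windows or system32")
    if random_looking(base):
        f.hit(2, "random-looking file name")
    if any(w in name.lower() for w in BAIT_WORDS):
        f.hit(2, "name uses a bait word")
    return f


def triage(log: str, threshold: int = 2) -> list:
    """Findings at or above threshold, highest score first."""
    hits = [score_line(l) for l in log.splitlines() if l.strip()]
    return sorted((h for h in hits if h.score >= threshold), key=lambda h: -h.score)


# Constructed sample log; the CLSIDs and the host are placeholders, not real ones.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [Microsoft Antispyware Helper] C:\\WINDOWS\\system32\\xk4j9q2.exe
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\user\\Local Settings\\Temp\\upd.exe
O2 - BHO: Search Toolbar - {00000000-0000-0000-0000-000000000000} - C:\\Program Files\\SearchBar\\sbar.dll
O16 - DPF: {11111111-1111-1111-1111-111111111111} (Smiley Pack) - http://example.invalid/smiley.cab
"""
```

Running `triage(SAMPLE_LOG)` ranks the bait-named random executable in system32 first, the temp-folder launcher and the DPF entry next, and leaves the genuine ctfmon.exe entry below the threshold.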
KIRA
About the deflector array -- is there any way to use it to deactivate the malware?
ROM
[confident]
Nope! I designed the files to be self-replicating. The only way to keep them from replacing themselves is to isolate them in an anti-graviton beam. The deflector array can't do that!
[Suddenly something occurs to him...]
Unless... you reconfigured the field generators...
[confidence crumbling]
-- and re-focused the emitters...
[deflated]
Which would turn the deflector array into one big anti-graviton beam!
KIRA
How can we disable the deflector array?
ROM
All you have to do to is access the EPS feed and overload the waveguide.
KIRA
Let's do it.
What the hell? So many comments, and nobody has yet mentioned safe mode?
As every tech support monkey knows, the first thing to try if malware keeps replacing itself is to run your scanner in safe mode, to stop said malware loading itself up in the first place. Upgrade your scanner first while still connected to the net, then restart the computer in safe mode and wipe out the little bastards to your heart's content.
You see, i hate using all these miscellaneous programs to find trojans. partly because i want to go in and quickly fix a person's problems.
The first thing i recommend is the Startup Control Panel which installs a very handy control panel. It will show you every startup that Windows has, including the registry-only ones that aren't apparent to the user. Install, run, and see what starts with the computer.
open the Task Manager (Ctrl-Shift-Esc), and using "End Process Tree," shut off any programs that you found in the Startup Control Panel
Then go in to the Startup Control Panel and turn off their registry entries for startup. If you've shut down the process, it won't reregister. then you can worry about tracking down the files later.
This has never failed me, regardless of the malware. Frankly, it surprises me how reliable it is. The one other concern is maybe you end up shutting down an infected vital system process (one virus not worth mentioning that infected lsass.exe). If in the process of killing processes, the computer suddenly says it's shutting down in 30 seconds (which happens when you kill the lsass process), then hit Windows-R for a run dialogue, and type "shutdown /a" which will abort the shutdown command, and allow you to continue your cleanup.
Good advice.
Back up important files (financial data etc.), format and reinstall the OS.
There are 11 types of people, those who know unary and those who don't.
I see a few threads in Broadband Reports' security forum.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
I ran into something nasty like this last night on an acquaintance's computer. I was sure after using Spybot, Ad-Aware, msconfig, etc. that I had gotten everything, but still weird pop ups were appearing even when I started the browsers, both IE and Firefox (home page was set to be Google). Then I noticed that the search results I was getting from Google were a little... off. Also, I noticed Google and Yahoo and a few other sites were running a little slow. No idea why I looked, but I decided to have a boo at the HOSTS file on the machine, and lo and behold, it's stuffed with 7K of redirects. Every search engine, most well known portals, the lot, all going to these bastards instead of where they're supposed to be. Which explained the popups and the slowness. They were taking the query you enter and then firing it off at the real thing and scraping the result.
I blanked the HOSTS file, and all is good now.
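A check for the HOSTS hijack described in the post above, as an added Python example that is not part of the thread. It parses a hosts file, ignores the loopback/unspecified entries an ad-blocking hosts file uses, reports every name that is redirected to a real address, and separately lists hits on a small watch list of search and portal domains (the list and the sample file are constructed; 203.0.113.0/24 is a documentation range):

```python
"""Audit a Windows HOSTS file for search-engine and portal redirects.

Added example, not code from the thread. Ad-blocking hosts files point
names at 127.0.0.1 or 0.0.0.0, so only mappings to a routable address are
reported; a hijack like the one above shows up as a long list of them.
"""
import ipaddress

# Domains an attacker most wants to proxy; extend for your own environment.
WATCHLIST = ("google.com", "yahoo.com")


def parse_hosts(text: str):
    """Yield (line_no, ip, hostname) for every mapping, comments stripped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only, or an address with no names
        for host in parts[1:]:
            yield line_no, parts[0], host.lower()


def is_sinkhole(ip: str) -> bool:
    """True for loopback/unspecified addresses, i.e. a plain block entry."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # garbage in the address column is itself worth a look
    return addr.is_loopback or addr.is_unspecified


def on_watchlist(host: str, watchlist=WATCHLIST) -> bool:
    """Match the domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in watchlist)


def audit_hosts(text: str, watchlist=WATCHLIST):
    """Return (redirects, watchlist_hits); each item is (line_no, host, ip)."""
    redirects, hits = [], []
    for line_no, ip, host in parse_hosts(text):
        if is_sinkhole(ip):
            continue
        redirects.append((line_no, host, ip))
        if on_watchlist(host, watchlist):
            hits.append((line_no, host, ip))
    return redirects, hits


# Constructed sample hosts file, not taken from any real machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
127.0.0.1       banner.example.invalid      # ad-blocker entry, harmless
0.0.0.0         ads.example.invalid
203.0.113.5     www.google.com google.com
203.0.113.5     search.yahoo.com
203.0.113.6     www.example.invalid
"""
```

On a clean machine `audit_hosts` returns two empty lists; a watch-list hit pointing at an address you do not control is the signal the post above found by eye.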
Hi frustrated person.
I think it is almost *impossible* to do this while windows is running since there are ways to hide a process from the process list.
Even when starting windows in 'safe' mode, the program can be loaded in memory.
I suggest using a Live CD (like Knoppix) and mount your ntfs partition there. Writing to NTFS is supported these days. If you are afraid to screw your ntfs partition by deleting files, then you might want to do cat '' > file so that the disk structure doesn't change but you actually erase the contents of the file.
* prepare
In windows, identify as much related files as possible
* Boot from Live CD
Erase those files
Optionally
* use an 'offline' registry editor to remove the offending keys from the registry. (google for it)
Boot windows
If needed, repeat steps
An additional note on the Live CD. Every good computer guru has one in their toolbox. Even if you are called to repair only windows systems, it still has great use. Most Live CDs detect and configure automatically all the hardware and the internet connection, so if you are missing a driver to start windows, just pop in your Live CD, download the driver and restart in windows.
While you're at it, why not ask your friend to switch to 'nix for his daily tasks (Surfing, Email, Chat, Office, Multimedia,...) and switch to Windows for games?
Kind regards
x_terminat_or_3
Only those who risk going too far can possibly find out how far they can go. T. S. Eliot
I couldn't get knoppix or knoppix STD to mount NTFS r/w.
I tried `mount -t captive-ntfs /dev/partition /mnt` but it said that captive wasn't included in both versions.
I don't fancy having to roll my own.
A blog I run for the wealth
Isn't any of this a viable option for the ubergeek?
1a. Move your precious stuff to another partition.
1b. Insert a OSS distro (FreeBSD, BeOS, Linux, Solaris x86)
I don't know many applications not found on OSS (www.freshmeat.net, sourceforge.com, www.acroread.com, openoffice.org, gimp.org, mysql, Perl/PHP, C++ compiler) that can be done reliably in place of Microsoft Windows.
I mean, I got everything I need so far, why bother with the pain of many unsecured Windows APIs?
I find the name of that process with HijackThis, which also gives the filename. It'll be in %system32%, and the spyware will be in Program Files.
The directory in Program Files will have a few .dat files which contain the .exe and the .dll in %system32%. Obviously when you delete the reg key loading the dll, or delete the spyware .exe, the process spawned from the .dll will rewrite either.
My strategy is to keep a copy of vi.exe around. I can vi the .dat, dG the file (deleting all the contents), write it, and bingo! done. It appears console apps don't go through the same permissions layer that Windows Explorer does.
So I:
- kill the spyware process
- vi and delete the contents of the .dat
- kill the process launched from the dll
- let HijackThis delete the registry entry calling the dll
- vi and delete the contents of the .dll
- vi and delete the contents of the spyware .exe
- reboot if necessary.
It's important to note that these things hook into Explorer, so opening a new Explorer or IE window starts them again. Don't do that during this process.
I have to say I'm impressed with the watchdog processes. I've always been reminded of this cool hack when fighting them.
-jpeg
I still have one small piece of spyware hiding somewhere that none of the above can find. It only runs when I run IE (which I very rarely do these days), pathetically raising popup windows with nothing in them! I haven't bothered to chase it down, since it isn't that much of a nuisance. But maybe I'll apply some of the tricks I learned today, just for the exercise!
Which brings me to the #1 anti-spyware measure: run Internet Explorer as little as you can!
I'm no expert on this kind of thing, but I have found/read that somehow this kind of software can regenerate itself via System Restore. Disable XP
System Restore (My Computer->Properties->System Restore), then run your virus scanner/spyware detector etc. again.
This has saved a couple of friends' PCs from being reformatted, so it's worth a try.
Peter
The discussion threads for this article are killing me! You silly little Windows users w/ your cadres of anti-"spyware" programs, your bordering-on-mythos secondhand, thirdhand, and fourthhand instructions on how to remove these unwanted programs, and your fun little superstitions-- you're hilarious!
I run Windows 2000 Professional on a couple of my boxes, but I don't have a "spyware" problem. It baffles me that anybody else does, at least with any of the NT-based Windows OS's.
Is it really all that hard?
The most hilarious things are the myths and superstitions. I liked the dude who suggested you should "unplug" the computer after removing "malware", because "Some malware will try reinsert registry keys at shutdown". That's suitably vague, and dangerous! Instead of just explaining WinLogon Notification Packages (the way that most of this unwanted software handles re-populating the registry with its references on shutdown) and how to disable them, the author just suggests you risk trashing your filesystem! It highlights the fact that most of you little Windows puppies don't have any idea how the OS works.
I'd clean a contaminated PC up by putting the contaminated hard disk into a clean Windows PC, accessing the registry hives of the contaminated PC, and cleaning up its filesystem and registry carefully. Then you don't have to muck around with hostile programs detecting that you're excising them and trying to put themselves back. Don't have a second PC to do that on? Get a second hard disk drive, pull the contaminated one, install a clean OS on the new drive, then strap in the contaminated drive and clean away? (Don't boot the contaminated disk, though, or you get to start all over again.) Can't afford that? Use some rigged bootable CD thingamagig and take your chances... Sucks to be you.
The trick of using NTFS ACL's to deny the unwanted software access to its own files is cute, but the authors of this software are already working around that. They usually have SYSTEM privileges-- they don't need to worry about ACL's if they don't want to. In general, the days of troubleshooting contaminated PC's while booted in the contaminated environment are fast drawing to a close.
This is the state of the art in our industry... Sheesh. I'm so proud to work in IT.
The Attitude Adjuster, I hate me, you can too.
step 5) open the registry (RegEdit) and search for "RunOnce"; directly above it will be "Run".
Sadly, you can't do that with Aurora [I was up with it until 5AM last night, and I'll be at it for the rest of tonight, and much of tomorrow]. I'll expound on the registry stuff in a moment, but first let me outline a few other things you'll have to deal with.
Aurora installs at least two services [Start | Programs | Administrative Tools | Services]; they're down at the bottom, called "Win" this, and "Win" that [I forget the exact names, but they're pretty obviously malware services]. It also installs executables and "cabinet" [.CAB] files all over your computer, as well as desktop links and web browser plugins, and probably a whole host of other things I didn't discover. And every user who logs in after the infection will get copies of this crap installed throughout the entirety of their "Documents and Settings" folder.
If you have a second copy of the operating system [at worst, take the hard drive out and install it in another computer as a secondary drive], then you can search the entire hard drive for files that were introduced on or later than the date of infection and delete MOST of the crap that was installed.
However, in our case, the underlying file that invoked "Aurora" was \WINNT\zbkiebmtvti.exe [it might have a different name for you], but it was somehow installed with a modification date of 04/09/2004 [our infection was yesterday, 05/08/2005], so a simple search on recently-modified files will not find that one [and may not find other newly-introduced files, with fake modification dates, that are lurking in other parts of your hard drive].
However, even if you disable the services installed by Aurora, and even if you could delete all the files it installs, it does something FAR more malicious - something that I've never before seen in malware, which gets back to the point I wanted to make at the beginning of this reply: At or near the registry point HKLM\Software, Aurora inserts an "infinitely large" subtree into your computer's registry [I assume that they used either the maximum size of a registry subtree in Windows, or the maximum size of an entry in the underlying MSJet database, or something similar]. When either regedit.exe or regedt32.exe encounters this "infinitely large" subtree, they both crash, and tend to exit Dr Watson style [I guess it never dawned on the poor guys who designed regedit.exe and/or regedt32.exe that someone would do something quite so evil]. You can't search beyond this "infinitely large" subtree, and neither regedit.exe nor regedt32.exe are capable of deleting any of its branches [at either the beginning of the subtree, or at its end], so you can't do the old trick of searching for "RunOnce" and then moving up one key to get to Run.
Anyway, it seems to me that anyone who would do something as malicious as purposely inserting an "infinitely large" subtree into your registry, with the intent of crashing regedit.exe and regedt32.exe, is precisely the sort of person who would install a keyboard sniffer to record your VISA and Mastercard info. So I'm basically wiping the drive clean and reinstalling the operating system from scratch.
Quite frankly, if I ever meet the bastards who wrote this crap [and who thought that it would be some kinduva nifty-cool business plan to go around inserting "infinitely large" subtrees into people's registries], then I will be sorely tempted to shoot them and throw their God-damned corpses in a swamp.
And no, I am not kidding.
I had a piece of malware that had hooked itself in the WinLogon api, so even in safemode the malware ran.
If you went into safemode, and removed the registry entries, it would put itself right back in.
The file couldn't be deleted even in safemode because the process locked the file.
The solution was, in the end, easy:
Boot to a WinXP/2000 recovery CD, go into recovery console (DOS), delete the files from there, reboot.
Windows may complain about the lack of the files, but removing the registry entries then, tidies it all up.
Try to figure out which exploit the malware used to get it, and patch it.
Oh, and why is this the almost worst? The worst is malware that hooks in at kernel level and intercepts all the api calls and removes itself from every list (directory list, process list, memory usage list, everything). You can pop into DOS, do a DIR /ah and still not see it. The file and process is effectively hidden. The process also removes its own entries from the registry, so when you list a regkey, it doesn't appear, even though it's there. :)
With this piece of malware, the only way to remove it is as follows: Produce a complete filesystem list from windows with the filename and md5sum. Then boot to a CD (eg knoppix) and produce the same filesystem list with name and md5sum, compare the results. Files that appear in the 2nd list are ones that are hidden (or unreadable).
That's a bitch to remove, I'm just hoping someone will write the tools to do it for me.
I use to have a funny sig, but slash cut it off, and I forgot what the punchline was.
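The two-listing method in the post above is easy to script, and it also answers the earlier Aurora post's point that a search for files newer than the infection date misses a dropper with a back-dated timestamp: a hash comparison ignores timestamps entirely. The script below is an added example, not code from the thread or from any tool named in it. It builds a path-to-md5 manifest in the same layout as `md5sum` output (so the Live CD side can just use `md5sum`), parses the two listings and reports what the running OS hid or misreported. The sample manifests and their digests are constructed.

```python
# Added example, not code from the thread: build a "path -> md5" manifest of a
# volume, once from inside the suspect Windows install and once from a Live CD
# with the same volume mounted, then diff the two. Anything the running OS did
# not list (or hashed differently) is where a kernel-level hook is hiding
# things; the comparison ignores timestamps, so back-dated files are caught too.
import hashlib
import os

def build_manifest(root):
    """Walk `root` and return {relative_path: md5hex} for every regular file.
    Paths are normalised to forward slashes so listings taken from Windows
    and from Linux compare cleanly."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.md5()
            try:
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        h.update(chunk)
            except OSError:
                # A file the OS lists but refuses to open is itself a signal,
                # so record it instead of dropping it.
                manifest[rel] = "UNREADABLE"
                continue
            manifest[rel] = h.hexdigest()
    return manifest

def format_manifest(manifest):
    """Serialise in md5sum's '<hex>  <path>' layout, one file per line."""
    return "".join(f"{digest}  {path}\n" for path, digest in sorted(manifest.items()))

def parse_manifest(text):
    """Parse md5sum-style lines (from format_manifest or from `md5sum` on the
    Live CD). Blank lines and '#' comments are skipped; a leading '*' (md5sum
    binary mode) is stripped from the path."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        manifest[path.lstrip("*")] = digest.lower()
    return manifest

def compare_manifests(inside, offline):
    """inside:  manifest taken while booted into the suspect Windows install
    offline: manifest of the same volume taken from the Live CD
    Returns sorted path lists:
      hidden   - present offline but missing inside (hidden from the running OS)
      modified - in both but hashed differently (the running OS fakes content)
      ghost    - listed inside but absent offline (only the running OS reports it)"""
    return {
        "hidden": sorted(p for p in offline if p not in inside),
        "modified": sorted(p for p in inside if p in offline and inside[p] != offline[p]),
        "ghost": sorted(p for p in inside if p not in offline),
    }

# Constructed sample listings (digests are made up) standing in for the two
# real manifests.
INSIDE_MANIFEST = """\
# listing made while booted into the infected Windows install
0123456789abcdef0123456789abcdef  WINNT/system32/kernel32.dll
fedcba9876543210fedcba9876543210  WINNT/system32/user32.dll
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  Program Files/Example/readme.txt
"""
OFFLINE_MANIFEST = """\
# same volume, listed from the Live CD
0123456789abcdef0123456789abcdef  WINNT/system32/kernel32.dll
fedcba9876543210fedcba9876543210  WINNT/system32/user32.dll
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb  Program Files/Example/readme.txt
cccccccccccccccccccccccccccccccc  WINNT/system32/drivers/hidden_hook.sys
"""

def demo():
    """Compare the constructed sample listings."""
    return compare_manifests(parse_manifest(INSIDE_MANIFEST), parse_manifest(OFFLINE_MANIFEST))

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:        # <script> <root>            -> print a manifest of root
        sys.stdout.write(format_manifest(build_manifest(sys.argv[1])))
    elif len(sys.argv) == 3:      # <script> inside.txt offline.txt -> diff two manifests
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            result = compare_manifests(parse_manifest(a.read()), parse_manifest(b.read()))
        for kind, paths in result.items():
            for p in paths:
                print(f"{kind:8} {p}")
    else:
        for kind, paths in demo().items():
            print(kind, paths)
```

Run the manifest step on the same volume twice, once from Windows (`C:\`) and once from the Live CD with the NTFS partition mounted (for example `/mnt/win`), and save each to a file on removable media, not on the suspect disk. Expect a little noise from files Windows legitimately holds open or rewrites between the two boots (page file, event logs, registry hives); the interesting entries are executables and drivers in the `hidden` list.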
In my humble opinion, nuking a Windows machine every six months or so can be a healthy thing anyway, so long as important files are preserved. I typically nuke my Linux partitions on a comparable time frame, also. It's just a good way to clean up.
If the above partitioning idea doesn't work or is not feasible (say the solution is too complicated for the user), teach the user to make regular backups on CD, or to invest in a 1Gig thumbdrive or so, and keep his personal files there.
Kris Kerwin
kkerwin@insi__REMOVE_ME__ghtbb.com
A Mac Mini is only $500.00. . . .
If I find the malware was in a directory like C:\Program Files\Malware\ I delete the directory and then create a file with the same name. I put some text in the file like "This is here to prevent Malware infections." and then I change the mode to be read-only and hidden.
Not perfect but it helps and I haven't seen it mentioned here.
Because he's right.
...I've had to try to manually clean the system. However, the files re-write themselves, making the malware grow back as fast as you can remove it.
Files don't suddenly become sentient and rewrite themselves, so the "manual clean" you did clearly didn't actually clean it. Probably, a running or startup process stuck around to restore them.
Ideas:
1. Reboot in safe mode, and do your manual cleanup. See if it recurs in normal mode.
2. Kill as many processes as possible before running a malware cleaner.
3. Instead of deleting identified malware files, replace them with blank read-only files, and reboot.
Terrorists can attack freedom, but only Congress can destroy it.
I can throw myself at the ground, and miss.
Symantec Ghost is one of the single most useful programs ever written.
1) do a format with a windows partition and a data partition and do a clean windows install
2) install all the apps you generally use
3) run Microsoft's powertoy tweakui and move all the important folders from your windows partition to your data partition, for example i move Desktop, favorites, My docs ...music...pics etc
I've also got batch files written to copy my media library files and other assorted useful files to the data partition on every shutdown
4) run ghost and backup your system.
This solution has a number of advantages
*from a 4gb ghost image i can be back at my login screen in about 3and a half mins. Clean and crisp like windows installs always are :P (for the first few hours)
*any trials you install after this point will have their 30day counters restarted when you ghost again
*if you really wanted you could have your machine ghost itself every night at say 5am that way its clean everyday without any hassles
Just an idea...
it works for me
good luck
Cwraig
I stopped using IE unless I absolutely have to, I modified my hosts.deny to incorporate most redirects to known spyware sites. I have disabled all Javascript execution no matter the browser. I also have had to write programs that removed these nasties. I have had a few that refused to die, while trying to resurrect a WinXP box for a friend. Since XP doesn't allow for true SafeMode Command Prompt Only booting ( I say that cause it loads the malware anyways ) I had to write a program that simply deleted them and their respective registry entries before they were loaded into Windows.
Surprisingly enough adding a Reg entry into the Run folder of the registry is all that was needed to have it run before they did ( which I found a problem ) I had to first export the Key and add my entry first as apparently Windows executes registry entries in order of installation. This cured my problem from even the most hardened malware.
Unfortunately there is no one cureall app out there yet, best to go with an army, X may not catch Y etc etc, but using X, Y, and Z apps together you are assured to catch and stop much more than using any single one as a stand alone.
I am Bennett Haselton! I am Bennett Haselton!
Anyone tried this on XP (don't have an available XP machine at the moment)
Absolutely, without a doubt!
It must be Windows. It needs half a gig of RAM and a hardware-accelerated graphics card just to run Solitaire.
BHODemon should let you peak at your browser help objects and remove those that don't belong.
Quack, quack.
Install Ubuntu Linux.