Stopping Unstoppable Malware?
A frustrated troubleshooter asks: "I've recently been asked to fix a friend's computer, and for once, I'm stumped. There is a piece of malware on his computer that puts up Aurora popup windows. Neither Spybot nor Ad-Aware detect this, so I've had to try to manually clean the system. However, the files re-write themselves, making the malware grow back as fast as you can remove it. The only 'solution' is to run an uninstaller written by the people who wrote the Aurora pop-up itself. Has anyone dealt with this particularly painful piece of pop-up programming, and if so, how have you successfully removed it?" What other pieces of malware have you found that were difficult to remove? Aside from using programs like the aforementioned Spybot and Ad-Aware (and others of their ilk), what other methods of malware removal have proven to be the most successful?
Burn the important files to CD. Get an external hard drive, whatever.
Then nuke the hard drive and start over. In my experience going through the pain of finding all of the problems is worse than finding old install disks. You can also start with a clean build of XP SP2 which makes it *much* harder to get infected.
When you image the machine, make sure you set up at least two partitions so starting over in the future is less painful.
A speech...
I still have one small piece of spyware hiding somewhere that none of the above can find. It only runs when I run IE (which I very rarely do these days), pathetically raising popup windows with nothing in them! I haven't bothered to chase it down, since it isn't that much of a nuisance. But maybe I'll apply some of the tricks I learned today, just for the exercise!
Which brings me to the #1 anti-spyware measure: run Internet Explorer as little as you can!
Not nearly so easy.
I ended up with something installed, it was very odd:
1. It was not a separate process, it bound itself to IE. No process to end other than IE and in a work environment where Firefox is not an option that's a problem.
2. When uninstalled and files deleted it reinstalled itself. The files had to be deleted manually. Yet they reinstalled with random file names, the only way to identify them was by working out they were always a combo of 5 letters and had the same file size.
3. Sure it had a registry entry, but when it spread it randomly named itself as in step 2. Manual registry editing was the only option, somewhat risky as entries could be deleted by mistake.
4. Because of 1, 2 and 3, there were no processes and files to be deleted automatically. It becomes a manual process.
The solution: We did a diff of the registry from a backed up version and went through line by line. Could have done a reinstall, and did in the end (with something this sneaky what else could it have been doing?) but it was very interesting to see how it worked. Let's hope this type of malware remains in the minority.
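The registry diff described in the post above, as an added example that is not the poster's own code: it parses two exported .reg snapshots (a clean baseline and a later one, both constructed here), reports values that were added or changed under the Run keys, and flags names that match the random five-letter pattern from step 2. The snapshot contents and the names `qwzrt`/`xkpld` are made up for illustration.

```python
import re

# Constructed sample exports in "Windows Registry Editor Version 5.00" format:
# a clean baseline taken before the infection and a later snapshot.
BASELINE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"""

CURRENT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMTray.exe"
"qwzrt"="C:\\WINDOWS\\system32\\qwzrt.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"xkpld"="C:\\WINDOWS\\xkpld.exe"
"""

VALUE_RE = re.compile(r'^"(.*?)"=(.*)$')      # "name"=data lines
RANDOM_NAME_RE = re.compile(r'^[a-z]{5}$')    # the "combo of 5 letters" pattern

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}} (named values only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys

def diff_reg(baseline, current):
    """Return (added, changed): lists of (key, name, data) present in current but not baseline."""
    base, cur = parse_reg(baseline), parse_reg(current)
    added, changed = [], []
    for key, values in cur.items():
        for name, data in values.items():
            if name not in base.get(key, {}):
                added.append((key, name, data))
            elif base[key][name] != data:
                changed.append((key, name, data))
    return added, changed

def flag_random_names(entries):
    """Keep only entries whose value name looks like a random five-letter string."""
    return [e for e in entries if RANDOM_NAME_RE.match(e[1])]
```

On a real machine the two inputs would come from `reg export` of the Run keys before and after; review every hit by hand before deleting anything, since a legitimate vendor entry can be short too.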
You're kidding, right? This stuff makes it harder to keep your PC safe. Expect it to become dominant.
Question for the Windows folks. If you're in msconfig and you change it to Selective Startup, is there a way to leave it in this default state with no popups that cancel the effect after rebooting? For my own machine I would be more than happy to be the person initiating everything. You can see clearly that the machine will work fine without loading any of that extra stuff... why can't I just NOT have autoloading events?
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue