Stopping Unstoppable Malware?
A frustrated troubleshooter asks: "I've recently been asked to fix a friend's computer, and for once, I'm stumped. There is a piece of malware on his computer that puts up Aurora popup windows. Neither Spybot nor Ad-Aware detect this, so I've had to try to manually clean the system. However, the files re-write themselves, making the malware grow back as fast as you can remove it. The only "solution" is to run an uninstaller written by the people who wrote the Aurora pop-up itself. Has anyone dealt with this particularly painful piece of pop-up programming, and if so, how have you successfully removed it?" What other pieces of malware have you found that were difficult to remove? Aside from using programs like the aforementioned Spybot and Ad-Aware (and others of their ilk), what other methods of malware removal have proven to be the most successful?
Unplug the hard drive, and dump it into a specially-configured "disinfectant" computer. Make sure it has up-to-date malware scanners - the four mentioned earlier should do the trick - and then scan it a lot. That should help get rid of some that loads on bootup. Then you might have to go in by hand to get rid of the rest, but it should get you started.
http://unelite.freelinuxhost.com - Rock/Scissors/Paper and RPGs shouldn't mix.
I have found that very little if any spyware ever shows up on my Windows computer if I have Microsoft Anti-Spyware Beta 1 installed. It has grabbed a few things, and kept me relatively nuisance free.
I've been experimenting with combinations of software for security, and this is by far the best combination for general use:
FireFox (Browser)
Avast! Home Edition (Anti-virus)
Part of my experiment was to operate as an Administrator at all times. I've been running like this for several months now, and have not encountered a single problem!
No viruses, No Spy-ware/Mal-ware, no annoying restrictions (I'm not using SP2).
Anyone else use this combination? It is by far the strongest combination I've ever used.
I just pooped your party.
- To kill "unkillable" processes, use pskill from sysinternals.com. Also try pslist instead of the Task Manager to list the processes. The Task Manager does not give you all the information you might want to know, like many other tools from Redmond.
- Try to kill a whole bunch of suspicious processes at once, so that no part of the malware has a chance to restart another process. Again, pskill can do this.
- Boot another system, preferably one that cannot execute EXEs, DLLs and so on: get Knoppix or some other CD-ROM-based Linux (one that is able to write NTFS if you use NTFS for Windows). Use it to browse the WWW, especially to search for information about the malware. Use it to delete all executable files (*.EXE, *.DLL, *.OCX, ...) of the malware. (Malware registry entries should be harmless if all executables of the malware are deleted.) If you use Knoppix, this is not much harder than deleting files using Windows. You just have to find the right hard drive partition (usually hda1) containing Windows and mount it read-write (use the right mouse button on the HDD icon). The real hard job is to find each and every executable of the malware.
- Disconnect the network plug / modem / ISDN / whatever, switch off the WLAN router, etc., before you boot Windows, to prevent the remaining parts of the malware from re-installing themselves from the net.
- Re-enable network only for the time you run Knoppix on the machine, until you are really, really sure that there are no traces left from the malware.
Tux2000
Thinking helps.
Forget Maxblast - boot back into Knoppix and zero the drive with dd.
# dd if=/dev/zero of=/dev/hda bs=1M count=100
The count=100 is a bit of overkill (you'd probably get away with just 1), but this will zero the first hundred megs of /dev/hda. Of course, if you have any other drives (or if the target HD isn't /dev/hda), you'll want to use hdb/hdc/etc. If it still acts up, you can drop "count=100" entirely from that line to zero the whole drive byte by byte.
If you still run into corruption, blame hardware.
With NTFS there's another option which can be handy as well. As people have noted, the registry keys can help one track down where the files are. A liberal application of "deny all" to the malware can be both an effective stop-gap measure and a step in deleting the files.
step 5) open the registry (RegEdit) and search for "RunOnce"; directly above it will be "Run".
Sadly, you can't do that with Aurora [I was up with it until 5AM last night, and I'll be at it for the rest of tonight, and much of tomorrow]. I'll expound on the registry stuff in a moment, but first let me outline a few other things you'll have to deal with.
Aurora installs at least two services [Start | Programs | Administrative Tools | Services]; they're down at the bottom, called "Win" this, and "Win" that [I forget the exact names, but they're pretty obviously malware services]. It also installs executables and "cabinet" [.CAB] files all over your computer, as well as desktop links and web browser plugins, and probably a whole host of other things I didn't discover. And every user who logs in after the infection will get copies of this crap installed throughout the entirety of their "Documents and Settings" folder.
If you have a second copy of the operating system [at worst, take the hard drive out and install it in another computer as a secondary drive], then you can search the entire hard drive for files that were introduced on or later than the date of infection and delete MOST of the crap that was installed.
However, in our case, the underlying file that invoked "Aurora" was \WINNT\zbkiebmtvti.exe [it might have a different name for you], but it was somehow installed with a modification date of 04/09/2004 [our infection was yesterday, 05/08/2005], so a simple search on recently-modified files will not find that one [and may not find other newly-introduced files, with fake modification dates, that are lurking in other parts of your hard drive].
However, even if you disable the services installed by Aurora, and even if you could delete all the files it installs, it does something FAR more malicious - something that I've never before seen in malware, which gets back to the point I wanted to make at the beginning of this reply: At or near the registry point HKLM\Software, Aurora inserts an "infinitely large" subtree into your computer's registry [I assume that they used either the maximum size of a registry subtree in Windows, or the maximum size of an entry in the underlying MSJet database, or something similar]. When either regedit.exe or regedt32.exe encounters this "infinitely large" subtree, they both crash, and tend to exit Dr Watson style [I guess it never dawned on the poor guys who designed regedit.exe and/or regedt32.exe that someone would do something quite so evil]. You can't search beyond this "infinitely large" subtree, and neither regedit.exe nor regedt32.exe is capable of deleting any of its branches [at either the beginning of the subtree, or at its end], so you can't do the old trick of searching for "RunOnce" and then moving up one key to get to Run.
Anyway, it seems to me that anyone who would do something as malicious as purposely inserting an "infinitely large" subtree into your registry, with the intent of crashing regedit.exe and regedt32.exe, is precisely the sort of person who would install a keyboard sniffer to record your VISA and Mastercard info. So I'm basically wiping the drive clean and reinstalling the operating system from scratch.
Quite frankly, if I ever meet the bastards who wrote this crap [and who thought that it would be some kinduva nifty-cool business plan to go around inserting "infinitely large" subtrees into people's registries], then I will be sorely tempted to shoot them and throw their God-damned corpses in a swamp.
And no, I am not kidding.
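An added example, not code from any poster in this thread, of the file hunt that the Knoppix reply above and this one both describe: walk a mounted Windows partition from the rescue system, list only the executable types the thread names (*.EXE, *.DLL, *.OCX, *.CAB), and flag the ones modified on or after the infection date. It also covers the caveat raised above: a file dropped after the infection but stamped with an old modification date, which a plain recently-modified search misses. The assumptions are mine: the partition is mounted at whatever path you pass as root, the infection date is supplied by you, and the sample tree is constructed in a temporary directory rather than taken from a real infected drive. The scan only reports candidates for a manual look; deleting anything is left to the operator.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Executable/container types the Knoppix reply lists for deletion, plus .cab,
# which the Aurora write-up mentions. Everything else is ignored by the scan.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".ocx", ".cab"}


def scan_tree(root, infected_since):
    """Walk `root` (e.g. a Windows partition mounted under Knoppix) and return
    [(path, reason), ...] for executables worth a manual look.

    reason "modified-after-infection": the plain recently-modified search.
    reason "backdated-mtime": modification time is older than `infected_since`
    but the creation/change time is not. On Windows st_ctime is the creation
    time; on Linux it is the inode change time, which the kernel bumps whenever
    the mtime is rewritten. Either way, a file that arrived after the cutoff
    while claiming an old modification date is caught. (A chmod after the
    cutoff also trips it on Linux, so treat hits as candidates, not verdicts.)
    """
    cutoff = infected_since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue
            try:
                st = path.stat()
            except OSError:  # unreadable entry: skip it rather than abort the scan
                continue
            if st.st_mtime >= cutoff:
                hits.append((str(path), "modified-after-infection"))
            elif st.st_ctime >= cutoff:
                hits.append((str(path), "backdated-mtime"))
    return hits


def build_sample_tree(base):
    """Constructed stand-in for an infected system drive (not a real sample)."""
    base = Path(base)
    (base / "WINNT").mkdir()
    (base / "Documents and Settings" / "user").mkdir(parents=True)
    # 1. dropped just now with an honest timestamp
    (base / "Documents and Settings" / "user" / "dropped.exe").write_bytes(b"MZ")
    # 2. dropped just now, then given a forged modification date of 2004-04-09
    forged = base / "WINNT" / "backdated.exe"
    forged.write_bytes(b"MZ")
    old = datetime(2004, 4, 9, tzinfo=timezone.utc).timestamp()
    os.utime(forged, (old, old))
    # 3. a non-executable touched just now: outside the scan's scope
    (base / "WINNT" / "notes.txt").write_text("not code")
    return base


def demo():
    """Build the sample tree in a temp dir, scan it with a cutoff one minute in
    the past, and return {file name: reason} for the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        cutoff = datetime.now(timezone.utc) - timedelta(minutes=1)
        return {Path(p).name: why for p, why in scan_tree(root, cutoff)}


if __name__ == "__main__":
    for name, why in sorted(demo().items()):
        print(f"{why:25s} {name}")
```

Against a real drive you would call scan_tree with the mount point and the date of infection instead of demo(); the backdated.exe case is the one the plain date search described above cannot see, and it is the reason to compare both timestamps rather than trust the modification date alone.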