Slashdot Mirror


Stopping Unstoppable Malware?

A frustrated troubleshooter asks: "I've recently been asked to fix a friend's computer, and for once, I'm stumped. There is a piece of malware on his computer that puts up Aurora popup windows. Neither Spybot nor Ad-Aware detect this, so I've had to try to manually clean the system. However, the files re-write themselves, making the malware grow back as fast as you can remove it. The only "solution" is to run an uninstaller written by the people who wrote the Aurora pop-up itself. Has anyone dealt with this particularly painful piece of pop-up programming, and if so, how have you successfully removed it?" What other pieces of malware have you found that were difficult to remove? Aside from using programs like the aforementioned Spybot and Ad-Aware (and others of their ilk), what other methods of malware removal have proven to be the most successful?

1 of 155 comments

  1. This is hilarious... by adjuster · Score: 0, Redundant

    The discussion threads for this article are killing me! You silly little Windows users w/ your cadres of anti-"spyware" programs, your bordering-on-mythos secondhand, thirdhand, and fourthhand instructions on how to remove these unwanted programs, and your fun little superstitions-- you're hilarious!

    I run Windows 2000 Professional on a couple of my boxes, but I don't have a "spyware" problem. It baffles me that anybody else does, at least with any of the NT-based Windows OSes.

    • Don't log on as a user with administrative rights except when absolutely necessary. If an application doesn't run right as a non-Administrator user, figure out why and fix the permissions causing the problem, or get a better app. There's no excuse for needing to run apps as an Administrator user in 2005.
    • Don't install crappy software that you're not sure the origin of. You're monumentally stupid to install most peer-to-peer file sharing apps.
    • Password protect all the user accounts on the PC with reasonably good passwords, lest file-and-print-based self-replicating programs copy themselves onto the PC via default "Administrative shares".
    • Keep up-to-date with operating system and application patches.
    • Consider using a browser other than Internet Explorer and a mail reader that doesn't use the IE engine to render HTML. Better yet, stop using HTML email.
    • Install the OS with the PC disconnected from a LAN. Apply service packs and fixes via CD before plugging into the LAN.

    Is it really all that hard?

    The most hilarious things are the myths and superstitions. I liked the dude who suggested you should "unplug" the computer after removing "malware", because "Some malware will try to reinsert registry keys at shutdown". That's suitably vague, and dangerous! Instead of just explaining WinLogon Notification Packages (the way that most of this unwanted software handles re-populating the registry with its references on shutdown) and how to disable them, the author just suggests you risk trashing your filesystem! It highlights the fact that most of you little Windows puppies don't have any idea how the OS works.

    I'd clean a contaminated PC up by putting the contaminated hard disk into a clean Windows PC, accessing the registry hives of the contaminated PC, and cleaning up its filesystem and registry carefully. Then you don't have to muck around with hostile programs detecting that you're excising them and trying to put themselves back. Don't have a second PC to do that on? Get a second hard disk drive, pull the contaminated one, install a clean OS on the new drive, then strap in the contaminated drive and clean away. (Don't boot the contaminated disk, though, or you get to start all over again.) Can't afford that? Use some rigged bootable CD thingamajig and take your chances... Sucks to be you.

    The trick of using NTFS ACLs to deny the unwanted software access to its own files is cute, but the authors of this software are already working around that. They usually have SYSTEM privileges-- they don't need to worry about ACLs if they don't want to. In general, the days of troubleshooting contaminated PCs while booted in the contaminated environment are fast drawing to a close.

    This is the state of the art in our industry... Sheesh. I'm so proud to work in IT.

    --
    The Attitude Adjuster, I hate me, you can too.
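The offline-cleaning approach the comment above describes (pull the contaminated disk, attach it to a clean Windows box, inspect its hives without ever booting it) as an added example; this is editor-supplied code, not the commenter's, and it assumes the suspect volume is attached to the clean host as drive X:, that the shell is elevated, and that `Suspect` is an unused temporary hive name (all three are assumptions of mine). It loads the offline SOFTWARE hive with `reg.exe load`, lists the WinLogon Notification Packages the comment mentions alongside the classic Run/RunOnce and Winlogon Shell/Userinit entries, and unloads the hive again. Nothing in the loaded hive executes, so the "it grows back while you delete it" problem does not arise.

```powershell
# Added example (not from the original Slashdot comment): offline triage of a
# contaminated Windows disk attached to a CLEAN machine. Assumptions (mine):
# suspect volume mounted at X:, elevated PowerShell, suspect disk not booted,
# 'Suspect' is a free temporary hive name under HKLM.
param(
    [string]$SuspectRoot = 'X:\Windows',   # assumed mount point of the bad disk
    [string]$MountName   = 'Suspect'       # assumed temporary hive name
)

$softwareHive = Join-Path $SuspectRoot 'System32\config\SOFTWARE'
if (-not (Test-Path $softwareHive)) { throw "No SOFTWARE hive at $softwareHive" }

# reg.exe LOAD attaches the offline hive at HKLM\Suspect. Nothing in it runs.
& reg.exe load "HKLM\$MountName" $softwareHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed with exit code $LASTEXITCODE" }

try {
    $base = "HKLM:\$MountName"

    # 1. WinLogon Notification Packages: each subkey of Winlogon\Notify names a
    #    DLL that winlogon.exe loads and calls on logon/logoff/shutdown events,
    #    which is how the unwanted software re-creates its keys at shutdown.
    $notify = Join-Path $base 'Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        Get-ChildItem $notify | ForEach-Object {
            [pscustomobject]@{
                Source = 'Winlogon\Notify'
                Name   = $_.PSChildName
                Value  = (Get-ItemProperty $_.PSPath).DllName
            }
        }
    }

    # 2. Classic autostart values under Run and RunOnce.
    foreach ($rel in 'Microsoft\Windows\CurrentVersion\Run',
                     'Microsoft\Windows\CurrentVersion\RunOnce') {
        $key = Join-Path $base $rel
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata
            [pscustomobject]@{ Source = $rel; Name = $p.Name; Value = $p.Value }
        }
    }

    # 3. Winlogon Shell / Userinit: anything other than explorer.exe and
    #    userinit.exe here is worth a hard look.
    $winlogon = Get-ItemProperty (Join-Path $base 'Microsoft\Windows NT\CurrentVersion\Winlogon')
    foreach ($name in 'Shell', 'Userinit') {
        [pscustomobject]@{ Source = 'Winlogon'; Name = $name; Value = $winlogon.$name }
    }
}
finally {
    # The registry provider can keep handles open; drop them before unloading,
    # otherwise reg.exe reports the hive as in use.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Once a Notify subkey or Run value points at the offending DLL or EXE, remove the registry entry (`Remove-Item` on the key, or `Remove-ItemProperty` on the value) while the hive is still loaded, delete the file on X:, and only then unload. The NTUSER.DAT hive of each profile under X:\Documents and Settings (or X:\Users) carries the per-user Run keys and deserves the same pass with the same load/unload pattern.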