Stopping Unstoppable Malware?
A frustrated troubleshooter asks: "I've recently been asked to fix a friend's computer, and for once, I'm stumped. There is a piece of malware on his computer that puts up Aurora popup windows. Neither Spybot nor Ad-Aware detect this, so I've had to try to manually clean the system. However, the files re-write themselves, making the malware grow back as fast as you can remove it. The only "solution" is to run an uninstaller written by the people who wrote the Aurora pop-up itself. Has anyone dealt with this particularly painful piece of pop-up programming, and if so, how have you successfully removed it?" What other pieces of malware have you found that were difficult to remove? Aside from using programs like the aforementioned Spybot and Ad-Aware (and others of their ilk), what other methods of malware removal have proven to be the most successful?
Here's how to do it on Win2k:
step 1) try to kill off all the procs you can. Most malware will say "Access Denied", but some can be killed.
step 2) delete all the DLLs and ActiveX controls from your IE Downloads directory. Many of them will be held 'open' and won't be deletable.
step 3) check the start menu -> Startup folder. Delete any links from here that aren't familiar.
step 4) open your system services (from Computer Management; Administrative tools, whatever). Check for any services that look fishy. I typically sort them by status and look at the 'started'/active services.
step 5) open the registry (RegEdit) and search for "RunOnce"; directly above it will be "Run". We don't search the registry for "Run" because it appears like 1000 times. Delete any keys in the "Run" folder that don't look right. Search about 3 more times for this entry - it appears in multiple places.
step 6) unplug the machine (DON'T power it down). Some malware will try to reinsert registry keys at shutdown. Worst case scenario here is that you get a checkdisk warning/error at startup.
step 7) start the machine back up in DOS mode (or Safety with DOS prompt). Go back to the Internet Explorer Downloads directory and delete the DLLs/ActiveX controls. They should get deleted now because the malware processes won't be holding the files open.
step 8) Reboot.
step 9) open the registry back up and see which processes re-inserted registry keys in the "Run" folder (see step 3 above).
I had one particularly nasty one (News.net) that Spybot couldn't delete. I finally killed it by using the process I described above. The trick with News.net, however, was to pull the plug IMMEDIATELY after deleting the registry key. The malware process re-inserts the registry key every 2 seconds, so I had to delete the key and pull the plug on the machine before it could re-insert the registry entry. One of the tricky things that News.net did was not allow me to search in RegEdit. So I used Spybot's startup/registry tool to remove the key. News.net was somehow able to circumvent Spybot's registry blocker.
As I'm writing this, I'm using a Windows 2k (SP2) machine from 2001. It hasn't been remastered since then and it's my daily driver. Interestingly, I've never done a single Windows Update on it, and I have fewer problems with exploits and malware than I've had on the 4 other machines that I've had to remaster (again and again) that I ran Windows Update on frequently. Maybe none of the malware writers are wasting time with the old exploits because they figure they've all been patched. Luckily for me, by not doing Windows Update, I've saved myself from all of the exploits that the new patches have created.
I'm running Office 2000, Firefox, and Thunderbird. I never ever use IE or Outlook, ever. Oh yeah, and I also use a modified hosts file (from http://accs-net.com/hosts/) for ad/malware blocking.
Oh yeah, and use TeaTimer and SpybotSD services to prevent new spyware/malware.
Happy computing.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
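Steps 5, 8 and 9 above boil down to "record the Run keys, reboot, and see what came back", and the News.net anecdote shows why doing that by eye in RegEdit is painful when the malware blocks searching. An added example, not code from the post or from any of the tools it names: a Python script that parses two RegEdit exports (select the key in RegEdit, then Registry > Export; Win2k writes a REGEDIT4 file, later versions write "Windows Registry Editor Version 5.00", and both headers are accepted) and diffs the Run/RunOnce/RunServices entries so the re-inserted values stand out. The two exports below are constructed sample data, the value names and file names in them are placeholders, and the "suspect directory" list (IE's Downloaded Program Files cache, temp directories) is an assumption drawn from the cleanup steps, not a detection rule.

```python
import re

# Constructed sample exports (made up for this example, not taken from the post).
# BEFORE: the Run keys as exported after cleaning and before pulling the plug.
# AFTER: the same keys exported after the reboot in step 8.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Loader"="C:\\WINNT\\Downloaded Program Files\\example.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Setup"=hex(2):43,00,3a,00,5c,00,54,00,45,00,4d,00,50,00,5c,00,\
  65,00,78,00,2e,00,65,00,78,00,65,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"""

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
# Autostart keys the post's steps 5 and 9 look at (matched on the key path suffix).
_AUTOSTART_SUFFIXES = ('\\RUN', '\\RUNONCE', '\\RUNONCEEX',
                       '\\RUNSERVICES', '\\RUNSERVICESONCE')
# Assumed "worth a second look" locations, taken from steps 2 and 7; not a detection rule.
_SUSPECT_DIRS = ('\\DOWNLOADED PROGRAM FILES\\', '\\TEMP\\', '\\TEMPORARY INTERNET FILES\\')


def _unescape(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(.)', r'\1', s)


def _decode_value(raw):
    """Decode the right-hand side of a .reg value line into a Python value."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])                        # REG_SZ
    if raw.startswith('dword:'):
        return int(raw[len('dword:'):], 16)                # REG_DWORD
    m = re.match(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$', raw)
    if m:
        kind = int(m.group(1), 16) if m.group(1) else 3    # bare hex: is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(',') if b)
        if kind in (2, 7):                                 # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return data.decode('utf-16-le').rstrip('\x00')
        return data
    return raw                                             # anything else: keep the text


def parse_reg_export(text):
    """Parse a REGEDIT4 or 'Version 5.00' export into {key_path: {value_name: value}}.
    Hex values continued over several lines with a trailing backslash are joined first."""
    keys, current, lines, i = {}, None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if (not line or line.startswith(';') or line.startswith('REGEDIT4')
                or line.startswith('Windows Registry Editor')):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        while line.endswith('\\') and i < len(lines):       # hex continuation lines
            line = line[:-1] + lines[i].strip()
            i += 1
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
            keys[current][name] = _decode_value(m.group(2))
    return keys


def autostart_diff(before_text, after_text):
    """Diff the autostart keys of two exports. Returns
    {'added': {(key, name): value}, 'removed': {...}, 'changed': {(key, name): (old, new)}}."""
    before, after = parse_reg_export(before_text), parse_reg_export(after_text)
    report = {'added': {}, 'removed': {}, 'changed': {}}
    for key in set(before) | set(after):
        if not key.upper().endswith(_AUTOSTART_SUFFIXES):
            continue
        b, a = before.get(key, {}), after.get(key, {})
        for name in a.keys() - b.keys():
            report['added'][(key, name)] = a[name]
        for name in b.keys() - a.keys():
            report['removed'][(key, name)] = b[name]
        for name in a.keys() & b.keys():
            if a[name] != b[name]:
                report['changed'][(key, name)] = (b[name], a[name])
    return report


def suspicious_entries(report):
    """Re-inserted entries whose command points into one of the assumed suspect directories."""
    return sorted((key, name, value) for (key, name), value in report['added'].items()
                  if isinstance(value, str)
                  and any(d in value.upper() for d in _SUSPECT_DIRS))


if __name__ == '__main__':
    result = autostart_diff(BEFORE, AFTER)
    for kind in ('added', 'removed', 'changed'):
        for (key, name), value in sorted(result[kind].items()):
            print(f'{kind:8} {key}\\{name} = {value!r}')
    for key, name, value in suspicious_entries(result):
        print(f'look at: {key}\\{name} -> {value}')
```

Entries that show up as "added" after the reboot are the ones some surviving process or service re-wrote, which is what step 9 is trying to find; the value tells you which file to go after in step 7, and the service or process owning that file is the next thing to kill in step 1 or 4.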
You need to use HijackThis. http://www.spywareinfo.com/~merijn/downloads.html
This program doesn't actually detect spyware/adware/malware, but rather it shows all items that are currently loaded on your system. It does have some helpful hints as to what these items might be, but doesn't specifically tell you if something is malware. You have to be savvy enough to figure it out yourself. I've gotten rid of a few nasty progs with this helpful tool.