
Ability of malware to hide from HijackThis


12 replies to this topic

#1 dcdcdc

    Member

  • New Member
  • 3 posts

Posted 01 February 2005 - 08:20 PM

Hi
I recently read that only 80% of spyware is detected even if you use the two most efficient removers in conjunction.
I wondered if there currently is spyware that can hide itself from HijackThis and a process viewer like Task Info?

#2 Gwyrox732

    Gwy|is|here

  • Helper
  • 514 posts

Posted 01 February 2005 - 09:46 PM

I'm not sure if it's as low as 80%, but some registry keys escape HijackThis by using special characters, if I remember correctly...
Quote from the original CWS article at SWI: "There could be other domains involved in the future." ... We've come a long way since then.

Malware esan mala, ji mi disaman. SWI ji kikan ekster!

PM me if you know what that says. Whoever gets it right gets put here!
Bagman wins, good job!
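Gwyrox732's point about registry entries that slip past a text-based listing because of special characters can be checked from the defender's side. The following is an added example, not code from the thread or from HijackThis: it walks a .reg export (a constructed sample, assumed already decoded from the UTF-16 that regedit writes) and flags value names containing control, format or non-ASCII letter characters, which is exactly the kind of name that displays as normal or disappears in a plain tool listing.

```python
import re
import unicodedata

# Constructed sample export (not taken from the thread): one ordinary Run
# value and one whose name embeds a control character (U+0001) and a
# Cyrillic letter that looks like a Latin "e" (U+0435).
SAMPLE_REG = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    '"UpdaterHelper"="C:\\\\Program Files\\\\Vendor\\\\helper.exe"\r\n'
    '"Sys\u0001tem\u0435"="C:\\\\WINDOWS\\\\sysinit.exe"\r\n'
)

# A .reg value line looks like "name"=data; the name may contain escaped quotes.
ENTRY_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def suspicious_chars(name):
    """Return the characters in a value name that are control or format
    characters (Unicode category C*) or letters outside ASCII. Either kind
    can make a name render as harmless text or vanish from a plain listing."""
    bad = []
    for ch in name:
        cat = unicodedata.category(ch)
        if cat.startswith("C") or (ord(ch) > 127 and cat.startswith("L")):
            bad.append(ch)
    return bad


def scan_reg_export(text):
    """Walk decoded .reg text and report (key, value_name, [codepoints])
    for every value name that contains suspicious characters."""
    findings = []
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section
            continue
        m = ENTRY_RE.match(line)
        if not m or key is None:
            continue
        name = m.group(1)
        bad = suspicious_chars(name)
        if bad:
            findings.append((key, name, ["U+%04X" % ord(c) for c in bad]))
    return findings


if __name__ == "__main__":
    for key, name, codepoints in scan_reg_export(SAMPLE_REG):
        print("%s -> %r contains %s" % (key, name, ", ".join(codepoints)))
```

To run it against a real machine, export the key with `reg export` or regedit and decode the file as UTF-16 before passing it to `scan_reg_export`.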

#3 ErikAlbert

    Typical User

  • Full Member
  • 787 posts

Posted 02 February 2005 - 12:43 AM

dcdcdc,
That's why I reformat my hard disk twice a year, to get rid of the other 20% :)
ErikAlbert
Simplicity is always brilliant.

#4 Bobbi Flekman

    The computer whisperer.

  • Retired Staff
  • 1,357 posts

Posted 02 February 2005 - 05:13 AM

    dcdcdc,
    That's why I reformat my hard disk twice a year, to get rid of the other 20% :)

Wouldn't an imaging program like Ghost be easier?

#5 LostAccount

    Forum Deity

  • Trusted Advisor
  • 1,291 posts

Posted 02 February 2005 - 08:44 AM

Bobbi Flekman,

I thought Norton Ghost is for backups? (Correct me if I'm wrong.) Do you mean that we can use this to backup all existing data, then reformat using the image created?

Enlighten me, please... :D

Useful Software: Kaspersky (https://www.kaspersky.com), Housecall Trendmicro (https://housecall.trendmicro.com/), a2 free edition (https://www.emsisoft.com), Kerio Personal Firewall (https://www.kerio.com), Ad-aware SE (https://www.lavasoftusa.com), Spybot S&D (https://security.kolla.de), HJT (https://www.merijn.org/files/hijackthis.zip), CWShredder (https://www.cwshredder.net), MVPS HOSTS file by WinHelp2002 (https://www.mvps.org/winhelp2002/hosts.htm), IE-SPYAD by eburger68 (https://netfiles.uiuc.edu/ehowes/www/resource.htm), Spywareguard and Spywareblaster (https://www.javacoolsoftware.com/), Winpatrol (https://www.winpatrol.com), Mozilla & Firefox (https://www.mozilla.org)

#6 Bobbi Flekman

    The computer whisperer.

  • Retired Staff
  • 1,357 posts

Posted 02 February 2005 - 09:11 AM

Ghost is a program to make an image copy of a hard disc on CD/DVD/hard disc. It is a spitting image of the moment you made it. And restoring it takes about 3 minutes in my example (4 GB).

I've partitioned my disks into several drives, with C being the drive for OS and programs, D for Data, etc...

With that I can make an image of my various drives on another harddisc, do whatever I want (like getting infected with a virus and seeing what it does). If I'm done playing around with it, I restore my freshly made backup. No more spyware/virus/whatever...

So... yes, it's a backup medium, but all imagers are that. It depends on whether you just write away the files (like Backup) or make a sector-for-sector copy of a disc (like imagers do).

#7 LostAccount

    Forum Deity

  • Trusted Advisor
  • 1,291 posts

Posted 02 February 2005 - 10:03 AM

I remember someone writing about a virus from hxxp://www.piaodown.net (deliberately unlinked) which attaches itself to hardware other than the hard drive (such as the disk controller). Like the CIH virus, I don't think they can be reformatted away.

#8 cnm

    Mother Lion of SWI

  • Retired Staff
  • 25,317 posts

Posted 02 February 2005 - 10:44 AM

In case this isn't obvious: if the image you make with Ghost has the malware in it, it won't help. :)
Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare (1564-1616)
The various helper groups here
UNITE

#9 lonewolf

    Advanced Member

  • Full Member
  • 233 posts

Posted 02 February 2005 - 01:18 PM

cnm is completely right. If you restore an image with hidden malware in it, you'll just keep reinfecting yourself. And don't fool yourself: there are very sinister forms of malware that are very difficult to detect.

That's why many people create an image right after they install Windows with all the updates, and then again right after they install all their trusted security apps.

A reformat is about the best way to nearly guarantee that your system will be totally free of malware. It can take you some time, but you will be starting again with a clean slate.... malware free. If you can make a regular habit of this, you'll be way ahead of the game. ;)

#10 ErikAlbert

    Typical User

  • Full Member
  • 787 posts

Posted 02 February 2005 - 03:40 PM

    A reformat is about the best way to nearly guarantee that your system will be totally free of malware. It can take you some time, but you will be starting again with a clean slate.... malware free. If you can make a regular habit of this, you'll be way ahead of the game.

I second that.
I cherish these two brief moments of having a CLEAN computer twice a year after reformatting my hard disk.
It's like going on holiday. :)
ErikAlbert
Simplicity is always brilliant.

#11 dcdcdc

    Member

  • New Member
  • 3 posts

Posted 02 February 2005 - 08:36 PM

According to this study
http://windowssecret...tudyRelease.pdf
and subsequent analysis by Brian Livingston, the figure is actually only 70% detected using Giant Antispyware and SpySweeper in conjunction.

So am I to take it that most of the remaining 30% would still be undetected by HijackThis?

Have not had to clean reinstall 98SE for 4 1/2 years, and in spite of trying literally hundreds of pieces of software the PC is faster than when I got it. Also only average 2 spam/day. So if, as I probably do, I have spyware, it is more a question of principle at the minute.

Apart from reformatting, is there anything a top tech would do apart from using a process viewer which would also show all open files?

#12 LostAccount

    Forum Deity

  • Trusted Advisor
  • 1,291 posts

Posted 03 February 2005 - 01:37 AM

I think that the study is talking about miscellaneous files such as .ini files and not executable files like .exe, .dll and .inf. These will just slow down the computer (because of the space they consume), but I think that they will not harm the computer.


#13 dcdcdc

    Member

  • New Member
  • 3 posts

Posted 03 February 2005 - 04:15 PM

Good point, LostAccount.
Tried SpySweeper and it found 150 items (over 100 by WindTangent) but they were all residuals.
Will have to investigate further.
