virus/spyware in safe mode


18 replies to this topic

#1 operat0r (Full Member, 6 posts)

Posted 25 July 2006 - 07:49 PM

EDIT EDIT

Edited by operat0r, 29 July 2006 - 10:38 AM.


#2 SWI Support Robot (Helper robot, SWI Bot, 23,533 posts)

Posted 28 July 2006 - 07:11 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please post a link to your log in Not getting help with your log?.

To assure the best advice, it is likely that your helper will want to see an updated HijackThis log. Please post one here in this thread.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 operat0r (Full Member, 6 posts)

Posted 29 July 2006 - 10:39 AM

90% of the time I can boot safe mode and get rid of everything, but once in a while I run into a real nasty one that sticks even in safe mode.

Using Process Explorer there is nothing else running, so it has to be a DLL or a service, right?

What else can it be?

#4 miekiemoes (Malware Expert, Global Moderator, 20,026 posts)

Posted 29 July 2006 - 04:26 PM

Hi operat0r,

To be honest, I have no clue what you are talking about though... get rid of everything? Can you start with posting a HijackThis log? Also let me know WHAT exactly you are dealing with. What your scanner flags (because I assume a scanner is flagging this all the time?)
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow!---My Blog---Follow me on Twitter.
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

#5 operat0r (Full Member, 6 posts)

Posted 30 July 2006 - 07:03 PM

* I don't have a problem. I just want to be able to "stop" a virus.
* I am not a virus n00b. I just want to know how they work and stay running even if killed often.

I just want to know how come I can't "stop" a virus in safe mode sometimes. Is it DLLs or a service? On some computers I kill the virus and it starts back; how does it do this? Is there a list of all the possible things that could allow this to happen? I just want to be pointed in the right direction as far as researching how they can't be killed via taskmgr or procexp.exe etc....

Edited by operat0r, 30 July 2006 - 07:08 PM.


#6 miekiemoes (Malware Expert, Global Moderator, 20,026 posts)

Posted 31 July 2006 - 01:47 AM

A lot of malware runs in safe mode; it depends on where it is loading/starting from.
Read here: http://www.bleepingc...tutorial44.html
It also happens a lot that more than one file is involved and they are watching each other, so when you kill one, the other one is responsible for reinstalling it.
Or it watches itself, preventing itself from being killed.
But there are so many different types of malware and each has its own manner of preventing being killed. You'll also find a lot of info about certain types of malware on most antivirus sites: how it acts, where it loads from, etc....

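A way to see the "watching each other" behaviour miekiemoes describes in the post above, as an added example that is not code from the thread or from any tool it mentions: it replays a constructed process start/stop log of the kind a host monitor would record and reports binaries that come back seconds after being killed, who relaunched them, and which pairs guard one another. The log format, file names and paths are all made up for the illustration.

```python
"""Spot processes that come straight back after being killed.

Added illustration, not a tool from the thread. Input is a constructed
process-event log: one event per line, pipe-separated fields
(time, START or STOP, pid, image path, parent image path).
"""
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

# Constructed sample: svchost and notepad behave normally; guard.exe and
# loader.exe respawn one another; x.exe keeps a second copy of itself
# running that relaunches the first copy when it is killed.
SAMPLE_EVENTS = r"""
2006-07-31T02:00:01|START|1200|C:\WINDOWS\system32\svchost.exe|C:\WINDOWS\system32\services.exe
2006-07-31T02:00:05|START|1340|C:\Program Files\Fake\guard.exe|C:\WINDOWS\explorer.exe
2006-07-31T02:00:06|START|1352|C:\Program Files\Fake\loader.exe|C:\Program Files\Fake\guard.exe
2006-07-31T02:00:20|START|1600|C:\DOCUME~1\user\LOCALS~1\Temp\x.exe|C:\WINDOWS\explorer.exe
2006-07-31T02:00:21|START|1601|C:\DOCUME~1\user\LOCALS~1\Temp\x.exe|C:\DOCUME~1\user\LOCALS~1\Temp\x.exe
2006-07-31T02:01:10|START|1500|C:\WINDOWS\notepad.exe|C:\WINDOWS\explorer.exe
2006-07-31T02:02:00|STOP|1500|C:\WINDOWS\notepad.exe|C:\WINDOWS\explorer.exe
2006-07-31T02:03:00|STOP|1340|C:\Program Files\Fake\guard.exe|C:\WINDOWS\explorer.exe
2006-07-31T02:03:01|START|1410|C:\Program Files\Fake\guard.exe|C:\Program Files\Fake\loader.exe
2006-07-31T02:03:30|STOP|1352|C:\Program Files\Fake\loader.exe|C:\Program Files\Fake\guard.exe
2006-07-31T02:03:31|START|1420|C:\Program Files\Fake\loader.exe|C:\Program Files\Fake\guard.exe
2006-07-31T02:04:00|STOP|1600|C:\DOCUME~1\user\LOCALS~1\Temp\x.exe|C:\WINDOWS\explorer.exe
2006-07-31T02:04:02|START|1700|C:\DOCUME~1\user\LOCALS~1\Temp\x.exe|C:\DOCUME~1\user\LOCALS~1\Temp\x.exe
"""


class Event(NamedTuple):
    time: datetime
    kind: str
    pid: int
    image: str
    parent: str


class Respawn(NamedTuple):
    image: str          # binary that was killed and came back
    restarted_by: str   # parent image of the new instance
    gap_seconds: float  # how quickly it came back


def parse_events(text: str) -> list:
    """Parse the pipe-separated log; paths are lower-cased so that
    differently cased spellings of one file compare equal."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, pid, image, parent = (f.strip() for f in line.split("|"))
        events.append(Event(datetime.fromisoformat(ts), kind, int(pid),
                            image.lower(), parent.lower()))
    return sorted(events, key=lambda e: e.time)


def find_respawns(events, window_seconds: float = 10.0) -> list:
    """Pair every STOP with the first START of the same image path that
    follows it within the window. A normal close (notepad) finds none."""
    starts = defaultdict(list)
    for e in events:
        if e.kind == "START":
            starts[e.image].append(e)
    respawns = []
    for e in events:
        if e.kind != "STOP":
            continue
        for s in starts[e.image]:
            gap = (s.time - e.time).total_seconds()
            if 0 <= gap <= window_seconds:
                respawns.append(Respawn(e.image, s.parent, gap))
                break
    return respawns


def find_watchdog_pairs(respawns) -> set:
    """A and B guard each other when A was relaunched by B and B by A."""
    restarted_by = defaultdict(set)
    for r in respawns:
        restarted_by[r.image].add(r.restarted_by)
    pairs = set()
    for image, parents in restarted_by.items():
        for p in parents:
            if p != image and image in restarted_by.get(p, set()):
                pairs.add(frozenset((image, p)))
    return pairs


def find_self_guards(respawns) -> set:
    """Images relaunched by another running copy of the same binary."""
    return {r.image for r in respawns if r.restarted_by == r.image}


def analyze(text: str) -> dict:
    respawns = find_respawns(parse_events(text))
    return {
        "respawned": sorted({r.image for r in respawns}),
        "watchdog_pairs": find_watchdog_pairs(respawns),
        "self_guards": find_self_guards(respawns),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_EVENTS)
    for image in report["respawned"]:
        print("respawned:", image)
    for pair in report["watchdog_pairs"]:
        print("mutual watchdogs:", " <-> ".join(sorted(pair)))
    for image in report["self_guards"]:
        print("guards itself:", image)
```

The image that keeps returning is rarely the one to chase: the parent recorded on the new instance is the guard, and both have to go in the same breath (or from an environment where neither can run) before the kill sticks.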
#7 operat0r (Full Member, 6 posts)

Posted 31 July 2006 - 02:23 AM

Thanks for the reply!

The part where you said "Or it watches itself, preventing itself from being killed." ok .. well ... that sounds like something a Windows app would @#%ing do :)

I use procexp.exe to kill tasks; is there some kind of better task killer that will kill the task and not let it restart by itself?

I know you can configure services to restart when you kill them.

I wish it was like UNIX: when you type KILLALL -9 it @#%ing kills it!! I mean you can kill the kern if you want, unlike Windows, which is protected from you killing anything that "it does not want you to kill".

Whenever I go to Symantec they just say the basic crap: HKLM/run reg key here or a dll there. I never had one say anything other than "run a scan and it will fix it". I mean come on, tell me how the @$#%^er works so I can kill it next time. I would like to find or write a really in-depth article about HOW these things run and keep running.

#8 miekiemoes (Malware Expert, Global Moderator, 20,026 posts)

Posted 31 July 2006 - 02:52 AM

Hi operat0r,

As I already explained, every type of malware uses different ways to load.
If you already know where it is loading from (and that is what most articles are telling you), then you can have an idea how to remove it. If you search well enough, many of the AV vendors do explain some malware in detail, how it acts.
http://www.f-secure.com/weblog/
http://www.sophos.co...t/disinfection/
http://uk.trendmicro...ncyclopedia.php
http://www.viruslist...es/encyclopedia
and so many more.

By the way, a nice tool is Unlocker: http://ccollomb.free.fr/unlocker/

Anyway, I really can't explain all the tools that I know of and how several types of malware act in this thread.
You have to understand that there are a lot of users here that need help with malware on their system and they are a priority.
If you want to know more about all this, what tools you can use and more about malware in general, I recommend you join bootcamp here:
http://forums.spywar...hp?showtopic=34

#9 esoterica (Full Member, 9 posts)

Posted 31 July 2006 - 02:58 AM

If it was just as simple as writing an "in depth" article on any of this info, then just one in-depth article would contain all the solutions to every problem you could ever run up against, and the MFr's who do this crap would then just figure out a different way to do it and the article you spent all that time writing would be instantly obsolete information.

My first two favorite resources I go to when someone brings me their hosed-up computer after they install this garbage on it are the Symantec web site, which, if it's a known issue and documented already, has a ton more information than "just run this to remove it" on their web site. They ALWAYS have step-by-step directions listed for manual removal. Problem is, just like all the similar sites, you could be infected or affected weeks or months before something gets widespread enough that they catch it and become aware of it before publishing a fix to the problem.

Another one of my favorite haunts for information is the Microsoft Knowledge Base.

If I can't find an answer first at one of those two places, then I know I'm on my own in figuring out how a problem I'm expected to fix needs to be dealt with. A lot of digging into the Operating System and the Windows registry to find little pieces that just don't belong, then methodically ripping them out one by one while searching for more remnants.

#10 esoterica (Full Member, 9 posts)

Posted 31 July 2006 - 03:03 AM

What I would really like to know is how do all you people manage to install this garbage on your computers in the first place?

I have a house full of computers and I have never once had a single problem. I run zero crappy antispyware nor do I run any of the crappy antivirus software that slows your system down worse than if you had one of the viruses it's supposed to be preventing.

Never once, a single problem, ever!

All the xxxxxx that bring me their computers to fix for them always say the same thing "I didn't install anything" or "I didn't change anything", always I didn't I didn't I didn't. Well, you must have because there it is.

Edited by miekiemoes, 31 July 2006 - 03:10 AM.


#11 miekiemoes (Malware Expert, Global Moderator, 20,026 posts)

Posted 31 July 2006 - 03:08 AM

I am going to move this thread since this is not a malware problem, but rather asking/telling some general info. :)

esoterica, can you watch your language please?

#12 esoterica (Full Member, 9 posts)

Posted 31 July 2006 - 03:19 AM

Sorry, I never met anyone who considered "moron" a bad word; it's in the dictionary...

http://dictionary.re...om/browse/moron

and not referred to as any type of profanity in its definition.

#13 operat0r (Full Member, 6 posts)

Posted 31 July 2006 - 05:32 AM

Thanks for the reply. I did go to the boot camp but you guys are WAY too picky with the way you do repairs. I do the "remove everything and reboot": whatever is running when you start up is the virus, simple as that. I know some people don't have the pleasure of removing all the startup items and BHOs.

I am currently looking into the 2 little bat programs that use locate and string and find ... I will toy with them and figure out what they actually DO ..

As for esoterica's post .. It appears to me they all do the same stupid crap and are found in the same place over and over again since the dawn of Windows 95. Ok, maybe with the c:\docs and settings, temp and other folders you find them in, but really they all end up in 1 of like 5 places.

I just need to get a copy of a few nasty ones and see how they "stick". I think it is services or dlls and then you got your BHOs; other than that and startup there is not much more. Ok ya, old school stuff like win.ini and system.ini, but that's stupid stuff. I know if it is a service that can be easily found, but as for if it is some kind of dll ..... that would be a pain in the arse .. that is why that string.exe and such interest me. I was thinking of a large database of somewhat known common dlls, but then you get the arses that use common file names. Then I was thinking of a more advanced database with an md5 hash for every known version of that dll.... But that is only if that is a common way they stay injected.

Just a thought: I have a few scripts I run for cleanup you may find interesting
http://rmccurdy.com/scripts/ not all the quick*.exe's (you can open them in WinRAR etc.; they are just SFX files with bats and a few other things in them)

the quick host needs to be updated and I would like to finish the easy outlook but .... I hate Outlook; I force my clients to use Eudora when they have too many probs with email.

Again, thank you for your time. I know it is hard to read long messages when you have loads of xxxx that can't even follow directions.

PS. Oh, as for your Unlocker, procexp.exe can do that with the find button and kill the thread or whatnot. I did however note the "unload dll"; I do have a dll killer.exe that is old as dirt, I shall update it with this. Thanks again.

Edited by miekiemoes, 31 July 2006 - 02:11 PM.

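operat0r's hash-database idea from the post above, carried through as an added example (not a script from rmccurdy.com or anything else the thread links to): a baseline of DLL contents is built from a trusted tree and a second tree is audited against it, so a file hiding behind a common DLL name is caught by its hash, not its name. The directories, file names and file contents are constructed; SHA-256 stands in for the MD5 mentioned in the post because MD5 collisions are cheap to manufacture today.

```python
"""Audit DLLs against a content-hash baseline so a malicious file cannot
hide behind a well-known name.

Added example, not a tool from the thread. The baseline maps every DLL file
name under a trusted reference tree to the set of hashes seen for it
(several versions of one DLL are all legitimate). Each DLL in the audited
tree gets one verdict: known, impostor (familiar name, contents match no
known version) or unknown (a name the baseline has never seen).
"""
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import NamedTuple


class Finding(NamedTuple):
    name: str     # lower-cased file name
    path: str
    verdict: str  # "known", "impostor" or "unknown"


def hash_file(path: str) -> str:
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_dlls(tree: str):
    """Yield (lower-cased name, full path) for every .dll below tree."""
    for root, _dirs, files in os.walk(tree):
        for name in files:
            if name.lower().endswith(".dll"):
                yield name.lower(), os.path.join(root, name)


def build_baseline(ref_tree: str) -> dict:
    baseline = defaultdict(set)
    for name, path in iter_dlls(ref_tree):
        baseline[name].add(hash_file(path))
    return dict(baseline)


def audit_tree(target_tree: str, baseline: dict) -> list:
    findings = []
    for name, path in iter_dlls(target_tree):
        digest = hash_file(path)
        known = baseline.get(name)
        if known is None:
            verdict = "unknown"
        elif digest in known:
            verdict = "known"
        else:
            verdict = "impostor"
        findings.append(Finding(name, path, verdict))
    return sorted(findings)


def _write(tree: str, name: str, data: bytes) -> None:
    os.makedirs(tree, exist_ok=True)
    with open(os.path.join(tree, name), "wb") as fh:
        fh.write(data)


def run_demo() -> dict:
    """Constructed scenario: a reference tree holding two service-pack
    versions of msvcrt.dll plus wininet.dll, and a suspect tree where
    msvcrt.dll carries foreign bytes and an extra iesrch.dll has appeared.
    Returns {name: verdict}."""
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as suspect:
        _write(os.path.join(ref, "sp1"), "msvcrt.dll", b"MZ constructed msvcrt build A")
        _write(os.path.join(ref, "sp2"), "msvcrt.dll", b"MZ constructed msvcrt build B")
        _write(os.path.join(ref, "sp2"), "wininet.dll", b"MZ constructed wininet build A")
        _write(suspect, "WININET.DLL", b"MZ constructed wininet build A")      # unchanged copy
        _write(suspect, "msvcrt.dll", b"MZ constructed dropper using a common name")  # same name, new bytes
        _write(suspect, "iesrch.dll", b"MZ constructed toolbar nobody asked for")     # never seen
        baseline = build_baseline(ref)
        return {f.name: f.verdict for f in audit_tree(suspect, baseline)}


if __name__ == "__main__":
    for name, verdict in sorted(run_demo().items()):
        print(f"{verdict:8} {name}")
```

The baseline has to come from a machine you trust (a fresh install at the same patch level), since hashing the suspect box against itself only proves it matches itself.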

#14 mjc (Retired Staff, 36 posts)

Posted 31 July 2006 - 03:02 PM

esoterica...it is very simple.

You probably don't run a default Windows setup. In fact, I'm willing to bet that you don't do HTML email, have scripting enabled in your browser or do several dozen other things that the typical user running Windows does. I bet you also keep on top of updates, too.

'Drive by' infections DO EXIST and are a fact of life.

Most of these types of infections are in existence because of holes, flaws and errors in the basic Windows code. Most people do not patch, do not follow security updates/practices. In fact many of them will scream if you want to tighten things up enough so they won't get infected...

Just because they don't know any better, doesn't make them mentally deficient.
“When men yield up the privilege of thinking, the last shadow of liberty quits the horizon.” - Thomas Paine

#15 esoterica (Full Member, 9 posts)

Posted 02 August 2006 - 12:02 AM

operat0r my good person,
Your desire to learn more is very admirable; the world certainly needs more people like you rather than being overstuffed with people who just partake in the endless cycle of infecting themselves, then expecting others to just always fix it for them, not truly caring how they got infected in the first place, not caring how it got fixed, just confident that someone will always be there to fix it for them. These are the exact people who often annoy me, because they'll just keep making the same dumb mistakes over and over again and again. It's not just viri, spyware or any of the other likes they do this with either. I fix more computers for people who have just installed extremely poorly written yet well-intended drivers or software than systems infected with anything truly "bad". Poorly written drivers can stop a computer dead in its tracks without even being able to boot up at all. You fix it for someone who thinks they have a virus, you tell them it wasn't a virus, it was the drivers you installed for that fancy keyboard you just bought, and 1 day later they are bringing the computer back to you because they no sooner got it back and turned right around and installed those drivers again after you told them the drivers were causing their problem. I see it happen again and again.

[quote name='operat0r']I just need to get a copy of a few nasty ones and see how they "stick". I think it is services or dlls and then you got your BHOs; other than that and startup there is not much more. Ok ya, old school stuff like win.ini and system.ini, but that's stupid stuff. I know if it is a service that can be easily found, but as for if it is some kind of dll ..... that would be a pain in the arse .. that is why that string.exe and such interest me.[/quote]

Well, how about this: I typically look for web sites that are infecting people with this stuff in an effort to stop it before it happens by contacting the host service and getting the web site shut down. It's about 75% more effective, I'd guess, than just telling people not to do something or counting on this or that software to protect you.

I read your request yesterday and have been searching since reading it for a good example to supply you with. Better than just giving you the infected file I thought it might be best to instead take you in your quest all the way to square one, to an active web page with content that would lead a person into thinking they were getting what they were looking for, when in fact they are directly exposing themselves to a Trojan.

WARNING:
The link (sorry, it was the best example I could find for you) contains explicit material. Unfortunately, most of the websites people are getting infected from contain such material, so finding you a good example on a less offensive web site was proving to be difficult. If such content offends you, close one eye and consider your purpose there solely for the sake of science and research.

Opening the main web page poses no real risk; delete all your cookies after doing so though...

Pornographic link removed - Indrid_Cold

We won't comment further on the rest of the page in non-scientific detail, but concentrate instead on how the biggest misconception most people have exists. You'll note there are no links or content here that say, "click here and download a virus, trojan or spyware". I swear to you, most people seem to subconsciously believe that they can spot such things much in the same way you'd think you would spot a snake on the side of the trail getting ready to bite you. Oh, a snake, I'll step around it and it won't bite me. It's important to understand computer infections are better crafted to not be obvious.

Next thing to note, another big misconception: as you open that web page no antivirus software you may be running warns you of any problems, certainly not the real pending threat contained within the page. Antivirus software up to date? Got all the latest Windows security fixes installed? If not, go ahead and do so before we proceed. Got all your antispyware defenses up and working?

Wow, you've done everything you've been advised by the experts to do, yet on that page, there it sits, a Trojan infection just waiting for its next victim. Most people are under the misconception, and this is a fine example and important to note, such warnings, bells and whistles do not occur all too often as they may otherwise be expecting to happen.

So our hapless porn-surfing little freak wants to add one of the video clips on that page to his already extensive collection. He's smart, he's been educated, has his antivirus software up and running. He proceeds still with caution, hovers his mouse over the link that says "Click here to download Extra High size 193.46Mb". Notices at the bottom of his browser what he's about to download is listed as...

Pornographic link removed - Indrid_Cold

Hmm, he thinks, it's ok, it's just a .wmv file, so all it is is a movie file, not a script or anything dangerous, cool, he clicks on it. Gets a pop-up that says right click to save target as; normal, nothing off about that. He does so, notices that he is actually downloading a .wmv Windows Media Video file. The file downloads to your computer, it's the same size the website said it should be, it shows up in Windows with a Windows Media Player icon just like any other video file would.

We have here though a smarter-than-average porn surfer in our example. Just to be safe, he decides maybe I better virus scan this file before I actually open it, so he does; hmm, no problems with the file detected. We'll go one step further: he shuts off his antivirus software and goes online to one of many free web scans offered, like Panda or Symantec, and again scans the file there (since we are doing this for research, feel free to do the same). No problems found with this file. Clearly, if every antivirus and antispyware program out there isn't detecting any problems with this "bat-reg-006-xl.wmv" file, it must be safe (note also the file could be named anything; why they chose that name I have no idea. You could even change the name of the file to "trojan.wmv" on your local computer if you wanted to and it wouldn't matter, it still wouldn't get detected as such).

So anyhow, back to our discussion here for scientific purposes: you said you would like to get hold of a nasty one for you to analyze further. There you have one now. It's a great example for you to further study because it's easily hidden, easily tricks people into accepting it, and doesn't get detected by your antivirus software when you're downloading it or after it's sitting on your computer.

I have a couple of people's computers here that they brought me to fix for them; they are running three examples of the most popular antivirus software out there and I infected all three of them with this in a closed environment to see how the various antivirus programs would respond. Not a single one of them picked up the infected file. In one case with one of them, the only reference after a virus scan (and I purposely infected the machines with this file by running it), I noticed in the scan log it detected something; unfortunately though, it didn't detect it as even the right virus.

What this file is actually infecting you with is a Trojan known as "Trojan.Wimad" (amongst its other names).

What I found in the scan log of one antivirus program was it detected this infection as adware, not a Trojan, "isearch" to be more specific, and it referenced a file that didn't even exist in the %windir%\downloaded program files\initial.inf

It also picked up a new spyware entry after the infection listed as "iesearchtoolbar" within the Windows registry.

Again, making this infection a great example for your research project, let's look into what Symantec's website tells us about how to remove what a different antivirus program is now telling us we got infected with. We do a search on the Symantec website for "isearch" and we find details on how to remove it...

http://www.symantec..../...-99&tabid=3

Here's an interesting thing to note: if you go through all the listed steps in search of .dll files and registry entries referenced for the removal of the isearch infection, you're going to find that none of it exists on your computer, leading you to believe you're not actually infected, despite a Panda scan telling you that this infection does exist on your system. Now, since we've done this in a controlled environment for test purposes, we also know what Panda detected, and the others didn't detect anything at all, isn't even what we've purposely infected ourselves with. Making it even more interesting is the question of how, if none of the isearch .dlls or registry entries exist, did Panda wrongly detect this Trojan infection as only an isearch adware or iesearchtoolbar spyware infection?

So, anyhow operat0r, this is a great example for you of an infection that isn't using .dll or .inf files or any of the other forms of delivery you refer to as "basic" to infect you with, and your antivirus software isn't even going to pick it up, despite it being a well "known" infection you'll find reference to on all the antivirus web sites.

Panda even has screen shots of the infection taking place, you'll recognize these same screen shots if for the sake of interest and scientific research you purposely infect yourself with this...

http://www.pandasoft...n...7266&sind=0

Here is further reference to this infection as well...

http://smallbiz.syma...p...-99&tabid=1

http://xforce.iss.ne...orce/xfdb/19268

If a person wasn't experienced in such matters, they probably wouldn't even know they were infected in the first place, and if they relied solely on their antivirus program for protection, they'd have detected the wrong type of infection and, if even semi-sharp, would have to question and wonder why it detected this (wrong) infection despite none of the files or entries for the (wrongly) detected infection seeming to exist.

By the way, thank RIAA for this new method of infection payloading by their demands for Digital Rights Management being required in your media player software and your antivirus software being prevented from preventing it from happening.

mjc,
You're correct for the most part about me. I do have an advantage, I suppose; my first computer was many years ago a 386, which is probably older than many of the people reading here, and I doubt I've been away from a keyboard for longer than one day ever since then. Where I'll bet you're wrong about me though is you probably guessed I don't use the IE web browser, which would be wrong; unless I'm on one of my various UNIX-based systems, where I can't, I use the IE web browser exclusively. I also don't install any additional software on my computer unless it's something not built into Windows already that you absolutely need to operate, like PDF file readers or decent photo editing software, etc. No Quicktime, Real Player, Yahoo Messenger or any of the continuing long list of similar garbage software. I'm the same with hardware drivers: I never install hardware which absolutely requires you to also install their drivers (and usually a bunch of garbageware along with it). The built-in Windows drivers work bug-free for me 99.9% of the time for any additional hardware devices I may require.

The trade-off I get far outweighs the risks because I have a computer that runs fast, responds without delays, boots up in seconds and is far easier for me to regularly maintain.

I noticed someone's HJT log they posted here the other day who I was initially going to try to help till I saw their log file. I can't easily find the specific post now or I'd link to it so you could see what I mean. They weren't infected with whatever it was they initially thought they had; they were infected by other simple things that could have been easily fixed, and the funnier part was, they were infected with several simple things despite having, which you could also tell from the log file, antivirus, software firewalls, and just about every kind of antispyware pop-up blocking software known to man installed.

Just looking over their log file and seeing McAfee this and that listed in almost every other line of garbage running on that system was enough for me to lose my interest in wanting to help them. I figured with all that garbage installed and running in the background on that system it must take them 45 minutes just to boot up from a cold start, 1000 times what it should take for a web page to open or an app to start, and a system that must just run so slow or be so robbed of available resources that even if you could help them, it wouldn't matter; a person like that will just turn right back around and turn all that garbage back on.

Oh, I do by the way, which I should have mentioned, run a very good quality hardware firewall (not a software firewall) between my LAN and the WAN.

#16 Indrid_Cold (Forum Deity, Retired Staff, 7,070 posts)

Posted 02 August 2006 - 01:21 AM

esoterica,
Posting links to infectious or pornographic websites is a sure way to earn yourself a vacation away from these forums. Please do not do so again.

Thank you for your anticipated cooperation.
Hope is not a method.

If I have helped in some way, please consider donating to SpywareInfo's crusade against Malware See Here

Member of ASAP since 2004 Alliance of Security Analysis Professionals
Member of UNITE since 2006 United Network of Instructors and Trained Eliminators

Fight back Malware Complaints

#17 esoterica (Full Member, 9 posts)

Posted 03 August 2006 - 02:40 AM

[quote name='Indrid_Cold']esoterica
Posting links to infectious or pornographic websites is a sure way to earn yourself a vacation away from these forums. Please do not do so again.

Thank you for anticipated cooperation.[/quote]

A given, I didn't think it was that great of an idea when I did it, though I did clearly state in doing so exactly what it was I was linking to when I did it.

Unique though to this web site, I've yet to find a post here where anyone has taken the actual time like I did to find an infectious website and bring it here as a clear what-not-to-do-in-the-first-place example for everyone.

The second phase intended of my post was to instruct step by step, after being infected by such an example, how you locate it and remove it when all the software the almighties here suggest doesn't work in either the prevention or removal of such problems.

It was a perfect example, and probably why you removed the link, displaying exactly how all your suggestions and "expert" advice offered here clearly doesn't work. It was a prime example of how everything this web site suggests as expert advice doesn't work.

You removed the link I gave as a very hard-to-find example; that offends me because it wasn't easy for me to just spend countless hours looking for that perfect example. Sure, I could have put the example up on one of my own many web sites, but it would put me in direct violation of my contract with them and cause one of my many web sites I'm actually paying money for to get shut down. There is no legal defense in saying I just put a Trojan up on my hosted website as an example, and rightfully so.

I won't repost the link, in respect for your ignorance in removing it; I'll go ahead now and do what I do, get the web site shut down, but in your taking over my initial instruction to the original poster I'd certainly like to see a written report from you as to why all the antivirus and antispyware software this web site suggests to its readers has absolutely zero effect on protecting them from the exact link I looked hard for and published a live example of here.

My own thoughts are, you didn't edit the link because of its actual content; you edited the link because it proved all the advice you give here isn't 100% solid, and that link clearly proved all the best of advice offered here to people who accept it all as being solid is anything but solid.

Please though, "Indrid_Cold", in removing the actual link through your own obviously better infinite wisdom in doing so, explain how all the crappy software suggested to prevent such an infection fails. Then please also explain to everyone how they remove such an infection from their own system when your best suggested AV software knows of the threat but still is unable to recognize it, like that perfect example.

If you're incapable of doing that then I highly suggest you re-edit my post, put the link back and I'll go into what you're obviously incapable of doing and explain to everyone how you detect such a threat when all your defenses fail to detect it, and furthermore how you go about removing it. Did you do a search on that infection? No one tells you how to remove it; they all tell you to buy and install their AV software to get rid of it. Funny, how is their AV software going to get rid of it when all the AV software can't even properly detect it?

You know what, you fool, go ahead and coach everyone on this. I'll take a back seat and not care if my own mother is infected with this; not a chance in hell, thanks to you, I'll help anyone with it. As people get infected with it because there isn't any AV software out there capable of detecting or removing it, we'll let everyone come to you for instruction on how to remove it. Go ahead please, brilliant one, begin explaining to us how do you remove this?

#18 Indrid_Cold (Forum Deity, Retired Staff, 7,070 posts)

Posted 03 August 2006 - 04:40 AM

[quote name='esoterica']A given, I didn't think it was that great of an idea when I did it,[/quote]

It has been said that your first guess is usually the correct one and at least in this case that would prove to be true.

[quote name='esoterica']I'll go ahead now and do what I do, get the web site shut down,[/quote]

Pleased to hear that your time and labors will bear some fruit.

Intelligent discussion and debate are always welcome here esoterica. Personal attacks and name calling are not. I would strongly suggest that you take this as an opportunity to once again reinvent yourself while you still have the time and we still have the patience.

#19 operat0r (Full Member, 6 posts)

Posted 08 August 2006 - 04:53 AM

[quote name='esoterica' date='Aug 3 2006, 04:40 AM' post='443359']No one tells you how to remove it, they all tell you to buy and install their AV software to get rid of it. Funny, how is their AV software going to get rid of it when all the AV software can't even properly detect it?[/quote]

I agree. The way items are injected is not really my question. It is more of how do they stay running even after I kill them.

Let me sort of go over how I clean a system...
1) First I run a mass cleaner I wrote (deletes temp files and all such all over)
2) If I see a lot of procs running I run cax.exe, which will kill all procs by user (this works GREAT because whatever is left over is a virus or some kind of service or security software)
3) I boot safe mode and do an online scan, "Panda ActiveScan Pro"

Now most of the time (90%) this will clean everything up, BUT sometimes I have to use tools like HJT and Autoruns.exe to kill any and ALL startup BHOs etc..

When all of that fails I end up with a machine that is still "running" this EXE that may change names and somehow @#%^ing restart itself. "Somebody else noted that programs in M$ can watch themselves; I don't see how this is @#%ing possible." In *NIX you kill a task ... IT DIES and stays dead... If this is the case, is there some kind of "kill this process, NO REALLY KILL IT AND STAY KILLED", maybe some kind of bat file I could write that would kill a task and rename it instantly before it restarted itself.

Other than services, dlls and (possibly INF files) I just wonder how these programs stay running. I noted before I am looking into the little bat file apps you guys use

finditnt2000xp
rkfiles.zip

that seem to search for some kind of string or something; I can't quite figure out how they work. If anybody has any resources or can tell me what these programs search for, let me know. With these bat files it seems like you can find any dll that is a potential bad-guy dll.

Again, thank you all for your time and input. I plan on posting my findings "or lack thereof" on a www.TWATech.org webcast. I have been taking the time to copy or reproduce one of the "nasty" ones; it turns out it was a DLL, but with the insane amount of dlls and bogus dll names, legit services, how in the hell do I find them.

Member of UNITE