Stopping Unstoppable Malware?
A frustrated troubleshooter asks: "I've recently been asked to fix a friend's computer, and for once, I'm stumped. There is a piece of malware on his computer that puts up Aurora popup windows. Neither Spybot nor Ad-Aware detect this, so I've had to try to manually clean the system. However, the files re-write themselves, making the malware grow back as fast as you can remove it. The only 'solution' is to run an uninstaller written by the people who wrote the Aurora pop-up itself. Has anyone dealt with this particularly painful piece of pop-up programming, and if so, how have you successfully removed it?" What other pieces of Malware have you found that were difficult to remove? Aside from using programs like the aforementioned Spybot and Ad-Aware (and others of their ilk), what other methods of Malware removal have proven to be the most successful?
You're half way there (Score:5, Informative)
Re:You're half way there (Score:2)
Scan with one, clean, scan with another, clean more... always on the bad systems it is needed for both viruses and spyware.
Random anecdote... I got a call from a sales person at Panda AV, trying to get a feel for what we sell. They asked if I had ever tried their software. Truthfully, yes, I ran a scan on a system and cleaned a tonne of stuff off it, then ran Trend and cleaned more. I told the
Re:You're half way there (Score:2)
two things... (Score:1)
Re:two things... (Score:3, Informative)
Re:two things... (Score:2)
Re:two things... w/ links (Score:3, Informative)
KillBox [bleepingcomputer.com]
Tech Guy Support Forums [techguy.org]
and most notable: MyPCTuneUp [mypctuneup.com] which I am assuming is that Aurora Uninstaller you were talking about. According to the forum link above, the uninstaller really works. And it can't hurt to try, considering Aurora has already hijacked your PC, what more can an uninstaller do besides uninstall the malware.
And from personal experience, I've had a few Malware uninstallers from the official comp
Re:two things... (Score:3, Insightful)
I ended up with something installed, it was very odd:
1. It was not a separate process, it bound itself to IE. No process to end other than IE, and in a work environment where Firefox is not an option that's a problem.
2. When uninstalled and files deleted it reinstalled itself. The files had to be deleted manually. Yet they reinstalled with random file names, the only way to identify them was by working out they were always a combo of 5 letters and had the same file size.
3
Re:two things... (Score:2, Insightful)
You're kidding, right? This stuff makes it harder to keep your PC safe. Expect it to become dominant.
Here's how to do it on Win2k (Score:5, Informative)
step 1) try to kill off all the procs you can. Most malware will say "Access Denied", but some can be killed.
step 2) delete all the DLLs and ActiveX controls from your IE Downloads directory. Many of them will be held 'open' and won't be deletable.
step 3) check the start menu -> Startup folder. Delete any links from here that aren't familiar.
step 4) open your system services (from Computer Management; Administrative tools, whatever). Check for any services that look fishy. I typically sort them by status and look at the 'started'/active services.
step 5) open the registry (RegEdit) and search for "RunOnce"; directly above it will be "Run". We don't search the registry for "Run" because it appears like 1000 times. Delete any keys in the "Run" folder that don't look right. Search about 3 more times for this entry - it appears in multiple places.
step 6) unplug the machine (DON'T power it down). Some malware will try to reinsert registry keys at shutdown. Worst case scenario here is that you get a checkdisk warning/error at startup.
step 7) start the machine back up in DOS mode (or Safety with DOS prompt). Go back to the Internet Explorer Downloads directory and delete the DLLs/ActiveX controls. They should get deleted now because the malware processes won't be holding the files open.
step 8) Reboot.
step 9) open the registry back up and see which processes re-inserted registry keys in the "Run" folder (see step 3 above).
I had one particularly nasty one (News.net) that Spybot couldn't delete. I finally killed it by using the process I described above. The trick with news.net, however, was to pull the plug IMMEDIATELY after deleting the registry key. The malware process re-inserts the registry key every 2 seconds, so I had to delete the key and pull the plug on the machine before it could re-insert the registry entry. One of the tricky things that news.net did was not allow me to search in RegEdit. So I used Spybot's startup/registry tool to remove the key. News.net was somehow able to circumvent Spybot's registry blocker.
As I'm writing this, I'm using a Windows 2k(sp2) machine from 2001. It hasn't been remastered since then and it's my daily driver. Interestingly, I've never done a single Windows Update on it, and I have fewer problems with exploits and malware than I've had on the 4 other machines that I've had to remaster (again and again) that I ran Windows Update on frequently. Maybe none of the malware writers are wasting time with the old exploits because they figure they've all been patched. Luckily for me, by not doing Windows Update, I've saved myself from all of the Exploits that the new patches have created.
I'm running Office 2000, Firefox, and Thunderbird. I never ever use IE or Outlook, ever. Oh yeah, and I also use a modified hosts file (from http://accs-net.com/hosts/ [accs-net.com]) for ad/malware blocking.
Oh yeah, and use TeaTimer and SpybotSD services to prevent new spyware/malware.
Happy computing.
Re:Here's how to do it on Win2k (Score:2, Informative)
Re:Here's how to do it on Win2k (Score:3, Informative)
I've had some malware manage to autoexecute from there. The last one was particularly surprising.
Also, permissions in the registry can cause a lot of problems.
This said, there is ALWAYS a way to remove malware... WITHOUT having to cut the power dangerously. The key steps are always:
1) Close all of its running components.
2) Find and remove all of its
Re:Here's how to do it on Win2k (Score:5, Interesting)
Re:Here's how to do it on Win2k (Score:5, Informative)
at 14:32
That will produce (at 2:32pm) an instance of the Task Manager running as 'Local System', which has even higher privileges than Administrator. From there you can kill nearly everything!
XP? (Score:2)
Re:XP? (Score:2)
Re:Here's how to do it on Win2k (Score:2)
Re:knoppix & ntfs (Score:2)
I tried `mount -t captive-ntfs
I don't fancy having to roll my own.
Re:Here's how to do it on Win2k (Score:4, Informative)
Works best on things that do the service and run at startup tricks.
I dare say this will be lost in the arms race eventually, but a useful weapon nevertheless.
Re:Here's how to do it on Win2k (Score:4, Informative)
But often you can rename them even when you can't delete them. It's always worth a try. On reboot it can't find the offending file.
Re:Here's how to do it on Win2k (Score:3, Informative)
If you get access denied error messages, the chances are that the executable is running as a service. In which case:
1. Open regedit
2. Browse to HKLM\System\CurrentControlSet\Services
3. Search the registry for 'data' that matches the executable name.
4. Start > Run > Services.msc
5. Find the service located in step 3
6. Stop and disable the service.
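An added example, not code from the thread, covering the registry and services steps of the Win2k walkthrough above and the service lookup in this post: a read-only PowerShell listing of the Run/RunOnce keys, the Startup folders and the auto-start services with the binary each points to, plus a couple of cheap triage flags, so entries can be reviewed before anything is killed or deleted. It assumes PowerShell 3 or later (Get-CimInstance, -File) on a current Windows; the same keys exist on the Win2k/XP boxes in the thread, but this script would not run there.

```powershell
# Added example (not from the thread). Read-only: it lists autostart entries and
# never removes them. Assumes PowerShell 3+ for Get-CimInstance and -File.

function Get-ImagePath {
    # Pull the executable out of a command line such as
    #   "C:\Program Files\Foo\foo.exe" /silent   or   C:\WINNT\zbkiebmtvti.exe
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($CommandLine.Trim() -split '\s+')[0] }
    # Service ImagePath values often use %SystemRoot%-style variables.
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-AutostartEntries {
    $entries = @()

    # 1. Run / RunOnce keys, machine-wide and per-user (the keys the Win2k post
    #    hunts for by hand with RegEdit's search).
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($v in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($v.Name -like 'PS*') { continue }   # PSPath, PSParentPath... are not registry values
            $entries += [pscustomobject]@{
                Source = $key; Name = $v.Name; Command = [string]$v.Value
                Image  = Get-ImagePath ([string]$v.Value)
            }
        }
    }

    # 2. Startup folders for the current user and for all users.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        foreach ($f in (Get-ChildItem -LiteralPath $path -File -Force -ErrorAction SilentlyContinue)) {
            $entries += [pscustomobject]@{
                Source = $path; Name = $f.Name; Command = $f.FullName; Image = $f.FullName
            }
        }
    }

    # 3. Services that start automatically, and the binary behind each one
    #    (the lookup the post above does through HKLM\...\Services by hand).
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -eq 'Auto' })) {
        $entries += [pscustomobject]@{
            Source = 'HKLM:\SYSTEM\CurrentControlSet\Services\' + $svc.Name
            Name   = $svc.DisplayName; Command = $svc.PathName
            Image  = Get-ImagePath $svc.PathName
        }
    }
    return $entries
}

function Get-TriageFlags {
    # Cheap signals drawn from the thread, not proof of anything: the image is
    # gone (renamed or moved, cf. the recycle-bin trick later in the thread), or
    # it lives somewhere a limited user can write to rather than under the
    # Windows or Program Files trees.
    param([string]$Image)
    if (-not $Image) { return }
    $flags = @()
    # Bare names like rundll32.exe are resolved through PATH, not Test-Path.
    $present = if ($Image -match '[\\/]') { Test-Path -LiteralPath $Image } else { [bool](Get-Command $Image -ErrorAction SilentlyContinue) }
    if (-not $present) { $flags += 'image-missing' }
    if ($Image -match '\\(Temp|Temporary Internet Files|Local Settings|Documents and Settings|Users)\\') {
        $flags += 'user-writable-location'
    }
    return $flags
}

# Flagged entries sort to the top; everything else is listed for manual review.
$report = foreach ($e in (Get-AutostartEntries)) {
    [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Image = $e.Image
                       Flags  = (Get-TriageFlags $e.Image) -join ',' }
}
$report | Sort-Object Flags -Descending | Format-Table -AutoSize
```

Run it once before cleaning and once after the reboot in the Win2k post's step 9; whatever reappears in the second listing is the entry something running is re-inserting.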
Re:Here's how to do it on Win2k (Score:2)
Also, IIRC NT4 allows you to rename a locked file from the console. So you can rename all the files, reboot, and delete them.
Re:Here's how to do it on Win2k (Score:2)
Re:Here's how to do it on Win2k (Score:2)
Re:Here's how to do it on Win2k (Score:2)
The post above has some registry edits to fix the problem. However, I can tell you that won't always fix the
Aurora is FAR more malicious than that. (Score:5, Interesting)
step 5) open the registry (RegEdit) and search for "RunOnce"; directly above it will be "Run".
Sadly, you can't do that with Aurora [I was up with it until 5AM last night, and I'll be at it for the rest of tonight, and much of tomorrow]. I'll expound on the registry stuff in a moment, but first let me outline a few other things you'll have to deal with.
Aurora installs at least two services [Start | Programs | Administrative Tools | Services]; they're down at the bottom, called "Win" this, and "Win" that [I forget the exact names, but they're pretty obviously malware services]. It also installs executables and "cabinet" [.CAB] files all over your computer, as well as desktop links and web browser plugins, and probably a whole host of other things I didn't discover. And every user who logs in after the infection will get copies of this crap installed throughout the entirety of their "Documents and Settings" folder.
If you have a second copy of the operating system [at worst, take the hard drive out and install it in another computer as a secondary drive], then you can search the entire hard drive for files that were introduced on or later than the date of infection and delete MOST of the crap that was installed.
However, in our case, the underlying file that invoked "Aurora" was \WINNT\zbkiebmtvti.exe [it might have a different name for you], but it was somehow installed with a modification date of 04/09/2004 [our infection was yesterday, 05/08/2005], so a simple search on recently-modified files will not find that one [and may not find other newly-introduced files, with fake modification dates, that are lurking in other parts of your hard drive].
However, even if you disable the services installed by Aurora, and even if you could delete all the files it installs, it does something FAR more malicious - something that I've never before seen in malware, which gets back to the point I wanted to make at the beginning of this reply: At or near the registry point HKLM\Software, Aurora inserts an "infinitely large" subtree into your computer's registry [I assume that they used either the maximum size of a registry subtree in Windows, or the maximum size of an entry in the underlying MSJet database, or something similar]. When either regedit.exe or regedt32.exe encounters this "infinitely large" subtree, they both crash, and tend to exit Dr Watson style [I guess it never dawned on the poor guys who designed regedit.exe and/or regedt32.exe that someone would do something quite so evil]. You can't search beyond this "infinitely large" subtree, and neither regedit.exe nor regedt32.exe are capable of deleting any of its branches [at either the beginning of the subtree, or at its end], so you can't do the old trick of searching for "RunOnce" and then moving up one key to get to Run.
Anyway, it seems to me that anyone who would do something as malicious as purposely inserting an "infinitely large" subtree into your registry, with the intent of crashing regedit.exe and regedt32.exe, is precisely the sort of person who would install a keyboard sniffer to record your VISA and Mastercard info. So I'm basically wiping the drive clean and reinstalling the operating system from scratch.
Quite frankly, if I ever meet the bastards who wrote this crap [and who thought that it would be some kinduva nifty-cool business plan to go around inserting "infinitely large" subtrees into people's registries], then I will be sorely tempted to shoot them and throw their God-damned corpses in a swamp.
And no, I am not kidding.
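An added example, not code from the post: a PowerShell sweep for files introduced since the infection date, written to catch the case the post describes, where the dropped file carries a back-dated modification time. NTFS stamps CreationTime when a file lands on the volume, and a copy or extraction does not carry that over, so the sweep reports a file if either timestamp is on or after the date, or if its creation time is later than its last-write time. The root folder, the extension list and the date are assumptions to adjust.

```powershell
# Added example (not from the thread). Lists files that look new since a given
# date, including ones whose modification time was set into the past.

function Find-IntroducedFiles {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][datetime]$Since,
        # File types a dropper typically leaves behind; adjust as needed.
        [string[]]$Extensions = @('.exe', '.dll', '.cab', '.sys', '.ocx', '.scr')
    )
    $since = $Since.ToUniversalTime()
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $created = $_.CreationTimeUtc
            $written = $_.LastWriteTimeUtc
            $reason = $null
            if ($created -ge $since) {
                # Landed on this volume on or after the infection date, whatever
                # its write time says: this is the case a "modified since" search misses.
                $reason = 'created-since-infection'
            } elseif ($written -ge $since) {
                $reason = 'written-since-infection'
            } elseif ($created -gt $written.AddMinutes(2)) {
                # "Modified" before it was created: the write time was carried over
                # from somewhere else or set deliberately. Two minutes of slack
                # absorbs clock and filesystem granularity.
                $reason = 'write-time-earlier-than-creation'
            }
            if ($reason) {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Created = $created
                    Written = $written
                    Reason  = $reason
                }
            }
        }
}

# Sweep the Windows directory using the infection date from the post
# (a constructed value for this example; use the real one).
Find-IntroducedFiles -Root $env:SystemRoot -Since '2005-05-08' |
    Sort-Object Created -Descending | Format-Table -AutoSize
```

Ordinary installers and CAB extraction also preserve original write times, so the third category is a list to check against a known-clean copy of the OS, not a verdict on its own.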
Re:Aurora is FAR more malicious than that. (Score:2, Funny)
Perhaps you can find a 'registry' to shove that 'infinitely large tree' up.
Re: (Score:2)
FDISK (Score:5, Informative)
Neat little trick - NTFS permissions (Score:4, Informative)
If you are on Win9x or have FAT32 on your drive, this won't work for you... but good luck anyway.
Finally, I hate to give in, but go ahead and run the uninstaller - their malware already 0wnzors the computer you are working on, this is not likely to make it any worse...
-Jack Ash
PS: Another thing you might try is booting up one of those WinPE environments (bootable windows on a cd) floating around the net, and deleting it from there...
Re:Neat little trick - NTFS permissions (Score:1)
Also, make sure that you're not running/surfing as administrator - common sense I know, but some still do it. Assuming the malware isn't too sophisticated, this will often prevent it from getting itself fully installed (like in the Run/RunOnce registry keys). While it may still get installed, it's usually easier to get rid of if it wasn't "
Re:Neat little trick - NTFS permissions (Score:2)
More info on using NTFS permissions (Score:4, Informative)
(I do all my perm editing from the command prompt using the CACLS utility that comes with XP)
1. Instead of having to create a bogus account and deny specific users, just use the command-line switch "/D Everyone" to do the same thing. By doing this you are explicitly denying everyone access to that particular file, which gives the added benefit that Windows will not be able to start the process after a reboot! NOTE: Use this with caution! Please do NOT try to execute this command on, say, any files or directories needed for Windows to run!
2. Once you have found and edited the ACLs of the offending processes, reboot the machine. See if any other rogue processes start, and if so repeat step 1 on those.
3. All the registry entries used by the spyware will still be there, but since the reboot they can't run, i.e., you can now delete the reg entries without them coming back.
4. Once you are certain you have found and deleted all the malware entries in "Run", "RunOnce", the Startup folder, etc., re-edit the ACLs of all the malware files (you wrote them down, right?) so that you can delete them (easily done by granting Everyone Full Permission: "cacls /G Everyone:F")
5. To get rid of bogus / malware Services, do the above and then find the Services reg key (HKLM\System\CurrentControlSet\Services) and look for the malware filenames (found by viewing the properties of the service in the Services applet). NOTE: Do NOT delete random keys here...that can be rather dangerous for the stability of the system! When in doubt, leave the entry. As long as the file is safely deleted using the above methods, it should not come back. This process is only to make the malware service disappear from the Services applet.
6. The last tip I have is to use a free utility from SysInternals called RegMon. It monitors the registry hives for any process making changes. Malware and spyware are seemingly *always* making changes, which means they will be rather easy to spot. Use the Filter option liberally to filter out generic Windows processes and other known good ones. By using this method, you may find malware processes accessing the registry that DO NOT SHOW UP in Task Manager or directory listings. While these files definitely exist, they are hooked into the OS in such a way that they hide their presence. You can neither find these files in Explorer, nor using "dir" in a command prompt...but CACLS will still operate on them! (I had to use this method to clean a laptop over the weekend...12 hours of cleaning, because the girl couldn't find her WinXP Home CD, and I didn't have one laying around--irritating, to say the least.)
Now for the usual disclaimer: I am a sysadmin, I know what I'm doing, and I'm responsible for what I screw up. I am NOT responsible for your screwups though, so please be VERY careful when using the above methods...you can really hose your system if done improperly. If you feel like this is a bit too tech for you, I highly recommend SpyBot S&D and TrendMicro's HouseCall. In fact, I used both of those on that laptop along with the above methods to clean the thing entirely.
Happy malware hunting!
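An added example, not the poster's commands: the same "cacls /D Everyone" step and its reversal done from PowerShell with Get-Acl and Set-Acl, so the deny entry is added on top of the existing ACL rather than replacing it, plus a check that the entry is in place and a list of what was blocked (the "you wrote them down, right?" step). Everyone is addressed by its well-known SID S-1-1-0 rather than by name; the target path and log location are placeholders. As with cacls, the deny also applies to the account running it, so run elevated as the file's owner or after taking ownership.

```powershell
# Added example (not from the thread). Block-Everyone adds an explicit
# Deny/FullControl ACE for Everyone; Unblock-Everyone removes it and grants
# FullControl so the file can finally be deleted. Both honour -WhatIf.

$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'

function Block-Everyone {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Placeholder: where to keep the list of files to restore later.
        [string]$LogPath = (Join-Path $env:USERPROFILE 'blocked-malware-files.txt')
    )
    $acl  = Get-Acl -LiteralPath $Path
    $deny = New-Object System.Security.AccessControl.FileSystemAccessRule($EveryoneSid, 'FullControl', 'Deny')
    $acl.AddAccessRule($deny)           # appended to the existing ACL, nothing else is touched
    if ($PSCmdlet.ShouldProcess($Path, 'Add Deny-Everyone ACE')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
        Add-Content -LiteralPath $LogPath -Value $Path   # so step 4 of the post has its list
    }
}

function Test-BlockedForEveryone {
    # True if an explicit Deny ACE for Everyone is present on the file.
    param([Parameter(Mandatory)][string]$Path)
    $acl   = Get-Acl -LiteralPath $Path
    # Ask for rules keyed by SID so the check does not depend on the display name.
    $rules = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and $r.IdentityReference.Value -eq 'S-1-1-0') { return $true }
    }
    return $false
}

function Unblock-Everyone {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.PurgeAccessRules($EveryoneSid)     # drop every explicit Everyone ACE, deny and allow
    $allow = New-Object System.Security.AccessControl.FileSystemAccessRule($EveryoneSid, 'FullControl', 'Allow')
    $acl.AddAccessRule($allow)              # the post's "cacls /G Everyone:F"
    if ($PSCmdlet.ShouldProcess($Path, 'Restore Everyone FullControl')) {
        Set-Acl -LiteralPath $Path -AclObject $acl
    }
}

# Usage with a placeholder path. Try -WhatIf first to see what would change.
$target = 'C:\WINNT\suspect-placeholder.exe'
Block-Everyone -Path $target -WhatIf
Block-Everyone -Path $target
Test-BlockedForEveryone -Path $target
# ...reboot, clean the Run/RunOnce/Services entries, then:
Unblock-Everyone -Path $target
Remove-Item -LiteralPath $target
```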
Most Important Step... (Score:2, Funny)
Hate malware? (Score:1, Informative)
Re:Hate malware? (Score:3, Informative)
Another good tool is a boot cd called "Hiren's Boot Disk". It has lots of commercial software so I believe you'd have to loo
Re:Hate malware? (Score:2)
Every
Re:Hate malware? (Score:2)
If you're using Captive NTFS, however, then your way IS the best - nuke those files. Same goes for a Windows PE (BartPE or Winternals ERD Commander) boot CD.
If all else fails... (Score:2, Interesting)
Safe mode! (Score:2)
Cut/Paste into recycle bin (Score:1)
Re:Cut/Paste into recycle bin (Score:2)
Move it to the recycle bin, then restart. On startup, the file is not where it should be, so it does not run, and then you can empty the recycle bin.
Worked for me a few times.
Safe mode works too.
stopping unstoppable malware? (Score:1)
otherwise, you would need to make it stoppable first.
Re:stopping unstoppable malware? (Score:1)
Have to remember previewing first.
Title makes no sense (Score:3, Funny)
Which leads me to the next question: God is omnipotent, so I wonder, could God create a malware program that even HE could not remove? If you have a computer that is behaving badly, start it working on that problem. While it's distracted and busy trying to figure it out, WHAM, you hit it in the head, just like Captain Kirk in that M-5 episode.
Had a similar issue (Score:1)
Got rid of it with a combination of SpySubtract [intermute.com] and system restore under XP. I don't know if SpySubtract will work, but it's free for 30 days and worth a shot.
Incidentally, did you google [google.com] for some help?
HiJack this (Score:5, Informative)
This program doesn't actually detect spyware/adware/malware, but rather it shows all items that are currently loaded on your system. It does have some helpful hints as to what these items might be, but doesn't specifically tell you if something is malware. You have to be savvy enough to figure it out yourself. I've gotten rid of a few nasty progs with this helpful tool.
Re:HiJack this (Score:2)
Re:HiJack this (Score:2)
The only thing it does not find are rootkit things (yes, there is spyware with rootkit behaviour!). There is very little software to find the rootkit in windows land.
Recent tests show that even the best signature based anti spyware tools only find 90% of the bad software. MS antispy and hitman pro (last i
Preventing Spyware (Score:1, Informative)
Re:Preventing Spyware (Score:2)
Using a non-IE browser, however, is almost certainly part of the solution.
Spybot and Ad-Aware (Score:2)
I've been hit a couple times by downloading shareware with addons, or some popup that both have ignored, that leads me to a DLL/Reg hunt also.
Even microsoft's beta scanner doesn't catch them. Was wondering when someone would bring this up on Slashdot, it's been crazy.
Kill me now, I know... (Score:3, Interesting)
Experiment.... (Score:2, Interesting)
FireFox (Browser)
Avast! Home Edition (Anti-virus)
Part of my experiment was to operate as an Administrator at all times. I've been running like this for several months now, and have not encountered a single problem!
No viruses, No Spy-ware/Mal-ware, no annoying restrictions (I'm not using SP2).
Anyone else use this combination? It is by far the strongest combination I've eve
Nuke the machine. (Score:3, Insightful)
Then nuke the hard drive and start over. In my experience going through the pain of finding all of the problems is worse than finding old install disks. You can also start with a clean build of XP SP2 which makes it *much* harder to get infected.
When you image the machine, make sure you set up at least two partitions so starting over in the future is less painful.
Re:Nuke the machine. (Score:2)
Final point: Boot from Knoppix/Ubuntu/what-have-you, and back up useful data from that, not from Windoze...
--LWM
Your system is compromised... (Score:2)
Non-volatile malware?? (Score:2)
The symptoms it had when I got there were: the mouse didn't work, and various "properties" pages wouldn't come up, like "System" in the control panel did nothing, right clicking "My Computer" and clicking properties didn't work either, but clicking "Manage", and going to the device manager did work.
In there, I noticed several strange things like yellow exclamation marks on the "
Re:Non-volatile malware?? (Score:2)
Re:Non-volatile malware?? (Score:2)
Re:Non-volatile malware?? (Score:2)
Re:Non-volatile malware?? (Score:2)
What I find really interesting is that the Ubuntu live cd was running fine for two days on bad RAM, with no problems but the Windows installer couldn't handle the hype. Hehehe
Re:Non-volatile malware?? (Score:2)
Mod parent up please (Score:2)
Re:Non-volatile malware?? (Score:2)
# dd if=/dev/zero of=/dev/hda bs=1M count=100
Although I concur with using dd instead of third party programs, the gp did state that he used Maxblast to zero out the drive. Not sure how this would give different results. As far as I know dd does not have any magical drive fixing powers that I am aware of.
Re:Non-volatile malware?? (Score:2)
give up (Score:2)
Step 2: Reformat the hard drive. Reinstall. Patch, patch, and patch some more. Get the AV and anti-spyware tools in place. Reinstall applications. Restore backups.
Think of it as a test of your backup program.
All of these are good programs: (Score:3, Informative)
Microsoft Anti-Spyware
Spybot
AdAware
HijackThis
Those are 4 programs I run regularly. I usually do these in this order:
1) Update all definitions in all programs
2) Reboot to Safe Mode
3) Run Add/Remove Programs and remove any unknown programs
4) Run AdAware, remove all infected files
5) Run Spybot, remove all infected files
6) Run Anti-Spyware, remove all infected files
7) Run HijackThis, remove all non-system files (only run this if you are an expert at it)
8) Clean out Internet Explorer Cookies
9) Clean out ALL temp files
10) Clean out all unknown files in the Windows & System32 directories (again, expert only)
11) Reboot (pick safe mode again)
12) Run all of the scanners again to be sure of removal
13) Reboot into normal mode, run scanners AGAIN (to verify)
Obviously if malware comes back shortly (within 10 minutes or so) check Services (start --> run --> "services.msc") and remove any that you don't recognize.
The only piece of malware that I haven't been able to remove was a variant of CoolWebSearch. Not even CWShredder got rid of it (or even detected it) as well as all of the other cleaners.
Good luck.
Re:All of these are good programs: (Score:2)
One of these should help you out
http://www.theclairefiles.com/ms12steps.html [theclairefiles.com]
http://www.cio.com/archive/010102/shop.html [cio.com]
Re:All of these are good programs: (Score:2)
Avast! (Score:2)
A friend's computer was so badly infected with various kinds of malware that it had almost no spare cycles left for actual work.
I tried all the usual approaches, asked for help on the free PC support sites, downloaded and ran every anti-spyware that I could lay my hands on but still couldn't remove everything.
Then I removed the ineffective Norton AntiVirus from the machine and installed the free avast! 4 Home Edition [avast.com].
It restarted the machine, cleaned up everything, restarted again
Fool-proof solution (Score:3, Funny)
filemon, regmon (Score:2)
Did you turn off System Restore? (Score:2)
Bart PE (Score:4, Informative)
Re:Bart PE (Score:2)
cleaning the stubborn ones. (Score:5, Informative)
First get these. Do a google search if you don't know where to get them.
HijackThis
Microsoft Antispyware
spywareblaster
winsockfix (it's at majorgeeks if you do a google search)
First off, make a restore point. Then, if you can't get online at all, run the winsock fix, which should fix that; then install spywareblaster, update it and enable all protection.
From there, update all of your existing anti-virus/anti-spyware to the latest revisions and defs, then install Microsoft Antispyware and update it to the latest defs. The reason you want MSAS is because MSAS will start prompting about any questionable activity it detects. Make sure you set anything it considers questionable to block or remove. This will at least give you a general idea what to look for and keep the reinfection down to a point. Then in MSAS, do a full system scan. Remove everything that it finds and restart the PC in safe mode with no network.
When it boots up in safe mode, stop and keep in mind that if you open up any explorer windows you just reinfected your PC again, so make sure everything you need is on the desktop or accessible in the start menu. From there do another scan with MSAS, as well as any other anti-virus/spyware app you updated in the first part with full system scans. Then using the command prompt, delete everything in the following folders
C:\documents and settings\\local settings\temp
C:\documents and settings\\local settings\temporary internet files
C:\windows\temp
From there run hijackthis and look it over. Anything you see in there that looks questionable, you remove; in particular, startup entries going to temp folders, random named exe files, exe files in C:\windows or C:\windows\system32 and any BHO or DPF that you can't remember installing, or that has the word search, bar, smiley, sounds fishy or like it's trying to benefit something that should be ok by itself, especially if you don't have it, such as "Microsoft Antispyware Helper" (yes I saw a real nasty one using this as its name). If you are really in doubt, and have access to another machine, go to http://www.hijackthis.de/en [hijackthis.de], put the hijackthis log into it, and it will tell you what to delete and why. After you clean it up make a clean log from hijackthis and restart.
From there restart and it should be clear or relatively clear. If it's not, then run hijackthis again and compare it to the old file. It should give you clues on what to look for, but there is a good chance that your system is rootkited (something rootkitrevealer will tell you). If it is, I'd recommend a reinstall since there's no telling what's going on in the background, but if you still need to clean it the only way is to insert the hard drive into another PC and do another full anti spyware/virus scan on the drive, or use pebuilder to boot the machine into windows and do it that way.
the easier way to do this (Score:3, Informative)
The first thing I recommend is the Startup Control Panel which installs a very handy control panel. It will show you every startup that Windows has, including the registry-only ones that aren't apparent to the user. Install, run, and see what starts with the computer.
Open the Task Manager (Ctrl-Shift-Esc), and using "End Process Tree," shut off any programs that you found in the Startup Control Panel.
Then go in to the Startup Control Panel and turn off their registry entries for startup. If you've shut down the process, it won't reregister. Then you can worry about tracking down the files later.
This has never failed me, regardless of the malware. Frankly, it surprises me how reliable it is. The one other concern is maybe you end up shutting down an infected vital system process (one virus not worth mentioning that infected lsass.exe). If in the process of killing processes, the computer suddenly says it's shutting down in 30 seconds (which happens when you kill the lsass process), then hit Windows-R for a run dialogue, and type "shutdown
Re:the easier way to do this (Score:3, Insightful)
Try Broadband Reports' security forum... (Score:2)
Check the HOSTS file as well!!!!!!! (Score:2)
Re:Check the HOSTS file as well!!!!!!! (Score:2)
I know, I know, I know but seriously (Score:2)
1a. Move your precious stuff to another partition.
1b. Insert a OSS distro (FreeBSD, BeOS, Linux, Solaris x86)
I don't know many applications not found on OSS (www.freshmeat.net, sourceforge.com, www.acroread.com, openoffice.org, gimp.org, mysql, Perl/PHP, C++ compiler) that can be done reliably in place of Microsoft Windows.
I mean, I got everything I need so far, why bother with the pain of many unsecured Windows APIs?
Alas Microsoft (Score:4, Insightful)
I still have one small piece of spyware hiding somewhere that none of the above can find. It only runs when I run IE (which I very rarely do these days), pathetically raising popup windows with nothing in them! I haven't bothered to chase it down, since it isn't that much of a nuisance. But maybe I'll apply some of the tricks I learned today, just for the exercise!
Which brings me to the #1 anti-spyware measure: run Internet Explorer as little as you can!
Nothing is untouchable... (Score:2)
Re:Nothing is untouchable... (Score:2)
Re:Nothing is untouchable... (Score:2)
Re:Nothing is untouchable... (Score:2)
You're also right in wanting a varied toolset. Unfortunately, that doesn't do as much good as it should. LavaSoft has never put as much work into AdAware as they should, probably because they promised Steve Gibson that they'd always provide a free version of his invention -- which kind of removes their profit incentive. Spybot has only recently stopped
Re:Alas Microsoft (Score:2)
Removing the (almost) worst malware (Score:2)
If you went into safemode, and removed the registry entries, it would put itself right back in.
The file couldn't be deleted even in safemode because the process locked the file.
The solution was, in the end, easy:
Boot to a WinXP/2000 recovery CD, go into recovery console (DOS), delete the files from there, reboot.
Windows may complain about the lack of the files, but removing the registry entries then,
After deleting, to prevent re-infection (Score:2)
If I find the malware was in a directory like C:\Program Files\Malware\ I delete the directory and then create a file with the same name. I put some text in the file like "This is here to prevent Malware infections." and then I change the mode to be read-only and hidden.
Not perfect but it helps and I haven't seen it mentioned here.
Manual "clean", huh? (Score:2)
Files don't suddenly become sentient and rewrite themselves, so the "manual clean" you did clearly didn't actually clean it. Probably, a running or startup process stuck around to restore them.
Ideas:
1. Reboot in safe mode, and do your manual cleanup. See if it recurs in normal mode.
2. Kill as many processes as possible before running a malware cleaner.
3. Inste
Anti spyware tool (Score:2)
Stopped using IE (Score:2)
Re:Everything can be cleaned manually (Score:4, Informative)
Some spyware either is, or borders on, the definition of a rootkit [rootkit.com]. Rootkits can be detected [sysinternals.com], but there are a growing number which cannot be removed without an fdisk/format.
Re:Everything can be cleaned manually (Score:2)
Chances are though, it's a combination of DLLs in system32, registry startup commands, and IE hooks. Go through the system32 directory with a fine tooth comb, and research each DLL that seems strange on a clean computer (don't forget to search the internet as well).
Re:Everything can be cleaned manually (Score:2)
Re:blah blah blah (Score:2)
Some of my best material comes from p2p . . .
Re:This is hilarious... (Score:2)
If you'll read most of the comments, it's usually not POSTERS with the problem, but rather relatives/friends/associates/coworkers. Since I myself don't have a spyware problem, I usually find myself less than entirely equipped to deal with others' problems out of the gate due to lack of first hand experience.
Which is, you'll note, the impetus for this A
Re:MS (Score:2)