Focus on Microsoft
More along the lines of malware disinfection Mar 18 2008 01:33PM
Mike Moratz-Coppins (mike mikeymike org uk)
I thought I would ask this considering the level of response I had on
the last thread I started, in the hope that someone might suggest a
technique for this problem.

When removing malware of one sort or another, I have had the situation
quite a few times where a dodgy dll/exe couldn't be removed/renamed in
normal or any safe mode, and attempts to remove its links from the
registry to stop it from starting result in the malware recreating those
links instantly (for example, a bit of malware inserts itself into the
winlogon notify list). Normally I will boot off the XP CD to the
recovery console and rename the offending file(s) there, however, the
Windows XP recovery console does not allow you into the "Documents and
Settings" folder (access denied), and I have had it once or twice where
a bit of malware is stored inside that directory structure and has full
privs on the system.

On one occasion I tried inserting an extra command into the session
manager's BootExecute key, just telling it to delete the file in
question. Admittedly I was hastily trying multiple strategies, so I
don't know whether this particular strategy worked, but I doubt it did
since the delete command is stored in cmd.exe. Perhaps a batch file
could have done it but I doubt that the BootExecute system would allow
commands to spawn other processes.

Anyway, any ideas, as I probably will come up against this scenario again :)

Mike Moratz-Coppins
mike (at) (dot) uk [email concealed]

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus