Focus on Microsoft
Thread index (title - date - author - replies):

  More along the lines of malware disinfection - Mar 18 2008 01:33PM - Mike Moratz-Coppins (mike mikeymike org uk) - 3 replies
  RE: More along the lines of malware disinfection - Mar 18 2008 06:08PM - Express Web Systems, Inc. (mailinglist expresshosting net) - 1 reply
  Re: More along the lines of malware disinfection - Mar 18 2008 06:28PM - Mike Moratz-Coppins (mike mikeymike org uk) - 1 reply
  RE: More along the lines of malware disinfection - Mar 28 2008 01:46AM - Murda Mcloud (murdamcloud bigpond com)
  Re: More along the lines of malware disinfection - Mar 18 2008 05:46PM - Jon R. Kibler (Jon Kibler aset com) - 3 replies
  RE: More along the lines of malware disinfection - Mar 18 2008 07:57PM - Wayne S. Anderson (wfrazee wynweb net) - 2 replies
  Re: More along the lines of malware disinfection - Mar 18 2008 08:56PM - Mike Moratz-Coppins (mike mikeymike org uk) - 3 replies
  Re: More along the lines of malware disinfection - Mar 19 2008 04:03PM - Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) - 1 reply
  Re: More along the lines of malware disinfection - Mar 19 2008 05:31PM - Mike Moratz-Coppins (mike mikeymike org uk) - 2 replies
  Re: More along the lines of malware disinfection - Mar 20 2008 09:21AM - Vincent Archer (archer tms frmug org)
  Re: More along the lines of malware disinfection - Mar 19 2008 08:33PM - Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) - 2 replies
  RE: More along the lines of malware disinfection - Mar 19 2008 11:21PM - Mark Brunner (mark_brunner hotmail com) - 1 reply
  RE: More along the lines of malware disinfection - Mar 28 2008 02:22AM - Murda Mcloud (murdamcloud bigpond com)
  Re: More along the lines of malware disinfection - Mar 19 2008 09:12PM - Mike Moratz-Coppins (mike mikeymike org uk) - 3 replies
  RE: More along the lines of malware disinfection - Mar 20 2008 08:34AM - John Lightfoot (jlightfoot gmail com) - 1 reply
  Re: More along the lines of malware disinfection - Mar 20 2008 04:54PM - Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) - 1 reply
  Re: More along the lines of malware disinfection - Mar 20 2008 12:41AM - Geekwench (geekwench hotmail com)
  RE: More along the lines of malware disinfection - Mar 18 2008 11:55PM - Devin Ganger (DevinG 3sharp com)
  RE: More along the lines of malware disinfection - Mar 18 2008 11:31PM - Wayne S. Anderson (wfrazee wynweb net)
  Re: More along the lines of malware disinfection - Mar 18 2008 06:26PM - Mike Moratz-Coppins (mike mikeymike org uk) - 2 replies
  RE: More along the lines of malware disinfection - Mar 19 2008 01:39PM - Devin Ganger (DevinG 3sharp com)
  Re: More along the lines of malware disinfection - Mar 18 2008 09:51PM - Colin Copley (colin 75 btinternet com) - 1 reply
  RE: More along the lines of malware disinfection - Mar 28 2008 01:55AM - Murda Mcloud (murdamcloud bigpond com)
--
Devin L. Ganger, Exchange MVP
3Sharp
14700 NE 95th Suite 210
Redmond, WA 98052
Email: deving (at) 3sharp (dot) com
Phone: 425.882.1032
Cell: 425.239.2575
Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com
> [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Mike Moratz-Coppins
> Sent: Tuesday, March 18, 2008 6:33 AM
> To: focus-ms (at) securityfocus (dot) com
> Subject: More along the lines of malware disinfection
>
> I thought I would ask this considering the level of response I had on
> the last thread I started, in the hope that someone might suggest a
> technique for this problem.
>
> When removing malware of one sort or another, I have had the situation
> quite a few times where a dodgy dll/exe couldn't be removed/renamed in
> normal or any safe mode, and attempts to remove its links from the
> registry to stop it from starting result in the malware recreating those
> links instantly (for example, a bit of malware inserts itself into the
> winlogon notify list). Normally I will boot off the XP CD to the
> recovery console and rename the offending file(s) there, however, the
> Windows XP recovery console does not allow you into the "Documents and
> Settings" folder (access denied), and I have had it once or twice where
> a bit of malware is stored inside that directory structure and has full
> privs on the system.
>
> On one occasion I tried inserting an extra command into the session
> manager's BootExecute key, just telling it to delete the file in
> question. Admittedly I was hastily trying multiple strategies, so I
> don't know whether this particular strategy worked, but I doubt it did
> since the delete command is stored in cmd.exe. Perhaps a batch file
> could have done it but I doubt that the BootExecute system would allow
> commands to spawn other processes.
>
> Anyway, any ideas, as I probably will come up against this scenario
> again :)
>
>
> --
> Mike Moratz-Coppins
> mike (at) mikeymike.org (dot) uk
> http://www.mikeymike.org.uk/
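The quoted question names two persistence points that are worth checking before any cleanup is attempted: the Winlogon Notify subkeys and the Session Manager BootExecute value. The script below is an added example, not code from the thread or from any of its posters: it enumerates both locations and flags entries that fall outside a simple baseline, so the state of the machine is recorded before anything is renamed or deleted. The two registry paths are the real ones; the baseline BootExecute value (the stock autochk line) and the "outside %windir%" heuristic for Notify DLLs are assumptions made for this example, and the Notify key only exists on Windows XP/2003-era systems, so the script tolerates its absence.

```powershell
# Added audit script (not from the original thread). It lists the two
# autostart locations the question mentions, the Winlogon Notify subkeys
# and the Session Manager BootExecute value, and flags entries that do
# not fit a simple baseline. Run from an elevated PowerShell prompt.
# The baseline and the "outside %windir%" heuristic are assumptions.

$winlogonNotify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# Assumed baseline: a stock BootExecute holds only the autochk entry.
$expectedBootExecute = @('autocheck autochk *')

function Test-OutsideWindowsDir {
    # True when a DLL reference resolves to a location outside %windir%,
    # e.g. under a user profile, as in the case described in the thread.
    param([string]$DllRef)
    if (-not $DllRef) { return $false }
    $path = [Environment]::ExpandEnvironmentVariables($DllRef)
    # Winlogon loads a bare file name from system32, so resolve it there.
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path (Join-Path $env:windir 'system32') $path
    }
    $windir = $env:windir.TrimEnd([char]'\') + '\'
    return -not $path.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
}

function Get-WinlogonNotifyEntries {
    # One object per Notify subkey; DLLName is the value winlogon loads.
    if (-not (Test-Path $winlogonNotify)) { return @() }
    foreach ($key in Get-ChildItem $winlogonNotify) {
        $dll = (Get-ItemProperty $key.PSPath).DLLName
        New-Object PSObject -Property @{
            Subkey  = $key.PSChildName
            DLLName = $dll
            Flagged = Test-OutsideWindowsDir $dll
        }
    }
}

function Get-BootExecuteEntries {
    # BootExecute is REG_MULTI_SZ; each element is one native-mode program line.
    $value = (Get-ItemProperty $sessionManager -Name BootExecute -ErrorAction SilentlyContinue).BootExecute
    foreach ($entry in @($value)) {
        if (-not $entry) { continue }
        New-Object PSObject -Property @{
            Entry   = $entry
            Flagged = ($expectedBootExecute -notcontains $entry)
        }
    }
}

'Winlogon Notify entries:'
Get-WinlogonNotifyEntries | Format-Table Subkey, DLLName, Flagged -AutoSize
'Session Manager BootExecute entries:'
Get-BootExecuteEntries | Format-Table Entry, Flagged -AutoSize

$flagged = @(Get-WinlogonNotifyEntries | Where-Object { $_.Flagged }) +
           @(Get-BootExecuteEntries | Where-Object { $_.Flagged })
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} entr(ies) outside the baseline; verify each before changing it." -f $flagged.Count)
}
```

A flagged entry is a lead, not a verdict: compare the referenced file against a known-good copy or a vendor hash before acting on it, and keep the listing as part of the incident record so the re-created registry links the question describes can be spotted on a second run.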