Focus on Microsoft
More along the lines of malware disinfection Mar 18 2008 01:33PM
Mike Moratz-Coppins (mike mikeymike org uk) (3 replies)
RE: More along the lines of malware disinfection Mar 18 2008 06:08PM
Express Web Systems, Inc. (mailinglist expresshosting net) (1 replies)
> I thought I would ask this considering the level of response
> I had on the last thread I started, in the hope that someone
> might suggest a technique for this problem.
>
> When removing malware of one sort or another, I have had the
> situation quite a few times where a dodgy dll/exe couldn't be
> removed/renamed in normal or any safe mode, and attempts to
> remove its links from the registry to stop it from starting
> result in the malware recreating those links instantly (for
> example, a bit of malware inserts itself into the winlogon
> notify list). Normally I will boot off the XP CD to the
> recovery console and rename the offending file(s) there,
> however, the Windows XP recovery console does not allow you
> into the "Documents and Settings" folder (access denied), and
> I have had it once or twice where a bit of malware is stored
> inside that directory structure and has full privs on the system.
>
> On one occasion I tried inserting an extra command into the
> session manager's BootExecute key, just telling it to delete
> the file in question. Admittedly I was hastily trying
> multiple strategies, so I don't know whether this particular
> strategy worked, but I doubt it did since the delete command
> is stored in cmd.exe. Perhaps a batch file could have done
> it but I doubt that the BootExecute system would allow
> commands to spawn other processes.
>
> Anyway, any ideas, as I probably will come up against this
> scenario again :)

I have had the misfortune of having to remove several rootkits from Windows
2003 servers in the past. I know it isn't exactly what you are referring to,
but the concepts are generally the same.

Most likely you were dealing with onboot services that are hooking into the
Windows API to hide themselves from Windows all together. What you need to
do is get a listing of onboot services, and start looking at which ones are
not properly signed (most onboot services will be properly signed by a
reputable company i.e. MS, Adobe, etc). I recall that I used HiJackThis to
get me a list of the onboot services, and then looked at each of them to
verify that they were legit.

Armed with this list of "questionable" services you can boot into the
recovery console and run "disable <service>" to remove the services.

The problem with accessing the "Documents and Settings" folder is a tough
one to crack, as I didn't have to deal with it in my instance (the files
were located in a hidden directory in C:\Windows\). You might want to try
liveCD that supports reading and writing to NTFS (if they are using NTFS, or
if you are lucky, just access the drive via FAT32).

As a different avenue of approach, maybe you can accomplish something with
BartPE. That would allow you to boot into windows and run various apps
independent of the compromised OS.

Good luck,

Tom Walsh
Express Web Systems, Inc.
http://www.expresswebsystems.com/

[ reply ]
Re: More along the lines of malware disinfection Mar 18 2008 06:28PM
Mike Moratz-Coppins (mike mikeymike org uk) (1 replies)
RE: More along the lines of malware disinfection Mar 28 2008 01:46AM
Murda Mcloud (murdamcloud bigpond com)
RE: More along the lines of malware disinfection Mar 18 2008 05:46PM
Devin Ganger (DevinG 3sharp com)
Re: More along the lines of malware disinfection Mar 18 2008 05:46PM
Jon R. Kibler (Jon Kibler aset com) (3 replies)
RE: More along the lines of malware disinfection Mar 18 2008 07:57PM
Wayne S. Anderson (wfrazee wynweb net) (2 replies)
RE: More along the lines of malware disinfection Mar 18 2008 09:07PM
Monahan, Jim (MONAHAJ ccf org)
Re: More along the lines of malware disinfection Mar 18 2008 08:56PM
Mike Moratz-Coppins (mike mikeymike org uk) (3 replies)
Re: More along the lines of malware disinfection Mar 19 2008 04:03PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: More along the lines of malware disinfection Mar 19 2008 05:31PM
Mike Moratz-Coppins (mike mikeymike org uk) (2 replies)
Re: More along the lines of malware disinfection Mar 20 2008 09:21AM
Vincent Archer (archer tms frmug org)
Re: More along the lines of malware disinfection Mar 19 2008 08:33PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (2 replies)
RE: More along the lines of malware disinfection Mar 19 2008 11:21PM
Mark Brunner (mark_brunner hotmail com) (1 replies)
RE: More along the lines of malware disinfection Mar 28 2008 02:22AM
Murda Mcloud (murdamcloud bigpond com)
Re: More along the lines of malware disinfection Mar 19 2008 09:12PM
Mike Moratz-Coppins (mike mikeymike org uk) (3 replies)
Re: More along the lines of malware disinfection Mar 23 2008 01:06AM
pinowudi (pinowudi gmail com)
RE: More along the lines of malware disinfection Mar 20 2008 08:34AM
John Lightfoot (jlightfoot gmail com) (1 replies)
Re: More along the lines of malware disinfection Mar 20 2008 04:54PM
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net) (1 replies)
Re: More along the lines of malware disinfection Mar 23 2008 04:26AM
pinowudi (pinowudi gmail com)
Re: More along the lines of malware disinfection Mar 20 2008 12:41AM
Geekwench (geekwench hotmail com)
RE: More along the lines of malware disinfection Mar 18 2008 11:55PM
Devin Ganger (DevinG 3sharp com)
RE: More along the lines of malware disinfection Mar 18 2008 11:31PM
Wayne S. Anderson (wfrazee wynweb net)
Re: More along the lines of malware disinfection Mar 18 2008 07:26PM
M Lists (m-lists lucretia ca)
Re: More along the lines of malware disinfection Mar 18 2008 06:26PM
Mike Moratz-Coppins (mike mikeymike org uk) (2 replies)
RE: More along the lines of malware disinfection Mar 19 2008 01:39PM
Devin Ganger (DevinG 3sharp com)
Re: More along the lines of malware disinfection Mar 18 2008 09:51PM
Colin Copley (colin 75 btinternet com) (1 replies)
RE: More along the lines of malware disinfection Mar 28 2008 01:55AM
Murda Mcloud (murdamcloud bigpond com)


 

Privacy Statement
Copyright 2010, SecurityFocus