My experience is that if the malware has its hooks into the system that far, it's quicker and less painless to just wipe the system. I can never trust, from that point on, that I've gotten everything out of the system. With malware like that, it's like trying to rip blackberry bushes out of your garden -- make damn sure you've gotten every fragment of every root out of the ground, or you're going to be seeing it again soon.
--
Devin L. Ganger, Exchange MVP
3Sharp
14700 NE 95th Suite 210
Redmond, WA 98052
Email: [EMAIL PROTECTED]
Phone: 425.882.1032
Cell: 425.239.2575
Fax: 425.558.5710
(e)Mail Insecurity: http://blogs.3sharp.com/blog/deving/

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Moratz-Coppins
> Sent: Tuesday, March 18, 2008 6:33 AM
> To: [email protected]
> Subject: More along the lines of malware disinfection
>
> I thought I would ask this considering the level of response I had on the last thread I started, in the hope that someone might suggest a technique for this problem.
>
> When removing malware of one sort or another, I have had the situation quite a few times where a dodgy dll/exe couldn't be removed/renamed in normal or any safe mode, and attempts to remove its links from the registry to stop it from starting result in the malware recreating those links instantly (for example, a bit of malware inserts itself into the winlogon notify list). Normally I will boot off the XP CD to the recovery console and rename the offending file(s) there; however, the Windows XP recovery console does not allow you into the "Documents and Settings" folder (access denied), and I have had it once or twice where a bit of malware is stored inside that directory structure and has full privs on the system.
>
> On one occasion I tried inserting an extra command into the session manager's BootExecute key, just telling it to delete the file in question. Admittedly I was hastily trying multiple strategies, so I don't know whether this particular strategy worked, but I doubt it did since the delete command is stored in cmd.exe. Perhaps a batch file could have done it, but I doubt that the BootExecute system would allow commands to spawn other processes.
>
> Anyway, any ideas, as I probably will come up against this scenario again :)
>
> --
> Mike Moratz-Coppins
> [EMAIL PROTECTED]
> http://www.mikeymike.org.uk/
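As a read-only triage aid for the two persistence points Mike names (the Winlogon Notify packages and the Session Manager BootExecute list), here is an added PowerShell example that is not part of the thread; it lists both locations and flags entries outside a baseline. The baseline lists are my assumption for a default Windows XP install, so confirm them against a known-clean machine.

```powershell
# Added example, not from the thread. Read-only triage of the two
# persistence points discussed above: Winlogon Notify packages and the
# Session Manager BootExecute list. Run in an elevated PowerShell.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$SmKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# ASSUMED baseline for a default Windows XP install; confirm on a clean box.
$KnownNotify      = 'crypt32chain','cryptnet','cscdll','ScCertProp',
                    'Schedule','sclgntfy','SensLogn','termsrv','wlballoon'
$KnownBootExecute = 'autocheck autochk *'

function Get-PersistenceFindings {
    $findings = @()

    # 1. Each Notify subkey names a DLL that winlogon loads and calls on
    #    logon/logoff events, which is why it survives safe mode.
    if (Test-Path $NotifyKey) {
        foreach ($sub in Get-ChildItem $NotifyKey) {
            $name = $sub.PSChildName
            $dll  = [string](Get-ItemProperty $sub.PSPath).DllName
            $full = [Environment]::ExpandEnvironmentVariables($dll)
            $why  = $null
            if ($KnownNotify -notcontains $name) { $why = 'not in baseline' }
            # A DLL given with a path outside system32 (e.g. under the user
            # profile tree) is suspicious even if the subkey name looks familiar.
            elseif ($full -match '\\' -and
                    $full -notlike "$env:SystemRoot\system32\*") {
                $why = 'DLL outside system32'
            }
            if ($why) {
                $findings += [pscustomobject]@{
                    Location = 'Winlogon\Notify'; Entry = $name; Value = $dll; Why = $why
                }
            }
        }
    }

    # 2. BootExecute is REG_MULTI_SZ; smss runs each entry before Win32 starts.
    $boot = (Get-ItemProperty $SmKey).BootExecute
    foreach ($entry in @($boot)) {
        if ($KnownBootExecute -notcontains $entry) {
            $findings += [pscustomobject]@{
                Location = 'BootExecute'; Entry = $entry; Value = ''; Why = 'not in baseline'
            }
        }
    }
    return $findings
}

Get-PersistenceFindings | Format-Table -AutoSize
```

An empty table means both locations match the baseline; anything listed is a candidate to investigate offline, which fits Devin's point that a wipe is the safe endpoint once persistence sits this deep.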
