Feature Request

Bryan Wiegand

Hello all,

I don't know exactly where this thread really belongs, but
I suppose you can point me in the correct direction.

Some of the more recent malware infections load
themselves as DLL Modules into Memory. This makes them
very hard to kill. One malware in particular will load
itself with a new file name upon every reboot!

The new Microsoft AntiSpyware should also have a window
in the System Explorer in Advanced Tools to list the
Running Modules, much like the existing 'Running
Processes' already does.

There should also (Not sure if AntiSpyware alone could do
this, or some changes in Windows itself) be a way to End
Modules or Remove a running Module from Memory, so it can
be deleted without constant reboots. Like I said earlier,
some of these new malware infections load themselves as
DLL Modules, protect their Registry entries (they remake
an entry you delete), make copies of themselves with
differing file names, and load one of those variations
on every boot.

The ability to have more control over running Modules
would be a great blow to this particular infection.

If more technical information is needed about the
particular infections I'm referring to, it can be
provided.

Suffice it to say, this is my feature request:
A List of Running Modules (Just like the list in the
System Information Tool)
A way to End running Modules just like you end a running
Executable.

Well, that's my input. Let me know what you all think, or
where I should properly contact to make the feature
request.

Bryan Wiegand
The Unknown P

I'm a little confused as to what exactly you are
referring. There already is a way to end modules, it's
called "Task Manager". You can also get free tools like
Process Explorer from www.sysinternals.com, that will list
all running processes and their various modules and dll's
as well as give you the option to end the process and its
related dll's. XP also has "safe" mode so that these
programs are not loaded, only the default windows "needed"
processes and modules are loaded. You can then find and
remove any offending software. You can also remove any reg
entries and reset the reg without rebooting by simply
opening the task manager and ending the explorer process,
and leaving the task manager open you then click file\new
task(run)--- and then type in explorer and hit enter on
your keyboard or OK below the run line. That resets the
desktop for you. TTFN.
Guest

Good Questions!

Check this Thread at TechSupportForums:
http://www.techsupportforum.com/showthread.php?p=131153&posted=1#post131153
for one example of this type
Malware Infection. It makes changes in the hosts file,
causes specific pop-ups, and loads itself with new names
every boot. Often accompanied with this infection are
other infections that make changes to the LSPs and such.

This particular Malware infection will load itself as
DLL's into memory bound to various Windows system
processes. In one case even in the form of an EXE! These
processes can not be ended, and therefore modules not
directly deleted. And I'm not talking about things like
explorer.exe. I mean system processes such as winlogon,
that load even in Safe-Mode certain start-up Modules from
the registry
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon\Notify) and are protected from
being ended. I have tried ending winlogon.exe task
particularly in Safe-Mode with Special Tools, but the
task is automatically restarted. <-- I had to go a round
about way to delete those files.

This kind of infection also will recreate the registry
entries that cause it to run on boot as you delete them.

This kind of infection also is loaded when you boot into
Safe-Mode!

To remove it is a long and drawn out task of booting into
safe-mode, then booting into normal mode performing some
actions that require great accuracy. If you fail, the
DLL's reload themselves on reboot under new names,
causing you to have to rediagnose the files names you
have to delete.

How many users in General know how to do just those 3
simple things? Load Safe Mode, End some Processes, delete
some files, load to Normal Mode, end some certain tasks,
edit the registry, and delete certain files?! Easy for me
and you, sure.

In order for the Microsoft AntiSpyware to remove just
this one infection, it will need to have better control
of ending or removing a loaded module from memory,
*without having to end the associated process*. This
would at least make the whole Task much simpler for the
program to remove it.

Does this answer your question? Is there a way to do
this that I am not aware of? I did research for days to
unload a DLL from Memory without ending the process
associated with it, but I came up empty.

Let me know what you come up with.

Bryan Wiegand
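An added example, not from this thread or from Microsoft AntiSpyware: a PowerShell audit script that reconciles the Winlogon\Notify registry key described above with the modules actually mapped into winlogon.exe (the per-process module list The Unknown P points to in Process Explorer). It assumes an elevated session on a Windows XP/2003-era system, since later Windows versions dropped the Notify key; the "suspect" heuristics (file missing, outside System32, no valid Authenticode signature) are my own assumptions, not the product's.

```powershell
# Added example (not from the thread): compare what the Winlogon\Notify key
# tells winlogon to load with what is actually mapped into winlogon.exe.
# Run elevated. Assumption: "suspect" = missing file, path outside System32,
# or no valid Authenticode signature (catalog-only signing may also trip this).

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-WinlogonNotifyDlls {
    # Each subkey of Notify is a package; its DLLName value is what winlogon loads.
    if (-not (Test-Path $notifyKey)) { return @() }
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        if (-not $dll) { return }
        # A bare file name is resolved relative to System32 by winlogon.
        if (-not [System.IO.Path]::IsPathRooted($dll)) { $dll = Join-Path $system32 $dll }
        [pscustomobject]@{ Package = $_.PSChildName; Path = $dll }
    }
}

function Test-SuspiciousDll {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return 'file missing' }
    $dir = Split-Path $Path -Parent
    if ($dir -ne $system32) { return "outside System32 ($dir)" }
    $sig = Get-AuthenticodeSignature $Path
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status)" }
    return $null
}

# 1. Registry view: the packages winlogon is configured to load at logon.
foreach ($entry in Get-WinlogonNotifyDlls) {
    $why  = Test-SuspiciousDll $entry.Path
    $flag = if ($why) { "SUSPECT ($why)" } else { 'ok' }
    '{0,-20} {1,-60} {2}' -f $entry.Package, $entry.Path, $flag
}

# 2. Memory view: every module currently mapped into winlogon.exe, so a DLL
#    that renamed itself since the last boot still shows up here.
foreach ($p in Get-Process -Name winlogon -ErrorAction SilentlyContinue) {
    foreach ($m in $p.Modules) {
        $why = Test-SuspiciousDll $m.FileName
        if ($why) { 'winlogon PID {0}: {1} -> SUSPECT ({2})' -f $p.Id, $m.FileName, $why }
    }
}
```

A package that appears in the registry view but whose DLL is not in the memory view (or vice versa) is the kind of discrepancy worth recording before rebooting, since the thread notes the file name changes on every boot.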
Bill Sanderson

Getting a Tools, suspected spyware report
from a machine with such an infection might be useful.
Guest

Hey Mr. Sanderson,

I can get past logs if you need. I have no computers
currently infected right now, I have already cleaned them.

Had to do it manually though, neither SpyBot nor Ad-Aware can
currently successfully remove these type infections.

Here are some references and their logs, and solutions to
the malware infection I speak of. You will see why it
becomes so complicated just to delete these small DLLs.

http://www.techsupportforum.com/showthread.php?t=27264

http://www.techsupportforum.com/showthread.php?t=27687

http://www.techsupportforum.com/showthread.php?t=30394

http://www.techsupportforum.com/showthread.php?t=32939

http://www.techsupportforum.com/showthread.php?t=32237

From the instructions provided by the techs in these
threads, you can see how complicated and time consuming
it is to manually remove this infection.

One of the things that makes it inconvenient is that it
loads as a DLL with winlogon.exe every time you boot, and
it changes names every boot. Take a look.

Not even Ad-Aware or Spy-Bot can yet kill this thing
automatically.

Be sure to take a look specifically at the instructions
the techs there provide to remove it, you'll see the
commonalities to removing it. It's not a simple task, and
if you don't know what you're looking for, it's even more
complicated to locate this self renaming bug.

Now all we got to do is make Microsoft AntiSpyware kill
it.

Let me know how else I can be helpful.
Bryan Wiegand
Bill Sanderson

I know they are tough to remove--I've done it myself a few times, and
without the instruction manual.

You can bet that the folks at Microsoft know about these bugs and are
actively working on providing the technology to get rid of them--the active
agents in the current product should prevent these things from getting
started in most cases.

Reports from infected machines--particularly if it turns out to be something
new or changed, are what will keep this product effective as the spyware
mutates to avoid detection.
Bryan Wiegand

And being effective in this case is what I was thinking
of in my feature requests.

With the Microsoft AntiSpyware able to provide a list of
loaded Modules one can track better the different types
of spyware running on the system, and certain things about
how they run.

With also the capacity to delete at least these DLL files
without some special boot up procedures it becomes much
easier to maintain a clean computer. Just imagine if
someone had this idea but for a Virus! It becomes even
more imperative in order to keep a *secure* computer.

Bryan Wiegand
Bill Sanderson

And thanks for that request--Microsoft does read these messages, although
they respond to very few.