On Sat, 12 Mar 2005 18:41:03 -0800, "Mpls_Minnesota"
Thank you so much for your quick advice. I followed all of your
directions...disabled sys restore and opened in safe mode.
For malware, "safe mode" is often not safe enough.
I ran Sysclean (3hrs) and Ad-aware (15 min) however I couldn't run
Stinger (error stated a device attached to the system is not functioning).
Where were you running these from? The Stinger error could be fake,
the result of active malware detecting and blocking the cleaner.
Sysclean did detect 16 infected files and deleted them. AD aware
found a bunch of files and quaranteened them. The text file for
Sysclean has the following comments:
Could not set file for reading on c:\documents and settings\.....etc. and
also An error occurred while scanning file.
OK
All of those application files are still in my Windows directory.
Not OK. It seems they aren't known to your tools, or are active and
defeding themselves against them. This is to be expected, from raw
theory; we can't count on malware authors' cluelessness forever.
I could access them pretty quick in safe mode, however I couldn't
delete them because I'm still getting the message that a program
running is using the file....
Sure. The malware just has to run; Windows will protect them as "in
use" without the malware having to do anything further. What the
malware would have to do, is protect its in-memory process(es) from
being terminated by av tools, or by you via Task Manager.
The latter can be done in various ways; running as a service so they
don't show up as applications, running a tweedle-dee/tweedle-dum pair
of threads that relaunch each other (Task Manager can't multi-select,
right?) or doing deeper rootkit stuff to redefine "Task Manager".
But I cannot see any program using them.
As above.
Not sure if you have anymore suggestions
What I'd do is create a Bart PE bootable CDR on another, "known"-clean
PC. Then I'd copy a freshly-downloaded Trend SysClean and related
data, as well as any other tools you want to use, to a USB stick (once
again, doing this from a "known"-clean PC). Then I'd write-protect the
USB stick, stick it into the infected PC, drop the Bart PE CDR in the
CD drive, and switch it on. First, I'd stop off in CMOS to ensure CD
drive is visible and I'd select that as the boot drive.
Then Bart would boot, and because the USB stick is present at boot, it
will see that too. I'd then copy the files from USB to HD and run my
tools. When done, I might use the FC (Filke Compare) command to check
these against those on the write-protected stick to make sure they
were not altered by malware. I'd work from Cmd (command line) mainly,
at least until the scans were done.
Another option is to use Knoppix boot CDR and Linux av scanners, but
that requires knowledge of Linux and faith in Linux's ability to write
safely to NTFS. I have neither.
If FATxx not NTFS, I'd use DOS-based av from DOS diskette boot to scan
for malware. Can't do that if NTFS, though.
Finally, onbe can drop the HD into another XP system and scan it that
way. This is "easy" but carries the risk of infecting the host, as
well as the host infecting the HD of course.
In all of these cases, you may well have to manually clean up
integration references within the registry - because in all cases, the
OS either isn't registry-aware (DOS mode, Linux) or sees the "wrong"
(host) registry (Bart's PE, hosted scanning). In the latter case, you
can bind the HD's registry hives via RegEdit and check them that way;
geeky stuff, but at least it's possible.
Best (safest) practice is not to blindly delete the malware, but to
get a malware name (as opposed to a meaningless file name) and then
read up for caveats first, before cleaning it up.
-------------------- ----- ---- --- -- - - - -
Running Windows-based av to kill active malware is like striking
a match to see if what you are standing in is water or petrol.
