Author Topic: malware from hell (calling geeks)  (Read 1074 times)

Tallpine

  • friends
  • Senior Member
  • ***
  • Posts: 23,172
  • Grumpy Old Grandpa
malware from hell (calling geeks)
« on: August 13, 2006, 11:23:05 PM »
I can usually deal with these things ... we had a bunch of adware/malware on my wife's pc a year or so back - all the recommended cleaners didn't get it all, and I finally did it myself by editing the "run" registry and then killing the power immediately before the intruder could reinsert itself. (then deleting the malicious exe files after rebooting)

But this one on my PC is re-inserting the registry entry several times per second, so I haven't beaten it to the draw yet.

On top of that, the Task Manager is disabled so I can't kill a process.

It's a DLL that apparently is still running even in Safe Mode (DOS prompt).

Any ideas besides just buying a new PC? (This one is old enough that the work of reinstalling everything probably isn't worth it.)
Freedom is a heavy load, a great and strange burden for the spirit to undertake. It is not easy. It is not a gift given, but a choice made, and the choice may be a hard one. The road goes upward toward the light; but the laden traveller may never reach the end of it.  - Ursula Le Guin

charby

  • Necromancer
  • Administrator
  • Senior Member
  • *****
  • Posts: 29,295
  • APS's Resident Sikh/Muslim
malware from hell (calling geeks)
« Reply #1 on: August 14, 2006, 04:43:09 AM »
Google it if you have the name of the said malware.

I deal with the nasty things on a daily basis, and when I can't get rid of them using Ad-Aware/Spybot/your flavor of anti-spyware program, I google and check the geek boards. There are so many fixes out there and cool little programs that fix specific spyware/malware issues.

-C
Iowa - 88% more livable than the rest of the US

Uranus is a gas giant.

Team 444: Member# 536

Harold Tuttle

  • Professor Chromedome
  • friend
  • Senior Member
  • ***
  • Posts: 8,069
malware from hell (calling geeks)
« Reply #2 on: August 14, 2006, 04:51:23 AM »
http://www.eweek.com/article2/0,1895,1945808,00.asp

Microsoft Says Recovery from Malware Becoming Impossible
By Ryan Naraine
April 4, 2006   


LAKE BUENA VISTA, Fla. In a rare discussion about the severity of the Windows malware scourge, a Microsoft security official said businesses should consider investing in an automated process to wipe hard drives and reinstall operating systems as a practical way to recover from malware infestation.

"When you are dealing with rootkits and some advanced spyware programs, the only solution is to rebuild from scratch. In some cases, there really is no way to recover without nuking the systems from orbit," Mike Danseglio, program manager in the Security Solutions group at Microsoft, said in a presentation at the InfoSec World conference here.

Offensive rootkits, which are used to hide malware programs and maintain an undetectable presence on an infected machine, have become the weapon of choice for virus and spyware writers and, because they often use kernel hooks to avoid detection, Danseglio said IT administrators may never know if all traces of a rootkit have been successfully removed.

continues...
"The true mad scientist does not make public appearances! He does not wear the "Hello, my name is.." badge!
He strikes from below like a viper or on high like a penny dropped from the tallest building around!
He only has one purpose--Do bad things to good people! Mit science! What good is science if no one gets hurt?!"

Brian Williams

  • friend
  • Member
  • ***
  • Posts: 183
  • I want one of these
malware from hell (calling geeks)
« Reply #3 on: August 14, 2006, 04:52:41 AM »
Get a boot disk image from bootdisk.com and put regedit on it. Then clean the registry from a clean floppy or CD boot; make sure you use the same operating system. Then, with a clean registry, kill the DLLs and reboot.
Brian
<><
:)

Guest

  • Guest
malware from hell (calling geeks)
« Reply #4 on: August 14, 2006, 04:53:21 AM »
Cyber Tech Home: http://www.cybertechhelp.com/

Forums here: http://www.cybertechhelp.com/forums/

Has assisted me and others with various problems.

I am not at the level many of you are.

I have sent many friends to CTH -
running HijackThis and having someone on the forum "read" the results, then offering steps, has worked great!

Tallpine

  • friends
  • Senior Member
  • ***
  • Posts: 23,172
  • Grumpy Old Grandpa
malware from hell (calling geeks)
« Reply #5 on: August 14, 2006, 06:40:37 AM »
okay, thanks ... I will check out those links

In this case, I have identified the culprit - I just can't kill the SOB. (Well, unless there is something else that I don't see...?)

It's a file named "ping.dll" and the registry entry is in:
"Software\Microsoft\Windows NT\CurrentVersion\Windows" (this is Win2K, btw)

along with a few parameters like "TransmissionRetryTimeout" - I dunno how critical those are to rebooting, or else I would just try to delete/rename that registry folder.

There were a whole bunch of other exe files that I deleted from Safe Mode so they couldn't run on the next boot, but this "ping.dll" cannot be deleted because it is running even in Safe Mode.

I can pretty much tell by the dates which exe files are malicious, because I haven't installed anything in a while.

If anyone has any experience with that ping.dll, please let me know........

Brad Johnson

  • friend
  • Senior Member
  • ***
  • Posts: 18,083
  • Witty, charming, handsome, and completely insane.
malware from hell (calling geeks)
« Reply #6 on: August 14, 2006, 06:44:51 AM »
I presume you've tried booting to Safe Mode and deleting it that way.

Have you tried booting to a disk and digging around manually? If you know DOS commands, boot from disk to a system prompt and delete the offending bug the old fashioned way.

Brad
It's all about the pancakes, people.
"And he thought cops wouldn't chase... a STOLEN DONUT TRUCK???? That would be like Willie Nelson ignoring a pickup full of weed."
-HankB

Tallpine

  • friends
  • Senior Member
  • ***
  • Posts: 23,172
  • Grumpy Old Grandpa
malware from hell (calling geeks)
« Reply #7 on: August 14, 2006, 07:03:30 AM »
Quote from: Brad Johnson
I presume you've tried booting to Safe Mode and deleting it that way.

Have you tried booting to a disk and digging around manually? If you know DOS commands, boot from disk to a system prompt and delete the offending bug the old fashioned way.

Brad
1) Yes, in the Safe Mode DOS prompt the offending DLL is still running / cannot be deleted.

2) Thanks, I finally found my Win2K CD and will try that...

Harold Tuttle

  • Professor Chromedome
  • friend
  • Senior Member
  • ***
  • Posts: 8,069
malware from hell (calling geeks)
« Reply #8 on: August 14, 2006, 07:38:54 AM »
A new attack method: on boot it makes an invisible RAM disk and runs the attack from there.

Tallpine

  • friends
  • Senior Member
  • ***
  • Posts: 23,172
  • Grumpy Old Grandpa
malware from hell (calling geeks)
« Reply #9 on: August 14, 2006, 07:49:56 AM »
Well, I finally killed the SOB (along with a few of his friends).

The W2K install disk doesn't seem to have an option to boot to DOS, but by going into Windows Safe Mode I was able to edit the registry without the malware timer overriding my edit.

Then after rebooting I deleted the file, went back into the registry and got rid of some more offending entries (that didn't seem to be on a renewal timer), and rebooted again.

Finally found the registry entry for the Task Manager (disable) and changed that from 0x1 to 0.


(if I ever catch up with one of the writers of this malware stuff, I am going to seriously kill that bastard)


OK, thanks for all your replies... I'm not really an expert in this stuff, but I can fumble my way around in it - if anyone else needs some help, I can tell you what I did to fix it. I do seem to eventually do what the anti-spyware can't do.
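As an added example that is not part of the thread (none of the posters wrote this): a PowerShell script that audits the persistence locations the posts above describe. Reply #5 found "ping.dll" referenced under Software\Microsoft\Windows NT\CurrentVersion\Windows, and the original post describes a Run-key entry being rewritten faster than it could be deleted; Reply #9 describes restoring Task Manager by flipping the disable value back to 0. The script lists the Run/RunOnce keys in both hives, the boot-time values under the Windows NT key, checks each referenced file the way Tallpine did by hand (does the file exist, was it written recently, is it signed), and reports or resets the DisableTaskMgr policy. Assumptions: the thread never names the value under the Windows NT key, so AppInit_DLLs, Load and Run are my guess at where a boot-loaded DLL would be listed (AppInit_DLLs is the one that would put a DLL into every user32-linked process, which fits the "still running in Safe Mode" symptom); the 30-day "recent" window and the Authenticode check are heuristics, not proof of malice; the script assumes a Windows version that has PowerShell, so it would not run on the Windows 2000 box in the thread.

```powershell
# Added example, not code from the thread. Audit the autostart locations the
# posts describe and the Task Manager lockout policy. Run from an elevated
# PowerShell prompt. Registry paths are standard Windows locations; the value
# names under the Windows NT key are an assumption (see lead-in).

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$WinNTKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$WinNTValues = 'AppInit_DLLs', 'Load', 'Run'   # boot/logon-time loaders under this key
$PolicyKeys  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-AutostartEntries {
    # Every value under the Run/RunOnce keys, plus the named values under the Windows NT key.
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = [string]$p.Value }
        }
    }
    if (Test-Path $WinNTKey) {
        $props = Get-ItemProperty -Path $WinNTKey
        foreach ($name in $WinNTValues) {
            if (-not [string]::IsNullOrWhiteSpace($props.$name)) {
                [pscustomobject]@{ Key = $WinNTKey; Name = $name; Value = [string]$props.$name }
            }
        }
    }
}

function Resolve-AutostartPath {
    # Pull the executable/DLL path out of a command line or bare DLL name.
    param([string]$Value)
    $v = $Value.Trim()
    if ($v.StartsWith('"')) {
        $end  = $v.IndexOf('"', 1)
        $path = if ($end -gt 0) { $v.Substring(1, $end - 1) } else { $v.Trim('"') }
    } else {
        $path = ($v -split '\s+')[0]
    }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    # Bare names (typical for AppInit_DLLs) are searched in System32 first.
    if (-not [IO.Path]::IsPathRooted($path)) {
        $candidate = Join-Path $env:SystemRoot "System32\$path"
        if (Test-Path -LiteralPath $candidate) { $path = $candidate }
    }
    $path
}

function Test-AutostartEntry {
    # Returns a list of reasons an entry deserves a closer look (empty = nothing odd).
    param([pscustomobject]$Entry, [int]$RecentDays = 30)
    $items = if ($Entry.Name -eq 'AppInit_DLLs') {
        # AppInit_DLLs is a space/comma separated list, quoted paths allowed.
        [regex]::Matches($Entry.Value, '"[^"]+"|[^\s,;]+') | ForEach-Object { $_.Value }
    } else { ,$Entry.Value }
    $flags = @()
    foreach ($raw in $items) {
        $path = Resolve-AutostartPath $raw
        if (-not (Test-Path -LiteralPath $path)) { $flags += "missing file: $path"; continue }
        $file = Get-Item -LiteralPath $path
        if ($file.LastWriteTime -gt (Get-Date).AddDays(-$RecentDays)) {
            $flags += "written in the last $RecentDays days: $path"
        }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $flags += "no valid Authenticode signature ($($sig.Status)): $path" }
    }
    $flags
}

function Get-TaskMgrPolicy {
    foreach ($key in $PolicyKeys) {
        if (-not (Test-Path $key)) { continue }
        $v = (Get-ItemProperty -Path $key).DisableTaskMgr
        if ($null -ne $v) { [pscustomobject]@{ Key = $key; DisableTaskMgr = [int]$v } }
    }
}

function Enable-TaskMgr {
    # Same fix as Reply #9: set DisableTaskMgr back to 0 wherever it is set.
    foreach ($key in $PolicyKeys) {
        if ((Test-Path $key) -and $null -ne (Get-ItemProperty -Path $key).DisableTaskMgr) {
            Set-ItemProperty -Path $key -Name DisableTaskMgr -Value 0 -Type DWord
        }
    }
}

'== Autostart entries (!! = flagged) =='
Get-AutostartEntries | ForEach-Object {
    $flags = Test-AutostartEntry -Entry $_
    $mark  = if ($flags) { '!!' } else { '  ' }
    '{0} {1}\{2} = {3}' -f $mark, $_.Key, $_.Name, $_.Value
    $flags | ForEach-Object { "       $_" }
}
'== Task Manager policy =='
$pol = Get-TaskMgrPolicy
if ($pol) { $pol | Format-Table -AutoSize } else { 'DisableTaskMgr not set; Task Manager allowed' }
# To undo the lockout described in the thread, run: Enable-TaskMgr
```

Usage note: the report is a starting point, not a verdict. A legitimate updater will also show as recently written, and plenty of legitimate software is unsigned, so treat the flags as a list to research (as charby suggests, search on the file name) rather than a delete list. The point the thread makes still holds: a watchdog process that rewrites its key several times a second has to be stopped (Safe Mode, or an offline boot as Brian Williams suggests) before any registry edit will stick, and a DLL loaded into every process cannot be deleted while those processes are running. The Windows 2000 equivalents of these commands are `reg query` and `reg add` from reg.exe, or regedit from a clean boot.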