Technibble Forums > Technical Discussions > Security, Viruses and Trojans

#1  06-29-2011, 09:32 AM
quinnlaup

recurring .exe problems

Hey all,

I know probably everyone is familiar with the rogue infections messing up the file associations, particularly the .exe extension, but in the last couple of weeks we have had 3 that we haven't been able to fix permanently. What I mean is we run the .exe fix (usually the SAS fix) and it works until you do a restart, then the issue returns. In all cases the machine has been left "clean" but we have had to create a new profile for the user and copy the data over. Not sure if we are missing a trick here but thought it better to ask for a second opinion.

kind regards

quinnlaup

#2  06-29-2011, 12:51 PM
kotarel

I would check startup entries for remnants of the malware. It is possible some registry key is being added at every boot from multiple startup places, which would make it come back even though the malware exe is gone. Some malware removers will only remove the exe and leave other stuff there.

#3  06-29-2011, 01:10 PM
OldSchoolPC

+1 to what kotarel said

#4  06-29-2011, 03:21 PM
Xander

+2

Either you've missed something (what scans are you running to double-check your work?) or something has corrupted (tried a new profile?)

#5  06-29-2011, 07:52 PM
quinnlaup

Ordinarily I would agree, but we have a system for removing these which is serving us pretty well, i.e. very low rates of reinfection, and we follow up every job by phoning customers after 1 week. However, I will take the suggestion on board, particularly if we get another one like these in.

Thanks as always

quinnlaup

#6  06-30-2011, 02:59 PM
Eureka

This thread has given me an idea: we can prevent the registry entries from being changed by changing the ACL permissions.

This would allow us to have the extensions fixed until we disinfect the machine completely.

We give everyone permissions to read the registry values, but deny everyone to modify/delete them.

I'll make a script and post back later on today.

#7  06-30-2011, 03:26 PM
FoolishTech

Quote: Originally Posted by Eureka
    This thread has given me an idea: we can prevent the registry entries from being changed by changing the ACL permissions.

    This would allow us to have the extensions fixed until we disinfect the machine completely.

    We give everyone permissions to read the registry values, but deny everyone to modify/delete them.

    I'll make a script and post back later on today.
I've used that tactic before in fighting malware on a live system. At least at the time, the malware was smart enough to change the permissions for itself again.

Still, it's a worthwhile effort because no malware seems to be consistent in its effectiveness related to such things, so perhaps this will stop some or most of today's malware in its tracks...

But in the OP's case, and overall in these situations, the problem becomes that you want to know when malware tries to change the entries - it lets you know the malware is still there and your job isn't done!

#8  06-30-2011, 04:32 PM
Eureka

Hi FoolishTech, I agree with you when you say that this isn't the solution while we haven't killed the malware, but as I said, it will allow us to run our set of malware removal tools with peace of mind and prevent future changes to the registry keys/values.

Thanks to your warning, the script will also block DACL changes to the related keys and values. If we think it's worth it, we can make it also deny owner changes.

Edit: How could I forget that I can use user SIDs instead of names? I think I should go see a doctor. Anyway, it works for all languages now.

The script fixes six file extensions: .exe, .msi, .reg, .bat, .cmd and .com, and protects all of them from being changed again.

I'll add this feature to UVK on the next release.
Attached Files: FixExtDenyChanges.zip (505 Bytes)

Last edited by Eureka; 06-30-2011 at 06:39 PM.
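An added PowerShell example of the locking approach Eureka describes in #6 and #8; it is not the attached FixExtDenyChanges.zip or UVK code. It assumes the default ProgIDs for the six extensions, that the association has already been repaired, and that it runs elevated; it also reports a per-user copy of the extension key under HKCU\Software\Classes, which takes precedence over the machine-wide key and would fit the OP's symptom of a new profile curing the machine.

```powershell
#Requires -RunAsAdministrator
# Added example (not Eureka's FixExtDenyChanges.zip). Uses the Everyone SID S-1-1-0 rather
# than a localised group name, as post #8 does, so it works on any Windows language.
# Assumed default ProgIDs for the six extensions named in the thread.
$assoc = @{ '.exe' = 'exefile'; '.msi' = 'Msi.Package'; '.reg' = 'regfile';
            '.bat' = 'batfile'; '.cmd' = 'cmdfile';     '.com' = 'comfile' }
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$readOnly = [System.Security.AccessControl.RegistryRights]::ReadKey
# Everything needed to rewrite the association, plus the right to change the DACL or
# owner again (the counter-move FoolishTech describes in #7).
$mutating = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'

function Protect-ClassesKey {
    param([string]$SubKey)   # path relative to HKEY_CLASSES_ROOT
    $key = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions')
    if ($null -eq $key) { Write-Warning "HKCR\$SubKey is missing: repair the association first"; return $false }
    $acl   = $key.GetAccessControl()
    $allow = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $everyone, $readOnly, 'ContainerInherit', 'None', 'Allow')
    $deny  = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $everyone, $mutating, 'ContainerInherit', 'None', 'Deny')
    $acl.AddAccessRule($allow)   # read stays open so Explorer and the shell keep working
    $acl.AddAccessRule($deny)    # explicit deny is ordered before allow, so it wins for everyone
    $key.SetAccessControl($acl)
    $key.Close()
    return $true
}

function Test-UserOverride {
    # HKCR is HKLM\Software\Classes merged with HKCU\Software\Classes, and the per-user copy
    # wins; a hijack living there survives a machine-wide fix and a reboot but not a new
    # profile, which matches the OP's symptom. Returns $true when such an override exists.
    param([string]$Extension)
    return Test-Path "HKCU:\Software\Classes\$Extension"
}

foreach ($ext in $assoc.Keys) {
    foreach ($sub in @($ext, $assoc[$ext])) {
        if (Protect-ClassesKey $sub) { Write-Host "Locked HKCR\$sub (and its subkeys)" }
    }
    if (Test-UserOverride $ext) {
        Write-Warning "$ext is also defined under HKCU\Software\Classes; inspect that copy"
    }
}
```

Because the deny ACE also covers ChangePermissions and TakeOwnership, undoing it later needs the key's owner or an administrator taking ownership through SeTakeOwnershipPrivilege, so keep that in mind before running it on a customer machine.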