#1
Hey all,
I know probably everyone is familiar with the rogue infections messing up the file associations, particularly the .exe extension, but in the last couple of weeks we have had 3 that we haven't been able to fix permanently. What I mean is we run the .exe fix (usually the SAS fix) and it works until you do a restart, then the issue returns. In all cases the machine has been left "clean" but we have had to create a new profile for the user and copy the data over. Not sure if we are missing a trick here but thought it better to ask for a second opinion.
Kind regards, quinnlaup
#2
I would check startup entries for remnants of the malware. It is possible some registry key is being added at every boot from multiple startup places, which would make it come back even though the malware exe is gone. Some malware removers will only remove the exe and leave other stuff there.
__________________
I don't always monitor threads in which I posted. If you need a reply, please PM me instead. Thanks!
#3
+1 to what kotarel said
__________________
Old School PC Services www.OldSchoolPC.net Please +1 my website above, and "Like" using personal Facebook account. :)
#4
+2
Either you've missed something (what scans are you running to double-check your work?) or something has corrupted (tried a new profile?)
__________________
Xander St Catharines Computer Repairs New here? Watch this and read this. Remember, it's not our problem, it's yours, so ask your questions well.
#5
Ordinarily I would agree, but we have a system for removing these which is serving us pretty well, i.e. very low rates of reinfection, and we follow up every job by phoning customers after 1 week. However, I will take the suggestion on board, particularly if we get another one like these in.
Thanks as always, quinnlaup
#6
This thread has given me an idea: we can prevent the registry entries from being changed by changing the ACL permissions.
This would allow us to have the extensions fixed until we disinfect the machine completely. We give everyone permissions to read the registry values, but deny everyone to modify/delete them. I'll make a script and post back later on today.
#7
Quote:
Still, it's a worthwhile effort because no malware seems to be consistent in its effectiveness related to such things, so perhaps this will stop some or most of today's malware in its tracks... But in the OP's case, and overall in these situations, the problem becomes that you want to know when malware tries to change the entries; it lets you know the malware is still there and your job isn't done!
__________________
Author of d7, and TONS of other FREE PC technician's tools. www.FoolishIT.com Check out my videos on d7: An introduction to v6.6.x and Configuration Overview. Also check out My Network Boot Setup details, and the comment thread. Boot diag CDs over the network / deploy Windows installs with updates, drivers, and pre-installed apps in minutes!
#8
Hi FoolishTech, I agree with you when you say that this isn't the solution while we didn't kill the malware, but as I said, it will allow us to run our set of malware removal tools with peace of mind and prevent future changes to the registry keys/values.
Thanks to your warning, the script will also block DACL changes to the related keys and values. If we think it's worth it, we can make it also deny owner changes.
Edit: How could I forget that I can use user SIDs instead of names? I think I should go see a doctor. Anyway, it works for all languages now. The script fixes six file extensions: .exe, .msi, .reg, .bat, .cmd and .com, and protects all of them from being changed again. I'll add this feature to UVK on the next release.
Last edited by Eureka; 06-30-2011 at 06:39 PM.
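The approach from posts #6 and #8 (verify the six associations, then deny Everyone by SID the rights to write, delete or re-ACL the keys) as an added example; this is not Eureka's UVK script or anything posted in the thread. It assumes an elevated Windows PowerShell session and that the stock ProgIds and open commands listed in `$Stock` match a clean machine of the same Windows version.

```powershell
#Requires -RunAsAdministrator
# Added example, not the script from this thread. Checks the six associations
# post #8 lists against stock Windows values (assumed; confirm on a clean box),
# reports per-user overrides, then denies Everyone (S-1-1-0, so it works in
# every language) write/delete/DACL/owner changes on the HKLM keys.
$Stock = @{
    '.exe' = @('exefile',     '"%1" %*')
    '.com' = @('comfile',     '"%1" %*')
    '.bat' = @('batfile',     '"%1" %*')
    '.cmd' = @('cmdfile',     '"%1" %*')
    '.reg' = @('regfile',     'regedit.exe "%1"')
    '.msi' = @('Msi.Package', '"%SystemRoot%\System32\msiexec.exe" /i "%1" %*')
}
$Hklm = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
$Hkcu = 'Registry::HKEY_CURRENT_USER\Software\Classes'
$NoExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

function Get-DefaultValue([string]$Path) {
    # Raw (unexpanded) default value so REG_EXPAND_SZ compares as stored.
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($key) { $key.GetValue('', $null, $NoExpand) }
}

function Protect-Key([string]$Path) {
    # Deny ACE, inherited by subkeys. Reads stay allowed so the shell still works.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rights   = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $everyone, $rights, 'ContainerInherit', 'None', 'Deny')
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

foreach ($ext in $Stock.Keys) {
    $progId, $command = $Stock[$ext]
    # 1. HKCU\Software\Classes shadows HKLM in the merged HKCR view, which is
    #    why a fresh profile "fixes" an infection that survives the HKLM fix.
    foreach ($sub in @($ext, $progId)) {
        if (Test-Path "$Hkcu\$sub") { Write-Warning "Per-user override present: HKCU\Software\Classes\$sub" }
    }
    # 2. Compare the machine-wide association against the stock values.
    $gotProgId  = Get-DefaultValue "$Hklm\$ext"
    $gotCommand = Get-DefaultValue "$Hklm\$progId\shell\open\command"
    if ($gotProgId -ne $progId)   { Write-Warning "$ext maps to '$gotProgId', expected '$progId'" }
    if ($gotCommand -ne $command) { Write-Warning "$progId open command is '$gotCommand', expected '$command'" }
    # 3. Lock the extension key and the whole ProgId subtree.
    foreach ($sub in @($ext, $progId)) {
        if (Test-Path "$Hklm\$sub") { Protect-Key "$Hklm\$sub" }
    }
}
```

The deny entries also block the technician, so once cleanup is confirmed remove them with `$acl.RemoveAccessRule($rule)` and `Set-Acl` from an administrator account (which keeps SeTakeOwnershipPrivilege if the key's owner ever needs resetting). A warning from step 1 or 2 after a reboot is the signal FoolishTech describes: something is still writing the association, so the job isn't done.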