Technibble Forums > Technical Discussions > Security, Viruses and Trojans
#31
09-24-2008, 12:18 PM
Wheelie (Join Date: May 2008, Posts: 564)

Quote: Originally Posted by TimeCode
But can they do it if there is a buried registry entry? I certainly prefer faster and more complete methods but scanning a registry on an infected PC from a clean PC, how is that done?
Excellent questions. And - yes - ultimately you do have to clean the registry as a part of the virus removal process. That is an important step. But that is not really where the virus itself is removed. Virus removal is a 2-step process: 1) remove the bad files, and 2) remove the callouts in the registry to run the bad files. That's what Spybot, Ad-Aware and Malwarebytes do: they scan the PC for bad files and scan the registry for bad callouts. They are just not perfect programs and thus they miss things or are intentionally misled by the virus to miss things (i.e. rootkits).

The registry simply contains PC settings and configurations. It can tell the PC where to find files and when and how to run files, but the registry itself does not contain files or CPU-level code per se. A virus must be executed from a file or files, and the registry can only call out a file to be run. It cannot contain the virus itself.

So. If you take away all the bad files off the hard disk - when you reboot the (formerly) infected PC the registry can only lodge a complaint (i.e. an error message may pop up saying it can't run badfile.exe). After you put the hard drive back in the infected machine and scan with Spybot or Malwarebytes (or do it manually) you will finish the cleaning of the registry callouts.

Another way to look at this: if you leave all the bad virus files in place on the PC's hard disk - but you remove all the callouts to launch those viruses in the registry - the PC will not show signs of infection because the viruses cannot and will not launch even though the PC still has all the files that are the virus (technically it is still infected ... it's just not actively running).

Rootkits use the operating system against you. They can hide themselves and any files, folders, and running processes they choose. They are very good at that. That is why I am now recommending the infected hard drive be pulled and scanned on an uninfected PC. That way the rootkit cannot hide. All its files and folders will be viewable and thus removable.

Be aware that Microsoft's published method for dealing with a rootkit is to back up data, delete the partition (and thus the MBR), repartition, full format (not quick), and reload Windows. This is also the method many Federal government offices use to deal with them. In fact, I believe organizations like the FBI, etc. are doing periodic disk re-images of the hard drive from clean sources to ensure sensitive PCs are not infected with rootkits.
__________________
"I clicked on the blue thingy in the little window and now it won't show the screen ... can you fix it?"
"Absolutely. Is today at 3 o'clock good?"
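The offline check the post describes (pull the drive, read its registry from a clean PC, then find the "callouts" that point at bad or now-deleted files) can be scripted. The following is an added example, not code from the thread or from any of the tools named in it; it assumes the infected disk is mounted on the clean PC as D:, that the script runs from an elevated PowerShell prompt, and it only covers the machine-wide Run/RunOnce keys in the SOFTWARE hive (per-user NTUSER.DAT hives would need the same treatment). Because the infected OS is not running, a rootkit on that disk cannot filter what is read here.

```powershell
# Added example (not from the thread): list autostart "callouts" in an offline
# SOFTWARE hive from a pulled drive and flag ones whose target file is missing.
# Assumptions: pulled drive is mounted as D:, and this runs elevated.
$OfflineDrive = 'D:'                                  # assumption: pulled drive letter
$HivePath     = "$OfflineDrive\Windows\System32\config\SOFTWARE"
$MountName    = 'OfflineSOFTWARE'                     # temporary key name under HKLM

# Load the offline hive so its Run keys can be read without booting the infected OS.
& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath" }

try {
    $runKeys = @(
        "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\RunOnce"
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip the provider's own PS* metadata
            $cmd = [string]$p.Value
            # Pull the executable out of the command line: quoted path, or first token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split ' ')[0] }
            # Point the path at the offline disk, not the clean PC's own system drive.
            $exe = $exe -replace '%SystemRoot%', "$OfflineDrive\Windows"
            $exe = $exe -replace '^[A-Za-z]:', $OfflineDrive
            $state = if (Test-Path -LiteralPath $exe) { 'present' } else { 'MISSING (orphaned callout)' }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd; Target = $exe; File = $state }
        }
    }
}
finally {
    # Drop provider handles, then unload so the clean PC does not keep the hive mounted.
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Entries reported as present still need to be judged by hand (or scanned) on the mounted disk; entries reported as missing are the leftover callouts the post says will only "lodge a complaint" at boot and can be removed from the hive.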
#32
10-20-2008, 07:10 AM
SaylorComputer (Join Date: Oct 2008, Location: Long Beach, CA, Posts: 5)
AV2008/2009 is keeping me busy the last few weeks as well. Got two machines here in the office that have critical data on them, and I haven't been able to clean them with any of my usual ways. My normal way of handling it is a nuke/pave also, like everyone else has mentioned. It's the worst I have dealt with since the Kama Sutra outbreak in 2004/05. Has anyone had luck with a removal tool?
#33
10-20-2008, 12:52 PM
Wheelie (Join Date: May 2008, Posts: 564)
As others here have posted - Malwarebytes does a good job on this infection. However, I have now seen 2 cases in the last 30 - 40 days of PCs infected with rootkits by AV XP 2008/09. I ran Malwarebytes on case #2 and it detected but could not remove it.