I’ve been dealing lately with some pretty weird malware that none of the online scan engines or some of the offline AV software (free versions) or antispyware software (including Ad-Aware and Spybot Search & Destroy) were able to pick up. Yet there they were, and no matter how you deleted the file, it came back again. I made a small check with Sysinternals Process Monitor and found that the actual process doing the recreation was winlogon.exe (which was not altered in any way).
So, I booted up in safe mode, sorted the files from windows\system32 by size and started with the smaller ones, working my way up to the 4 kb limit. Whatever exe/dll/sys/etc I found there that looked suspicious, I renamed. Rebooted the system and voila: everything is fine 🙂
So I made a small script to take care of the problems:
mz.bat

```batch
@echo off
rem Rename each suspect file so it no longer loads; the !!_ prefix keeps the
rem original name visible so the rename can be undone if a file turns out genuine.
rename C:\WINDOWS\system32\Dcache.bin !!_Dcache.bin
rename C:\WINDOWS\system32\dpnaddr.dll !!_dpnaddr.dll
rename C:\WINDOWS\system32\dpnlobby.dll !!_dpnlobby.dll
rename C:\WINDOWS\system32\fastopen.exe !!_fastopen.exe
rename C:\WINDOWS\system32\fixmapi.exe !!_fixmapi.exe
rename C:\WINDOWS\system32\igxpxa32.vp !!_igxpxa32.vp
rename C:\WINDOWS\system32\keyboard.drv !!_keyboard.drv
rename C:\WINDOWS\system32\l_except.nls !!_l_except.nls
rename C:\WINDOWS\system32\loadfix.com !!_loadfix.com
rename C:\WINDOWS\system32\LTWND_n.lib !!_LTWND_n.lib
rename C:\WINDOWS\system32\mmtask.tsk !!_mmtask.tsk
rename C:\WINDOWS\system32\mouse.drv !!_mouse.drv
rename C:\WINDOWS\system32\mscdexnt.exe !!_mscdexnt.exe
rename C:\WINDOWS\system32\netware.drv !!_netware.drv
rename C:\WINDOWS\system32\nw16.exe !!_nw16.exe
rename C:\WINDOWS\system32\redir.exe !!_redir.exe
rename C:\WINDOWS\system32\rnr20.dll !!_rnr20.dll
rename C:\WINDOWS\system32\share.exe !!_share.exe
rename C:\WINDOWS\system32\sound.drv !!_sound.drv
rename C:\WINDOWS\system32\sysprint.sep !!_sysprint.sep
rename C:\WINDOWS\system32\sysprtj.sep !!_sysprtj.sep
rename C:\WINDOWS\system32\system.drv !!_system.drv
rename C:\WINDOWS\system32\systray.exe !!_systray.exe
rename C:\WINDOWS\system32\termcap !!_termcap
rename C:\WINDOWS\system32\vga.drv !!_vga.drv
rename C:\WINDOWS\system32\vwipxspx.exe !!_vwipxspx.exe
rename C:\WINDOWS\system32\winoldap.mod !!_winoldap.mod
rename C:\WINDOWS\system32\winsock.dll !!_winsock.dll
rename C:\WINDOWS\system32\winspool.exe !!_winspool.exe
rename C:\WINDOWS\system32\wowdeb.exe !!_wowdeb.exe
rename C:\WINDOWS\system32\wowfax.dll !!_wowfax.dll
```
Some of the files might be genuine Windows files. I never checked. But for the last 2/3 months that I have been using this method, nobody complained of problems.
However, my preferred way is not to rename the files, but to replace their content with some readable text (like "this file was inoculated") and remove everybody's access rights. Why is this the best way? Well, pretty simple: I am dealing with people not able to take care of themselves, so the chances of re-infection are very high; but with this method, next time the same worm/trojan/etc wants to infect, it will not be able to, since the desired filename will not be writable 🙂
It is an ugly way to get rid of the pests, but it works.
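The "inoculate" variant described above, written out as an added PowerShell example (not the post's own script): each target is overwritten with a readable marker and its DACL is cut down to a single read-only entry for Administrators, so nothing can recreate a payload under that name. Because several names on the list are legitimate 16-bit compatibility files on XP (winsock.dll, system.drv, vga.drv and the like), the example refuses to touch a file unless its SHA256 is in $KnownBad, a placeholder table you fill from the samples actually found on the machine; $Targets repeats a few entries from mz.bat.

```powershell
# Added example: inoculate drop names instead of renaming them. Run elevated.
$Marker   = 'this file was inoculated'            # constructed marker text
$KnownBad = @{
    # Placeholder: put the UPPERCASE SHA256 of each sample you pulled off the
    # box here, e.g. 'ABCD...' = 'Dcache.bin'. Files not listed are skipped.
}
$Targets  = @(                                    # subset of mz.bat's list
    'C:\WINDOWS\system32\Dcache.bin',
    'C:\WINDOWS\system32\fastopen.exe',
    'C:\WINDOWS\system32\winsock.dll'
)

function Protect-Target {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { return "missing:    $Path" }

    # Record the hash before destroying the sample; it is your IoC for later.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if (-not $KnownBad.ContainsKey($hash)) {
        return "skipped:    $Path (SHA256 $hash not in known-bad list)"
    }

    # Droppers often set read-only/hidden/system; clear them so the overwrite works.
    Set-ItemProperty -LiteralPath $Path -Name Attributes -Value 'Normal'
    Set-Content -LiteralPath $Path -Value $Marker -Encoding Ascii

    # Replace the DACL: stop inheriting system32's entries, drop every explicit
    # entry, then allow only Administrators:Read. Nobody, SYSTEM included, holds
    # write or delete on the name. Limit of the trick: an admin-level process can
    # still take ownership and rewrite the ACL, so this stops naive droppers only.
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
    return "inoculated: $Path (was SHA256 $hash)"
}

foreach ($t in $Targets) { Protect-Target -Path $t }
```

Keep the recorded hashes with your notes: if the same family comes back under a different name, the hash of the new drop is the first thing to compare.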