Viruses! Malwares! and More Malwares!
January 24, 2007

Just as when I thought I could relax after a number of nights removing a new malware that had infected several of my PCs here (even the two newly acquired units), I got another one this afternoon!
The last time, I was able to get rid of the malware and all its residues and other ill effects without reformatting my units, except for one which still keeps popping up an error message. The first time I saw the same error message on two or three of the PCs, I knew right then that a malware had propagated itself through the network. I'm not sure if it came from the internet or from one of the disks brought in by one of the students.
I updated my AVG anti-virus and Spybot anti-spyware (I always use this combination and so far I'm satisfied with the results) and scanned the computers. The scans found several viruses and malware and got rid of them. Unfortunately, there is still an unnamed malware that cannot be removed permanently.
So I knew I had to use a more effective but dangerous tool! This is like using a double-edged sword, because I might accidentally disable a valid program. I used HijackThis. But even with this, the malware keeps coming back right after I take it out of the registry! I can't even delete the file it executes (even if I do it in safe mode)!
Eventually I was able to trick the malware! I reckon that the malware monitors the registry entries, so when the entry which runs it during startup is deleted, it writes it again. Even Spybot's TeaTimer cannot prevent it. So instead of deleting the registry entries that it uses to run itself at the early stage of the Windows startup, I simply edited the data and added a letter to the file name it is supposed to run.
I was right! After I restarted the computer, Windows could not find the now misspelled file named in the startup entry. And since it's no longer loaded in memory, I was able to delete the malware safely.
Now I've got here an even trickier malware, although Spybot and now AVG Anti-Spyware have detected and removed the RavMone.Exe malware. There are two startup entries which run two exe files that are NOT where they are supposed to be!!! Worse, regedit is hijacked to run Notepad instead of the valid registry editor!!! WOW!!! Now I gotta get more info on this!!!
So I got on the net and entered the keyword RavMone. I got several bits of info and downloaded Autoruns, a more sophisticated and complicated tool! But with it, I found out how regedit was hijacked, restored it, and restarted my PC. I used the now functioning regedit and cheated the malware again. Then I tried Spybot again to remove the malware's startup entry. This time it did not return!!! I still haven't found the file it executes though. Yet, 2 more points for me against the malware!!!
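As an added, defender-side example (not part of the original post, nor anything from Spybot, AVG or Autoruns), here are the two checks that would have shortened the hunt described above: list every Run/RunOnce entry whose executable is missing or lives outside the usual program directories, and look for a Debugger value under Image File Execution Options for regedit.exe, which is one well-known way to make Windows launch another program (such as Notepad) in place of regedit. The post does not say which mechanism hijacked its regedit, so that part is an assumption. PowerShell, run as an administrator; the $expectedRoots list and the function names are my own choices.

```powershell
# Added example, not code from the original post. Audits the per-machine and
# per-user Run/RunOnce keys and the regedit.exe IFEO entry. Assumes Windows
# PowerShell 3 or later with administrative rights.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories where legitimate autostart executables normally live (assumed
# list; adjust for your environment). Anything else is flagged for review.
$expectedRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:SystemRoot") |
    Where-Object { $_ }

function Get-ExecutablePath([string]$command) {
    # Run values are command lines: "C:\path\app.exe" /flag  or  C:\path\app.exe /flag
    if ($command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($command -split '\s+')[0] }
    # Bare names such as rundll32.exe are resolved through PATH, as Windows would.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($found) { $exe = $found.Path }
    }
    return $exe
}

function Get-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd   = $item.GetValue($name)      # REG_EXPAND_SZ values are expanded here
            $exe   = Get-ExecutablePath $cmd
            $flags = @()
            if (-not (Test-Path -LiteralPath $exe)) {
                # A dangling entry: the file is gone, or its name was altered
                # (the post's "add a letter" trick produces exactly this).
                $flags += 'file missing'
            } elseif (-not ($expectedRoots | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
                # Executable present but outside Program Files / Windows.
                $flags += 'unusual location'
            }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Flags = ($flags -join ', ') }
            }
        }
    }
}

function Get-RegeditDebugger {
    # A Debugger value here makes Windows start that "debugger" instead of
    # regedit.exe; a hijack like the one in the post is one reason it may be set.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe'
    if (-not (Test-Path $ifeo)) { return $null }
    return (Get-ItemProperty -Path $ifeo -ErrorAction SilentlyContinue).Debugger
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
$dbg = Get-RegeditDebugger
if ($dbg) { Write-Warning "regedit.exe has an IFEO Debugger value: $dbg" }
```

Review the flagged rows by hand before touching anything: a vendor updater installed under a user profile will show up as "unusual location" without being malicious, and a legitimately uninstalled program can leave a "file missing" entry behind. The same rename trick the post describes also works in reverse for triage, because an entry pointing at a file that no longer exists is a strong hint that something was recently cleaned or renamed.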
Previous Comments
If you do find those infected files, you can first of all upload them to http://virusscan.jotti.org. If it's infected (even if it does not show at Jotti), you can compile it using WinRar or WinZip, password-protect it and send it to 'technicalsupport@grisoft.com' together with the password, of course.
New definitions that you can download should then be made quickly by Grisoft.
Hope that helped.
Posted by Matthew at February 2, 2007, 11:14 am