Sunday, January 16, 2005

Nightmare!!!

How to get rid of your worst nightmare (worms on your system!)

Say you left your system alone to finish some downloads or to update itself, and when you come back your firewall has crashed and you have a nasty worm/spyware on your system. Ever experienced a scenario where your trusted antivirus software can't help you? What do you do???

Well, the general answer would be: check the tasks/processes running on the system for any suspicious activity (you might use Task Manager or WinSpy, etc.). Then what? This one-liner, lol, is the most frequent one in my tech-support calls from my friends and friends of friends & ...

"I kill the task and it pops back again; I delete the file and it comes back again."

Well, we have all experienced that, haven't we? So here are certain things to do / not to do.

First, restore your firewall (or else disconnect from the internet) to avoid welcoming any further malware!

TIP: if you can't disable the internet from the taskbar connectivity tab, then stop/disable Terminal Services in Windows Services.

Now, many new spywares require special downloads to clean them off the system. Let us assume we don't have one on board, and that the spyware has tampered with the HOSTS file (many do, at least a few of the ones I've encountered). Forget trying to access any antivirus sites, and don't be surprised if you get routed to some other offensive page. So what to do before the system goes critical?

TIP: it's generally wise to have the latest virus scanner and cleaners like Stinger, etc., burned onto a CD for emergencies.

If we kill the task, it pops back up. If you delete the file, say c:\windows\system32\loadnew.exe (yes, it's spyware), it too pops back up. So, any solution?

TIP: many worms turn the user's ignorance to their own 'benefit of the doubt': you see a process running directly from the system32 directory and you might leave it alone to do its nasty work. Generally, almost 90% of spywares/worms get downloaded to the system32 or Windows folder. Don't fall for it!

The answer to this problem sounds funny but actually works better than the classical
{note the path of the file - reboot to DOS - delete the file}. That was good, or at least it used to be good, until we got NTFS, even on our primary drive (the drive on which the OS is installed).

TIP: it is not good practice to have the OS drive partitioned as NTFS, as it is time-consuming and troublesome to fix problems like the one above, and many many more...

Taking the worst of worst-case scenarios, let's consider that we have an NTFS primary drive. Generally the only EXTREME alternatives I find people talking about are to either FORMAT, or to make your hard disk a slave and run an antispyware scan from a different OS, etc., etc. WORSE would be to keep running it and ignore the spyware! Coming back, here is the answer, what to do:

COPY CON IT :) Yes! Create a file with the same name and make it a read-only and hidden file!

Example:

Say my firewall failed and I got a headache spyware downloaded to my system as "c:\windows\system32\loadnew.exe".

First, terminate the process in memory using Task Manager or WinSpy.

Next, delete the file at the path you read in Task Manager or WinSpy. (If you wish to experiment, rename it to a non-executable extension instead!)

NOW CREATE A DUMMY FILE WITH THE SAME NAME AS SPYWARE

I USE THE CMD SHELL: copy con c:\windows\system32\loadnew.exe

What do you have/type in that dummy file? Well, you can type your name, LOL.

Then make the file hidden and read-only, just as a precaution.

Once this is done, expect an application error, even before you have launched anything, saying "c:\windows\system32\loadnew.exe" is not a valid Win32 file.

This is because the worm initially writes to the Windows registry so that it auto-starts itself once its process is terminated. But here, when the process is restored (or an attempt is made to restore it), it launches a file containing your name, LOL. And since the file already exists, the worm will not try to replace the file (remember the precaution: that is for the case where it tries).
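The same procedure, from killing the process through setting the attributes, as one batch script. This is an added example and not part of the original post; it assumes taskkill is available (it ships with XP Professional and later) and uses the post's loadnew.exe path purely as the example, to be replaced with whatever path Task Manager showed.

```batch
@echo off
REM Added example (not from the original post): placeholder-file trick
REM for a process that keeps re-creating its own executable.
REM TARGET is the post's example path; substitute the path you saw.
setlocal
set "TARGET=c:\windows\system32\loadnew.exe"
for %%F in ("%TARGET%") do set "NAME=%%~nxF"

REM 1. Terminate the running process (same as killing it in Task Manager).
taskkill /F /IM "%NAME%" >nul 2>&1

REM 2. Clear any attributes the worm set (del skips hidden/system files
REM    unless they are cleared first), then delete the file.
attrib -r -h -s "%TARGET%" >nul 2>&1
del /f /q "%TARGET%"
if exist "%TARGET%" (
    echo Could not delete "%TARGET%". Is the process really gone?
    exit /b 1
)

REM 3. Create the dummy file with the same name. The content does not
REM    matter as long as it is not a valid executable (the post uses a name).
echo placeholder written %DATE% %TIME% by the cleanup script> "%TARGET%"

REM 4. The precaution from the post: hidden plus read-only.
attrib +r +h "%TARGET%"

REM 5. Show what we ended up with, so you can confirm the attributes
REM    and that nothing by that name is running any more.
attrib "%TARGET%"
tasklist /FI "IMAGENAME eq %NAME%"
endlocal
```

Run it from an Administrator command prompt; afterwards the registry auto-start entry still needs cleaning, exactly as the post says below.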

Remember, this procedure is only to get rid of the worm and to regain internet access for downloading the removal tools. Remember, you still have some registry to clean.

TIP: it is good to make your HOSTS file read-only. This will LIMIT the extent of any worm's damage and ease the restoration and cleaning work.

Article details:
Name: ER from Spyware
Level: Anyone

No more a nightmare ;) lol
