Printable View
Hmmm,
1. You must keep the OS up to date.
2. Use an AV and keep it up to date
3. Use a firewall and keep it up to date.
4. If your e-mail has "preview" turn it off (it launches malware)
5. http://www.winpatrol.com
6. http://www.diamondcs.com.au/index.php?page=products There are some nice free tools on that site ;)
RegistryProt and WinPatrol will give some protection against nasties trying to install and register themselves.
Another good monitoring program like WinPatrol is WinPooch.
http://sourceforge.net/projects/winpooch/
Gee Whizz, walk away to get some coffee... and so many responses before I pressed submit....lol
As you mentoned, "the lack of running windows update or via web pages..." Another family member using the computer, Instant Messengers, Chatrooms, receiving .jpgs from others, and now the re-emerging threat of malware in Word Document attachments - to mention only a few. As you see the list goes on and on. I don't want to start a family disruption, but event logs, history logs, router logs, and the like; may very well lead you to the person that unknowingly or knowingly downloaded the junk. Just to relate a story...
I remember several times my teenage son's computer would come to a screeching halt and he would say the same thing. "But I didn't download a virus." A quick check of the logs and I found he was surfing anime sites and I would just follow the trail. In amongst the files were some of the most erotic pictures imaginable. And of course he did click on them, thus the download was completed. Some he didn't click on, but just viewed the page.
Bottom line, after a rootkit... a format & install is most likely forth coming. If you are attempting to restore the system exactly as it was, be sure to download a hdd washer as well. It will place 0's via alogrythm selection, on a multitude of the sectors. Slave their drive to another and run the program. The reasons should be self-explanatory, but it may help disrupt a possible re-emergence of the same malware or other programs.
Then complete your build up and follow Nihil's 1 thru 6.
cheers
You might also have your parents quit the IE habit. Don't know about this one, but a lot of this stuff installs itself on PC's via Internet Explorer. The default config for IE is wide open to this kind of thing, and properly config'ing IE is beyond most users. Put them in Firefox or Opera.
I also recommend home users, especially newbies, switch to Yahoo, Hotmail or some other web-based email system that has built-in AV protection. If this one came in via email, it wouldn't have made it past Yahoo's system into the PC.
Just the facts...
yes IE is full of holes
so is FF ,Opera, and all the other browsers out there but the holes just havent been discovered yet...
you just need to find the browser that isnt a priority target for attackers.
Getting on the internet is like driving through the worst part of town at the worst time of night in a brand new car. If you are lucky you can get through.. if not... someone pulls out there '9mm rootkit semi-auto' and no more new car.
Jeez, I drive thru the worst part of town all the time, and with the full intent of getting lucky.
;)
When the only idea is Reinstall the whole purpose of the thread is wasted..
Currently my most reliable method of dealing with rootkits is remote scanning of the partition/drive.
That is either remove the HDD from the machine and scann it in a clean machine with the appropriate tools..OR as is my current practice.. A BootCD with a USB drive with the updated tools.. the boot cd currently is BartPE.. you could do the same with a *Nix OS..
When a remote scanning technique is used the "Cloaking" is ineffective.. then all you need is to be able to identify the files..
NEXT.. you need a Registry Scanner.. to get the troublesome Keys removed.. like the keys that prompt your boxen to auto download a new version of the rootkit..nice huh
THEN.. the clean up.. remove the files mentioned earlier.. Windows/temp, doc&settings/user/localsettings/temp and temp internet.. not forgetting windows/prefetch
But in all this even with the best tools, the cleanup is only as good as the observation skills of the tools user..
If your reason to do the cleanup is to have a clean machine.. then clean install.. if it is to remove the malware and not spend weeks restoreing software, and finding data.. then learn from the exercise
Hmmmm,
There is another aspect to it, in that it is his parents' box and I believe he is also looking for ideas on how to stop it happening again.Quote:
When the only idea is Reinstall the whole purpose of the thread is wasted
:)
true.. a point I failed to mention/clarifyQuote:
he is also looking for ideas on how to stop it happening again.
Not sure if I missed it, but how did you uncover this file in the first place? Just by checking the running processes?
Either way, adding to what Und3ertak3r was saying:
There are a few useful utilities out there for cleaning up the registry should you find some unwanted entries.Quote:
When a remote scanning technique is used the "Cloaking" is ineffective.. then all you need is to be able to identify the files..
NEXT.. you need a Registry Scanner.. to get the troublesome Keys removed.. like the keys that prompt your boxen to auto download a new version of the rootkit..nice huh
THEN.. the clean up.. remove the files mentioned earlier.. Windows/temp, doc&settings/user/localsettings/temp and temp internet.. not forgetting windows/prefetch
RegClean4.3 - Easy to read GUI, very easy to use program which displays reg keys for installed software...whether new or old and allows for effortless cleanup/removal of reg keys.
and in case you stumble across any reg entries that prove to be stubborn in deleting
check out a few of Sysinternals reg tools:
Rootkit Revealer - Good for locating hidden reg keys... usually registry keys that contain embedded-null characters.
These keys sometimes will not let you manually delete them, Sysinternals has another handy tool for removing those reg keys called REGDELNULL
Good luck!