
General question about malware


clapper62

Programmer
Apr 17, 2003
113
US
Something that has been bothering me while viewing many of these threads is that when someone says they have found a file "anything.exe" that they have identified as malware the first suggestion is to post a hijackthis log or run ewido or any of a multitude of malware scanners. Now what is bothering me is why isn't the first suggestion simply to delete the suspect file? I realize that sometimes this is easier said than done but shouldn't you at least try this first?

This leads me to another question. Does it matter if a piece of malware has left values in your registry if the executable that uses them is gone (besides having unneeded keys in your registry)? For that matter, does it matter if the malware executable file is still on your system as long as you have stopped it from running?

Now I realize that having programs infected with a virus and unneeded registry entries on your system can never be a good thing but if these programs have been stopped from running is your security at risk?

just wondering.
 
Well, the reason, I'd say, is that sometimes I figure to see if they have any others on the computer. Also, yes, a lot of times it is bad to have registry keys left behind, for sometimes those keys can be dangerous, as they could be changing paths for certain files to run. Also, sometimes certain malware simply will not let you delete it; therefore you find the registry keys to stop it from running, unless you get lucky and it lets you end its task.
 
Many users are beginners and wouldn't know where to look to delete the pest, and sometimes we don't know either; that's when tools like HijackThis become our eyes into others' computers and our own! Many pests these days cannot simply be deleted; many specialised tools are needed as the pests evolve and become more problematic.

Just look at rootkits, like wareout/hclean32.exe; this bugger has a whole entourage of hidden helpers installed on your machine! I generally used Rkfiles, Silent Runners and FIndT just to find them all, but only after running a reg fix to flush them out into the open and stop them from hiding. Then the killbox was used to delete them, and Panda and Kaspersky scans were indispensable to make sure they were gone. Not to mention the random s***.exes which came along for the ride!


Yes, we can leave traces of the pests in the registry when they are just leftovers and dead entries! It's not advisable to ask beginners or those not comfortable editing the registry to go in there willy-nilly and start hacking away at reg keys. This is why at the TSG boards we prefer to use the killbox on exes and dlls, as it takes them out without the user having to go in there manually to find them and maybe deleting a legitimate file!

Using tools like ewido will fix many spyware and other issues and clean up the registry; sometimes specialised fixes are written to delete the pests and repair the registry, like the nail.exe fix, Vundo fix and the l2me fix! Otherwise, we can write our own reg fixes or delete the pests and leave the dead entries.

You don't always need to clean out the registry, as you would spend many days/weeks cleaning out all the leftovers from programmes you thought were totally uninstalled; there are always leftovers from either legit or illegitimate programmes!
 
One more reason. Several of the nastier variants of spyware regen themselves. Taking out the .exe will allow the infection to reoccur. A machine needs to be cleaned as thoroughly as (safely) possible.
 
-- "Well the reason id say sometimes i figure to see if they have any other on the computer" --

Yes, I agree, but what I am saying is shouldn't the first advice given be directed toward stopping the already known threat, and then you can worry about seeing if there is anything else to worry about?

On occasion I have come across a suspicious process running on a system, and when I do a search on the internet a lot of what I find are other people asking about the same process in forums such as this. The answer they get is increasingly "Post a HijackThis log", not an answer as to whether or not the process is malware, and if it is, I believe some advice should be given on how to stop this process and keep it from starting again right away.


-- "a lot of times it is bad to have registry keys left behind, for sometimes those keys can be dangerous, as they could be changing paths for certain files to run" --

This is a good point and one I hadn't considered.


-- "Also, sometimes certain malware simply will not let you delete it; therefore you find the registry keys to stop it from running, unless you get lucky and it lets you end its task." --

As I said, sometimes it's easier said than done to delete a bad file, but I repeat: why not do a search for it and at least try to delete it? If you can't, then take the extra steps needed to delete it.

I ask these questions because this is my method of cleaning a system, Detect / Delete, and I'm wondering if, even after I know nothing bad is running, I have taken enough steps to make the computer safe. Your reply to the registry keys question makes me think that the answer may be No.

 
aquias
-- "Several of the nastier variants of spyware regen themselves. Taking out the .exe will allow the infection to reoccur." --

This is one of the things I am curious about: is it possible for anything to regenerate itself if it no longer has a program running on the system, regardless of how many remnants of it are left?
 
Yes. The .exe may be what is causing the Pop ups but, in some of the nastier variants, there is actually a trojan or backdoor program monitoring the system. If the file is removed the trojan/backdoor will make a call to re-download the file.
 
--"If the file is removed the trojan/backdoor will make a call to re-download the file."--

OK, but this means that some malware program is running on the system.

I also have another question (ugh, so many questions, in fact). Is it possible for a process to hide itself from the Task Manager in Windows XP or Windows 2000?
 
Yes. That is why there are so many programs to monitor and list out what is running. Additionally, some malware will modify the registry to disable the Task Manager.

And yes...it means something is running, but when cleaning a system, if you identify the .exe that is running, you won't identify the other programs monitoring the system.

An Example...

Delete Anyfile.exe. Pop Ups stop! I'm done! Next day they're back and the process renews itself.
 
Many exes are dependent on other hidden exes and dlls to respawn them; the wareout/hclean.exe rootkit is a good example.

Many infections are just a single dll or an exe, but some have a lot more baggage with them and, as aquias says, they can phone home and reinstall themselves. Many make changes to the hosts file to stop you going to internet tech sites to run online scans or download cleaning tools like ewido, Spy Sweeper etc.! Use the Hoster tool to repair the hosts file!

They also place trusted entries to their own sites so they can re-download their files even if you delete them. Use DelDomains to remove all the trusted sites. This is why HijackThis is invaluable, as it shows these hosts entries and trusted entries in the logs as well as some of the exes and dlls!


Download the Hoster from:
Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.

Download DelDomains.inf from here:

Right-click DelDomains.inf and choose Install.
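The hosts-file hijack described in this post (security-tool sites pinned to loopback or sent to some other address) can be checked for offline before reaching for a repair tool. The following is an added example, not code from this thread or from the Hoster tool; the hosts content and the vendor hostnames are constructed placeholders, and in practice you would load your own hosts file and watch the domains of the scanners you rely on.

```python
import ipaddress
from typing import Dict, List

# Constructed sample hosts file: the first lines are normal, the rest blackhole
# or redirect security-tool sites. The vendor hostnames are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.ewido.example           # pinned to loopback
0.0.0.0         download.spysweeper.example
203.0.113.7     securityscan.example.com    # sent to a foreign address
"""

# Hostnames the defender expects to be reachable (placeholders; use the
# domains of the scanners and update servers you actually depend on).
WATCHED_DOMAINS = {"www.ewido.example", "download.spysweeper.example",
                   "securityscan.example.com"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text: str) -> List[Dict[str, str]]:
    """One {ip, host} record per hostname; comments and blank lines skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue                                 # not a hosts entry
        records.extend({"ip": ip, "host": n.lower()} for n in names)
    return records


def suspicious_entries(text: str, watched=WATCHED_DOMAINS) -> List[Dict[str, str]]:
    """Report every static mapping except the standard localhost lines; the
    address says whether the name was blackholed (loopback/0.0.0.0) or redirected."""
    flagged = []
    for rec in parse_hosts(text):
        addr = ipaddress.ip_address(rec["ip"])
        if rec["host"] in LOCAL_NAMES and addr.is_loopback:
            continue                                 # normal localhost lines
        what = "watched security domain" if rec["host"] in watched else "unexpected mapping"
        how = "blackholed" if addr.is_loopback or addr.is_unspecified else "redirected"
        flagged.append({**rec, "reason": f"{what} ({how})"})
    return flagged
```

Any hit is worth checking against a known-clean hosts file before restoring it, since a clean file rarely maps third-party names at all.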
 
pechenegs,
Thank you. Although I am familiar with the hosts file, I have never thought to check this while cleaning a machine, and I will definitely try the download out. The trusted sites is another thing I have neglected to check out.

I can see that I was wrong in my assumption that as long as you could stop all undesirable processes from running on the system that you were relatively safe.

From what aquias has said, if a process can hide itself from the Windows Task Manager, are there any process listers out there that a process cannot hide itself from? Does HijackThis list such programs?

I wrote a program a short time ago that uses WMI to list the processes on a machine, but I fear that it may not be able to do this. I was looking at Process Explorer by Sysinternals (I think).