mraeryceos Posted July 30, 2008 (edited)
Could someone tell me if, upon infection, Windows files get replaced with infected versions, such that deleting or renaming the infected file would make Windows unable to boot or function properly?

Edit Aug 30th:
Most users that have malware would prefer their computers be "fixed". They don't want a fresh install of Windows, because it means having to reinstall everything, import everything, change settings on everything... I am looking for a way to avoid this. The following conversation attempts to find a better way.
Edited September 1, 2008 by mraeryceos
mraeryceos (Author) Posted August 24, 2008
No one wants to talk about this?
Kelsenellenelvian Posted August 24, 2008
isass.exe, i.e. the Sasser worm, does just that... They do it all the time...
FishBowl Posted August 24, 2008 (edited)
Even more would change system files and/or networking-related stuff, to log your keyboard and steal passwords and phone home, or even to interfere with your online banking.
Several also manipulate the System Restore mechanics, to re-appear even after being removed by safety software.
And worst is, they often try to get auto-started extremely early after reboot, before any of your shields are up. And manipulate those then...
In most cases, damaging the system so it does not boot anymore would not be in the interest of a bad guy, as this would also stop his misuse of your machine.
This often includes spreading the malware even more over your machine, like to all of your contacts, or stealing even more critical data from you...
So killing your machine kills his worthy tool.
Keep in mind, after mistreating you, they may like to sell their access to other criminals, that would like to continue with hurting you and others. The first one may steal some of your internet accounts for gaming sites or e-mail, the next may want to steal your bank account or attack your money transfers, the third may want to spread <real dirt> or other illegal stuff over your machine. Then there are people attacking web servers they don't like.
Most of all would like your system still to be up and running, at least until all they want is done...
So it depends on the intention of the criminal.
No more, no less.
Edited August 24, 2008 by FishBowl
mraeryceos (Author) Posted August 26, 2008 (edited)
Thanks FishBowl! Now the real reason I brought this up.
(1) On an infected machine, if you replace the files that occur in every installation of Windows XP SP2, no matter what the hardware, will this eradicate the malware that may have leeched onto legit system files?
(2) Well, the registry would always be different, so you couldn't replace that. The registry may call out to drivers, DLLs, etc. that are malicious, and aren't part of the core system files in (1). But you can use your favorite boot CD to load up the registry and remove the offending startup entries. I can't remember if it's possible to use Sysinternals Autoruns to load the remote registry on the hard drive, while booting off a CD or USB device. Anyway, this is something you could do.
Does anyone know which files are present on every installation of Win XP SP2? What I'm getting at is that this would be a quick fix without having to reinstall Windows, and everything else. Boot off a CD, overwrite files, remove startup reg entries, and you are good to go. You may still have some malware left on the machine, but it won't be active (and I assume harmless unless someone double-clicks on a malware executable).
Does anyone know which files are present on every installation of Win XP SP2? I've made some rough attempts at overwriting with the originals, but Windows would blue screen after I did it. Oops... killed the patient.
AHA! I should have been reading Wikipedia! http://en.wikipedia.org/wiki/Rootkit#Removal
> While most Administrators prefer a clean reinstall, a skilled Administrator using a PE can often delete and clean a rooted system if a reinstall is not a viable option.
Edited August 26, 2008 by mraeryceos
jcarle Posted August 26, 2008
Malware can go a lot deeper than that. If you're patient enough, you'll learn a lot by watching this video: http://www.microsoft.com/emea/spotlight/se...spx?videoid=359
mraeryceos (Author) Posted August 26, 2008 (edited)
I am not interested so much in what it does, but how to get rid of it. I can rewrite the boot sector, if that is what you mean by "deeper". What do you mean by deeper? Yes, exactly what do you mean by deeper?
Edited August 26, 2008 by mraeryceos
submix8c Posted August 26, 2008
Overwriting "replaced" files that are Malware with "legit" files can be done with an "over-top reinstall" without loss of data, profiles, post-installed software, etc. Bear in mind that Malware can have a module named the same as a good file in a different folder that will still cause damage (or whatever) because it gets executed before the good one (ref. the execution PATH).
Best bet is to use all recommended Malware Cleaners / Scanners, check the registry (HijackThis is a good one), then maybe (if necessary) do an "over the top reinstall". There will more than likely be lots of stray Malware hiding if you don't "clean" the system.
Can you describe any symptoms that lead you to believe you're "infected"? There are usually tell-tale signs. If so, post here...
HTH and Good Luck!
mraeryceos (Author) Posted August 27, 2008 (edited)
> Bear in mind that Malware can have a module named the same as a good file in a different folder that will still cause damage (or whatever) because it gets executed before the good one (ref. the execution PATH).
OK! Thanks!
I don't have an infected computer at the moment. I'm a tech. I usually just get data off and reinstall Windows.
> Best bet is to use all recommended Malware Cleaners / Scanners, check the registry (HijackThis is a good one), then maybe (if necessary) do an "over the top reinstall". There will more than likely be lots of stray Malware hiding if you don't "clean" the system.
Too much work. Also, running an antivirus scan is likely going to be ineffective in cleaning malware.
Reference http://av-test.org papers titled:
testing for rootkit detection and removal
Also of interest:
getting rid of malware from infected pcs
I was looking for a quicker method. For example, overwriting Windows files with a copy of files always existing on a standard Windows installation. Then perhaps rename or delete all files NOT on a standard Windows installation (can be automated). I like this method better than doing an "over the top" installation of Windows, because you don't know what the F*&& the "installation" does.
So I still have the question:
Does anyone know which files are present on every installation of Win XP SP2?
Edited August 28, 2008 by mraeryceos
Mr Snrub Posted August 27, 2008
> Bear in mind that Malware can have a module named the same as a good file in a different folder that will still cause damage (or whatever) because it gets executed before the good one (ref. the execution PATH).
QFT - in fact, due to Windows File Protection and the fact that a lot of the system binaries have open handles which prevent overwriting while the system is running, it's more likely that malware masquerading as OS files will be running from another (often temp) folder.
Another trick that has been used is to have lookalike executable names - dllh0st.exe, for example.
If suspicious of a running process, use Task Manager or Process Explorer to view the command line rather than just the process name - that can often give clues as to what a process is.
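The two checks submix8c and Mr Snrub describe (a genuine system-binary name running from a folder where it does not belong, and a lookalike name such as dllh0st.exe or isass.exe) can be automated over the name-and-path list that Task Manager or Process Explorer shows. The Python below is an added example written for this thread, not code from any poster; the process records are constructed sample data, and the list of system binaries, their expected folders and the homoglyph table are assumptions chosen for the demonstration.

```python
"""Added example for this thread (not code from any poster): flag process
records whose name imitates a Windows system binary, or whose image runs
from a folder where that binary does not belong. The records below are
constructed sample data, as if copied from Process Explorer's name and
command-line columns; the binary list, expected folders and homoglyph
table are assumptions chosen for the demonstration."""

# Assumed: system binaries that Windows XP keeps in fixed locations.
EXPECTED_DIRS = {
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "dllhost.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Characters commonly swapped in to produce a lookalike name (dllh0st, isass).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s"})


def normalize(name):
    """Lower-case a file name and fold homoglyphs so lookalikes compare equal.
    Both the genuine names and the candidate are folded, so a genuine name
    that itself contains 'i' (winlogon.exe) still matches only itself."""
    return name.lower().translate(HOMOGLYPHS)


# Normalized form -> genuine name, so a folded lookalike can be mapped back.
NORMALIZED_SYSTEM = {normalize(n): n for n in EXPECTED_DIRS}


def classify(record):
    """Return findings for one {'name', 'path'} record.

    'wrong-folder'         a genuine system-binary name running outside its folder
    'lookalike:<genuine>'  a name that differs from a system binary only by homoglyphs
    """
    name = record["name"].lower()
    folder = record["path"].lower().rsplit("\\", 1)[0]
    findings = []
    if name in EXPECTED_DIRS:
        if folder != EXPECTED_DIRS[name]:
            findings.append("wrong-folder")
    else:
        genuine = NORMALIZED_SYSTEM.get(normalize(name))
        if genuine is not None:
            findings.append(f"lookalike:{genuine}")
    return findings


def scan(records):
    """Return (name, path, findings) for every record that raised a finding."""
    hits = []
    for r in records:
        findings = classify(r)
        if findings:
            hits.append((r["name"], r["path"], findings))
    return hits


# Constructed sample process list (not a real capture).
SAMPLE_PROCESSES = [
    {"name": "lsass.exe", "path": r"C:\WINDOWS\system32\lsass.exe"},
    {"name": "isass.exe", "path": r"C:\WINDOWS\system32\isass.exe"},
    {"name": "dllh0st.exe", "path": r"C:\Documents and Settings\user\Local Settings\Temp\dllh0st.exe"},
    {"name": "svchost.exe", "path": r"C:\WINDOWS\Temp\svchost.exe"},
    {"name": "notepad.exe", "path": r"C:\WINDOWS\system32\notepad.exe"},
]

if __name__ == "__main__":
    for name, path, findings in scan(SAMPLE_PROCESSES):
        print(f"{name:<14} {', '.join(findings):<22} {path}")
```

On the sample list this reports isass.exe and dllh0st.exe as lookalikes and the svchost.exe in \WINDOWS\Temp as running from the wrong folder, while the genuine lsass.exe and notepad.exe pass. The folder check is the one Mr Snrub's point makes important: on a running XP box, Windows File Protection and open handles make a malicious copy under a temp folder far more likely than an overwritten system32 binary.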
FishBowl Posted August 28, 2008 (edited)
On my machines at home, I am keeping system / applications and documents / downloads / recordings strictly separate, on different HDDs / partitions.
I am making image backups of the relatively small system partition(s) every couple of days, onto two big mobile HDDs, alternating those. And I even have a spare machine, almost similar hardware. Just in case...
I am using Ghost 7.5 from inside of Win98SE (+NUSB) to write the images. Around five to ten minutes for an OS.
Worst case, I could take the mobile (IDE) disk out of its case and connect it directly to the board.
Then MS-DOS and Ghost are enough to write back.
Similar would also work with my old Knoppix LiveCD 3.4 and partimage, instead of '98, for example.
Anyway, taking care and having a nice HW firewall protected me pretty well during the past years, so system reconstruction never was required to remove malware but only to move to bigger disks or to repair human mishaps and failing experiments.
Edited August 28, 2008 by FishBowl
mraeryceos (Author) Posted August 29, 2008
FishBowl, I follow a similar backup strategy. I also have separate data and system partitions :-) My challenge is for systems you get that haven't had that preparation.
Does anyone know which files are present on every installation of Win XP SP2? I may test if I find time. Instead I keep hoping someone has already done it!
DigeratiPrime Posted August 30, 2008
Malware, such as rootkits, can patch actual Windows binaries so they cannot be detected by API calls. You would have to verify the digital signatures, probably mounted offline, on the files to ensure they are authentic. While the new KPP in Vista x64 helps prevent this, it's not impossible.
http://en.wikipedia.org/wiki/Kernel_Patch_Protection
mraeryceos (Author) Posted August 31, 2008
> Malware, such as rootkits, can patch actual Windows binaries so they cannot be detected by API calls. You would have to verify the digital signatures, probably mounted offline, on the files to ensure they are authentic.
Do all files have digital signatures? Even driver files? Because even if all Windows XP SP2 files are the same, the driver files will be different for every computer, and the virus may have put itself in as a driver.
1. Overwrite all standard WinXP SP2 files with originals
2. Rename all extraneous files
3. What to do about driver files???
Can a standard set of driver files be used, that will allow the system to boot, so that you could reinstall drivers to non-infected versions?
You know... if you delete the boot.ini file and other root files, then rename the Windows, "Program Files", and "Documents and Settings" folders, you can do a blank install of Windows. This would ensure all the files that are needed for the computer are there...
Most people that have a virus would prefer their computers to be "fixed". They don't want a fresh install of Windows, because it means having to reinstall everything, import everything, change settings on everything... I am looking for a way to avoid this.
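The thread's idea of comparing a machine against the files common to every Windows XP SP2 installation, and DigeratiPrime's advice to verify files with the disk mounted offline, both reduce to checking an offline-mounted tree against a known-good baseline. The Python below is an added example, not code from any poster: it takes a SHA-256 manifest from a clean reference tree and reports which files in a suspect tree are modified, missing or extra. It uses file hashes rather than Authenticode signatures (signature checking needs Windows tooling, for instance PowerShell's Get-AuthenticodeSignature run against the mounted drive), and both trees are constructed in a temporary directory, so every path and file content is sample data. The step 3 problem above shows up directly: drivers and applications that are not in the baseline land in the "extra" list and still need separate judgment, which is why this reports rather than overwrites.

```python
"""Added example for this thread (not code from any poster): compare an
offline-mounted Windows tree against a SHA-256 manifest taken from a
known-clean installation and report modified, missing and extra files.
Both trees are constructed in a temporary directory; the file names and
contents are sample data chosen for the demonstration."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash one file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root (lower-cased, '/'-separated,
    since NTFS is case-insensitive) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/").lower()
            manifest[rel] = sha256_file(full)
    return manifest


def compare(baseline, suspect):
    """Return (modified, missing, extra) as sorted lists of relative paths.
    modified: present in both but with a different digest (patched binary)
    missing:  in the baseline but absent from the suspect tree
    extra:    in the suspect tree but unknown to the baseline (drivers,
              applications, and anything malware dropped)"""
    modified = sorted(p for p in baseline if p in suspect and suspect[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in suspect)
    extra = sorted(p for p in suspect if p not in baseline)
    return modified, missing, extra


def write_tree(root, files):
    """Create the sample files under root from a {relative path: bytes} dict."""
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)


def demo():
    """Build a constructed clean tree and a constructed suspect tree, then compare."""
    clean = {  # stand-in for files from a clean install of the same SP level
        "windows/system32/lsass.exe": b"clean lsass image",
        "windows/system32/dllhost.exe": b"clean dllhost image",
        "windows/explorer.exe": b"clean explorer image",
    }
    suspect = dict(clean)
    suspect["windows/system32/dllhost.exe"] = b"patched dllhost image"     # modified
    del suspect["windows/explorer.exe"]                                     # missing
    suspect["windows/system32/drivers/unknown.sys"] = b"driver not in baseline"  # extra
    suspect["windows/system32/isass.exe"] = b"lookalike binary"             # extra
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = os.path.join(tmp, "clean")
        suspect_root = os.path.join(tmp, "suspect")
        write_tree(clean_root, clean)
        write_tree(suspect_root, suspect)
        baseline = build_manifest(clean_root)
        return compare(baseline, build_manifest(suspect_root))


if __name__ == "__main__":
    modified, missing, extra = demo()
    print("modified:", modified)
    print("missing: ", missing)
    print("extra:   ", extra)
```

For a real case the baseline has to come from a clean install at the same service-pack and patch level as the suspect machine, because every hotfix changes the digests of the files it replaces; with a mismatched baseline the "modified" list is mostly noise. The hash manifest is the offline analogue of DigeratiPrime's point: it is computed from the disk, not through the running system's API calls, so a rootkit hooking those calls cannot influence the result.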
jcarle Posted August 31, 2008 (edited)
You should really refer to the video I posted in post #6 ( http://www.msfn.org/board/Can-malware-repl...453#entry791453 ). It explains a lot of methods that you can use to detect malware, even advanced malware like rootkits, as well as what you can do to remove it.
Edited August 31, 2008 by jcarle