Recently, I got a backdoor (Backdoor.beastdoor.202) which shut down all my
defences: Zone Alarm, VirusScan, and the TC-Monitor & TC-Active modules of The
Cleaner from Moosoft. Those two didn't have time to alert me because they
were disabled before the Registry Run keys were modified!
I was alerted by ZALogPlus surveying ZoneAlarm! It popped up a window
saying that VSMON and ZAPro were stopped.
Then there was no way to run any antivirus or scanner except AdAware. Even the Windows
SFC.exe utility was disabled!
This kind of malware installs modules in several places, watching over
each other. The only way to get rid of them is to troubleshoot by yourself
from the safe mode of Windows, because it doesn't load the drivers nor the
programs launched through the run keys of the registry.
You have to remove all the occurrences at once. Otherwise, since the
modules are redundant, they restore themselves as soon as Windows is
launched in normal mode! @^@ !
The tools:
- The anti-xxx (with xxx = virus, trojan, malware, spyware, ...) of course.
- Windows "MSconfig.exe": as long as you know what programs are normally
launched, you can compare the list contents two or three times a week. Very
good for troubleshooting. It may reveal things not seen by antivirus. To
help you identify the malware among all the programs launched at start-up,
go to this site:
http://www.pacs-portal.co.uk/startup_pages/startup_full.php
or better, download
http://www.pacs-portal.co.uk/startup_pages/startups_all.zip.
http://www.answersthatwork.com/Tasklist_pages/tasklist.htm may also be
useful.
- "HiJackThis"
http://www.spywareinfo.com/~merijn/ : a good program that scans
your entire configuration. It lists everything which could contain
malware. Again, you need to establish a reference and then compare the scan
results to it. It complements the other tools.
- Windows "SFC.exe". I don't know how to use it efficiently because
every time you install a new program, you should launch it before the
installation, then after, and compare and register the new modules. Probably
very efficient but quite painful. Needs to be automated.
- "CWShredder"
http://www.spywareinfo.com/~merijn/ which detects hijacked
entries, especially when your browser home page is squatted. The remove
option runs without confirmation and cleans the hosts file if any, reducing it
to the first line only and the comments!!! Don't use this option!!!
So, should you use the hosts file to redirect IP addresses or domain names to
your local address to protect yourself against unwanted home calls or web
beacons, make a copy of the "hosts" file first!
- "ACDSee" (yes! this isn't a mistake): it allows you to browse the Windows system
directories quickly and in detail. Use an old 3.x version. New ones (4.x,
5.x, 6.x) don't unhide all the information. Point it at the Windows directory and
explore the file pane for the system directories. Take care, they don't appear
in the directory tree.
With it you can see, for example, porn diallers installed within Windows
Downloaded files or inside the trash can, and it's also easy to browse the
history and the cache. You can even repair the recycle bin. Antivirus programs don't
ring on porn diallers.
- "Cookie editor"
http://www.proxoft.com/cookieEditor.asp or "Cookie Pal"
http://www.kburra.com/ are good for managing cookies. Cookie Pal also protects
your computer while browsing.
- "The Cleaner" from Moosoft
http://www.moosoft.com/thecleaner/, I love it!
It's rather light; two modules (TCActive & TCMonitor) are resident. You're
alerted as soon as trojans modify Autoexec.bat, Config.sys, Win.ini,
System.ini or the registry's run keys. You can also scan directories or
disks on demand, even on a network. Don't forget to update the
signatures.
- "Zone Alarm" from
http://www.zonelabs.com/ . In addition to the firewall
functions, it filters incoming e-mail attachments. More than 35
extensions are filtered. Lots of trojans or backdoors are installed through
mail attachments, automatically if you aren't protected enough or by
manually launching an infected file. With ZA, the risks are drastically
reduced. To check the firewall's efficiency,
http://scan.sygate.com/ offers
a set of tests.
- "Ad Aware", launched two or three times a month, finds some peculiar files.
Mainly spyware. You need to update the signatures on a regular basis.
- I recently discovered another protection hole with files having a
malformed extension. Unwanted HTA code may be executed on your computer. The
results are numerous: disk formatting, repartitioning, file erasing, ...
everything might be envisaged. I simply deleted Win\System\mshta.exe. If
needed I'll restore it from the CD-ROM! Have a look at this page:
http://www.trojanscan.com/emailsecuritytest/
- Online antivirus scanning. My preference goes to "RAV online"
http://www.ravantivirus.com/scan/.
Have also a look at this page. It describes several backdoor mechanisms,
some of them shutting down the protections.
http://www.spywareinfo.com/~merijn/cwschronicles.html
Good luck
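The "establish a reference, then compare" routine described above for MSconfig and HiJackThis can be automated for the registry Run keys the backdoor modified. This is an added example, not code from the post or from any of the tools it names; it assumes a Python interpreter on the Windows machine and a baseline file path of your choosing (run it once with `baseline` to save the reference, then periodically with `check`).

```python
"""Snapshot the Windows Run/RunOnce registry keys and diff them against a saved baseline."""
import json
import sys
from pathlib import Path

# The registry Run keys that the backdoor in the post modified (assumed standard locations).
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]


def collect_run_entries():
    """Return {"ROOT\\path\\valuename": command} for every value under the Run keys (Windows only)."""
    import winreg  # standard library, but only importable on Windows
    roots = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = {}
    for root, path in RUN_KEYS:
        try:
            key = winreg.OpenKey(roots[root], path)
        except OSError:
            continue  # key absent on this system
        with key:
            index = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, index)
                except OSError:
                    break  # no more values
                entries[f"{root}\\{path}\\{name}"] = str(value)
                index += 1
    return entries


def diff_entries(baseline, current):
    """Compare a current snapshot against the reference; returns (added, removed, changed)."""
    added = {k: v for k, v in current.items() if k not in baseline}
    removed = {k: v for k, v in baseline.items() if k not in current}
    changed = {k: (baseline[k], current[k]) for k in baseline if k in current and baseline[k] != current[k]}
    return added, removed, changed


if __name__ == "__main__":
    mode, store = sys.argv[1], Path(sys.argv[2])  # usage: script.py baseline|check C:\path\runkeys.json
    if mode == "baseline":
        store.write_text(json.dumps(collect_run_entries(), indent=2))
    else:
        added, removed, changed = diff_entries(json.loads(store.read_text()), collect_run_entries())
        for label, items in (("ADDED", added), ("REMOVED", removed), ("CHANGED", changed)):
            for name, value in sorted(items.items()):
                print(f"{label}: {name} = {value}")
```

Any ADDED or CHANGED line is a new program launched at start-up that was not in your reference; look it up in the startup lists linked above before deciding it is legitimate.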