Malware / Trojan / Virus Part Two
By Heather - Page 2
Success through ancient wisdom
Following instructions found on the Internet, I got hijackthis and ewido.
hijackthis was good at identifying dubious processes but stopping these made little impact. Ewido found everything it was supposed to but also didn't manage to get rid of the very last hostile process even after a few passes had been made and the PC rebooted several times. At this stage, the malware erupted into an explosion of endlessly replicating processes with silly names.
From the anti-virus program and Ewido logs, I identified the last unkillable process to be 'Nail.exe' in the windows/prefetch directory. Ewido kept killing it but it was able to instantly start itself off from another file. This suggests that the malware had a defence built into it which was doing something like "On deletion, copy the file to 'someotherdirectory/blah.exe' and run that. On deletion of 'blah.exe', copy it to 'Nail.exe' and run that again."
There genuinely seemed to be no way to get rid of Nail.exe. It was even totally blatantly obvious - all the protection programs were pointing at it but couldn't delete it.
On the "when all else fails, use the command line" principle, I used Run, then cmd, then a few old DOS commands to attack it.
First, dir blah*.* /s on every drive to find, and then del to delete, almost every rogue program that had been set up by the malware and identified by the AV software. This had no impact on Nail.exe.
I checked its attributes with attrib na*.* from the directory I found it in. I tried to take off all system, read-only, hidden attributes but it still wouldn't let itself be destroyed.
This is the bit where old DOS knowledge was the answer (confirmed ten minutes later by a post on a bulletin board that advised the same thing).
Take an innocuous text file and overwrite Nail.exe by using copy innocuoustextfile.txt Nail.exe.
Do this to every manifestation of Nail.exe you can spot using dir Nai*.* /s.
Reboot and run Ewido, hijackthis, your AV program etc. to make sure it's not hiding in the registry. You can fix the registry and any stray attempts to run it again at a leisurely pace. Even if it tried to run, it will just find a non-executable and stop.
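The three steps above, written up as an added batch script for cmd.exe (this is not the author's own code): it assumes the rogue file is called Nail.exe and lives somewhere on drive C:, creates its own harmless filler text file, and checks that each copy it overwrites is no longer an executable.

```batch
@echo off
setlocal
rem Added example, not from the original post. Automates the steps above:
rem find every copy of the named file on one drive, strip its system, hidden
rem and read-only attributes, overwrite it with a plain text file, and report.
rem The target name and drive letter are assumptions; change them to suit.
set "TARGET=Nail.exe"
set "DRIVE=C:"
set "FILLER=%TEMP%\innocuoustextfile.txt"

rem Constructed filler: a few bytes of text that cannot execute.
> "%FILLER%" echo This file deliberately contains no executable code.

rem for /r walks every directory under DRIVE. A plain name in the set is
rem produced for every directory whether or not it exists, so the
rem "if exist" test filters the list down to real files.
for /r %DRIVE%\ %%F in (%TARGET%) do if exist "%%F" call :neutralise "%%F"

echo Done. Reboot, then rerun the scanners to catch registry entries that
echo still point at %TARGET%.
endlocal
exit /b 0

:neutralise
echo Found: %~1
rem Same as the manual step: clear attributes that block the overwrite.
attrib -s -h -r "%~1"
copy /y "%FILLER%" "%~1" >nul
if errorlevel 1 (
    rem A sharing violation here usually means the process is still running.
    rem End it first with tasklist and taskkill, then run this script again.
    echo   FAILED to overwrite %~1
    exit /b 1
)
rem Verify: the file should now be exactly the size of the filler text.
for %%A in ("%~1") do for %%B in ("%FILLER%") do (
    if %%~zA EQU %%~zB (echo   overwritten, now %%~zA bytes of text) else (echo   size mismatch, check by hand)
)
exit /b 0
```

Run it from an elevated command prompt; any copy that is still locked by a running process is reported as FAILED rather than silently skipped.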
Happy ending
The hard disks were saved. I had to bite the bullet and buy a new motherboard/CPU/different RAM/box with a stronger PSU. (Cost about £300 and I couldn't afford the black one with flashing lights that looks like the helmets the robots used to wear in Battlestar Galactica.) I learned I really had to use a firewall and update my AV, I learned to be more careful about downloading and proved that extinct knowledge might still be useful. I also got to visit a lot of brilliant sites and forums with advice on how to deal with malware and lists of what you should look out for.