Tutorials This section offers tutorials and How to's on just about anything related to computers and IT. Note: All tutorials are courtesy the posters and not verified by Digit


Old 20-01-2007, 09:47 PM   #1 (permalink)
Fresh Stock Since 2005
 
Join Date: Feb 2005
Posts: 1,015
Default How to deal smartly deal with a smart virus\trojan\malware!!


How to deal smartly with a smart virus\trojan\malware!!

Hello People....
A tutorial in a long time from me!!

Hope it will be helpful.

How many times have you faced the problem of viruses? Maybe many times.
You may have one of the best antivirus installed but many antivirus programs cannot detect and/or remove all the viruses. You feel worst when the antivirus detects the virus but cannot remove it coz it is already running. So what will you do? Yeah, a bootable recovery CD helps a lot but what if you don't have it ready? Let's discuss that.

Let me explain what we are discussing here in detail. You have a virus\trojan\malware\spyware in your computer and your antivirus\antitrojan\antispyware detects it but cannot remove it coz it is running. But it needs to be stopped coz it may do further harm.

Ok, so you will just open the task manager, search for the running process and end it then and there. Very smart of you. That's actually a good idea. But what if the malware has disabled the task manager?
Simple, just enable the task manager by saving the following file as somefile.reg and double clicking it and merging the data to the registry.

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:0

Ok, Ok. But what if the virus has disabled the registry tool too?

Simple, make a something.reg file with the following contents:

Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:0
"DisableRegistryTools"=dword:0

And then import it with the help of command "reg import something.reg".

Ok, smart enough. But what if the malware has disabled command prompt too?

Simple, use a third party registry editor and do the job.

Ok. But what if the malware is running and disables the task manager as soon as you enable it??

Use a third party task manager. Like "Process Explorer" from Sysinternals to kill it.

What if the process is locked and killing the process is not allowed even with Process Explorer??

Difficult?? Let me explain.

We will use a debugger for this purpose. And that debugger is none other than OllyDebug from www.OllyDebug.de
Open Olly and File>Attach then select the process which is the virus. Then the process will be paused. Great!!
Now, just Press Alt+F2 or Debug>Close. Done.

But what if multiple viruses are running and they start each other when one is stopped?

Open multiple instances of Olly and attach each virus separately all at once so that all processes will pause at once.
Then close each of them.

And then scan again with your antivirus and remove all the files and startup entries of the virus......


That's all for now....

If you don't understand anything, please PM me, but if you don't understand anything at all, don't bother.
__________________
http://www.khattam.info

Last edited by khattam_; 23-01-2007 at 05:31 PM.
khattam_ is offline  
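
An added example, not part of the original post: a PowerShell script that reports the two policy values from the tutorial, resets them to 0 when asked, and re-reads them after a short wait to catch the case above where something re-disables Task Manager as soon as it is enabled. The `-Fix` switch, the 5-second wait and the `DisableCMD` entry (the value written by the "Prevent access to the command prompt" policy) are assumptions added here.

```powershell
# Added example: audit the per-user policy values the tutorial resets by hand.
# Read-only by default; pass -Fix to write 0 into any value that is non-zero.
param([switch]$Fix)

$sysPolicy = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Path = $sysPolicy; Name = 'DisableTaskMgr' },
    @{ Path = $sysPolicy; Name = 'DisableRegistryTools' },
    # Assumption (not on the page): command prompt policy value
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD' }
)

function Get-PolicyValue($Path, $Name) {
    # Returns $null when the key or the value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$reset = @()
foreach ($c in $checks) {
    $label = '{0}\{1}' -f $c.Path, $c.Name
    $value = Get-PolicyValue $c.Path $c.Name
    if ($null -eq $value -or $value -eq 0) {
        Write-Output "OK       $label"
        continue
    }
    Write-Output "BLOCKED  $label = $value"
    if ($Fix) {
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value 0 -Type DWord
        $reset += $c
    }
}

if ($reset.Count -gt 0) {
    # Give a still-running process time to put the restriction back
    Start-Sleep -Seconds 5
    foreach ($c in $reset) {
        $label = '{0}\{1}' -f $c.Path, $c.Name
        $value = Get-PolicyValue $c.Path $c.Name
        if ($null -ne $value -and $value -ne 0) {
            Write-Output "REAPPLIED $label = $value (a running process is rewriting it)"
        } else {
            Write-Output "CLEARED   $label"
        }
    }
}
```

A `REAPPLIED` line means the reset did not hold, which is the situation where the post moves on to a third-party task manager or a debugger to stop the process first.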

Old 22-01-2007, 07:03 PM   #2 (permalink)
Right Off the Assembly Line
 
Join Date: Nov 2006
Posts: 2
Default Re: How to deal smartly deal with a smart virus\trojan\malware!!

Well, this is a really great tutorial. Thanks a lot.
incription is offline  
Old 22-01-2007, 08:50 PM   #3 (permalink)
Google Bot
 
Pathik's Avatar
 
Join Date: Aug 2005
Posts: 9,772
Default Re: How to deal smartly deal with a smart virus\trojan\malware!!

If registry editing is disabled then you can't even import reg files....
So run "gpedit.msc" > user config > admin templates > system > prevent access to regedit > disabled..
Pathik is offline  
Old 22-01-2007, 11:23 PM   #4 (permalink)
TechTin.com
 
ravi_9793's Avatar
 
Join Date: Jun 2005
Location: www.TechTin.com
Posts: 4,090
Default Re: How to deal smartly deal with a smart virus\trojan\malware!!

very useful dude..
thanx
ravi_9793 is offline  
Old 23-01-2007, 01:34 AM   #5 (permalink)
In The Zone
 
ashisharya's Avatar
 
Join Date: Jan 2005
Location: Locating....Locating...Access Denied!!!
Posts: 410
Default Re: How to deal smartly deal with a smart virus\trojan\malware!!

gr8 tut
__________________
To follow the path:
look to the master,
follow the master,
walk with the master,
see through the master,
become the master. -Zen
ashisharya is offline  
All times are GMT +5.5.