Viral Processes CANNOT be terminated



MattInLA
2006-11-15, 19:38
Hi, I have been doing quite a lot of research in viral cleanout products including Spybot. I have disinfected many, many computers of some really nasty bugs and I have to say this: the blanket claim that viral cleanout programs can remove active trojan processes and then clear the virus/trojan is erroneous.

I have run Spybot and many of these against trojans like Zlob.incodec (as well as a number of others) which install regenerative viral processes that CANNOT be terminated in safe mode, in normal mode, system restore off, etc. Their registry entries cannot be removed because these processes monitor absolutely EVERYTHING, or regenerate themselves through child viral processes, or they hook winlogon or explorer. I have used advanced process terminators, Sysinternals process terminators, I have terminated threads, and NONE of these techniques work, and obviously Spybot and others out there are using similar techniques that DO NOT WORK on these regenerating viral processes.

The ONLY way I have seen, which is used by specific cleaners like COMBOFIX, is to use a delete-on-reboot methodology (after killing explorer itself!), which I have not seen in any general cleaners. (The other guaranteed fix is to use a UBCD4WIN boot disk and delete the offending files remotely.)

So the question to you technical Spybot people out there is: 1) what is your response to this? 2) why do you not go back and check the registry entry that was to be deleted (you would see it has been regenerated) and therefore flag these files for delete on reboot or put up a message? Hmmmm? Unless I am missing something here....
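An added example, not from this thread or from Spybot's own code: a PowerShell sketch of the re-check-then-delete-on-reboot flow the post describes, using the documented MoveFileEx MOVEFILE_DELAY_UNTIL_REBOOT flag and the PendingFileRenameOperations value it writes. The file path, Run key and value name are constructed sample values.

```powershell
# Added example (not from the thread): re-check a removal and, if the file
# or registry value came back, queue the file for deletion at next boot.
# Paths and value names below are constructed samples.
$Kernel32 = Add-Type -Name 'Kernel32' -Namespace 'Win32' -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string src, string dst, int flags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # documented MoveFileEx flag

function Test-RemovalStuck {
    param([string]$FilePath, [string]$RegKey, [string]$RegValue)
    Start-Sleep -Seconds 5   # give a watchdog/child process time to regenerate
    $fileBack = Test-Path -LiteralPath $FilePath
    $valueBack = $false
    $item = Get-ItemProperty -LiteralPath $RegKey -ErrorAction SilentlyContinue
    if ($item) { $valueBack = $null -ne $item.PSObject.Properties[$RegValue] }
    [pscustomobject]@{ FileRegenerated = $fileBack; ValueRegenerated = $valueBack }
}

function Register-DeleteOnReboot {
    param([string]$FilePath)
    # Empty destination + MOVEFILE_DELAY_UNTIL_REBOOT records a delete under
    # HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations;
    # smss.exe applies it early in boot, before logon. Requires an elevated shell.
    $ok = $Kernel32::MoveFileEx($FilePath, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        throw "MoveFileEx failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
}

function Get-PendingFileRenames {
    # List what is already queued so the cleaner can confirm its own entry.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return @() }
    # REG_MULTI_SZ of source/destination pairs; an empty destination means delete.
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $dst = $ops[$i + 1]
        [pscustomobject]@{ Source = $ops[$i]; Destination = $dst; Action = $(if ($dst) { 'rename' } else { 'delete' }) }
    }
}

# Constructed sample: the loader a scanner reported and its Run value.
$file = 'C:\Windows\System32\example_codec.dll'
$check = Test-RemovalStuck -FilePath $file -RegKey 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -RegValue 'ExampleLoader'
if ($check.FileRegenerated -or $check.ValueRegenerated) { Register-DeleteOnReboot -FilePath $file }
Get-PendingFileRenames | Format-Table -AutoSize
```

Reviewing Get-PendingFileRenames output after scheduling also shows any delete or rename entries the cleaner did not create, which is worth a look on a machine with a self-restoring infection.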

MattInLA
2006-11-16, 08:35
Nobody has answered this.

spybotsandra
2006-11-16, 10:31
Hello,

Please download HijackThis: http://www.downloads.subratam.org/hijackthis.zip
Double-click HijackThis.exe.
Just start the program.
Hit Scan.
When the scan is finished, the "Scan" button will change into a "Save Log" button.
Please mail that log to our detectives at detections(at)spybot.info.

Best regards
Sandra
Team Spybot