
I fixed Malware attack, need to prevent [RESOLVED]


#1 gromittoo (New Member, 2 posts)
I received a malware attack on my home computer (Win2k Pro) at 8:16PM EDT, Friday 7/29. My wife was using the computer at the time of the attack, and I don't know how the infection occurred.

The computer was getting all sorts of Aurora Popups, and there was a 1800SearchAssistant tray icon.

I ran several Spyware removers (Yahoo, Search & Destroy, Adaware), but they could not remove some things. I did a search of all files that were created at 8:16 or 8:17PM on 7/29, and deleted them.

I started going through my task manager, and started googling all of the processes. I discovered there was a process that was a random name of 7 or 8 all lower case letters with ".exe". It didn't show any google matches. I searched my drive, and found the exe in the system32 directory.

I did properties on the .exe, and it had no information. I tried to delete it, but I couldn't. I did a terminate tree from task manager. I then went to delete the file, AND IT WAS GONE!

What happened next was interesting: I noticed a new executable in the Task manager, with a random name. I searched System32, and there it was, with a totally different file date.

I soon figured out what was happening, when that task receives the "Terminate Process" message, it renames itself to a new random name instead. It also changes all of the file dates to random values as well. It also creates a new key in the "Run" section of the registry, with a random name, that points to the new file name. What it doesn't do is change its file size: 83,456 bytes.

OK, so I figured this out, now how did I get rid of it? First I tried deleting the "run" key in the registry. I thought that I would reboot, and then delete any file that was 83,456 bytes in my System32 directory.

The registry key stayed deleted, but then I realized that during shutdown, the malware file would simply rename itself, and create a new "run" key!

The solution: Delete the "Run" key, and then unplug the computer. On the next boot, the malware EXE would not automatically run. I could then delete the malware exe.

MY QUESTION:
I already have been adding bogus IP addresses to my "hosts" file, to prevent Flash ads from soaking up all of my processor. Example:

0.0.0.0 view.atdmt.com

Prevents anything from downloading from that Web site (which happens to be some of the worst Macromedia crap around).

I remember reading somewhere of a list of Web addresses that would prevent some of the worst "downloader / Malware" programs from even downloading (which is what gave me the idea for blocking Macromedia ads without affecting the flash game web sites my 4 year old enjoys).

Does anyone know where I could find such a list?
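The hosts-file trick the poster describes (pointing a hostname at 0.0.0.0 so nothing can be fetched from it) is easy to get wrong when a downloaded blocklist is pasted in wholesale: duplicates pile up, list entries written for 127.0.0.1 get mixed with 0.0.0.0 ones, and a site the family actually wants can end up blocked. The script below is an added example, not code from this thread or from Geeks to Go: it merges a blocklist into an existing hosts file, keeps the existing entries (localhost included), skips malformed and duplicate names, and honours an allowlist so that, say, the flash game sites are never sinkholed. The hosts text, the blocklist lines and the `*.example-placeholder.test` names are all constructed samples; only `view.atdmt.com` is taken from the post above.

```python
"""Merge a malware-domain blocklist into a hosts file without clobbering it.

Added example, not code from the thread. The hosts text, the blocklist lines
and the allowlist are constructed samples; the *.example-placeholder.test
names are placeholders, not real ad or malware hosts.
"""
import ipaddress
import re

SINKHOLE = "0.0.0.0"  # unroutable target, as in the thread's view.atdmt.com entry

# One DNS label: letters/digits/hyphens, no leading or trailing hyphen, <= 63 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def valid_hostname(name):
    return len(name) <= 253 and not is_ip(name) and HOSTNAME_RE.match(name) is not None


def parse_hosts(text):
    """Return {hostname: ip} for every well-formed line; comments and junk are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or not is_ip(parts[0]):
            continue  # malformed line: ignore rather than abort the merge
        for host in parts[1:]:
            mapping.setdefault(host.lower(), parts[0])
    return mapping


def blocklist_name(line):
    """Normalise one blocklist line: accepts 'host', '0.0.0.0 host' or '127.0.0.1 host'."""
    tokens = line.split("#", 1)[0].split()
    return tokens[-1].lower() if tokens else ""


def merge_blocklist(hosts_text, blocklist, allowlist=()):
    """Return (new_hosts_text, added, skipped).

    Existing entries are kept verbatim. A name is skipped, with a reason, when
    it is malformed, already present under any address, matches (or is a
    subdomain of) an allowlist entry, or repeats an earlier blocklist line.
    """
    existing = parse_hosts(hosts_text)
    allow = tuple(a.lower() for a in allowlist)
    added, skipped = [], []
    for line in blocklist:
        name = blocklist_name(line)
        if not name:
            continue
        if not valid_hostname(name):
            skipped.append((name, "malformed"))
        elif name in existing:
            skipped.append((name, "already present"))
        elif any(name == a or name.endswith("." + a) for a in allow):
            skipped.append((name, "allowlisted"))
        elif name in added:
            skipped.append((name, "duplicate in blocklist"))
        else:
            added.append(name)
    out = hosts_text.rstrip("\n") + "\n"
    if added:
        out += "\n# --- merged blocklist ---\n"
        out += "".join(f"{SINKHOLE} {name}\n" for name in added)
    return out, added, skipped


# Constructed sample data (Win2k keeps the real file under system32\drivers\etc).
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
0.0.0.0         view.atdmt.com    # the entry from the thread
"""
SAMPLE_BLOCKLIST = [
    "0.0.0.0 view.atdmt.com",                         # already present
    "ads.example-placeholder.test",                    # bare hostname form
    "127.0.0.1 downloader.example-placeholder.test",   # 127.0.0.1-style list line
    "cdn.games.example-placeholder.test",              # subdomain of an allowlisted site
    "not_a_host!",                                     # malformed
    "ads.example-placeholder.test",                    # repeated in the list
]
ALLOWLIST = ["games.example-placeholder.test"]  # the sites that must keep working

if __name__ == "__main__":
    new_text, added, skipped = merge_blocklist(SAMPLE_HOSTS, SAMPLE_BLOCKLIST, ALLOWLIST)
    print(new_text)
    print("added:", added)
    print("skipped:", skipped)
```

Running the merge a second time over its own output adds nothing, so the same blocklist can be re-applied after an update without growing the file. Writing the result back to the live hosts file is left out on purpose; on Windows 2000 that file sits in `system32\drivers\etc` and should be edited from an administrator account with a backup copy kept first.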


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Are you sure you don't want us to take one quick look at your HijackThis log?

If so, then you may just get the spyware preventions tools below.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

What you are looking for is the HOSTS file (which is also mentioned in the above site).

Any other problems/questions before I close this topic?

#3 gromittoo (Topic Starter, New Member, 2 posts)
Thanks for the links.

I can't give you a relevant HijackThis log, since the infected (and now repaired) computer is at home, and I am at work. I was browsing during lunch on my computer at work, looking for more details of "aurora" and "1800searchsolutions" malware when I found your site. I decided to post my experience, in case it would help others. This is the worst Malware tactic I have personally experienced.

I looked at several of the HijackThis logs of other user posts, which looked like they too could be infected by this same "randomly named" and "randomly dated" executable in the System32 directory. The key features are:
1) the file is 83,456 bytes
2) the exe name is all lower case
3) the exe appears in the task list
4) a randomly named key appears under the "run" key in the registry (with an argument of "r").

As for the "hosts" file, I know of the location of the file. I was hoping to find entries to add to my list. I think it was on Cnet, where I saw the suggestion to add "0.0.0.0" entries to prevent downloading of malware.
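The four features listed in the post above are a usable detection signature precisely because the malware randomises the things people normally key on (file name, file date, Run value name) but not the ones it cannot easily change (its size, the directory it lives in, the single "r" argument, and the fact that it must be running). The script below is an added example, not code from this thread or from Geeks to Go: it scores each Run-key value against those indicators and reports only entries that hit several of them, so a legitimate program that merely happens to be 83,456 bytes is not flagged on size alone. All input is constructed sample data (a fake System32 listing, a fake process list and fake Run values, with `qwertyuk.exe` standing in for the random name); in practice the same functions would be fed a real directory listing, the task list and the contents of the Run key.

```python
"""Triage Run-key entries against the indicators described in this thread.

Added example, not code from the thread. Everything below runs on constructed
sample data so it can be read offline; the file names, sizes, process list and
Run values are invented for illustration (qwertyuk.exe stands in for the
randomly generated name the poster saw).
"""
import re

INDICATOR_SIZE = 83_456                               # the one attribute the malware never changed
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,8}\.exe$")     # 7 or 8 lowercase letters, as observed
SYSTEM32 = r"c:\winnt\system32"                       # Windows 2000 path; XP and later use c:\windows\system32


def split_command(cmd):
    """Split a Run value into (exe_path, args); handles a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd.strip('"'), []
        return cmd[1:end], cmd[end + 1:].split()
    parts = cmd.split()
    return (parts[0], parts[1:]) if parts else ("", [])


def check_run_entry(command, files, running):
    """Return the list of indicators one Run value matches.

    files:   {lowercase full path: size in bytes}  (a directory listing)
    running: set of lowercase image names from the task list
    """
    path, args = split_command(command)
    path = path.lower()
    base = path.rsplit("\\", 1)[-1]
    hits = []
    if files.get(path) == INDICATOR_SIZE:
        hits.append("size_83456")
    if path.startswith(SYSTEM32 + "\\") and RANDOM_NAME_RE.match(base):
        hits.append("random_lowercase_name_in_system32")
    if base in running:
        hits.append("process_running")
    if [a.lower() for a in args] == ["r"]:
        hits.append("argument_r")
    return hits


def scan(run_values, files, running, min_hits=3):
    """Return [(value_name, exe_path, hits)] for Run entries with >= min_hits indicators."""
    found = []
    for name, command in run_values.items():
        hits = check_run_entry(command, files, running)
        if len(hits) >= min_hits:
            found.append((name, split_command(command)[0].lower(), hits))
    return sorted(found, key=lambda t: -len(t[2]))


# Constructed sample data: paths, sizes and value names are invented.
SAMPLE_FILES = {
    r"c:\winnt\system32\qwertyuk.exe": 83_456,     # stand-in for the randomly named file
    r"c:\winnt\system32\rundll32.exe": 10_000,     # size invented, not the real binary's
    r"c:\program files\vendor\agent.exe": 83_456,  # benign program that happens to share the size
}
SAMPLE_RUNNING = {"qwertyuk.exe", "rundll32.exe", "explorer.exe"}
SAMPLE_RUN = {
    "gsdlkjqw": r"c:\winnt\system32\qwertyuk.exe r",           # random value name, argument "r"
    "Agent": r'"c:\program files\vendor\agent.exe" /start',    # quoted path, different argument
    "Synchronization": r"c:\winnt\system32\rundll32.exe vendor.dll,Start",
}

if __name__ == "__main__":
    for value_name, exe_path, hits in scan(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_RUNNING):
        print(f"{value_name}: {exe_path}  [{len(hits)} indicators: {', '.join(hits)}]")
```

With the sample data only the `gsdlkjqw` entry reaches the threshold (all four indicators); the vendor agent matches on size alone and `rundll32.exe` only on being a running process, so neither is reported. An entry that does score three or four is exactly the case the poster handled by removing its Run value and powering the machine off rather than shutting down cleanly, so that the file gets no chance to rename itself and re-register.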

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yes, it is the hosts file. I have a link to one of the customized hosts file which you may use. Just add it to your list and it will provide more protection.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.