The computer was getting all sorts of Aurora Popups, and there was a 1800SearchAssistant tray icon.
I ran several Spyware removers (Yahoo, Search & Destroy, Adaware), but they could not remove some things. I did a search of all files that were created at 8:16 or 8:17PM on 7/29, and deleted them.
I started going through my Task Manager, and started googling all of the processes. I discovered there was a process that had a random name of 7 or 8 all lower case letters with ".exe". It didn't show any Google matches. I searched my drive, and found the exe in the System32 directory.
I did properties on the .exe, and it had no information. I tried to delete it, but I couldn't. I did a terminate tree from Task Manager. I then went to delete the file, AND IT WAS GONE!
What happened next was interesting. I noticed a new executable in the Task Manager, with a random name. I searched System32, and there it was, with a totally different file date.
I soon figured out what was happening: when that task receives the "Terminate Process" message, it renames itself to a new random name instead. It also changes all of the file dates to random values. It also creates a new key in the "Run" section of the registry, with a random name, that points to the new file name. What it doesn't do is change its file size: 83,456 bytes.
OK, so I figured this out; now how did I get rid of it? First I tried deleting the "run" key in the registry. I thought that I would reboot, and then delete any file that was 83,456 bytes in my System32 directory.
The registry key stayed deleted, but then I realized that during shutdown, the malware file would simply rename itself, and create a new "run" key!
The solution: Delete the "Run" key, and then unplug the computer. On the next boot, the malware EXE would not automatically run. I could then delete the malware exe.
MY QUESTION:
I already have been adding bogus IP addresses to my "hosts" file, to prevent Flash ads from soaking up all of my processor. Example:
0.0.0.0 view.atdmt.com
Prevents anything from downloading from that Web site (which happens to be some of the worst Macromedia crap around).
I remember reading somewhere of a list of Web addresses that would prevent some of the worst "downloader / malware" programs from even downloading (which is what gave me the idea for blocking Macromedia ads without affecting the flash game web sites my 4 year old enjoys).
Does anyone know where I could find such a list?
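One way to maintain such a list in the hosts file, as an added example that is not part of the original post: a Python script that merges a downloaded blocklist (bare hostnames or "address hostname" lines) into an existing hosts file, mapping every new name to 0.0.0.0 as above, leaving existing lines untouched, and refusing to redirect localhost or anything that is not a valid hostname. The sample hosts text and blocklist (the example.net and example.org names) are constructed for illustration, and the function names are chosen here, not taken from any tool.

```python
import ipaddress
import re
SINKHOLE = "0.0.0.0"  # the post's convention: map blocked names to 0.0.0.0
HOSTNAME_RE = re.compile(  # labels of 1-63 chars, no edge hyphens, <= 253 total
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*$")
# Names that must never be redirected, whatever a downloaded list says.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

# Constructed sample inputs (hypothetical domains, not real blocklist data).
HOSTS_SAMPLE = "127.0.0.1 localhost\n0.0.0.0 view.atdmt.com  # flash ads\n"
BLOCKLIST_SAMPLE = ("# constructed list\n127.0.0.1 localhost\n"
                    "0.0.0.0 View.atdmt.com\nads.example.net bad.example.org\n"
                    "http://not-a-hostname.example/path\n")


def parse_hosts_line(line):
    """Return (address or None, [hostnames]); None for blank or comment-only lines."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    parts = body.split()
    try:
        ipaddress.ip_address(parts[0])
    except ValueError:
        return None, [p.lower() for p in parts]  # bare hostnames, blocklist style
    return parts[0], [p.lower() for p in parts[1:]]


def blocklist_names(blocklist_text):
    """Validated hostnames from a blocklist, in order, skipping local names and junk."""
    seen, out = set(), []
    for line in blocklist_text.splitlines():
        parsed = parse_hosts_line(line)
        for name in (parsed[1] if parsed else []):
            if name in seen or name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue
            seen.add(name)
            out.append(name)
    return out


def merge_hosts(hosts_text, blocklist_text, marker="# blocklist"):
    """Append new 0.0.0.0 entries under a marker; existing lines are left untouched."""
    present = set()
    for line in hosts_text.splitlines():
        parsed = parse_hosts_line(line)
        if parsed and parsed[0] is not None:  # only lines with a real address count
            present.update(parsed[1])
    new = [n for n in blocklist_names(blocklist_text) if n not in present]
    if not new:
        return hosts_text
    section = [marker] + [f"{SINKHOLE} {n}" for n in new]
    return hosts_text.rstrip("\n") + "\n" + "\n".join(section) + "\n"
```

Running `merge_hosts(HOSTS_SAMPLE, BLOCKLIST_SAMPLE)` keeps the two existing lines and appends only the two names not already mapped; running it again on the result changes nothing.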