Important: Fixing the unfixable virus/malware/trojan/adware

Post by bblesse » Fri, 13 Aug 2004 11:21:55


There is a new class of malware/adware/virus/trojan that is neither found nor
fixed using the conventional tools, such as Norton, McAfee, Lavasoft, etc.
It is based on a super hidden dll that is not detectable by the OS, even in
safe mode. A full discussion can be found at

http://www.yqcomputer.com/

including a link to a simple but effective tool called xfind.

http://www.yqcomputer.com/

Basically, this simple tool can search for files, but it reports the name of
the file that it cannot read. In my case it was comjiac.dll. That is the
malware executive that keeps reinfecting the machine. It is loaded from the
registry key under the AppInit_Dlls but that key remains invisible and
unreadable by inheriting the file permissions. Once you know the name from
xfind, you rename or delete using the repair console. Once the name has
changed, the registry key now appears with normal permissions and can be
deleted.

For those that are curious, Win2k and XP support file permissions that do
not let the file be read or modified by anyone including the OS itself. It is
super-super hidden, which is why the anti-virus programs cannot find it.
However, the registry console apparently does not consider file permissions
when doing simple operations such as dir, rename, or delete. xFind gives you
the name, the repair console allows you to kill it, and regedit allows you to
kill the load process.

My guess is that MS included this "feature" so that they could hide some
components of the OS from even the smartest computer reverse engineering. Now
it comes back to bite them big-time.
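The symptom described in the post (a DLL listed under AppInit_DLLs that Explorer, the shell and the anti-virus scanner can all see the name of but cannot open) can be checked for directly. The script below is an added example written for this page; it is not the xfind tool, nor code from the original poster. It reads the AppInit_DLLs value from both the native and the WOW6432Node key, resolves each listed DLL, and reports whether the file exists, whether the current account can open it for reading, and what its ACL looks like. It then does the xfind-style sweep: list every file under a directory and flag the ones that raise an access-denied error on open. Assumptions, labelled in the comments: a bare DLL name in the value is resolved from System32 (the loader uses the normal search order, so a name could resolve elsewhere), and the default sweep directory is System32. Run it from an elevated PowerShell prompt on Windows.

```powershell
# Added example for this page (not the original poster's code, not xfind).
# Audits the AppInit_DLLs load point and sweeps a directory for files that
# exist but cannot be opened for reading by the current account.

function Test-FileReadable {
    param([string]$Path)
    # Open with FileShare ReadWrite so a file merely in use by another
    # process does not show up as a false "unreadable".
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $fs.Close()
        return $true
    } catch [System.UnauthorizedAccessException] {
        return $false          # access denied: the case the post describes
    } catch {
        return $null           # other error (sharing violation, etc.)
    }
}

function Get-AppInitDllReport {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # The registry key itself may carry a restrictive ACL; show it too.
        try { $keyAcl = (Get-Acl -LiteralPath $key).AccessToString }
        catch { $keyAcl = "ACL not readable: $($_.Exception.Message)" }

        $props = Get-ItemProperty -LiteralPath $key
        $value = $props.AppInit_DLLs
        [PSCustomObject]@{ Key = $key; KeyAcl = $keyAcl;
                           LoadAppInit_DLLs = $props.LoadAppInit_DLLs
                           AppInit_DLLs = $value }
        if ([string]::IsNullOrWhiteSpace($value)) { continue }

        # The value is a list of DLL paths separated by spaces or commas.
        foreach ($dll in ($value -split '[ ,]+' | Where-Object { $_ })) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            if (-not [System.IO.Path]::IsPathRooted($path)) {
                # Assumption: resolve a bare name from System32.
                $path = Join-Path $env:SystemRoot "System32\$path"
            }
            $exists = Test-Path -LiteralPath $path
            $readable = if ($exists) { Test-FileReadable -Path $path } else { $null }
            $acl = 'n/a'
            if ($exists) {
                try { $acl = (Get-Acl -LiteralPath $path).AccessToString }
                catch { $acl = "ACL not readable: $($_.Exception.Message)" }
            }
            [PSCustomObject]@{ Dll = $dll; ResolvedPath = $path; Exists = $exists
                               Readable = $readable; Acl = $acl }
        }
    }
}

function Find-UnreadableFiles {
    # Assumption: System32 is the default sweep directory.
    param([string]$Root = (Join-Path $env:SystemRoot 'System32'))
    # -Force includes hidden and system files; the directory listing works
    # even when the file contents are protected, which is the xfind trick.
    Get-ChildItem -LiteralPath $Root -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            if ((Test-FileReadable -Path $file.FullName) -eq $false) {
                [PSCustomObject]@{ Path = $file.FullName; Length = $file.Length
                                   LastWrite = $file.LastWriteTime }
            }
        }
}

Get-AppInitDllReport | Format-List
Find-UnreadableFiles | Format-Table -AutoSize
```

Any entry with `Exists = True` and `Readable = False` is exactly the situation the post describes: the name is visible, the contents are not. A non-empty AppInit_DLLs value on a workstation deserves a look regardless, since the value is empty on a clean install. On Vista and later the `LoadAppInit_DLLs` value must be 1 for the list to be honoured, so a zero there means the entry is inert even if present; on Win2k and XP that value does not exist and the field will simply be blank.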