respawn process...how to kill !!!

Discussion in 'malware problems & news' started by SUPERIOR, Mar 20, 2010.

Thread Status:
Not open for further replies.
  1. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    i was wondering about this type of malware which uses respawning processes (persistence) ...i tried many ways to kill it but it still respawns itself
    is there any good tricky tool to help me with that?

    thanks in advance
     
  2. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Hi welcome to Wilders.

    If you could be more specific, and provide more info on the file etc, that's gonna better help us help you.

    What did you try to kill it with ?

    Where/how did you get it ?
     
  3. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    first, thanks CloneRanger for your quick response
    i guess it's a RAT file, like Bandook RAT. i ran it and nothing visible happened ...but when i ran Task Manager, i saw IE running invisibly -no GUI- ...and it was connecting to the internet, it was like it was sending data
    i tried to kill the process many times, but it still respawns itself over again
    i used many programs to kill it (Process Explorer NT, Gmer, Spyware Process Detector, AnVir Task Manager........) but all in vain ....so what do i have to do now?
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    We try :D

    Try a System Restore to before you were infected.

    If that doesn't work use MBAM http://www.malwarebytes.org/mbam.php

    Can you see it in Services and Drivers ? If so try to disable it/them for now.

    Then post back.

    Where/how did you get it ?
     
  5. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    thanks again for standing by me sir
    actually, i got it from a friend's flash memory :|
    i don't want to use antivirus tools, i want to learn how to deal with it manually or with expert tools ...if that's possible :)
    i want to face it, not get around it :D
    thanks again ...waiting for more tips or hints
     
  6. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    You can download Process Explorer and then right-click on the malware process, then use the Suspend option. Do the same for all the malware processes currently running. Once done, use the Kill option. That should allow you to end them. Before killing the processes, make a note of the location so that once the processes are killed you can delete the files from disk.
    You can always use the Verify Publisher option to find out which processes are legit.
    You can use Autoruns to delete any malicious autorun entries and services.
    I could go on but I feel that is enough for now.
     
  7. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    @lodore thanks for the hints, i will give it a try. as for the publisher option, i guess it's no longer useful, since some malware can use fake ones
    please lodore, you can go on, i would like to know all the possibilities there
    thanks for your support
     
  8. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
    sorry for the double post but the edit button doesn't work for me

    ok i tried your instructions @lodore but still the same problem

    i want to add one more thing: actually i got the name of the parent process which generates the other process .... i mean after i terminate the IE process there is another process called "Avira1" that runs, then runs IE again, and then terminates itself, and IE stays running
    Hope this makes things easier for you guys
     
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    Make a note of the name and location of the processes, then boot to Safe Mode (keep pressing F8 at boot time, then scroll up to Safe Mode and press Enter).
    Delete the offending files and use Autoruns to delete the autorun entries for them.
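    The suspend-all-then-kill procedure from post 6, applied to the watchdog pair described in post 8, as an added PowerShell example (not posted by anyone in the thread). It assumes the two process names SUPERIOR reported ("Avira1" and the hidden iexplore) and that you are running it elevated; NtSuspendProcess is the same ntdll call Process Explorer's Suspend option uses. The paths are recorded first so the files can be deleted from Safe Mode and their Autoruns entries removed afterwards.

```powershell
# Added example, not from the thread: freeze every process in the respawn set,
# then kill them, so the watchdog never gets a chance to relaunch its partner.
# Names come from post 8; replace them with what Process Explorer shows you.
$targets = @('Avira1', 'iexplore')

# NtSuspendProcess(HANDLE) from ntdll, the same primitive Process Explorer uses.
Add-Type -Namespace Win32 -Name NtDll -MemberDefinition @'
[DllImport("ntdll.dll")] public static extern int NtSuspendProcess(IntPtr hProcess);
'@

# 1. Collect every instance up front and record paths BEFORE anything is killed;
#    a terminated process no longer tells you where its image lived.
$procs = @(Get-Process -Name $targets -ErrorAction SilentlyContinue)
if ($procs.Count -eq 0) { Write-Host 'No matching processes running.'; return }
$report = foreach ($p in $procs) {
    [pscustomobject]@{ Name = $p.ProcessName; PID = $p.Id; Path = $p.Path }
}
$report | Format-Table -AutoSize | Out-Host

# 2. Suspend ALL of them before touching any. A frozen watchdog cannot react
#    to its child dying, which is exactly what defeats the respawn loop.
foreach ($p in $procs) {
    try {
        $status = [Win32.NtDll]::NtSuspendProcess($p.Handle)
        if ($status -ne 0) {
            Write-Warning ('Suspend failed for PID {0}: NTSTATUS 0x{1:X8}' -f $p.Id, $status)
        }
    } catch { Write-Warning "Cannot open PID $($p.Id): $_" }
}

# 3. Now terminate the whole set; nothing in it can respond any more.
$procs | Stop-Process -Force -ErrorAction SilentlyContinue

# 4. Verify. If something comes back, a parent outside $targets is doing the
#    relaunching: its ParentProcessId points at it (Get-WmiObject on old PS).
Start-Sleep -Seconds 3
$left = @(Get-Process -Name $targets -ErrorAction SilentlyContinue)
if ($left.Count -gt 0) {
    Write-Warning 'Still respawning; add the parent shown below to $targets and rerun.'
    foreach ($p in $left) {
        Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)" |
            Select-Object Name, ProcessId, ParentProcessId, ExecutablePath
    }
} else {
    Write-Host 'All targets gone. Delete these files from Safe Mode, then check Autoruns:'
    $report.Path | Where-Object { $_ } | Sort-Object -Unique
}
```

    Run it from an elevated PowerShell; if the hidden IE is actually a renamed copy or the real iexplore.exe started with a malicious command line, the ExecutablePath and CommandLine columns of Win32_Process tell the two apart.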
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @SUPERIOR

    You should have said o_O
     
  11. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
  12. SUPERIOR

    SUPERIOR Registered Member

    Joined:
    Dec 10, 2007
    Posts:
    161
    Location:
    Syria
  13. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263