[gameprogrammer] Re: Victory! deleting porn

On Sunday 29 August 2004 05.24, grant hallman wrote:
> HAH! _GOT_ the SOB! :>

Congratulations! :-)


[...]
> After i had the big fat flag from filemon, i started comparing
> registry entries on my daughter's computer with entries on mine,

When the thing is started via a registry entry (there are other ways, 
unfortunately), you can usually find it by searching the registry for 
the file name.


[...]
> I deleted its registry entry, but i had to reboot in safe mode to
> delete the exe file itself. "Access Denied" is not something an o/s
> should _ever_ tell its administrator. BTW, does anyone know an
> easier way to delete a protected file?

Don't know if it's caused by malware or what, but some systems just 
refuse to start in safe mode, and realistically, it's not foolproof 
anyway...

There is another trick that seems to work most of the time, though: 
Change the file permissions to "write only" for some user (like the 
admin), and remove privileges for all other users completely. Then 
reboot. Without "execute" permissions, it takes more than a registry 
entry to load the file, so the malware can't load, and you can just 
delete the file.

In fact, you don't even have to figure out how the thing is started, 
since there's nothing left to start after the file is removed. 
Sometimes, the system will pop up a warning dialog that reveals what 
autostart method was used.

So far, I haven't seen anything that's smart enough to just restore 
the permissions when the system is shutting down.


//David Olofson - Programmer, Composer, Open Source Advocate

.- Audiality -----------------------------------------------.
|  Free/Open Source audio engine for games and multimedia.  |
| MIDI, modular synthesis, real time effects, scripting,... |
`-----------------------------------> http://audiality.org -'
   --- http://olofson.net --- http://www.reologica.se ---
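The permission trick described in the reply above, written out as an added PowerShell example (not from the original post or its author); it assumes an elevated shell, uses a placeholder path, and the function names are my own.

```powershell
# Added example, not from the original message. The path in the usage lines is a placeholder.
# Run from an elevated (Administrator) PowerShell on the affected machine.

# Step 1 (before reboot): replace the file's ACL with a single write-only entry for
# Administrators. With no Execute right, an autostart entry cannot load the file.
function Set-NoExecuteAcl {
    param([Parameter(Mandatory)][string]$Path)

    # If the file's owner or ACL blocks us ("Access Denied"), take it back first.
    # takeown and icacls are the stock Windows tools; both need an elevated shell.
    takeown /F $Path | Out-Null
    icacls $Path /grant "BUILTIN\Administrators:(F)" | Out-Null

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent folder and drop the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every remaining explicit entry, Allow and Deny alike.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    # 'Write' is the FileSystemRights Write flag: no ReadData, no ExecuteFile.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'Write', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Show the result so the operator can confirm only the one entry remains.
    (Get-Acl -LiteralPath $Path).Access |
        Format-Table IdentityReference, FileSystemRights, AccessControlType
}

# Step 2 (after reboot): confirm no process has the file mapped, then remove it.
function Remove-LockedFile {
    param([Parameter(Mandatory)][string]$Path)

    # Enumerating Modules throws for some protected processes; skip those.
    $holders = foreach ($p in Get-Process) {
        try { if ($p.Modules.FileName -contains $Path) { $p } } catch { }
    }
    if ($holders) {
        Write-Warning "Still loaded by: $($holders.Name -join ', '). Do not delete yet."
        return $false
    }
    # Write-only does not include Delete, so give Administrators full control back.
    icacls $Path /grant "BUILTIN\Administrators:(F)" | Out-Null
    Remove-Item -LiteralPath $Path -Force
    return -not (Test-Path -LiteralPath $Path)
}

# Usage (placeholder path): before reboot:  Set-NoExecuteAcl -Path 'C:\Windows\System32\suspect.exe'
#                           after reboot:   Remove-LockedFile -Path 'C:\Windows\System32\suspect.exe'
```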

