shanenin Posted April 11, 2008

I have lately been interested in the process different spyware removal tools use to delete certain files. I noticed smitfraudfix has process.exe packaged with it. Do you think it just suspends the process, then uses delete on reboot?

Combofix seems really powerful in deleting files running in memory. Do you guys have any idea on the mechanism it uses? I have seen in posts that you can specify specific files and folders using a text file called CFScript.txt. I am assuming that just tells Combofix the files it needs to delete, is that correct?

Andro1d Posted April 11, 2008

Yes, you are correct about the script. I am not exactly sure what techniques are used, but I do know a lot of the tools use a delete on reboot feature. That's about all I know.

jcl Posted April 11, 2008

> I have lately been interested in the process different spyware removal tools use to delete certain files. I noticed smitfraudfix has process.exe packaged with it. Do you think it just suspends the process, then uses delete on reboot?

If it does, you should find the to-be-deleted files in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations

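One way to read the value jcl points to, as an added example that is not part of any post in this thread. It assumes the usual layout of this REG_MULTI_SZ value: NUL-separated source/target pairs, an empty target meaning "delete at next boot", paths prefixed with `\??\`, and a leading `!` on targets that replace an existing file. The sample bytes and file names are constructed.

```python
from typing import NamedTuple

NT_PREFIX = "\\??\\"  # NT namespace prefix stored in front of each path


class PendingOp(NamedTuple):
    action: str    # "delete" or "rename"
    source: str
    target: str    # empty for a delete
    replace: bool  # target carried the "!" (replace existing) marker


def strip_nt(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(raw: bytes) -> list[PendingOp]:
    """Decode raw REG_MULTI_SZ bytes (UTF-16LE) into pending operations."""
    tokens = raw.decode("utf-16-le").split("\0")
    ops, i = [], 0
    while i < len(tokens):
        src = tokens[i]
        if not src:  # list terminator or padding, never a real source path
            i += 1
            continue
        dst = tokens[i + 1] if i + 1 < len(tokens) else ""
        replace = dst.startswith("!")
        dst = strip_nt(dst[1:] if replace else dst)
        action = "rename" if dst else "delete"
        ops.append(PendingOp(action, strip_nt(src), dst, replace))
        i += 2
    return ops


def build_sample() -> bytes:
    # Constructed sample value; every file name here is hypothetical.
    strings = [
        r"\??\C:\WINDOWS\system32\example1.dll", "",
        r"\??\C:\Temp\new.exe", r"!\??\C:\Program Files\App\app.exe",
        r"\??\C:\WINDOWS\example2.sys", "",
    ]
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


if __name__ == "__main__":
    for op in parse_pending_ops(build_sample()):
        print(op.action, op.source, "->", op.target or "(delete at boot)")
```

The parser works on raw bytes rather than a list of strings because the empty target strings are exactly what marks a delete, and they are lost if the value is split by a tool that drops empty entries.
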
shanenin Posted April 11, 2008

Next infected machine I come across, I will have to check that.

Samuel4u Posted May 20, 2008

I agree with jcl.