
I think I have virus after all....

 
   Game Forums (Home) -> Ultima -> Ultima Dragons RSS
Ashikaga

External


Since: May 11, 2004
Posts: 264



(Msg. 1) Posted: Thu Jan 10, 2008 11:26 pm
Post subject: I think I have virus after all....
Archived from groups: rec>games>computer>ultima>dragons

Hi, Sad

It's kinda weird and hard to believe. I think Hank has virus after all,
even though it has software's firewall and router's firewall....

I booted up my computer and found the task bar is all messed up....
Whoever did the intrusion just wanted to be known s/he exists. After years
of experience through having a job, I learned one thing dearly, human minds
can be very irrational especially one who is very predetermined to conduct
a crime. Perhaps my classes were dropped by the same person(s)?

Anyways, that aside, now onto the practical. What's the most certain way
to resecure the system? I tried to find you guys' recommendation for a
good anti-virus software. Found the old post about Symantec Anti-virus
Poly suggested (which must be bought in bulk, so that's out of the
question), and an old thread about erimess's computer being compromised.
And that's about it. Google group just isn't very good I think....

Any help would be very appreciated. Thanks!

--
Ashikaga -a29

Polychromic

External


Since: Oct 27, 2007
Posts: 359



(Msg. 2) Posted: Fri Jan 11, 2008 1:02 am
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

On Thu, 10 Jan 2008 23:26:59 GMT, Ashikaga <citizenashi.RemoveThis@hotmail.com>
wrote:

>Hi, Sad
>
>It's kinda weird and hard to believe. I think Hank has virus after all,
>even though it has software's firewall and router's firewall....
>
>I booted up my computer and found the task bar is all messed up....
>Whoever did the intrusion just wanted to be known s/he exists. After years
>of experience through having a job, I learned one thing dearly, human minds
>can be very irrational especially one who is very predetermined to conduct
>a crime. Perhaps my classes were dropped by the same person(s)?
>
>Anyways, that aside, now onto the practical. What's the most certain way
>to resecure the system? I tried to find you guys' recommendation for a
>good anti-virus software. Found the old post about Symantec Anti-virus
>Poly suggested (which must be bought in bulk, so that's out of the
>question), and an old thread about erimess's computer being compromised.
>And that's about it. Google group just isn't very good I think....
>
>Any help would be very appreciated. Thanks!

The most certain way? Zero the drive with something like DBaN
http://dban.sourceforge.net/, then reinstall the OS from scratch after
disconnecting your network cable. Install a good AV. Make sure the
firewall is working. Reconnect the network cable and update the OS and
AV. Restore from backups only files you are 100% certain are virus-free
and even then the AV scanner should be used on them first.

Most of the viruses I see these days are bot network worms or rootkit
types that try to hide from the OS. You can try and find them using a
clean boot. First pipe a list of all the files on the system drive to a
file while booted up normally. Then do a clean boot with your BartPE or
Linux disc. Pipe a list of all the files on the system drive to a file.
Compare the two lists. The differences will show the hidden files and
folders, but not the hidden registry entries. That takes additional
steps.

You might just want to run Mark Russinovich's tools accessenum and rootkit
revealer on your system to see what might be out of place.
>http://technet.microsoft.com/en-us/sysinternals/25e27bed-b251-4af4-b30a-c2a2a93a80d9.aspx?wt.svl=leftnav.aspx?wt.svl=leftnav

Another thing to do is to clear everything out of the \windows\prefetch
folder except layout.ini. Then reboot a few times and see if there are
any entries referencing files that you're not familiar with.
--
The Polychromic Dragon of the -=={UDIC}==-
Webpage http://macecil.googlepages.com/index.htm
RGCUD Dragon Gallery http://home.roadrunner.com/~rgcud/

Ashikaga

External


Since: May 11, 2004
Posts: 264



(Msg. 3) Posted: Fri Jan 11, 2008 9:28 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

Polychromic of the Cavern #50 howled:
> Ashikaga wrote:
>
>>Hi, Sad
>>
>>It's kinda weird and hard to believe. I think Hank has virus after all,
>>even though it has software's firewall and router's firewall....
>>
>>I booted up my computer and found the task bar is all messed up....
>>Whoever did the intrusion just wanted to be known s/he exists. After years
>>of experience through having a job, I learned one thing dearly, human minds
>>can be very irrational especially one who is very predetermined to conduct
>>a crime. Perhaps my classes were dropped by the same person(s)?
>>
>>Anyways, that aside, now onto the practical. What's the most certain way
>>to resecure the system? I tried to find you guys' recommendation for a
>>good anti-virus software. Found the old post about Symantec Anti-virus
>>Poly suggested (which must be bought in bulk, so that's out of the
>>question), and an old thread about erimess's computer being compromised.
>>And that's about it. Google group just isn't very good I think....
>>
>>Any help would be very appreciated. Thanks!
>
> The most certain way? Zero the drive with something like DBaN
> http://dban.sourceforge.net/, then reinstall the OS from scratch after
> disconnecting your network cable. Install a good AV. Make sure the
> firewall is working. Reconnect the network cable and update the OS and
> AV. Restore from backups only files you are 100% certain are virus-free
> and even then the AV scanner should be used on them first.

I'll try that as the last resort (I did reinstall and formatted HDD, just
not deep cleaning them yet). How to know if the firewall is working? I
can't seem to find the list of AV programs you recommended before through
googlegroup search.

> Most of the viruses I see these days are bot network worms or rootkit
> types that try to hide from the OS. You can try and find them using a
> clean boot. First pipe a list of all the files on the system drive to a
> file while booted up normally. Then do a clean boot with your BartPE or
> Linux disc. Pipe a list of all the files on the system drive to a file.
> Compare the two lists. The differences will show the hidden files and
> folders, but not the hidden registry entries. That takes additional
> steps.

That sounds like a lot of work. How to pipe all the file list?

> You might just want to run Mark Russinovich's tools accessenum and rootkit
> revealer on your system to see what might be out of place.
>>http://technet.microsoft.com/en-us/sysinternals/25e27bed-b251-4af4-b30a-c2a2a93a80d9.aspx?wt.svl=leftnav.aspx?wt.svl=leftnav

How to read the output? I have tons of files listed when I run accessenum
but I don't know what they mean.

Then I have this for my rootkit revealer:

HKLM\SECURITY\Policy\Secrets\SAC* 1/10/2008 10:52 PM 0 bytes Key name
contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 1/10/2008 10:52 PM 0 bytes Key name
contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Prefetcher\TracesProcessed 1/11/2008 1:11 PM 4 bytes Data
mismatch between Windows API and raw hive data.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\4L6Z45UB\bullet[1] 1/11/2008 1:15 PM 3.09 KB Hidden from
Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\4L6Z45UB\httpErrorPagesScripts[1] 1/11/2008 1:15 PM 7.40
KB Hidden from Windows API.
C:\Documents and Settings\...s\Temporary Internet
Files\Content.IE5\4L6Z45UB\navcancl[1] 1/11/2008 1:15 PM 2.65 KB Hidden
from Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\KTQRSL2V\background_gradient[1] 1/11/2008 1:15 PM 453
bytes Hidden from Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\KTQRSL2V\ErrorPageTemplate[1] 1/11/2008 1:15 PM 2.12 KB
Hidden from Windows API.
C:\Documents and Settings\...s\Temporary Internet
Files\Content.IE5\S56NOXQV\errorPageStrings[1] 1/11/2008 1:15 PM 850 bytes
Hidden from Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\S56NOXQV\info_48[1] 1/11/2008 1:15 PM 6.83 KB Hidden from
Windows API.

> Another thing to do is to clear everything out of the \windows\prefetch
> folder except layout.ini. Then reboot a few times and see if there are
> any entries referencing files that you're not familiar with.

I'm going to try this one. Again, thanks. I still think it's easier to
live close to you so you can come over and diagnose instead of me knowing
next to nothing and do all these without even knowing if I am doing it
right.... But then, I am probably demanding too much....

--
Ashikaga -a29
CK

External


Since: Aug 02, 2007
Posts: 89



(Msg. 4) Posted: Fri Jan 11, 2008 11:14 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

Words to the wise, Ashikaga <citizenashi.DeleteThis@hotmail.com> wrote:

>Hi, Sad
>
>It's kinda weird and hard to believe. I think Hank has virus after all,
>even though it has software's firewall and router's firewall....

Firewalls only block ports. Some embedded code in some mail or even a
website is sufficient.

--
Claus Dragon <clauskick.DeleteThis@mpsahotmail.com>
=(UDIC)=
d++ e++ T--
K1!2!3!456!7!S a29
"Coffee is a mocker. So, I am going to mock."

- Me, lately.
Polychromic

External


Since: Oct 27, 2007
Posts: 359



(Msg. 5) Posted: Sat Jan 12, 2008 1:00 am
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

On Fri, 11 Jan 2008 21:28:37 GMT, Ashikaga <citizenashi DeleteThis @hotmail.com>
wrote:

>Polychromic of the Cavern #50 howled:
>> Ashikaga wrote:
>>
>>>Hi, Sad
>>>
>>>It's kinda weird and hard to believe. I think Hank has virus after all,
>>>even though it has software's firewall and router's firewall....
>>>
>>>I booted up my computer and found the task bar is all messed up....
>>>Whoever did the intrusion just wanted to be known s/he exists. After years
>>>of experience through having a job, I learned one thing dearly, human minds
>>>can be very irrational especially one who is very predetermined to conduct
>>>a crime. Perhaps my classes were dropped by the same person(s)?
>>>
>>>Anyways, that aside, now onto the practical. What's the most certain way
>>>to resecure the system? I tried to find you guys' recommendation for a
>>>good anti-virus software. Found the old post about Symantec Anti-virus
>>>Poly suggested (which must be bought in bulk, so that's out of the
>>>question), and an old thread about erimess's computer being compromised.
>>>And that's about it. Google group just isn't very good I think....
>>>
>>>Any help would be very appreciated. Thanks!
>>
>> The most certain way? Zero the drive with something like DBaN
>> http://dban.sourceforge.net/, then reinstall the OS from scratch after
>> disconnecting your network cable. Install a good AV. Make sure the
>> firewall is working. Reconnect the network cable and update the OS and
>> AV. Restore from backups only files you are 100% certain are virus-free
>> and even then the AV scanner should be used on them first.
>
>I'll try that as the last resort (I did reinstall and formatted HDD, just
>not deep cleaning them yet). How to know if the firewall is working? I
>can't seem to find the list of AV programs you recommended before through
>googlegroup search.

Well for free there is AVG, http://free.grisoft.com
and Avast!, http://www.avast.com/eng/avast_4_home.html

I think Eset's NOD32 is probably the best paid one
http://www.eset.com/
but Kaspersky isn't too bad (getting bloaty though).
http://www.kaspersky.com/

Of course, if you just want to submit one suspect file at a time you can
do that with http://www.virustotal.com and that site will submit the file
to a whole bunch of AV vendors at once.

>> Most of the viruses I see these days are bot network worms or rootkit
>> types that try to hide from the OS. You can try and find them using a
>> clean boot. First pipe a list of all the files on the system drive to a
>> file while booted up normally. Then do a clean boot with your BartPE or
>> Linux disc. Pipe a list of all the files on the system drive to a file.
>> Compare the two lists. The differences will show the hidden files and
>> folders, but not the hidden registry entries. That takes additional
>> steps.
>
>That sounds like a lot of work. How to pipe all the file list?

Not much work really.
1. From inside the suspect system boot drive (the c:> prompt) issue the
commands:
"dir /s /b /ah > c:\inhid.txt"
and
"dir /s /b /a-h > c:\innothid.txt"

(You can substitute a: or another drive letter instead of c: of course.)
This makes a list of all files including the hidden ones (inhid.txt) and
all the files not including the hidden ones (innothid.txt). If there is a
rootkit at work, it won't be listed in this step.

2. Then we boot to a clean CD like WinPE, BartPE or a Linux boot disc and
run those same commands on the infected drive. Use different file names
for the output like outhid.txt and outnthid.txt. Smile

3. So after issuing the same pair of commands you now have 4 files. By
using a comparison program like WinDiff or Beyond Compare you can see if
there are any rootkit files present in the second set of file lists that
have tried to hide themselves from the system.

4. That way you can delete or rename at least, those suspect files. Don't
rename driver files in the \windows\system32\drivers folder without first
removing the references to them from the registry or you'll likely get a
BSOD when you try to boot up.

Of course, if there is a piece of malware that doesn't hide itself it
could still be active and recreate the rootkit files, etc. when you
reboot. Looking for unknown but active files referenced in the prefetch
folder is one good way to find these babies too.

>> You might just want to run Mark Russinovich's tools accessenum and rootkit
>> revealer on your system to see what might be out of place.
>>>http://technet.microsoft.com/en-us/sysinternals/25e27bed-b251-4af4-b30a-c2a2a93a80d9.aspx?wt.svl=leftnav.aspx?wt.svl=leftnav
>
>How to read the output? I have tons of files listed when I run accessenum
>but I don't know what they mean.
>
>Then I have this for my rootkit revealer:
>
>HKLM\SECURITY\Policy\Secrets\SAC* 1/10/2008 10:52 PM 0 bytes Key name
>contains embedded nulls (*)
>HKLM\SECURITY\Policy\Secrets\SAI* 1/10/2008 10:52 PM 0 bytes Key name
>contains embedded nulls (*)

You won't be able to delete these easily.

Basically you need to boot to a WinPE or BartPE disc, use a registry
editor to load the hives from your \windows\system32\config folder and
then you can use a tool like Russinovich's RegDelNull to delete them. Then
unload those hives and reboot.

>HKLM\SOFTWARE\Microsoft\Windows
>NT\CurrentVersion\Prefetcher\TracesProcessed 1/11/2008 1:11 PM 4 bytes Data
>mismatch between Windows API and raw hive data.

Not sure. Might just be a glitch or could refer to something trying to
hide.

>C:\Documents and Settings\...\Temporary Internet
>Files\Content.IE5\4L6Z45UB\bullet[1] 1/11/2008 1:15 PM 3.09 KB Hidden from
>Windows API.
>C:\Documents and Settings\...\Temporary Internet
>Files\Content.IE5\4L6Z45UB\httpErrorPagesScripts[1] 1/11/2008 1:15 PM 7.40
>KB Hidden from Windows API.
>C:\Documents and Settings\...s\Temporary Internet
>Files\Content.IE5\4L6Z45UB\navcancl[1] 1/11/2008 1:15 PM 2.65 KB Hidden
>from Windows API.
>C:\Documents and Settings\...\Temporary Internet
>Files\Content.IE5\KTQRSL2V\background_gradient[1] 1/11/2008 1:15 PM 453
>bytes Hidden from Windows API.
>C:\Documents and Settings\...\Temporary Internet
>Files\Content.IE5\KTQRSL2V\ErrorPageTemplate[1] 1/11/2008 1:15 PM 2.12 KB
>Hidden from Windows API.
>C:\Documents and Settings\...s\Temporary Internet
>Files\Content.IE5\S56NOXQV\errorPageStrings[1] 1/11/2008 1:15 PM 850 bytes
>Hidden from Windows API.
>C:\Documents and Settings\...\Temporary Internet
>Files\Content.IE5\S56NOXQV\info_48[1] 1/11/2008 1:15 PM 6.83 KB Hidden from
>Windows API.

Really shouldn't ever be stuff hiding in here so all that is suspect. Are
you using IE still? I thought you knew better than that!

>> Another thing to do is to clear everything out of the \windows\prefetch
>> folder except layout.ini. Then reboot a few times and see if there are
>> any entries referencing files that you're not familiar with.
>
>I'm going to try this one. Again, thanks. I still think it's easier to
>live close to you so you can come over and diagnose instead of me knowing
>next to nothing and do all these without even knowing if I am doing it
>right.... But then, I am probably demanding too much....

What, demanding I fly thousands of miles to clean your computer? Nah,
shoot. That's nothing. Pshaw!
--
The Polychromic Dragon of the -=={UDIC}==-
Webpage http://macecil.googlepages.com/index.htm
RGCUD Dragon Gallery http://home.roadrunner.com/~rgcud/
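The four-listing comparison from steps 1 to 3 in Polychromic's message, as an added example that is not the thread's or Polychromic's own code: it reads the two "inside" listings (booted normally) and the two "outside" listings (clean boot), strips the drive letter or Linux mount point so the lists line up, ignores the listing files and a short assumed list of volatile paths, and reports whatever only the clean boot could see. It also flags any candidate under \windows\system32\drivers, since step 4 says not to rename those before clearing their registry references. All listings below are constructed sample data.

```python
"""Inside/outside file-listing comparison (added example, not the thread's code).

inside_*  = "dir /s /b /ah" and "dir /s /b /a-h" run while booted normally
outside_* = the same two commands run on that drive from a clean boot disc
            (or "find <mount> -type f" from a Linux disc)
Anything present only in the outside listings was invisible to the running
OS, i.e. a rootkit-hidden candidate.  All sample listings are constructed.
"""
from typing import Dict, List, Set

# Assumption: these paths legitimately differ between the two boots.
VOLATILE_PREFIXES = ("pagefile.sys", "hiberfil.sys", "windows/temp/")
# The listing files are created by the procedure itself, so ignore them.
LISTING_FILES = {"inhid.txt", "innothid.txt", "outhid.txt", "outnthid.txt"}


def normalize(line: str, root: str) -> str:
    """Drop the drive letter or mount point, unify separators, lowercase.

    NTFS names are case-insensitive, and a clean-boot disc may expose the
    same volume as D:\\ or /mnt/c, so both listings are reduced to a
    drive-relative lowercase form before they are compared."""
    path = line.strip().replace("\\", "/")
    prefix = root.replace("\\", "/").rstrip("/") + "/"
    if path.lower().startswith(prefix.lower()):
        path = path[len(prefix):]
    return path.lower()


def load_listing(text: str, root: str) -> Set[str]:
    return {normalize(ln, root) for ln in text.splitlines() if ln.strip()}


def is_expected_difference(path: str) -> bool:
    name = path.rsplit("/", 1)[-1]
    return name in LISTING_FILES or path.startswith(VOLATILE_PREFIXES)


def compare_listings(inside_hidden: str, inside_visible: str,
                     outside_hidden: str, outside_visible: str,
                     inside_root: str = "C:\\",
                     outside_root: str = "C:\\") -> Dict[str, List[str]]:
    """Return files hidden from the running OS, plus the reverse difference."""
    inside = (load_listing(inside_hidden, inside_root)
              | load_listing(inside_visible, inside_root))
    outside = (load_listing(outside_hidden, outside_root)
               | load_listing(outside_visible, outside_root))
    hidden_from_os = sorted(p for p in outside - inside
                            if not is_expected_difference(p))
    only_online = sorted(p for p in inside - outside
                         if not is_expected_difference(p))
    # Step 4 of the thread: never rename these before removing their
    # registry references, or the next boot may BSOD.
    driver_candidates = [p for p in hidden_from_os
                         if p.startswith("windows/system32/drivers/")]
    return {"hidden_from_os": hidden_from_os,
            "only_online": only_online,
            "driver_candidates": driver_candidates}


# Constructed sample listings.  Inside the OS the drive is C:; the clean
# boot disc mounted the same volume as D:.
INSIDE_HIDDEN = r"""C:\boot.ini
C:\WINDOWS\Prefetch\Layout.ini
C:\pagefile.sys
"""
INSIDE_VISIBLE = r"""C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\drivers\atapi.sys
C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\Temp\~tmp1.tmp
C:\inhid.txt
"""
OUTSIDE_HIDDEN = r"""D:\boot.ini
D:\WINDOWS\Prefetch\Layout.ini
D:\pagefile.sys
D:\WINDOWS\system32\drivers\hidden_example.sys
D:\WINDOWS\system32\hidden_example.dll
"""
OUTSIDE_VISIBLE = r"""D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\drivers\atapi.sys
D:\WINDOWS\system32\ntoskrnl.exe
D:\inhid.txt
D:\innothid.txt
D:\outhid.txt
"""


def run_sample() -> Dict[str, List[str]]:
    return compare_listings(INSIDE_HIDDEN, INSIDE_VISIBLE,
                            OUTSIDE_HIDDEN, OUTSIDE_VISIBLE,
                            inside_root="C:\\", outside_root="D:\\")


if __name__ == "__main__":
    for key, paths in run_sample().items():
        print(key)
        for p in paths:
            print("   ", p)
```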
Optician Dragon

External


Since: Apr 28, 2005
Posts: 449



(Msg. 6) Posted: Sat Jan 12, 2008 3:14 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

On Sat, 12 Jan 2008 01:00:06 -0600, Polychromic <macecil.DeleteThis@gmail.com>

<snip>
>>
>>I'll try that as the last resort (I did reinstall and formatted HDD, just
>>not deep cleaning them yet). How to know if the firewall is working? I
>>can't seem to find the list of AV programs you recommended before through
>>googlegroup search.
>
>Well for free there is AVG, http://free.grisoft.com
>and Avast!, http://www.avast.com/eng/avast_4_home.html
>
>I think Eset's NOD32 is probably the best paid one
>http://www.eset.com/

I use their Security Suite and I have to say it is absolutely the
least intrusive suite I've ever seen. So far, zero popup warning
boxes, automatic configuration of new programs, low resource usage.
It's great! And unlike some other manufacturers, they have no problem
with you installing it on multiple partitions on the same computer
without buying extra licenses..

>but Kaspersky isn't too bad (getting bloaty though).
>http://www.kaspersky.com/
>
>Of course, if you just want to submit one suspect file at a time you can
>do that with http://www.virustotal.com and that site will submit the file
>to a whole bunch of AV vendors at once.
>
>>> Most of the viruses I see these days are bot network worms or rootkit
>>> types that try to hide from the OS. You can try and find them using a
>>> clean boot. First pipe a list of all the files on the system drive to a
>>> file while booted up normally. Then do a clean boot with your BartPE or
>>> Linux disc. Pipe a list of all the files on the system drive to a file.
>>> Compare the two lists. The differences will show the hidden files and
>>> folders, but not the hidden registry entries. That takes additional
>>> steps.
>>
--
-=UDIC=-
Optician Dragon
If there's one thing in this life the years have taught, it's - That you can always see it comin', but you can never stop it.
Cowboy Junkies
Polychromic

External


Since: Oct 27, 2007
Posts: 359



(Msg. 7) Posted: Sat Jan 12, 2008 6:22 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

On Thu, 10 Jan 2008 23:26:59 GMT, Ashikaga <citizenashi DeleteThis @hotmail.com>
wrote:

>Hi, Sad
>
>It's kinda weird and hard to believe. I think Hank has virus after all,
>even though it has software's firewall and router's firewall....

Just following up here. You might want to know that there is a newish MBR
virus making the rounds since October. (If you do the "zero the drive"
routine I mentioned, it will remove the MBR and any active virus. Just
redoing partitions and formatting wouldn't.)

Symantec calls it Trojan.Mebroot while McAfee calls it StealthMBR (DAT
5204). Other names are Troj_Sinowal.ad, Troj/Mbroot-A,
Trojan.Win32.Agent.dsj and Troj_Agent.apa depending on which AV company
you ask.
--
The Polychromic Dragon of the -=={UDIC}==-
Webpage http://macecil.googlepages.com/index.htm
RGCUD Dragon Gallery http://home.roadrunner.com/~rgcud/
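What the "zero the drive versus just repartition and format" distinction in this message looks like at the sector level, as an added example that is not the thread's code: it parses a 512-byte MBR, hashes the boot-code region and compares it with a baseline recorded from a known-clean machine, then classifies the sector. The sectors are constructed; the tamper bytes are a placeholder pattern, not anything taken from Mebroot or any other sample.

```python
"""MBR boot-code baseline check (added example, not the thread's code).

An MBR infection lives in the first 446 bytes (boot code) of sector 0.
Repartitioning and formatting rewrite the partition table and the
filesystem but leave that boot code alone; zeroing the drive wipes it.
All sectors below are constructed.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA, count
SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Return signature state, boot-code hash and the non-empty partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"signature_ok": sector[510:512] == SIGNATURE,
            "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def classify_mbr(sector: bytes, baseline_sha256: str) -> str:
    """Compare the boot code against a hash recorded when the box was clean."""
    if not any(sector):
        return "zeroed"
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "no-boot-signature"
    if info["boot_code_sha256"] == baseline_sha256:
        return "boot-code-matches-baseline"
    return "boot-code-changed"


def build_sector(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR from boot code and (status, type, lba, count)."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be 446 bytes")
    table = b"".join(struct.pack(PART_ENTRY, st, b"\xff" * 3, pt, b"\xff" * 3, lba, n)
                     for st, pt, lba, n in partitions)
    table += bytes(16 * (4 - len(partitions)))
    return boot_code + table + SIGNATURE


# Constructed "known clean" boot code and the hash you would have kept of it.
CLEAN_CODE = bytes((i * 7 + 3) & 0xFF for i in range(BOOT_CODE_LEN))
BASELINE_SHA256 = hashlib.sha256(CLEAN_CODE).hexdigest()
# Placeholder tamper pattern standing in for an infected loader.
INFECTED_CODE = b"\xee" * 32 + CLEAN_CODE[32:]

ORIGINAL_TABLE = [(0x80, 0x07, 63, 2_097_152)]
NEW_TABLE = [(0x80, 0x07, 2048, 4_194_304)]       # repartition + format

CLEAN_SECTOR = build_sector(CLEAN_CODE, ORIGINAL_TABLE)
INFECTED_SECTOR = build_sector(INFECTED_CODE, ORIGINAL_TABLE)
FORMATTED_SECTOR = build_sector(INFECTED_CODE, NEW_TABLE)  # code survives
ZEROED_SECTOR = bytes(SECTOR_SIZE)                          # DBAN-style wipe


def run_scenarios() -> dict:
    return {
        "clean": classify_mbr(CLEAN_SECTOR, BASELINE_SHA256),
        "infected": classify_mbr(INFECTED_SECTOR, BASELINE_SHA256),
        "infected_then_formatted": classify_mbr(FORMATTED_SECTOR, BASELINE_SHA256),
        "infected_then_zeroed": classify_mbr(ZEROED_SECTOR, BASELINE_SHA256),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24s} {verdict}")
```

On a real machine the sector comes from a raw read of the first 512 bytes of the disk taken from the clean boot disc, and the baseline hash must have been recorded before the incident.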
Ashikaga

External


Since: May 11, 2004
Posts: 264



(Msg. 8) Posted: Sun Jan 13, 2008 12:15 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

Polychromic of the Cavern #21 howled:
> Ashikaga wrote:
>
>>Hi, Sad
>>
>>It's kinda weird and hard to believe. I think Hank has virus after all,
>>even though it has software's firewall and router's firewall....
>
> Just following up here. You might want to know that there is a newish MBR
> virus making the rounds since October. (If you do the "zero the drive"
> routine I mentioned, it will remove the MBR and any active virus. Just
> redoing partitions and formatting wouldn't.)

Yes, I am going to do what you suggested, that's why I've been absent doing
preparations (wish me good luck that I don't screw it up). My mind is also
a mess right now, so I've been taking time resting too... (and I am sick
with a sore throat right now, which doesn't really help me sleep well).
After everything is done, I shall write some after thought about what this
viral infection has made me think about life (or my lack of)..., maybe on a
blog, so you guys won't have to sit through my melodrama.... LOL! (though
I really would like to hear from you guys on this particular subject, and I
shall refrain from focusing too much on my life, but talk about life in
general)

> Symantec calls it Trojan.Mebroot while McAfee calls it StealthMBR (DAT
> 5204). Other names are Troj_Sinowal.ad, Troj/Mbroot-A,
> Trojan.Win32.Agent.dsj and Troj_Agent.apa depending on which AV company
> you ask.

Is there a rootkit removal kit from Symantec available?

Anyways, I wonder why you are so nice to me. Which reminds me of something
a well-known troll said to me, when I was merely lending him a hand.

--
Ashikaga -a29
Ashikaga

External


Since: May 11, 2004
Posts: 264



(Msg. 9) Posted: Sun Jan 13, 2008 7:53 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

Optician Dragon of the Cavern #43 howled:
> Polychromic:
<snip>
>>>
>>>I'll try that as the last resort (I did reinstall and formatted HDD, just
>>>not deep cleaning them yet). How to know if the firewall is working? I
>>>can't seem to find the list of AV programs you recommended before through
>>>googlegroup search.
>>
>>Well for free there is AVG, http://free.grisoft.com
>>and Avast!, http://www.avast.com/eng/avast_4_home.html
>>
>>I think Eset's NOD32 is probably the best paid one
>>http://www.eset.com/
>
> I use their Security Suite and I have to say it is absolutely the
> least intrusive suite I've ever seen. So far, zero popup warning
> boxes, automatic configuration of new programs, low resource usage.
> It's great! And unlike some other manufacturers, they have no problem
> with you installing it on multiple partitions on the same computer
> without buying extra licenses..

Now I wonder where I can get it.... I've gone through every possible chain
electronics store (except one) around here and couldn't find it. I even
included Walmart and the like.... They all carry the big three: Norton,
McAfee, Kaspersky, and sometimes CA and Iolo, but even Fry's, which carries
a lot of more obscure ones, still has no Eset....

I noticed on their website, they have another version called Smart
Security, which includes firewall, and I noticed Poly mentioned NOD32 but
not SS, so I wonder if it's recommended. If not, which firewall should I
use? (currently using the trial version, so I can confirm it's not very
intrusive).

--
Ashikaga -a29
Ashikaga

External


Since: May 11, 2004
Posts: 264



(Msg. 10) Posted: Sun Jan 13, 2008 9:00 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

Polychromic of the Cavern #160 howled:
> Ashikaga wrote:
>> Polychromic of the Cavern #50 howled:
>>> Ashikaga wrote:

Before I take the plunge, I need some clarification on some of the stuff.
Please bear with me, since I'm pretty bad at some of these.

<snip>
>>> Most of the viruses I see these days are bot network worms or rootkit
>>> types that try to hide from the OS. You can try and find them using a
>>> clean boot. First pipe a list of all the files on the system drive to a
>>> file while booted up normally. Then do a clean boot with your BartPE or
>>> Linux disc. Pipe a list of all the files on the system drive to a file.
>>> Compare the two lists. The differences will show the hidden files and
>>> folders, but not the hidden registry entries. That takes additional
>>> steps.
>>
>>That sounds like a lot of work. How to pipe all the file list?
>
> Not much work really.
> 1. From inside the suspect system boot drive (the c:> prompt) issue the
> commands:
> "dir /s /b /ah > c:\inhid.txt"
> and
> "dir /s /b /a-h > c:\innothid.txt"
>
> (You can substitute a: or another drive letter instead of c: of course.)
> This makes a list of all files including the hidden ones (inhid.txt) and
> all the files not including the hidden ones (innothid.txt). If there is a
> rootkit at work, it won't be listed in this step.

Should I do this step before or after I zeroed the drive?

> 2. Then we boot to a clean CD like WinPE, BartPE or a Linux boot disc and
> run those same commands on the infected drive. Use different file names
> for the output like outhid.txt and outnthid.txt. Smile
>
> 3. So after issuing the same pair of commands you now have 4 files. By
> using a comparison program like WinDiff or Beyond Compare you can see if
> there are any rootkit files present in the second set of file lists that
> have tried to hide themselves from the system.
>
> 4. That way you can delete or rename at least, those suspect files. Don't
> rename driver files in the \windows\system32\drivers folder without first
> removing the references to them from the registry or you'll likely get a
> BSOD when you try to boot up.

I am very bad at registry, so how should I remove a driver reference?
Where to look in the registry? Should I just delete an entry or change the
value?

> Of course, if there is a piece of malware that doesn't hide itself it
> could still be active and recreate the rootkit files, etc. when you
> reboot. Looking for unknown but active files referenced in the prefetch
> folder is one good way to find these babies too.

Where should I look? (i.e., which folders are prefetched folders?) What's
the program to use to see if something is active. I don't even know which
ones are considered unknown.... Is there a list of typical resident
Windows drivers/services programs that shows which files are safe (and if
there is an explanation of what each process does, it would be nice too)?
When I press ctrl-alt-del, there are just a bunch of cryptic process names
that I don't even know if they are normal or not. explorer.exe is okay
for sure, and I can sort of guess ati2evxx.exe is ATi's driver, but what
are other stuff?

>>> You might just want to run Mark Russinovich's tools accessenum and rootkit
>>> revealer on your system to see what might be out of place.
>>>>http://technet.microsoft.com/en-us/sysinternals/25e27bed-b251-4af4-b30a-c2a2a93a80d9.aspx?wt.svl=leftnav.aspx?wt.svl=leftnav
>>
>>How to read the output? I have tons of files listed when I run accessenum
>>but I don't know what they mean.
>>
>>Then I have this for my rootkit revealer:
>>
>>HKLM\SECURITY\Policy\Secrets\SAC* 1/10/2008 10:52 PM 0 bytes Key name
>>contains embedded nulls (*)
>>HKLM\SECURITY\Policy\Secrets\SAI* 1/10/2008 10:52 PM 0 bytes Key name
>>contains embedded nulls (*)
>
> You won't be able to delete these easily.
>
> Basically you need to boot to a WinPE or BartPE disc, use a registry
> editor to load the hives from your \windows\system32\config folder and
> then you can use a tool like Russinovich's RegDelNull to delete them. Then
> unload those hives and reboot.

A registry editor..., can it be Windows's own registry editor or should I
use something else? What's loading a hive?

>>HKLM\SOFTWARE\Microsoft\Windows
>>NT\CurrentVersion\Prefetcher\TracesProcessed 1/11/2008 1:11 PM 4 bytes Data
>>mismatch between Windows API and raw hive data.
>
> Not sure. Might just be a glitch or could refer to something trying to
> hide.
>
>>C:\Documents and Settings\...\Temporary Internet
>>Files\Content.IE5\4L6Z45UB\bullet[1] 1/11/2008 1:15 PM 3.09 KB Hidden from
>>Windows API.
>>C:\Documents and Settings\...\Temporary Internet
>>Files\Content.IE5\4L6Z45UB\httpErrorPagesScripts[1] 1/11/2008 1:15 PM 7.40
>>KB Hidden from Windows API.
>>C:\Documents and Settings\...s\Temporary Internet
>>Files\Content.IE5\4L6Z45UB\navcancl[1] 1/11/2008 1:15 PM 2.65 KB Hidden
>>from Windows API.
>>C:\Documents and Settings\...\Temporary Internet
>>Files\Content.IE5\KTQRSL2V\background_gradient[1] 1/11/2008 1:15 PM 453
>>bytes Hidden from Windows API.
>>C:\Documents and Settings\...\Temporary Internet
>>Files\Content.IE5\KTQRSL2V\ErrorPageTemplate[1] 1/11/2008 1:15 PM 2.12 KB
>>Hidden from Windows API.
>>C:\Documents and Settings\...s\Temporary Internet
>>Files\Content.IE5\S56NOXQV\errorPageStrings[1] 1/11/2008 1:15 PM 850 bytes
>>Hidden from Windows API.
>>C:\Documents and Settings\...\Temporary Internet
>>Files\Content.IE5\S56NOXQV\info_48[1] 1/11/2008 1:15 PM 6.83 KB Hidden from
>>Windows API.
>
> Really shouldn't ever be stuff hiding in here so all that is suspect. Are
> you using IE still? I thought you knew better than that!

I typically use Firefox, but there are instances where I have to use IE....
>>Windows Update uses IE.... I also have IE tab extension installed on
Firefox, so if a page doesn't run well on Firefox, it has to run under
that....

>>> Another thing to do is to clear everything out of the \windows\prefetch
>>> folder except layout.ini. Then reboot a few times and see if there are
>>> any entries referencing files that you're not familiar with.
>>
>>I'm going to try this one. Again, thanks. I still think it's easier to
>>live close to you so you can come over and diagnose instead of me knowing
>>next to nothing and doing all this without even knowing if I am doing it
>>right.... But then, I am probably demanding too much....
>
> What, demanding I fly thousands of miles to clean your computer? Nah,
> shoot. That's nothing. Pshaw!

I bet you have clients everywhere. But I shouldn't be bothering you since
you are doing this for nothing.... But anyways, if I survived this whole
thing, would you consider training me to be an apprentice for your computer
service? I need a job. You don't have to agree of course (I probably have
no talent anyways) and I really hate to impose on you all the time (though
I can't help it).

--
Ashikaga -a29
Polychromic (Since: Oct 27, 2007; Posts: 359)
(Msg. 11) Posted: Sun Jan 13, 2008 9:00 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

On Sun, 13 Jan 2008 21:00:43 GMT, Ashikaga <citizenashi RemoveThis @hotmail.com>
wrote:

>Polychromic of the Cavern #160 howled:
>> Ashikaga wrote:
>>> Polychromic of the Cavern #50 howled:
>>>> Ashikaga wrote:
>
>Before I take the plunge, I need some clarification on some of the stuff.
>Please bear with me, since I'm pretty bad at some of these.
>
><snip>
>>>> Most of the viruses I see these days are bot network worms or rootkit
>>>> types that try to hide from the OS. You can try and find them using a
>>>> clean boot. First pipe a list of all the files on the system drive to a
>>>> file while booted up normally. Then do a clean boot with your BartPE or
>>>> Linux disc. Pipe a list of all the files on the system drive to a file.
>>>> Compare the two lists. The differences will show the hidden files and
>>>> folders, but not the hidden registry entries. That takes additional
>>>> steps.
>>>
>>>That sounds like a lot of work. How to pipe all the file list?
>>
>> Not much work really.
>> 1. From inside the suspect system boot drive (the c:> prompt) issue the
>> commands:
>> "dir /s /b /ah > c:\inhid.txt"
>> and
>> "dir /s /b /a-h" > c:\innothid.txt"
>>
>> (You can substitute a: or another drive letter instead of c: of course.)
>> This makes a list of all files including the hidden ones (inhid.txt) and
>> all the files not including the hidden ones (innothid.txt). If there is a
>> rootkit at work, it won't be listed in this step.
>
>Should I do this step before or after I zeroed the drive?

Zeroing the drive erases everything. These steps are for finding and
removing the trojan or rootkit without zeroing the drive.

>> 2. Then we boot to a clean CD like WinPE, BartPE or a Linux boot disc and
>> run those same commands on the infected drive. Use different file names
>> for the output like outhid.txt and outnthid.txt. Smile
>>
>> 3. So after issuing the same pair of commands you now have 4 files. By
>> using a comparison program like WinDiff or Beyond Compare you can see if
>> there are any rootkit files present in the second set of file lists that
>> have tried to hide themselves from the system.
>>
>> 4. That way you can delete or rename at least, those suspect files. Don't
>> rename driver files in the \windows\system32\drivers folder without first
>> removing the references to them from the registry or you'll likely get a
>> BSOD when you try to boot up.
>
>I am very bad at registry, so how should I remove a driver reference?
>Where to look in the registry? Should I just delete an entry or change the
>value?

Well, if the bad driver was named test.sys and you searched the registry
for it you might find it here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\test
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TEST
and
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\test

You'd need to right click on these keys and choose permissions and make
sure that everyone has full rights. Then close the properties screen back
to just the registry and delete the keys.

Just keep doing a search for the bad driver and deleting the key
referencing it until they're all gone.

>> Of course, if there is a piece of malware that doesn't hide itself it
>> could still be active and recreate the rootkit files, etc. when you
>> reboot. Looking for unknown but active files referenced in the prefetch
>> folder is one good way to find these babies too.
>
>Where should I look? (i.e., which folders are prefetched folders?) What's

XP records the activity of all executables (but not services) in the
prefetch folder. That's so the built-in defragger can order the files on
the drive to load more efficiently.

>the program to use to see if something is active. I don't even know which
>ones are considered unknown.... Is there a list of typical resident
>Windows drivers/services programs that shows which files are safe (and if
>there is an explanation of what each process does, it would be nice too)?
>When I press ctrl-alt-del, there are just a bunch of cryptic process names
>that I don't even know if they are normal or not. explorere.exe is okay

If you have one called explorere.exe that would definitely NOT be okay.
Using a filename that is close to a valid XP program (explorer.exe) is one
way malware tries to hide in plain sight.

>for sure, and I can sort of guess ati2evxx.exe is ATi's driver, but what
>are other stuff?

There's no list. And just because something uses a valid name, if you
went to google and searched out an entry, doesn't guarantee that the file
usage recorded in the prefetch folder is actually activity of the valid
file.

Like I've said, using the prefetch folder is just one way you can use your
knowledge of the computer and your intuition to suss out active malware on
a system.

Frankly, I think if you're asking basic questions like these that the
process of manually removing rootkits and trojans is a bit beyond you and
you'd be better off in the long run just zeroing the drive and
reinstalling from scratch. That's why I responded with that initially.

>>>> You might just want to run Mark Russinovich's tools accessenum and rootkit
>>>> revealer on your system to see what might be out of place.
>>>>>http://technet.microsoft.com/en-us/sysinternals/25e27bed-b251-4af4-b30a-c2a2a93a80d9.aspx?wt.svl=leftnav.aspx?wt.svl=leftnav
>>>
>>>How to read the output? I have tons of files listed when I run accessenum
>>>but I don't know what they mean.
>>>
>>>Then I have this for my rootkit revealer:
>>>
>>>HKLM\SECURITY\Policy\Secrets\SAC* 1/10/2008 10:52 PM 0 bytes Key name
>>>contains embedded nulls (*)
>>>HKLM\SECURITY\Policy\Secrets\SAI* 1/10/2008 10:52 PM 0 bytes Key name
>>>contains embedded nulls (*)
>>
>> You won't be able to delete these easily.
>>
>> Basically you need to boot to a WinPE or BartPE disc, use a registry
>> editor to load the hives from your \windows\system32\config folder and
>> then you can use a tool like Russinovich's RegDelNull to delete them. Then
>> unload those hives and reboot.
>
>A registry editor..., can it be Windows's own registry editor or should I
>use something else? What's loading a hive?

The files that comprise the registry are usually found in the folders:
c:\windows\system32\config
(default, sam, security, software, system)
and
c:\documents and settings\username
(ntuser.dat)

These files are called hives. You'd need a regeditor that can load remote
hives. I use http://regeditpe.sourceforge.net/ on my BartPE disc.

>>>HKLM\SOFTWARE\Microsoft\Windows
>>>NT\CurrentVersion\Prefetcher\TracesProcessed 1/11/2008 1:11 PM 4 bytes Data
>>>mismatch between Windows API and raw hive data.
>>
>> Not sure. Might just be a glitch or could refer to something trying to
>> hide.
>>
>>>C:\Documents and Settings\...\Temporary Internet
>>>Files\Content.IE5\4L6Z45UB\bullet[1] 1/11/2008 1:15 PM 3.09 KB Hidden from
>>>Windows API.
>>>C:\Documents and Settings\...\Temporary Internet
>>>Files\Content.IE5\4L6Z45UB\httpErrorPagesScripts[1] 1/11/2008 1:15 PM 7.40
>>>KB Hidden from Windows API.
>>>C:\Documents and Settings\...s\Temporary Internet
>>>Files\Content.IE5\4L6Z45UB\navcancl[1] 1/11/2008 1:15 PM 2.65 KB Hidden
>>>from Windows API.
>>>C:\Documents and Settings\...\Temporary Internet
>>>Files\Content.IE5\KTQRSL2V\background_gradient[1] 1/11/2008 1:15 PM 453
>>>bytes Hidden from Windows API.
>>>C:\Documents and Settings\...\Temporary Internet
>>>Files\Content.IE5\KTQRSL2V\ErrorPageTemplate[1] 1/11/2008 1:15 PM 2.12 KB
>>>Hidden from Windows API.
>>>C:\Documents and Settings\...s\Temporary Internet
>>>Files\Content.IE5\S56NOXQV\errorPageStrings[1] 1/11/2008 1:15 PM 850 bytes
>>>Hidden from Windows API.
>>>C:\Documents and Settings\...\Temporary Internet
>>>Files\Content.IE5\S56NOXQV\info_48[1] 1/11/2008 1:15 PM 6.83 KB Hidden from
>>>Windows API.
>>
>> Really shouldn't ever be stuff hiding in here so all that is suspect. Are
>> you using IE still? I thought you knew better than that!
>
>I typically use Firefox, but there are instances where I have to use IE....
>Windows Update uses IE.... I also have IE tab extension installed on
>Firefox, so if a page doesn't run well on Firefox, it has to run under
>that....

And now you're infected. Don't use IE at all. Ever. You can download
updates for Windows manually with Firefox. (I doubt you'd ever get
infected using IE to do WindowsUpdate but I wouldn't use the IE extension
on random sites on the internet.)

>>>> Another thing to do is to clear everything out of the \windows\prefetch
>>>> folder except layout.ini. Then reboot a few times and see if there are
>>>> any entries referencing files that you're not familiar with.
>>>
>>>I'm going to try this one. Again, thanks. I still think it's easier to
>>>live close to you so you can come over and diagnose instead of me knowing
>>>next to nothing and doing all this without even knowing if I am doing it
>>>right.... But then, I am probably demanding too much....
>>
>> What, demanding I fly thousands of miles to clean your computer? Nah,
>> shoot. That's nothing. Pshaw!
>
>I bet you have clients everywhere. But I shouldn't be bothering you since
>you are doing this for nothing.... But anyways, if I survived this whole
>thing, would you consider training me to be an apprentice for your computer
>service? I need a job. You don't have to agree of course (I probably have
>no talent anyways) and I really hate to impose on you all the time (though
>I can't help it).

I don't mind answering questions. Smile
--
The Polychromic Dragon of the -=={UDIC}==-
Webpage http://macecil.googlepages.com/index.htm
RGCUD Dragon Gallery http://home.roadrunner.com/~rgcud/
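The clean-boot comparison Polychromic lays out in steps 1 to 3 above (one pair of dir listings taken inside the suspect install, a second pair taken from WinPE/BartPE/Linux, then a diff) is a cross-view rootkit check: anything the clean-boot view shows that the live view did not was being hidden from the live Windows API. Note that `dir /s /b /ah` lists only files carrying the hidden attribute and `dir /s /b /a-h` only those without it, so the union of the two is the full listing for that view. The script below does the comparison step. It is an added example, not code from the thread or from any Sysinternals tool; the four listings embedded in it are constructed sample data (the `test.sys` name is the hypothetical driver name used later in the thread), and the "volatile folder" list is my own choice of places that churn across a reboot anyway.

```python
"""Cross-view diff of 'dir /s /b' listings: one pair (/ah and /a-h) taken
inside the suspect Windows install from C:\>, one pair taken from a clean
boot disc against the same volume.  Anything present in the clean-boot view
but absent from the live view was hidden from the live Windows API.
Added example, not code from the thread; all listings are constructed."""

import re

DRIVE_RE = re.compile(r"^[A-Za-z]:")

# Folders whose contents change between the two snapshots anyway (the live
# listing is taken before a reboot, the clean-boot one after it), so a
# difference there is noise until checked by hand.  Assumed list.
VOLATILE_DIRS = ("\\windows\\prefetch\\", "\\windows\\temp\\", "\\recycler\\")


def parse_listing(text, mount_root=""):
    """Turn raw 'dir /s /b' output (or 'find <mount> -type f' from a Linux
    boot disc, with mount_root set to that mount point) into a set of
    drive-independent, case-folded NT paths.  The drive letter is dropped
    because the suspect volume is usually not C: when seen from WinPE."""
    paths = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.lower() == "file not found":
            continue
        if mount_root and line.startswith(mount_root):
            line = line[len(mount_root):]
        line = DRIVE_RE.sub("", line).replace("/", "\\").lower()
        if not line.startswith("\\"):
            line = "\\" + line
        paths.add(line)
    return paths


def cross_view(live_view, clean_view):
    """Return (hidden_from_live, missing_from_clean) as sorted lists.
    Each argument is the union of the /ah and /a-h listings of one view."""
    return sorted(clean_view - live_view), sorted(live_view - clean_view)


def verdict(path):
    if any(path.startswith(d) for d in VOLATILE_DIRS):
        return "volatile folder, verify by hand"
    return "SUSPECT: hidden from the live Windows API"


def report(live_parts, clean_parts, mount_root=""):
    """live_parts/clean_parts: the raw listing texts of each view.
    Returns [(path, verdict)] for every path the live system did not show."""
    live = set().union(*(parse_listing(t) for t in live_parts))
    clean = set().union(*(parse_listing(t, mount_root) for t in clean_parts))
    hidden, _ = cross_view(live, clean)
    return [(p, verdict(p)) for p in hidden]


# Constructed sample listings.  The live view was taken at C:\>, the clean
# view from WinPE, where the same volume happened to mount as D:.
LIVE_AH = """\
C:\\boot.ini
C:\\pagefile.sys
C:\\WINDOWS\\Prefetch\\HELP.EXE-085DD6F3.pf
C:\\WINDOWS\\Temp\\~DF3A1B.tmp
"""
LIVE_A_NOT_H = """\
C:\\WINDOWS\\explorer.exe
C:\\WINDOWS\\system32\\drivers\\atapi.sys
C:\\WINDOWS\\system32\\config\\system
"""
CLEAN_AH = """\
D:\\boot.ini
D:\\pagefile.sys
D:\\WINDOWS\\Prefetch\\HELP.EXE-085DD6F3.pf
D:\\WINDOWS\\system32\\drivers\\test.sys
"""
CLEAN_A_NOT_H = """\
D:\\WINDOWS\\explorer.exe
D:\\WINDOWS\\system32\\drivers\\atapi.sys
D:\\WINDOWS\\system32\\config\\system
D:\\WINDOWS\\Temp\\cleanup.log
"""

if __name__ == "__main__":
    for path, why in report([LIVE_AH, LIVE_A_NOT_H], [CLEAN_AH, CLEAN_A_NOT_H]):
        print(f"{path:50} {why}")
```

Files that show up only in the live view (the `~DF3A1B.tmp` here) are usually just things deleted at shutdown, which is why `cross_view` returns them separately instead of mixing them into the suspect list. A driver that turns up as SUSPECT still has to have its registry references removed before it is renamed, exactly as the reply above warns.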
Optician Dragon (Since: Apr 28, 2005; Posts: 449)
(Msg. 12) Posted: Sun Jan 13, 2008 9:11 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

On Sun, 13 Jan 2008 19:53:18 GMT, Ashikaga <citizenashi.RemoveThis@hotmail.com>
wrote:

>Optician Dragon of the Cavern #43 howled:
>> Polychromic:
><snip>
>>>>
>>>>I'll try that as the last resort (I did reinstall and formatted HDD, just
>>>>not deep cleaning them yet). How to know if the firewall is working? I
>>>>can't seem to find the list of AV programs you recommended before through
>>>>googlegroup search.
>>>
>>>Well for free there is AVG, http://free.grisoft.com
>>>and Avast!, http://www.avast.com/eng/avast_4_home.html
>>>
>>>I think Eset's NOD32 is probably the best paid one
>>>http://www.eset.com/
>>
>> I use their Security Suite and I have to say it is absolutely the
>> least intrusive suite I've ever seen. So far, zero popup warning
>> boxes, automatic configuration of new programs, low resource usage.
>> It's great! And unlike some other manufacturers, they have no problem
>> with you installing it on multiple partitions on the same computer
>> without buying extra licenses..
>
>Now I wonder where I can get it.... I've gone through every possible chain
>electronics store (except one) around here and couldn't find it. I even
>included Walmart and the like.... They all carry the big three: Norton,
>McAfee, Kaspersky, and sometimes CA and Iolo. Even Fry's, which carries
>a lot of the more obscure ones, still has no Eset....
>
>I noticed on their website, they have another version called Smart
>Security, which includes firewall, and I noticed Poly mentioned NOD32 but
>not SS, so I wonder if it's recommended. If not, which firewall should I
>use? (currently using the trial version, so I can confirm it's not very
>intrusive).


That's what I use - the Smart Security suite. I downloaded it from
their web store. They sent me an email with my key very quickly.
--
-=UDIC=-
Optician Dragon
If there's one thing in this life the years have taught, it's - That you can always see it comin', but you can never stop it.
Cowboy Junkies
Polychromic (Since: Oct 27, 2007; Posts: 359)
(Msg. 13) Posted: Sun Jan 13, 2008 9:14 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

On Sun, 13 Jan 2008 12:15:47 -0800, Ashikaga <citizenashi.DeleteThis@hotmail.com>
wrote:

>Polychromic of the Cavern #21 howled:
>> Ashikaga wrote:
>>
>>>Hi, Sad
>>>
>>>It's kinda weird and hard to believe. I think Hank has virus after all,
>>>even though it has software's firewall and router's firewall....
>>
>> Just following up here. You might want to know that there is a newish MBR
>> virus making the rounds since October. (If you do the "zero the drive"
>> routine I mentioned, it will remove the MBR and any active virus. Just
>> redoing partitions and formatting wouldn't.)
>
>Yes, I am going to do what you suggested, that's why I've been absent doing
>preparations (wish me good luck that I don't screw it up). My mind is also
>a mess right now, so I've been taking time resting too... (and I am sick
>with a sore throat right now, which doesn't really help me sleep well).
>After everything is done, I shall write some after thought about what this
>viral infection has made me think about life (or my lack of)..., maybe on a
>blog, so you guys won't have to sit through my melodrama.... LOL! (though
>I really would like to hear from you guys on this particular subject, and I
>shall refrain from focusing too much on my life, but talk about life in
>general)

If you post it here, we can all be entertained, er, commiserate with you
in your hours of pain and need.

>> Symantec calls it Trojan.Mebroot while McAfee calls it StealthMBR (DAT
>> 5204). Other names are Troj_Sinowal.ad, Troj/Mbroot-A,
>> Trojan.Win32.Agent.dsj and Troj_Agent.apa depending on which AV company
>> you ask.
>
>Is there a rootkit removal kit from Symantec available?

Haven't seen any yet. You could probably boot into the recovery console
and use the fixboot and fixmbr commands, but I'm not sure if they'd work
fully depending on how the malware is written. After all if a hidden
trojan just rewrites the MBR as soon as you reboot after fixing the MBR,
you won't have accomplished anything.

Besides, this is just one malware and there's no guarantee it's what you
have, if you have anything.

>Anyways, I wonder why you are so nice to me. Which reminds me of something
>a well-known troll said to me, when I was merely lending him a hand.

So now I'm a troll, eh?
--
The Polychromic Dragon of the -=={UDIC}==-
Webpage http://macecil.googlepages.com/index.htm
RGCUD Dragon Gallery http://home.roadrunner.com/~rgcud/
Ashikaga (Since: May 11, 2004; Posts: 264)
(Msg. 14) Posted: Sun Jan 13, 2008 10:39 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

Polychromic of the Cavern #160 howled:
> Ashikaga wrote:
>>Polychromic of the Cavern #50 howled:
>>> Ashikaga wrote:
<snip>
>>> Most of the viruses I see these days are bot network worms or rootkit
>>> types that try to hide from the OS. You can try and find them using a
>>> clean boot. First pipe a list of all the files on the system drive to a
>>> file while booted up normally. Then do a clean boot with your BartPE or
>>> Linux disc. Pipe a list of all the files on the system drive to a file.
>>> Compare the two lists. The differences will show the hidden files and
>>> folders, but not the hidden registry entries. That takes additional
>>> steps.
>>
>>That sounds like a lot of work. How to pipe all the file list?
>
> Not much work really.
> 1. From inside the suspect system boot drive (the c:> prompt) issue the
> commands:
> "dir /s /b /ah > c:\inhid.txt"
> and
> "dir /s /b /a-h" > c:\innothid.txt"
>
> (You can substitute a: or another drive letter instead of c: of course.)
> This makes a list of all files including the hidden ones (inhid.txt) and
> all the files not including the hidden ones (innothid.txt). If there is a
> rootkit at work, it won't be listed in this step.

I'm testing this part out for the /Windows/prefetch folder before the final
plunge, and found a problem. The command:

dir /s /b /ah > c:\inhid.txt

does not work ("file not found"). The second line worked (and I omitted
the " after /a-h, thinking it's a typo).

I tried dir /s /b /a > c:\prefetch.txt and it worked

I compared it with the second command and found the output files have one
line of difference.

C:\WINDOWS\Prefetch\HELP.EXE-085DD6F3.pf

was extra for the one that includes the hidden file. Is this a normal
file?

--
Ashikaga -a29
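The `HELP.EXE-085DD6F3.pf` entry above is a prefetch trace of the kind Polychromic suggested looking through after emptying the folder and rebooting. Every trace is named `EXENAME-XXXXXXXX.pf`, and on XP the hex part is derived from the full path the program was started from, which gives three cheap screening rules: a name that is not on your own list of programs you expect to run, a name one character off an expected one (`explorere.exe` beside `explorer.exe`, the hide-in-plain-sight trick mentioned earlier), and the same executable name with two different hashes, meaning two copies ran from two different locations. The script below applies those rules to a folder listing. It is an added example, not from the thread; the baseline set is an assumed list the owner would build for their own machine (the thread is right that no universal list exists), and every hash except the `HELP.EXE` one quoted above is made up. A name passing this screen only means it is not obviously wrong, not that the file behind it is the genuine one.

```python
"""Screen \\windows\\prefetch trace names: flag names outside an owner-kept
baseline, near-misses of baseline names, and one executable name seen with
several path hashes.  Added example, not code from the thread; BASELINE and
all hashes except HELP.EXE-085DD6F3 are constructed."""

import re

# EXENAME-<8 hex digits>.pf; the hex part is derived from the run path on XP.
PF_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Assumed baseline of programs the owner expects to see on this XP box.
# NTOSBOOT is the boot trace and carries no .EXE suffix.
BASELINE = {"NTOSBOOT", "EXPLORER.EXE", "SVCHOST.EXE", "ATI2EVXX.EXE"}


def parse_pf_name(name):
    """Split 'HELP.EXE-085DD6F3.pf' into ('HELP.EXE', '085DD6F3'), or None."""
    m = PF_RE.match(name)
    return (m["exe"].upper(), m["hash"].upper()) if m else None


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_prefetch(names, baseline=BASELINE):
    """Return [(entry, finding)] for prefetch folder entries worth a look."""
    findings = []
    hashes_by_exe = {}
    for name in names:
        if name.lower() == "layout.ini":       # the one file to leave in place
            continue
        parsed = parse_pf_name(name)
        if parsed is None:                     # something dropped in the folder
            findings.append((name, "not a prefetch trace at all"))
            continue
        exe, path_hash = parsed
        hashes_by_exe.setdefault(exe, set()).add(path_hash)
        if exe in baseline:
            continue
        near = sorted(b for b in baseline if edit_distance(exe, b) == 1)
        if near:
            findings.append((name, f"look-alike of {near[0]}"))
        else:
            findings.append((name, "not in baseline, look it up"))
    for exe, hashes in sorted(hashes_by_exe.items()):
        if len(hashes) > 1:
            findings.append((exe, f"ran from {len(hashes)} different paths"))
    return findings


# Constructed folder listing; only the HELP.EXE entry comes from the thread.
SAMPLE = [
    "NTOSBOOT-B00DFAAD.pf",
    "Layout.ini",
    "HELP.EXE-085DD6F3.pf",
    "EXPLORER.EXE-082F38A9.pf",
    "EXPLORERE.EXE-1A2B3C4D.pf",
    "SVCHOST.EXE-6B6F8A1A.pf",
    "SVCHOST.EXE-0F3E8C22.pf",
    "ATI2EVXX.EXE-2C0A7E11.pf",
]

if __name__ == "__main__":
    for entry, finding in screen_prefetch(SAMPLE):
        print(f"{entry:30} {finding}")
```

On a real box the list comes from `dir /b c:\windows\prefetch`, and the two-hash rule is the most useful of the three: a second `SVCHOST.EXE` trace means something with that name ran from somewhere other than `\windows\system32`, which no Google lookup of the name alone will tell you.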
Polychromic (Since: Oct 27, 2007; Posts: 359)
(Msg. 15) Posted: Sun Jan 13, 2008 10:39 pm
Post subject: Re: I think I have virus after all....
Archived from groups: per prev. post

On Sun, 13 Jan 2008 22:39:19 GMT, Ashikaga <citizenashi.TakeThisOut@hotmail.com>
wrote:

>Polychromic of the Cavern #160 howled:
>> Ashikaga wrote:
>>>Polychromic of the Cavern #50 howled:
>>>> Ashikaga wrote:
><snip>
>>>> Most of the viruses I see these days are bot network worms or rootkit
>>>> types that try to hide from the OS. You can try and find them using a
>>>> clean boot. First pipe a list of all the files on the system drive to a
>>>> file while booted up normally. Then do a clean boot with your BartPE or
>>>> Linux disc. Pipe a list of all the files on the system drive to a file.
>>>> Compare the two lists. The differences will show the hidden files and
>>>> folders, but not the hidden registry entries. That takes additional
>>>> steps.
>>>
>>>That sounds like a lot of work. How to pipe all the file list?
>>
>> Not much work really.
>> 1. From inside the suspect system boot drive (the c:> prompt) issue the
>> commands:
>> "dir /s /b /ah > c:\inhid.txt"
>> and
>> "dir /s /b /a-h" > c:\innothid.txt"
>>
>> (You can substitute a: or another drive letter instead of c: of course.)
>> This makes a list of all files including the hidden ones (inhid.txt) and
>> all the files not including the hidden ones (innothid.txt). If there is a
>> rootkit at work, it won't be listed in this step.
>
>I'm testing this part out for the /Windows/prefetch folder before the final
>plunge, and found a problem. The command:

As I said, do it from the c:\> prompt, not the c:\windows\prefetch>
prompt. You're trying to find all hidden files on the drive. Not just in
the prefetch folder.

>dir /s /b /ah > c:\inhid.txt
>
>does not work ("file not found").

Actually it did work. There just aren't hidden files in that one folder,
so it's reporting it didn't find any.

>The second line worked (and I omitted
>the " after /a-h, thinking it's a typo).
>
>I tried dir /s /b /a > c:\prefetch.txt and it worked

Yes, that was a typo but you