Re: I think I have virus after all....
On Fri, 11 Jan 2008 21:28:37 GMT, Ashikaga <citizenashi@xxxxxxxxxxx>
wrote:

Polychromic of the Cavern #50 howled:
Ashikaga wrote:

Hi, :-(

It's kinda weird and hard to believe. I think Hank has a virus after all,
even though it has a software firewall and a router firewall....

I booted up my computer and found the task bar is all messed up....
Whoever did the intrusion just wanted it known that s/he exists. After years
of experience through having a job, I learned one thing dearly: human minds
can be very irrational, especially one who is very predetermined to conduct
a crime. Perhaps my classes were dropped by the same person(s)?

Anyways, that aside, now onto the practical. What's the most certain way
to resecure the system? I tried to find you guys' recommendation for
good anti-virus software. Found the old post about the Symantec Anti-virus
Poly suggested (which must be bought in bulk, so that's out of the
question), and an old thread about erimess's computer being compromised.
And that's about it. Google Groups just isn't very good, I think....

Any help would be very appreciated. Thanks!

The most certain way? Zero the drive with something like DBAN
http://dban.sourceforge.net/, then reinstall the OS from scratch after
disconnecting your network cable. Install a good AV. Make sure the
firewall is working. Reconnect the network cable and update the OS and
AV. Restore from backups only files you are 100% certain are virus-free
and even then the AV scanner should be used on them first.

I'll try that as the last resort (I did reinstall and format the HDD, just
haven't deep-cleaned it yet). How do I know if the firewall is working? I
can't seem to find the list of AV programs you recommended before through
Google Groups search.

Well for free there is AVG, http://free.grisoft.com
and Avast!, http://www.avast.com/eng/avast_4_home.html

I think Eset's NOD32 is probably the best paid one
http://www.eset.com/
but Kaspersky isn't too bad (getting bloaty though).
http://www.kaspersky.com/

Of course, if you just want to submit one suspect file at a time you can
do that with http://www.virustotal.com and that site will submit the file
to a whole bunch of AV vendors at once.

Most of the viruses I see these days are bot network worms or rootkit
types that try to hide from the OS. You can try and find them using a
clean boot. First pipe a list of all the files on the system drive to a
file while booted up normally. Then do a clean boot with your BartPE or
Linux disc. Pipe a list of all the files on the system drive to a file.
Compare the two lists. The differences will show the hidden files and
folders, but not the hidden registry entries. That takes additional
steps.

That sounds like a lot of work. How do I pipe the whole file list?

Not much work really.
1. From inside the suspect system boot drive (the C:\> prompt) issue the
commands:
"dir /s /b /ah > c:\inhid.txt"
and
"dir /s /b /a-h > c:\innothid.txt"

(You can substitute a: or another drive letter instead of c: of course.)
This makes a list of all files including the hidden ones (inhid.txt) and
all the files not including the hidden ones (innothid.txt). If there is a
rootkit at work, it won't be listed in this step.

2. Then we boot to a clean CD like WinPE, BartPE or a Linux boot disc and
run those same commands on the infected drive. Use different file names
for the output like outhid.txt and outnthid.txt. :)

3. So after issuing the same pair of commands you now have 4 files. By
using a comparison program like WinDiff or Beyond Compare you can see if
there are any rootkit files present in the second set of file lists that
have tried to hide themselves from the system.

4. That way you can delete, or at least rename, those suspect files. Don't
rename driver files in the \windows\system32\drivers folder without first
removing the references to them from the registry or you'll likely get a
BSOD when you try to boot up.

Of course, if there is a piece of malware that doesn't hide itself it
could still be active and recreate the rootkit files, etc. when you
reboot. Looking for unknown but active files referenced in the prefetch
folder is one good way to find these babies too.

You might just want to run Mark Russinovich's tools AccessEnum and
RootkitRevealer on your system to see what might be out of place.
http://technet.microsoft.com/en-us/sysinternals/25e27bed-b251-4af4-b30a-c2a2a93a80d9.aspx?wt.svl=leftnav.aspx?wt.svl=leftnav

How do I read the output? I have tons of files listed when I run AccessEnum
but I don't know what they mean.

Then I have this for my rootkit revealer:

HKLM\SECURITY\Policy\Secrets\SAC* 1/10/2008 10:52 PM 0 bytes Key name
contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 1/10/2008 10:52 PM 0 bytes Key name
contains embedded nulls (*)

You won't be able to delete these easily.

Basically you need to boot to a WinPE or BartPE disc, use a registry
editor to load the hives from your \windows\system32\config folder and
then you can use a tool like Russinovich's RegDelNull to delete them. Then
unload those hives and reboot.

HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Prefetcher\TracesProcessed 1/11/2008 1:11 PM 4 bytes Data
mismatch between Windows API and raw hive data.

Not sure. Might just be a glitch or could refer to something trying to
hide.

C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\4L6Z45UB\bullet[1] 1/11/2008 1:15 PM 3.09 KB Hidden from
Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\4L6Z45UB\httpErrorPagesScripts[1] 1/11/2008 1:15 PM 7.40
KB Hidden from Windows API.
C:\Documents and Settings\...s\Temporary Internet
Files\Content.IE5\4L6Z45UB\navcancl[1] 1/11/2008 1:15 PM 2.65 KB Hidden
from Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\KTQRSL2V\background_gradient[1] 1/11/2008 1:15 PM 453
bytes Hidden from Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\KTQRSL2V\ErrorPageTemplate[1] 1/11/2008 1:15 PM 2.12 KB
Hidden from Windows API.
C:\Documents and Settings\...s\Temporary Internet
Files\Content.IE5\S56NOXQV\errorPageStrings[1] 1/11/2008 1:15 PM 850 bytes
Hidden from Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\S56NOXQV\info_48[1] 1/11/2008 1:15 PM 6.83 KB Hidden from
Windows API.

There really shouldn't ever be stuff hiding in here, so all of that is
suspect. Are you using IE still? I thought you knew better than that!

Another thing to do is to clear everything out of the \windows\prefetch
folder except layout.ini. Then reboot a few times and see if there are
any entries referencing files that you're not familiar with.

I'm going to try this one. Again, thanks. I still think it would be easier
to live close to you so you could come over and diagnose it, instead of me,
knowing next to nothing, doing all this without even knowing if I am doing
it right.... But then, I am probably demanding too much....

What, demanding I fly thousands of miles to clean your computer? Nah,
shoot. That's nothing. Pshaw!
--
The Polychromic Dragon of the -=={UDIC}==-
Webpage http://macecil.googlepages.com/index.htm
RGCUD Dragon Gallery http://home.roadrunner.com/~rgcud/
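The four-listing comparison described in steps 1 to 4 above (dir /s /b /ah and dir /s /b /a-h, run once on the live system and once from a clean boot, then diffed) can be done without WinDiff or Beyond Compare. The script below is an added example written for this thread, not code posted by either participant: it normalizes the paths so that a listing taken from a Linux boot disc (where the drive shows up as /mnt/c/ rather than C:\) lines up with one taken on the live system, drops a small allowlist of paths that legitimately differ between boots (pagefile, prefetch, temp), and reports the files the clean boot saw but the running OS did not. The listing text embedded at the bottom is constructed sample data, and the allowlist is an assumption to be tuned per machine.

```python
import fnmatch
import re

# Added example, not code from the thread. Takes the text of the four
# listings the post describes and reports files that the clean boot sees
# but the live system did not, i.e. files hidden from the running OS.
# All sample listings below are constructed, not real output.

# Paths expected to differ between a live boot and an offline boot
# (constructed allowlist; extend for your own environment).
VOLATILE_PATTERNS = [
    "pagefile.sys",
    "hiberfil.sys",
    "system volume information\\*",
    "windows\\prefetch\\*",
    "*\\temp\\*",
]

# Drive letter (C:\) or Linux mount point (/mnt/c/) in front of the path;
# stripping it lets listings from different boot environments compare.
_ROOT = re.compile(r"^(?:[a-zA-Z]:[\\/]|/(?:mnt|media)/[^/]+/)")


def normalize(path: str) -> str:
    """Canonical form of one 'dir /s /b' line: root removed, backslashes
    only, case folded (NTFS paths are case-insensitive)."""
    p = _ROOT.sub("", path.strip())
    return p.replace("/", "\\").casefold()


def parse_listing(*texts: str) -> set[str]:
    """Union of one or more listing files (e.g. the /ah and /a-h outputs
    from the same boot) into a set of normalized paths."""
    return {normalize(line) for t in texts for line in t.splitlines() if line.strip()}


def is_volatile(path: str) -> bool:
    return any(fnmatch.fnmatchcase(path, pat.casefold()) for pat in VOLATILE_PATTERNS)


def hidden_from_live(live: set[str], offline: set[str]) -> list[str]:
    """Paths the clean boot saw but the live OS did not report: the rootkit
    candidates. Volatile paths are dropped to cut noise."""
    return sorted(p for p in offline - live if not is_volatile(p))


def only_in_live(live: set[str], offline: set[str]) -> list[str]:
    """Paths only the live OS reported (normally boot-time temp files);
    listed for completeness, not as evidence of hiding."""
    return sorted(p for p in live - offline if not is_volatile(p))


# Constructed sample listings, one per file from the post (inhid.txt,
# innothid.txt, outhid.txt, outnthid.txt). The offline pair was "taken"
# from a Linux boot disc, so it uses /mnt/c/ paths.
IN_HID = "C:\\pagefile.sys\nC:\\WINDOWS\\system32\\config\\system.LOG\n"
IN_NOTHID = "C:\\WINDOWS\\system32\\drivers\\atapi.sys\nC:\\WINDOWS\\explorer.exe\n"
OUT_HID = ("/mnt/c/WINDOWS/system32/config/system.LOG\n"
           "/mnt/c/WINDOWS/system32/drivers/example-hidden.sys\n")  # constructed name
OUT_NOTHID = "/mnt/c/WINDOWS/system32/drivers/atapi.sys\n/mnt/c/WINDOWS/explorer.exe\n"


def run_sample() -> list[str]:
    """Run the comparison on the constructed sample and return the suspects."""
    live = parse_listing(IN_HID, IN_NOTHID)
    offline = parse_listing(OUT_HID, OUT_NOTHID)
    return hidden_from_live(live, offline)


if __name__ == "__main__":
    for p in run_sample():
        print("hidden from live OS:", p)
```

On a real machine you would read the four files into the string arguments instead of the constructed samples; the interesting output is the hidden_from_live list, while only_in_live mostly shows files the system wrote between the two snapshots. A match in \windows\system32\drivers is exactly the case step 4 warns about: rename it only after the registry references are gone.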