Re: I think I have virus after all....
- From: Polychromic <macecil@xxxxxxxxx>
- Date: Sun, 13 Jan 2008 20:59:49 -0600
On Sun, 13 Jan 2008 21:00:43 GMT, Ashikaga <citizenashi@xxxxxxxxxxx>
wrote:
Polychromic of the Cavern #160 howled:
Ashikaga wrote:
Polychromic of the Cavern #50 howled:
Ashikaga wrote:
Before I take the plunge, I need some clarification on some of the stuff.
Please bear with me, since I'm pretty bad at some of these.
<snip>
Most of the viruses I see these days are bot network worms or rootkit
types that try to hide from the OS. You can try and find them using a
clean boot. First pipe a list of all the files on the system drive to a
file while booted up normally. Then do a clean boot with your BartPE or
Linux disc. Pipe a list of all the files on the system drive to a file.
Compare the two lists. The differences will show the hidden files and
folders, but not the hidden registry entries. That takes additional
steps.
That sound like a lot of work. How to pipe all the file list?
Not much work really.
1. From inside the suspect system boot drive (the c:> prompt) issue the
commands:
"dir /s /b /ah > c:\inhid.txt"
and
"dir /s /b /a-h > c:\innothid.txt"
(You can substitute a: or another drive letter instead of c: of course.)
This makes a list of all files including the hidden ones (inhid.txt) and
all the files not including the hidden ones (innothid.txt). If there is a
rootkit at work, it won't be listed in this step.
Should I do this step before or after I zeroed the drive?
Zeroing the drive erases everything. These steps are for finding and
removing the trojan or rootkit without zeroing the drive.
2. Then we boot to a clean CD like WinPE, BartPE or a Linux boot disc and
run those same commands on the infected drive. Use different file names
for the output like outhid.txt and outnthid.txt. :)
3. So after issuing the same pair of commands you now have 4 files. By
using a comparison program like WinDiff or Beyond Compare you can see if
there are any rootkit files present in the second set of file lists that
have tried to hide themselves from the system.
4. That way you can delete or rename at least, those suspect files. Don't
rename driver files in the \windows\system32\drivers folder without first
removing the references to them from the registry or you'll likely get a
BSOD when you try to boot up.
I am very bad at registry, so how should I remove a driver reference?
Where to look in the registry? Should I just delete an entry or change the
value?
Well, if the bad driver was named test.sys and you searched the registry
for it you might find it here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\test
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TEST
and
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\test
You'd need to right click on these keys and choose permissions and make
sure that everyone has full rights. Then close the properties screen back
to just the registry and delete the keys.
Just keep doing a search for the bad driver and deleting the key
referencing it until they're all gone.
Of course, if there is a piece of malware that doesn't hide itself it
could still be active and recreate the rootkit files, etc. when you
reboot. Looking for unknown but active files referenced in the prefetch
folder is one good way to find these babies too.
Where should I look? (i.e., which folders are prefetched folders?) What's
the program to use to see if something is active? I don't even know which
ones are considered unknown.... Is there a list of typical resident
Windows drivers/services programs that shows which files are safe (and if
there is an explanation of what each process does, it would be nice too)?
XP records the activity of all executables (but not services) in the
prefetch folder. That's so the built-in defragger can order the files on
the drive to load more efficiently.
When I press ctrl-alt-del, there are just a bunch of cryptic process names
that I don't even know if they are normal or not. explorere.exe is okay
for sure, and I can sort of guess ati2evxx.exe is ATi's driver, but what
are other stuff?
If you have one called explorere.exe that would definitely NOT be okay.
Using a filename that is close to a valid XP program (explorer.exe) is one
way malware tries to hide in plain sight.
There's no list. And just because something uses a valid name, if you
went to google and searched out an entry, doesn't guarantee that the file
usage recorded in the prefetch folder is actually activity of the valid
file.
Like I've said, using the prefetch folder is just one way you can use your
knowledge of the computer and your intuition to suss out active malware on
a system.
Frankly, I think if you're asking basic questions like these that the
process of manually removing rootkits and trojans is a bit beyond you and
you'd be better off in the long run just zeroing the drive and
reinstalling from scratch. That's why I responded with that initially.
You might just want to run Mark Russinovich's tools accessenum and rootkit
revealer on your system to see what might be out of place.
http://technet.microsoft.com/en-us/sysinternals/25e27bed-b251-4af4-b30a-c2a2a93a80d9.aspx?wt.svl=leftnav.aspx?wt.svl=leftnav
How to read the output? I have tons of files listed when I run accessenum
but I don't know what they mean.
Then I have this for my rootkit revealer:
HKLM\SECURITY\Policy\Secrets\SAC* 1/10/2008 10:52 PM 0 bytes Key name
contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 1/10/2008 10:52 PM 0 bytes Key name
contains embedded nulls (*)
You won't be able to delete these easily.
Basically you need to boot to a WinPE or BartPE disc, use a registry
editor to load the hives from your \windows\system32\config folder and
then you can use a tool like Russinovich's RegDelNull to delete them. Then
unload those hives and reboot.
A registry editor..., can it be Windows's own registry editor or should I
use something else? What's loading a hive?
The files that comprise the registry are usually found in the folders:
c:\windows\system32\config
(default, sam, security, software, system)
and
c:\documents and settings\username
(ntuser.dat)
These files are called hives. You'd need a regeditor that can load remote
hives. I use http://regeditpe.sourceforge.net/ on my BartPE disc.
HKLM\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Prefetcher\TracesProcessed 1/11/2008 1:11 PM 4 bytes Data
mismatch between Windows API and raw hive data.
Not sure. Might just be a glitch or could refer to something trying to
hide.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\4L6Z45UB\bullet[1] 1/11/2008 1:15 PM 3.09 KB Hidden from
Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\4L6Z45UB\httpErrorPagesScripts[1] 1/11/2008 1:15 PM 7.40
KB Hidden from Windows API.
C:\Documents and Settings\...s\Temporary Internet
Files\Content.IE5\4L6Z45UB\navcancl[1] 1/11/2008 1:15 PM 2.65 KB Hidden
from Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\KTQRSL2V\background_gradient[1] 1/11/2008 1:15 PM 453
bytes Hidden from Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\KTQRSL2V\ErrorPageTemplate[1] 1/11/2008 1:15 PM 2.12 KB
Hidden from Windows API.
C:\Documents and Settings\...s\Temporary Internet
Files\Content.IE5\S56NOXQV\errorPageStrings[1] 1/11/2008 1:15 PM 850 bytes
Hidden from Windows API.
C:\Documents and Settings\...\Temporary Internet
Files\Content.IE5\S56NOXQV\info_48[1] 1/11/2008 1:15 PM 6.83 KB Hidden from
Windows API.
Really shouldn't ever be stuff hiding in here so all that is suspect. Are
you using IE still? I thought you knew better than that!
I typically use Firefox, but there are instances where I have to use IE....
Windows Update uses IE.... I also have IE tab extension installed on
Firefox, so if a page doesn't run well on Firefox, it has to run under
that....
And now you're infected. Don't use IE at all. Ever. You can download
updates for Windows manually with Firefox. (I doubt you'd ever get
infected using IE to do WindowsUpdate but I wouldn't use the IE extension
on random sites on the internet.)
Another thing to do is to clear everything out of the \windows\prefetch
folder except layout.ini. Then reboot a few times and see if there are
any entries referencing files that you're not familiar with.
I'm going to try this one. Again, thanks. I still think it's easier to
live close to you so you can come over and diagnose instead of me knowing
next to nothing and do all these without even knowing if I am doing it
right.... But then, I am probably demanding too much....
What, demanding I fly thousands of miles to clean your computer? Nah,
shoot. That's nothing. Pshaw!
I bet you have clients everywhere. But I shouldn't be bothering you since
you are doing this for nothing.... But anyways, if I survived this whole
thing, would you consider training me to be an apprentice for your computer
service? I need a job. You don't have to agree of course (I probably have
no talent anyways) and I really hate to impose on you all the time (though
I can't help it).
I don't mind answering questions. :)
--
The Polychromic Dragon of the -=={UDIC}==-
Webpage http://macecil.googlepages.com/index.htm
RGCUD Dragon Gallery http://home.roadrunner.com/~rgcud/
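The comparison in steps 1 to 3 above (two listings from the running system, two from a clean boot disc) can be done without WinDiff. The script below is an added example, not code from this thread or its authors; it assumes the listings came from `dir /s /b /ah` and `dir /s /b /a-h` (one path per line) and that the clean-boot listing may use a different drive letter or Linux mount point, which it strips before comparing.

```python
# Added example (not from the thread): diff the four "dir /s /b" listings and
# report paths that only the clean-boot listing can see.
from __future__ import annotations


def normalize(line: str, root: str) -> str | None:
    """Lower-case a path and strip its drive/mount root, so "c:\\windows\\x" from
    the normal boot and "/mnt/c/windows/x" from the boot disc compare equal."""
    path = line.strip().replace("/", "\\").lower()
    if not path:
        return None
    root = root.replace("/", "\\").rstrip("\\").lower()
    if path.startswith(root + "\\"):
        path = path[len(root) + 1:]
    return path


def load_listing(text: str, root: str) -> set[str]:
    """Turn the raw text of one listing file into a set of normalized paths."""
    return {p for p in (normalize(l, root) for l in text.splitlines()) if p}


def compare_listings(in_hid, in_nothid, out_hid, out_nothid, in_root, out_root):
    """Return (clean_only, normal_only): paths visible only from the clean boot
    (candidates for files a rootkit hides from the running OS) and paths seen
    only from the normal boot (usually temp files written after the clean
    listing; worth a glance, rarely malicious on their own)."""
    inside = load_listing(in_hid, in_root) | load_listing(in_nothid, in_root)
    clean = load_listing(out_hid, out_root) | load_listing(out_nothid, out_root)
    return sorted(clean - inside), sorted(inside - clean)


# Constructed sample listings: the drive is c: when booted normally and /mnt/c
# when mounted from a Linux boot disc. "test.sys" is the hypothetical driver
# name used in the thread, not a real indicator.
IN_HID = "c:\\boot.ini\nc:\\pagefile.sys\n"
IN_NOTHID = ("c:\\windows\\explorer.exe\nc:\\windows\\system32\\drivers\\atapi.sys\n"
             "c:\\windows\\temp\\tmp1.tmp\n")
OUT_HID = "/mnt/c/boot.ini\n/mnt/c/pagefile.sys\n/mnt/c/windows/system32/drivers/test.sys\n"
OUT_NOTHID = "/mnt/c/windows/explorer.exe\n/mnt/c/windows/system32/drivers/atapi.sys\n"


def demo():
    return compare_listings(IN_HID, IN_NOTHID, OUT_HID, OUT_NOTHID, "c:", "/mnt/c")


if __name__ == "__main__":
    clean_only, normal_only = demo()
    print("Seen only from the clean boot (suspect):", clean_only)
    print("Seen only from the normal boot:", normal_only)
```

Files that legitimately change between the two boots (pagefile, temp files, logs) show up in the second list, so triage the first list, as in step 4, before touching anything.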