Author Topic: mystery virus  (Read 12457 times)
kesuki (Comodo Family Member)
« Reply #45 on: December 16, 2007, 11:48:58 PM »

Quote
The gmer log is still showing the processes running. If the OTmoveit log doesn't show a move, it didn't do anything. It may be necessary to run OTmoveit in safe mode (reboot, use the F8 key to get to Windows safe mode). The rootkit stuff may be blocking things.

The DSS scan of your dad's machine shows

O4 - HKCU\..\Run: [HXDL.EXE] F:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run

which is listed as an undesirable program, but not necessarily malware. And this process entry, I have a question about

F:\Program Files\Muiltmedia keyboard utility\1.1\KbdAp32A.exe

because of the typo in the name. The descriptions match, but this could be something trying really hard to appear to be a legit process.

There was a wireless multimedia keyboard on this PC before, but I removed the software because that keyboard is now on Mom's PC, and I only installed the software to see if it worked with Winamp; it didn't, it only worked with Windows Media Player. As for the other program, there is no Add/Remove Programs entry for it, but I can see it came bundled with a photo editor my dad had a CD for. (Not sure if removing the photo editor will remove the 'undesired' app.)

I would have to ask tomorrow if they use the program (I already installed the GIMP on my mom's PC, which is the only image editor I use).
grue155 (Global Moderator, Comodo's Hero)
« Reply #46 on: December 17, 2007, 12:24:10 AM »

Interesting... Sysinternals RootKitRevealer will create a service for doing the scan, but on my machine, it deleted the service after the scan completed, and did not create an O23 entry that HJT would list unless the program was running at that moment. I didn't see that in the running-processes list. Anything that RootKitRevealer would need, it would create, and then properly delete. These could be leftovers from earlier runs that didn't complete properly. In which case, deleting the files wouldn't cause any problems.

Slightly different item, any idea what this might be about:

2007-12-16 19:08:34         0 d-------- C:\LxkZ55

Until that C:\Documents and the CmdLineExt02 get cleared, I'm suspecting the rootkit is still in place, and causing problems with the removals and scans.

I'm coming up on the end of my day here, and will have to do any follow-ups later.


kesuki (Comodo Family Member)
« Reply #47 on: December 17, 2007, 10:42:47 AM »

Quote
Interesting... Sysinternals RootKitRevealer will create a service for doing the scan, but on my machine, it deleted the service after the scan completed, and did not create an O23 entry that HJT would list unless the program was running at that moment. I didn't see that in the running-processes list. Anything that RootKitRevealer would need, it would create, and then properly delete. These could be leftovers from earlier runs that didn't complete properly. In which case, deleting the files wouldn't cause any problems.

Slightly different item, any idea what this might be about:

2007-12-16 19:08:34         0 d-------- C:\LxkZ55

Until that C:\Documents and the CmdLineExt02 get cleared, I'm suspecting the rootkit is still in place, and causing problems with the removals and scans.

I'm coming up on the end of my day here, and will have to do any follow-ups later.

lxk = Lexmark; the number is for the printer driver version...
As I said, RootkitRevealer 'errored', saying it couldn't start its services; then on a reboot I was able to run RootkitRevealer. (Apparently the services were blocked from running but were not blocked from installing, so on the next reboot they ran before the rootkit? That's my best guess.)

I'll try to run the MoveIt program from Bart's PE (made a PE disc last night with files on it, but most of them wouldn't run from PE).
kesuki (Comodo Family Member)
« Reply #48 on: December 17, 2007, 11:18:32 AM »

Found out why MoveIt couldn't move the files... they were actually in the Recycle Bin. As strange as that sounds... when I couldn't move them from Bart's PE, I looked in the Recycle Bin and there was a Documents and Settings folder and the temp folder... Still, I don't understand how the files would wind up in both my mom's and dad's systems' recycle bins... unless that was where the rootkit put them after it got their system?
kesuki (Comodo Family Member)
« Reply #49 on: December 17, 2007, 01:03:13 PM »

Dad's PC, after emptying the Recycle Bin. Noted 'oddness': gmer no longer runs. Deckard's no longer makes an 'extra.txt', ever, no matter what.

Deckard's System Scanner v20071014.68
Run by ryan on 2007-12-17 11:48:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis (run as ryan.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:54 AM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\LEXPPS.EXE
F:\WINDOWS\Explorer.EXE
F:\Program Files\Comodo\Firewall\cmdagent.exe
F:\Program Files\McAfee\MBK\MBackMonitor.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
f:\program files\common files\mcafee\mna\mcnasvc.exe
F:\WINDOWS\SOUNDMAN.EXE
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\Winamp\winampa.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
F:\Program Files\McAfee.com\Agent\mcagent.exe
F:\Program Files\Comodo\Firewall\CPF.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
F:\Program Files\McAfee\MSK\MskSrver.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\SiteAdvisor\6172\SAService.exe
F:\WINDOWS\system32\svchost.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Program Files\ATI Technologies\ATI.ACE\cli.exe
F:\Documents and Settings\ryan\Desktop\ssd.exe
F:\PROGRA~1\TRENDM~1\HIJACK~1\ryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - F:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - f:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - F:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - F:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MBkLogOnHook] F:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [mcagent_exe] F:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [COMODO Firewall Pro] "F:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E249E087-04D9-408A-8225-7E6BC91415DF}: NameServer = 66.115.71.53,24.196.64.53
O20 - AppInit_DLLs: 
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - F:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - F:\WINDOWS\system32\ImapiRox.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MBackMonitor - McAfee - F:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - f:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - F:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - F:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - F:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - F:\Program Files\SiteAdvisor\6172\SAService.exe

--
End of file - 6760 bytes

-- Files created between 2007-11-17 and 2007-12-17 -----------------------------

2007-12-17 10:57:35         0 d-------- F:\mcafee
2007-12-17 09:49:23         0 d-------- F:\WINDOWS\pss
2007-12-17 02:02:20         0 d-------- F:\Documents
2007-12-16 20:57:47         0 d-------- F:\Program Files\Trend Micro
2007-11-22 15:37:02       229 --a------ F:\WINDOWS\PowerReg.dat
2007-11-22 15:36:40         0 d-------- F:\Program Files\Hasbro Interactive


-- Find3M Report ---------------------------------------------------------------

2007-12-17 11:05:57         0 d-------- F:\Program Files\McAfee
2007-12-17 00:35:00         0 d-------- F:\Program Files\Java
2007-11-23 08:29:22         0 d-------- F:\Documents and Settings\ryan\Application Data\Comodo
2007-11-23 07:20:25         0 d-------- F:\Program Files\Comodo
2007-11-18 07:48:21         0 d-------- F:\Program Files\Common Files\McAfee
2007-11-05 22:55:26         0 d-------- F:\Program Files\Common Files\Adobe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
09/19/2007 06:15 AM   329032   --a------   f:\PROGRA~1\mcafee\msk\mcapbho.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [01/09/2004 01:54 AM F:\WINDOWS\SOUNDMAN.EXE]
"ATICCC"="F:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [01/02/2006 03:41 PM]
"WinampAgent"="F:\Program Files\Winamp\winampa.exe" [05/14/2007 02:22 PM]
"MBkLogOnHook"="F:\Program Files\McAfee\MBK\LogOnHook.exe" [01/08/2007 10:22 AM]
"mcagent_exe"="F:\Program Files\McAfee.com\Agent\mcagent.exe" [08/03/2007 10:33 PM]
"COMODO Firewall Pro"="F:\Program Files\Comodo\Firewall\CPF.exe" [11/23/2007 09:25 AM]
"NvCplDaemon"="F:\WINDOWS\system32\NvCpl.dll" [10/22/2006 11:22 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINDOWS\system32\ctfmon.exe" [02/28/2006 04:00 AM]
"swg"="F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/18/2007 09:35 AM]

F:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - F:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 12:15:54 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
[ at ]=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
[ at ]=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=F:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"F:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HXDL.EXE]
F:\Program Files\Cosmi\HelpExpress\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE" -run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfee Backup]
F:\Program Files\McAfee\MBK\McAfeeDataBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiteAdvisor]
F:\Program Files\SiteAdvisor\6172\SiteAdv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"F:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3cdf0fe4-5776-11dc-b872-0004615d60ab}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2007-12-17 11:49:36 ------------

kesuki (Comodo Family Member)
« Reply #50 on: December 17, 2007, 01:23:54 PM »

Mom's PC: Deckard's makes no extra.txt. RootkitRevealer log attached. F-Secure ran, but its result page refused to load in IE. gmer runs, no detection now... since I emptied the Recycle Bin...
kesuki (Comodo Family Member)
« Reply #51 on: December 17, 2007, 01:55:02 PM »

taskmgr.exe vs. HijackThis.

First, HijackThis.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Player\vmware-authd.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXAKPSWX.EXE
C:\Documents and Settings\Ryan\Desktop\that.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

Now taskmgr; I wrote these by hand.

alg.exe
ati2evee.exe
cmdagent.exe
cpf.exe
csrss.exe
ctfmon.exe
explorer.exe
googletoolbarnotifier.exe
hqtray.exe
iexplore.exe
ipoint.exe
jusched.exe
lexbces.exe
lexpps.exe
lsass.exe
lxakpswx.exe
mcagent.exe
mcdetect.exe
mcshield.exe
mctskshd.exe
mcvsescn.exe
mcvsshld.exe
notepad.exe
nvmixertray.exe
oasclnt.exe
scrnsave.scr
services.exe
smss.exe
spoolsv.exe
svchost.exe
'system'
'system idle process'
taskmgr.exe
vmnat.exe
vmnetdhcp.exe
vmount2.exe
vmware-authd.exe
winampa.exe
winlogon.exe

scrnsave.scr has me a bit worried -- should the screensaver be running while I'm at the PC typing?
I know these computers are set up with multiple accounts, but still...

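The comparison kesuki does by hand above (HijackThis "Running processes" against a hand-typed Task Manager list) is easy to get wrong by eye, so here is an added example, not code from the thread or from any of the tools named in it, that does the diff for you. It pairs probable typos in the hand-typed list so they are not mistaken for extra processes, reports image names present in only one view, and, since Task Manager shows no paths, flags HJT entries running from a user profile directory. The two sample inputs are constructed, abridged from the lists posted above.

```python
import difflib
import re
from typing import Dict, List

# Constructed sample: an abridged HijackThis log, modelled on the one
# posted in the thread (not the full process list).
HJT_SAMPLE = r"""
Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Winamp\winampa.exe
C:\Documents and Settings\Ryan\Desktop\that.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

# Constructed sample: Task Manager image names typed by hand, so one
# name carries a typo (ati2evee.exe) and pseudo-processes are quoted.
TASKMGR_SAMPLE = """
ati2evee.exe
cpf.exe
csrss.exe
explorer.exe
notepad.exe
scrnsave.scr
services.exe
smss.exe
svchost.exe
'system'
'system idle process'
taskmgr.exe
winampa.exe
winlogon.exe
"""

# Image paths under the user profile tree are unusual for services and
# startup programs and deserve a closer look (a heuristic, not a verdict).
USER_PROFILE_PREFIX = re.compile(r"^[a-z]:\\documents and settings\\", re.I)


def parse_hjt_processes(text: str) -> Dict[str, str]:
    """Map lower-cased image name -> full path from the 'Running processes' block."""
    procs: Dict[str, str] = {}
    in_block = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            if not stripped:  # the block ends at the first blank line
                break
            procs[stripped.rsplit("\\", 1)[-1].lower()] = stripped
    return procs


def parse_taskmgr_names(text: str) -> List[str]:
    """Lower-cased image names; quoted pseudo-processes like 'system' are skipped."""
    return [s for s in (l.strip().lower() for l in text.splitlines())
            if s and not s.startswith("'")]


def compare_process_lists(hjt_text: str, taskmgr_text: str) -> Dict[str, object]:
    """Diff the two views of the same machine and explain the differences."""
    hjt = parse_hjt_processes(hjt_text)
    hjt_names, tm_names = set(hjt), set(parse_taskmgr_names(taskmgr_text))
    only_tm = sorted(tm_names - hjt_names)
    only_hjt = sorted(hjt_names - tm_names)

    # A hand-typed list carries typos: pair near-misses so they are not
    # reported as an extra, unexplained process.
    typos: Dict[str, str] = {}
    for name in only_tm:
        hit = difflib.get_close_matches(name, only_hjt, n=1, cutoff=0.8)
        if hit:
            typos[name] = hit[0]

    return {
        "only_in_taskmgr": [n for n in only_tm if n not in typos],
        "only_in_hjt": [n for n in only_hjt if n not in typos.values()],
        "probable_typos": typos,
        # Task Manager shows no paths; HJT does, so use them for this check.
        "running_from_user_profile": sorted(
            n for n, p in hjt.items() if USER_PROFILE_PREFIX.match(p)),
    }
```

On the sample input, scrnsave.scr ends up in `only_in_taskmgr` with no path to explain it, which is exactly the entry worth checking in gmer's process view.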
grue155 (Global Moderator, Comodo's Hero)
« Reply #52 on: December 17, 2007, 03:06:02 PM »

Curiouser and curiouser... And I'm somewhat more awake now than I was yesterday.

To my knowledge, the scrnsave.scr process should not be there. Task Manager doesn't give path names, but gmer does. Run gmer, click the processes tab, and see where that scrnsave.scr is running from, and eyeball its list of libraries and threads. If it isn't Windows stuff, it's probably not a good thing to have running.

The Recycle Bin is a surprise, as that is a Windows folder that is called that, and so should show up on path names. But, if the processes aren't running, it could be some quirk of the cleanup. That gmer isn't showing any hidden processes is a good sign, I think. The rootkit may be out of the way, just not removed entirely.

I haven't gone through the DSS log yet. That'll be a few more minutes.
grue155 (Global Moderator, Comodo's Hero)
« Reply #53 on: December 17, 2007, 03:55:48 PM »

Some progress, I think. The DSS log from your dad's machine looks okay, but that gmer isn't running on his machine doesn't sound good. That means the DSS log might not be for real, if a rootkit is still kicking around in the background.

But, on your mom's machine, that gmer and RootkitRevealer are running, and the F-Secure runs but can't display, is a good sign. It means there may be a way to wedge in, and clean up some stuff. So, for her machine, let's try a couple of cleaners:

First is Dr.Web CureIt, download from http://www.freedrweb.com/  Run it, and let it do its stuff.

Then, download this rootkit remover from http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html to take out some of the more esoteric stuff.

That should get any kind of rootkit out of the way, and leave just a "more conventional" malware cleanup. Before going into those steps, let's see what the rootkit removers can do.
kesuki (Comodo Family Member)
« Reply #54 on: December 20, 2007, 09:12:49 PM »

Sorry I'm not here every day, but I had to download Dr.Web from an online download site, because it was now blocked both in VMware and in IE... Sophos found nothing; I'll re-run it after Dr.Web downloads and has been run.

One more thing I've noticed: on Dad's system I have to click the mouse or Alt-Tab to get Windows to switch user after it's been in the screensaver a long time, after I've already clicked the username to log in as...
kesuki (Comodo Family Member)
« Reply #55 on: December 20, 2007, 10:28:52 PM »

The download site had an '89 day old' Dr.Web exe... but it found nothing in the express scan, and I still can't download the 'latest' Dr.Web. I'm doing the complete scan now. With all the problems/symptoms I'm starting to think I need to reformat the computers, the problem being that I'm concerned about how long it takes to go from SP2 to SP3... I found a link for SP3 on Microsoft, but it was just an installer that downloads SP3 off the net, based on which updates you need to go to SP3. I'm concerned that even with firewalls and AV software the systems will just wind up hacked in the time it takes to download all those updates. Even if I force an IP address change it still takes 30 seconds (according to some statistics I've seen) for a vulnerable machine to get reinfected. Considering that it takes 50 minutes to download the 83 'critical' updates in Windows SP3 (I brought my system here and tried to update it with Windows Update, but I reformatted again because of the driver disk issues), I'm just not sure what to do anymore. I could probably reformat my dad's PC to Linux, but Mom's PC still 'needs' to run Windows, and be on the internet.

Ugh. If I recall correctly, one can use the list of 'installed updates' to get to the Knowledge Base numbers and find the redistributable downloadable patches, but that would take me probably a whole day.

Reformatting the computers would take the better part of a day, especially since I need to re-download every executable and can't trust any of the ones I archived. (I recently redid both machines, thinking that files I had downloaded recently would be good, and using Automatic Updates to install any patches.) Well, 'recently' in the past-6-months sense...

So far the complete scan has only detected 1 thing, likely 'adware', from a program called CDBurnerXP Pro 3, which I was using because I had not then settled on 'InfraRecorder' (open source software; basically uses Linux CD recording tools to make and burn CDs and DVDs). It has its problems, isn't user friendly, and has a hard time burning CDs on DVD burners, but at least it doesn't come with adware. Specifically, Dr.Web found 'program.pskill.origin' in NMSAccess.exe in the cdburnerxp pro 3\tools folder.

I really don't want to format this Christmas, so likely if I do that it will be in March when my parents go to Vegas for the NASCAR race. Although I could start preparations (making drivers, downloading patches etc.) anytime between now and then. If they find their 'extra' hard drive I could use that to get Dad's PC running Linux before I do all the backup and restore stuff...

I am a little worried about Dad's 'thumbdrives' that he uses for pictures; one of them opens via a Windows exe. The other one is just a normal filesystem... but ugh, why do thumbdrive makers have stupid programs that make the drive accessible to programs etc.
grue155 (Global Moderator, Comodo's Hero)
« Reply #56 on: December 21, 2007, 12:03:56 PM »

Reformatting is a pain, but sometimes the only way to get back to a known working state. Some malware is sufficiently invasive that removing the malware will pretty much brick the machine. The things that have been tried lead me to believe that this is one of those very unwelcome malware variants.

Note that XP SP3 is not yet officially released. It's in RC status, and expected to be released sometime in the next several months. If you can get to a working XP SP2 condition, you'll be in good shape.

Given how this malware has been infecting cd-r's, I'm suspecting that it will propagate by network shares and any other removable media. Just for safety, I'd consider any thumbdrives to be infected. Flash drives don't really clean, because of the way they're constructed. You might find the Best Practices at http://www.cit.cornell.edu/security/media-destruct.html to be useful reading.

If you do decide to wait about reformatting, I recommend keeping the machines off the Internet. That'll keep whatever from phoning home, and from doing whatever it is the malware is supposed to be doing (spamming, fast flux hosting, or whatever).

At worst, you could take a machine to a "big box" shop, and tell them to zero wipe and reinstall. Let them do the work, and you get back the equivalent of a "new" machine that you can lock down. If you go that route, either do all machines at once, or keep machines isolated to avoid the suspected network share infection vector.
kesuki (Comodo Family Member)
« Reply #57 on: December 21, 2007, 01:37:51 PM »

While attempting to migrate 'Dad's PC' to Linux, I spent about an hour playing with the configuration before I had to _clear the CMOS_ to get it to boot without the exact hardware that 'Dad's PC' was running for Windows. Because I had a handy drive with nothing important on it, I was going to use that one, and I noticed one of my FireWire add-in cards that had been left in Dad's PC, so I took that out... If the virus is infecting the CMOS... that is definitely not normal. Nor do any of the scanners we've used even check the CMOS...
kesuki (Comodo Family Member)
« Reply #58 on: December 21, 2007, 02:19:52 PM »

Well, I am already downloading the standalone SP3 update package. Dad's machine is going to Linux, while I try to find out if attaching it to a 'scrap drive' install of Windows (complete with security products, and the rootkit scanners). I was scanning my mom's old hard drive, and all that turned up was a virus that Kaspersky AV found: virus Type_Win32 (modification) e:\documents and settings\ryan\local settings\temp\arc101

No idea if that's what's currently on my systems... I took Dad's HD to scan that, and am loaning him one of my spare HDs and am installing Linux on it (he mainly plays card games, so I figured Linux would be fine for a while). The scanners were still running; if I find more I'll post here when I know more. OEM system builders have been shipping XP with SP3 for quite a while, so I am willing to 'try' this release candidate. If it causes a headache it's only a couple hours of my time wasted anyways. I feel way more secure running the SP3 RC than spending 50 minutes per machine to download the patches released since SP2. I think I will reflash their BIOSes as well, since technically I didn't get a 'known clean' Windows install until _after_ I reflashed my mainboard's BIOS (I also switched to a known clean driver CD).

There are no big box vendors here, and we've already had the 'local' computer shop people try to 'fix' the systems, but the problem was they did them 1 at a time, not all at once. And I seriously doubt they reflashed the BIOSes (in fact the BIOS on 1 read 2004 when I looked at it). Switching Dad to Linux (if he likes it) will simplify the task, because then they only have 1 Windows PC for me to flash/update/reinstall etc.
grue155 (Global Moderator, Comodo's Hero)
« Reply #59 on: December 21, 2007, 04:24:30 PM »

Quote
While attempting to migrate 'Dad's PC' to Linux, I spent about an hour playing with the configuration before I had to _clear the CMOS_ to get it to boot without the exact hardware that 'Dad's PC' was running for Windows. Because I had a handy drive with nothing important on it, I was going to use that one, and I noticed one of my FireWire add-in cards that had been left in Dad's PC, so I took that out... If the virus is infecting the CMOS... that is definitely not normal. Nor do any of the scanners we've used even check the CMOS...
This sounds a little like a Dell box. Dell machines, up until recently, have had a reputation for being very picky about add-in hardware being other than "Dell certified". I've heard, but not confirmed, that Dell took enough flak about that to have changed their policies over the last couple of years.

Using SP3 as a way to get the security patch rollup is a good move. There are some new things in SP3 that might not be quite right, but that's not likely to interfere with anything in a normal household environment (corporate environments are different; some major updates are in the works there).

Believe it or not, you're on the way to getting things cleaned up. It's just going to take some time. There's still a couple of open questions: are backups infected? Just one or two things, or a whole bunch, or what... And, however this something got in, it managed to migrate to other machines, so the question of LAN security comes up, in how to keep the infection out, or at least contained to one machine if it does get in?

Linux is a good environment, but even there it takes being aware of security to keep security in place (no running everything as root, that kind of thing). WinXP can be a secure environment. It just takes some rethinking on the usual way of doing things. Limited user and role accounts, restricted software policies, different browsers, update and patch routines, stuff like that, that nobody ever really talks about but is key to keeping things safe and sane.