Help identify virus? these symptoms....

jeffc

Zvi Netiv said:
Is this after you renamed the application to Regedit.com? What happens if you
rename it to abcde.exe?

Someone else recommended naming it something other than regedit.com. I
named it jregedit.exe. I suppose I could try abcde.exe instead.
 
David H. Lipman

You do realize that folder is a hidden folder ?

Did you dump the IE cache from the IE General Options ? How large is the cache ? It only
needs to be 10MB.

Dave




|
| | > Who has to Google I already posted a tool that will find and remove the
| Torvil worm.
| >
| > Trend Sysclean
| > http://www.trendmicro.com/download/dcs.asp
| >
| > In fact I was the first to reply to him and I suggested Sysclean ;-)
|
| Sysclean won't run because it gets in an infinite loop (apparently) checking
| through the internet Temporary Files folder (which is supposed to be empty.)
|
|
 
jeffc

David H. Lipman said:
You do realize that folder is a hidden folder ?

Did you dump the IE cache from the IE General Options ? How large is the cache ? It only
needs to be 10MB.

I don't understand "it only needs to be 10M". I don't know if it's hidden
or not because I have everything unhidden in Windows Explorer. I have
already deleted all files and content from IE options.
 
xmp

David H. Lipman wrote:

that's an amazing worm. sounds almost like a rootkit in the way that it
works.

basically the newer worms, rootkits, and trojans (rat's especially) are
incredible. i'm waiting for spyware to catch up with this. there are
working exploit coders doing spyware now, as evidenced by the CHM
exploits and droppers seen on various sites. they are only a few weeks
behind the exploits as they are posted on Bugtraq, etc. even very
popular sites have malicious code, because they sell ad space i.e. they
haven't checked every bit of JS.

i found the code for the Rameh downloader dropper to be neat. It's
mentioned in the July 23 (?) handler's diary at SANS. Nasty stuff.

michael
 
Zvi Netiv

xmp said:
David H. Lipman wrote:

that's an amazing worm. sounds almost like a rootkit in the way that it
works.

Chances are that this one *is* a rootkit. Standard procedures don't help much
in these cases, to not say interfere ...

Regards, Zvi
 
Zvi Netiv

jeffc said:
Someone else recommended naming it something other than regedit.com. I
named it jregedit.exe. I suppose I could try abcde.exe instead.

That someone else was me, and renaming regedit to jregedit wasn't the brightest
idea as whatever is messing with your system most probably looks for the string
"regedit" for doing its thing.

I also posted about the HackersDefender100 root-kit, in this thread, in article
<[email protected]>. The reason for my post on HacDef
wasn't that you look for it, specifically, but to suggest that you are probably
dealing with something similar and offer *methods* how to revert what it did.

What we need is a clue where to start from. Here is a procedure that may give
us that clue:

1. Make a copy of regedit.exe, in the Windows default directory, and name it
abcde.exe.

2. Run the following command line from the desktop, EXACTLY as written, quote
marks included (ignore the line wrap):

abcde /e c:\junk.txt
"hkey_local_machine\software\microsoft\windows\currentversion\run"

What that command does is to export the content of the machine run registry key
to a file named junk.txt. Find that file in the root of C: and paste it in your
next post, here.

What I expect to find there is how the Trojan you are dealing with initializes,
and provide the clue how to kill it.

Regards, Zvi
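The export command above writes a plain .reg text file; the Python below is added here (it is not code from anyone in the thread) to read such an export offline and list what the machine Run key launches, flagging entries that start from the IE cache or a temp directory. The sample export is constructed; the value names and paths in it are invented. It assumes the XP-style export (UTF-16 with a BOM, "Windows Registry Editor Version 5.00"), with a fallback for the ANSI REGEDIT4 format that Windows 9x writes.

```python
import re

# Constructed sample of what "regedit /e" writes for the HKLM Run key
# (2000/XP format: UTF-16LE with a BOM; Win9x writes an ANSI "REGEDIT4" file).
SAMPLE_EXPORT = b'\xff\xfe' + (
    'Windows Registry Editor Version 5.00\r\n'
    '\r\n'
    '[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n'
    '"SoundTray"="C:\\\\Program Files\\\\Audio\\\\SndTray.exe"\r\n'
    '"wbk"="C:\\\\Documents and Settings\\\\jeff\\\\Local Settings\\\\'
    'Temporary Internet Files\\\\Content.IE5\\\\AU56TUY\\\\wbk123.tmp"\r\n'
    '"updater"=hex(2):25,00,54,00,45,00,4d,00,50,00,25,00,5c,00,61,00,2e,00,\\\r\n'
    '  65,00,78,00,65,00,00,00\r\n'
).encode('utf-16-le')

# Directories a legitimate autostart entry almost never launches from.
SUSPECT_DIRS = ('temporary internet files', '%temp%', '\\temp\\')

def _decode_reg_value(raw):
    """Turn the right-hand side of a .reg line into a Python string."""
    if raw.startswith('"') and raw.endswith('"'):          # REG_SZ
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r'hex\((\d+)\):(.*)', raw)
    if m and m.group(1) == '2':                             # REG_EXPAND_SZ as UTF-16LE bytes
        data = bytes(int(h, 16) for h in m.group(2).split(',') if h.strip())
        return data.decode('utf-16-le').rstrip('\x00')
    return raw                                              # dword/binary: leave as written

def parse_run_key(export_bytes):
    """Return {value_name: command} for every value under a [...\\Run] key."""
    if export_bytes.startswith(b'\xff\xfe'):
        text = export_bytes.decode('utf-16')
    else:
        text = export_bytes.decode('cp1252')
    text = re.sub(r'\\\r?\n\s*', '', text)   # rejoin hex(...) values wrapped with a trailing '\'
    entries, in_run = {}, False
    for line in text.splitlines():
        if line.startswith('['):
            in_run = line.rstrip(']').lower().endswith('\\run')
        elif in_run and line.startswith('"') and '"=' in line:
            name, _, raw = line.partition('"=')
            entries[name[1:]] = _decode_reg_value(raw.strip())
    return entries

def suspicious_entries(entries):
    """Flag commands that run out of cache/temp paths or from a .tmp file."""
    return {name: cmd for name, cmd in entries.items()
            if any(d in cmd.lower() for d in SUSPECT_DIRS) or cmd.lower().endswith('.tmp')}

if __name__ == '__main__':
    for name, cmd in suspicious_entries(parse_run_key(SAMPLE_EXPORT)).items():
        print(f'suspect autostart: {name!r} -> {cmd}')
```

To use it on a real export, replace SAMPLE_EXPORT with the bytes of c:\junk.txt read in binary mode.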
 
Michael

they generally look for an exe name. i've fired up Optix Pro and
others, and it gives a customizable list of exe names to kill.
obviously it has a default list of several hundred. on unix though, you
generally have to modify the source code rather than a trivial renaming
of the file. it's an ancient trick and obviously malware authors are
not stagnating, they are PROACTIVE.
That someone else was me, and renaming regedit to jregedit wasn't the brightest
idea as whatever is messing with your system most probably looks for the string
"regedit" for doing its thing.

I also posted about the HackersDefender100 root-kit, in this thread, in article
<[email protected]>. The reason for my post on HacDef
wasn't that you look for it, specifically, but to suggest that you are probably
dealing with something similar and offer *methods* how to revert what it did.

if it's hacker defender, that's a ring zero kit. you really need to
mount the media and scan from another OS instance, scan from PE, or
something of that nature.

tripwire or AIDE could have avoided this whole issue, because you would
have known from the hashes that you got owned. (i use free tripwire on
linux, and a custom script that hashes on windows). assuming the kit
doesn't intercept and serve up bogus files for hashing purposes.
What we need is a clue where to start from. Here is a procedure that may give
us that clue:

1. Make a copy of regedit.exe, in the Windows default directory, and name it
abcde.exe.

2. Run the following command line from the desktop, EXACTLY as written, quote
marks included (ignore the line wrap):

abcde /e c:\junk.txt
"hkey_local_machine\software\microsoft\windows\currentversion\run"

What that command does is to export the content of the machine run registry key
to a file named junk.txt. Find that file in the root of C: and paste it in your
next post, here.

What I expect to find there is how the Trojan you are dealing with initializes,
and provide the clue how to kill it.

Regards, Zvi
--

zvi, you give good advice, of course.

also the general forensics procedure, after making an image of drive for
legal purposes, is to use utilities on floppy or CDR. the best case is
keeping them on single write media (along with your tripwire hashes of
course). having clean utilities can sometimes defeat the simpler
rootkits, it just depends.

i've already mentioned the tools to detect and clean this in a prior post.

michael
 
jeffc

Zvi Netiv said:
That someone else was me, and renaming regedit to jregedit wasn't the brightest
idea as whatever is messing with your system most probably looks for the string
"regedit" for doing its thing.

I also posted about the HackersDefender100 root-kit, in this thread, in article
<[email protected]>. The reason for my post on HacDef
wasn't that you look for it, specifically, but to suggest that you are probably
dealing with something similar and offer *methods* how to revert what it did.

What we need is a clue where to start from. Here is a procedure that may give
us that clue:

1. Make a copy of regedit.exe, in the Windows default directory, and name it
abcde.exe.

abcde.exe also does not work. I'll try the rest of your suggestions when I
get home from work, thanks!
 
jeffc

Zvi Netiv said:
That someone else was me, and renaming regedit to jregedit wasn't the brightest
idea as whatever is messing with your system most probably looks for the string
"regedit" for doing its thing.

By the way, the reason I thought this was reasonable was that stinger.exe
would not run, but when I renamed it jstinger.exe, it seemed to run fine.
 
xmp

jeffc said:
abcde.exe also does not work. I'll try the rest of your suggestions when I
get home from work, thanks!

i've said this three times and this will be my final post.

USE A RAW REGISTRY EDITOR AND PROCESS VIEWER!

regedit sucks ass.

regards,

michael

p.s. this isn't ****ing rocket science
 
jeffc

xmp said:
i've said this three times and this will be my final post.

USE A RAW REGISTRY EDITOR AND PROCESS VIEWER!

Uh, no you haven't.
regedit sucks ass.

p.s. this isn't ****ing rocket science

Easy cowboy. (You'll keep *reading* though, right?)
 
Zvi Netiv

jeffc said:
abcde.exe also does not work. I'll try the rest of your suggestions when I
get home from work, thanks!

Something is fishy in your above reply!

On what computer did you try the renamed copy of regedit.exe? On the affected
one? If yes, then why do you have to get home for trying the rest of my
suggestions? What exactly did "not work"? Did you try exporting the registry
key I asked with the command I gave? Have you tried it on a healthy PC just to
see how the procedure works? Did you look for the exported text file and read
through, to familiarize with?

Maybe you should start telling us not what doesn't work, but what does, in
details!

Zvi
 
jeffc

postminimalist said:
also Kaspersky keeps up with new versions of hacker defender and
trojans.

Cannot install Kaspersky. I downloaded it to another computer and copied it
over on diskette (8 diskettes!) But the hack or virus or whatever won't let
the Kaspersky install program run. My email to Kaspersky also could not be
sent. I emailed from another computer 3 days ago, and they never responded
to my question.
 
jeffc

Zvi Netiv said:
Something is fishy in your above reply!

On what computer did you try the renamed copy of regedit.exe? On the affected
one?

Of course.
If yes, then why do you have to get home for trying the rest of my
suggestions?

Because I was late for work and I had to leave.
What exactly did "not work"?

If I run regedit.exe it "doesn't work". Meaning it just doesn't run.
Meaning it just "goes away". If I rename it jregedit.exe, same results. If
I rename it abcde.exe, same results. If I run stinger.exe, it "doesn't
work". If I rename that to jstinger.exe, it runs fine.
Maybe you should start telling us not what doesn't work, but what does, in
details!

I have been letting the Eraser program finish working to delete the "hidden"
Temporary Internet files. I thought stinger was in an "infinite loop", but
it turns out there were thousands and thousands of files there were hidden
to me from Windows Explorer (even though I show hidden files in the
options.) Eraser finally erased 2G of these "hidden" files, and it took
about 30 hours. I am now running stinger because it's the only thing that
will run. I'm again late for work and I'll try your other suggestions when
I get home. thanks
 
jeffc

Zvi Netiv said:
Something is fishy in your above reply!

More details - I have 2 computers at home - the main, infected one, call it
A, and my older one, call it B. Both are connected to the internet through
a router (which I had hoped would act as a decent firewall.) A is XP, B is
98. I cannot access this newsgroup on A. All other newsgroups work fine,
but when I attempt to go to alt.comp.anti-virus from A, Outlook Express
quits. From A, I can access the sites that I removed from my hosts file,
but that's not good enough. For example, if I go to Google and search on
"virus", IE quits. It works for all other normal searches. I also can not
get to the Kaspersky site, but I can get to the Symantec site. I have no CD
burner on B. Everything I download to B must be transferred to A by
diskette. I do not have a network "installed" or "working" (I don't know
how the computers might communicate by default, but there is no
communication I'm aware of. I am not interested in getting networking
between them at this time, especially since I think that could very well
make this problem worse.) All messages to this newsgroup come from B, or
from my work computer (where I am now.)
 
jeffc

David H. Lipman said:
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

OK, I was finally able to copy Sysclean to that machine and run it. It is
reporting Netsky on multiple files. These files are being automatically
generated into my Temporary Internet Files folder (under Content.IE5). You
know the folders with the cryptic names: AU56TUY and stuff like that. There
are hundreds of files being created in these folders over time with the name
wbknnn.tmp where nnn is some number. These files are being reported as
Netsky. I have gone to the internet to look at something fairly benign,
like CNN. I see some of the files I would expect to see in the Temp
Internet folder, but these other files are "hidden" to me in Windows
Explorer (I show all files in options.) The Eraser program can find them
though and so can Sysclean. Sysclean deletes the files, but they keep
coming back.
 
jeffc

Zvi Netiv said:
What we need is a clue where to start from. Here is a procedure that may give
us that clue:

1. Make a copy of regedit.exe, in the Windows default directory, and name it
abcde.exe.

2. Run the following command line from the desktop, EXACTLY as written, quote
marks included (ignore the line wrap):

abcde /e c:\junk.txt
"hkey_local_machine\software\microsoft\windows\currentversion\run"

abcde.exe does not run. The error message pops up too fast, but I think
it's the one that says I don't have authority.
 
