08-08-2007, 10:29 AM
Grandest Duke
Join Date: Aug 2007
Location: GreasyGreenGreevilleville
Thanks: 2,903
Thanked 3,144 Times in 2,341 Posts
-=Computer Infections Be Gone
I've built, diagnosed and repaired computers for almost 20 years now. I've written, masked and delivered many amazing and successful network attacks, trojans and exploits (only in a sandbox, of course!... hi feds!) Currently, I work for a major US cable company in the business class division, and computer security is a huge interest of mine. You could say I've worked both sides of the fence for a very long time. Post whatever computer infection(s) or ongoing attacks you think you might be suffering, and I'll tell you all the "secrets" about how they work, and how to remove them, thus leaving your computer/network all sparkling clean and co-operative again.

01-17-2009, 05:00 AM
Marquis
Join Date: Jan 2009
Location: Bite my shiney metal ass.
Thanks: 274
Thanked 217 Times in 161 Posts
Not positive if this was a network virus; it's gone now, but it never registered on a VS. It knocked out my Internet and LAN connection and slowed everything to shit. I wiped C: and it was gone. Just curious what it could have been.
__________________
When you kill a king, you don't stab him in the dark.
You do it where the whole court can watch him die.

01-21-2009, 11:32 AM
Grandest Duke
Join Date: Aug 2007
Location: GreasyGreenGreevilleville
Thanks: 2,903
Thanked 3,144 Times in 2,341 Posts
Re: -=Computer Infections Be Gone
Quote:
Originally Posted by Pandoras Assassin
Not positive if this was a network virus; it's gone now, but it never registered on a VS. It knocked out my Internet and LAN connection and slowed everything to shit. I wiped C: and it was gone. Just curious what it could have been.
Without further examination of the infection, and maybe some sandbox test runs, it would be tough to identify. Most probably, it was a rootkit installation using kernel modules (.dll/.vbx/.ocx) to utilize core components, but failing to do so. What people often misunderstand is that these hostile programs often are not designed to shut down the OS or Internet, but because they are so poorly written, and because they are so poorly organized/thought out, their programs misbehave and crash the very systems they were meant to take advantage of. It's always good to just low-level format and ghost a good copy of the OS every so often anyway, so I'm glad to hear you're good now.

01-21-2009, 04:09 PM
Member
Join Date: Jan 2009
Location: Right next to that other place
Thanks: 24
Thanked 34 Times in 29 Posts
Re: -=Computer Infections Be Gone
-SpectraL: One thing you probably should have mentioned in addition is that it might not have actually been slowing the Internet connection: if the computer's CPU and memory are given enough work, they slow down everything, since those are the two most important resources of a computer. This could easily happen if the malware was trying to break encryption keys, as a botnet might want to do.
Oh, and I'm glad you changed your mind and decided to at least try out zoklet after all.

01-21-2009, 04:40 PM
Marquis
Join Date: Jan 2009
Location: Bite my shiney metal ass.
Thanks: 274
Thanked 217 Times in 161 Posts
Re: -=Computer Infections Be Gone
Thanks guys. Yeah, malware sucks. I had that crap twice. I had my AV on when I went to the infected site, but it didn't stop it. Is there any way to stop malware before it infects you, changes your background and all its other shenanigans?
__________________
When you kill a king, you don't stab him in the dark.
You do it where the whole court can watch him die.

01-21-2009, 05:02 PM
Member
Join Date: Jan 2009
Location: Right next to that other place
Thanks: 24
Thanked 34 Times in 29 Posts
Re: -=Computer Infections Be Gone
Quote:
Originally Posted by Pandoras Assassin
Thanks guys. Yeah, malware sucks. I had that crap twice. I had my AV on when I went to the infected site, but it didn't stop it. Is there any way to stop malware before it infects you, changes your background and all its other shenanigans?
In an absolute sense? No. Antivirus and antispyware programs usually do a reasonably good job stopping known malware programs, but unknown malware can often get through even the most aggressive heuristic analysis methods. You're usually better off trying to use common sense to evaluate unknown software.
One thing that might help if you have enough RAM and hard disk space: install VMWare, create a virtual machine and install a copy of Windows in it, then use that to run the unknown software. That way, if it's malicious, it only infects the virtual machine instead of your real computer.

01-21-2009, 06:31 PM
Grandest Duke
Join Date: Aug 2007
Location: GreasyGreenGreevilleville
Thanks: 2,903
Thanked 3,144 Times in 2,341 Posts
Re: -=Computer Infections Be Gone
Just a little trick I learned along the way (created by myself, actually); here's how I out-think the malware or trojan. I would not suggest you play with your registry unless you know what you are doing, as it could cause catastrophic events if the wrong keys were to be modified.
1. make a copy of regedit.exe as regedit.com
2. run regedit.com from command prompt
3. export [HKEY_CLASSES_ROOT\.exe] to the desktop as 1.reg
4. delete [HKEY_CLASSES_ROOT\.exe]
5. .exe files can no longer be started on the OS, including malware (unless already hiding in memory, of course)
6. use Process Explorer [procexp.exe] to kill all identified malware/spyware processes * OS will not be able to respawn these processes or re-populate the registry *
7. clean out registry of all known spyware/malware keys
8. delete all identified malware/spyware files using command prompt command.com
9. double click on 1.reg on the desktop and import the key back into the registry
10. reboot
______________________
Yes, Oddballz194.. I'm glad zok and deus will still have me.

01-21-2009, 08:11 PM
Member
Join Date: Jan 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Re: -=Computer Infections Be Gone
I use FreeBSD/OpenBSD's securelevel 3; it prevents kernel-level rootkits from being installed, without a reboot.
I also keep a floppy with Linux and yafic on it in the floppy drive, configured to boot from the floppy drive first.

01-22-2009, 02:15 AM
Member
Join Date: Jan 2009
Location: Right next to that other place
Thanks: 24
Thanked 34 Times in 29 Posts
Re: -=Computer Infections Be Gone
SpectraL: One problem in your last instructions. Instead of double-clicking the .reg file, double click on regedit.com and then use the File Menu's Import command to load the .reg file. If you double-click the .reg file, it'll try to run regedit.exe, and you don't want to just see an error message.

01-22-2009, 03:11 AM
Marquis
Join Date: Jan 2009
Location: Bite my shiney metal ass.
Thanks: 274
Thanked 217 Times in 161 Posts
Re: -=Computer Infections Be Gone
Quote:
Originally Posted by -SpectraL
Just a little trick I learned along the way (created by myself, actually); here's how I out-think the malware or trojan. I would not suggest you play with your registry unless you know what you are doing, as it could cause catastrophic events if the wrong keys were to be modified.
1. make a copy of regedit.exe as regedit.com
2. run regedit.com from command prompt
3. export [HKEY_CLASSES_ROOT\.exe] to the desktop as 1.reg
4. delete [HKEY_CLASSES_ROOT\.exe]
5. .exe files can no longer be started on the OS, including malware (unless already hiding in memory, of course)
6. use Process Explorer [procexp.exe] to kill all identified malware/spyware processes * OS will not be able to respawn these processes or re-populate the registry *
7. clean out registry of all known spyware/malware keys
8. delete all identified malware/spyware files using command prompt command.com
9. double click on 1.reg on the desktop and import the key back into the registry
10. reboot
______________________
Yes, Oddballz194.. I'm glad zok and deus will still have me.
Hmm, that is really smart. Yeah, the way I was infected it was a popup, and I went to go get rid of it, and I guess they faked the little "X" button and it auto-redirected me to an assload of sites. Next thing I know, I see a little popup saying that I have 1,206,452 viruses.
Yeah, thanks SpectraL and Oddballz, you really are a lot of help.
__________________
When you kill a king, you don't stab him in the dark.
You do it where the whole court can watch him die.

01-22-2009, 10:22 AM
Grandest Duke
Join Date: Aug 2007
Location: GreasyGreenGreevilleville
Thanks: 2,903
Thanked 3,144 Times in 2,341 Posts
Re: -=Computer Infections Be Gone
Quote:
Originally Posted by Pandoras Assassin
Hmm, that is really smart. Yeah, the way I was infected it was a popup, and I went to go get rid of it, and I guess they faked the little "X" button and it auto-redirected me to an assload of sites. Next thing I know, I see a little popup saying that I have 1,206,452 viruses.
Yeah, thanks SpectraL and Oddballz, you really are a lot of help.
One thing I forgot to mention about that trick is... you need a copy of procexp.exe renamed as procexp.com before you disable executable loading by deleting the .exe registry key. Also, when you double-click the 1.reg file after you are done, to import the registry setting back in and re-enable executable loading, I can't remember if the OS complains that regedit.exe is not able to run and is required to run *.reg files. It may be a good idea to import the 1.reg using the command line "regedit.com 1.reg" from command.com in the root.
Anyways, I used to spend thousands of hours on this shit.. and it's quite fun to outsmart even the most devious hostile programs without even requiring a reboot. Now.. memory resident nasties... and memory-cave hiders (hiding a PID inside the PID of another legitimate process)... that's another story for another day.
Last edited by -SpectraL; 01-26-2009 at 11:06 AM.
Reason: corrected filename from regsrv32.com to regedit.com

01-22-2009, 10:29 AM
Grandest Duke
Join Date: Aug 2007
Location: GreasyGreenGreevilleville
Thanks: 2,903
Thanked 3,144 Times in 2,341 Posts
Re: -=Computer Infections Be Gone
Quote:
Originally Posted by oddballz194
SpectraL: One problem in your last instructions. Instead of double-clicking the .reg file, double click on regedit.com and then use the File Menu's Import command to load the .reg file. If you double-click the .reg file, it'll try to run regedit.exe, and you don't want to just see an error message.
HOLY SHIT! After I made my correction.. I went back up to read the previous posts and saw this one! You're smart as hell man! Smart as hell!
* -SpectraL backs away from the keyboard slowly *

01-25-2009, 01:02 PM
New Arrival
Join Date: Jan 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Re: -=Computer Infections Be Gone
I have annoying malware that pops up even when I'm not on the Net. I've done heaps of scans that show up lots of infections that are then removed, but I still have the same problem.

01-25-2009, 07:33 PM
Grandest Duke
Join Date: Aug 2007
Location: GreasyGreenGreevilleville
Thanks: 2,903
Thanked 3,144 Times in 2,341 Posts
Re: -=Computer Infections Be Gone
Quote:
Originally Posted by Orchid
I have annoying malware that pops up even when I'm not on the Net. I've done heaps of scans that show up lots of infections that are then removed, but I still have the same problem.
If the number of different infections is numerous, as I suspect it is, it can be quite difficult to deliver the overall solution through a medium such as this. In this case I would suggest doing a full, new install of the OS, booting from the setup disk (not a restore, as that will simply restore the previous infections which were backed up).
If you have some information on a specific infection, such as filename, detailed behavior, etc., I would be happy to give you a few tips on how to get rid of that particular one.

01-26-2009, 07:50 AM
New Arrival
Join Date: Jan 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Re: -=Computer Infections Be Gone
I'm pretty sure the one I need to get rid of is a Vundo trojan or something. I've heard they are hard to remove.

01-26-2009, 10:40 AM
Grandest Duke
Join Date: Aug 2007
Location: GreasyGreenGreevilleville
Thanks: 2,903
Thanked 3,144 Times in 2,341 Posts
Re: -=Computer Infections Be Gone
Quote:
Originally Posted by Orchid
I'm pretty sure the one I need to get rid of is a Vundo trojan or something. I've heard they are hard to remove.
You're absolutely right. Vundo is a very nasty piece of work, as it is actually spyware, adware and a trojan all at the same time. Many scanners out there can detect it, and do offer to clean it, but they are unable to do so. There are actually very few scanners which can remove this one. One scanner I have found to work in cleaning Vundo is called SpyNoMore.
Personally, I do all my cleaning manually, and all adware, spyware, BHOs, and trojans are removed by hand from the registry, and file-system. I hate to trust any application to secure my machine, and I feel more comfortable having "cherry-picked" it myself, and more is learned by doing it this way.
FU Vundo.
[EDIT]
DISCLAIMER: zoklet.net and its affiliates take no responsibility whatsoever for the result of following the advice posted above. Any actions taken by you in regard to this advice, in whole or in part, is your complete responsibility.
Last edited by -SpectraL; 03-20-2009 at 01:08 AM.
Reason: attached disclaimer

02-03-2009, 03:26 AM
Member
Join Date: Feb 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Re: -=Computer Infections Be Gone
Okay, I got an e-mail from myself to myself saying "We have all your personal information."
Is that not fucked up?

02-03-2009, 04:24 AM
Member
Join Date: Jan 2009
Thanks: 0
Thanked 0 Times in 0 Posts
Re: -=Computer Infections Be Gone
Quote:
Originally Posted by SwifTst
Okay, I got an e-mail from myself to myself saying "We have all your personal information."
Is that not fucked up?
O RLY?
Couldn't resist

02-09-2009, 03:40 AM
Grand Duke
Join Date: Jan 2009
Thanks: 2,651
Thanked 1,561 Times in 1,002 Posts
Re: -=Computer Infections Be Gone
My Windows XP machine has some infection that causes Google results to be routed to strange IP addresses (like this: http://72.233.75.194/rs/v?phpses=c87...02720ccf6c453e) that try to run a script in my browser, which is fortunately blocked by NoScript in Firefox. It also makes it so that whenever I try opening a drive in My Computer, it tries to run some kind of autorun script or something of the like and prevents me from opening the drive; I have to right-click and click Explore in order to open the drive.
EDIT: My hosts file is unchanged. Even though it redirects my links, whenever I copy and paste the link, it works fine.
Last edited by Mutant Funk Drink; 02-09-2009 at 05:04 AM.
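The drive symptom in the post above (double-clicking the drive runs something, right-click Explore still opens it) is what a hijacked autorun.inf in the drive root produces, because `shell=<verb>` makes that verb the double-click default and `shell\<verb>\command=` says what it runs. The script below is an added example, not code from the thread: it parses autorun.inf text and lists every entry that would execute a command, marking the default verb. Both sample files are constructed and the `hidden\loader.exe` path is made up.

```python
"""List what an autorun.inf on a drive root would execute.

Added example, not code from the thread.  The autorun.inf texts below are
constructed samples; 'hidden\\loader.exe' is a made-up path.  Rules applied are
the documented autorun.inf keys: open= and shellexecute= run on AutoPlay,
shell\\<verb>\\command= defines a context-menu verb, and shell=<verb> makes
that verb the default (what double-clicking the drive runs).
"""
import configparser


def parse_autorun(text):
    """Return the [autorun] section as a {lowercased key: value} dict."""
    cp = configparser.ConfigParser(
        delimiters=("=",),    # ':' must not split C:\ paths
        strict=False,         # real-world files repeat keys
        interpolation=None,   # '%1' and %SystemRoot% are not ConfigParser syntax
    )
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return dict(cp.items(section))
    return {}


def launch_actions(entries):
    """List (trigger, command) pairs that would run code."""
    actions = []
    for key in ("open", "shellexecute"):
        if key in entries:
            actions.append((key, entries[key]))
    default_verb = entries.get("shell", "open").lower()
    for key, value in entries.items():
        parts = key.split("\\")
        if len(parts) == 3 and parts[0] == "shell" and parts[2] == "command":
            tag = "shell\\%s\\command" % parts[1]
            if parts[1] == default_verb:
                tag += " (default verb: runs on double-click)"
            actions.append((tag, value))
    return actions


# Constructed sample: a vendor CD that only sets an icon and a label.
BENIGN = """\
[autorun]
icon=setup.exe,0
label=Vendor Driver CD
"""

# Constructed sample: every launch path points at a made-up dropper, while the
# 'explore' verb is left alone, so right-click -> Explore still works.
HIJACKED = r"""
[autorun]
; constructed sample, not a real infection from the thread
icon=%SystemRoot%\system32\shell32.dll,4
open=hidden\loader.exe
shell=open
shell\open=Open
shell\open\command=hidden\loader.exe
"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN), ("hijacked", HIJACKED)):
        print(label, launch_actions(parse_autorun(text)) or "nothing executes")
```

On a real machine, read `X:\autorun.inf` from each fixed and removable drive root (the file is usually hidden and system-attributed) and feed its contents to `parse_autorun`; a non-empty result on a hard disk partition is almost never legitimate.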

02-09-2009, 07:04 AM
Member
Join Date: Feb 2009
Thanks: 10
Thanked 10 Times in 10 Posts
|
Re: -=Computer Infections Be Gone
Quote:
Originally Posted by Mutant Funk Drink
My Windows XP machine has some infection that causes Google results to be routed to strange IP addresses (like this: http://72.233.75.194/rs/v?phpses=c87...02720ccf6c453e) that try to run a script in my browser, which is fortunately blocked by NoScript in Firefox. It also makes it so that whenever I try opening a drive in My Computer, it tries to run some kind of autorun script or something of the like and prevents me from opening the drive; I have to right-click and click Explore in order to open the drive.
EDIT: My hosts file is unchanged. Even though it redirects my links, whenever I copy and paste the link, it works fine.
Sounds like a browser hijacker. I wouldn't know how to fix it, but I'm sure most A/V would pick it up. If not, try HijackThis and run it through an online log checker.

02-09-2009, 04:35 PM
Member
Join Date: Jan 2009
Location: Right next to that other place
Thanks: 24
Thanked 34 Times in 29 Posts
Re: -=Computer Infections Be Gone
Quote:
Originally Posted by SwifTst
Okay, I got an e-mail from myself to myself saying "We have all your personal information."
Is that not fucked up?
Some spammers spoof your email address as the source of their emails in order to try and get past spam filters. That trick used to work quite well, but new filters actually flag emails sent from the recipient as spam automatically.
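As an added example, not from the thread, here is the filter rule oddballz194 describes, run over two constructed messages: one forged with the recipient's own address in From:, one genuinely sent to self through the recipient's own webmail. The mailbox address, the MX's authserv-id `mx.example.org`, and the example.org/example.net domains are assumptions; only the Authentication-Results header written by your own MX is trusted, because a sender can include a forged one.

```python
"""Flag mail whose From: claims to be the recipient's own address.

Added example, not from the thread.  The two raw messages below are
constructed; example.org / example.net and 203.0.113.0/24 are reserved
documentation names.  Assumption: the inbound MX stamps an
Authentication-Results header (RFC 8601) carrying its SPF verdict.
"""
import email
import re
from email.utils import parseaddr


def normalize(addr):
    """Bare address, lower-cased.  RFC 5321 allows case-sensitive local
    parts, but no real mailbox relies on that, so compare case-insensitively."""
    _, bare = parseaddr(addr)
    return bare.lower()


def spf_passed(msg, authserv_id):
    """True only if an Authentication-Results header stamped by *our* MX says
    spf=pass; headers carrying another authserv-id may be sender-forged."""
    for ar in msg.get_all("Authentication-Results", []):
        if ar.strip().startswith(authserv_id) and re.search(r"\bspf=pass\b", ar):
            return True
    return False


def self_spoof_indicators(raw, own_address, authserv_id):
    """Return reasons to treat the message as a forged note-to-self.
    Empty list: either not claiming to be from you, or genuinely from you."""
    msg = email.message_from_string(raw)
    if normalize(msg.get("From", "")) != normalize(own_address):
        return []
    reasons = []
    own_domain = normalize(own_address).rpartition("@")[2]
    envelope_domain = normalize(msg.get("Return-Path", "")).rpartition("@")[2]
    if envelope_domain and envelope_domain != own_domain:
        reasons.append(
            f"envelope sender domain {envelope_domain} differs from {own_domain}")
    if not spf_passed(msg, authserv_id):
        reasons.append("no spf=pass from our own MX")
    return reasons


# Constructed spoof: header From is the victim, envelope sender is elsewhere.
SPOOF = """\
Return-Path: <bounce@example.net>
Received: from mail.example.net (mail.example.net [203.0.113.7]) by mx.example.org
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=bounce@example.net
From: "Alice" <Alice@Example.org>
To: alice@example.org
Subject: We have all your personal information

Pay up.
"""

# Constructed genuine note-to-self sent through the owner's own webmail.
LEGIT = """\
Return-Path: <alice@example.org>
Received: from webmail.example.org (webmail.example.org [203.0.113.20]) by mx.example.org
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=alice@example.org
From: alice@example.org
To: alice@example.org
Subject: note to self

Buy milk.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        print(label, self_spoof_indicators(raw, "alice@example.org", "mx.example.org"))
```

A message you genuinely send through a third-party relay can fail SPF, so use a non-empty result to quarantine or tag rather than to drop; a DKIM or DMARC verdict from the same header, where your domain publishes them, is the stronger signal.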

02-17-2009, 06:17 PM
Member
Join Date: Feb 2009
Thanks: 2
Thanked 23 Times in 14 Posts
Re: -=Computer Infections Be Gone
Quote:
Originally Posted by -SpectraL
1. make a copy of regedit.exe as regedit.com
2. run regedit.com from command prompt
3. export [HKEY_CLASSES_ROOT\.exe] to the desktop as 1.reg
4. delete [HKEY_CLASSES_ROOT\.exe]
I've studied this trick in Windows 7 Beta 1, and it doesn't work. Now, if you do the old "assoc .exe=txtfile", then it causes Windows Explorer to start notepad with the .exe file's contents displayed instead of running the program, but running the program from command prompt still works, as does running a program from any other program that has process spawning capabilities (such as Task Manager). Note that to fix the command I gave earlier, run "assoc .exe=exefile". The ftype command can also be used to modify the file associations to disable execution, but again it's limited to Windows Explorer.
I'm currently writing a program that I hope will work for this. I'll see about making it available when I'm finished.
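An added example, not code from the thread, covering the 1.reg backup in -SpectraL's trick and the assoc/ftype mapping in the post above: `assoc .exe` prints the default value of `HKEY_CLASSES_ROOT\.exe` and `ftype exefile` prints the default value of `HKEY_CLASSES_ROOT\exefile\shell\open\command`, and those two values are what the script checks. It parses a Regedit 5.00 export and reports any deviation from the stock values, so the backup can be inspected before it is imported back and a hijacked exefile handler (the usual way fake-AV inserts itself in front of every program launch) is caught at the same time. The two .reg texts and the `fakeav.exe` path are constructed.

```python
"""Audit a regedit-exported .reg backup of the .exe launch chain.

Added example, not code from the thread.  Regedit 5.00 exports are UTF-16LE
with a BOM; inside quoted values a backslash escapes backslash and double
quote.  The two .reg texts below are constructed samples.
"""
import codecs
import re

HEADER = "Windows Registry Editor Version 5.00"

# Stock values on XP/Vista/7.  Assumption: no legitimate launch shim installed.
EXPECTED = {
    r"HKEY_CLASSES_ROOT\.exe": {"@": "exefile"},
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": {"@": '"%1" %*'},
}


def _unescape(s):
    # .reg escapes: backslash-backslash -> backslash, backslash-quote -> quote
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(data):
    """Parse a .reg export into {key_path: {value_name: value}}.

    A key written as [-HKEY...] is a deletion and maps to None.  Only REG_SZ
    ("...") values are unescaped; hex(...) values are kept as raw text and
    their continuation lines (no '=') are skipped.
    """
    if isinstance(data, bytes):
        if data[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
            data = data.decode("utf-16")   # codec consumes the BOM
        else:
            data = data.decode("latin-1")  # 'regedit /e /a' or REGEDIT4 export
    lines = data.splitlines()
    if not lines or lines[0].strip() != HEADER:
        raise ValueError("not a Regedit 5.00 export")
    keys, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(-?)([^\]]+)\]", line)
        if m:
            current = m.group(2)
            keys[current] = None if m.group(1) else {}
            continue
        if current is None or keys[current] is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else _unescape(name.strip()[1:-1])
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def audit_exe_chain(reg):
    """Return findings for any deviation from the stock .exe launch chain."""
    findings = []
    for key, expected in EXPECTED.items():
        values = reg.get(key)
        if not values:
            findings.append(f"{key}: missing or deleted")
            continue
        for name, want in expected.items():
            got = values.get(name)
            if got != want:
                findings.append(f"{key}: {name} = {got!r}, expected {want!r}")
    return findings


# Constructed sample: clean export of both keys.
CLEAN_REG = (
    HEADER + "\r\n\r\n"
    r"[HKEY_CLASSES_ROOT\.exe]" "\r\n"
    r'@="exefile"' "\r\n"
    r'"Content Type"="application/x-msdownload"' "\r\n\r\n"
    r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]" "\r\n"
    r'@="\"%1\" %*"' "\r\n"
).encode("utf-16")

# Constructed sample: the handler points at a made-up fake-AV binary so every
# .exe launch is routed through it first.
HIJACKED_REG = CLEAN_REG.decode("utf-16").replace(
    r'@="\"%1\" %*"',
    r'@="\"C:\\Documents and Settings\\Owner\\Application Data\\fakeav.exe\" /run \"%1\" %*"',
).encode("utf-16")

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG)):
        print(label, audit_exe_chain(parse_reg(blob)) or "OK")
```

To produce real input, export both keys with `regedit /e backup.reg HKEY_CLASSES_ROOT\.exe` and `regedit /e handler.reg HKEY_CLASSES_ROOT\exefile` (the `/e` switch writes the same Regedit 5.00 format) and pass the file bytes to `parse_reg`. A real export of `HKCR\.exe` may carry extra subkeys such as PersistentHandler; the audit ignores anything outside the two keys it knows about.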