How can I be sure I got it all out of the system?


11 replies to this topic

#1 Maj. Matt Mason

  • Members
  • 10 posts
  • Gender:Male
  • Location:California

Posted 18 February 2009 - 11:36 PM

Hi, everyone! I came across this site after searching for a solution to a virus attack. Just looking over some of the posts here really helped!!

To make a very long story short (yes, this is the short version!)...

I have another computer system whose HD had crashed. After trying to get the HD to read one last time, I finally gave up and replaced the HDs. I then pulled out the restore discs I had made when I got the system, only to find that they had gone bad (every 3rd sector or so was unreadable, which was strange since I had used them a little over a year ago and they were fine). I started searching the web to see if there was any way to download the restore discs, which eventually led me to a Torrent search site. BAM! After entering the site, putting a search term in, and hitting the search button, the system went crazy. The antivirus was going off so fast I couldn't even see what was getting infected. I could not have been online with that site for more than 30 seconds or so when I finally pulled the plug on the system.

To shorten the story, over 1000 .EXE files had been altered (but their dates were not changed). Multiple virii, rootkits and the like were showing up. I pulled the HD and booted an older one to diagnose it. I deleted all files created at the time I went to the website. I then ran the antivirus, but was unable to clean the files and so I had to replace them almost one at a time! For the files I did not have, I just had to reinstall the apps and hope for the best. I was also able to load the infected registry into Regedit and pull out some of the more obvious changes. After doing what I could, I pulled out the backup drive and booted the system. I then spent the next couple of days going over everything I could think of, deleting suspicious-looking files and scanning and rescanning for virii, spyware, and rootkits.

Just when I thought I might have gotten it all, I noticed something very strange. ZoneAlarm would have entries in its program list for EVERY app I launched, even the command window! But it never reported accesses to the internet. After several hours of searching, I found Jestertb.dll in the Windows directory and removed it. I removed the extraneous programs from the ZoneAlarm list and think I finally got it all.

My question:

My paranoia these last few days kept yielding me another bug to remove. The system is running extremely well now, but that's when they get you - the stealthy one. How can I be sure it's all gone? Is there anything I can do that would give me a warm and fuzzy as to a clean bill of health (short of wiping the system and starting over)? Is there a kind soul there that can look at any logs to see if I'm clean? I'm a pretty tech-savvy guy doing tech support for large companies and have not had a personal virus issue in years. But I had never seen anything like this infect a system as fast as it did with as many different types of virii against so many files. Had the guy who put this up not tried to throw everything but the kitchen sink at an unsuspecting visitor, I may not have known I was even infected.

Thank you guys in advance for whatever suggestions and help you may have for me! :thumbsup:

Signed - Too Paranoid to Sleep


#2 Maj. Matt Mason

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:California

Posted 18 February 2009 - 11:44 PM

Apparently, I don't believe I got it all. ZoneAlarm is showing Windows Command Processor in its program list:

Posted Image

In a simple word: HHHEEEELLLPPPPP!!!!!!!

#3 Skydie

  • Members
  • 353 posts

Posted 19 February 2009 - 06:24 AM

Two words... Bloody Hell! When I was reading your post I was really feeling uneasy; how can a torrent site infect you so badly in less than a minute? :thumbsup: I'll get on with helping you now :flowers:

OK, first of all download MBAM (Malwarebytes) from this location http://www.download.com/Malwarebytes-Anti-...4-10804572.html (100% safe), then update it. After updating it, disconnect from the Internet and run a full system scan.

#4 Maj. Matt Mason

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:California

Posted 20 February 2009 - 08:23 AM

Thanks Skydie!

Malwarebytes found nothing.

I also tried Sophos Anti-Rootkit and found two hidden registry entries:

Posted Image

When I opened Regedit and looked at the entry for the second item, the load value was "missing". I created a new load value (empty) and ran the scan again and found that entry was fixed. I then added the Ext key and ran the scan again. This time, Settings, below Ext, showed as hidden. I created the Settings key and ran again to find this:

Posted Image

All of the CLSIDs appear to refer to MSTSCAX.DLL (dll has the same byte count as a clean machine). I also verified on a clean system that the Ext entry should not even exist. I deleted the entry and scanned again to find that it shows up as hidden again!

Next step?

Edited by Maj. Matt Mason, 20 February 2009 - 12:17 PM.
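A defender's check for the comparison made in the post above: byte count (and, as the first post notes, file dates) can match a clean copy while the content differs, so the reliable test is a hash comparison against a baseline taken from a clean machine. This is an added example, not code from the thread or from any of the tools mentioned; the directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path, pattern: str = "*.exe") -> dict:
    """Map relative path -> (size, sha256) for every matching file under root."""
    return {p.relative_to(root).as_posix(): (p.stat().st_size, sha256_of(p))
            for p in root.rglob(pattern) if p.is_file()}


def compare(clean: dict, suspect: dict) -> dict:
    """Classify suspect files against the clean baseline; same size but a different
    hash is the pattern left when bytes are overwritten in place."""
    report = {"modified_same_size": [], "modified": [], "unexpected": [],
              "missing": sorted(set(clean) - set(suspect))}
    for rel, (size, digest) in sorted(suspect.items()):
        if rel not in clean:
            report["unexpected"].append(rel)
            continue
        clean_size, clean_digest = clean[rel]
        if digest != clean_digest:
            key = "modified_same_size" if size == clean_size else "modified"
            report[key].append(rel)
    return report


def demo() -> dict:
    """Constructed clean and suspect trees (not real system files) to exercise compare()."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, suspect = Path(tmp, "clean"), Path(tmp, "suspect")
        for root in (clean, suspect):
            (root / "Windows").mkdir(parents=True)
            (root / "Windows" / "notepad.exe").write_bytes(b"MZ" + b"\x00" * 62)
            (root / "Windows" / "cmd.exe").write_bytes(b"MZ" + b"\x00" * 62)
        # Equal-length overwrite with the timestamp restored: size and date checks both miss it.
        target = suspect / "Windows" / "cmd.exe"
        stat = target.stat()
        target.write_bytes(b"MZ" + b"\x00" * 30 + b"\xab" * 32)
        os.utime(target, ns=(stat.st_atime_ns, stat.st_mtime_ns))
        return compare(baseline(clean), baseline(suspect))
```

Point `baseline()` at a mounted clean volume and the suspect volume (as the poster did by booting from another disk) and any file in `modified_same_size` is one a byte-count check would have passed.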


#5 Maj. Matt Mason

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:California

Posted 21 February 2009 - 02:59 PM

I discovered that the HKLM\SYSTEM\CurrentControlSet\Services\VxD key appears to be "missing". Scans with Sophos Anti-Rootkit and RootkitRevealer don't show anything, but I would think that the entry should be there and populated with something.

Any ideas?

#6 Skydie

  • Members
  • 353 posts

Posted 21 February 2009 - 04:17 PM

Sorry I haven't been on for a while :trumpet: OK, please download SAS (SuperAntiSpyware). SAS and MBAM work like a charm together :flowers: Here's the link http://www.download.com/SuperAntiSpyware-F....html?tag=mncol (100% safe). When using SAS, always update the definitions first :thumbsup: . Then disconnect (after updating) and finally run a full system scan.

#7 Skydie

  • Members
  • 353 posts

Posted 21 February 2009 - 04:19 PM

Sorry, I'm not familiar with Sophos :thumbsup:

#8 Skydie

  • Members
  • 353 posts

Posted 21 February 2009 - 04:20 PM

However I know it's a pretty good anti-virus and the anti-rootkit capabilities are pretty good too. Let's not worry about Registry entries yet, hopefully Sas can pick up anything in there.

#9 Maj. Matt Mason

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:California

Posted 22 February 2009 - 01:37 AM

I was going to provide good news, but then...well, you know! :thumbsup:

I have a Linux server I'm using as a router/firewall, so I turned on a sniffer to record all traffic from my system to the internet. I went to a few sites and then checked the logs. Nothing unexpected. I then left the system on with the browser open and just let it sit for a few hours. No traffic at all except for a few updates from an RSS feed from Google (normal). I began to think I may just be chasing my own tail on this one.

Later in the evening, I found that Notepad had been added to the ZoneAlarm program list, but only AFTER I printed a document (I have an IP printer). ZoneAlarm had been installed about 2/3 of the way through getting the original virus attack out, so at some point its files must have been infected and cleaned, but left in a slightly corrupted state. So, this morning, I completely uninstalled it, went through both the HD and registry removing any trace of it, and then finally reinstalled it. All my programs began to behave properly and there was no sign of any unexpected program in the ZoneAlarm list.

I again went through the registry, and did find some evidence of one of the virii, but its actual files had already been deleted, so I just deleted the entry from the registry. Apart from the hidden registry entry in my prior post, everything looked OK.

I came back to this post and saw your reply, and was just going to reply back, but thought, "what the heck" and ran SuperAntiSpyware. The "good" news is that it only came up with a few problem cookies (which I deleted). The bad news was that during the scan, McAfee popped up with 2 files that had the W32/Virut.n.gen virus (cleaned)!

I also found ERDNT.EXE, which did not show as a virus, but deleted anyway.

Back to %#@$ square one!

One change note. I had completely uninstalled Firefox and deleted all folders, files, and registry entries (backing up the Bookmarks.html file ONLY). Sometime after all my sniffer tests, I tried to put my bookmarks back. I did scan the file a few times with McAfee, but is it possible a virus could hide in the Bookmarks.html file since some binary data (icons) is also stored in that file?

And Windows Explorer (Explorer.exe) is again popping back up in the ZoneAlarm list simply by launching CMD.EXE. Again, this does not occur on the known clean system.

In the meantime, I'm running yet ANOTHER full drive scan with McAfee.

Ready for the big guns when you are!

P.S.

As I mentioned before, Sophos Anti-Rootkit finds some hidden keys under

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\

Starting with Ext. If I put the key name back and scan again, it finds the next key down until eventually it becomes:

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4EDCB26C-D24C-4e72-AF07-B576699AC0DE}]
"Flags"=dword:00000001
"Version"="*"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7390f3d8-0439-4c05-91e3-cf5cb290c3d0}]
"Flags"=dword:00000001
"Version"="*"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{7584c670-2274-4efb-b00b-d6aaba6d3850}]
"Flags"=dword:00000001
"Version"="*"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{9059f30f-4eb1-4bd2-9fdc-36f43a218f4a}]
"Flags"=dword:00000001
"Version"="*"


If I try to delete these keys, they just become hidden again. I've "replaced" the keys as they are above and at least Sophos no longer finds hidden registry entries.

And I have also found that the program list in ZoneAlarm has grown again to include the Windows Command Processor (cmd.exe), Task Manager, Sophos Anti-Rootkit, and McAfee's On Access Scanner.

Edited by Maj. Matt Mason, 22 February 2009 - 07:07 AM.


#10 Skydie

  • Members
  • 353 posts

Posted 22 February 2009 - 02:30 PM

OK, I think ZoneAlarm is being tweaked by a rogue process. The situation is extremely bad with your computer, but it's not clean either. I therefore recommend you post a HJT log on this part of the forums http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/ and also here's a preparation guide for a HJT log http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ In a few days a trained HJT team member (if you haven't received a reply in 5 days, post here http://www.bleepingcomputer.com/forums/t/176012/post-in-this-thread-when-you-havent-received-an-answer-in-five-days/ ) will help you with your problem. Hopefully you'll clean your computer with their help :thumbsup:

#11 Maj. Matt Mason

  • Topic Starter
  • Members
  • 10 posts
  • Gender:Male
  • Location:California

Posted 22 February 2009 - 03:36 PM

Thanks for all your help. I really do appreciate it!

#12 Skydie

  • Members
  • 353 posts

Posted 23 February 2009 - 03:08 PM

No problem :thumbsup: Good luck in removing that virus :flowers:



