Which Linux distro should I use to try and remove the malware?


7 replies to this topic

#1 Luxi_Terna
Posted 30 December 2016 - 11:54 PM

I run Win7 Professional (so I can use all 32G). If only you knew the power of the dark side... a 16G ramdisk for temp and paging files! And you can edit a 4K HD movie in memory.

I ran ComboFix.

Okay, I'm definitely infected. ME, the computer security grad student!

...I mean my PC got infected. Amazingly, I've managed not to.

► crss.exe is doing continuous disk I/O, right now, while I type. There's no reason Win7 should be doing a shadow copy and I don't have auto-defrag on, so I suspect it's being encrypted by the Russian Mafia. I unplugged my backup drive (which you can do while the system is running if there are no writes buffered. Look at the different lengths of the contacts on the connector. The power connection disconnects first, then everything else. Cool, huh!).

► There is no crss.exe in Windows, System32, or anywhere on the disk. There's supposed to be.

► You can't kill it: "access denied." And there's no way to tell where the executable launched from.

► sfc /scannow says it found corrupt system files but is unable to fix them.

► Chkdsk won't start but the Cancel button works.

► AVG virus scan hangs at 6%.

► I noticed that my AVG firewall isn't running and when I try to run it, it says that I have to buy it. I already bought it, and antivir is running (but it's surely been hacked). It ran great two months ago when I inserted some UDP/RDP blocking rules.

► My "Everything" file lister won't load its database, and when I try to recreate it, the drive scan hangs.

► The properties dialog box of my "Users\luxi\Application Data" directory doesn't even try to show the number of files or total size. That area of the dialog is blank.

► My "Users\luxi\Application Data" has a subdir called Application Data, and it recurses forever. That is, the file path is all filled up with "Application Data" subdirs. If I drop to DOS and do dir *.* /s from my user directory, it coughs up hundreds of error messages saying that the name of file [filename] is too long, probably because of the infinitely recursive path name.

And it's not a shortcut. If I delete any of the lower-level subdirs, I delete the real Application Data. It's not a file or directory or shortcut; the Russian bastard used an NTFS file system structure called a "junction".

So of course I thought "okay, cross-linked clusters," but chkdsk WILL run in DOS in safe mode, and it finds no errors. Is there a freeware NTFS integrity-check utility?

► I can boot Linux from a Bitdefender bootable CD, but it hangs after you select "English" on the first screen. It didn't do that two months ago.

That last one (preventing a bootable antivir scanner) makes me think it's that new low-level partition virus that starts before your disks even initialize(!) The only cure is buying new drives and using UEFI. (It doesn't infect those.) I didn't want to use UEFI when I assembled this monster because I may have to boot from the CD or run Linux or something.

I always wondered why no one ever thought of hacking the EEPROMs in the PC and drives. I guess somebody else thought of it, too. Probably the NSA.

I read about the unholy abomination in InfoWorld (where I'm banned, BTW). I wish I could remember the virus's name. It was a single word about 8 letters and I think it started with "c".

It tricks you into installing it by pretending it's Windows Update. I remember a couple of weeks ago, I clicked OK when a Windows Update window popped up, and just as I did, I remember noticing something wrong with its appearance, but 2 late 4 Lux!

Oh well.

Action items:

1) I just want to find out the name of this thing so I can know what it's doing to my computer.

2) Unless you recognize the symptoms, please tell me what diagnostic software I should run and post (yes, yes, in the other thread). I'm now downloading and running all the special-purpose crapware removers you guys have.

__________

Right now I'm watching my drive activity light stay on and it's hard-driving me crazy. I'm thinking, "Some stranger just grabbed my data drive without asking my permission or even telling me what's going on; I'll find out when it happens! He's doing whatever he wants to it right in front of me, blatantly. The little green light is on continuously, not even blinking, and I'm helpless; I can't make it stop. I'm just an audience watching someone else use my system."

I was in a situation like this before. It's not that something bad is happening; it's that I don't know WHAT'S happening. It's that I'm overwhelmed with outrage, and offended that this son of a bitch has the GALL to just go ahead and help himself to my stuff, right in front of me.

Yeah, sure, use my drive! It's not mine; it's yours! Do anything you want to it! Hold it for ransom! Encrypt it! Erase, steal, alter *MY* data right the hell in front of me, just like I'm not even here!

Eventually, the little green light will go dark. No more activity. Suddenly, it's all over, and I'll lie here on my bed with my computer saying "WTF just happened?" I feel outraged, walked on, and pissed off. I hope he didn't plant a virus in my drive, something that will wake up and start more trouble.

Somebody, somewhere has de-engineered it in hex machine instructions, right down to the bare metal. Where can I go to hook up with him? Can I boot into Linux and do something?

Please help; for the first time I can remember, my bag of Jedi tricks is empty.

-Lux, helpless dancer


Edited by Luxi_Terna, 31 December 2016 - 04:34 AM.
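Two of the symptoms in the post above lend themselves to a quick defender-side triage check: a running process whose name is one letter off a core Windows process name (crss.exe versus csrss.exe) and whose image cannot be found on disk, and directory junctions under the user profile that make dir /s recurse until the path is too long. The script below is an added example for this thread, not code from the original post or from any tool mentioned in it. It assumes Windows PowerShell 5.1 or later (for the LinkType and Target properties on Get-Item) and an elevated session so that the image path of SYSTEM-owned processes is readable; the list of core process names is the example's own choice. It walks the profile without following reparse points, and reports each junction together with its target. Windows 7 profiles contain compatibility junctions of their own (Application Data under AppData\Local points back to AppData\Local), so the useful signal is where each junction points rather than its mere presence.

```powershell
# Added example (not from the original thread). Assumes Windows PowerShell 5.1+
# and an elevated session; the core-process name list is this example's choice.

function Get-EditDistance {
    # Levenshtein distance between two strings, case-insensitive.
    param([string]$a, [string]$b)
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    $d = New-Object 'int[,]' -ArgumentList ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1),
                                     $d[($i - 1), ($j - 1)] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Find-SuspiciousProcessNames {
    # Core Windows process names that malware commonly imitates (example's own list).
    $coreNames = @('csrss.exe', 'smss.exe', 'lsass.exe', 'svchost.exe', 'wininit.exe',
                   'winlogon.exe', 'services.exe', 'explorer.exe', 'lsm.exe', 'dwm.exe')
    $sysRoot = $env:SystemRoot.TrimEnd('\') + '\'
    foreach ($p in Get-CimInstance Win32_Process) {
        $name = $p.Name
        if (-not $name) { continue }
        $reason = $null
        if ($coreNames -contains $name) {
            # A genuine core process is loaded from under %SystemRoot% (System32 for most).
            if (-not $p.ExecutablePath) {
                $reason = 'core name but image path unreadable (run elevated to confirm)'
            } elseif (-not $p.ExecutablePath.StartsWith($sysRoot, 'OrdinalIgnoreCase')) {
                $reason = "core name loaded from outside $sysRoot"
            } elseif (-not (Test-Path -LiteralPath $p.ExecutablePath)) {
                $reason = 'image path no longer exists on disk'
            }
        } else {
            # One edit away from a core name: crss.exe vs csrss.exe, svch0st.exe vs svchost.exe.
            $near = $coreNames | Where-Object { (Get-EditDistance $name $_) -eq 1 }
            if ($near) { $reason = "name is one edit away from $($near -join ', ')" }
        }
        if ($reason) {
            [pscustomobject]@{
                Name      = $name
                ProcessId = $p.ProcessId
                Path      = $p.ExecutablePath
                Reason    = $reason
            }
        }
    }
}

function Find-ProfileReparsePoints {
    # Lists every directory reparse point (junction or symlink) under the profile with its
    # target. The walk never descends into a reparse point, which is what keeps it from
    # looping the way 'dir *.* /s' does on a self-referencing junction.
    param([string]$Root = $env:USERPROFILE)
    $stack = New-Object System.Collections.Stack
    $stack.Push((Get-Item -LiteralPath $Root -Force))
    while ($stack.Count -gt 0) {
        $dir = $stack.Pop()
        $children = @()
        try { $children = $dir.GetDirectories() } catch { continue }   # skip access-denied dirs
        foreach ($child in $children) {
            if (($child.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
                $item = Get-Item -LiteralPath $child.FullName -Force
                [pscustomobject]@{
                    Path     = $child.FullName
                    LinkType = $item.LinkType
                    Target   = ($item.Target -join ';')
                }
            } else {
                $stack.Push($child)
            }
        }
    }
}

Find-SuspiciousProcessNames | Format-Table -AutoSize
Find-ProfileReparsePoints   | Format-Table -AutoSize
```

A core-named process whose image path is unreadable in an elevated session, or a near-miss name with no path at all, is worth pulling apart with Process Explorer or Autoruns before anything is deleted; a junction whose target lies outside the profile, or outside AppData for an AppData-named link, is the one to look at first in the second listing.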



 


#2 Luxi_Terna (Topic Starter)
Posted 31 December 2016 - 03:57 AM

I'm going to boot Linux and try to kill that thing¹ while it sleeps. But this distro site has ISO images for 11 different flavors and I haven't done Unix in a long, long time. So which one is stable, has a robust GUI and lots of ancillary programs and utilities—particularly disk and malware utilities?

Thanx,

--Lux

_______________

¹See previous message thread.



#3 shadow_647

Posted 31 December 2016 - 04:06 AM

Beats me, but I like Linux Mint myself and have it on my laptop; the GUI is like WinXP or Win7-ish and it's a live boot, so if you know how to use Windows...

It's not hard to learn how to use Mint if you know how to use Windows; it's why I like it.

As for computer repair tech Linux DVDs, I don't know of any, and the last time I looked into it for a dedicated Linux burn-in DVD, what I found was weak and command-line land.

Why not just use these? I'm sure you know about them with your background in computer repairs, but I'll list them anyway.

http://www.hirensbootcd.org/

http://www.ultimatebootcd.com/

As for the hardcore hacker Linux OS, this is the most well known, but there are really like 5 or so out there in this style.

https://www.kali.org/



#4 Luxi_Terna (Topic Starter)

Posted 31 December 2016 - 05:37 AM

Thanx, Members! Unfortunately I just discovered that I'm out of blank DVDs.

What is darknet? Sounds like the kind of thing I like! Is it that onion protocol you access with Tor?



#5 quietman7

Posted 31 December 2016 - 07:07 AM

Everything You Need to Know About Linux Live CDs
Run any Live Linux CD from within Windows
How to Fix a Windows Infection Using Linux

#6 shadow_647

Posted 31 December 2016 - 10:15 AM

Hemm clamAV hu, last I checked it's just a signature blacklist-based AV; nothing to lose using it, but I wouldn't count on it finding anything or being able to do anything.

And I know Clam well, used to use it.

BTW, go get a 25-pack of cheapo DVDs; shouldn't cost much.

Sounds like the computer is massively owned. Anyway, here are some tools I like using when you have to do it the hard way.

https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

https://technet.microsoft.com/en-us/sysinternals/tcpview.aspx

https://technet.microsoft.com/en-us/sysinternals/bb842062

--------------------------------------------------------------------------

Nice little vid about some pro that makes looking for Stuxnet look like a kids' game.

Might like this seeing as you're a computer security grad student!

https://en.wikipedia.org/wiki/Stuxnet

 


Edited by shadow_647, 31 December 2016 - 10:18 AM.


#7 Luxi_Terna (Topic Starter)

Posted 31 December 2016 - 10:21 PM

> Hemm clamAV hu,

What does that mean?

> Nice little vid about some pro that makes looking for Stuxnet look like a kids' game.

Yeah, we looked at Stuxnet in detail, how it works. The US paid maybe a million dollars to damage exactly two Iranian centrifuges. In the meantime, Russia and China do cyber-sabotage right.

> Might like this seeing as you're a computer security grad student!

You sound sarcastic. And you bolded the phrase. Maybe you don't believe I'm in school (at WNMU). I gave up trying to repair wrong people a long time ago.

Or maybe it's the opposite, and you think mentioning computer security classes is inappropriate in fora about computer security.

Either way, I don't care. Unfortunately, autism makes other people's intentions opaque to me. But I don't care about that, either. Normals fight to be "king of the hill" when only autistics can see that there isn't a hill.


Edited by Luxi_Terna, 31 December 2016 - 10:39 PM.


#8 opera

Posted 01 January 2017 - 01:49 AM

What happens in safe mode without networking?
