Tweaks.com Forum / Windows & System Security / Virus / Spyware Problems and Security Software Issues / Horribly destructive infection, please help / Latest Posts

RE: Horribly destructive infection, please help

APK — Fri, 30 May 2008 10:18:01 GMT

[quote][b]quietman7 (5/28/2008)[/b][hr][quote]Most average users don't know how to do that.[/quote]

Seems the original poster DID though... he had rogue filenames.

[quote][b]quietman7 (5/28/2008)[/b][hr][quote]And as part of the disinfection process we help them understand how they got infected and how to keep from getting reinfected[/quote]

Fact is, you don't REALLY need automatic remover tools... not really & also, as to making it so it REALLY never happens again (IF you can obey some simple rules)?

All here -> [b] HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA even (so you DON'T "get hit" again):[/b]

[url]http://forum.tweaks.com/forum/Topic230980-28-1.aspx[/url]

In that post's "VIRUS SPYWARE REMOVAL SECTION" ?

[b]I outline HOW to use RC (possibly ProcessExplorer also) for that (determining culprits & also, destroying them), & finding what the user's hassle is in rogue processes that are LOCKED while inside RPL3/Ring3/Usermode operations under Explorer.exe shell!

(Also, vs. rootkits he suspected (bootsector type))

[quote][b]quietman7 (5/28/2008)[/b][hr][quote]Malware Removal Experts like RichieUK are able to assist them with easy to understand directions using specialized fix tools developed by other experts.[/quote]

ON "Experts" - a purely relative term... but, not knocking Rich... & that's where * I THINK * you have me wrong... I was merely pointing out alternate methods, period, that need nothing more than free tools or ones you have already (no 'automators' necessary really).

(YES - Automatic "killer" programs are nice & "time savers" too... 'script kiddie tools' really (this is no putdown, they ARE someone's hard work & time freely given many times), & they DO move faster than folks can... but, I have also seen them generate "false positives" too, on that note. "Want a job done right? DO IT YOURSELF" if possible)

I'd largely wager? He'll tell you the same, & on MOST accounts noted here.

APK

P.S.=> On virus removals & such? As part of my duties, professionally since 1994?? I've done literally 1,000's for paying customers, ranging from home users all the way up thru corporate networks under attack (by those & far worse) @ the tune of $150 per hour or more...

Personally speaking, & I'd wager Ritchie will agree? Once you get a GOOD set of tools & some understanding of what is needed??? This isn't "rocket science"... I'd bet even Ritchie will tell you that! Only takes a small amount of time studying a few with the right tools, & you don't even NEED "automatic virus/spyware killers" etc. really! apk

RE: Horribly destructive infection, please help

quietman7 — Wed, 28 May 2008 06:22:18 GMT

[quote]...& as far as "trojan files" too, DEL command in RC does the job...[/quote]
The infection and the malware files have to be identified first. Most average users don't know how to do that. Malware Removal Experts like RichieUK are able to assist them with easy to understand directions using specialized fix tools developed by other experts. That's why we have this and the HJT forum. And as part of the disinfection process we help them understand how they got infected and how to keep from getting reinfected.

RE: Horribly destructive infection, please help

APK — Tue, 27 May 2008 08:49:18 GMT

It's only 7 days old... & the point of MY reply was to simply point out that you DON'T really need 3rd party tools for many removals... inclusive of bootsector originated ROOTKITS (fixmbr takes care of those, "lickety split, no XXXX") & as far as "trojan files" too, DEL command in RC does the job on those, same effort/speed (fast & painless).

APK

RE: Horribly destructive infection, please help

RichieUK — Mon, 26 May 2008 18:21:11 GMT

APK,this is an old topic which has since been resolved.

RE: Horribly destructive infection, please help

APK — Mon, 26 May 2008 17:23:10 GMT

You know, there is a VERY easy method to stop the problem child(s) you are seeing... & you ALREADY OWN THE TOOLS:

[b]RECOVERY CONSOLE[/b]

(Boot from your XP/Server 2003/VISTA install media, & run it there (via bootoptions menus choices then))

OR, just install it to your OS drive, via :

1.Insert the Windows XP CD into the CD-ROM drive.
2.Click Start, and then click Run.
3.In the Open box, type d:\i386\winnt32.exe /cmdcons where d is the drive letter for the CD-ROM drive.
4.A Windows Setup Dialog Box appears. The Windows Setup Dialog Box describes the Recovery Console option. To confirm the installation, click Yes.
5.Restart the computer. The next time that you start your computer, "Microsoft Windows Recovery Console" appears on the startup menu.

Then once you are booted & logged into it, use:

FixMBR

&

DEL (filename)

Once in the folder/directory (via CD dos command) where those rogue files are, burn them, in RC... using DEL.

* This type of info. is in my "HOW TO SECURE Windows 2000/XP/Server 2003 & VISTA, & make it 'fun to do', via CIS Tool Guidance" post in this section of these forums in fact.

(Specifically in its VIRUS/SPYWARE/ROOTKIT REMOVAL section).

You MAY have to use SECPOL.msc & give yourself rights to folders other than %windir% & its subordinates though, if the rogue files aren't underneath Windows itself... because RC's default ACL to those things is just %windir% & its subordinate folders only.

Start in Left-hand side pane of secpol.msc -> Security Settings -> Local Policies -> Security Options (now right-hand side pane of secpol.msc) -> Recovery Console: Allow Floppy Copy and Access to all drives and folders

APK

RE: Horribly destructive infection, please help

RichieUK — Sun, 18 May 2008 02:50:00 GMT

You're welcome:)

RE: Horribly destructive infection, please help

Fennesz — Sat, 17 May 2008 05:07:00 GMT

Thanks for the reply.

http://forum.tweaks.com/forum/Topic239612-29-1.aspx

RE: Horribly destructive infection, please help

RichieUK — Sat, 17 May 2008 03:46:14 GMT

Welcome:)
Download [b][url=http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe][color="red"]Trend Micro HijackThis 2.0.2[/color][/url][/b] to your desktop:
Double click on HJTInstall.exe,it will prompt you to extract hijackthis.exe to C:\Program Files\Trend Micro\HijackThis.
When the install is complete,HijackThis will automatically launch.
When the license agreement appears,select "I Accept" and then click on the "Do a system scan only" button.
When the scan is complete,click on the "Save Log" button,then save it to your desktop.
Copy and paste the entire contents of that log into a new topic in the [b][url=http://forum.tweaks.com/forum/Forum29-1.aspx]HijackThis Logs forum[/url][/b],[b][color="red"] not here.[/color][/b]

Horribly destructive infection, please help

Fennesz — Fri, 16 May 2008 20:32:09 GMT

Hi. Yesterday I picked up on some rogue processes, and then over until this afternoon those few sprouted into many including (not precise) "mrofinu", "syst3m32.exe", "DILx.tmp" with "x" being a number between 1-15, and another I can't remember now. Amongst all this many important files became corrupt, including explorer.exe, and the internet was almost completely non-fucntional up until Generic Host Process (svchost.exe) crashed and took me offline properly until I restarted.

This evening I reformatted because I didn't see any possible salvage, but the problem seems to have brilliantly survived the wipe. My Temp folder is now full of DILx.tmp files again, and explorer among other things (the process that handles 16bit applications) have started to fail again. New processes, or ones I didn't notice before, have appeared, including ___r.exe and ___synmgr.exe.

I heard things can survive in the MBR, but I have no idea how to tackle this and in what order so as to actually contain the spread.

Help?

Edit: As a side note, most of the drivers I need to be installing are 16 bit, so I don't even have a working AGP chipset.