Pacisoft Virus - Page 2
Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 23

Thread: Pacisoft Virus

  1. #11
    Senior Member isle_of_infamy's Avatar
    Join Date
    Dec 2003
    Posts
    136

    searching registry

    thanks zenger but nothing came up when I searched for that value data.

    i'll be back in an hour i wanna take a nap lol

  2. #12
    Member
    Join Date
    Jan 2005
    Posts
    73
    Personally, I'd consider a reformat. But then, I like reformatting my machine fairly regularly anyway
    \"The future stretches out before us, uncharted. Find the open road and look back with a sense of wonder. How pregnant this moment in time. How mysterious the path ahead. Now, step forward.\"
    Phillip Toshio Sudo, Zen Computer
    Have faith, but lock your door.

  3. #13
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Yeah, Wolfrune, you're a glutton for punishment.

    According to what I've found on the net, pacisoft is a startup infection, so there is something in the registry referencing that folder location and looking for a startup or startup config file. Hijackthis may miss it.

    If safemode won't get you where you want to go, you might want to look at the Windows version of UltimateBootCD (http://www.ubcd4win.com/) and try to analyze the registry and file system from that. It is possible that the infection is hiding registry keys or other things from you even in Safemode.

  4. #14
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    Here one prog that can find hiden registry entries


    http://www.sysinternals.com/utilitie...trevealer.html

    The term rootkit is used to describe the mechanisms and techniques whereby malware, including viruses, spyware, and trojans, attempt to hide their presence from spyware blockers, antivirus, and system management utilities. There are several rootkit classifications depending on whether the malware survives reboot and whether it executes in user mode or kernel mode.

    Hope evrything that left......
    // too far away outside of limit

  5. #15
    Senior Member isle_of_infamy's Avatar
    Join Date
    Dec 2003
    Posts
    136
    ok root kit revealer identified some hidden files, and that folder was 1 of them. here look at the gif screen shot i took for u Sir Babis http://www.boredinnc.net/ftp/Webpage/revealer.gif

    u see that mpestfat9.sys file in system32 folder ? hmm i cannot seem to locate it even when revealing hidden files. so how do i go about deleting that i wonder? noticed the date time stamp on the reg keys and the sys file and the folder all correspond to 9-27-05. seemingly these r are all culprits, but mysteriously evading my hand of wrath.


    i downloaded the ultimate boot cd off that page, but i am not gonna use that just yet until i know what i am doing. thanks.


    oh by the way i managed to delete those windows services detected on the Root kit scan by going into the registry and manually deleting them.

    thanks all again for help

  6. #16
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    Could you send that .sys file, i wish to study it.

  7. #17
    Senior Member isle_of_infamy's Avatar
    Join Date
    Dec 2003
    Posts
    136

    would if i could

    i would if i could, but it's not visible so the thing is i dunno how to do that. it's deemed ghostware as opposed to spyware. i am waiting on sir babis to try to help me figure out how i can manipulate the file. he helped me locate it thus far so that's half the battle, but if i can manage to manipulate the file somehow yeah i can send it to u.

    i tried to type in attrib -a -h -r -s c:\windows\system32\mpestfat9.sys
    but it says file not found.

  8. #18
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    What you are describing sounds a lot like the description from the SANS ISC handler about a week ago:

    http://isc.sans.org/diary.php?date=2005-09-22

    About the only way you are going to get to the Registry and file system and nail these bad boys is to boot from a CD that allows you to edit the hidden registry keys, and the hidden file system stuff. The boot CD I pointed you to will do that. BTDT, got the t-shirt.

    Use the ISO to burn a CD and boot to it. Very straightforward.

  9. #19
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    I got one ide that may be can work.

    Export whole registry to some file and then file try to file that file name in the extracted file.
    Then create own registry file that will remove it.


    here some examples about how you do export:

    1) you can use regedit )) start->run->regedit
    2) you can use console )) copy and insert in text file and save it filename.bat then run it may work

    ::------bat.file-------
    reg export HKLM HKLM.reg
    find HKLM.reg "Unismith"
    if errorlevel == 0 start /w wordpad HKLM.reg

    reg export HKCU HKCU.reg
    find HKCU.reg "Unismith"
    if errorlevel == 0 start /w wordpad HKCU.reg


    reg export HKCR HKCR.reg
    find HKCR.reg "Unismith"
    if errorlevel == 0 start /w wordpad HKCR.reg

    reg export HKU HKU.reg
    find HKU.reg "Unismith"
    if errorlevel == 0 start /w wordpad HKU.reg

    reg export HKCC HKCC.reg
    find HKCC.reg "Unismith"
    if errorlevel == 0 start /w wordpad HKCC.reg

    ::--------en of bat.file---------
    3) how to create regfile that will remove regkey
    3.1) remove reg value

    [HKEY_CLASSES_ROOT\someK]
    InfoTip=-

    this will remove value "InfoTip" in key "someK"

    3.2) remove key
    [-HKEY_CLASSES_ROOT\someK]

    this will remove "someK" key
    // too far away outside of limit

  10. #20
    Senior Member isle_of_infamy's Avatar
    Join Date
    Dec 2003
    Posts
    136

    not sure

    I fixed my problem because;

    I jus made a crucuial discovery of an error i made. i was looking in the wrong directory for mpestfat9.sys seemingly i was thinking it was located in C:\WINDOWS\SYSTEM32, but it was in fact located in C:\WINDOWS\SYSTEM32\DRIVERS

    by deleting the sys file i was able to also delete unismith folder in safe mode and boot up successfully in normal mode. sorry for all the fuss.

    also these 3 hidden registry directorys do not show up anymore when i scan
    with rootkit revealer. so problem is fixed 100%
    HKLM\SOFTWARE\CqiU2ACteU6m
    HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSK116X
    HKLM\SYSTEM\ControlSet001\Services\MSK116x

    thanks all for help especially sir babis for the rootkit revealer program. it proved to be invaluable.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides