
Thread: my parents got pawned ... root kit

  1. #11
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm,

    1. You must keep the OS up to date.
    2. Use an AV and keep it up to date
    3. Use a firewall and keep it up to date.
    4. If your e-mail has "preview" turn it off (it launches malware)
    5. http://www.winpatrol.com
    6. http://www.diamondcs.com.au/index.php?page=products There are some nice free tools on that site

    RegistryProt and WinPatrol will give some protection against nasties trying to install and register themselves.

  2. #12
    Another good monitoring program like WinPatrol is WinPooch.
    http://sourceforge.net/projects/winpooch/

  3. #13
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    Gee Whizz, walk away to get some coffee... and so many responses before I pressed submit....lol


    As you mentioned, "the lack of running windows update or via web pages..." Another family member using the computer, Instant Messengers, Chatrooms, receiving .jpgs from others, and now the re-emerging threat of malware in Word Document attachments - to mention only a few. As you see the list goes on and on. I don't want to start a family disruption, but event logs, history logs, router logs, and the like may very well lead you to the person that unknowingly or knowingly downloaded the junk. Just to relate a story...

    I remember several times my teenage son's computer would come to a screeching halt and he would say the same thing. "But I didn't download a virus." A quick check of the logs and I found he was surfing anime sites and I would just follow the trail. In amongst the files were some of the most erotic pictures imaginable. And of course he did click on them, thus the download was completed. Some he didn't click on, but just viewed the page.

    Bottom line, after a rootkit... a format & install is most likely forthcoming. If you are attempting to restore the system exactly as it was, be sure to download a hdd washer as well. It will place 0s, via algorithm selection, on a multitude of the sectors. Slave their drive to another and run the program. The reasons should be self-explanatory, but it may help disrupt a possible re-emergence of the same malware or other programs.

    Then complete your build up and follow Nihil's 1 thru 6.

    cheers
    Connection refused, try again later.

  4. #14
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    You might also have your parents quit the IE habit. Don't know about this one, but a lot of this stuff installs itself on PCs via Internet Explorer. The default config for IE is wide open to this kind of thing, and properly config'ing IE is beyond most users. Put them in Firefox or Opera.

    I also recommend home users, especially newbies, switch to Yahoo, Hotmail or some other web-based email system that has built-in AV protection. If this one came in via email, it wouldn't have made it past Yahoo's system into the PC.

    Just the facts...
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  5. #15
    Blast From the Past
    Join Date
    Jan 2003
    Posts
    729
    yes IE is full of holes

    so is FF, Opera, and all the other browsers out there but the holes just haven't been discovered yet...

    you just need to find the browser that isn't a priority target for attackers.


    Getting on the internet is like driving through the worst part of town at the worst time of night in a brand new car. If you are lucky you can get through.. if not... someone pulls out their '9mm rootkit semi-auto' and no more new car.
    work it harder, make it better, do it faster, makes us stronger

  6. #16
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Jeez, I drive thru the worst part of town all the time, and with the full intent of getting lucky.

    “Everybody is ignorant, only on different subjects.” — Will Rogers

  7. #17
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    When the only idea is Reinstall, the whole purpose of the thread is wasted..

    Currently my most reliable method of dealing with rootkits is remote scanning of the partition/drive.
    That is either remove the HDD from the machine and scan it in a clean machine with the appropriate tools..OR as is my current practice.. A BootCD with a USB drive with the updated tools.. the boot cd currently is BartPE.. you could do the same with a *Nix OS..

    When a remote scanning technique is used the "Cloaking" is ineffective.. then all you need is to be able to identify the files..
    NEXT.. you need a Registry Scanner.. to get the troublesome Keys removed.. like the keys that prompt your boxen to auto download a new version of the rootkit..nice huh
    THEN.. the clean up.. remove the files mentioned earlier.. Windows/temp, doc&settings/user/localsettings/temp and temp internet.. not forgetting windows/prefetch

    But in all this even with the best tools, the cleanup is only as good as the observation skills of the tools user..
    If your reason to do the cleanup is to have a clean machine.. then clean install.. if it is to remove the malware and not spend weeks restoring software, and finding data.. then learn from the exercise
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #18
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmm,

    When the only idea is Reinstall, the whole purpose of the thread is wasted
    There is another aspect to it, in that it is his parents' box and I believe he is also looking for ideas on how to stop it happening again.


  9. #19
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    he is also looking for ideas on how to stop it happening again.
    true.. a point I failed to mention/clarify
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  10. #20
    Member
    Join Date
    Sep 2005
    Posts
    77
    Not sure if I missed it, but how did you uncover this file in the first place? Just by checking the running processes?
    Either way, adding to what Und3ertak3r was saying:

    When a remote scanning technique is used the "Cloaking" is ineffective.. then all you need is to be able to identify the files..
    NEXT.. you need a Registry Scanner.. to get the troublesome Keys removed.. like the keys that prompt your boxen to auto download a new version of the rootkit..nice huh
    THEN.. the clean up.. remove the files mentioned earlier.. Windows/temp, doc&settings/user/localsettings/temp and temp internet.. not forgetting windows/prefetch
    There are a few useful utilities out there for cleaning up the registry should you find some unwanted entries.

    RegClean4.3 - Easy to read GUI, very easy to use program which displays reg keys for installed software...whether new or old and allows for effortless cleanup/removal of reg keys.

    and in case you stumble across any reg entries that prove to be stubborn in deleting
    check out a few of Sysinternals reg tools:

    Rootkit Revealer - Good for locating hidden reg keys... usually registry keys that contain embedded-null characters.
    These keys sometimes will not let you manually delete them, Sysinternals has another handy tool for removing those reg keys called REGDELNULL


    Good luck!
    %42%75%75%75%75%72%70%21%00
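The two ideas that run through Und3ertak3r's post (#17) and the reply above (#20) are that cloaking stops working once the disk is enumerated from a clean boot environment, and that the registry keys a rootkit leaves behind can be ones with an embedded NUL in the name, which regedit cannot display or delete. The following added example (not code from this thread or from any of the Sysinternals tools it names) shows both checks as a small cross-view comparison: a file listing taken on the running system is compared against one taken of the same disk from a boot CD, and any path that exists offline but is missing live, or whose size/hash differs, is reported. The `path|size|sha256` listing format and every path and digest in it are constructed for the example.

```python
"""Cross-view comparison: live listing vs. offline listing of the same disk.

Added illustration; not code from the thread or from any tool it mentions.
A kernel-level rootkit that filters what the running OS reports cannot filter
what a rescue-CD scan of the same disk sees, so entries present offline but
absent live (or present in both with different content) deserve a closer look.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    size: int
    sha256: str  # hex digest; the sample values below are constructed, not real


def parse_listing(text: str) -> dict[str, Entry]:
    """Parse 'path|size|sha256' lines (a constructed format for this example).

    Keys are lower-cased so that NTFS's case-insensitive paths compare equal
    even if the two tools printed them with different casing.
    """
    entries: dict[str, Entry] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        path, size, digest = line.split("|")
        entries[path.lower()] = Entry(path, int(size), digest)
    return entries


def cross_view_diff(live: dict[str, Entry], offline: dict[str, Entry]) -> dict[str, list[str]]:
    """Return paths hidden from the live view and paths whose content differs.

    'hidden'   - seen by the offline scan but not reported by the running OS
    'tampered' - seen by both, but size or hash differ (e.g. a clean copy is
                 being served to the live system in place of the real file)
    """
    hidden = [offline[k].path for k in sorted(offline) if k not in live]
    tampered = [
        offline[k].path
        for k in sorted(offline)
        if k in live
        and (live[k].sha256 != offline[k].sha256 or live[k].size != offline[k].size)
    ]
    return {"hidden": hidden, "tampered": tampered}


def suspicious_key_names(names: list[str]) -> list[str]:
    """Flag registry key names that contain an embedded NUL.

    The native registry API accepts such names, but tools that treat the name
    as a C string stop reading at the NUL, so the key neither displays nor
    deletes normally. This is the kind of key the post refers to.
    """
    return [n for n in names if "\x00" in n]


# Constructed sample: listing taken on the running (possibly subverted) system.
LIVE_LISTING = """\
C:\\Windows\\System32\\kernel32.dll|984576|1111
C:\\Windows\\System32\\drivers\\example.sys|20480|2222
C:\\Windows\\Temp\\setup.log|2048|3333
"""

# Constructed sample: the same disk enumerated from a boot CD.
OFFLINE_LISTING = """\
C:\\Windows\\System32\\kernel32.dll|984576|1111
C:\\Windows\\System32\\drivers\\example.sys|20480|9999
C:\\Windows\\Temp\\setup.log|2048|3333
C:\\Windows\\Temp\\hidden_loader.exe|16384|4444
C:\\Windows\\Prefetch\\HIDDEN_LOADER.EXE-00000000.pf|4096|5555
"""

# Constructed sample of subkey names read from an autostart location.
SAMPLE_KEY_NAMES = ["Run", "Run\x00hidden", "RunOnce"]


if __name__ == "__main__":
    report = cross_view_diff(parse_listing(LIVE_LISTING), parse_listing(OFFLINE_LISTING))
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind}: {p}")
    for name in suspicious_key_names(SAMPLE_KEY_NAMES):
        print("embedded-NUL key name:", name.encode("unicode_escape").decode())
```

In practice the two listings would be produced by the same hashing tool run once from the live system and once from the boot CD against the mounted volume; the comparison is only meaningful if both runs cover the same directories (the temp, Temporary Internet Files and Prefetch locations named in the post are the ones worth including).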
