I have a worm. PC worm
Last night Spybot asked me if I would like to allow some registry changes. I denied them all; I found them sus. Later on the network was lagging. I noticed about 200 packets being sent a second.
I did a spyware scan and found a few trojan downloaders, browser hijackers and a few things like a mass mailing worm. Now I found added startups, winlogan.exe and winsto.exe.
There were odd processes like _svchost.exe.
netstat showed millions of SMTP connections (Simple Mail Transfer Protocol) to mail servers. This has caused the router to lock up twice today. I think it also is starting up in safe mode too.
These are the files I found:
_svchost.exe ieupdr.exe update228.exe update247.exe update266.exe
winlogan.exe
winsto.exe
2 batch files
_it.bat (I would post the script but the file is gone)
I also have
uninst5481731.bat
The script is:
@echo off
:begin
REM %1 is the file path passed on the command line; retry until it is gone
del %1
if exist %1 goto begin
REM then delete this batch file itself (%0 is its own name)
del %0
Now I'm thinking that deletes 1% of my data or a random piece of data.
Also I found c:/windows.0/wsnpoem/video.dll and audio.dll.
That's w32.agent.pz.
_svchost.exe was w32.tiny.abk.
I also found a folder called explorer.exe containing explore.exe and klog.dat,
an obvious keylogger.
Any idea on how to remove all this crap?
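The netstat symptom described in the post above (a burst of SMTP connections from one workstation) can be checked mechanically. This is an added example, not code from the original thread: it parses constructed Windows-style `netstat -an` lines and flags a host holding outbound port-25 connections to more distinct mail servers than a normal mail client would use; the threshold `max_hosts` and the sample addresses are assumptions.

```python
"""Flag mass-mailer behaviour in `netstat -an` output: a workstation that
normally talks to one mail relay suddenly holds outbound port-25
connections to many unrelated hosts."""
import re
from collections import Counter

# One Windows-style netstat line: proto, local addr:port, remote addr:port, state
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")

def parse_netstat(text):
    """Yield (proto, remote_ip, remote_port, state); header lines are skipped."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m or m.group(5) == "*":
            continue
        yield m.group(1), m.group(4), int(m.group(5)), m.group(6)

def smtp_fanout(text, max_hosts=5):
    """Summarise outbound SMTP. 'suspicious' when port-25 connections target
    more distinct hosts than max_hosts (a mail client uses one or two relays)."""
    hosts = Counter()
    for proto, rip, rport, _state in parse_netstat(text):
        if proto == "TCP" and rport == 25:
            hosts[rip] += 1
    return {
        "smtp_connections": sum(hosts.values()),
        "distinct_smtp_hosts": len(hosts),
        "verdict": "suspicious" if len(hosts) > max_hosts else "ok",
    }

# Constructed sample: two normal connections plus a burst of half-open SMTP
# sessions to many unrelated mail servers, the pattern of a mass mailer.
SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1029       192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.5:1030       10.0.0.7:443           ESTABLISHED
  TCP    192.168.1.5:1031       203.0.113.10:25        SYN_SENT
  TCP    192.168.1.5:1032       203.0.113.11:25        SYN_SENT
  TCP    192.168.1.5:1033       198.51.100.20:25       SYN_SENT
  TCP    192.168.1.5:1034       198.51.100.21:25       ESTABLISHED
  TCP    192.168.1.5:1035       198.51.100.22:25       SYN_SENT
  TCP    192.168.1.5:1036       192.0.2.30:25          SYN_SENT
  TCP    192.168.1.5:1037       192.0.2.30:25          SYN_SENT
  UDP    192.168.1.5:137        *:*
"""

if __name__ == "__main__":
    print(smtp_fanout(SAMPLE))  # verdict: suspicious (7 connections, 6 hosts)
```

On a real box, pipe the output of `netstat -an` into `smtp_fanout` and compare against the count you recorded on a clean day; the threshold belongs in your baseline, not in the script.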
- floodhound2
- ∑lectronic counselor
- Posts: 2117
- Joined: 03 Sep 2006, 16:00
- Location: 127.0.0.1
- bad_brain
- Site Owner
- Posts: 11636
- Joined: 06 Apr 2005, 16:00
- Location: In your eye floaters.
To be honest it makes no real sense trying to repair a system which is THAT infected already. It'll most likely take longer than to make a new install and it's also likely the system will be damaged afterwards....
Save your stuff to a DVD, set up a fresh system, scan the DVD before you copy any files back again....and make sure to protect your system better this time, use a good browser like FF or K-Meleon and a good AV like Kaspersky 6.
Oh, and best change all passwords, you never know what data has been transferred already...
InfoSec - clean install
InfoSec is layers. I'll try to explain some of them.
First off, you do need to start with a clean install. Learn to protect your data (read all the posts this week about people who lost access due to various computer crashes). Keep your data off the hard drive; I like to back up not only to another disk, but online as well. The data you keep on your hard drive is merely a copy, not the original.
The clean install is recommended for Windows boxes anyway, especially if you install/uninstall programs a lot, or even surf a lot: you not only clean out all the junk in the registry, but you'll also wipe any trace of what you have been doing this year.
Never trust your computer, but trust a clean install. After you perform a clean install and carefully reinstall patches and third party appz, you _baseline_ your box. A baseline is not just a feeling that everything is ok. The baseline should be something that you can verify and duplicate. Some people get confused - "how do I remember all those processes that run in windows, which processes are bad like scvhost.exe, how to read my registry, etc". It is actually easy to baseline, you only need to look for what is _not_ right. Anomalies like strange packets trying to get sent over the network, or processes running that you did not call. The genius is knowing how to verify that anomaly.
Your clean install should always be the same, otherwise you'll never have a pattern to easily recognise. Usually the order is OS, drivers, patches, third party appz. You trust your OS, drivers, and patches because of their source - a CD with MS certified logo/halo, and drivers and patches that you kept on a disk separate from other data, like a hacking tool you downloaded from THC.
I don't have many problems with accessing a verified site for the latest download or patch during the clean install; the only problem is new versions of patches or drivers could make an anomaly. Been there, done that, and got the t-shirt.
Again, the genius is how to verify the anomaly.
Other areas of InfoSec deal with monitoring, repudiation, encryption, and secure deletion.
I didn't cover tools used to protect your clean install, as everyone has their preferences. But you do need an AVP, a network firewall, and malware scanner.
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
- MusicOnlineCentre
- forum buddy
- Posts: 21
- Joined: 04 Dec 2007, 17:00
- Location: WWW
Re: InfoSec - clean install
DNR wrote: "how do I remember all those processes that run in windows, which processes are bad like scvhost.exe, how to read my registry, etc".
DNR
So.. Hold on, is the process 'scvhost.exe' a bad one .. Ah, don't worry, I have a svchost.exe lol, hopefully the 'vc' being the other way around means you are talking about a different .exe
svchost or scvhost?
I am going to call you MoC for short
This is my point exactly, a little tongue-in-cheek if you will.
Deleting svchost.exe will cause you a world of problems
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
- Big-E
- Administrator
- Posts: 1332
- Joined: 16 May 2007, 16:00
- Location: IN UR ____ , ____ING UR _____ .
Re: InfoSec - clean install
DNR wrote: InfoSec is layers. I'll try to explain some of them.
First off, you do need to start with a clean install. Learn to protect your data (read all the posts this week about people who lost access due to various computer crashes) .....
DNR
Good post, but to touch base on a few more things and go in more depth than what DNR had stated, I have the following advice. Take it for what it's worth.
Do not connect your computer directly to the internet after a clean install; it takes only minutes for a worm to attack an unpatched system. Thus, if you DO connect it, ensure that the FIRST thing you do is your Microsoft Updates. If you can get your hands on the latest XP release, that would also be beneficial as there are fewer vulnerabilities.
Also, ensure that you know where your OS image came from. The XP versions released on torrent sites sometimes have malware already in the image. One would be surprised. I personally use a Corporate XP Pro disc that I have obtained through an undisclosed process.
As he also mentioned, anomalies are essentially the easiest way to find out that something doesn't belong on your system. However, packet analysis is a whole art in itself - thus, not everyone can do it. What one can do is run an IDS (Intrusion Detection System). I suggest looking up either SNORT or OSSEC and running those; I currently run both on my network along with a firewall.
So, basically SNORT/OSSEC and SonicWall = monitoring and repudiation (which essentially means denial of traffic)..but the true benchmark used in the InfoSec industry is the CIA process, which I believe they are ultimately straying away from today and looking to other processes because currently the methods are just not that effective.
I believe that it is due in part to the CIA method leaving gaps in security with respect to human-computer interaction and the responsibility that the method leaves on the end user - too much.
Anyway, enough of my tangent; what I am getting at is this. You can do EVERYTHING to secure your system, but the second you download that porn and release the virus on your computer, there is not too much that your security can do about that - except warn you that something isn't right.
repudiation
Let's keep the thread going.
Big-E, let me correct something you said:
"repudiation (which essentially means denial of traffic)."
What I meant was different and a serious, inherent defect in the Internet.
Noun 1. repudiation - rejecting or disowning or disclaiming as invalid; renunciation
rejection - the speech act of rejecting
(law) a voluntary repudiation of a person's legal claim to something
disowning, disownment - refusal to acknowledge as one's own
Spoofing one's identity, or login. How can you really be sure that it's _you_ that logs in as Big-E? How can we be sure that this post written in your name was by you? The same goes for your credit card: when it travels up the network to check on your debit account, should it make sure that it's you?
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
- Oppconsulting
- Fame ! Where are the chicks?!
- Posts: 205
- Joined: 05 Aug 2007, 16:00
- Location: Wheres Waldo
svchost.exe
winlogan.exe
These are normal, get that straight and stop confusing the room.
OK, next read my tutorial on how to remove spyware and viruses; this PC can and probably could be salvaged if done right.
Take the drive out like my instructions say, scan, etc.
If you follow everything to the letter you have a chance of saving it, or at least, if not saving it, backing up the data. PM or ask if you don't understand my walkthrough in the tutorials section.
- Big-E
- Administrator
- Posts: 1332
- Joined: 16 May 2007, 16:00
- Location: IN UR ____ , ____ING UR _____ .
Oppconsulting wrote: svchost.exe
winlogan.exe
These are normal, get that straight and stop confusing the room.
OK, next read my tutorial on how to remove spyware and viruses; this PC can and probably could be salvaged if done right.
Take the drive out like my instructions say, scan, etc.
If you follow everything to the letter you have a chance of saving it, or at least, if not saving it, backing up the data. PM or ask if you don't understand my walkthrough in the tutorials section.
Before you start making comments like this, please ensure that winlogan.exe is in fact a real Windows process. Really, it is not; it's malware. In fact, even winlogin.exe can be a trojan/virus if located elsewhere other than the system32 folder, in which the file is typically 20992 bytes in size but it varies (this is just the most common size found).
Also @ DNR - I will respond to the above, I am busy right now and don't have time at this current moment.
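DNR's advice to baseline a clean install and look for what is not right, and the svchost/scvhost and winlogan/winlogon confusion in the posts above, can be covered by one check. This is an added example, not code from the thread: each running image path is compared against an assumed known-good table of process names and the directory each must live in, flagging near-miss names as lookalikes and baseline names in the wrong directory as masquerades; `BASELINE`, the sample process list and the two-edit distance threshold are constructed assumptions.

```python
"""Baseline check for a Windows process list: each running image is compared
with a known-good table of names and the directory each must live in, and
near-miss names (scvhost, winlogan, _svchost) are flagged as lookalikes."""
import ntpath

# Assumed baseline for a stock XP-era box (constructed for this example); a
# real one is recorded from your own clean install, as DNR describes.
BASELINE = {
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the usual lookalike budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(image_path):
    """Return (verdict, reason) for one running image's full path."""
    directory, name = ntpath.split(image_path.lower())
    if name in BASELINE:
        if directory == BASELINE[name]:
            return "ok", "baseline name in its expected directory"
        return "masquerade", f"{name} belongs in {BASELINE[name]}"
    # A leading underscore or a one/two-character change is the classic trick.
    close = [k for k in BASELINE if edit_distance(name.lstrip("_"), k) <= 2]
    if close:
        return "lookalike", f"{name} resembles {close[0]}"
    return "unknown", "not in baseline; verify before trusting it"

# Constructed process list echoing the names argued about in the thread.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\scvhost.exe",
    r"C:\WINDOWS\_svchost.exe",
    r"C:\WINDOWS\system32\winlogan.exe",
    r"C:\WINDOWS\explorer.exe\explore.exe",
    r"C:\WINDOWS\svchost.exe",
]

if __name__ == "__main__":
    for path in SAMPLE_PROCESSES:
        verdict, why = classify(path)
        print(f"{verdict:10} {path}  ({why})")
```

Anything other than "ok" is the anomaly DNR talks about; the verdict tells you what to verify (hash, signature, parent process), not that the file is malware.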
- Oppconsulting
- Fame ! Where are the chicks?!
- Posts: 205
- Joined: 05 Aug 2007, 16:00
- Location: Wheres Waldo
go ahead, light the fuse
Big-E wrote: Before you start making comments like this, please ensure that winlogan.exe is in fact a real Windows process. Really, it is not; it's malware.
It's not "whatever", it's not even an opinion, but a statement of fact.
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
- isapiens
- Fame ! Where are the chicks?!
- Posts: 533
- Joined: 05 May 2006, 16:00
- Location: Turn around
I was just thinking... I think I have zero experience with malware and viruses. I pretty much never got them, and if I did I just reformatted the system...
I wonder if that's a bad thing or a good thing.
Fluoridation is the most monstrously conceived and dangerous communist plot we have ever had to face.
good boy!
The fact that you can survive by reformatting says a lot of good things about your computing habits.
DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.