
WORD macro virus - help & advice please [Solved]


#46 trampas (Topic Starter, Member, 99 posts)
In some ways it might be best to skip over this post ! It's provided just so you have all the info maliprog.

A bit more information regarding the RAID driver that I replaced. In my post above (#35) I made this statement :

"On CD (and currently active) is a driver dated Dec 2002 and size 61,408 bytes."

Apologies, but I need to re-state what the situation was more accurately :

"Currently active is a driver dated Dec 2002 and size 61,408 bytes. I assume this must have come from the motherboard CD originally, which I used when rebuilding the PC last time."

Obviously that statement now relates to the past and the RAID driver has just been replaced.

Assumptions are sometimes a bad thing. When I actually checked the motherboard CD there was no sign of a RAID driver with date Dec 2002 or size 61408 bytes. When the driver was active I viewed it in Device Manager which showed its version number was 1.0.0.0. The proper driver dated April 2003 (from the manufacturer floppy disk) has a version number 5.1.2600.112 and this is the same as the driver (the XP version) on CD. It also matches the one on CD in regard to date and size.

(Two other drivers are on CD, for Win2000 and NT. Neither one is close to the size of the driver that I was running earlier (v 1.0.0.0). )

In short, I cannot explain what happened to my RAID driver between about 5 March and 12 April. It must have been v 5.1.2600.112 originally. The driver could have been corrupted, just like other files but that doesn't seem to explain everything. Anyway I'll leave it there for now.

EDIT: Further investigation into this has shown that when I rebuilt the PC on about 5 March I ran a utility on the motherboard CD called makedisk.exe. This is how owners are supposed to create their manufacturer disk. I did it this way to ensure that the RAID driver came off the CD. On p5-38 of the manual it says "A floppy disk with VIA RAID driver is required when installing Windows XP/2000/NT operating systems. Make sure to create a RAID driver floppy disk using Makedisk.exe utility for VIA RAID function before installing your operating system."

The weird thing is, this disk contains older copies of the RAID drivers and not the ones that are actually visible to Windows Explorer on the CD.

Mystery solved. Whether the older drivers are stable is not known !

Edited by trampas, 13 April 2012 - 09:22 PM.

#47 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
OK. Just to sum things. Your system is clean and there is nothing to remove from my point of view.

Do you have any malware problems now?

#48 trampas (Topic Starter, Member, 99 posts)
The trojan virus attached to a restore point is still there.

From what you say that isn't a particular threat. More concerning is when and how I acquired that virus. About 2 days ago I connected the PC to the internet to get Avira updates. I didn't open any browser.

So if a virus was downloaded at that time it was done by software that bypassed my new Comodo firewall. Maybe that is an issue ?

The date of the restore point file is unknown but I guess it could be determined.

Out of caution I haven't rebooted the PC for 2 days because I didn't want to make matters worse. I can't really say if the corruption problem has gone. Changing the RAID driver may have improved things.

The 'save changes' problem has been nailed I suspect.

It's possible that my personal files are clean now but I'm not sure of this. I just downloaded a virus and I don't know how. Avira has known about the virus for a few years so the recent update shouldn't have made a difference in when it was detected.

The last helper, happyrock, suggested using a sandbox whilst opening a WORD file, just to see if anything malicious was being done.

Overall, I guess I'd appreciate your view at this point. :)

I'll reboot the PC a few times over the next day to see what happens with File System checks.

t.

#49 trampas (Topic Starter, Member, 99 posts)
Another long post but may contain useful info...

Just a quick update - after a couple of reboots I've seen no further file corruptions.


In folder C:\System Volume Information I see two folders which contain restore points. One of these (active one) is
_restore{186340FA-A7E6-44BF-B6AD-A5AC7E82A950}

The properties for that folder say that it was created on 10 March 2012 at 12:16pm. Supposedly that folder contains 10,270 files in 171 folders and takes up 2.3 GB of space on disk. These folders are for restore points RP0 to RP46 (with a partly filled folder ready for the next restore point RP47).

In the Avira quarantine folder is a file called A0019439.com (580KB) whose path indicates that it came originally from folder RP42 in the same _restore{...} folder above.

Folder RP42 contains 639 files and was created on 10 April 2012 at 4:04pm. In that folder are two files that have the combofix icon, whose file names are
A0019438.com 4.2MB 10 April Cr 5:36pm Mod 5:13pm ?Mod before Cr?
A0019440.com 1.0KB 11 April 9:43am

and obviously file A0019439.com has been removed from that folder.

A0019438.com appears to be the ComboFix NSIS Installer
A0019440.com is a shortcut to E:\ComboFix.exe [ E: is a flash drive ???]

If file A0019439.com was infected after it was created (reasonable?) then the virus attached itself to that file on or after 10 April 2012 4:04pm. Maybe the identity of that file can be deduced from the other two.

EDIT: just noticed that OTL.COM is 580 KB. It's in the same folder as ComboFix.exe.

In the System Restore utility I can see that restore points were created as follows :
10 April 4:04pm System Checkpoint ?RP42
12 April 8:08am System Checkpoint ?RP43
12 April 11:00am Update to unsigned driver ?RP44
13 April 5:06pm Software Distribution Service 3.0 ?RP45
14 April 5:40pm System Checkpoint ?RP46
15 April <none>

My initial guess would be that RP42 became corrupted on 13 April when I connected the PC to the internet to get Avira updates but I'm really not certain. The virus was detected on 13 April at 7:09pm.

I don't know enough about System Restore to say a lot more but I can see that the number of files in each RP folder varies a lot. Some RPxx folders contain application files as well but RP42 is the only one from RP37-46 that has files with ComboFix icons. It may not be significant that the virus was attached to A0019439.com.

An alternative explanation is that RP42 was the most recent restore point created on the PC when one of its files became infected. I don't currently know a way to view the modification date on file A0019439.com without restoring it from quarantine. But that date might be useful to see.

I connected the PC to the internet for a short time on 11 April ~9:45pm [11 April ~4:45am US] - as per the earlier posts in this thread. At that time RP42 was the most recent restore point. And that occasion was the one and only time from 10-14 April that I plugged my 3G modem directly into the PC. (Doing that has been a problem in the past when the PC was already open to the hacker.)

By 13 April I'd got my hardware firewall up and running so that ought to have blocked any connection initiated from the internet side.

I don't know if any of the above is helpful.....

t.

Edited by trampas, 15 April 2012 - 12:57 AM.

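The restore-point reasoning in post #49 can be made mechanical. The script below is an added example, not code from the thread or from any tool it names: it takes the restore-point times and the two RP42 file timestamps as the post lists them (year 2012 is assumed from the edit dates; A0019440.com's modified time, which the post does not give, is assumed equal to its creation time), works out which point was the newest at each event, and reads the "Mod before Cr" oddity the post flags. It relies on two facts: a file copy gets a fresh creation time but keeps the original's last-write time, so modified < created is the normal signature of a backed-up copy rather than tampering; and System Restore copies a monitored file into whichever RPnn folder is newest when the original is changed or deleted, so the window in which A0019439.com could have been placed into RP42 is bounded by the RP42 and RP43 creation times.

```python
"""Restore-point timeline for the RP42 question in post #49.

Added example, not code from the thread or from any tool it names.
Every value below is transcribed from the post or assumed as noted;
nothing is read from a real C:\\System Volume Information folder.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class RestorePoint:
    number: int
    created: datetime
    description: str


@dataclass(frozen=True)
class RpFile:
    rp: int             # the RPnn folder holding the copy
    name: str           # A00nnnnnn name given by System Restore
    created: datetime   # when the copy was made
    modified: datetime  # last-write time carried over from the original


# Restore points as listed in the post (year 2012 assumed from the edit dates).
POINTS = [
    RestorePoint(42, datetime(2012, 4, 10, 16, 4), "System Checkpoint"),
    RestorePoint(43, datetime(2012, 4, 12, 8, 8), "System Checkpoint"),
    RestorePoint(44, datetime(2012, 4, 12, 11, 0), "Update to unsigned driver"),
    RestorePoint(45, datetime(2012, 4, 13, 17, 6), "Software Distribution Service 3.0"),
    RestorePoint(46, datetime(2012, 4, 14, 17, 40), "System Checkpoint"),
]

# The two ComboFix-related copies still in RP42. A0019440.com's modified
# time is not given in the post, so it is assumed equal to its creation time.
FILES = [
    RpFile(42, "A0019438.com", datetime(2012, 4, 10, 17, 36), datetime(2012, 4, 10, 17, 13)),
    RpFile(42, "A0019440.com", datetime(2012, 4, 11, 9, 43), datetime(2012, 4, 11, 9, 43)),
]

# Investigator-supplied events taken from the thread.
EVENTS = [
    (datetime(2012, 4, 11, 21, 45), "3G modem plugged in, online for about 12 minutes"),
    (datetime(2012, 4, 13, 19, 9), "Avira detects A0019439.com in RP42"),
]


def restore_point_active_at(points, when):
    """The restore point that was the newest one at `when` (None if none yet)."""
    earlier = [p for p in points if p.created <= when]
    return max(earlier, key=lambda p: p.created) if earlier else None


def placement_window(points, number):
    """System Restore copies a monitored file into whichever RPnn folder is
    newest when the original is changed or deleted, so RPnn's contents were
    copied between its creation and the next point's creation (None = still
    open). This bounds when A0019439.com could have landed in RP42."""
    ordered = sorted(points, key=lambda p: p.created)
    for i, p in enumerate(ordered):
        if p.number == number:
            nxt = ordered[i + 1].created if i + 1 < len(ordered) else None
            return p.created, nxt
    raise KeyError(f"no restore point RP{number}")


def classify_timestamps(f):
    """A copy gets a fresh creation time but keeps the original's last-write
    time, so modified < created is the normal signature of a backed-up file,
    not evidence of tampering; modified > created means the copy itself was
    written to after it was made, which is the case worth investigating."""
    if f.modified < f.created:
        return "copied (last-write time preserved from the original)"
    if f.modified > f.created:
        return "written after being copied: investigate"
    return "created and modified together"


def timeline(points, files, events):
    """Merge restore points, copied files and events into one ordered list."""
    rows = [(p.created, f"RP{p.number} created: {p.description}") for p in points]
    rows += [(f.created, f"RP{f.rp}\\{f.name} copied in [{classify_timestamps(f)}]") for f in files]
    rows += [(t, f"event: {text}") for t, text in events]
    return sorted(rows, key=lambda r: r[0])


if __name__ == "__main__":
    for when, text in timeline(POINTS, FILES, EVENTS):
        rp = restore_point_active_at(POINTS, when)
        print(f"{when:%d %b %H:%M}  newest=RP{rp.number if rp else '--'}  {text}")
    start, end = placement_window(POINTS, 42)
    print(f"RP42 received copies between {start:%d %b %H:%M} and {end:%d %b %H:%M}")
```

Run stand-alone, the timeline shows RP42 as the newest point during the 11 April connection and RP45 as the newest at the 13 April detection, and dates the copy of A0019439.com into RP42 to between 10 April 4:04pm and 12 April 8:08am. Whether the copy was already infected when it was taken, or was written to afterwards, is a separate question that the quarantined file's own last-write time would settle.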

#50 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi trampas,

Your logs and system are clean now. There is no trace of any malware on it. You are safe to use it any way you like. We need to clean up your PC from the programs we used.

Step 1

First we will remove malware from system restore to clean up your PC.

You must turn OFF then turn ON your system restore in order to remove all restore points and remove malware.

To do this you can follow This article

Step 2

Please start OTL one more time and click the CleanUp button. OTL will restart your system at the end. Remove all other applications we used to clean your PC.

General recommendations

Here are some recommendations you should follow to minimize infection risk in the future:

1. Delete Temp files

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once its finished it should reboot your machine, if not, do this yourself to ensure a complete clean

2. Make Backups of Important Files

Please read this article Home Computer Data Backup.


3. Regularly update your software

To eliminate design flaws and security vulnerabilities, all software needs to be updated to the latest version or the vendor’s patch installed.

You should download Update Checker from here. The program will automatically check for newer versions of the software installed on your system.

#51 trampas (Topic Starter, Member, 99 posts)
Hi maliprog

First of all thanks for the latest post. Lots of good info there.

Secondly, some more strange happenings that I need to report unfortunately.

I booted the PC this morning. Once again there was no File System check. :))

I logged on as the restricted user. Whilst that was taking place I noticed that a yellow triangle appeared in the system tray and inside the triangle was an exclamation mark. However this icon disappeared after about 5 seconds and this wasn't simply because the icon had become hidden. A bit odd but I ran up the event viewer to see if I could view the cause. The message was fairly brief and it was something like :

'The file system has become corrupted and unusable. Please run Chkdsk.'
(I can get the exact message later. EDIT I CAN confirm that no file name was specified.)

I logged off and logged back on as admin-su. No yellow triangle this time, so I opened Control Panel in order to access event viewer but something else odd happened. When I do this I normally click on the Administrative Tools folder, then on Event Viewer. There are other ways to do it, of course e.g. from the RUN command. Anyway, in the Administrative Tools folder I would normally expect to see the Event Viewer icon plus 5 other icons. This morning there was an extra one : desktop.ini. And the date on the ini file is 10 Mar 2012. I'm fairly sure I haven't seen that ini file before.

When I see something like this just appear I become suspicious. This is what the ini file contains :

"[LocalizedFileNames]
Event Viewer.lnk=@%SystemRoot%\sysem32\shell.dll,-22029
<5 similar lines>
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll, -21762"

Does the presence of this ini file modify how these tools are being run ?


There's a bit more. About 10 minutes after logging in as admin-su the yellow triangle appeared in the system tray. This time it had a balloon which said :

"Windows - Corrupt File
The file or directory
C:\WINDOWS\system32\config\system.LOG is corrupt and
unreadable. Please run the Chkdsk utility"


I haven't done anything significant with the PC since receiving that caution. And I decided *not* to open Event Viewer whilst logged in as user admin-su because of desktop.ini.

However, with the RAID tool I verified that the mirror disk was still a perfect copy of the master.
"Mirror Disk Verification Result
Mirror Disk is identical with Source Disk"

So this raises an interesting point. If the latest file corruption was caused by a bad sector on the master disk then the master disk ought now to have at least one sector that's different to the mirror. As it doesn't, that suggests to me that the data in the corrupt file was already corrupted when written to the disk and that's why it's the same on the mirror disk as well. I probably lack some knowledge here but I can't presently think of another explanation for the current situation.

Another curiosity from a few days ago : if my PC isn't compromised why does changing the name of the Kaspersky VRT (from the default) allow it to run ? There might be a reason but I'm scratching my head to think what that could be.

In the period 10-14 April a trojan virus was placed on my PC. I didn't run the browser, so was I hacked or was other malware already running? If I was hacked, how did that happen? On 11 April I connected to the internet for no more than 12 minutes in two separate sessions of 6 minutes. On 13 April I had my hardware firewall active.

More generally, if some of what I see today is the result of ongoing hacking, and if the hacker's malware is not ALL recognised by up-to-date scanners, what is the best way for me to get this resolved ? I could be taking up G2G time that might be better used on other cases. This case is definitely atypical.

As the PC is almost certainly *not* clean, I think I'll have to rebuild the PC. Do you agree or is there something else ?

Of course, I was in a similar position when I reached the end of the first thread that I posted in on G2G. After that I rebuilt the PC and now I have suspicious activity again. My feeling is that I need to do something different this time.

If G2G can only resolve issues where the malware is already recognised what should the unfortunate minority do who have a hacker ? If I can't pinpoint how I was reinfected is it a case of throwing away my personal files ?

One thing that's different is that I now have a hardware firewall. Here are some questions that occur to me about PC security:
1. When I had no hardware firewall my PC could be scanned once the hacker had my IP address. Does the Windows XP O/S always have software that is vulnerable to being hijacked when it opens a port and accesses the internet ? I'm thinking of things like the MS update process which runs for literally hours during a PC rebuild.
2. How do AV firms decide that they've found evidence of a new virus ? I seem to have one and would like there to be a scan for it (eventually).
3. Did that virus come from a personal file or was I hacked from outside again ?

Just to re-iterate, I don't want to use up G2G time if it won't be a good use of that time. I just need to know what would be the best way to proceed from here. The hacker exists. From what I read today, sadly, hacking a PC is not that hard - the question seems to be which software makes ports vulnerable on XP when it runs. And does a hardware firewall make a PC completely safe from port scanning ?

Sorry if this latest information is bad news (I strongly suspect so).

t.
(minor edits)

Edited by trampas, 16 April 2012 - 01:39 AM.

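On the desktop.ini question in post #51: a [LocalizedFileNames] section only tells Explorer which string resource in the named DLL to display as an item's name; it changes nothing about what Event Viewer.lnk or the other shortcuts run, and Explorer itself writes such files into localized system folders like Administrative Tools (they are hidden system files, which is why they normally stay out of sight). What a responder does check before dismissing one is whether any value points outside the Windows directory, because an IconResource or similar key naming a UNC path makes Explorer open a connection to that host whenever the folder is displayed. The script below is an added example, not from the thread: the benign sample is modelled on the file quoted in the post (with system32 spelled correctly), the suspect sample and the set of keys it inspects are the author's own, and SYSTEM_ROOT is assumed to be C:\WINDOWS.

```python
"""Triage of a desktop.ini such as the one quoted in post #51.

Added example, not from the thread. The two sample files are constructed:
BENIGN_INI is modelled on the quoted file, SUSPECT_INI is invented, and
SYSTEM_ROOT is assumed (read %SystemRoot% from the environment on a live box).
"""
import configparser
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed
EXPECTED_SECTIONS = {"LocalizedFileNames", ".ShellClassInfo"}
# .ShellClassInfo keys whose value names a file Explorer will open to get an
# icon or a display string; a UNC path here makes Explorer contact that host.
PATH_KEYS = {"IconFile", "IconResource", "LocalizedResourceName", "InfoTip"}
# Display-name references look like @<dll path>,-<string resource id>.
RESOURCE_REF = re.compile(r"^@(?P<path>.+?),\s*(?P<id>-?\d+)$")

BENIGN_INI = r"""
[LocalizedFileNames]
Event Viewer.lnk=@%SystemRoot%\system32\shell32.dll,-22029
Services.lnk=@%SystemRoot%\system32\shell32.dll,-22030
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll, -21762
"""

SUSPECT_INI = r"""
[.ShellClassInfo]
IconResource=\\203.0.113.5\share\tools.ico,0
[ExtraSection]
Run=C:\Documents and Settings\All Users\tool.exe
"""


def load_desktop_ini(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep key case so IconResource stays recognisable
    cp.read_string(text)
    return cp


def normalise(path):
    return path.replace("%SystemRoot%", SYSTEM_ROOT).replace("/", "\\").lower()


def is_system32(path):
    return normalise(path).startswith(normalise(SYSTEM_ROOT + r"\system32") + "\\")


def classify_value(value):
    """Return a finding for one value, or None when it is a plain reference
    into system32. UNC targets are reported first because they trigger an
    outbound SMB connection just by displaying the folder."""
    m = RESOURCE_REF.match(value.strip())
    target = m["path"] if m else value.split(",")[0].strip()
    if normalise(target).startswith("\\\\"):
        return f"UNC path {target}: Explorer would connect to that host"
    if not m:
        return f"not a @dll,-id resource reference: {value.strip()}"
    if not is_system32(target):
        return f"resource outside system32: {target}"
    return None


def triage(text):
    """List everything in the file that a responder should look at; an
    empty list means only standard display-name references into system32."""
    cp = load_desktop_ini(text)
    findings = []
    for section in cp.sections():
        if section not in EXPECTED_SECTIONS:
            findings.append(f"unexpected section [{section}]")
        for key, value in cp.items(section):
            if section == "LocalizedFileNames" or key in PATH_KEYS:
                finding = classify_value(value)
                if finding:
                    findings.append(f"[{section}] {key}: {finding}")
    return findings


if __name__ == "__main__":
    for label, text in (("benign", BENIGN_INI), ("suspect", SUSPECT_INI)):
        print(label, triage(text) or ["nothing unusual"])
```

The benign file produces no findings; the suspect one reports the UNC icon path and the unexpected section. A desktop.ini that passes this check still only changes how the folder is displayed, so the appearance of one in Administrative Tools is not, on its own, a sign that the tools there have been altered.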

#52 trampas (Topic Starter, Member, 99 posts)
One point that maybe I didn't highlight - between starting the XP boot process this morning and actually seeing the desktop on the screen it seems that a file on my PC became corrupt. When the XP boot process started no corruption was noticed but only a short period of time later one was.

Does this also suggest that malware ran during the boot sequence ?

EDIT: another issue I may have to face is that the PC was already compromised when I installed the new software firewall.

t.

Edited by trampas, 16 April 2012 - 03:59 AM.


#53 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi trampas,

I asked for a little help from my coworkers here at G2G and they don't see any malware on your system either. We also tried to find a hardware issue and fix it but we couldn't find one.

I'm sorry but there is nothing we can do from here. Thanks for choosing Geeks to Go, but we seem unable to help with this specific issue. You may want to seek the help of a local professional.

Make sure to backup all your data in case something goes wrong while your PC is at repair shop.

#54 trampas (Topic Starter, Member, 99 posts)
Hi maliprog

Thanks for the kind words.

I kind of realised at the end of the first thread that the success of G2G is built upon recognising known malware. I'm sure you'd agree that new malware isn't recognised by scanners and so a clean scan doesn't necessarily indicate a clean system.

I'm almost certain that file corruptions, like all the other strange things are caused by hacking. The mirror disk being the exact copy of the master is a giveaway. I know you haven't commented on that.

But if you could answer some of the questions raised in the earlier post that would be immensely helpful. The one about new malware and how AV suppliers deal with it is relevant I guess. Any comment on desktop.ini ? I agree about backups but with what happened on my PC I don't think it would have made any difference. Do you think adding a hardware firewall will assist i.e. prevent my ports being scanned ?

And one further question: what would you recommend as the best way to fix the corruption on system.log. I was thinking that a reboot would force the File System check to run but I'm not certain that would be the best action.

t.

#55 trampas (Topic Starter, Member, 99 posts)
EDIT: managed to post the message twice....

Edited by trampas, 17 April 2012 - 01:12 AM.

#56 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Of course I can...

How do AV firms decide that they've found evidence of a new virus ? I seem to have one and would like there to be a scan for it (eventually).


I can't really tell you this one because there are a lot of antivirus companies and they all have different ways of searching for and finding solutions for different malware. As you know, there is no antivirus that protects you 100%. They try to keep up but that is not good enough.

For example if I found any malware here I would submit it myself to all antivirus engines so they can help others.

Any comment on desktop.ini


Some desktop.ini files can be related to some malware but usually they are not. Quick info Here. This is a system file and I have it too in the same folder. You will see them a lot now. Please read This article on how you can show/hide these files.

I agree about backups but with what happened on my PC I don't think it would have made any difference.


I agree. But you must have a backup of your files because you don't know if they are really infected. For example I can open them with no problems at all. Until you solve this it's better to have any backup than none.

Do you think adding a hardware firewall will assist i.e. prevent my ports being scanned?


A hardware firewall hides your system from the open network completely. They also have hacking detection mechanisms so I think you are pretty safe :)

what would you recommend as the best way to fix the corruption on system.log. I was thinking that a reboot would force the File System check to run but I'm not certain that would be the best action.


The easy way is to reboot and disk check should do the rest. A system.LOG error usually means that there was an error writing to disk. For example I usually have this error when a power failure occurs and interrupts writing to disk. If your system boots after check disk then you are safe.

As I said in my last post, take your PC to a local repair shop because they can test it all for you.

Hope it helps.

#57 trampas (Topic Starter, Member, 99 posts)
Thanks maliprog

I rebooted the PC and the File System check fixed a few files (including 0x9 again).

That desktop.ini is normally hidden - that may explain why I never used to see it.

I will go through your clean-up process and report back with (hopefully) success.

I think I may open a new thread in one of the other forums regarding security of Windows XP. I have no doubts that the hacker will try to get past my hardware firewall and I read in some places that hardware firewalls are not 100% guaranteed to block hacking. So I think I need to know more about that.

The other thing that's still a mystery is exactly which services that open ports (in XP SP3) can be tricked into letting a hacker in. That seems bizarre. Even if I configure my software firewall to block all incoming connections it seems that it won't detect one that piggy-backs on a service that already has opened a port for an *outgoing* connection to a different IP address. That's amazing.

I now understand a little bit about the smart tags problem in WORD but not how that feature passes from one file to another via Normal.dot. I also don't understand why only a handful of my files were displaying the problem when the feature was turned ON globally. It seems there must be some other thing present in the affected file itself - something that's removed when the file is converted to RTF and then back to DOC.

Thanks for spotting that ZoneAlarm pre-requisites issue !

It's quite possible that my DOC files are not capable of dropping a virus. And all that's been happening is the hacker kept breaching my software firewall and reinfecting my PC with both known and unknown malware. If I'd realised this breach was possible I probably would have approached the problem differently. Maybe I wouldn't have used IE to download ChromeSetup.exe, for example :)

t.

#58 trampas (Topic Starter, Member, 99 posts)
Hi maliprog

That clean-up went fine. What I plan to do now is monitor the situation for a while. If it becomes necessary I'll rebuild the PC again, this time with the added protection of my hardware firewall.

There's certain information that I've gathered that could be helpful to other readers of the G2G web site. As my thanks for the patience shown by helpers on here I'd like to share what I've learned. It's possible that, in a few cases at least, the information will allow readers to help themselves. Do you think I should do this ? If so, what would be the best way, in your opinion ?

The information falls into two categories :
- the smart tags feature of WORD 2002 (?and later) which has virus-like properties
- what to do if you have the personal attention of a hacker (very rare, admittedly)

As per my last post, the knowledge that I've acquired regarding smart tags is incomplete so, in that case, I thought it best to simply start a discussion at first. That is if one hasn't been started already.

Once again, thanks very much for the help over the last month or so. You've been great :)

trampas


Re hackers, these sites were all very helpful to me :

http://www.infohq.co...hackers-isp.htm
Tracking a hacker's ISP

http://en.wikipedia....ki/Port_scanner
http://www.askdeb.co...mputer/hackers/
What hackers do and how a hardware firewall helps

http://itknowledgeex...en-hacked-into/
Showing your PC's connections with netstat and other advice

http://www.xnews.ro/...securityxp1.htm
How to turn off services in XP that you don't use

http://searchsecurit...inst-port-scans
http://www.auditmypc...rt-scanning.asp
http://www.brighthub...cles/34708.aspx
Using online resources to test the port security of your PC

#59 maliprog (Trusted Helper, Malware Removal, 6,172 posts)
Hi trampas,

Once again, thanks very much for the help over the last month or so. You've been great :)


I hope you'll solve your problem. Goodbye and stay safe :thumbsup:

#60 trampas (Topic Starter, Member, 99 posts)
Hi m

I'm currently looking at IP connections that get created on the PC as soon as it's allowed to access the internet. I may have found something, hence this 'extra' post.

Under the original firewall settings, as soon as access to the internet is granted :
- Incoming request from firewall to connect to SVCHOST.EXE on the PC (I say YES)
- Outgoing connection made to an IP address owned by AAPT
- Outgoing connection made to an IP address owned by Akamai Technologies

(I can't vouch for the time order of the above 3 events, nothing should be inferred)

I can't actually see which rule in the firewall is being triggered to ASK me if the router can connect to the PC. I only see rules for ALLOW and BLOCK. That's the first confusing thing. The firewall has a rule that allows those two outgoing connections. On reflection the rules seem a bit weak at present, but moving on.

If I set up a rule to BLOCK the connections to AAPT and Akamai and LOG the event then this stops the outgoing connections happening and I also don't get ASKed to receive the incoming connection on SVCHOST.EXE any more. Possibly that's a clue as to which event causes others.

Something else is a bit odd because I don't see anything in the firewall log about the new rules having been triggered. It seems as though they have.

With those connections being blocked I can still update Avira, Comodo and use Chrome on the PC with no trouble. I've read that Akamai may not be suspicious but I do have doubts about AAPT. When I trace that IP I find that it's a static IP address with a dial-up connection behind it, allegedly.

I can find out which PID is making the connection to AAPT but I think I'd need to remove the firewall rule so that the connection gets set up, then trace with netstat.

I may have a way forward here but there are some things that I don't quite understand yet. I thought I'd just see if you had a comment.

EDIT: I had a File System check this morning. File 0x9 had minor repairs again. And another update : whilst using the PC for word processing today I discovered that 'smart tags' was turned ON again.
EDIT2: After further research (try google chkdsk 0x9) it seems that this report about file 0x9 in the chkdsk log is nothing to worry about so, just like smart tags, it's meant to be scary/a bit annoying. In other words it's another mark of the hacker. If I focus on finding the file/malware that's doing this I can probably eliminate both issues. Failing that PC rebuild. The only lead I have is the IP connections mentioned above but it seems promising.

t.

Edited by trampas, 18 April 2012 - 07:42 PM.

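Post #60 gets as far as wanting the PID behind the outbound connection once the block rule is lifted. On XP the two commands that give you that are `netstat -ano` (connections with owning PID) and `tasklist /svc`, where it is available (process name per PID, and for svchost.exe the list of services hosted in that instance, which matters because a PID alone says only "svchost", not which of BITS, wuauserv, Dnscache and so on opened the socket). The script below is an added example, not from the thread or from either tool: it joins the two outputs and flags remote addresses outside an allowlist. Both captures are constructed to look like XP output, the addresses are RFC 5737 documentation ranges rather than the real AAPT or Akamai addresses, and the allowlist of "known update networks" is invented; on a real box you would paste in the actual command output and put the vendor ranges you have verified into KNOWN_UPDATE_NETS.

```python
"""Join `netstat -ano` with `tasklist /svc` to attribute outbound connections.

Added example, not code from the thread. NETSTAT_ANO and TASKLIST_SVC are
constructed samples in the shape of Windows XP output; the IPs are RFC 5737
documentation addresses and KNOWN_UPDATE_NETS is an invented allowlist.
"""
import ipaddress
import re

NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    192.168.1.10:1034      203.0.113.20:80        ESTABLISHED     1048
  TCP    192.168.1.10:1035      198.51.100.7:443       ESTABLISHED     1048
  TCP    192.168.1.10:1041      192.0.2.44:8080        ESTABLISHED     1760
  UDP    0.0.0.0:1025           *:*                                    1048
"""

TASKLIST_SVC = """\
Image Name                   PID Services
========================= ====== =============================================
System Idle Process            0 N/A
svchost.exe                  872 RpcSs
svchost.exe                 1048 BITS, CryptSvc, Dnscache, wuauserv
avguard.exe                 1532 AntiVirService
unknown.exe                 1760 N/A
"""

# Invented allowlist: networks you have independently confirmed belong to
# your update vendors. Anything else gets flagged for a closer look.
KNOWN_UPDATE_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]

TASK_RE = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<svcs>.*)$")


def parse_netstat(text):
    """One dict per TCP/UDP row; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:
            proto, local, foreign, pid = parts
            state = ""
        conns.append({"proto": proto, "local": local, "foreign": foreign,
                      "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> {image, services}; image names may contain spaces."""
    procs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "====")):
            continue
        m = TASK_RE.match(line)
        if not m:
            continue
        svcs = m["svcs"].strip()
        services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",")]
        procs[int(m["pid"])] = {"image": m["image"].strip(), "services": services}
    return procs


def foreign_ip(addr):
    """Strip the port from netstat's host:port form; None for '*:*' and the
    0.0.0.0 placeholder that listeners show as their foreign address."""
    host = addr.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    return None if ip.is_unspecified else ip


def attribute_connections(netstat_text, tasklist_text, allowed_nets):
    """Rows with a real remote peer, each joined to its owning process and
    marked expected/unexpected against the allowlist."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for c in parse_netstat(netstat_text):
        ip = foreign_ip(c["foreign"])
        if ip is None:
            continue  # listener or wildcard: nothing remote to attribute
        p = procs.get(c["pid"], {"image": "<not in tasklist>", "services": []})
        rows.append({**c, "image": p["image"], "services": p["services"],
                     "remote_ip": str(ip),
                     "expected": any(ip in net for net in allowed_nets)})
    return rows


def unexpected(rows):
    return [r for r in rows if not r["expected"]]


if __name__ == "__main__":
    for r in attribute_connections(NETSTAT_ANO, TASKLIST_SVC, KNOWN_UPDATE_NETS):
        flag = "" if r["expected"] else "  <-- not in allowlist"
        print(f"{r['proto']} {r['foreign']:<22} pid={r['pid']:<5} {r['image']} "
              f"{','.join(r['services'])}{flag}")
```

In the sample the two connections from the svchost instance hosting wuauserv and CryptSvc land in the allowlisted ranges, which is the pattern a Windows Update or certificate-revocation fetch leaves; the one from unknown.exe to 192.0.2.44:8080 is the row to chase. Capture both commands within a second or two of each other, since a short-lived process can exit between them and then shows up as "<not in tasklist>".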