Hi maliprog
First of all thanks for the latest post. Lots of good info there.
Secondly, some more strange happenings that I need to report unfortunately.
I booted the PC this morning. Once again there was no File System check. :))
I logged on as the restricted user. Whilst that was taking place I noticed that a yellow triangle appeared in the system tray and inside the triangle was an exclamation mark. However, this icon disappeared after about 5 seconds, and this wasn't simply because the icon had become hidden. A bit odd, but I ran up the Event Viewer to see if I could view the cause. The message was fairly brief and it was something like:
'The file system has become corrupted and unusable. Please run Chkdsk.'
(I can get the exact message later. EDIT I CAN confirm that no file name was specified.)
I logged off and logged back on as admin-su. No yellow triangle this time, so I opened Control Panel in order to access Event Viewer, but something else odd happened. When I do this I normally click on the Administrative Tools folder, then on Event Viewer. There are other ways to do it, of course, e.g. from the Run command. Anyway, in the Administrative Tools folder I would normally expect to see the Event Viewer icon plus 5 other icons. This morning there was an extra one: desktop.ini. And the date on the ini file is 10 Mar 2012. I'm fairly sure I haven't seen that ini file before.
When I see something like this just appear I become suspicious. This is what the ini file contains:
"[LocalizedFileNames]
Event Viewer.lnk=@%SystemRoot%\sysem32\shell.dll,-22029
<5 similar lines>
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll, -21762"
Does the presence of this ini file modify how these tools are being run?
There's a bit more. About 10 minutes after logging in as admin-su the yellow triangle appeared in the system tray. This time it had a balloon which said:
"Windows - Corrupt File
The file or directory
C:\WINDOWS\system32\config\system.LOG is corrupt and
unreadable. Please run the Chkdsk utility"
I haven't done anything significant with the PC since receiving that caution. And I decided *not* to open Event Viewer whilst logged in as user admin-su because of desktop.ini.
However, with the RAID tool I verified that the mirror disk was still a perfect copy of the master.
"Mirror Disk Verification Result
Mirror Disk is identical with Source Disk"
So this raises an interesting point. If the latest file corruption was caused by a bad sector on the master disk then the master disk ought now to have at least one sector that's different to the mirror. As it doesn't, that suggests to me that the data in the corrupt file was already corrupted when written to the disk and that's why it's the same on the mirror disk as well. I probably lack some knowledge here but I can't presently think of another explanation for the current situation.
Another curiosity from a few days ago: if my PC isn't compromised, why does changing the name of the Kaspersky VRT (from the default) allow it to run? There might be a reason, but I'm scratching my head to think what that could be.
In the period 10-14 April a trojan virus was placed on my PC. I didn't run the browser, so was I hacked, or was other malware already running? If I was hacked, how did that happen? On 11 April I connected to the internet for no more than 12 minutes, in two separate sessions of 6 minutes each. On 13 April I had my hardware firewall active.
More generally, if some of what I see today is the result of ongoing hacking, and if the hacker's malware is not ALL recognised by up-to-date scanners, what is the best way for me to get this resolved? I could be taking up G2G time that might be better used on other cases. This case is definitely atypical.
As the PC is almost certainly *not* clean, I think I'll have to rebuild the PC. Do you agree, or is there something else?
Of course, I was in a similar position when I reached the end of the first thread that I posted in on G2G. After that I rebuilt the PC and now I have suspicious activity again. My feeling is that I need to do something different this time.
If G2G can only resolve issues where the malware is already recognised, what should the unfortunate minority do who have a hacker? If I can't pinpoint how I was reinfected, is it a case of throwing away my personal files?
One thing that's different is that I now have a hardware firewall. Here are some questions that occur to me about PC security:
1. When I had no hardware firewall my PC could be scanned once the hacker had my IP address. Does the Windows XP O/S always have software that is vulnerable to being hijacked when it opens a port and accesses the internet? I'm thinking of things like the MS update process, which runs for literally hours during a PC rebuild.
2. How do AV firms decide that they've found evidence of a new virus? I seem to have one and would like there to be a scan for it (eventually).
3. Did that virus come from a personal file, or was I hacked from outside again?
Just to re-iterate, I don't want to use up G2G time if it won't be a good use of that time. I just need to know what would be the best way to proceed from here. The hacker exists. From what I read today, sadly, hacking a PC is not that hard; the question seems to be which software makes ports vulnerable on XP when it runs. And does a hardware firewall make a PC completely safe from port scanning?
Sorry if this latest information is bad news (I strongly suspect so).
t.
(minor edits)
Edited by trampas, 16 April 2012 - 01:39 AM.
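An added example, not part of trampas's post and not code from G2G or any tool mentioned in it: a small Python checker for a desktop.ini of the kind quoted above. The `[LocalizedFileNames]` entries and `LocalizedResourceName` are string-resource references of the form `@<dll>,-<id>`; Explorer loads the named string from that DLL to display a localized name for the shortcut or folder, and the file as quoted contains no other directives. The practical check is therefore whether every reference points at the DLL you expect under the real `%SystemRoot%\system32`. The expected-DLL set (`shell32.dll` only) and the verdict strings are assumptions made for this example; the sample input is a constructed file containing just the two lines quoted in the post (the `<5 similar lines>` are not reproduced).

```python
"""Sanity-check the resource references in a Windows desktop.ini.

Added example. A desktop.ini in a shell folder such as Administrative
Tools maps shortcut names to localized strings, e.g.
    Event Viewer.lnk=@%SystemRoot%\system32\shell32.dll,-22029
Explorer reads the string resource from the referenced DLL to display
the name. This script parses the file and reports, for each reference,
whether the DLL path is the expected system DLL.
"""
import configparser
import re
from typing import List, Tuple

# A resource reference as written in desktop.ini: @<dll path>,-<resource id>
_RES_RE = re.compile(r'^@(?P<dll>[^,]+?)\s*,\s*-?(?P<id>\d+)\s*$')

# Comparison is done on the path as written (case-folded), so that a
# mistyped directory such as "sysem32" is reported rather than silently
# accepted.  Assumption for this example: only shell32.dll is expected.
SYSTEM32_PREFIX = '%systemroot%\\system32\\'
EXPECTED_DLLS = {'shell32.dll'}

# Verdict strings are this example's own naming.
OK = 'ok'
OUTSIDE_SYSTEM32 = 'outside-system32'
UNEXPECTED_DLL = 'unexpected-dll'
NOT_A_REFERENCE = 'not-a-resource-reference'


def classify_reference(value: str) -> str:
    """Classify one '@dll,-id' value by where its DLL path points."""
    m = _RES_RE.match(value.strip())
    if not m:
        return NOT_A_REFERENCE
    dll = m.group('dll').strip().lower()
    if not dll.startswith(SYSTEM32_PREFIX):
        return OUTSIDE_SYSTEM32
    if dll[len(SYSTEM32_PREFIX):] not in EXPECTED_DLLS:
        return UNEXPECTED_DLL
    return OK


def parse_desktop_ini(text: str) -> configparser.ConfigParser:
    """Parse desktop.ini text; '%' must not be treated as interpolation."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=('=',),
                                   comment_prefixes=(';',))
    cp.optionxform = str  # keep keys such as 'Event Viewer.lnk' as written
    cp.read_string(text)
    return cp


def check_desktop_ini(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, verdict) for every '@...' value in the file."""
    cp = parse_desktop_ini(text)
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if value.lstrip().startswith('@'):
                findings.append((section, key, classify_reference(value)))
    return findings


# Constructed sample: the two lines quoted in the post, as transcribed there.
# The five elided lines of the real file are not reproduced.
SAMPLE_INI = r"""[LocalizedFileNames]
Event Viewer.lnk=@%SystemRoot%\sysem32\shell.dll,-22029
[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll, -21762
"""

if __name__ == '__main__':
    for section, key, verdict in check_desktop_ini(SAMPLE_INI):
        print(f'[{section}] {key}: {verdict}')
```

Run against the real file on the machine (`C:\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools\desktop.ini` on XP, assumed here as the usual location) rather than the transcription: on the sample, the `LocalizedResourceName` line is reported `ok`, while the `Event Viewer.lnk` line as transcribed is reported `outside-system32` because `sysem32\shell.dll` is not `%SystemRoot%\system32\shell32.dll`. That is either a slip in copying the line into the post or a path worth confirming on disk; the checker only tells you which lines to look at, not whether the machine is compromised.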