svasutin

Sorry for the late response - busy trying to stay a float*... Very very true on the browser choice - it just appears as, whatever or however this infection is getting in, once it does, it uses IE. My thinking is, IE 8 hopefully with its updates and new security measures ( turn off crash protection & compatibility** ) might block it. I do believe last year Firefox had something like 6 times the number of security issues as IE, and as for Flock - i have no clue about it. As for permission-less, i can go either way on it - depending upon the number of users and type of system ( SOHO, LOCO, Family ). Usually for me, it's not a choice though as i'm working on other peoples' systems :-s If anyone does find a name and a removal tool for this infection, please post it. The post will only be accepted should you provide the name given to this infection. ** btw, if you're using, for example, Spybot's/Spyware Blaster Immunizations, then you have to disable them for IE 8. IDK what Msft did, but using immunizations ( block/kill bits/host ) with IE 8 slows the system to a crawl. I mention Spybot & SpywareBlaster only because of it's popularity - not citing them as the source/cause. * In other news, i've found some detectable infections are starting to replace the Windows Service Pack Info. This was/is a good idea on the hackers part - it got me. Once everything was cleaned and i went to check Windows Update to see if anything was missed, turned out the system was still running Service Pack 2, but everything read Service Pack 3. Hence, check a few version numbers for their service pack level before just replacing/repairing files ( sfc )... took me forever to figure out why some discs didn't work and/or over replacing some files caused system issues - lol

you know, idk - i thought it should work, but i could be wrong. Tell you what, i'll try it again tonight, and tell you how it goes - if i make them both the same...

I actually like Windows Defender - not too bad, of course the average user never checks the Permit and just kinda sits there and looks the icon and balloon message... waiting for something to happen... the same is true of Automatic Updates as well. I do like Spybot, Windows Defender, and Zone Alarms Extreme Edition all running. For the price, i do feel that Malware-Bytes is the best choice. I would say Spybot, but for a while there, they had issues, but since 1.6.2, i've more or less gone back to them... For detection, i really like Previx's CSI

Save this as a text file called killIt, and replace the <infectedNameX> part; 6 edits and just 2 names Don't forget to add the reg entry before going into the recovery console. Set or Create: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole] "SetCommand"=dword:00000001 Inside the Recovery Console ( after logging in ), to run it, type: Batch KillIt.txt I included the exit to cause a reboot. Highlight and save as: Killit.txt SET AllowWildCards = TRUE SET AllowAllPaths = TRUE SET AllowRemovableMedia = TRUE SET NoCopyPrompt = TRUE CD system32 CD drivers Attrib -c -r -s -h <infectedName1>.sys Attrib -c -r -s -h <infectedName2>.sys Delete <infectedName1>.sys Delete <infectedName2>.sys Disable <infectedName1> Disable <infectedName2> exit

hey - thanks and sorry for the delay - i don't always have access to the system :-s Anyway, here are the keys i've tried w/o success... for now, i'm testing it on my account on their 'puter. I'm assuming that extra/useless keys will be ignored by Vista. HKLM [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DisallowRun] "1"="Solitaire.exe" "0"="GameConsole-wt.exe" "2"="WinBej2-WT.exe" "3"="Blackhawk2-WT.exe" "4"="BlasterBall3-WT.exe" "5"="Buildalot-WT.exe" "6"="Fate-WT.exe" "7"="penguins-WT.exe" "8"="Polar-WT.exe" "9"="golf-WT.exe" "10"="tradewinds-WT.exe" "12"="Virtual Villagers - The Lost Children-WT.exe" "11"="freecell.exe" Then for HKU ( default and the original "owner" acct ), HKCU [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies] "DisallowRun"=dword:00000001 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "DisallowRun"=dword:00000001 After Reboots, i still can't get these to stick as the programs always seem to load and run :-s I'm thinking that perhaps Vista Basic might not include this ability - but also, i'm thinking i'm doing something not quite right here Thanks again.

My Favorite is Zone Alarms Extreme Edition. I am really impressed with it. While in remote sessions, i've been able to configure it so i cannot see: what the end user is typing into a window. For example, entering a URL, typing into a chat/IM box. Random Letters appear any open applications - even ones i've opened anything but a black screen The value here should be apparent, as key loggers, and programs which take screen shots, are rendered ineffective. The default is the black screen. Going back to Zone Alarms Internet Security Suite ( included in ZAEE ), the Self-Protect option does not allow me to remotely send keys or click on any ZA window. Of course, i also like that even if the EU clicks Yes, download and Install This Virus, it still stops the infection from happening. That and it plays pretty well with "free" independent checks ( Windows Defender, Spybot S&D, MalwareBytes, sysclean, hjt ) The bad side is, the longer a PC is on, the more memory it consumes, so daily reboots are required. Also, those first 21 days or Auto-Learn can be kind of rough.

Yes, Vista Basic - why? Idk, but i picked up a client who has 2 desktops running Vista Basic. Anyway, back in XP, there was a Registry sub-Key where i could list the names of executables in both HKCU and HKLM Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun This sub-key appears no longer to be valid. So i'm wondering if there is a new key out there for Vista to stop running programs... The issue is, an employee at one of the terminals is playing games far too often - and they know how to add/remove programs and everyone has administrator rights Anyway, maybe i'm just doing things wrong, or maybe it's just Vista Basic, but does anyone know how to DisallowRun in Vista? Thank you

For the past few months i've been dealing with a new RootKit Virus. I'm not exactly sure what it's stealing or doing, but it's pretty bad. So far, i've found it only on XP systems. Surprisingly, no one detects it or has a solution out yet. The worst thing about this FystemRoot is once the virus is cleaned - AU and BITs needs to be repaired and permissions reset manually <- That's the bad part - people are clean, but their system is still corrupted. * update * It seems the Task Scheduler is now being corrupted as well. Just came across this on a system * update * I've tried McAfee, Kaspersky, Symantec, F-Force, MalwareBytes, Previx, ( zone alarm ), Spybot.... everything i could, but only Manually Cleaning fixes it. It defeats HiJack This from fully running, and combofix wasn't much help either. If infected, 100% of the time System Event Log Shows DCOM errors about BITS not being able to be load. Trying to Set Automatic Updates or BITS through services.msc gives an error about permission or access Searching your registry for fystemroot yields a result Yes, it is FystemRoot not SystemRoot as it should be. The rumor mill suggests it gets in through an IE exploit - but i'm not too sure about that, as the people i've found infected use either FireFox or Flock. I've seen this virus since about early February, could even be late January. I figured it was new and so the AV companies would include it soon, however - so far, there is just scattered talk in some forums. Aside from not being able to fix WUAUServ or BITS, the other interesting feature about this is, it runs your other browser ( flock, opera, chrome, mozilla ) in a sandbox and forces IE as your default browser; it disables the always check feature. However, all links open up in whatever browser you are using and icons still show your browser of choice. Since something is going on with IE 6/7 Perhaps updating to IE 8 might be worth it Safe Mode does not always clean it out, so the Recovery Console is sometimes required To find the name of the infections is fairly easy. Through the registry ( independent registry editors have no effect ~ tried through cmd, regedit, wsh... ) go to HKLM\SYSTEM\CurrentControlSet\Services ( yes, it exists in ControlSet00n as well ) Then one by one go through each service until you get an error message. Usually there are two ( most people however are suggesting only one ). Write the names down for keys which it cannot be read. Usually these are numbers or letters and numbers. The files typically live in ( this could change if the hacker updates their code ) %windir%\system32\drivers Before going into the recovery console set [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole] "SetCommand"=dword:00000001 If you're able to, as sometimes SR cannot be disabled Clear ALL System Restore Points Set the Size To the Minimum Turn Off System Restore Edit your boot.ini to start in the Recovery Console Add another entry to start in Safe Mode with the Command Prompt Disconnect from the web, reboot to the recovery console, and delete the <found names>.sys Reboot into Safe Mode whilst Holding Down the Left Shift Key until you are at the cmd prompt and hdd activity has stopped ALL Through the cmd prompt, navigate to and run Spybot and MalwareBytes. Between those two, it finds further infections - note the logs, and search your registry for them, and delete them. I've found, whilst file info is removed, the registry entries are not always removed. Delete all restore points and turn off System Restore; yes i've found infections have been in the System Volume Information Folder A further step i've used is in a batch file run from the root of your drive, something along the lines of: for %%a in ( 1..9 ) do ( dir %%a*.exe %%a*.sys /b /a /s >> c:\infctns.txt ) for %%a in ( c:\infctns.txt ) do attrib -r -a -s -h "%%a" for %%a in ( c:\infctns.txt ) do erase /f /s /q "%%a"As of yet, i haven't found any legit programs which start with numbers and are exe's or sys files ~ opps forgot to mention the 1394 and 61883 files - you'll want to add an "if not part to it" Running CCleaner ( for both files ~ uncheck the older than 48 hrs option ~ and registry ) is a good idea, as now the temp folders contain new items. Open your registry editor, find and delete the keys of the names you found - including the ones we had to manually delete. After all that, now you should be able to open up explorer. In your "documents and settings" folders, check the temps & start up folders for extra files which this has dropped. Don't forget the Default User Run CCleaner FIXING WUAU AND BITS AND TASK SCHEDULER The final step is to reset the permissions for BITS and WUAUServ Click Start | Run Type in: dcomcnfg.exe Click OK Click your way from Component Services to DCOM Config and the BITS Set it to defaults. Do the same for Windows Update. Umm - Right-Click and Select Properties, btw Enter your Registry and head towards HKLM\SYSTEM\CurrentControlSet\Services For BITS, WUAUSERV, * update * Schedule * Update * Add/Give SYSTEM rights Make sure it's set to %SystemRoot% and no longer %fystemroot% Through Services, set BITS to Manual and AU to Automatic ( default settings ). Clear your event logs, and reboot. So far as i can tell, you should now be able to start XP in a normal environment, but still be disconnected, and hold down the Left Shift Key. Connect up to Windows Updates and see if you are fine. Of course, check your event logs to make sure you are still safe. If you can't connected up to Windows Update, then i've removed the WU controls from IE, cleaned the registry of their references, and have had IE reInitialize the WU controls. SPECULATION Some of the other infections which seems to have appeared along with this infection, also seem to cause a Registry editor and or a command box to shutdown after a few moments. So if you are running syslean, or some other av/as, removal tool from a cmd, it simply will not run or complete. However, these other infections ( including Vondo ) do seem to be detected and removed by most anti-malware vendors. On some occasions, i have found references to a hidden file in the registry %windir%\system32\..\<random file name>.randomExtension ~ for example Wsj.dst. This hidden file appears to have further rootkit abilities - as once it's removed, i've found more infections. Not specifically related to the fystemRoot, as it appears to be a launcher/transport/proxy, but check out parse AutoExec.bat settings, winlogon, wininit, as well as the win.ini file. I have no idea if this infects your anti-malware s/w. Once i find an infection, i assume anti-malware products are rendered useless and uninstall the lot ~ as well as Java. I will say, i have noticed that av and as products do still detect infections, just not this one. Alright - did i miss anything? Any mistakes or errors? Keywords: %fystemroot% %systemroot% Cannot set Automatic Updates Background Intelligent Transfer Service Access Denied Permission Error Virus Trojan Worm RootKit HiJackThis HJT Still with update issues? 1-866-PC-Safety <- that's msft's Windows Update Help Line

Well things just came up - so sorry if you were following along and i left you hanging. First, let me go back to the initial issue of the board. Well, the board finally arrived and i installed it. No - windows didn't recognize the sata device so i slipped in some drivers and proceeded to reInstall as much software as i could for my client ( naturally, this is covered under the it/mis services i provide ). All done. Time for some testing of the various connections and plugs - great - one of the usb ports has issues . However, it's now the weekend and i can't allow my client to wait an longer. I go out, purchase a new board, CPU, RAM, & PSU. w00t! no need to slip drivers now One interesting thing we noticed. When we compare their old hdd sysdrive to their new one - there is 20 gb less used on the new one. Because of the way the system is configured, the only thing that could be causing this 20 gb difference is all the updates over the past year. You know, going from firefox 1 to 2.x, updating IE, all the patches, new versions and updates to anti-malware s/w. This is despite using ccleaner and the Zone Alarm cleaner daily ( or at boot ). If i had to guess, it's mostly from %windir%\Installer. Every since MacroMedia took over Installshield, that folder keeps growing. Anyway, it's now day 3 since they have had their desktop restored - my clients are happy that they have a faster computer and everything appears to be in place. Not only that, but from their "friends" and other support people, they've been complimented on the system speed So now i contact the company again, and we set up another RMA to return this new board. Once i get everything back and verify it all works, i think i'm going to have a massive e-bay sale. maybe tomorrow i'll have an update on the new book, but for now, i've got to deal with a surge suppressor that failed and fried and fried some devices

Well, instead of adding my the final installment of my Tech Support Hell Story Series, thought i'd bring you an update on my board. The ground did a little shaking and everyone wants you to visit them just to make sure everything is ok Anyway, so it has been one week since the board support said i had to choose between waiting 10 days or, if no reply, the "upgrade" would be shipped out in two weeks. Naturally, i replied yes, approved, please send last Wednesday ( and could you please over night it ). Well it should be there in 3 days... i was thinking on Monday or Tuesday by the latest. Well it has been a week, and still nothing, no emails, no calls, no responses. Well, no responses except that the board would be shipped "this week" ( actually last week, but anyway ). So i finally call and get someone ( i'm guessing when they saw my caller id - they just didn't answer ). I get a tracking number... it was shipped out yesterday. Finally, the board is set to arrive on the 2nd of November. i'll be back tomorrow

So where was i... ah yes, sending e-mails. Now then, this being so long ago, HTML e-mail was fairly new. So on a secure server, i created a little 1x1 transparent gif ( as well as tracking and enable read replies ), placed a link in the image, and shot off another reply. In the meantime, i'm still trying to get e-bay, western union, and NY PD interested in this case. So i start to trace the previous headers, look in to the name, as well as comments and other people who bid or bought items from the thief. Slowly a circle of buyers and sellers emerge. For the most part small to medium priced items are sold around, and ratings are boosted over a two year period. These people are very, very patient. I finally find a person in the the computer crimes division who is willing to work with me. So i tell them my little story ( i was scammed!!! ) and what i'm currently doing. From a trip to NY, i was able to track down who picked up the money. From there and a little research, i found the suspect and followed him to school at NYU ~ he was working on a doctoral thesis in Accounting. Oh yes, and the Western Union location has his picture on file and is waiting for your pd to pick up the image. Also, my little web bug is going from place to place but eventually finds a home in Lithuania, before it starts finding its way back to me in a reply. The ADA says she can contact the FBI since this crosses state lines, but can't seem to get a hold of e-bay. Well, it's a good thing i live close by e-bay. Another useless trip to e-bay with her information and the case number that goes no where. Fortunately, the local police department was close and i found a willing detective who would called, verified my story, and went into ebay to get some information. By this time, enough time has passed that the scammer knows i should have noticed, so i send another e-mail. "Hey, umm, i didn't get my notebook yet. i know i wasn't around, but ups hasn't left anything on my door. i haven't checked with my neighbors, but i'm wondering what address did you ship it to, and how did you ship it, thank you" ( yes, bad grammar and spelling makes people think ur n0t a$ s(V)art ) Also, i'm getting another email from someone else who wants to know what i thought of the scammer. For the most part, these are left on the server, untouched, and just collecting dust. From my little research, i know it's the thieves checking up on themselves. Since i now have a contact in the FBI, i give them and the NY Computer Crimes access to my e-mail. Of course i asked that they help me clean out some of the spam as well. So a week after the NY Computer Crimes gets involved, the thief is arrested. A month or two later, the ADA calls me. Turns out, this was part of an international money laundering scheme. This person took many other people totaling in over $100k, and from the "ring" i found, arrests in other parts of the nation were also made. My thief was in the US on a visa. So in the end, i sent a letter to his academic adviser, which got him expelled. He was forced to pay everyone back ( judge ordered me first ) or be sent to jail. Of course he couldn't pay everyone back, but i got my money, and he ended up in jail for 6 months, and was then deported In all this, e-bay wasn't willing to do anything and had to be forced to work with law enforcement or the person who got scammed. While i don't use e-bay anymore, i was quite surprised how little they do to protect people from scams. While i can string code together i'm no pro. I didn't have access to their internal networks, but was able to track down quite a few scammers. Of course e-bay wasn't interested in any of my code or work. Their attitude is very much, it's not our problem & don't ask/don't tell. One thing that happened during this time was the fact i was out a few dollars. Not that i hadn't planned on it, but i had planned on receiving something in return. I still needed a new notebook, so i went out and picked one up ( again on line ) from a major manufacturer's website. It worked fine for a few months, but then it started to fail... * stay tuned for the next installment of Tech Support Hell *

looks like i'm still swamped, but might be able to get back later today. Just a few more comments about the board issue. It purchased in June of last year and still under warranty ~ i'm pretty sure it has a 3 year warranty, so i'd expect it to fail sometime after 3 years. No vendor ever extend their warranty past what they expect a products' typical life cycle to be. If i had to guess why this happened, i think ( very heavy speculation ) it might be a consequence of the new Vista policy. Given finite resources, if a board goes bad and can't be repaired, then the consumer will be forced to purchase a new Vista key. So maybe board manufacturers are switching over to repairing existing boards to an effort to help new Vista customers out. However, in doing so, they don't manufacture or repair "legacy" boards. Still though, i'm watching the warranty on boards now to see if it goes down. If it does, then we know we're in for more trouble.

Alright, so the year was 1998, 56k dial up was all the rage. E-bay was taking off, in the us i think the max cd-r speed was 8x, and in the uk they had 2.6gb dvd +- r's, and craiglist was, well craigsligt. I was in the market for a notebook, something really hot. I knew better, but at that time, a Sony had a notebook that spec'd out well. I searched and searched, and found a deal on E-bay. What a bargin!!! I could save $700. Of course it was suspicious, but the Internet was still starting out, and it was not uncommon to find large price differences from where i lived and purchased products. Matter of fact, my camcorder, from yahoo shopping was over 1k less than it was in my local cash and carry stores. So i sent my 2.5k USD (worth a lot more back then given the current us economy) - western union. Now then, as soon as the money was picked up in New York, i received an e-mail from e-bay telling me i might have been scammed, as the user said there had been unauthorized activity. So i sent emails with follow up, called western union, tried to contact e-bay, and got a hold of the a District Attorney in New York. Well first, Western Union was useless - no help, but a confirmation code. They have a policy of, if you send it - it's gone. Ebay was useless, but fortunately their main ( and at that time only ) HQ was within a few minutes driving distance ( i'm in california btw ). So i actually got a few ebay phone numbers, but these never went anywhere. Ebay has a policy - if you bought it, then you spent the money. Now then, there happened to be a few Assistant DA's in NY that were interested in these "new" computer crimes, and NY had one of the first computer crime divisions. Of course though, this wasn't a priority, since the crime had already been committed. However i never really gave up contact with the seller. I played dumb. I said wasn't going to be home for a while, so when it was supposed to arrive, it might take me a while to give him a rating. That and i was wondering if he could sell me a warranty? woot! now i had a crime in progress. Again, this was the early days of the internet where security was lacking, but could be used for an advantage. First, i tracked the email headers, one of them was funny, but most went back to NY. So i few out... the rest will have to come later, as i've got someone one the phone

I agree that often the end user will lie. So one thing i look for is how people handle this situation. The answer i'm usually looking for is something about easing the end users concern that they can "break" their system or something about encouraging clients to experiment with their systems. Either way, a good response has to do with encouraging the client to increase their knowledge. Getting the client to be comfortable is key to quickly determining a solution: "Well i did try to install some new ram" So maybe the memory module isn't fully seated. Let's open it up and fix it. From what you told me about your other memory, you purchased the wrong type. While ddr2 is faster, it won't work in your current system. ( which reminds me? would you like us to look into a new system for you? Gotta get the suggestive sell/upsell part in )

* sorry about the delay - had to take care of some business * Of course the call comes 2 days later. They will ship out a refurbished product and it should be there in 5-7 business days. Now then, i used to work for HP. When it was HP and Agilent. Yes, sometime ago. I recall when they first started to roll out their new support strategy. It was all about handling calls per minute. Calls/minute was the metric they wanted to use - of course i opposed that metric. Look, the internet will allow us to collect information from all people about the quality of calls. The metric should reflect quality of service. In the end, and for other reasons, i left for due to HP's shift to quantity over quality. These days, HP and many other companies don't even bother with their own support anymore. In texas, there is an office with 1-2 people. This american service company is where an Indian company is located. They are the contact for major companies. The manufactures only submit testing procedures. Of course, this means the people and engineers creating the products don't actually know about the issues. While i'm not a large company, i do work with many soho's and medium sized businesses. We recommend, implement, support, and recycle equipment for our clients. One thing we've always been able to do is provide excellent service over most all other vendors. While i still can provide better software support - hardware support is terrible these days. In the end, i think this shift towards india is going to put me out of business. So the moral of my story is this. As companies outsource their products support and customer service suffers. No doubt at some level the bottom line is measured. how many products are being returned and after how long? If these outsource companies have the consumers return the products within x-days, it would appear they are not doing their job. So the "trick" is to increase the time the end user has the product. Of course, i'm sure you get more brownie points if you solve an issue a colleague couldn't. This makes it appear as if it is a client issue and not lousy tech support. Over the past few years i have watched support decay into what it is now... which reminds me of the beginning of my woes but that will be in another post