
svasutin

Member
  • Posts: 199
  • Joined
  • Last visited
  • Donations: 0.00 USD
  • Country: United States


  1. Sorry for the late response - busy trying to stay afloat*... Very very true on the browser choice - it just appears as, whatever or however this infection is getting in, once it does, it uses IE. My thinking is, IE 8 hopefully with its updates and new security measures ( turn off crash protection & compatibility** ) might block it. I do believe last year Firefox had something like 6 times the number of security issues as IE, and as for Flock - i have no clue about it. As for permission-less, i can go either way on it - depending upon the number of users and type of system ( SOHO, LOCO, Family ). Usually for me, it's not a choice though as i'm working on other peoples' systems :-s If anyone does find a name and a removal tool for this infection, please post it. The post will only be accepted should you provide the name given to this infection.
     ** btw, if you're using, for example, Spybot's/SpywareBlaster immunizations, then you have to disable them for IE 8. IDK what Msft did, but using immunizations ( block/kill bits/host ) with IE 8 slows the system to a crawl. I mention Spybot & SpywareBlaster only because of their popularity - not citing them as the source/cause.
     * In other news, i've found some detectable infections are starting to replace the Windows Service Pack info. This was/is a good idea on the hackers' part - it got me. Once everything was cleaned and i went to check Windows Update to see if anything was missed, it turned out the system was still running Service Pack 2, but everything read Service Pack 3. Hence, check a few version numbers for their service pack level before just replacing/repairing files ( sfc )... took me forever to figure out why some discs didn't work and/or over-replacing some files caused system issues - lol
  2. you know, idk - i thought it should work, but i could be wrong. Tell you what, i'll try it again tonight, and tell you how it goes - if i make them both the same...
  3. I actually like Windows Defender - not too bad, of course the average user never checks the Permit and just kinda sits there and looks at the icon and balloon message... waiting for something to happen... the same is true of Automatic Updates as well. I do like Spybot, Windows Defender, and Zone Alarms Extreme Edition all running. For the price, i do feel that Malware-Bytes is the best choice. I would say Spybot, but for a while there, they had issues, but since 1.6.2, i've more or less gone back to them... For detection, i really like Prevx's CSI
  4. Save this as a text file called killIt, and replace the <infectedNameX> part; 6 edits and just 2 names. Don't forget to add the reg entry before going into the recovery console.
     Set or Create:
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
     "SetCommand"=dword:00000001
     Inside the Recovery Console ( after logging in ), to run it, type:
     Batch KillIt.txt
     I included the exit to cause a reboot.
     Highlight and save as: Killit.txt
     SET AllowWildCards = TRUE
     SET AllowAllPaths = TRUE
     SET AllowRemovableMedia = TRUE
     SET NoCopyPrompt = TRUE
     CD system32
     CD drivers
     Attrib -c -r -s -h <infectedName1>.sys
     Attrib -c -r -s -h <infectedName2>.sys
     Delete <infectedName1>.sys
     Delete <infectedName2>.sys
     Disable <infectedName1>
     Disable <infectedName2>
     exit
  5. hey - thanks and sorry for the delay - i don't always have access to the system :-s Anyway, here are the keys i've tried w/o success... for now, i'm testing it on my account on their 'puter. I'm assuming that extra/useless keys will be ignored by Vista.
     HKLM
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DisallowRun]
     "1"="Solitaire.exe"
     "0"="GameConsole-wt.exe"
     "2"="WinBej2-WT.exe"
     "3"="Blackhawk2-WT.exe"
     "4"="BlasterBall3-WT.exe"
     "5"="Buildalot-WT.exe"
     "6"="Fate-WT.exe"
     "7"="penguins-WT.exe"
     "8"="Polar-WT.exe"
     "9"="golf-WT.exe"
     "10"="tradewinds-WT.exe"
     "12"="Virtual Villagers - The Lost Children-WT.exe"
     "11"="freecell.exe"
     Then for HKU ( default and the original "owner" acct ), HKCU
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
     "DisallowRun"=dword:00000001
     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     "DisallowRun"=dword:00000001
     After reboots, i still can't get these to stick as the programs always seem to load and run :-s I'm thinking that perhaps Vista Basic might not include this ability - but also, i'm thinking i'm doing something not quite right here. Thanks again.
  6. My Favorite is Zone Alarms Extreme Edition. I am really impressed with it. While in remote sessions, i've been able to configure it so i cannot see:
     - what the end user is typing into a window. For example, entering a URL, typing into a chat/IM box.
     - Random letters appear in any open applications - even ones i've opened
     - anything but a black screen
     The value here should be apparent, as key loggers, and programs which take screen shots, are rendered ineffective. The default is the black screen. Going back to Zone Alarms Internet Security Suite ( included in ZAEE ), the Self-Protect option does not allow me to remotely send keys or click on any ZA window. Of course, i also like that even if the EU clicks Yes, download and Install This Virus, it still stops the infection from happening. That and it plays pretty well with "free" independent checks ( Windows Defender, Spybot S&D, MalwareBytes, sysclean, hjt ). The bad side is, the longer a PC is on, the more memory it consumes, so daily reboots are required. Also, those first 21 days of Auto-Learn can be kind of rough.
  7. Yes, Vista Basic - why? Idk, but i picked up a client who has 2 desktops running Vista Basic. Anyway, back in XP, there was a Registry sub-key where i could list the names of executables in both HKCU and HKLM Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun. This sub-key appears no longer to be valid. So i'm wondering if there is a new key out there for Vista to stop running programs... The issue is, an employee at one of the terminals is playing games far too often - and they know how to add/remove programs and everyone has administrator rights. Anyway, maybe i'm just doing things wrong, or maybe it's just Vista Basic, but does anyone know how to DisallowRun in Vista? Thank you
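Added example, not code from the thread: the documented registry layout of the "Don't run specified Windows applications" policy that posts 5 and 7 above are trying to reproduce, written as a PowerShell script. The DWORD switch on the Explorer key and the numbered REG_SZ values under the DisallowRun subkey match the XP layout post 7 quotes; the list of game executables is a constructed sample. Two assumptions are built in: the policy is per-user, so the documented location is the user hive (HKCU) of the account to be restricted, and Explorer only enforces it for programs launched through the shell, so an account with administrator rights can still start the same program from a command prompt or by renaming it.

```powershell
# Added example, not from the thread: writes the documented layout of the
# "Don't run specified Windows applications" policy for the current user.
# Assumptions: the policy is per-user (HKCU), and Explorer only enforces it for
# programs started through the shell; run it in the account to be restricted.
param(
    # Constructed sample; replace with the executables to block (bare file names).
    [string[]]$Blocked = @('Solitaire.exe', 'freecell.exe', 'GameConsole-wt.exe')
)

$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey     = Join-Path $explorerKey 'DisallowRun'

# The on/off switch: a DWORD named DisallowRun directly under ...\Policies\Explorer.
if (-not (Test-Path $explorerKey)) { New-Item -Path $explorerKey -Force | Out-Null }
Set-ItemProperty -Path $explorerKey -Name 'DisallowRun' -Value 1 -Type DWord

# The list: a subkey also named DisallowRun, holding REG_SZ values whose names
# are 1, 2, 3, ... and whose data is the file name only (no path). Recreate it
# so entries from an earlier run do not linger.
if (Test-Path $listKey) { Remove-Item -Path $listKey -Recurse -Force }
New-Item -Path $listKey -Force | Out-Null
$index = 1
foreach ($exe in $Blocked) {
    New-ItemProperty -Path $listKey -Name ([string]$index) -Value $exe -PropertyType String | Out-Null
    $index++
}

# Read back what was written, so the layout can be compared against the
# attempts quoted in the thread before logging off and on to let Explorer
# pick the policy up.
Get-ItemProperty -Path $explorerKey -Name 'DisallowRun' | Select-Object -Property DisallowRun
Get-ItemProperty -Path $listKey | Select-Object -Property * -ExcludeProperty PS*
```

Run it as the user who should be restricted (it writes only to that user's hive), then log that user off and on. Because the check lives in Explorer, it is a convenience control against casual use, not a security boundary; on a machine where every account is an administrator, as the post describes, the user can simply remove the keys again.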
  8. For the past few months i've been dealing with a new RootKit Virus. I'm not exactly sure what it's stealing or doing, but it's pretty bad. So far, i've found it only on XP systems. Surprisingly, no one detects it or has a solution out yet. The worst thing about this FystemRoot is once the virus is cleaned - AU and BITS need to be repaired and permissions reset manually <- That's the bad part - people are clean, but their system is still corrupted.
     * update * It seems the Task Scheduler is now being corrupted as well. Just came across this on a system * update *
     I've tried McAfee, Kaspersky, Symantec, F-Force, MalwareBytes, Prevx, ( zone alarm ), Spybot.... everything i could, but only Manually Cleaning fixes it. It defeats HiJack This from fully running, and combofix wasn't much help either.
     If infected, 100% of the time:
     - System Event Log shows DCOM errors about BITS not being able to be loaded
     - Trying to set Automatic Updates or BITS through services.msc gives an error about permission or access
     - Searching your registry for fystemroot yields a result. Yes, it is FystemRoot not SystemRoot as it should be.
     The rumor mill suggests it gets in through an IE exploit - but i'm not too sure about that, as the people i've found infected use either FireFox or Flock. I've seen this virus since about early February, could even be late January. I figured it was new and so the AV companies would include it soon, however - so far, there is just scattered talk in some forums. Aside from not being able to fix WUAUServ or BITS, the other interesting feature about this is, it runs your other browser ( flock, opera, chrome, mozilla ) in a sandbox and forces IE as your default browser; it disables the always check feature. However, all links open up in whatever browser you are using and icons still show your browser of choice.
     Since something is going on with IE 6/7, perhaps updating to IE 8 might be worth it. Safe Mode does not always clean it out, so the Recovery Console is sometimes required.
     To find the name of the infections is fairly easy. Through the registry ( independent registry editors have no effect ~ tried through cmd, regedit, wsh... ) go to HKLM\SYSTEM\CurrentControlSet\Services ( yes, it exists in ControlSet00n as well ). Then one by one go through each service until you get an error message. Usually there are two ( most people however are suggesting only one ). Write down the names of the keys which cannot be read. Usually these are numbers or letters and numbers. The files typically live in ( this could change if the hacker updates their code ) %windir%\system32\drivers
     Before going into the recovery console set
     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole]
     "SetCommand"=dword:00000001
     If you're able to, as sometimes SR cannot be disabled:
     - Clear ALL System Restore Points
     - Set the Size To the Minimum
     - Turn Off System Restore
     - Edit your boot.ini to start in the Recovery Console. Add another entry to start in Safe Mode with the Command Prompt.
     - Disconnect from the web, reboot to the recovery console, and delete the <found names>.sys
     - Reboot into Safe Mode whilst holding down the Left Shift Key until you are at the cmd prompt and hdd activity has stopped ALL.
     - Through the cmd prompt, navigate to and run Spybot and MalwareBytes. Between those two, it finds further infections - note the logs, and search your registry for them, and delete them. I've found, whilst file info is removed, the registry entries are not always removed.
     Delete all restore points and turn off System Restore; yes i've found infections have been in the System Volume Information Folder. A further step i've used is in a batch file run from the root of your drive, something along the lines of:
     @echo off
     if exist c:\infctns.txt del c:\infctns.txt
     rem list every .exe / .sys whose name starts with a digit, full paths, all attributes
     for %%a in (1 2 3 4 5 6 7 8 9) do (
         dir %%a*.exe %%a*.sys /b /a /s >> c:\infctns.txt
     )
     rem walk the list line by line; skip the legitimate 1394* and 61883* drivers
     for /f "usebackq delims=" %%a in ("c:\infctns.txt") do (
         echo %%~nxa | findstr /b /i "1394 61883" >nul || (
             attrib -r -a -s -h "%%a"
             erase /f /q "%%a"
         )
     )
     As of yet, i haven't found any legit programs which start with numbers and are exe's or sys files ~ oops forgot to mention the 1394 and 61883 files - you'll want to add an "if not" part to it. Running CCleaner ( for both files ~ uncheck the older than 48 hrs option ~ and registry ) is a good idea, as now the temp folders contain new items. Open your registry editor, find and delete the keys of the names you found - including the ones we had to manually delete. After all that, now you should be able to open up explorer. In your "documents and settings" folders, check the temps & start up folders for extra files which this has dropped. Don't forget the Default User. Run CCleaner.
     FIXING WUAU AND BITS AND TASK SCHEDULER
     The final step is to reset the permissions for BITS and WUAUServ
     - Click Start | Run
     - Type in: dcomcnfg.exe
     - Click OK
     - Click your way from Component Services to DCOM Config and the BITS. Set it to defaults. Do the same for Windows Update. Umm - Right-Click and Select Properties, btw
     - Enter your Registry and head towards HKLM\SYSTEM\CurrentControlSet\Services
     - For BITS, WUAUSERV, * update * Schedule * update *: Add/Give SYSTEM rights. Make sure it's set to %SystemRoot% and no longer %fystemroot%
     - Through Services, set BITS to Manual and AU to Automatic ( default settings ).
     - Clear your event logs, and reboot.
     So far as i can tell, you should now be able to start XP in a normal environment, but still be disconnected, and hold down the Left Shift Key. Connect up to Windows Updates and see if you are fine.
     Of course, check your event logs to make sure you are still safe. If you can't connect up to Windows Update, then i've removed the WU controls from IE, cleaned the registry of their references, and have had IE reinitialize the WU controls.
     SPECULATION
     Some of the other infections which seem to have appeared along with this infection also seem to cause a registry editor and/or a command box to shut down after a few moments. So if you are running sysclean, or some other av/as removal tool from a cmd, it simply will not run or complete. However, these other infections ( including Vundo ) do seem to be detected and removed by most anti-malware vendors. On some occasions, i have found references to a hidden file in the registry %windir%\system32\..\<random file name>.randomExtension ~ for example Wsj.dst. This hidden file appears to have further rootkit abilities - as once it's removed, i've found more infections. Not specifically related to the fystemRoot, as it appears to be a launcher/transport/proxy, but check out parse AutoExec.bat settings, winlogon, wininit, as well as the win.ini file. I have no idea if this infects your anti-malware s/w. Once i find an infection, i assume anti-malware products are rendered useless and uninstall the lot ~ as well as Java. I will say, i have noticed that av and as products do still detect infections, just not this one.
     Alright - did i miss anything? Any mistakes or errors?
     Keywords: %fystemroot% %systemroot% Cannot set Automatic Updates Background Intelligent Transfer Service Access Denied Permission Error Virus Trojan Worm RootKit HiJackThis HJT
     Still with update issues? 1-866-PC-Safety <- that's msft's Windows Update Help Line
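Added example, not code from the thread: a read-only PowerShell triage script for the symptoms post 8 describes, namely service keys under HKLM\SYSTEM\...\Services that cannot be opened, ImagePath values that reference %fystemroot% instead of %SystemRoot%, digit-named .sys files in %windir%\system32\drivers, and DCOM errors about BITS in the System event log. It reports and changes nothing; the removal steps in the post stay manual. Assumptions: Windows PowerShell 2.0 or later is installed on the XP machine and the script runs from an administrator account; the service names (wuauserv, BITS, Schedule), the %fystemroot% string, the ControlSet00n remark and the 1394/61883 driver exceptions are taken from the post. A rootkit that hides its key from the registry APIs entirely would not show up here; an unreadable key, which is what the post reports, does.

```powershell
# Added example, not code from the thread: read-only triage for the symptoms
# described in the post. It reports findings and deletes or changes nothing.
# Assumptions: Windows PowerShell 2.0+ on the affected XP machine, run from an
# administrator account; service names, the %fystemroot% string and the
# 1394/61883 driver exceptions come from the post.

$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Area, [string]$Item, [string]$Detail) {
    [void]$findings.Add((New-Object PSObject -Property @{ Area = $Area; Item = $Item; Detail = $Detail }))
}

$hklm = [Microsoft.Win32.Registry]::LocalMachine

# 1. Walk every control set, not only CurrentControlSet, since the post notes
#    the rogue service keys are mirrored into ControlSet00n.
$system = $hklm.OpenSubKey('SYSTEM')
$controlSets = @('CurrentControlSet') + ($system.GetSubKeyNames() | Where-Object { $_ -match '^ControlSet\d+$' })
foreach ($cs in $controlSets) {
    $servicesPath = "SYSTEM\$cs\Services"
    $services = $hklm.OpenSubKey($servicesPath)
    if ($services -eq $null) { continue }
    # GetSubKeyNames only enumerates names, so it still lists a child key whose
    # ACL has been locked down; opening that child is what fails.
    foreach ($name in $services.GetSubKeyNames()) {
        $svc = $null
        try {
            $svc = $services.OpenSubKey($name)
        } catch {
            Add-Finding 'Registry' "$servicesPath\$name" ("cannot open key: " + $_.Exception.Message)
            continue
        }
        if ($svc -eq $null) {
            Add-Finding 'Registry' "$servicesPath\$name" 'cannot open key (OpenSubKey returned null)'
            continue
        }
        # DoNotExpandEnvironmentNames keeps the REG_EXPAND_SZ text as typed, so a
        # %fystemroot% reference is visible instead of expanding to nothing.
        $image = [string]$svc.GetValue('ImagePath', '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        if ($image -match 'fystemroot') {
            Add-Finding 'Registry' "$servicesPath\$name" "ImagePath = $image"
        }
        $svc.Close()
    }
    $services.Close()
}
$system.Close()

# 2. The services the post says get broken should still start their ImagePath
#    with %SystemRoot%.
$ccs = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services')
foreach ($name in 'wuauserv', 'BITS', 'Schedule') {
    $svc = $null
    try { $svc = $ccs.OpenSubKey($name) } catch { $svc = $null }
    if ($svc -eq $null) { Add-Finding 'Service' $name 'key missing or not readable'; continue }
    $image = [string]$svc.GetValue('ImagePath', '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($image -notmatch '^%SystemRoot%') { Add-Finding 'Service' $name "ImagePath does not start with %SystemRoot%: $image" }
    $svc.Close()
}
$ccs.Close()

# 3. Driver files whose names start with a digit, minus the two legitimate
#    IEEE 1394 drivers the post calls out, are candidates for manual review.
$driverDir = Join-Path $env:windir 'system32\drivers'
Get-ChildItem -Path $driverDir -Filter '*.sys' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^\d' -and $_.Name -notmatch '^(1394|61883)' } |
    ForEach-Object { Add-Finding 'Driver' $_.FullName ("size {0} bytes, written {1}" -f $_.Length, $_.LastWriteTime) }

# 4. DCOM errors mentioning BITS in the System event log are the symptom the
#    post reports on every infected machine. An empty result means no such
#    entries among the newest 200 DCOM errors (or that the log could not be read).
Get-EventLog -LogName System -Source DCOM -EntryType Error -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'BITS' } |
    ForEach-Object {
        $firstLine = $_.Message.Split("`n")[0]
        Add-Finding 'EventLog' ("Event {0} at {1}" -f $_.EventID, $_.TimeGenerated) $firstLine
    }

if ($findings.Count -eq 0) { "No findings." } else { $findings | Format-Table Area, Item, Detail -AutoSize -Wrap }
```

Run it before cleaning to get the list of key names the post tells you to write down, and again after the repair steps to confirm that every service key opens, that wuauserv, BITS and Schedule point at %SystemRoot% again, and that the DCOM errors have stopped appearing in a fresh event log.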