
Thread: closing spybot avg etc

  1. #1
    Gaz Guest

    closing spybot avg etc

    Come across an irritating little bugger....

    It prevents an XP system from booting into safe mode.
    It prevents Spybot from installing.
    It prevents AVG from installing.
    Ad-Aware gives it a clean bill of health.
    Multi-AV finds various viruses but claims to have deleted them.
    SmitfraudFix doesn't find anything.
    Trend anti-virus, when scanning, causes a BSOD.
    When installing the new AVG anti-virus the active shield won't run, and it
    finds a not-a-virus.win32.realserver.b.
    Causes a BSOD when SuperAntiSpyware is running.
    Machine completely cleansed with HijackThis....

    Any ideas??

    The trend online scanner found these:
    adware bestoffers
    adware_istbar
    adware_funwebproducts
    adware_bho_myway
    adware_ibiswebsearch

    Gaz



  2. #2
    Andy Walker Guest

    Re: closing spybot avg etc

    Gaz wrote:

    >machine completely cleansed with hijack this....
    >
    >Any ideas??


    Hijackthis requires user input; what did you do to "cleanse"? If no
    other program deleted the original problem files the pc is not clean
    yet.

  3. #3
    Gaz Guest

    Re: closing spybot avg etc

    Andy Walker wrote:
    > Gaz wrote:
    >
    >> machine completely cleansed with hijack this....
    >>
    >> Any ideas??

    >
    > Hijackthis requires user input; what did you do to "cleanse"? If no
    > other program deleted the original problem files the pc is not clean
    > yet.


    The only files left following a HijackThis scan are those that should be there.
    The system is still infected, but HijackThis is not sufficient at removing
    it.

    Gaz



  4. #4
    Gaz Guest

    Re: closing spybot avg etc

    Gaz wrote:
    > Andy Walker wrote:
    >> Gaz wrote:
    >>
    >>> machine completely cleansed with hijack this....
    >>>
    >>> Any ideas??

    >>
    >> Hijackthis requires user input; what did you do to "cleanse"? If no
    >> other program deleted the original problem files the pc is not clean
    >> yet.

    >
    > The only files left following a hijackthis scan, those that should be
    > there.
    > The system is still infected, but hijackthis is not sufficient at removing
    > it.
    >
    > Gaz


    OK, it seems that it is some kind of Bagle variant hiding itself as a rootkit,
    especially m_hook.sys.

    Gaz



  5. #5
    Andy Walker Guest

    Re: closing spybot avg etc

    Gaz wrote:

    >Gaz wrote:
    >> Andy Walker wrote:
    >>> Gaz wrote:
    >>>
    >>>> machine completely cleansed with hijack this....
    >>>>
    >>>> Any ideas??
    >>>
    >>> Hijackthis requires user input; what did you do to "cleanse"? If no
    >>> other program deleted the original problem files the pc is not clean
    >>> yet.

    >>
    >> The only files left following a hijackthis scan, those that should be
    >> there.
    >> The system is still infected, but hijackthis is not sufficient at removing
    >> it.
    >>
    >> Gaz


    I'm sorry, I misunderstood what you had written.

    >ok, it seems that it is some kind of bagle variant hiding itself as rootkit
    >especially m_hook.sys
    >
    >Gaz


    You'll need to run a rootkit reveal/remove program to get rid of it.
    If you don't have one you can try BlackLight from F-Secure (free...for
    now)

    http://www.f-secure.com/blacklight/try_blacklight.html

    Another way to get rid of it may be to boot using a boot disk and
    navigate to the hidden directory in a DOS window and delete the files.

    The rootkit is most likely located in

    c:\documents and settings\{current user}\Application Data\hidn

    Here's a pretty good analysis of the rootkit infection

    http://www.fortinet.com/VirusEncyclo...tly&fid=226180
    or
    http://************/w6dzf

    This is definitely not an easy fix but at least you're one step ahead
    of the game by identifying the malware.

  6. #6
    Gaz Guest

    Re: closing spybot avg etc

    Andy Walker wrote:
    > Gaz wrote:
    >
    >> Gaz wrote:
    >>> Andy Walker wrote:
    >>>> Gaz wrote:
    >>>>
    >>>>> machine completely cleansed with hijack this....
    >>>>>
    >>>>> Any ideas??
    >>>>
    >>>> Hijackthis requires user input; what did you do to "cleanse"? If no
    >>>> other program deleted the original problem files the pc is not clean
    >>>> yet.
    >>>
    >>> The only files left following a hijackthis scan, those that should be
    >>> there.
    >>> The system is still infected, but hijackthis is not sufficient at
    >>> removing
    >>> it.
    >>>
    >>> Gaz

    >
    > I'm sorry, I misunderstood what you had written.
    >
    >> ok, it seems that it is some kind of bagle variant hiding itself as
    >> rootkit
    >> especially m_hook.sys
    >>
    >> Gaz

    >
    > You'll need to run a rootkit reveal/remove program to get rid of it.
    > If you don't have one you can try BlackLight from F-Secure (free...for
    > now)
    >
    > http://www.f-secure.com/blacklight/try_blacklight.html
    >
    > Another way to get rid of it may be to boot using a boot disk and
    > navigate to the hidden directory in a DOS window and delete the files.
    >
    > The rootkit is most likely located in
    >
    > c:\documents and settings\{current user}\Application Data\hidn
    >
    > Here's a pretty good analysis of the rootkit infection
    >
    > http://www.fortinet.com/VirusEncyclo...tly&fid=226180
    > or
    > http://************/w6dzf
    >
    > This is definitely not an easy fix but at least you're one step ahead
    > of the game by identifying the malware.


    I used ERD Commander to remove the files (sorry, I am lazy and over-dependent
    on GUIs), now sorted...

    This whole rootkit development is very worrying; spyware distributors etc.
    are going to start masking their software using this technique as a matter
    of routine.


    Gaz



  7. #7
    Dustin Cook Guest

    Re: closing spybot avg etc

    "Gaz" <gazter@msn.com> wrote in news:4vuu3fF1dm0h2U1@mid.individual.net:

    > Andy Walker wrote:
    >> Gaz wrote:
    >>
    >>> Gaz wrote:
    >>>> Andy Walker wrote:
    >>>>> Gaz wrote:
    >>>>>
    >>>>>> machine completely cleansed with hijack this....
    >>>>>>
    >>>>>> Any ideas??
    >>>>>
    >>>>> Hijackthis requires user input; what did you do to "cleanse"? If
    >>>>> no other program deleted the original problem files the pc is not
    >>>>> clean yet.
    >>>>
    >>>> The only files left following a hijackthis scan, those that should
    >>>> be there.
    >>>> The system is still infected, but hijackthis is not sufficient at
    >>>> removing
    >>>> it.
    >>>>
    >>>> Gaz

    >>
    >> I'm sorry, I misunderstood what you had written.
    >>
    >>> ok, it seems that it is some kind of bagle variant hiding itself as
    >>> rootkit
    >>> especially m_hook.sys
    >>>
    >>> Gaz

    >>
    >> You'll need to run a rootkit reveal/remove program to get rid of it.
    >> If you don't have one you can try BlackLight from F-Secure
    >> (free...for now)
    >>
    >> http://www.f-secure.com/blacklight/try_blacklight.html
    >>
    >> Another way to get rid of it may be to boot using a boot disk and
    >> navigate to the hidden directory in a DOS window and delete the
    >> files.
    >>
    >> The rootkit is most likely located in
    >>
    >> c:\documents and settings\{current user}\Application Data\hidn
    >>
    >> Here's a pretty good analysis of the rootkit infection
    >>
    >> http://www.fortinet.com/VirusEncyclo...pediaSearch.do
    >> ?method=viewVirusDetailsInfoDirectly&fid=226180 or
    >> http://************/w6dzf
    >>
    >> This is definitely not an easy fix but at least you're one step ahead
    >> of the game by identifying the malware.

    >
    > I used erd commander to remove the files (sorry i am lazy and over
    > dependent on gui), now sorted...
    >
    > This whole rootkit development is very worrying, spyware distributors
    > etc are going to start masking their software using this technique as
    > a matter of routine.
    >
    >
    > Gaz
    >
    >
    >


    Hiya Gaz, should you run across something like this again, feel free to
    send samples along to me. If BugHunter doesn't presently detect the
    files, it will.


    --
    Dustin Cook
    Author of BugHunter - MalWare Removal Tool -V2.0
    web: http://bughunter.it-mate.co.uk
    email: bughunter.dustin@gmail.com.removethis
    Last updated: January 4th, 2007

  8. #8
    Larry Fisk Guest

    Re: closing spybot avg etc - m_hook.sys

    I cured the failure to boot to safe mode by copying and merging
    "HKLM\SYSTEM\ControlSet001\Control\SafeBoot"
    from a healthy XP system to the infected systems, after I had cleaned the
    rootkit with F-Secure BlackLight and manually deleted the hidden files
    "hidr.exe" and "m_hook.sys"
    in c:\documents and settings\{current user}\Application Data\hidn
    using HijackThis's "delete a file on reboot" utility
    (found under the "Misc Tools" section).
    Worked on two different systems.

    "Gaz" <gazter@msn.com> wrote in message
    news:4vr8ggF1dbrcqU1@mid.individual.net...
    > Come across an irritating little bugger....
    >
    > It prevents an xp system from booting into safe mode.
    > It prevents spybot from installing
    > It prevents AVG from installing
    > Adaware gives it a clean bill of health
    > mulit-av finds various viruses but claims to have deleted them
    > smitfraudfix doesnt find anything
    > Trend anti-virus when scanning causes a bsod
    > when installing the new avg antivirus the active shield wont run, and it
    > finds a not-a-virus.win32.realserver.b
    > causes a bsod when superantispyware is running
    > machine completely cleansed with hijack this....
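
    The two cleanup steps described in the thread (post #5's "delete the hidden files in ...\Application Data\hidn" and post #8's "restore the SafeBoot key, then delete hidr.exe and m_hook.sys on reboot") as one added PowerShell script. This is an editor's example, not code from any of the posters or from HijackThis/BlackLight. The file and directory names come from the thread; the export file location C:\SafeBoot.reg and the use of CurrentControlSet (the live alias of the ControlSetNNN Larry Fisk copied) are assumptions. It uses the same Windows mechanism that reboot-delete utilities rely on: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the path in PendingFileRenameOperations for the Session Manager to process early in boot.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# infected XP/Windows system after the rootkit driver has been disabled or
# removed (e.g. with BlackLight or offline from a boot disk / ERD Commander).
# Caveat: while m_hook.sys is still loaded it hides the files, so Test-Path
# may report them absent; the reboot-time delete below is queued regardless.

$ErrorActionPreference = 'Stop'

# --- Step 1: check the SafeBoot key; restore it from a healthy machine's export ---
# On the healthy XP system, export first:
#   reg export "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot" C:\SafeBoot.reg
$safeBoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$exportFile = 'C:\SafeBoot.reg'    # assumed location of the healthy export

function Test-SafeBootKey {
    # Safe mode needs both SafeBoot\Minimal and SafeBoot\Network, each with
    # entries listing the drivers/services allowed to load.
    foreach ($sub in 'Minimal', 'Network') {
        $path = Join-Path $safeBoot $sub
        if (-not (Test-Path $path)) { return $false }
        if (@(Get-ChildItem $path).Count -eq 0) { return $false }
    }
    return $true
}

if (Test-SafeBootKey) {
    Write-Host "SafeBoot key looks intact"
} elseif (Test-Path $exportFile) {
    Write-Host "SafeBoot key missing or empty; importing $exportFile"
    & reg.exe import $exportFile
    if (-not (Test-SafeBootKey)) { throw "SafeBoot still incomplete after import" }
} else {
    throw "SafeBoot key damaged and no export found at $exportFile"
}

# --- Step 2: queue the hidden rootkit files for deletion at next reboot ---
# MoveFileEx(existing, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) writes the path into
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
# smss.exe performs the delete during boot, before services start, which is
# why it works on files an on-line delete cannot touch. It does not help if
# the hiding driver is a boot-start driver that is already loaded by then.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName,
                                     string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# On XP $env:APPDATA is C:\Documents and Settings\<user>\Application Data
$hidn    = Join-Path $env:APPDATA 'hidn'
$targets = @('hidr.exe', 'm_hook.sys') | ForEach-Object { Join-Path $hidn $_ }
$targets += $hidn   # directory last: operations run in queue order, files first

foreach ($t in $targets) {
    if ([Win32.Native]::MoveFileEx($t, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        Write-Host "Scheduled for deletion at reboot: $t"
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        Write-Warning "Could not schedule $t (Win32 error $err)"
    }
}

# Show what is queued: each entry is a \??\C:\... path followed by an empty
# string (empty destination means delete).
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty $sm).PendingFileRenameOperations
```

After the reboot, re-run the SafeBoot check and confirm the hidn directory is gone before declaring the machine clean; if the files reappear, the driver was still loading at boot and has to be removed offline, as the thread's BlackLight / boot-disk / ERD Commander routes do.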



