Network Security Focus-Virus

RE: Virus or trojan help

Subject: RE: Virus or trojan help
Date: Fri, 13 Oct 2006 20:08:06 -0400
You may want to try going at this like you would a forensic analysis if you
REALLY want to ID the bug and remove it, but personally, I would say your
best bet is to wipe the system and install again.  What it sounds like is
you have a particularly nasty piece of unknown malware on your system, and
if it has killed your A/V, it has probably also invited a few others in as
well, like remote access trojans and the like.  You may never be 100% sure
that you have eliminated all of the malware.

That being said, I personally would use a different, known clean system to
create a forensic boot-CD or boot-USB.  Helix is a good one, as is Bart-PE.
Follow the instructions to the letter to create one that is "forensically
sound", meaning it doesn't rely on the hard disk to create swapfiles and the
like.

While this media is being prepared, grab a few tools like FileMon or other
tracking utils.  Then run through your A/V install again.  Filemon should
pinpoint what exe is activated to delete the files.

Copy onto the new bootable media an antivirus package of your choice.  If
you use Bart-PE, you can use just about any.  I would also look at Sophos'
free Rootkit Detection tool, because it sounds like your bug might be deep
in the O/S.  Grab as many forensic tools as you can, because your
description is vague.

Boot 'er up with your new media, and have at her.  Scan everything.  Examine
the registry load points.  If you have disk utilities, check the master boot
record in case something is loading at that level.

If and when you find it, DON'T just delete it!  Zip and copy the offending
software onto another USB stick that you don't care about.  Then remove it
from your system.  Now you can reboot and see if you still have any traces
of the problem.  If not, send that zip file to your A/V vendor to examine.
Could be a new one that they don't have a detection mechanism for yet.
Then, wipe that system anyway.  It's not worth the risk of your personal
information and life savings.

Cheers and good luck with that!
Mark

http://www.nu2.nu/pebuilder/
http://www.e-fense.com/helix/
http://www.sysinternals.com/Utilities/Filemon.html
http://www.sysinternals.com/
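Mark's advice to let FileMon pinpoint which process deletes the freshly extracted A/V files can be turned into a small triage script; the example below is added here and is not from the post or from Sysinternals. It assumes a tab-separated FileMon export with the columns seq, time, process:pid, request, path, result, other, and every log line in it is constructed.

```python
from collections import defaultdict
# Constructed sample export (not a real capture); assumed tab-separated
# layout: seq, time, process:pid, request, path, result, other.
SAMPLE_LOG = """\
101\t1:40:02 PM\tsetup.exe:1840\tOPEN\tC:\\Temp\\avsetup.exe\tSUCCESS\tOptions: Open  Access: All
102\t1:40:02 PM\tsetup.exe:1840\tWRITE\tC:\\Temp\\avsetup.exe\tSUCCESS\tOffset: 0 Length: 65536
103\t1:40:03 PM\tbadproc.exe:2212\tOPEN\tC:\\Temp\\avsetup.exe\tSUCCESS\tOptions: Open  Access: Delete
104\t1:40:03 PM\tbadproc.exe:2212\tSET INFORMATION\tC:\\Temp\\avsetup.exe\tSUCCESS\tFileDispositionInformation
105\t1:40:03 PM\tbadproc.exe:2212\tCLOSE\tC:\\Temp\\avsetup.exe\tSUCCESS\t
106\t1:40:04 PM\tsetup.exe:1840\tOPEN\tC:\\Temp\\avsetup.exe\tNOT FOUND\tOptions: Open  Access: All
107\t1:40:10 PM\texplorer.exe:1520\tDELETE\tC:\\Temp\\readme.txt\tSUCCESS\t
108\t1:40:11 PM\tbadproc.exe:2212\tDELETE\tC:\\Temp\\Update\\wuinstall.exe\tSUCCESS\t
"""

def parse_line(line):
    """Split one export line into a dict; return None for malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 6 or not fields[0].isdigit():
        return None
    seq, time, process, request, path, result = fields[:6]
    return {"seq": int(seq), "time": time,
            "process": process.rsplit(":", 1)[0],   # strip the ":pid" suffix
            "request": request.upper(), "path": path, "result": result,
            "other": fields[6] if len(fields) > 6 else ""}

def is_delete(ev):
    """A successful DELETE, or SET INFORMATION/FileDispositionInformation (delete-on-close)."""
    if ev["result"] != "SUCCESS":
        return False
    if ev["request"] == "DELETE":
        return True
    return (ev["request"] == "SET INFORMATION"
            and "FileDispositionInformation" in ev["other"])

def find_exe_deleters(log_text, suffix=".exe"):
    """Map each process name to the files ending in `suffix` it deleted."""
    deleters = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and is_delete(ev) and ev["path"].lower().endswith(suffix):
            deleters[ev["process"]].append(ev["path"])
    return dict(deleters)

def prime_suspect(log_text):
    """Name of the process that deleted the most executables, or None."""
    deleters = find_exe_deleters(log_text)
    if not deleters:
        return None
    return max(deleters, key=lambda name: len(deleters[name]))
```

The installer's own OPEN that comes back NOT FOUND right after the deletion is the "cannot find the file" error the original poster saw; the process named by `prime_suspect` is the one to zip up for the A/V vendor and to look for among the registry load points.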

-----Original Message-----
From: listbounce@securityfocus.com
[mailto:listbounce@securityfocus.com]On Behalf Of gmx
Sent: Friday, October 13, 2006 1:40 PM
To: genome
Cc: focus-virus@securityfocus.com
Subject: Re: Virus or trojan help


Hello genome,

The virus must be starting somehow, so I suggest you check the
registry, maybe using hjt (HijackThis) to see what is loaded at
run-time. If it still won't work, take your time and do a boot-up
protocol (it's in the same menu where you can select safe mode) and read it
then; there you will be able to see what services the system loads
while booting and kill the ones which look suspect to you.
Once you've killed the virus's possibility to load/start you should be able
to install some A/V and kill the rest of the garbage.
If some system entries have been modified that badly (I don't think they
are), maybe a new installation will be the only way to get out.


--
Best regards,
 Adam Pal

Thursday, October 12, 2006, 8:08:19 AM, you wrote:

<==============Original message text===============
g> hello..
g> I am infected with a virus or a trojan that will not allow me to execute
g> and install any antivirus software or even install any Windows updates
g> offline or online... It simply deletes certain exe files when extracted to
g> the hard disk.. and the software installation gives an error saying it
g> cannot find the file...

g> I tried booting in safe mode from XP and extracting the files manually but
g> the antivirus won't install because it's safe mode, so I boot XP normally
g> and browse to the extraction directory only to find right in front of my
g> eyes the exe being deleted by the unknown virus.. tried different antivirus
g> and they all won't install... but other software that is not an antivirus
g> will install...
g> I tried using an online scanner from BitDefender but it did not detect
g> any..
g> I tried closing all running processes in task manager and services running,
g> still no avail..

g> anyone know what virus or trojan acts like this..can anyone please
g> inform me of its name so I may come to the right way of tracking a
g> solution..

g> thanks...
<===========End of original message text===========