PLA Forums

Other Stuff That Has Little To Do With PLA => Techinical Shit => Technical Support => Topic started by: Vila on May 04, 2008, 05:06:39 AM

Title: A Trojan Question
Post by: Vila on May 04, 2008, 05:06:39 AM
A friend of mine over at CZ ran into a tricky Trojan and I told him I'd ask you guys about it since odds are one of you wrote it. (Or do I think too highly of you guys?!)

Quote
From: Death Stalker, posted Sunday, May 04, 2008 3:52:39 AM
The last few days I have been literally running my virus sweeper non-stop to get rid of the effects of a Trojan Horse that appeared. My sweeper seems to be doing the job getting rid of it but it has filled my Fonts folder with literally tens of thousands of Movie, Program, and Game names. It has been five days and it is only on the letter S but so far I have seen movies like Sin City, programs such as various DVD converters, and games such as Star Wars Battlefront.

If I go into my actual Fonts folder they aren't there but is there a faster way of getting rid of all this?

You can read his original post here: http://www.cryptozoology.com/forum/topic_view_thread.php?tid=25&pid=568190
Title: Re: A Trojan Question
Post by: Zazen on May 04, 2008, 07:10:41 AM
The fonts folder is called a shell extension. When you open it up it doesn't show you files like every other folder, rather it processes a friendly list of installed fonts and shows them to you in a nice way. If he has a file in there that's setting off his antivirus it won't show up unless it's a font. If he uses the command line he can see and delete the real files.

Is this problem hampering his quest for bigfoot?
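One way to see the real files behind the Fonts shell extension, added here as an example (not Zazen's code or anything from the thread), assuming PowerShell 3 or later run as administrator; it lists files with non-font extensions and files whose header does not match their font extension, and deletes nothing:

```powershell
# Added example, not from the thread: list what is really in the Fonts folder,
# bypassing the shell extension view. Files with a non-font extension, or a
# font extension whose header does not look like a font, are reported with
# full paths for review (desktop.ini is expected there). Nothing is deleted.
$fontDir = Join-Path $env:windir 'Fonts'
$fontExt = @('.ttf', '.ttc', '.otf', '.fon', '.pfb', '.pfm', '.compositefont')

function Test-FontHeader {
    param([string]$Path)
    # Magic numbers: TrueType 00 01 00 00 / 'true' / 'ttcf', OpenType 'OTTO',
    # .fon is a 16-bit/PE executable ('MZ'), Type 1 .pfb starts with 0x80 0x01.
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $b = New-Object byte[] 4
        $n = $fs.Read($b, 0, 4)
        if ($n -lt 2) { return $false }
        $tag = [System.Text.Encoding]::ASCII.GetString($b, 0, $n)
        switch -Regex ([System.IO.Path]::GetExtension($Path).ToLower()) {
            '^\.(ttf|ttc|otf)$' {
                return (($b[0] -eq 0 -and $b[1] -eq 1 -and $b[2] -eq 0 -and $b[3] -eq 0) -or
                        ($tag -in @('true', 'ttcf', 'OTTO')))
            }
            '^\.fon$' { return $tag.StartsWith('MZ') }
            '^\.pfb$' { return ($b[0] -eq 0x80 -and $b[1] -eq 1) }
            default   { return $true }   # .pfm/.compositefont: no fixed magic, accept
        }
    } finally { $fs.Dispose() }
}

$suspect = Get-ChildItem -LiteralPath $fontDir -File -Force | ForEach-Object {
    $ext = $_.Extension.ToLower()
    if ($ext -notin $fontExt) {
        [pscustomobject]@{ Path = $_.FullName; Reason = "non-font extension '$ext'" }
    } elseif (-not (Test-FontHeader $_.FullName)) {
        [pscustomobject]@{ Path = $_.FullName; Reason = 'font extension, but header is not a font' }
    }
}
$suspect | Format-Table -AutoSize
# After reviewing the list, quarantine only confirmed junk, e.g.:
# $suspect | ForEach-Object { Move-Item -LiteralPath $_.Path -Destination C:\temp }
```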
Title: Re: A Trojan Question
Post by: MattGSX on May 06, 2008, 09:12:22 AM
You're probably giving us too much credit. I don't think that many people on here actually write trojans/viruses for anything other than informational purposes.

Tell your friend to quit opening files like "pthc PRIVATE UNDERAGE MP4.wav" and his problems shouldn't persist.
Title: Re: A Trojan Question
Post by: mr_doc on May 12, 2008, 04:02:15 PM
It sounds to me like you need to perform a low level format on your hard drive.
Title: Re: A Trojan Question
Post by: trevelyn on May 19, 2008, 04:09:07 AM
Quote
It sounds to me like you need to perform a low level format on your hard drive.
yeah, just backup what you need and get rid of everything - start fresh.  I have been using tools like CleanUp!, Symantec Endpoint, Webroot, HijackThis, etc. and have been getting good at virus removal.  The only virus i haven't been able to remove is FakeAlert which somehow runs even during SafeMode - Hijacks windows message balloons saying "YOU HAVE A VIRUS THRET CLICK HERE TO REMOVE ALL VIRUSES!" etc. most of the time if it takes more than 2 hours for removal i suggest to the person to reinstall.
Title: Re: A Trojan Question
Post by: trevelyn on July 13, 2008, 02:10:56 PM
i got a grip on virus removal from work (that's a bulk of what i do now) and wrote up a paper for virus removal that seems to do well with everyone, so far.

http://weaknetlabs.com/texts/pdf/windows-antivirus.pdf

hope that helps reduce frustration of a lousy OS. :)
Title: Re: A Trojan Question
Post by: CerealKiller on July 13, 2008, 02:28:52 PM
sounds like you need the help of TORJAN MAAAAAAAAN!!!
Title: Re: A Trojan Question
Post by: Tachyon on July 13, 2008, 07:31:36 PM
^Belongs in a thread about Onion Networks
Title: Re: A Trojan Question
Post by: Nod on July 13, 2008, 09:00:15 PM
I'm disappointed. I thought this question was going to have a bunch of people hidden in it that would take over my fort and kill everyone in their sleep.
Title: Re: A Trojan Question
Post by: rogueclown on July 13, 2008, 09:37:38 PM
Quote
I'm disappointed. I thought this question was going to have a bunch of people hidden in it that would take over my fort and kill everyone in their sleep.

i'm not sending anyone after you.  i don't want you to die in your sleep. <3

i sent my hidden armies after....ummm...i'd say, but that would spoil the fun!
Title: Re: A Trojan Question
Post by: Zazen on July 13, 2008, 10:34:37 PM
Quote
i got a grip on virus removal from work (that's a bulk of what i do now) and wrote up a paper for virus removal that seems to do well with everyone, so far.

http://weaknetlabs.com/texts/pdf/windows-antivirus.pdf

hope that helps reduce frustration of a lousy OS. :)

My magic formula for getting rid of that crap is:

-Run sysinternals' autoruns.exe or whatever other tool you like for enumerating everything that runs on startup.
-Write down the full file path of everything that looks like garbage. Don't bother trying to remove the startup entries. Any halfway decent malware will fight back and waste your time, plus if you make a mistake it's hard to put it back the way it was.
-Boot off of anything that lets you access the file system (windows CD in recovery mode, dos-ntfs on hirens, or whatever) and move the offending files to C:\temp to take them out of the picture. Safe mode isn't good enough for this.
-Boot up and the bad stuff won't be running. Get rid of any residual damage, including those now-orphaned startup entries that are probably generating errors about missing files. If you accidentally removed something important just move it back where it belongs and reboot. If there's still crap running, start over and be a little more liberal about what you call garbage.

Works every time for me, and without the need to install 31 flavors of antivirus tools. It's relatively quick too since you don't need to do scans or actually fight against programs while they're running.
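One way to do the "enumerate and write down the paths" part of this method, added here as an example (not Zazen's code or anything from the thread), assuming PowerShell 3 or later run as administrator; it covers only the Run/RunOnce keys and the startup folders (narrower than Autoruns), flags unsigned, missing or user-writable-location files, and removes nothing:

```powershell
# Added example, not from the thread: enumerate common autostart locations,
# resolve each launch string to a file, and write a review list (path, signer
# status, source) to C:\temp\autorun-review.txt. Nothing is removed; as the
# post says, the flagged files get moved while booted from other media.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @([Environment]::GetFolderPath('Startup'),
                 [Environment]::GetFolderPath('CommonStartup'))

function Resolve-LaunchPath {
    param([string]$Launch)
    # Extract the executable from "C:\x\a.exe" /arg or C:\x\a.exe /arg;
    # returns $null when no existing file is found (itself worth noting).
    if ($Launch -match '^"([^"]+)"') { $cand = $Matches[1] }
    elseif ($Launch -match '^(\S+\.(exe|dll|scr|bat|cmd|vbs|js))') { $cand = $Matches[1] }
    else { $cand = ($Launch -split '\s+')[0] }
    $cand = [Environment]::ExpandEnvironmentVariables($cand)
    if (Test-Path -LiteralPath $cand) { return (Resolve-Path -LiteralPath $cand).Path }
    return $null
}

$entries = @(foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        [pscustomobject]@{ Source = $k; Name = $p.Name; Launch = [string]$p.Value }
    }
})
$entries += @(foreach ($d in $startupDirs) {
    Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = $d; Name = $_.Name; Launch = $_.FullName } }
})

$review = foreach ($e in $entries) {
    $path = Resolve-LaunchPath $e.Launch
    $sig = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }
    # Unsigned, missing, or living in a user-writable tree: worth a second look.
    $odd = ($sig -ne 'Valid') -or ($path -match '\\(Temp|AppData|ProgramData)\\')
    $flag = if ($odd) { 'REVIEW' } else { '' }
    [pscustomobject]@{ Flag = $flag; Path = $path; Signature = $sig; Launch = $e.Launch; Source = $e.Source }
}
$review | Sort-Object Flag -Descending | Format-Table -AutoSize
New-Item -ItemType Directory -Path C:\temp -Force | Out-Null
$review | Where-Object { $_.Flag } | Out-File C:\temp\autorun-review.txt
```

The written list is what you take with you to the offline boot; an entry whose file is already missing is usually one of the orphaned startup entries the post mentions.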
Title: Re: A Trojan Question
Post by: MelloKira on July 14, 2008, 06:34:33 AM
Quote
i got a grip on virus removal from work (that's a bulk of what i do now) and wrote up a paper for virus removal that seems to do well with everyone, so far.

http://weaknetlabs.com/texts/pdf/windows-antivirus.pdf

hope that helps reduce frustration of a lousy OS. :)

My magic formula for getting rid of that crap is:

(http://myhangover.files.wordpress.com/2008/02/smashed-computer.jpg)
Title: Re: A Trojan Question
Post by: trevelyn on September 25, 2008, 09:10:15 PM
updated:

http://weaknetlabs.com/texts/pdf/windows-antivirus.pdf

I find new tools all the time, the method i use works 9 times out of 10. 
Title: Re: A Trojan Question
Post by: Zazen on September 25, 2008, 11:51:33 PM
Quote
updated:

http://weaknetlabs.com/texts/pdf/windows-antivirus.pdf

I find new tools all the time, the method i use works 9 times out of 10. 

1. Enter the machine in Normal Mode (not Safe Mode) if possible.
2. Enter the system in Safe Mode (F8 at Boot and select) with Networking.
3. Run clean-up applications
4. Run Scumware/Malware removal tools
5. Run “heavy duty” antivirus clients
6. Run Trojan removal tools
7. Defragment hard drive
8. Reboot (for the final time) and test.
9. If no luck after this methodology, it may be wise to simply backup some data* and reinstall the Operating System.

Holy crap that's a lot of scans! Are you billing customers on an hourly basis?
Title: Re: A Trojan Question
Post by: trevelyn on September 29, 2008, 11:48:53 PM
Quote
updated:

http://weaknetlabs.com/texts/pdf/windows-antivirus.pdf

I find new tools all the time, the method i use works 9 times out of 10. 

1. Enter the machine in Normal Mode (not Safe Mode) if possible.
2. Enter the system in Safe Mode (F8 at Boot and select) with Networking.
3. Run clean-up applications
4. Run Scumware/Malware removal tools
5. Run “heavy duty” antivirus clients
6. Run Trojan removal tools
7. Defragment hard drive
8. Reboot (for the final time) and test.
9. If no luck after this methodology, it may be wise to simply backup some data* and reinstall the Operating System.

Holy crap that's a lot of scans! Are you billing customers on an hourly basis?
naw, the university does, and i have like 20 machines a day, so i let all the virus shit go in the bg as i repair the physical damages at the same time.  like, you know, multitasking. 
Title: Re: A Trojan Question
Post by: Zazen on September 30, 2008, 11:23:47 AM
Have you considered building yourself a bootable OS environment for doing all these scans? It'd be faster than running with whatever gunk comes on the machine and you'd be guaranteed that malware isn't running (safe mode isn't always good enough for that, as you've seen). You'd never have to reboot for a scan to do its job either.
Title: Re: A Trojan Question
Post by: trevelyn on September 30, 2008, 02:47:14 PM
one of the security deployment guys here made one, it's pretty sweet.  He gave me links on how to make my own as well, I just never got around to it.  Have you made a Win32 based Live disk before? I have only made *nix. 
Title: Re: A Trojan Question
Post by: Zazen on September 30, 2008, 11:51:43 PM
No, I've never had the need. In the rare case that there's an infection at work I just eliminate it using my quick method. If the infection did any kind of damage then I just reinstall the machine with my big scripted OS install that does everything in about 20 minutes.

In your case why not use a nix disc? Add in whatever you need to mount ntfs and you're in good shape. It'd be really convenient to script the crap out of it so it does all of those scans and stuff automatically.
Title: Re: A Trojan Question
Post by: trevelyn on October 10, 2008, 02:14:49 PM
:D WeakNet Linux!  I was going to release my Unix Passwd Cracker "Perlwd" about 2 weeks ago, but now I decided to wait and just release it on my own snazzy version of Linux instead.