Exasperated With Xp Vulnerabilities



xploverhater
04-06-2011, 10:58 PM
Long story short, I have been combating a horrific trojan that came straight from hell. Posted on malwarebytes and majorgeeks forums, and, frankly, a HUGE waste of time. This trojan is highly sophisticated - way over their heads. I can do scans on my own. I did every scan known to man, including the ones the forums recommended. After both forum administrators adamantly declared I had no malware, I manually found tons in my registry. I have removed tons manually. It keeps coming back. All the scans in the world are false security, I hate to tell you. So I need an advanced user to direct me, please.

I have done about 5 reinstalls of XP and it is there immediately after each fresh reinstall. It is hiding where I am not savvy enough to catch it.

I disable a bunch of Services, bleach registry keys for remote access programs, a bunch of other registry keys that look suspicious, and it comes back. One aspect is that it is Chinese in origin. Ctfmon keeps reappearing in Task Manager, even though I delete all ctfmon files in the registry and use my Search tool to find and delete ctfmon files. It reappears in msconfig/startup programs after I uncheck it. This is only a minor element of this trojan, but a hint at its behavior.

I am wondering if someone knows of a good website, book, or whatever to teach oneself about the inner workings of their computer. Microsoft's descriptions are way too dry, straightforward, not for the layman. I need layman's terms descriptions and have scoured the internet for such a tool, to no avail....sigh.....

PrntRhd
04-06-2011, 11:29 PM
Be aware ctfmon.exe may be a legitimate Microsoft file or not, depending on where the file is located.
%System% location is usually legitimate.

http://webcache.googleusercontent.com/search?q=cache:ssWMD13brW0J:www.sysinfo.org/startuplist.php%3Ffilter%3DCTFMON+ctfmon&cd=10&hl=en&ct=clnk&gl=us&client=firefox-a&source=www.google.com
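The location check PrntRhd describes (a Windows binary such as ctfmon.exe is expected under %System%; a copy elsewhere deserves a closer look) as an added example, not code from the thread. The Run-key entries are constructed sample data; on a real machine they would come from the HKCU/HKLM ...\CurrentVersion\Run keys the thread mentions.

```python
"""Added example (not from the thread): flag autostart entries whose
executable is a Windows system binary living outside the system directory.
The Run-key entries below are constructed sample data, not read from a
real registry."""
import ntpath

SYSTEM_DIR = r"C:\WINDOWS\system32"   # %System% on a default XP install

# Binaries Windows itself ships in %System%; a copy elsewhere is suspect.
SYSTEM_BINARIES = {"ctfmon.exe"}

# Constructed sample: (value name, command line) as they would appear
# under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
SAMPLE_RUN_ENTRIES = [
    ("ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("ctfmon", r'"C:\Documents and Settings\user\Local Settings\Temp\ctfmon.exe" /s'),
    ("Updater", r"C:\Program Files\Example\updater.exe /background"),
]


def executable_path(command):
    """Extract the executable path from a Run-key command line.

    Handles a quoted path, an unquoted path that may contain spaces
    (cut at the first '.exe'), and a bare first token as a fallback."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    i = command.lower().find(".exe")
    if i != -1:
        return command[:i + 4]
    return command.split()[0]


def classify(command):
    """'suspect' when a known system binary runs from a non-system folder."""
    path = executable_path(command)
    exe = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if exe in SYSTEM_BINARIES and directory != SYSTEM_DIR.lower():
        return "suspect: %s outside %s (%s)" % (exe, SYSTEM_DIR, path)
    return "ok: %s" % path


def audit(entries):
    """Map each Run-key value name to its classification."""
    return {name: classify(cmd) for name, cmd in entries}


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_RUN_ENTRIES).items():
        print("%-12s %s" % (name, verdict))
```

A path check alone is not proof either way; it only tells you which entries to examine first.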

classicsoftware
04-06-2011, 11:39 PM
There is almost no way to get a virus after a clean install from it "lurking" on your system.

ctfmon (http://www.systemlookup.com/Startup/2443-ctfmon_exe.html) is part of the Office Package

Please note the part that says:


CTFMON.exe will continue to put itself back into MSConfig when you run the Office XP apps as long as the Text Services and Speech applets in the Control Panel are enabled.

In other words, if you want to make sure you are clean:


Backup your data.
Download onto a CD or flash drive your AV and/or firewall software.
Disconnect from the web
Format your hard drive
Zero fill your hard drive with Eraser (37 times)
Format your hard drive
Remove all partitions
Repartition your drive
Reformat the new partition
Reinstall XP
Install security software
Connect to the web

Paul Komski
04-07-2011, 01:49 AM
Some specific details of how you have determined this to be malware would be of interest. Just some of the tons of registry entries you have found manually could be revealing.


I am wondering if someone knows of a good website, book, or whatever to teach one's self about the inner workings of their computer.

I think you have come to the right place. If you stick around and ask specific questions on these forums and read the related PCGuide (http://www.pcguide.com/vb/index.php) I have no doubt your knowledge will rapidly increase. If you don't understand any of the answers then just ask for clarification.

If you really are infected after a clean installation then two areas could be suspect; one is infected media that you may have inserted and the other is infection from any other computer on the internet or on a LAN.

xploverhater
04-07-2011, 11:48 PM
Hard to know where to start. My head is spinning from all the stuff I have found/removed. I just did a clean reinstall two days ago, so I don't have my screenshots of weird files that I had saved to a Word doc, which I could forward to you. I definitely found files/behavior that Microsoft calls the Alureon virus. I googled weird behavior and found Alureon on Microsoft's site, and voila, the files matched what was in my registry.

Zonealarm and Avast were the first to be disabled by the trojan. Comodo
firewall, thereafter (after uninstall of zonealarm) also got disabled. I uninstalled avast and was prevented from downloading ANY antivirus thereafter. It blocked me from downloading malwarebytes and hijackthis, both of which had been corrupted by it. IE8 was totally corrupt. Chrome was starting to get slower and corrupt, so I outsmarted it and now run Opera. Thus far, I am running fast. I never run IE8, for security reasons, and ONLY use IE8 for Microsoft updates.

Since then I have done a few reinstalls, still with weird behavior. I now have Online Armor firewall. Sometimes software downloads get blocked.

I am fairly confident I got the malware from a cousin's email, as her email had been hijacked. I had never gotten spam in my life, until I opened an email from her, not even a link in her email. After an odd looking email from her address (opened, then immediately "report as spam"), I started getting weird titled emails, which I "report as spam", of course, and never opened. After her email hijack event, someone was remote accessing my computer and would put folders on my desktop, labeled: Backup. In no way did I put them there.

I found/deleted about 200 website addresses in my registry - mostly adult oriented and games - all under one key name. And no, I never go to adult sites. All the weirdness happened only after my cousin's email got hijacked. After this last reinstall, I found some keys in my registry titled "joystick", which I have deleted. I have found/removed other keys with names like "nerdsarecool", and there was a long list of suspicious names like this that I deleted from the registry.

Out of nowhere an installer called Installshield, by Macrovision, started superseding Microsoft's tool to install software. After this, my Realtek Wifi antenna software started getting corrupted. Perhaps my laptop is being used as a bot, for some gaming? On this new reinstall, Installshield tried to run again when I inserted the disc for my Realtek Wifi antenna. I waited a few minutes and Microsoft's install tool appeared, which I used this time. I have seen Installshield associated with gamers, so perhaps there is a link with the registry finds of "joystick", "nerdsarecool" and space wars sounding games in my registry.

I am a super paranoid pc user, so I run a firewall, an antivirus, Winpatrol, scan with SAS, Malwarebytes, Hijackthis. I don't go to porn sites, download movies or emoticons, desktop photos and such.. I download software, such as antivirus, only from cnet and majorgeeks. I even run a suspicious looking website in nortonsitechecker.com before I visit a website, to avoid a drive-by download.

I wish I could recall alllll of the things I have found and removed. I am including two screenshots here. I will look for more and better examples tomorrow.

Ok, maybe I won't send screenshots, just noticed the max file is 19.5 kb. My screenshots on a Word doc are 2.8 MB.

So, here are some suspicious registry keys. I will find better examples tomorrow:

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Conf\Person Leaves\.Current
C:\Program Files\NetMeeting\Blip.wav

HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\FeedDiscovered

HKEY_CURRENT_USER\Identities\{2057D582-8792-4980-BA89-F4DB3E5C0B2B}\Software\Microsoft\Outlook Express\5.0\Recent Stationery List

With value data, associated with above key:
Clear Day.htm
Nature.htm
Maize.htm
Sunflower.htm
Citrus Punch.htm
Blank.htm
Leaves.htm

HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Setup\CreatedLinks
C:\PROGRA~1\WINDOW~2\wmplayer.exe

Thanks for your help!

classicsoftware
04-08-2011, 12:13 AM
If you follow my instructions you will be clear of this problem. This is a rootkit that does not infect the boot sector. If you do what I say and then re-install you will be cleared of this. What you are doing is like a chicken running around with its head cut off. You are bouncing from place to place and doing nothing to solve the problem.

It almost doesn't matter what the infection is as long as it does not affect the boot sector, and almost none of them do; following my instructions will cure you.

Paul Komski
04-08-2011, 02:19 AM
Personally I would just zero the MBR (or the whole drive with DBAN or similar) and then pop in the WinXP CD and let set-up run automatically but not attach to any network until all SPs and A/V installed. But ClassicSoftware spends much more time than me in these murky areas so you should go with his more elaborate measures.

If you are getting reinfected immediately after a clean install as per ...

I have done about 5 reinstalls of XP and it is there immediately after each fresh reinstall.
... then one must ask the question as to whether you are using genuine Windows XP setup CDs.

I would like to add that you should check any USB drives you attach for the presence of any autorun files and delete them before re-inserting into any PC.

If after all the suggested measures you still get reinfected then the only other things I can think of are malware lurking in infected firmware - such as on an infected PCI card - but such stealth is very very very rare.

xploverhater
04-08-2011, 08:12 PM
Wow, great responses everyone! I can already see that the responses are more sophisticated than other forums I have been to.

Now, I am a total novice, so much of the pc lingo needs to be googled, so please be patient. I agree that I am like a chicken with my head cut off, running here and there, not solving the core issue. The only good thing about this malware is that (by hunting it down using intuition, google and its behavior) I have learned more about the function of my computer. I have learned that I cannot manually remove what is probably thousands of corrupt files and am in total agreement about a reformat/reinstall.

I have never done a reformat before. I had never done a reinstall of XP, until this recent malware. So I definitely have some questions. I don't want to be stuck, high and dry, with my laptop not functioning because I have no drivers or made a mistake. I do not have the driver discs that came with the laptop (only an XP disc) and HP no longer has them, according to the guy from India. It is an HP Compaq Presario V5000, XP Home, 1G RAM, Intel (R) Celeron (R) M CPU 410 @ 1.46GHz.

I am confused about what types of format there are. When I have done a reinstall, after I insert the XP disc and it asks if I want to "format" and I say yes, I somehow don't think this is a "real" format. I think I have just done reinstalls of XP, because I still have drivers and the laptop runs. I think of a format as when you lose your drivers and wipe the hard drive (whatever that means). Told you I am a newbie.

I have thought about doing a format/reinstall, but need the drivers downloaded. I am not going to download from my laptop, as I am confident the drivers are corrupt. The only option I can think of is to download drivers at the library. I assume that pc security at the library is fairly safe - don't know why I think this.

How do I know ALL of the drivers that I need? If I go to HP's site and type in my model and "drivers", does that list ALL of the needed ones?

Other Questions:

1) Zero fill your hard drive with Eraser (37 times)?
Any suggestions where to find info on this? I will google it, but if you have any preference where I should look, that may be better?

I am not clear how these all differ and how to do the following:

Format your hard drive
Remove all partitions
Repartition your drive
Reformat the new partition
Reinstall XP


Thanks, everyone, for the advice! And most of all, thanks for not being bitchy.

I cannot believe how condescending and horrible the other people were in the other two forums I had been to, once I was assigned to one individual. What is amazing to me is that they were so condescending and they were ABSOLUTELY WRONG in definitively declaring that I had no more malware.
I insisted malware was still present, but they condescendingly insisted it wasn't. I am a newbie and I found many corrupt files on my own, with the help of google, of course.

xploverhater
04-08-2011, 08:37 PM
Personally I would just zero the MBR (or the whole drive with DBAN or similar) and then pop in the WinXP CD and let set-up run automatically but not attach to any network until all SPs and A/V installed. But ClassicSoftware spends much more time than me in these murky areas so you should go with his more elaborate measures.

I would like to add that you should check any USB drives you attach for the presence of any autorun files and delete them before re-inserting into any PC.

If after all the suggested measures you still get reinfected then the only other things I can think of are malware lurking in infected firmware - such as on an infected PCI card - but such stealth is very very very rare.

I agree, my pc skills are nowhere near savvy enough to weed this thing out, so a format/reinstall is best. A one fell swoop solution, hopefully. Interestingly though, I have wondered, very much so, if the MBR is corrupt.

I think the PCI card is infected. Interestingly, just the other day I tried to download drivers for audio, not able to do so due to "No media" something or other. Then there was an exclamation point over PCI, in Device Manager. Believe me, this malware is HIGHLY sophisticated. It greets me at every turn, when I try to defeat it or disable certain Services.

Thank you for insightful feedback and help.

I wish you guys could see what I see. I have googled certain corrupt files I have found/removed and its behavior, after finding forums with posts from guys dealing with similar issues/behavior. Reading these posts (archived), I can see that these guys are infinitely more knowledgeable about computers than myself, and I have seen a couple of them talk about the malware as being extremely sophisticated. They speak of wishing that the person who created it would die a horrible death, while at the same time having high respect for whomever wrote the program, with words like "brilliant" being used.

mjc
04-08-2011, 08:47 PM
I noticed a couple of other things...

1. Installshield is a legitimate installer that is used by thousands of applications, so it could have come from anywhere. Yes, it can be a bit invasive. Since you have an HP, there are lots of HP applications that do use InstallShield, so it is likely to be there from the start, when using the HP supplied disks to reinstall.

2. The website list...depending on the key, you may actually be harming yourself or opening yourself up to future problems, because there are several keys that will list such sites as a blocklist.

3. Those 'suspicious' keys...nope, not suspicious at all. Those are pretty much normal entries for those keys, especially on an HP machine, which includes things like NetMeeting installed, by default.

A format, of any type, resets the MBR and says the drive space is available. It doesn't actually erase the data. Wiping the disk, on the other hand, overwrites all the data present with either random numbers, ones, or zeros. Then, depending on the program used, it formats the drive.

xploverhater
04-08-2011, 08:48 PM
Be aware ctfmon.exe may be a legitimate Microsoft file or not, depending on where the file is located.
%System% location is usually legitimate.

http://webcache.googleusercontent.com/search?q=cache:ssWMD13brW0J:www.sysinfo.org/startuplist.php%3Ffilter%3DCTFMON+ctfmon&cd=10&hl=en&ct=clnk&gl=us&client=firefox-a&source=www.google.com

I am confident there is an issue with a ctfmon, corruption link. Though certainly only one small element to this infection.

I deleted all files from my registry that had ctfmon. I deleted all ctfmon files, using Search. I know it always returns in Search, under the system32 folder. I unchecked it in Startup, via msconfig.

Nonetheless, today, there are now two files under Startup, in msconfig. There has only been one ctfmon reoccurring in Startup before. Now there are two.

I can't see the whole file in msconfig, but what I can see, of the newest file:

C:\Windows\system... SOFTWARE\Microsoft\Windows\CurrentVersion\Run

classicsoftware
04-08-2011, 08:59 PM
Who cares. You are going to wipe it out anyway.

Paul Komski
04-08-2011, 10:28 PM
If you are going to reinstall you will need any missing OEM drivers (that is any drivers that WinXP doesn't provide from its own setup). If you still have a functioning system these can be collected (using the fast collect option) using the MyDrivers 5.0 (http://www.zhangduo.com/) utility - there's no need to backup the other drivers. Either way - it is worth saying that it takes the utility some time to search the system and make the backups.

I know that there are other ways to find drivers on the internet but it can be a huge PITA if you don't have them to start with. I know you would prefer to have a completely clean set of files but having these stored somewhere may be your only easy way to grab them later on.

xploverhater
04-09-2011, 09:20 PM
If you are going to reinstall you will need any missing OEM drivers (that is any drivers that WinXP doesn't provide from its own setup). If you still have a functioning system these can be collected (using the fast collect option) using the MyDrivers 5.0 (http://www.zhangduo.com/) utility - there's no need to backup the other drivers. Either way - it is worth saying that it takes the utility some time to search the system and make the backups.

I know that there are other ways to find drivers on the internet but it can be a huge PITA if you don't have them to start with. I know you would prefer to have a completely clean set of files but having these stored somewhere may be your only easy way to grab them later on.

Thanks for the reply.

God, I am so confused. This is the problem with pc language. I thought "reinstall" referred to the OS and "reformat" is the hard drive.

I have done a "reinstall" of XP about 5 times now since malware issues and still have drivers. I have to do a complete format/reinstall. How do I know which drivers are included with XP?

I am thinking it is better to download driver files to a CD, so that I can completely wipe the laptop (whatever the hell this means).

If I do a format/reinstall, using classicsoftware's instructions (listed below), do I just need my XP Home disc and a disc with drivers on it (downloaded to a CD from a "clean" computer)? Or will there be something missing? I don't want to wonder if I will have a functioning system or not, once I follow the instructions below.

What does it mean when I put the XP disc in and it asks if I want to format?
This last reinstall of XP I did so and the laptop still functions just fine.
All the forums I have been to refer to a reinstall as the OS and a format/reinstall as starting over fresh.

When I have tried to do an XP Repair, using XP disc, I have only once gotten the option to actually do a repair, by pressing "r". All other times I have followed the instructions on a particular website to "repair" and have never gotten the option to R/Repair. This is why everything is so confusing. It doesn't help when the XP disc doesn't explain what you are doing either, when it asks what you want to do.

What would happen if I follow the instructions below, use my XP Home disc and no disc for drivers whatsoever, EXCEPT the disc for my Realtek Wifi Antenna??? Would I be able to get on the internet and use my Wifi antenna to get on the internet and download drivers and such??? Or would I be stuck and have no internet capability???

Instructions:

Backup your data.
Download onto a CD or flash drive your AV and/or firewall software.
Disconnect from the web
Format your hard drive
Zero fill your hard drive with Eraser (37 times)
Format your hard drive
Remove all partitions
Repartition your drive
Reformat the new partition
Reinstall XP
Install security software
Connect to the web

Paul Komski
04-09-2011, 10:09 PM
Format your hard drive

... is mentioned twice in the suggested list and I'm unsure just why and think it is confusing, particularly since one can only format partitions and not whole hard drives.

For Information:

Zero-filling or Wiping a hard drive with whatever utility (Linux's dd, a manufacturer's utility, DBAN, CopyWipe or Eraser) removes ABSOLUTELY ALL ACCESSIBLE data and metadata from a hard drive. (Metadata is simply data about data as opposed to the files themselves).
Reformatting an existing partition affects very little of the data on it but does create brand new indexes or lists of contents if you like. With the old indexes gone all new files will overwrite existing data as they are created. The process of formatting is de facto the creation of one of a number of different file systems on a partition. A file system must be present before files can be stored on a partition.
Before a zero-filled drive can be used it must first be initialised or partitioned and any created partitions must also be formatted appropriately. This can be done from the Windows setup procedures or by using a number of 3rd Party Utilities but Windows set-up should prompt you appropriately during the installation.
When booting to a Windows setup CD with either a brand new or a zeroed hard drive setup normally starts automatically and you will not be presented with any repair options.
When you boot to the Windows setup on a system with an existing Windows installation you should first get an option "to repair" which uses the Recovery Console and if this is ignored then a bit later on an option to repair an existing installation (but only if setup can recognise such an installation exists and that is not always the case).
If a hard drive is larger than 32 GB (nearly all are nowadays) then Windows setup will give you options to format any chosen or newly created partition using NTFS or NTFS (quick) and the latter is just fine - if under 32 GB you will also be given options to format using the FAT file system.


If you have functional WiFi hardware and access to its drivers you should be able to get on line just fine (This assumes you know any router's internet access password before you begin. If in doubt disable this aspect of router security while you can still access the router's settings).
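The distinction mjc and Paul Komski draw above (a format rebuilds the index and leaves the old data on the platters; a zero-fill overwrites every byte) as an added example, not code from the thread. It uses a file-backed toy disk with a constructed index/slot layout, so it runs without touching real hardware; the passes parameter mirrors the multi-pass wipe in classicsoftware's list.

```python
"""Added example (not from the thread): a file-backed toy 'disk' showing why
a quick format leaves data recoverable while a zero-fill does not. The layout
is constructed: a fixed-size directory index followed by fixed-size slots."""
import os
import tempfile

INDEX = 256     # bytes reserved for the directory index (constructed layout)
SLOT = 256      # bytes per data slot
NSLOTS = 8

def create_disk(path):
    with open(path, "wb") as f:
        f.write(b"\x00" * (INDEX + SLOT * NSLOTS))

def write_file(path, slot, name, data):
    """Store data in a slot and record slot:name in the index."""
    with open(path, "r+b") as f:
        f.seek(INDEX + slot * SLOT)
        f.write(data.ljust(SLOT, b"\x00"))
        f.seek(0)
        idx = f.read(INDEX).rstrip(b"\x00")
        f.seek(0)
        entry = ("%d:%s;" % (slot, name)).encode()
        f.write((idx + entry).ljust(INDEX, b"\x00"))

def list_files(path):
    """What Explorer shows: only names the index still points to."""
    with open(path, "rb") as f:
        idx = f.read(INDEX).rstrip(b"\x00").decode()
    return [e.split(":", 1)[1] for e in idx.split(";") if e]

def quick_format(path):
    """A format writes a fresh, empty index and touches nothing else."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * INDEX)

def zero_fill(path, passes=1):
    """A wipe overwrites every byte; extra passes just repeat the overwrite."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(b"\x00" * size)

def carve(path, needle):
    """What a recovery tool does: ignore the index and scan the raw bytes."""
    with open(path, "rb") as f:
        return needle in f.read()

def demo():
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        create_disk(path)
        secret = b"account-number-1234"   # constructed sample content
        write_file(path, 2, "notes.txt", secret)
        r = {"listed_before": list_files(path)}
        quick_format(path)
        r["listed_after_format"] = list_files(path)
        r["carved_after_format"] = carve(path, secret)   # still on "disk"
        zero_fill(path)
        r["carved_after_wipe"] = carve(path, secret)     # gone
        return r
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```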

Paul Komski
04-09-2011, 10:30 PM
Two simple Wiping Utilities

You can get DBAN from http://www.dban.org/ by downloading the ISO file. You can then burn that ISO file to a CD using BurnCDCC from http://www.terabyteunlimited.com/downloads-free-software.htm.

I'm pretty sure that DBAN runs automatically and wipes the hard drive automatically so do not boot to the CD you make if you have a hard drive that contains data you need.

Alternatively use TerabyteUnlimited's CopyWipe (http://www.terabyteunlimited.com/copywipe.php) - I have only ever used the DOS version. When you create and then boot to this CD you will be given prompts about copying or of wiping data.