[Dshield] A few strange exe's

Doug White doug at clickdoug.com
Mon Jan 12 14:31:22 GMT 2004


Those are good observations:

By having to rescue any number of Windows systems, I use the applications much
the same as you do. HOWEVER, it is a good argument for using a CD-RW which will
hold all the patches and updates (including OFFICE patches, A/V solutions,
Trojan hunters, and Symantec removal tools) for Win XP, 2k, and Win2003.
Before making the house call, I will update the CD-ROM (I prefer to use
re-writable media when possible) and have all the tools available.   Many new
computers (Dell comes to mind) do not come standard with floppy drives any more,
and one can boot from a CDROM.
My laptop has a CD-RW drive with which I can check for any updates I may have
missed during the preparation stage.
I have learned from experience that it is a best practice to install all the
service packs, security updates, A/V solution, as well as firewall configuration
prior to allowing the new system a connection to the internet.
One of the features in ZoneAlarm Pro (the paid edition), MailSafe, which
renames executable extensions on mail attachments even before the A/V can
scan the mail, is one I recommend to everyone.

The realization is that there is no one perfect bullet-proof solution to
preventing infections; as technology becomes more sophisticated, one can only
try to stay as current as possible.


======================================
Stop spam on your domain, Anti-spam solutions
http://www.clickdoug.com/mailfilter.cfm
For hosting solutions http://www.clickdoug.com
======================================
Aspire to Inspire before you Retire or Expire!


----- Original Message ----- 
From: "Kenneth Coney" <superc at visuallink.com>
To: <list at dshield.org>
Sent: Sunday, January 11, 2004 10:42 PM
Subject: Re: [Dshield] A few strange exe's


: This is one of my hobbies.  I have learned you can't just rely on Norton AV
: alone when dealing with a strange PC.  An updated Norton is an excellent
: way of preventing an infection, but once the infection has set in, Norton
: checks sometimes don't react to some strings.  Likewise some target the
: Norton itself.  With a clean machine and a dial up connection make up some
: disks containing the 12 more common downloadable Symantec solutions.
: FixKlez, FixBugbear, etc. Use the online virus Symantec check to determine
: which repair disk to load and run.  Remember (a txt file on the disk as a
: reminder helps) which ones should be run as an exe and which ones as a cmd
: depending on what kind of system you are dealing with.  Turn off System
: Restore before scanning if dealing with an XP first.  Get AVG (free)
: installed on the victim machine.  There is no downside to this as the
: updates are free and AVG finds some indicators Norton misses (the reverse
: is also true).  Run the AVG and clean up what it finds.  Consider running
: BoClean or TDS to get some nasties the others ignore.  This only brings you
: halfway home.  Some viruses can destroy vital system files or corrupt them
: so they should be destroyed.  A new system install disk (win 95, 98, XP or
: whatever) is an important part of your toolkit (you should also have the
: convert version of the same disks which might be needed, depending on the
: history of the victim system).  Use the proper install disk to replace
: corrupt or missing system files.  Load and run the appropriate service pack
: disks (you did bring/do have them too I hope?).  At this time there doesn't
: seem to be a way of getting the 4 megabyte patch for the Blaster Nachia RPC
: vulnerabilities without going on line (unless you have a Zip drive).  Why
: MS won't make that patch smaller or available in small 1 meg chunks so it
: can be installed on older PCs with a 3.5 without going on line, I don't
: know.  The act of going online to get the patch exposes you to the Nachia
: Blaster worms.  (Had one I worked on get infected that way (i.e., while
: attempting to get the patch) with Nachia just yesterday.)  Crazy I know.
: The good news is the patch can be saved to a zip drive, so if the machine
: you are cleaning has a zip, patching without going on line is possible.
: The latest free ZoneAlarm is too big to fit on a 3.5 disk, so you have to
: go online for that too (again a Zip drive on the target machine can
: eliminate some risk).  Installing NIS as a first firewall also won't help,
: as it too has to go online to get the RPC patch instructions and all of the
: updates (about 20 megs).  I say go for it, install a current AVG then scan,
: then take a chance and get the MS patch first before worrying about the
: firewall.  If you get hit, the AVG offers some protection.  The download
: usually stops and the system tries to reboot so remember to scan and clean
: again before (and after) rebooting.  Once the system is Blaster patched you
: can deal with the other 15 megs of critical MS updates and firewall setup
: installation problems.  A patched firewall is little protection if the
: system remains vulnerable to whatever slides by.  Are all your MS critical
: patches up to date?  Fine, rescan with Symantec online and kill whatever
: crept in while you were getting the MS critical patch online.  Reinstall
: any corrupted system files.  Put your firewall on.  Update it.  Write the
: rules you want.  Quick test at GRC.com  Delete AVG, reboot and reinstall
: AVG and run it. Redo the TDS/boclean too.  It has been 3 days since you
: began, is the system clean of nasties yet?  Turn system restore back on if
: you haven't yet.  How about the mail files?  Did you check them yet?  Virus
: attachments in stored mail folders (especially in Netscape) sometimes
: escape casual virus scans as mail folders are sometimes ignored or password
: protected (etc.) and can deny access to the AV, so do a specific check of
: stored mail files.  Both Norton and AVG can sit in memory at the same time
: without a conflict.  TDS 3, AdAware and Reg Protect (from the TDS people)
: can also squeeze in there without too many problems.
: ____________________________________________________
:
: Subject: [Dshield] A few strange exe's
: From:"Paul Marsh" <pmarsh at nmefdn.org>
: Date:Fri, 9 Jan 2004 23:07:05 -0500
: To:<list at dshield.org>
:
: Just an FYI.
:
:    I've been working on an XP home edition for the last few hours having
: all kind of problems with it.
:
:    1.  The system was a default build from Dell, no SP's loaded..ugh
:    2.  No firewall running...ugh
:    3.  No Anti-virus...ugh, ugh
:
:    Had a bitch of a time getting Norton loaded on it; just running a virus
: scan once I did, it had about 15 instances of 5 different viruses.  Had a
: bitch of a time loading Spy-bot also.  The long and the short of it is I
: found three strange exe's running.
:
:    igfxtray.exe
:    hkcmd.exe
:    Found some info on the above, original files are OK but some research
: points to trojan drop compromise.
:
:    wini32.exe can't find anything on this one, but as soon as I got it
: unloaded and removed from the system things started to improve.  Anyone
: know anything about it?  NAV did not detect any of them as being infected
: and spy-bot didn't find anything either.
:
: Thanx, Paul
:
: GO PAT's
:
: _______________________________________________
: list mailing list
: list at dshield.org
: To change your subscription options (or unsubscribe), see:
: http://www.dshield.org/mailman/listinfo/list
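
Added example, not code from anyone in this thread. Paul's question was whether
the igfxtray.exe / hkcmd.exe / wini32.exe images he found running were the
original files or a trojan drop, and NAV and Spy-bot gave him nothing. The
PowerShell script below does the checks a practitioner would reach for today on
the same question: for each running process whose name is on a watchlist (the
three names from the thread), it reports the image path, whether it sits in an
expected Windows directory, its Authenticode signature status and signer, and
its SHA256 so it can be compared against a known-good copy; it then goes one
step beyond the thread and lists any Run/RunOnce registry value that references
those names, since that is where a dropped executable is commonly re-launched
from. Assumptions: Windows PowerShell 4.0 or later (Get-FileHash) on an
elevated prompt, which the XP-era machines in the thread would not have had;
the $TrustedDirs list is an illustrative choice, not a vendor-published one.

```powershell
# Added example, not code from the original thread. Triage a Windows host for
# the process names Paul listed: where each running image lives, whether it has
# a valid Authenticode signature, its SHA256, and whether a Run key refers to it.
# Assumes Windows PowerShell 4.0+ (Get-FileHash) run from an elevated prompt.

$Watchlist = @('igfxtray.exe', 'hkcmd.exe', 'wini32.exe')   # names from the thread

# Directories where a legitimate Windows / driver component is expected to live.
# Illustrative assumption, not a vendor-published list; extend it per host.
$TrustedDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ProcessTriage {
    param([string[]]$Names = $Watchlist)

    # Get-Process reports Name without ".exe"; Path is empty for protected
    # system processes, which are skipped here.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and ($Names -contains ($_.Name + '.exe')) } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.Path
            $dir    = Split-Path -Parent $_.Path
            $signer = ''
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            [pscustomobject]@{
                Name         = $_.Name
                PID          = $_.Id
                Path         = $_.Path
                InTrustedDir = ($TrustedDirs -contains $dir)
                Signature    = $sig.Status        # Valid, NotSigned, HashMismatch, ...
                Signer       = $signer
                SHA256       = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
                # Unsigned, tampered, or outside the expected directories: compare
                # the hash with a known-good copy before trusting the file.
                Suspicious   = ($sig.Status -ne 'Valid') -or -not ($TrustedDirs -contains $dir)
            }
        }
}

function Get-RunKeyReferences {
    param([string[]]$Names = $Watchlist)

    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # provider metadata (PSPath etc.)
            foreach ($n in $Names) {
                if ("$($p.Value)" -like "*$n*") {
                    [pscustomobject]@{ Key = $key; ValueName = $p.Name; Command = $p.Value }
                }
            }
        }
    }
}

Get-ProcessTriage    | Format-Table -AutoSize
Get-RunKeyReferences | Format-Table -AutoSize
```

A "Valid" signature from the expected vendor and a path under System32 is
consistent with the genuine file; anything flagged Suspicious, or a Run value
pointing at a copy of the name in a user-writable directory, is what to pull
for a hash comparison against a clean install rather than trusting the
filename.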