Kramer8u

asked on

Malware: hosts file hidden and attrib uneditable on XP

G'day all

Just finished removing a painful last part of an infection and wanted some advice.

Removed a rootkit with ComboFix,
cleaned up multiple other threats with Malwarebytes,
cleaned up the browser with HijackThis.

But the client still complained of Google redirects.

After much pain,
I found the hosts file missing under c:\%systemroot%\system32\drivers\etc.
When I tried to copy a fresh HOSTS back I got a "replace existing file" warning,
but access was denied.
I unhid files in Folder Options and still couldn't see the hosts file; tried the command prompt as well.

So I booted from my Falcon Four boot disk into Mini XP (ramdisk),
and I could then see the hosts file (transparent).

I opened it up and it had a heap of IP redirects for all things Google, to a Chinese proxy, I assume to facilitate some sort of piggy-in-the-middle data collection.

Anyway, I tried to delete it and it said access denied.
I tried to change the file attributes via the attrib command, again with access denied.
I tried to change NTFS permissions from the command line, also with access denied.

All I could do to facilitate a repair was rename the file to "hostsold", which it allowed me to do.
Then I copied a fresh hosts file in its place.

Voila, problem solved!

My question is:
How come I couldn't modify the compromised file or see it under normal Windows? Is there some sort of file system hack going around?

Even the Recovery Console denied me access under the Administrator account, nor could I see it under DOS.

This worries me that there is some file system exploit allowing this file to exist in limbo, invisible when the OS is running
and uneditable outside the operating system.

Any help would put my mind at ease.
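The kind of hosts-file hijack described in this question can be checked for automatically. The following Python script is an added example, not code from this thread: it parses hosts-file text and flags watched domains that are mapped to a routable address instead of a loopback or 0.0.0.0 sinkhole. The sample file contents, the 203.0.113.x placeholder address (a documentation range) and the watched-domain list are all constructed assumptions.

```python
import ipaddress

# Constructed sample modelled on the hijacked file described in the question:
# Google names pointed at one foreign address. 203.0.113.0/24 is a
# documentation range, used here as a placeholder for the real proxy.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.45    www.google.com
203.0.113.45    google.com
203.0.113.45    www.google.com.au
0.0.0.0         ads.example.net   # sinkhole entry, benign
"""

# Domains whose hosts-file override is almost never legitimate (assumption).
WATCHED_SUFFIXES = ("google.com", "google.com.au", "gstatic.com", "googleapis.com")


def parse_hosts(text):
    """Yield (lineno, ip_address, hostname) for every valid hosts entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # first field not an IP: skip
        for name in fields[1:]:                  # one address, many names
            yield lineno, addr, name.lower()


def is_sinkhole(addr):
    """Loopback or 0.0.0.0 mappings block a name; they do not redirect it."""
    return addr.is_loopback or addr.is_unspecified


def watched(name, suffixes=WATCHED_SUFFIXES):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == s or name.endswith("." + s) for s in suffixes)


def find_redirects(text, suffixes=WATCHED_SUFFIXES):
    """Return [(lineno, ip, hostname)] for watched names sent to a routable IP."""
    return [(lineno, str(addr), name)
            for lineno, addr, name in parse_hosts(text)
            if watched(name, suffixes) and not is_sinkhole(addr)]


if __name__ == "__main__":
    for lineno, ip, name in find_redirects(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} (redirect, not a sinkhole)")
```

On a live system, read %SystemRoot%\system32\drivers\etc\hosts from a boot disk as the asker did and pass its contents to find_redirects.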
Dave Baldwin

I don't know how it's hiding but I use Linux Live CDs to remove malware files.  Linux doesn't care about Windows permissions.  Knoppix is what I use the most but I've used my Ubuntu 8.04 CD for something I couldn't do with Knoppix.
ASKER CERTIFIED SOLUTION
AnakiMana

SOLUTION
First, in the Mini XP, try to take ownership of the file.
Then give Everyone full access at the security level.

Boot into the full Windows and change the file security to:
- Administrators: full access
- SYSTEM: full access
- Users: read and 'read and execute'


SOLUTION
Kramer8u

ASKER

Nah, ComboFix froze just before stage 1,
and I tried resetting the permissions and attributes via boot disk.
Again, I have removed the rootkit (fake sys driver) and Trojans and checked with RootRepeal. I was just curious why I couldn't see the compromised hosts file in the OS or edit it out of the OS.


Usually when you unhide folders etc., you can see it.
Using Mini XP will also lead to the file being "locked", hence using Unlocker to delete it, or use a Linux boot CD :)
OK, well, it doesn't sound like I should be too concerned then.
I'll split the points across those who suggested additional tools and processes to refine my removal process.

Thank you all

SOLUTION