Can't see q*.* files after removing spyware?


I had to remove some spyware from one of my user's PCs earlier today. It was
quite a bugger - couple of items installed in WinLogon\Notify subkey. Anyway
- after the cleanup, I was running through some basic tests and noticed that
I can't retrieve/see any files that start with the letter 'Q' on the C:
drive. (Was trying to install a Windows patch that included a file with q as
the first letter - the patch bombed because it couldn't find the file).

However, if I view the drive via its network admin share
(\\MachineName\C$), I can see the files - even from the affected PC. How
strange is that?

Anyway - I have NO idea on where to look to see where the problem might be.
Anyone have any ideas before I blow the machine away and rebuild?

- Mark


It's only the letter 'q' that's affected.
 
Need to qualify this a bit more. I'm testing both from the Windows 'Search'
tool and from DOS (dir q*.* /s/a).

Also - even though I thought querying \\MachineName\C$ from the local
machine was working - it's not, at least not completely. I got 18 files
running the test locally - from another machine on the network, I got 120
files.

This is just really strange...

- Mark
 
petersonmd1 said:
Need to qualify this a bit more. I'm testing both from the Windows
'Search' tool and from DOS (dir q*.* /s/a).

Also - even though I thought querying \\MachineName\C$ from the local
machine was working - it's not, at least not completely. I got 18
files running the test locally - from another machine on the network,
I got 120 files.

This is just really strange...

- Mark

I cannot confirm this on WinXP SP2.
 
Frank Saunders said:
I cannot confirm this on WinXP SP2.

Of course not - neither can I! It's only this one machine out of the
hundreds that I support.

I'm thinking that there's still some remnant of spyware left out there
that's blocking files that begin with the letter 'q'. I've just never heard
of anything like this...

When running from the affected PC:

C:\>dir q*.* /s
Volume in drive C has no label.
Volume Serial Number is A43D-C8B8
File Not Found

C:\>dir q*.* /s/a
Volume in drive C has no label.
Volume Serial Number is A43D-C8B8
File Not Found

C:\>

When running from another PC on the network...

C:\>dir \\1mgr111\c$\q*.* /s/a
Volume in drive \\1mgr111\c$ has no label.
Volume Serial Number is A43D-C8B8

Directory of \\1mgr111\c$\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer

08/01/2005 01:09 PM <DIR> Quick Launch
0 File(s) 0 bytes

Directory of \\1mgr111\c$\Documents and Settings\Administrator\Templates

08/29/2002 06:00 AM 4,017 quattro.wb2
1 File(s) 4,017 bytes

Directory of \\1mgr111\c$\Documents and Settings\All Users\Application Data\Microsoft\Internet Explorer

01/06/2006 12:57 AM <DIR> Quick Launch
0 File(s) 0 bytes

Directory of \\1mgr111\c$\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader

01/06/2006 02:52 AM 4,232 qmgr0.dat
01/06/2006 02:52 AM 4,617 qmgr1.dat
2 File(s) 8,849 bytes

<----------- file abbreviated for brevity ---------------->

Directory of \\1mgr111\c$\WINDOWS\system32\dllcache

08/29/2002 06:00 AM 16,896 qappsrv.exe
08/11/2004 12:45 AM 221,184 qasf.dll
08/29/2002 06:00 AM 8,192 qosname.dll
08/29/2002 06:00 AM 9,728 query.exe
08/03/2004 10:04 PM 77,824 quick.ime
08/29/2002 06:00 AM 16,384 quser.exe
08/29/2002 06:00 AM 22,016 qwinsta.exe
7 File(s) 372,224 bytes

Directory of \\1mgr111\c$\WINDOWS\system32\oobe\images

08/29/2002 06:00 AM 1,174,050 qmark.acs
08/29/2002 06:00 AM 2,479 qmark.gif
2 File(s) 1,176,529 bytes

Total Files Listed:
113 File(s) 21,520,845 bytes
14 Dir(s) 11,684,544,512 bytes free

I'm just trying to figure out if there's some sort of spyware left on this
machine. Microsoft AntiSpyware isn't reporting anything - neither is
HijackThis, AdAware, or Spybot.

I hate to blow the machine away and reinstall - was hoping someone here
might have seen something like this in the past and have a solution.

- Mark
 
There's definitely something still left behind.

I don't think that I know enough to tell you whether it is an active
element, or some modification to a standard part of the system. I'm
inclined to think something active--this is rootkit type behavior. The
network redirector is showing the filesystem properly, but attempting to
look at it directly on the local machine fails to tell the whole story--this
is exactly what a rootkit does.

Have you been running the Malicious Software Removal tool--part of the
monthly security patches from Microsoft--regularly?

You can hit it directly here:

http://www.microsoft.com/security/malwareremove/default.mspx

This tool has minimal UI, but targets a number of rootkit families
explicitly.

Other tools for rootkits:

Sysinternals RootkitRevealer:

http://www.sysinternals.com/Utilities/RootkitRevealer.html

F-secure's beta Blacklight

http://www.f-secure.com/blacklight/try.shtml

RootkitRevealer results may take some interpretation--read the help files
before panicking. I've never seen any output of interest from Blacklight--I
seem to work with pretty uninteresting systems--but I know that it works.

I'm not sure that what you are seeing is a rootkit--it could be something
more prosaic, but what you are reporting is suggestive of that.

Other helps:

1-866-pcsafety in the U.S. or Canada. Elsewhere--call the local Microsoft
support number and ask for the free help with virus or security-patch
issues. You've got an interesting problem. I don't know what the chances
are of the first level response folks knowing how to handle this--but it may
well be worth trying.

In the end--if you've had a trojan or rootkit in place, flattening
(reformatting) is safest, assuming you have learned enough to keep the issue
from repeating on the new install. However, it'd be interesting to try to
learn a bit more from the current conditions, maybe.

--
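The symptom Bill describes above (the local enumeration API lies, the network redirector on the same box tells the truth) is exactly the "cross-view" comparison that tools like RootkitRevealer automate. The following is an added Python example, not code from this thread, from Sysinternals, or from any tool named in it: it parses two `dir /s`-style transcripts and reports every entry the remote view returns that the local view omits. The two listings embedded in it are constructed samples modelled on Mark's transcripts (host name, paths, and sizes are illustrative placeholders, not the affected machine's real data).

```python
import re

# Constructed sample listings modelled on the transcripts in this thread.
# Host name, paths and sizes are illustrative, not the affected machine's data.
LOCAL_VIEW = r"""
 Volume in drive C has no label.
 Volume Serial Number is A43D-C8B8
File Not Found
"""

REMOTE_VIEW = r"""
 Volume in drive \\1mgr111\c$ has no label.
 Volume Serial Number is A43D-C8B8

 Directory of \\1mgr111\c$\Documents and Settings\Administrator\Templates

08/29/2002  06:00 AM             4,017 quattro.wb2
               1 File(s)          4,017 bytes

 Directory of \\1mgr111\c$\WINDOWS\system32\dllcache

08/29/2002  06:00 AM            16,896 qappsrv.exe
08/11/2004  12:45 AM           221,184 qasf.dll
08/29/2002  06:00 AM             9,728 query.exe
               3 File(s)        247,808 bytes

     Total Files Listed:
               4 File(s)        251,825 bytes
               2 Dir(s)  11,684,544,512 bytes free
"""

DIR_HEADER = re.compile(r"^\s*Directory of (.+?)\s*$")
# date   time AM/PM   <DIR> or byte count   name
ENTRY = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+(<DIR>|[\d,]+)\s+(.+?)\s*$"
)
# \\host\c$\rest -> captures the drive letter so both views compare equal
UNC_ADMIN_SHARE = re.compile(r"^\\\\[^\\]+\\([A-Za-z])\$")


def normalize_path(path):
    r"""Map an admin-share path (\\host\c$\x) onto its local form (c:\x)."""
    m = UNC_ADMIN_SHARE.match(path)
    if m:
        path = m.group(1).upper() + ":" + path[m.end():]
    # NTFS paths are case-insensitive, so compare them lower-cased
    return path.lower()


def parse_dir_listing(text):
    """Return {normalized_full_path: size} from `dir /s` output.

    Directories get size -1; volume, summary and 'File Not Found' lines
    are ignored, so an empty local view simply yields an empty dict.
    """
    entries = {}
    current_dir = None
    for line in text.splitlines():
        m = DIR_HEADER.match(line)
        if m:
            current_dir = normalize_path(m.group(1))
            continue
        m = ENTRY.match(line)
        if m and current_dir is not None:
            kind, name = m.groups()
            size = -1 if kind == "<DIR>" else int(kind.replace(",", ""))
            entries[current_dir.rstrip("\\") + "\\" + name.lower()] = size
    return entries


def cross_view_diff(local_text, remote_text):
    """Compare the local API view against the redirector (admin share) view.

    Entries present remotely but absent locally are the interesting case:
    a filter that hides files from directory enumeration on the host looks
    exactly like this, while the SMB server on the same box still returns
    the real directory contents.
    """
    local = parse_dir_listing(local_text)
    remote = parse_dir_listing(remote_text)
    return {
        "hidden_from_local": sorted(set(remote) - set(local)),
        "only_local": sorted(set(local) - set(remote)),
        "size_mismatch": sorted(
            p for p in local if p in remote and local[p] != remote[p]
        ),
    }


if __name__ == "__main__":
    report = cross_view_diff(LOCAL_VIEW, REMOTE_VIEW)
    for path in report["hidden_from_local"]:
        print("hidden from local view:", path)
```

In practice you would capture `dir q*.* /s /a` on the suspect machine and `dir \\host\c$\q*.* /s /a` from a clean machine, save both to text files, and feed them to `cross_view_diff`. A non-empty `hidden_from_local` list is the discrepancy to investigate; it does not name the component doing the hiding, which is where RootkitRevealer or a reboot into a clean environment comes in.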
 
The Microsoft link didn't help (I'd run it before but did it again to
double-check). The SysInternals link did shed some light on a few files that
were still lurking around. Use their RegMon and FileMon utils all the time -
don't know how I overlooked this one.

Anyway - got rid of them and everything's looking good.

Thanks...
Mark
 
Terrific--spyware with rootkit characteristics is definitely "the coming
thing." Congratulations for being on the leading edge, and also
successfully dealing with it without resorting to custom tools and lengthy
diagnostic help. That was definitely an interesting set of "presenting
symptoms!"

--
 
The only thing I'm still trying to figure out is how it got on there to begin
with. The PC was running XP Sp2 with all the latest updates (minus the one
released last Thursday - the PC was infected Thursday morning, before the
patch made it to my WSUS server for distribution). I'm not sure if spyware
took advantage of that vulnerability to install itself. The user that was
infected is a fairly proficient user - she's running with PowerUser rights
(not Administrator) and is smart enough not to be clicking on just anything.

She does listen to CDs - don't know if the whole Sony rootkit flap might
have been at fault. Didn't cross my mind until this morning after my morning
IV of caffeine. :-)

- Mark
 
The Sony rootkit and some related (others by Sony) stuff should be gone--if
you are running Microsoft Antispyware and the Malicious Software Removal
tool. Both of those targeted and removed the rootkit portions of the
Sony-provided code. There are other vendors doing things which aren't
altogether different, but I haven't heard of exploitation in the wild.

The WMF vulnerability patched by that out-of-band update was somewhat
limited in terms of the number and type of sites infected, but there were
some spammed email messages containing the infected WMF--I recall hearing of
two variants, both of which had "new years" in the subject header--one was a
greeting, and the other talked about vandalism and had an "ivy league"
context. In addition, I've seen one report that a relatively reputable
site--I think one of the Linux distributions--was infected for some period
of time.

To counter that suspicion, I don't know who your antivirus vendor is, but a
good number of the larger vendors, I believe including Symantec, McAfee,
Microsoft, some CA products, and probably a good many others--claimed to
cover 100% of the bugs known to be distributed via that vulnerability. That
"known to be" didn't give me a warm fuzzy feeling, though, nor do I know
what update methods you'd need to have employed to stay current.

Given the timing, the WMF vulnerability seems a good possibility, but I'm not
sure how to do the forensics that might help pin that down. Full scans of
the machine with up to date defs might find something in TIF, perhaps.

The user would have had to click on a URL hosting an infected image file, or
open an email containing such an image--but no more than that was needed.
I'm unclear whether Microsoft Antispyware would have raised any alerts--I
believe it likely would have--it was listed as a mitigating factor in the
advisory issued before the patch came out.

Another thing to check is old and vulnerable Java versions--there are some
sites which seem to be infecting via exploits in older Java versions known to
be vulnerable--Sun's update process does not remove old versions. There's a
good deal of suspicion that old Java versions constitute a vulnerability,
but nobody's come up with hard proof that I've seen yet.


--
 
Neither Microsoft AntiSpyware nor MRT found anything - so I guess I can
rule out the Sony bit. If I had to guess, it was a malformed image received
via email. She's running a slightly older version of Outlook (Outlook
XP/2002 - whatever you want to call it). Very possible it came through that
way...

I'll tell you one thing, though - this was definitely the most sophisticated
bit of spyware I've run across. Aside from the normal, annoying pop-ups and
other normal nuisances associated with spyware, this one also deleted a
registry entry or two so Windows Firewall no longer appeared in the Services
list. It intercepted calls on port 3389 and the port that NetMeeting RDS
uses (can't think of it off the top of my head). That almost blocked me from
assisting/diagnosing remotely - remotely started up the XP telnet server and
was able to get in that way. Between that and accessing the registry from
another PC, I was able to tell that this wouldn't be a quick "Run AntiSpyware
and call me in the morning" fix.

We haven't had an actual "virus" infection on any of our PCs in over 4
years. It's this d*mn spyware crap that tends to give us all the headaches.

Is this what they call job security?

- Mark
 