Greg/Ali,
OK, now I get it. However, I am not down to checking specific files yet. Yes, I suspect I may have some bogus files. Just now I am still trying to remove a troublesome Service AND cull what appear to be locked registry keys pointing at this service. Perhaps my plan is backward, but I am following my Event Log ATM. I'll post more questions as I get deeper into this situation.
Yes, ultimately, I can just erase the HD and start all over.

I am beginning to opine that my latest observation of my "catchme" non-PNP hidden driver may be connected with my ComboFix scan some time back. This sleeping dog will have to wait. Thanks for the links. When I get down to file investigation, I will use your suggestions.
Best,
Duncan


On 11/02/2010 21:59, Greg Sevart wrote:
I kinda like Hashtab. Adds a tab to file properties in explorer, supports
CRC, MD5, SHA1, and a bunch of others.

http://beeblebrox.org/


-----Original Message-----
From: [email protected] [mailto:hardware-
[email protected]] On Behalf Of Mesdaq, Ali
Sent: Tuesday, November 02, 2010 7:06 PM
To: [email protected]
Subject: Re: [H] infected?

MS has a tool that can generate SHA1 and MD5 hashes on files
http://support.microsoft.com/kb/841290 . You can generate the hashes and
either check online (http://www.virustotal.com/search.html) or send them
to the list to see if any of us can point you in the right direction.

Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Sr. Security Researcher
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------
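The hash-list workflow Ali describes above (generate MD5/SHA1 hashes for suspect files, then look them up or share them) can be scripted so that every driver, DLL and executable under a directory is hashed in one pass and the output can be pasted as-is. The following is an added example written for this thread, not code from the Microsoft KB tool, Websense, or any list member; it assumes Python 3 with the standard `hashlib`, and it also emits SHA256 (not mentioned in the thread) because hash lookup services index it. Files the operating system refuses to open, which is common for a driver that is currently loaded, are reported as errors instead of aborting the run.

```python
import hashlib
import os
import sys
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so a large binary is never loaded whole


def hash_file(path, algorithms=("md5", "sha1", "sha256")):
    """Return {algorithm: hexdigest} for one file, streaming it through every hasher at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_tree(root, suffixes=(".sys", ".dll", ".exe")):
    """Walk a directory tree and hash files with the given suffixes
    (drivers, libraries, executables). A file that cannot be read, e.g. one
    locked by the OS or denied by permissions, is recorded as an error entry
    so the rest of the tree is still processed."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(suffixes):
                continue
            full = os.path.join(dirpath, name)
            try:
                results[full] = hash_file(full)
            except OSError as exc:
                results[full] = {"error": str(exc)}
    return results


def format_report(results):
    """One tab-separated line per file, sorted by path, ready to paste into
    a mail to the list or into a hash search box."""
    lines = []
    for path in sorted(results):
        h = results[path]
        if "error" in h:
            lines.append(f"{path}\tERROR\t{h['error']}")
        else:
            lines.append(f"{path}\tMD5={h['md5']}\tSHA1={h['sha1']}\tSHA256={h['sha256']}")
    return "\n".join(lines)


def demo():
    """Constructed demo input: a throw-away directory holding one file named
    like a driver but containing only the bytes b"abc" (not a real driver),
    so the script runs without arguments."""
    target = tempfile.mkdtemp()
    with open(os.path.join(target, "sample_driver.sys"), "wb") as fh:
        fh.write(b"abc")
    return hash_tree(target)


if __name__ == "__main__":
    # Usage: python hashlist.py C:\WINDOWS\system32\drivers  (hashes that tree)
    #        python hashlist.py                              (runs the constructed demo)
    results = hash_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print(format_report(results))
```

Point the script at a driver directory on the affected machine and compare the resulting lines against the same files on a machine that shows no symptoms; a file whose hashes differ between the two, or whose hash is unknown to a lookup service, is the one worth sending to the list.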


-----Original Message-----
From: [email protected] [mailto:hardware-
[email protected]] On Behalf Of DSinc
Sent: Tuesday, November 02, 2010 2:37 PM
To: [email protected]
Subject: Re: [H] infected?

Ali,
Thanks. I do not know how to answer your question.
My view is above filenames ATM, and I know zip about "hashes."
Duncan

On 11/02/2010 17:14, Mesdaq, Ali wrote:
Got filenames and hashes?

Thanks,
------------------------------------------
Ali Mesdaq (CISSP, GIAC-GREM)
Sr. Security Researcher
Websense Security Labs
http://www.WebsenseSecurityLabs.com
------------------------------------------


-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of DSinc
Sent: Tuesday, November 02, 2010 12:41 PM
To: HWG
Subject: [H] infected?

I suspect my home LAN is infected.
I am chasing an odd trouble on one of my clients (jnk).
Today, I find I have a Non-PlugNPlay Driver labeled "catchme" in my DM view.
Best I can trace it to may be 10/14/2010.

Worse, I find this item on all of my XP clients!!
Sorry, I forgot how to view Non-PnP hidden items in W2K Server.
I cannot view them ATM, so I will accept that my server has this item also! My bad.

6 hours of surfing and research leads me to rootkit.
How painful is the cure?
Best,
Duncan





