LinuxQuestions.org
Old 12-06-2004, 06:44 AM   #1
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Rep: Reputation: 47
(Windows question) a virus was running a proxy on my machine.


I run a dual-boot machine, Gentoo / Windows XP SP1.
This is a question about Windows, but I'm not asking for Windows-specific help, just risk assessment.

After my Dad complained that every time he hit the LOGIN button on his bank's website, he was automatically forwarded to a "dodgy" website with "just numbers in the address", I did the normal virus scan / spyware removing, and found several virii / trojans / tracking cookies. I put the forwarding down to just browser hijacking...

However, it turned out the "just numbers" were 127.0.0.1:8080, a local proxy.
This machine is connected directly to the internet via an ethernet broadband box, and there is no LAN.

I found that all my internet programs had been re-configured to use a local proxy;
after removing all the trojan virii, the proxy was gone.

I had not installed a proxy, which leads me to the conclusion that one of the trojans was running the proxy, and had changed all the internet and email settings.

Even Outlook Express had been re-configured to use 127.0.0.1 as an SMTP / POP proxy,
and worked like this for weeks.

The only reason I could think of for running a local proxy, AND setting my machine to use it (which obviously makes the proxy stand out like a sore thumb to anyone who knows anything about networks) would be for packet sniffing without putting the network card in promiscuous mode and without administration access rights.

So basically, I think the trojan was acting as a low-access packet sniffer.... just an educated guess, but hey....

ANYWAYS.... my dad uses the Windows machine often to buy from eBay and other online shops, many of which send passwords via email, which have of course passed through the trojan proxy.

I know that all credit card submissions have been encrypted...
however I also know a packet sniffer can catch hashed SSH passwords, and submit them using a modified OpenSSH client to gain access without ever knowing the password.

How much of a risk has he been running by buying online on such a compromised system?
 
Old 12-06-2004, 11:07 AM   #2
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Arctic
Distribution: Fedora, Debian, OpenSuSE and Android
Posts: 1,820

Rep: Reputation: 46
Quite a bit actually. I suggest he change all the passwords he may have used in the recent past, and closely monitor his accounts for any fraudulent transactions. We had a similar proxy-trojan on one of our machines, and a credit card account was compromised. I also highly suggest using SpySweeper + Ad-Aware + Spybot for scanning and SpywareBlaster for preventing the crud in the first place.
 
Old 12-06-2004, 11:30 AM   #3
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
After a re-boot or 2, it's back... all settings reset to 127.0.0.1.
Before I clean it again, what forensics can I perform???
 
Old 12-06-2004, 12:17 PM   #4
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
Virus scanners give the all clear, as does spyware etc etc etc..

HOWEVER..... I think I've been rooted..
A root kit is a virus that modifies the kernel, making its own detection impossible from the local machine.

Evidence.....

1) the system32 file ntoskrnl.exe reported as "modified" by virus scanner
2) firewall is on and set to drop everything.. local port scans fail... a port scan from a Linux box on the LAN shows the following ports to be open, and listening for connections..

Code:
135 msrpc
139 netbios-ssn
389 ldap
445 microsoft-DS
1025 NFS or IIS
1720 H.323/Q.931
5000 UPnP
8080 PROXY
ALSO.... outgoing HTTP requests ARE BEING MODIFIED to porn site requests...
Every 3rd time I click a hyperlink or load a web page, instead of getting the page I required, I receive a porn web page.. some of which have suspiciously young girls.. possibly underage porn.

This is not IE hijacking! It even does it with telnet..
Code:
telnet yahoo.com 80
GET /
returns yahoo.com 2 out of 3 times... and other porn sites the rest of the time.

It's impossible to turn off the proxy.

I'm going to research what open ports are running... but I'm certain it's a root kit!
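The two observations in the post above (a proxy setting pointing at 127.0.0.1:8080, and a raw "GET /" to a known site coming back from somewhere else about one time in three) can be turned into a repeatable check. The script below is an added example, not code from the thread or from any tool named in it; the host names, the 203.0.113.7 address and the sample replies are constructed, and the "body never mentions the expected host" rule is a heuristic, not a proof of tampering.

```python
"""Heuristic checks for a rewriting local proxy (added example, not from the
thread). proxy_points_to_loopback() flags a browser/mail proxy setting that
names the machine itself; response_looks_tampered() applies the poster's
"telnet yahoo.com 80 / GET /" test to a raw reply and judges whether it came
from the expected site. Sample replies and 203.0.113.7 are constructed."""
import re
import socket

LOOPBACK = re.compile(r"^(127(\.\d{1,3}){3}|localhost|\[?::1\]?)(:\d+)?$", re.I)

def proxy_points_to_loopback(proxy_setting: str) -> bool:
    """True when a setting such as '127.0.0.1:8080' names this host; with no
    LAN and no proxy installed by the owner, that is a red flag."""
    target = re.sub(r"^\w+://", "", proxy_setting.strip())
    return LOOPBACK.match(target) is not None

def response_looks_tampered(raw: bytes, expected_host: str) -> bool:
    """Heuristic: a redirect away from expected_host, or a body that never
    mentions it, is treated as a reply substituted by the proxy."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = head.decode("latin-1", "replace").lower()
    redirect = re.search(r"^location:\s*(\S+)", headers, re.M)
    if redirect:
        return expected_host.lower() not in redirect.group(1)
    return expected_host.lower().encode() not in body.lower()

def tampered_ratio(responses, expected_host: str) -> float:
    """Fraction of replies judged tampered; the thread reports roughly 1/3."""
    bad = sum(response_looks_tampered(r, expected_host) for r in responses)
    return bad / len(responses)

def fetch_raw(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the same bare HTTP/1.0 GET the poster typed into telnet and
    return the raw reply, so repeated calls can feed tampered_ratio()."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks)

# Constructed replies mimicking "yahoo.com 2 out of 3 times, another site
# the rest"; 203.0.113.7 is a documentation address, not a real host.
SAMPLE_REPLIES = [
    b"HTTP/1.0 301 Moved\r\nLocation: http://www.yahoo.com/\r\n\r\n",
    b"HTTP/1.0 200 OK\r\n\r\n<html><title>Yahoo!</title>www.yahoo.com</html>",
    b"HTTP/1.0 302 Found\r\nLocation: http://203.0.113.7/enter.html\r\n\r\n",
]
```

On a live machine, collect `fetch_raw("example-host", 80)` a dozen times and pass the list to `tampered_ratio()`; a ratio well above zero on a site that does not normally redirect is the same symptom the poster saw in telnet.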
 
Old 12-06-2004, 12:39 PM   #5
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Arctic
Distribution: Fedora, Debian, OpenSuSE and Android
Posts: 1,820

Rep: Reputation: 46
Try running Trend Micro's online scanner. It seems to be better at detecting trojans and scumware than traditional client-based antivirus software.

The safest way to fix it is unfortunately to backup-wipe-reinstall, but if that is not an option then you will have to work on it.

What entries do you see in /Winnt/system32/drivers/etc/lmhosts?
 
Old 12-06-2004, 01:03 PM   #6
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
Nothing... it's all commented out.

I'll have a Google for the Trend Micro you speak of. Thanks
 
Old 12-06-2004, 03:56 PM   #7
Pcghost
Senior Member
 
Registered: Feb 2003
Location: The Arctic
Distribution: Fedora, Debian, OpenSuSE and Android
Posts: 1,820

Rep: Reputation: 46
http://www.trendmicro.com click on 'scan now' or online-virus scanner.
 
Old 12-06-2004, 04:34 PM   #8
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
Quote:
http://www.trendmicro.com click on 'scan now' or online-virus scanner.
I can't.
Like I said, my web browsers are set to connect to the internet via the proxy the virus put up, and this virus proxy is feeding me a DNS error whenever I try to connect to anti-virus home pages...

I can access the pages in Linux, but not in the infected Windows machine.

If I change the web browser settings to connect directly to the internet (no proxy) it changes itself back instantly.

Any other ideas?

This seems to be a very powerful virus.

I REEEALY don't want to have to waste all afternoon re-installing Windows... I'm a student and it's coursework / exam time

but I'm getting very annoyed at all the browser hijacking...

Last edited by qwijibow; 12-07-2004 at 06:15 AM.
 
Old 12-06-2004, 05:55 PM   #9
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
Well then you've got yourself a mutation.

These mutations or customizations tend to be hard to remove.

I can only suggest that you try and run msconfig. And try there to find the programs and remove them from your boot sequence. Perhaps a diagnostic boot and then using the antivirus might work. And write down the program names and do a search using regedit. Usually it goes to RunOnce.

Your problem is that the virus has multiple backup programs running, so when you fail to delete all of them the virus repairs itself. I don't believe you've got yourself a rootkit for Windows installed. That shouldn't even trigger an AV warning.

It would be quite interesting if the virus had pipes between all the processes and for each SIGPIPE would rebuild itself.

Maybe it is easier to just reinstall the system.
 
Old 12-06-2004, 06:00 PM   #10
Krugger
Member
 
Registered: Oct 2004
Posts: 229

Rep: Reputation: 30
And check the binaries you are running. Like for example explore.exe might just be part of the virus and it might have hidden the real explorer as another file.
 
Old 12-06-2004, 06:58 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I would *STRONGLY* recommend reformatting the system and re-installing from scratch. It can be extremely hard to identify and remove all traces of a compromise on a Linux box and it can be even harder to do so on a Windows system. If you are transmitting sensitive info like credit card and bank account info on that system then you should be sure it's absolutely clean. On that note, you should immediately have your father call the bank and cancel any bank/credit cards. There is a time limit on how long the bank will refund any lost/stolen funds, so you could literally be out thousands if you aren't very careful.
 
Old 12-06-2004, 07:00 PM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Moved: This thread is more suitable in the General forum (it's not a linux question) and has been moved accordingly to help your thread/question get the exposure it deserves.
 
Old 12-06-2004, 07:32 PM   #13
EnigmaOne
LQ Newbie
 
Registered: Aug 2003
Location: Long Beach, CA - USA
Distribution: Too many to count...
Posts: 28

Rep: Reputation: 15
Disconnect that machine from the Internet...now.

Work on getting rid of the trojaned binaries, and copying all data off the drive that you must absolutely have.

Get a hardware firewall between your machine and the Internet.

Do a zero-fill on the windoze partition and re-write the MBR from a read-only copy of fdisk.

Don't bother re-installing windoze...it'll probably just happen again.

Make a list of all credit cards, online accounts and bank accounts that have been accessed through that machine--ever--and contact all the appropriate institutions to make account changes. Change all passwords for all online accounts from a secured (Linux) machine.

Get a copy of all transactions from those same institutions for the past 6 months. You might want to have your dad run a credit report on himself now, notifying the reporting agency that he may be the victim of identity theft.
Do another credit report in another 6 months or so.

Don't worry unnecessarily, but keep on top of this. It could come back to bite you later.
 
Old 12-07-2004, 06:15 AM   #14
qwijibow
LQ Guru
 
Registered: Apr 2003
Location: nottingham england
Distribution: Gentoo
Posts: 2,672

Original Poster
Rep: Reputation: 47
Thanks for the advice...
Is this situation really THAT bad.. a zero fill? and a credit report!?

I don't have any faith in Windows security, but surely Internet Explorer SHOULD have encrypted the credit details before the trojan proxy (or is it proxie?) got its hands on them.

Quote:
Don't bother re-installing windoze...it'll probably just happen again.
Oh it's constantly happening, I'll usually find a trojan virus every few weeks,
and my Linux firewall shows I'm constantly being port scanned, ESPECIALLY on port 8080 (quite a lot from Amsterdam); however this is the first trojan that has been smart enough to disable the firewall, and turn off the virus scanner.

I don't use Windows, but this is a family PC, and the other users have never used a standard Operating System.

Windows has the up 2 date program running constantly, a firewall that SHOULD block all incoming connection attempts, a virus scanner (with automatic updates running).. everything... and it's infected with virii and needs to be completely re-installed every few months due to the general degradation of the file system (especially the system32 config files). Hands up who decided to make a CONFIG file a central point of failure!?

My Linux system is running an FTP and HTTP web server for sharing files, an SSH server, a CUPS printing server, and a peer-to-peer file-sharing program (giFT).

The firewall is set to allow incoming connections to these services..

and yet in the 3 years I've been using Linux, not a single crash, not a single re-install, not a single virus, trojan or anything.

How did Microsoft manage to do such a lame job! I know Windows is just a cheap Operating System, but c'mon!!!! I wouldn't be surprised if the anti-virus companies were paying Microsoft to put the security holes in deliberately. A whole market.. anti-virus software that's supported by Microsoft's mistakes.

ANYWAYS... after Christmas I'm planning on resurrecting a dead machine, with a few major upgrades,
so I will need to buy a router. I found a good one with all the works, plus a firewall.

Will a hardware firewall improve MS-Windows security much?
I know it will make remote incoming connections impossible, but it won't protect Windows from itself (MS Internet Explorer) will it?

unless of course I remove all links to IE, and install Firefox and Thunderbird???
 
Old 12-07-2004, 09:03 AM   #15
berrance
Member
 
Registered: Aug 2004
Location: Hull - England
Distribution: Ubunto and slowly switching to debian
Posts: 308

Rep: Reputation: 30
If it was me I would install Firefox and run any web-based virus scanning through that. Also, if you did find where the infected files are, write them all down and go into safe mode; change, replace, delete them if you can. The ones you cannot change or alter, go back into Windows but don't connect to the internet; in fact even unplug it in case it tries dialing out by itself! Then try deleting the other files, and if it's Windows XP it should detect that a system file has been changed or deleted and will ask you to put your XP disk in so it can replace them, although it might do that in safe mode. If you can, do it in safe mode, otherwise the files may become infected again. Reinstall all software that is affected, and you could also try putting your Windows XP disk in at boot time and running a repair.

But back up your files first just in case.

Also, if you can, try running your AV in safe mode; it might find it then, as in safe mode hopefully it shouldn't be a running process.

This is what I did on my dad's computer when it had a very similar problem and it worked for that machine.

Hope you get it sorted
 