unsharpTech » Windows

Trojan.Rootkit-1835 ClamAV False Positive

sam — Tue, 15 Dec 2009 18:24:11 +0000

This morning I was going over last night’s ClamWin scan results on my Windows XP box and found a few instances of Trojan.Rootkit-1835 infecting the following files:

C:\WINDOWS\Driver Cache\i386\sp3.cab: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\dllcache\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\drivers\atapi.sys: Trojan.Rootkit-1835 FOUND
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\i386\atapi.sys: Trojan.Rootkit-1835 FOUND

This was interesting because lately I’ve been cleaning up computers that end up missing atapi.sys and need it replaced in order to boot without a BSOD. But upon looking into it and finding a note in a recent ClamAV database update I am confident that this was a false positive.

It appears that this happened back in 2005 as well but was taken care of and now it’s happened again. I went as far as to grab an SP3 XP Pro install disc and scan it with ClamWin and it found the same false positive Trojan.Rootkit-1835.

Luckily the false postive has been removed from the ClamAV database as of 15 Dec 2009 04-20 -0500 according to this daily.csv submission note:

ClamAV database updated (15 Dec 2009 04-20 -0500): daily.cvd Version: 10173 ... Submission notes: Trojan.Rootkit-1835 dropped due to false positive

So just update your ClamWin Database and no more false positives. You may want to run the System File Checker before you reboot just in case ClamWin deleted your atapi.sys, otherwise you’ll probably get a Blue Screen Of Death.

Just run the following commands and insert the install CD when it asks for it:

sfc /purgecache
sfc /scannow

Sources:

http://lists.clamav.net/lurker/attach/1@20091215.092101.11505bd1.attach

http://forums.clamwin.com/viewtopic.php?p=11247

Relevant Windows 7 facts

sam — Sun, 01 Nov 2009 03:37:26 +0000

This is not meant to be a thorough report, just the highlights I found relevant related to its recent release.

Versions

Starter is weak (for netbooks) 32-bit only, OEM pre-install only
Home Basic is for emerging markets (we probably won’t see it in the US much)
Home Premium is what most consumers will end up with
Professional is the lowest version to include features such as Remote Desktop Serving, Domain Joining, and Windows XP Mode
Enterprise is the same as Ultimate but with volume licensing and they both include BitLocker
Ultimate has all possible features (of course)

Wikipedia detailed Windows 7 Version Comparison Chart

General

Supposedly 7 can be installed from a USB drive (without hacking).
Internet Explorer 8 can pretty much be removed – many parts are integrated into the OS, but the browser can go bye-bye.
The sidebar is gone but Gadgets remain, and are more efficient and movable.
There is an overly hyped new taskbar.

Sometimes Ghost is truly the best tool

sam — Sat, 01 Aug 2009 11:37:16 +0000

Lately I’ve been loving Clonezilla for rolling out refurbed Dell workstations. It’s been really cool, boot from USB “liveCD”, clone disk to disk directly over gigabit ethernet, reboot, repeat. But after doing 10 of them, I ran into the true limitation of Clonezilla. Clonezilla relies on ntfsclone and partimage (great tools) but they share a key weakness: neither can restore an NTFS drive or partition image to a smaller target – in my case it was a matter of a dozen sectors. It’s ironic because both tools only copy the used blocks and seem to support resizing but they just plain don’t do it. Needless to say I couldn’t accept that fact until I was done pounding my head against the issue thoroughly, then I used the de facto Windows imaging tool: Norton Ghost.

So, its 4:00 AM and I’m in the lab finishing up my Ghost disk-to-disk imaging on the remaining machines…

Total time to break remaining boxes and yank HDs + Ghost imaging time = 30 mins.

Time wasted to get to this point = 3 hours.

If anyone can prove me wrong concerning the shortcomings of Clonezilla, please do (and comment, duh).

Fix Slow Scrolling in jEdit

sam — Wed, 06 May 2009 05:25:07 +0000

So far jEdit is proving to be a great editor (FTP/SFTP support is great) but after tweaking it to my liking (BufferTabs plugin, fonts, etc.) I noticed that scrolling the main text area had become very slow. I didn’t want to just blame Java so I looked it up and found the cause.

Platform: Windows XP Pro SP3 + Java 1.6.0_13
jEdit Version: 4.3pre16

Utilities -> Global Options -> jEdit -> Text Area:

Anti Aliased smooth text: subpixel

UNCHECK: Fractal font metrics (for better smooth text display)

The combination of subpixel antialiasing (a must) and Fractal font metrics (makes little difference) causes the unbearably slow scolling.

Thanks to the jEdit Community Forums.

Source:

http://community.jedit.org/?q=node/view/4148

Hide Administrator from Welcome Screen in Vista

sam — Thu, 22 Jan 2009 22:04:20 +0000

By default the Administrator account in Vista is Disabled – everything is run in a sudo fashion without actually logging in to the Administrator account. Some times due to external password recovery systems or other various reasons the built-in Administrator account is enabled, causing it to show up on the Welcome Screen.

In order to stop the Administrator account from showing as a login option on the Welcome Screen in Windows Vista you need to set the Administrator account to not active with the net user command from an Administrative cmd prompt as follows:

net user Administrator /active:no

Some people report that the “/” causes the command to fail, try it without:

net user Administrator active:no

From then on the the Administrator account should no longer show on the Welcome Screen.

SOURCE:

http://www.mydigitallife.info/2007/08/10/activate-enable-and-show-administrator-account-in-vista-welcome-screen/

Fix Vista Update Loop

sam — Fri, 19 Dec 2008 00:08:46 +0000

Symptoms include this message on boot:

“configuring updates stage 3 of 3. 0% complete”

and then an automatic reboot and the same message over and over again in an endless loop.

Some people say to just let it sit while plugged in to the ‘net or to try a repair install but without any restore points you aren’t going to get anywhere.

For some odd reason they removed the Method 3 from this MS help article, here is a copy of it:
Method 3:

Rename the Pending.xml file, and then edit the registry.

To rename the Pending.xml file and to edit the registry, follow these steps.

Start Windows Vista and go to the System Recovery options:

1. Insert the Windows Vista installation disc in the disc drive, and then restart the computer.

2. When you are prompted to restart from the disc, press any key.

3. When you are prompted, configure the Language to install, Time and currency format, and Keyboard or input method options that you want, and then click Next.

4. On the Install Windows page, click Repair your computer.

5. On the System Recovery Options page, click the version of the Windows Vista operating system that you want to repair, and then click Next.

Use the System Recovery options to rename the Pending.xml file and edit the registry:

1. On the System Recovery Options page, click Command Prompt.

2. Type cd C:\windows\winsxs, and then press ENTER.

3. Type ren pending.xml pending.old, and then press ENTER.

4. Type regedit, and then press ENTER.

5. Select HKEY_LOCAL_MACHINE.

6. On the File menu, click Load Hive.

7. Locate the following folder: C:\windows\system32\config\components

8. When you are prompted for a name, type Offline_Components.

9. In Registry Editor, locate and then delete the following registry subkey:

HLKM\Offline Components\AdvancedInstallersNeedResolving

HKLM\Offline Components\PendingXmlIdentifier

Exit Registry Editor:

1. At the command prompt, type exit to exit Registry Editor.

2. Press ENTER.

3. Click Restart.

When you can actually log in again, the following hotfixes are supposed to prevent the loop from returning – I haven’t had much luck in installing them (usually says I don’t need them) but maybe they will help you:

http://www.microsoft.com/downloads/details.aspx?FamilyID=5639710d-dfbf-4527-806e-9a1634d0cc8e&DisplayLang=en

http://www.microsoft.com/downloads/details.aspx?FamilyID=1adf1d6c-ad46-4d09-a99c-ba3b1d9bcf4f&displaylang=en

Missing User Accounts in Windows XP

sam — Fri, 12 Dec 2008 20:37:35 +0000

So this time they weren’t hidden ’cause they weren’t in the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList

But they didn’t show up in the Accounts Control Panel or in Run > control userpasswords2.

But they do show up when you run the command:

net user

aaand each account is active.. BUT they had no groups assigned to them and since it was XP Home Edition we didn’t have access to the groups snap in.

So, thanks to Google we found the proper syntax for adding a user (“username”) to a group (“Administrators”) with the net command:

net localgroup Administrators username /add

Sources:

http://www.ss64.com/nt/net_useradmin.html

http://www.theeldergeek.com/create_hidden_user_account.htm

Using SIW to Find Hardware in Windows

sam — Thu, 21 Aug 2008 05:55:41 +0000

I’ve often resorted to loading up a Linux livecd and running “lspci” just to get an idea of what hardware is in a box. Let’s face it, even if box manufacturers do provide the drivers you need, that model may have shipped with one of 4 different NICs, video cards, etc. So it used to be I had to run a linux cd and the lspci command to get the PCI devices table but not anymore…

I thought SIW (System Information for Windows) was a nifty tool from the beginning, it replaced CPU-Z for RAM and Mobo information and since discovering the PCI listing, getting appropriate drivers has become much easier. Now don’t think just cause it’s under PCI that only PCI related devices are there, pretty much every relevant device is in there including VGA controllers, Bluetooth adapters, SATA Controllers, and more.

Anyway, all you gotta do is get siw.exe from gtopala.com, run it and go down to the Hardware tree, then click PCI. You can also click on the Hardware menu up top then PCI or hit File, then Create Report File to get it to go.

Don’t forget, SIW also has a Password Revealer (Tools -> Eureka!), a MAC Address Changer (Tools -> Mac Address Changer), a Licenses List (Software -> Licenses), and much more fun.

Warning: FileZilla FTP Passwords now Stored in Plaintext

sam — Wed, 21 May 2008 03:51:13 +0000

I feel that this should be brought to the attention of FileZilla users out there even though it may be a huge concern. (Lots of apps do this but potentially giving up FTP access info to a bunch of servers you are responsible for is something to be avoided). Jump to the Important Stuff

I love the FTP client FileZilla, and I used to share my filezilla.xml file between machines because it stored all my recent servers and passwords (encrypted). Recently I tried to do the same and came to find out that the most recent versions of FileZilla version ~ 3.0.9.2+ (and possibly older) store all saved FTP account connection info in plaintext .xml files. This applys to both Linux and Windows installations (Mac OS X has yet to be tested but I would bet the same applies).

In some cases this is convenient – often I connect over FileZilla then don’t have access to the password but need to use it in a different app/machine, I could just look it up in these plaintext config files.

But in other cases this is a serious problem. From a practical standpoint, let’s say we connect to our FTP server using FileZilla on a semi-public machine like at a buddy’s place where you may not be concerned about keyloggers but don’t necessarily want your stuff available in plaintext after you walk away.

And let’s not forget that someone could write an app that runs in the background, slurping up that info and putting it in the hands of people you may not trust.

Personally, I am not gonna stop using FileZilla at my primary FTP client on my Linux and Windows boxes, it really is a great app – one of the best clients if not the best. But I feel that awareness pertaining to storage of sensitive data should be a major concern to any serious user.
Text to be displayed
The following files are what you need to know about:

filezilla.xml – Stores most recent server info including password in plaintext.
recentservers.xml – Stores all recent server info including password in plaintext.
sitemanager.xml – Stores all saved sites server info including password in plaintext.

These files can usually be found in the following directories:

Windows XP/2K: “C:\Documents and Settings\username\Application Data\FileZilla”
Windows Vista: “C:\Users\username\AppData\Roaming\FileZilla\”
Linux: “/home/username/.filezilla/”

It seems that this has been brought to the developer’s attention but it also seems that this won’t be changing any time soon. There seems to be a bit of a dispute as to how this should be handled, but I say why not use weak cryptography/obfuscation like they used to, at least that way it would take someone some minor effort/know-how to get to these passwords.

If you have further information regarding the subject, please comment.

Related resources:

Security posting: http://seclists.org/fulldisclosure/2008/Apr/0511.html

FileZilla Password Recovery Apps/Scripts: (may only apply to older encryption scheme)

http://www.reactive-software.com/filezilla-password-recovery.html

http://www.ianwootten.co.uk/2008/01/05/decrypting-filezilla-passwords-with-php/

My Apps List: Windows XP

sam — Wed, 09 Apr 2008 23:46:37 +0000

I’ve been doing a few reinstalls on my workstation boxes lately so I put together this list to save myself some time. This will change as I remember/find stuff.

System/Utilities

Media

Web

Firefox + Firebug + ColorZilla + Prism + Web Developer
Flash Plugin
Thunderbird
Pidgin

Development

Dreamweaver + Updates
Eclipse with PHP Development Tools (jEdit + FTP/SFTP Plugin (Aptana Studio))
Filezilla
Notepad++
Putty
WAMP