[FoRK] Argh! Help! Windows config mystery

Eugen Leitl <eugen at leitl.org> on Thu Oct 12 11:39:04 PDT 2006

On Thu, Oct 12, 2006 at 05:46:43PM +0000, corinna wrote:

> I don't know enough about Windows config. I learned a ton in the last few hours,
> though. But my basic problem is still there. I got hit by a worm (I think), and
> it appears to have spread through our internal network. I think it's a spybot (

Your hosts on the internal network have no firewall?

> or rBot IRC trojan) variant - found registry keys with wuamgrd.exe.
> 
> I cleaned that stuff up (at least on my own machine). 

You can't possibly know. Malware is chronically difficult to clean,
though you can get lucky. The only way to make sure is to reinstall
from known good media.
 
> So that makes me think there's a file somewhere blocking traffic based on the
> domain name. I don't know where to look. I don't want to reinstall Windows.

You did mean http://en.wikipedia.org/wiki/Hosts_file when you said hosts,
right? Did you use the usual malware scanners, and Windows rootkits 
detectors (there are at least 5-7 free ones)?
 
> A second question is, how do I know if my machine is now a bot? Will running
> Ethereal for a few minutes tell me?

Possible, though I would use a dedicated firewall, and sniff there.
If you need a good firewall, http://pfsense.com/ should go 1.0 tomorrow,
or shortly after. I shouldn't plug the project, since some of the developers
are assholes, but the firewall is good.

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
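The "file somewhere blocking traffic based on the domain name" that corinna describes is, as Eugen suggests, most likely the hosts file, which worms of this kind edit so that name lookups for certain domains never leave the machine. The script below is an added example (not part of the thread and not from any project named in it) that parses a hosts file and flags two patterns a defender cares about: names other than the standard local ones that resolve to a loopback or unspecified address (the domain is blackholed) and names that resolve to any other address (the domain is redirected). The sample hosts file and the hostnames in it are constructed; on a real Windows box you would point `parse_hosts` at the contents of `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Constructed sample of a Windows hosts file (not taken from the thread).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test   # blackholed: lookups never leave the box
0.0.0.0         update.example-av-vendor.test
203.0.113.7     www.example-bank.test        # redirected to an address chosen by someone else
::1             localhost
"""

# Names that legitimately map to a loopback address in a stock hosts file.
LEGIT_LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) for every mapping in a hosts file.

    Comments (everything after '#') and blank lines are ignored; a line whose
    first field is not a valid IP address is skipped rather than treated as data.
    One line may map several hostnames to the same address.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not a mapping
        for name in fields[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def classify(addr, name):
    """'ok' for the standard local names, 'blackhole' when some other name is
    sent to loopback or 0.0.0.0, 'redirect' when it is sent anywhere else."""
    if name in LEGIT_LOCAL_NAMES:
        return "ok"
    if addr.is_loopback or addr.is_unspecified:
        return "blackhole"
    return "redirect"


def suspicious_entries(text):
    """List every mapping that is not a standard local name, with its verdict."""
    return [
        (lineno, str(addr), name, classify(addr, name))
        for lineno, addr, name in parse_hosts(text)
        if classify(addr, name) != "ok"
    ]


if __name__ == "__main__":
    for lineno, addr, name, verdict in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr} ({verdict})")
```

Any `blackhole` or `redirect` hit on a machine you did not configure that way is worth a look, but, as Eugen says, a clean hosts file proves nothing about the rest of the box: the check tells you whether this particular symptom is present, not whether the host is clean.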
