#1
cdplayer.exe.manifest and windowslogon.manifest
Preparing for a complete reformat, using Repair Console, I removed the entire System32 directory, and two files were left behind: Cdplayer.exe.manifest and windowslogon.manifest. When I tried to remove them individually, I got a message that "Access is denied." (See related post under HiPerfCooker, if you like.)

I searched for this topic, and I found nothing about it here. When I look at these in Google, I don't really see that anyone had this particular issue with these files, although they do show up as being associated with a Trojan, and many of the questions don't seem to have a resolution. Curiously enough, when I try to find this post with my public library's computer, I can't find it. And even more curiously, I found using my computer this morning that it was posted from "microsoft.public.ph.philippines.certified." Whatever... Can anyone shed any light on this for me? Thanks so much to all who answer here.
#2
Re: cdplayer.exe.manifest and windowslogon.manifest
Please state your full Windows version (e.g., WinXP SP3; Vista x64 SP2) when posting to this newsgroup. What problems are you having that you think would be resolved by a Repair Install?
#3
Re: cdplayer.exe.manifest and windowslogon.manifest
Why bother messing with any files and directories if you are going to reformat? Is this Vista? There are other accounts on the machine that have higher privileges than the mere 'admin' account has. One of these accounts probably 'owns' those files. Which trojan? (just curious)
#4
Re: cdplayer.exe.manifest and windowslogon.manifest
WIN XP Pro from a retail disk.

Essentially, Bear, the problem I have is that even when I do a reformat, there appears to be some outside entity that has me connected to a WBEM server that appears to be set up to capture every bit of data that comes through this computer. As ridiculous as that sounds, I got (verbal) confirmation of that when a Level 3 Microsoft technician looked at my system with me using Remote Desktop. Now, I would be only too happy to get another hard drive, although I have had three new hard drives on this computer already and still this thing shows up. The second I probably blew by using contaminated flash drives and CDs (although a scan of them using someone else's big-company Norton system didn't show up anything). The third one got the door opened, I think, by software from a very cheap digital camera. I have a mechanical firewall, btw. So I have nuked this hard drive with KILLDISK, with DBAN, with an installation of Win98 and then followed with a long reformat on install of WIN XP Pro from a retail disk. So I am the very definition of madness in that regard.

One very interesting thing I have noticed, lately, is that I am using Windows Firewall (before I connect to the net) and there's no error message on the tool bars or popups or anything like that... yet, if you go into Manage Security Settings for Windows Firewall, and click on the Advanced tab, you get "The Network Settings have become corrupted. To fix this, click Restore Defaults. [It doesn't fix anything.] This will delete all of your settings for Windows Firewall, and it might cause some programs to stop working."

Even before I connect to the Net, I see so many log files that have things in them such as:

A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Or:

Application image dump failed. Server Application ID: {01885945-612C-4A53-A479-E97507453926} Server Application Instance ID: {E761AC8D-14F9-4522-A149-BC9AB7FA77FE} Server Application Name: COM+ Explorer Error Code = 0x80004005 : Unspecified error COM+ Services Internals Information: File: f:\xpsp3\com\com1x\src\shared\util\svcerr.cpp, Line: 1259 Comsvcs.dll file version: ENU 2001.12.4414.702 shp

Just to name a couple.

So I came up with this idea to remove all the System32 files (and actually a bunch of others) before my last reformat adventure, and I thought I would try a disk repair. The disk repair seemed to work just fine until the part where there's a reboot after the files are reloaded, and the error message I got said something like, "This process can't continue because the user key is invalid." Just for fun, I opened that logfile from the repair console and saw a whole bunch of lines that talked about "use invalid code." Like I say, I would try getting another hard drive (although right now even that is a bit of a financial hardship) but I am just not at all sure that's going to fix the problem.

Rafters, here's an example link: What seems to be the deal there is that Norton found these files and couldn't scan, repair or quarantine. Later in the post, after many scan files, it says, "Note: Had tried various external/on line scans to hope to route out this virus, scans included: Norton Antivirus, Bitdefender, Trendmicro, Panda and AVG. NONE of these other antivirus programs even picked up the virus. So as far as McAfee, yes, there needs to be a better antivirus program out there that not only can detect but remove the virus, but at least it caught the virus. Also, the reason McAfee couldn't clean, disinfect or quarantine the virus was because it embedded itself onto a system file, which needed repair before you could delete the virus. Once the system file of winlogon.exe was repaired, McAfee got rid of the virus with no problems." It appears as if this case was resolved, eventually, but again, it's sort of apples and oranges.
#5
Re: cdplayer.exe.manifest and windowslogon.manifest
This "New Win32 virus" looks to me like a heuristic detection for suspected malware. Those files you are worried about seem to be mentioned *only* because they have the "hidden" attribute set. I never bothered to learn how to read HijackThis logs because my interest was with viruses (whose starting method is of a piece with them *being* viruses - and won't show up in HJT logs). Could be there is no virus (malware) or it is being hidden by a rootkit of some sort. If indeed this is a malware instance, the best thing is to detect it. In order to remove it (and other associated software) it has to be positively *identified* - which is not the job of the heuristic detector (you would get a more definite malware name than "New Win32 virus").

...actually because the OS protects *system* files from being tampered with (or rather can change them back *after* being tampered with in some cases).

Actually - it was able to delete the suspect file. (I know... it *calls* it a virus. What it actually means is it *might* be malware.)

Yes, not exactly *your* problem - but it helps me to understand what may be happening here. I may be going down the wrong road with you - I suspected W32.red-herring or Backdoor.wild.goose if you get my drift. Then I read your response to PA Bear and got lost in new information I didn't have before. I will leave you in his capable hands - you may want to be more forthcoming with pertinent information and avoid sidetracking to *other* people's problems/solutions. If you actually have malware that persists through partitioning and formatting the affected system disk - you are a rare case indeed.
#6
Can you tell me more about such cases, FTR? Will you - please? Google or Bing.
#7
Re: cdplayer.exe.manifest and windowslogon.manifest
For what it's worth, I tried looking up things like "Low-level format can't remove malware" and "malware persists through partitioning formatting" and I didn't get much. I happened to be at my public library computer, the one with NetNanny that doesn't allow ANY downloads from the net, and all the entries that looked as if they might be promising were blocked because of the threat of spyware. So, Peter, I am sure you probably are much better at finding these things than I, and it would be interesting to hear from you about that.
#8
Re: cdplayer.exe.manifest and windowslogon.manifest
How kind of you to comment, Eliza - thank you! :) FWIW, I went through this whole exercise a year or two ago and, despite all action taken (including installing a new hard drive - twice!) I remained *convinced* that my machine had been compromised in some way. This was following the theft of £245 via eBay/PayPal (later recovered!). My subsequent involvement with our police high-tech crime unit culminated with them advising me to scrap the machine in question. Like a fool, I didn't believe that I wouldn't be able to 'fix' my computer - but, in the end, I took it out of service *permanently* ........ and bought a new machine!
#9
I already did, last year - in fact we had a rather lengthy discussion on the subject. Google "backdoor", "malware" or "rootkit" along with "PCI", "EEPROM", "flash BIOS", "expansion ROM", "option ROM" or "firmware" and sift your way through the mostly useless "forum" posts to find the occasional gem. Do not waste your time. Just do a clean reformat. Since you have already deleted your System32 folder, the above would be the logical choice.
#10
I well recall our discussion and felt that Eliza might benefit from hearing your views. In essence, I believe we established that a computer *can* be compromised ............ so that even a replacement of the hard disk with a new one will not eradicate the infection. Do you concur? Are you able to cite any examples of how such "extremely rare" infections might actually happen?
#11
Re: cdplayer.exe.manifest and windowslogon.manifest
Yes, but it is *extremely* rare. Far more likely is to get reinfected by restoring or revisiting the malware after being cleaned. Also there are times when a false positive on a system file persists after cleaning, leaving the user convinced that it is *real* malware hiding somewhere other than the harddrive and reinfecting the system file. This is where submitting the file to scanning by several scanning engines can help weed out the false positive declaration (see jotti.org or virustotal.com).
#12
Re: cdplayer.exe.manifest and windowslogon.manifest
I have no first hand experience with any such infections. Anything other than first hand experience would be a *purported* incident as far as that goes. I can't help with that, because those same people can have "hinky" feelings about me. After all, I am an anonymous (sort of) poster on usenet.

Absolutely - do you remember me saying "it pays to be first" where malware is concerned? AV is an application that depends on the OS supplying certain facts to it. If the malware runs first, it can filter out those facts - leaving the AV application thinking all is well. If this wasn't true, you probably wouldn't have anti-rootkit programs as there would be no need for them.
#13
Re: cdplayer.exe.manifest and windowslogon.manifest
You have always seemed straight-forward and honest, too - even though 'anonymous'. Again, I thank you for so being. I did two stupid things before becoming aware of what information I gave away simply by visiting a URL. One was finding and watching a video of the American prisoner being beheaded and the other was looking for, and finding, the infamous Islamic cartoons published by a Dutch newspaper. I have an inkling that one or both of those actions might have been detrimental to the well-being of my computer - the first was certainly detrimental to *my* well-being! At that time my computer was also connected physically to my broadband-enabled telephone line via a modem (which had been supplied by my ISP). This was common practice when broadband first became available in the UK. You will be pleased to note that in recent years my computers have been/are connected to the Internet via a wireless connection to a router! An exception to this is when afloat - when I connect using a dongle and the 3G network.
#14
Re: cdplayer.exe.manifest and windowslogon.manifest
Thanks for your help here. You may not have seen the top of the post where I talked about taking System32 (or trying to) out *before* a nuke and burn. I do things like that because I strongly suspect that I have something that survives a complete reformat. I removed, or tried to remove, the system32 file using a DOS editor. I think what happens is that "a rock in the door" resides in the MBR, and that "rock" allows a door to be opened to bring in the full complement of things that basically connects me to a remote server somewhere.

The reason I think this is because I have often used the Active@ freebie write-0s wiper and seen the fleeting message at boot:

InitDisk
illegal partition table - drive 00 sector 0
illegal partition table - drive 00 sector 0
illegal partition table - drive 00 sector 0
illegal partition table - drive 00 sector 0

AND ALSO, when I run SCANDISK, I get a message that is something like: "ScanDisk encountered damage to the hard drive while reading cluster 2. Do you want to repair?" Then, when I click yes for that, I get a message that says something like, "Cluster 2 is currently being used by the \IO.SYS file" then "Scandisk cannot repair damaged cluster 2 because other damage to drive A (the hard drive) prevents it".

Thanks and kindest regards to all who answer here.
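The "illegal partition table - drive 00 sector 0" line quoted in the post above is printed by the boot code when the partition table it reads from sector 0 fails its sanity checks. The script below is an added example, not code from the thread: it parses a 512-byte MBR, reports the inconsistencies such a check trips on (missing 0x55AA signature, invalid status byte, more than one active entry, overlapping or out-of-range partitions), and hashes the 446-byte boot-code region so it can be compared against a known-good sector 0 taken from the same installer, which is the region a bootkit replaces. The MBR images, the disk size `DISK_SECTORS` and the exact list of checks are this example's own assumptions; on a real machine you would feed it sector 0 from a raw image of the drive. An all-zero sector, which is what a zero-fill wiper leaves behind, fails only the signature check.

```python
"""Sanity-check a 512-byte master boot record.

Added example (not from the original thread). The MBR images at the bottom
are constructed inline so the script runs offline; on a real machine, read
sector 0 from a raw disk image into `sector` instead.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Sequence, Tuple

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445 hold the boot code (what a bootkit replaces)
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
# Little-endian entry: status, 3-byte CHS start (skipped), type, 3-byte CHS end
# (skipped), 32-bit LBA start, 32-bit sector count.
ENTRY_FORMAT = "<B3xB3xII"


@dataclass
class PartitionEntry:
    index: int
    status: int        # 0x80 = active/bootable, 0x00 = inactive; anything else is invalid
    type_code: int     # 0x00 = unused slot
    lba_start: int
    sector_count: int

    @property
    def used(self) -> bool:
        return self.type_code != 0

    @property
    def lba_end(self) -> int:  # exclusive
        return self.lba_start + self.sector_count


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Decode the four partition entries at offsets 446, 462, 478 and 494."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        status, type_code, start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append(PartitionEntry(i, status, type_code, start, count))
    return entries


def check_mbr(sector: bytes, disk_sectors: int) -> List[str]:
    """Return the problems found; an empty list means the table is consistent.

    `disk_sectors` is the total sector count of the disk (an assumed input here).
    """
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")
    entries = parse_partition_table(sector)
    for e in entries:
        if e.status not in (0x00, 0x80):
            problems.append(f"entry {e.index}: invalid status byte 0x{e.status:02x}")
        if not e.used:
            if e.lba_start or e.sector_count:
                problems.append(f"entry {e.index}: unused type but non-zero LBA fields")
            continue
        if e.lba_start == 0:
            problems.append(f"entry {e.index}: starts at sector 0 (overlaps the MBR itself)")
        if e.lba_end > disk_sectors:
            problems.append(f"entry {e.index}: extends past the end of the disk")
    if sum(1 for e in entries if e.status == 0x80) > 1:
        problems.append("more than one partition marked active")
    used = [e for e in entries if e.used]
    for a in used:
        for b in used:
            if a.index < b.index and a.lba_start < b.lba_end and b.lba_start < a.lba_end:
                problems.append(f"entries {a.index} and {b.index} overlap")
    return problems


def boot_code_sha256(sector: bytes) -> str:
    """Hash of the boot-code region, to diff against a known-good MBR from the same installer."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def build_mbr(entries: Sequence[Tuple[int, int, int, int]],
              signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a constructed test image from (status, type, lba_start, count) tuples."""
    boot_code = b"\xeb\xfe" + b"\x90" * (BOOT_CODE_SIZE - 2)   # jmp $ padded with nop
    table = b"".join(struct.pack(ENTRY_FORMAT, *e) for e in entries)
    table += b"\x00" * (64 - len(table))
    return boot_code + table + signature


DISK_SECTORS = 25_000_000  # assumed disk size, roughly 12 GB

# Constructed samples (not captured from a real disk).
GOOD_MBR = build_mbr([(0x80, 0x07, 63, 20_000_000)])        # one NTFS partition, XP-style start at 63
BAD_MBR = build_mbr([(0x80, 0x07, 63, 20_000_000),
                     (0x80, 0x0B, 10_000, 100_000),         # second active entry, overlaps the first
                     (0x12, 0x83, 30_000_000, 100)])        # bad status byte, beyond end of disk
WIPED_MBR = bytes(MBR_SIZE)                                 # what a zero-fill wiper leaves behind

if __name__ == "__main__":
    for name, image in (("good", GOOD_MBR), ("bad", BAD_MBR), ("wiped", WIPED_MBR)):
        print(name, boot_code_sha256(image)[:16], check_mbr(image, DISK_SECTORS) or "OK")
```

The hash comparison only tells you that the boot code differs from a reference; it does not tell you what was put there, so a mismatch should be followed by disassembling the 446 bytes or comparing them byte-for-byte with the reference sector. Two images assembled by `build_mbr` share the same boot code and therefore the same hash even when their partition tables differ.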
#15
Re: cdplayer.exe.manifest and windowslogon.manifest
For the sake of anyone who might be looking for the esoteric collection of keywords in this thread, one of the "gems" you pointed me to, a news release dated last week, says this:

BIOS Vulnerable to Modern Malware Attacks

'Basic Input/Output System', a firmware run by a PC at the time of boot-up, is increasingly targeted by malware attacks as modern hackers having administrative OS rights are effectively conducting BIOS updates or BIOS on the Internet to load customized low-level firmware. Recently, experts have shown how BIOS malware could be used to attack multiple operating systems and infect different kinds of motherboards. According to them, BIOS-based malicious software can disseminate not just on various OSs, but also by a number of hardware. These attacks are hard to identify and block.

Earlier during March 2009 at the Vancouver CanSecWest security conference, researchers Anibal Sacco and Alfredo Ortega of Core Security Technologies Inc. performed a general BIOS attack that could push malware inside various BIOS types, as reported by SearchSecurity on June 18, 2009. A hacker who hijacked the BIOS in the above manner could gain complete control over the basic firmware irrespective of the OS. Even if all browser applications and OS patches are put in place, it is still possible to fully compromise computers at a very low level without any vulnerability exploitation. Evidently, the BIOS malware has been effectively utilized on both OpenBSD and Windows platforms as well as on virtual machines through the VMware Player program. Sacco and Ortega emphasized that for carrying out the attacks, one needs to either directly access the target computer or obtain the root privileges of the same, which restricts the scope. In any case, the techniques are extremely workable and the two researchers are presently experimenting with a BIOS rootkit that might help to execute the attack.

Following the experiments by the Core researchers, John Heasman at Next Generation Security Software performed another research on stubborn rootkits and was successful in creating a technique for planting them on computers utilizing 'Peripheral Component Interconnect' (PCI) cards. Previously during 2007, Heasman at Black Hat DC demonstrated a fully functional technique for installing rootkits on a PCI card through the device's flashable ROM. He also showed how bogus stack pointers could be built through the circumvention of the Windows NT kernel.