locksky

Discussion in 'Computer Security' started by Jim Watt, Dec 5, 2006.

  1. Jim Watt

    Jim Watt Guest

    Have a W2k PC afflicted with Locksky

    It will run in safe mode but freezes up in normal
    mode.

    Any suggestions, apart from flatten and rebuild.

    A lot of the nastiness has been removed, but it will
    not run enough to do anything useful.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 5, 2006
    #1

  2. Jim Watt

    Anders Guest

    Jim Watt skrev:
    > Have a W2k PC afflicted with Locksky
    >
    > It will run in safe mode but freezes up in normal
    > mode.
    >
    > Any suggestions, apart from flatten and rebuild.
    >
    > A lot of the nastiness has been removed, but it will
    > not run enough to do anything useful.
    > --
    > Jim Watt
    > http://www.gibnet.com


    This is probably not helping.

    Delete the file "sachostx.exe"
    Delete this in registry "HostSrv" and "sachost"

    /Anders
     
    Anders, Dec 6, 2006
    #2

  3. Anders wrote:

    > Jim Watt skrev:
    >> Have a W2k PC afflicted with Locksky
    >>
    >> It will run in safe mode but freezes up in normal
    >> mode.
    >>
    >> Any suggestions, apart from flatten and rebuild.
    >>
    >> A lot of the nastiness has been removed, but it will
    >> not run enough to do anything useful.
    >> --
    >> Jim Watt
    >> http://www.gibnet.com

    >
    > This is probably not helping.
    >
    > Delete the file "sachostx.exe"
    > Delete this in registry "HostSrv" and "sachost"


    And then reinstall anyway!
     
    Sebastian Gottschalk, Dec 6, 2006
    #3
  4. Jim Watt

    Jim Watt Guest

    On Wed, 6 Dec 2006 15:38:17 +0100, Sebastian Gottschalk
    <> wrote:

    >Anders wrote:
    >
    >> Jim Watt skrev:
    >>> Have a W2k PC afflicted with Locksky
    >>>
    >>> It will run in safe mode but freezes up in normal
    >>> mode.
    >>>
    >>> Any suggestions, apart from flatten and rebuild.
    >>>
    >>> A lot of the nastiness has been removed, but it will
    >>> not run enough to do anything useful.
    >>> --
    >>> Jim Watt
    >>> http://www.gibnet.com

    >>
    >> This is probably not helping.
    >>
    >> Delete the file "sachostx.exe"
    >> Delete this in registry "HostSrv" and "sachost"

    >
    >And then reinstall anyway!


    I think we have discussed this before, reinstalling
    w/2000 takes a l o n g time
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 6, 2006
    #4
  5. Jim Watt

    Todd H. Guest

    Jim Watt <_way> writes:

    > On Wed, 6 Dec 2006 15:38:17 +0100, Sebastian Gottschalk
    > <> wrote:
    >
    > >Anders wrote:
    > >
    > >> Jim Watt skrev:
    > >>> Have a W2k PC afflicted with Locksky
    > >>>
    > >>> It will run in safe mode but freezes up in normal
    > >>> mode.
    > >>>
    > >>> Any suggestions, apart from flatten and rebuild.
    > >>>
    > >>> A lot of the nastiness has been removed, but it will
    > >>> not run enough to do anything useful.
    > >>> --
    > >>> Jim Watt
    > >>> http://www.gibnet.com
    > >>
    > >> This is probably not helping.
    > >>
    > >> Delete the file "sachostx.exe"
    > >> Delete this in registry "HostSrv" and "sachost"

    > >
    > >And then reinstall anyway!

    >
    > I think we have discussed this before, reinstalling
    > w/2000 takes a l o n g time


    Gottschalk is a pedantic pain in the ass many times, but this time he is
    correct.

    I'm willing to bet you have it reinstalled by the time you get an
    answer on this unless you don't have access to broadband to dl the
    updates.

    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Dec 6, 2006
    #5
  6. Jim Watt

    erewhon Guest

    Ack - once any system is compromised, the only solution to be sure of
    security is a format & reinstall of the o.s from scratch
     
    erewhon, Dec 7, 2006
    #6
  7. Jim Watt

    Jim Watt Guest

    On Thu, 7 Dec 2006 08:01:43 -0000, "erewhon" <>
    wrote:

    >Ack - once any system is compromised, the only solution to be sure of
    >security is a format & reinstall of the o.s from scratch


    So say all children

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 7, 2006
    #7
  8. Jim Watt

    Todd H. Guest

    Jim Watt <_way> writes:

    > On Thu, 7 Dec 2006 08:01:43 -0000, "erewhon" <>
    > wrote:
    >
    > >Ack - once any system is compromised, the only solution to be sure of
    > >security is a format & reinstall of the o.s from scratch

    >
    > So say all children


    Jim, you're posting to alt.computer.security, not alt.computer.easy or
    alt.computer.lazy.

    Will I find you next in alt.autos.repair taking the position "that
    whole, 'you need to change your oil' thing is way overblown. You only
    really need to change it every 100,000 miles." I can't believe anyone
    is arguing what the secure thing to do is after a compromise.

    You can take the position of "Yeah, I know, but I'm too lazy, and I'm
    willing to accept the possibility/likelihood that I'll still be using
    a compromised machine" if you like, but arguing against rebuilding the
    box as being the secure thing to do is pretty out there....

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Dec 7, 2006
    #8
  9. Jim Watt

    Jim Watt Guest

    On 07 Dec 2006 09:39:50 -0600, (Todd H.) wrote:

    >Jim Watt <_way> writes:
    >
    >> On Thu, 7 Dec 2006 08:01:43 -0000, "erewhon" <>
    >> wrote:
    >>
    >> >Ack - once any system is compromised, the only solution to be sure of
    >> >security is a format & reinstall of the o.s from scratch

    >>
    >> So say all children

    >
    >Jim, you're posting to alt.computer.security, not alt.computer.easy or
    >alt.computer.lazy.
    >
    >Will I find you next in alt.autos.repair taking the position "that
    >whole, 'you need to change your oil' thing is way overblown. You only
    >really need to change it every 100,000 miles." I can't believe anyone
    >is arguing what the secure thing to do is after a compromise.
    >
    >You can take the position of "Yeah, I know, but I'm too lazy, and I'm
    >willing to accept the possibility/likelihood that I'll still be using
    >a compromised machine" if you like, but arguing against rebuilding the
    >box as being the secure thing to do is pretty out there....
    >
    >Best Regards,


    I think you missed the point. Any idiot with a day to waste
    can reload the system, I was inquiring if someone had a clue
    which you clearly haven't.


    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 7, 2006
    #9
  10. Jim Watt

    Todd H. Guest

    Jim Watt <_way> writes:

    > I think you missed the point. Any idiot with a day to waste
    > can reload the system, I was inquiring if someone had a clue
    > which you clearly haven't.


    I've seen many idiots waste a lot more than the hours it takes to
    reload the system asking forums and newsgroups and god and everyone
    how to get their system back to a usable state after a severe malware
    infection.

    With a system reinstall you have a finite set of tasks, well defined,
    and when you're done you know exactly where your system stands.

    I used to chase these things down until I thought I conquered them and
    achieved clean scans. Then I learned more about exploit details,
    repackers, how easily attackers can change the source code of publicly
    available exploits, how much 0 day exploit code is out there that only
    individuals or tightly held groups even know about, and how relatively
    easy it is to modify exploits in ways to evade detection.... that's
    when I lowered the bar to "wipe and reload."

    It's not a day wasted reloading, it's a day invested on a system you
    can actually trust again.

    The rest of us who chant the "wipe and reload" mantra are wondering
    when the same clue will dawn upon you Jim. You're defending an
    indefensible position. If reloading an OS takes you a day to do,
    learn about slipstreaming, or take image backups after you do one
    reload.... But you're living in a fantasy land if you think you can
    recover a system back to a trustworthy state after a malware infection
    doing anything but wiping and reloading. And I dare wager that
    you'll even get there FASTER if the goal is simply a system that can
    do "anything useful" as you describe in your original post... from 2
    days ago.

    Let me guess, that win2k system is still f-ed up?

    Best Regards,
    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Dec 7, 2006
    #10
  11. Todd H. wrote:

    > And I dare wager that you'll even get there FASTER if the goal is simply
    > a system that can do "anything useful" as you describe in your original post...


    What about a comparison against a trusted installation base (checksums)?
    That is usually faster than a complete reinstall, but also leads back to a
    well-defined state, since you can detect all differences and just address
    these (by either ignoring them as a well-understood change, f.e. temp
    files, or by restoring just these from a backup).

    At any rate, your argument can be extended even further: Since there's no
    qualitative alternative to "flatten and rebuild" and this costs a lot of
    time, one should invest more effort to avoid such a situation in the first
    place.
     
    Sebastian Gottschalk, Dec 7, 2006
    #11
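The checksum comparison Sebastian describes, as an added example (this is not code from the thread and not any named product): a manifest of SHA-256 hashes is taken from a known-clean tree, the suspect tree is hashed the same way, and every difference is classified as added, removed or modified, with an ignore list for the "well-understood changes" he mentions (temp files). The file names, contents and ignore patterns below are constructed for the demonstration; the only name taken from the thread is `sachostx.exe`.

```python
import hashlib
import os
import tempfile
from fnmatch import fnmatch

# Glob patterns for changes that are understood and may be ignored during
# the comparison (temp files, as in the post). Constructed for this example.
IGNORE_PATTERNS = ("*.tmp", "temp/*")


def hash_file(path, chunk=65536):
    """SHA-256 of one file, read in chunks so large binaries fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated) to its hash.
    Run on a known-clean install, this is the trusted baseline."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def is_ignored(rel):
    return any(fnmatch(rel, pattern) for pattern in IGNORE_PATTERNS)


def compare(baseline, current):
    """Classify every difference between two manifests as added / removed /
    modified, or as ignored when an ignore pattern matches the path."""
    result = {"added": [], "removed": [], "modified": [], "ignored": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel in baseline and rel in current:
            if baseline[rel] == current[rel]:
                continue  # unchanged, nothing to report
            kind = "modified"
        elif rel in current:
            kind = "added"
        else:
            kind = "removed"
        result["ignored" if is_ignored(rel) else kind].append(rel)
    return result


def _write(root, rel, data):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: snapshot a clean tree, then compare it against a
    copy carrying the kinds of change a malware cleanup needs to find."""
    clean_files = {
        "system32/svchost.exe": b"constructed: legitimate service host",
        "system32/ntdll.dll": b"constructed: native api",
        "drivers/etc/hosts": b"127.0.0.1 localhost",
        "temp/cache.tmp": b"scratch data",
    }
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            for rel, data in clean_files.items():
                _write(root, rel, data)
        baseline = build_manifest(clean)

        # Simulated post-infection state of the suspect tree (all constructed):
        _write(suspect, "system32/svchost.exe", b"constructed: patched binary")   # modified
        _write(suspect, "system32/sachostx.exe", b"constructed: dropped file")    # added
        os.remove(os.path.join(suspect, "drivers", "etc", "hosts"))               # removed
        _write(suspect, "temp/cache.tmp", b"different scratch data")              # changed, ignored

        return compare(baseline, build_manifest(suspect))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two things decide whether this is actually faster and as trustworthy as a rebuild: the baseline manifest has to come from trusted media (an image taken right after a clean install), and the hashing of the suspect disk has to be done from outside the suspect OS, since a compromised kernel can return clean file contents to whatever reads them. The file comparison also says nothing about the registry; the "HostSrv"/"sachost" entries mentioned earlier in the thread would need a separate diff of the exported hives against a baseline export.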
  12. Jim Watt

    Jim Watt Guest

    On 07 Dec 2006 14:50:01 -0600, (Todd H.) wrote:

    >The rest of us who chant the "wipe and reload" mantra are wondering
    >when the same clue will dawn upon you Jim.


    I've been doing this stuff for a long time and always
    willing to learn, but if you can't answer the question
    don't waste my time.

    You give too much credit to the perpetrators of third
    rate malware.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 8, 2006
    #12
  13. Jim Watt

    Jim Watt Guest

    On Thu, 7 Dec 2006 23:03:17 +0100, Sebastian Gottschalk
    <> wrote:

    >one should invest more effort to avoid such a situation in the first
    >place.


    For once I agree. However the machine in question is in an
    office where there have been no virus issues for some time
    due to preventative efforts. Exactly why this one has a
    problem is a mystery.

    As nobody has anything constructive to say about Locksky
    (tried Google first) and indeed that might not be the only
    problem, the mystery continues.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 8, 2006
    #13
  14. Jim Watt

    Todd H. Guest

    Jim Watt <_way> writes:

    > On 07 Dec 2006 14:50:01 -0600, (Todd H.) wrote:
    >
    > >The rest of us who chant the "wipe and reload" mantra are wondering
    > >when the same clue will dawn upon you Jim.

    >
    > I've been doing this stuff for a long time and always
    > willing to learn, but if you can't answer the question
    > don't waste my time.


    I won't be wasting my time further with you if you've been doing this
    that long and are still this thick about an issue that's crystal clear
    to thinking people.

    *plonk* goes the kill file. Though I have to admit, just like folks
    can't help but crane their neck when they see sirens and lights, I
    can't promise I won't ever check to see your logic's progress in the
    future.

    > You give too much credit to the perpetrators of third rate malware.


    You fail to realize that once you're compromised you have no way of
    reliably differentiating whether you've been attacked by third rate
    malware or something worse.


    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Dec 8, 2006
    #14
  15. Jim Watt

    Jim Watt Guest

    On 08 Dec 2006 09:27:39 -0600, (Todd H.) wrote:

    >I won't be wasting my time further


    Excellent, close the door on the way out
    you were as much use as an empty roll of lav paper.


    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 8, 2006
    #15
  16. Jim Watt

    Todd H. Guest

    Jim Watt <_way> writes:

    > On 08 Dec 2006 09:27:39 -0600, (Todd H.) wrote:
    >
    > >I won't be wasting my time further

    >
    > Excellent, close the door on the way out
    > you were as much use as an empty roll of lav paper.


    And your receptiveness to the unanimous and correct advice you were
    given was more akin to that which the "lav paper" is designed to
    remove.

    --
    Todd H.
    http://www.toddh.net/
     
    Todd H., Dec 8, 2006
    #16
  17. Jim Watt

    Jim Watt Guest

    On 08 Dec 2006 16:30:44 -0600, (Todd H.) wrote:

    >Jim Watt <_way> writes:
    >
    >> On 08 Dec 2006 09:27:39 -0600, (Todd H.) wrote:
    >>
    >> >I won't be wasting my time further

    >>
    >> Excellent, close the door on the way out
    >> you were as much use as an empty roll of lav paper.

    >
    >And your receptiveness to the unanimous and correct advice you were
    >given was more akin to that which the "lav paper" is designed to
    >remove.


    Correct in your opinion.

    As there is a large range of AV and other products which detect
    and remove malware, it seems not everyone agrees.

    It still remains a mystery where this problem came from
    but it's gone. Time to move on.

    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Dec 9, 2006
    #17
