Re: Renaming blank files from cmd line

2011-10-31 Thread Ben Scott
On Sat, Oct 29, 2011 at 3:47 PM, Tammy copper...@personainternet.com wrote:
 However if this file is there along with a bunch of others that cannot be 
 moved out (even temporary) obviously I can't do del *.*.

  Some things that may be useful that I haven't seen mentioned yet:

CHKDSK

CACLS *.* ...

DEL *.* /P

  Also, if the system's been compromised, I usually start with a disk
wipe and reinstall from known-good media.  Presumably you judge the
cost of that to be too high for whatever reason, but keep in mind that
if the system has been compromised, you can't really ever be sure
you've cleaned it.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


RE: Renaming blank files from cmd line

2011-10-31 Thread Tammy Stewart
Have not tried chkdsk -- good idea.

Cacls/icacls usually works.
Del *.* /p works if the blank is not in a directory where other files reside
that I cannot blanket delete. (such as system32)

Believe I found a way to find these blanks. We have an ARK tool I can
specify directories to scan from cmd line so that should work. I forgot
about being able to specify directories for it to scan.
Tool did pick up a blank buried in the windows\install directory.

Just a few directories where cacls/icacls seem to refuse to work.
(GAC_32 & GAC_64)
Have to re-visit the ark tool and see about having it rip out those files.

Quite a bit of the time yes -- wipe/reload is chosen due to the nature of
the beast being fought, what the system is being used for, etc., but not
everyone has this luxury because either the admin for whatever reason has no
backups or, in the case of it being an end user, there are rarely ever recovery
CDs that come with PCs anymore. (but these arguments are another subject
entirely lol)



Re: Renaming blank files from cmd line

2011-10-31 Thread Ben Scott
On Mon, Oct 31, 2011 at 9:06 AM, Tammy Stewart
copper...@personainternet.com wrote:
 Del *.* /p works if the blank is not in a directory where other files reside
 that I cannot blanket delete. (such as sytem32)

  When you do a DEL *.* /P, it will prompt you for each file.  If the
blank name file comes first, answer Yes to that one, then CTRL+BREAK
out of the command for the rest.  If the blank name file comes last,
yah, it won't help for a huge directory like SYSTEM32.  Might be
practical for a directory with a smaller number of files, though.

-- Ben



RE: Renaming blank files from cmd line

2011-10-31 Thread Tammy Stewart
Thanks Ben,

Indeed that should work fine.
The blank always shows first in the directory when listed by name.
The machine I worked on today did not have these blanks.

Tammy





Re: Renaming blank files from cmd line

2011-10-29 Thread Kurt Buff
AFAIK, you can't have a file without a file name of some sort. What happens
if you do a dir /b in the directory? What do you get if you use PowerShell
to enumerate the directory? Are you sure that it's not creating an ADS? Try
this to make sure: http://technet.microsoft.com/en-us/sysinternals/bb897440

Kurt

On Sat, Oct 29, 2011 at 12:47, Tammy copper...@personainternet.com wrote:

 Hi,

 Interesting issue.

 One of the variants of the sirefef/zeroaccess trojan, while it infects several
 3rd party exe files that usually run as services, such as google updater
 service (just as an example), also creates a totally blank file in the same
 directory. No file name & no extension. The file is completely blank.
 Having the AV repair infected exes is not an issue.
 Removing the main rootkit(s) is not an issue.
 Issue is mostly with 64 bit vista/windows7.

 Not usually an issue removing these blanks (on 32 bit OS) with the likes of
 GMER (an anti-rootkit tool), or if that is the only file in the directory
 (moved orig exe so nothing is in that directory besides the blank) & doing
 del *.* from cmd will wipe out the file.

 However, if this file is there along with a bunch of others that cannot be
 moved out (even temporarily), obviously I can't do del *.*.
 If it is in, say, the system32 directory (which is common), tools like
 Gmer do not work because they are not compatible with the system (64 bit OS,
 critical server where one cannot chance a crash (gmer is not the most stable
 ARK tool on the planet)).
 The ones that seem to be the biggest issue are the ones that are buried in
 some \assembly sub directories where permissions are different anyways.

 Cleaning up the rootkit & infected exes then trying to do a system restore
 (because at this point the infection is not blocking it) is at best sketchy.
 Either it works well or blanks cause issues and restore brings OS to worse
 condition than half fixed infection.

 How can one look for & delete totally blank file names without nuking
 everything else in said directory?
 Biggest issue seems to be 64 bit OSes.
 No specific file size. All are different.
 Leaving said blank files often causes issues with whatever program this
 blank is in.
 These blanks also often cause issues with updating said software or
 successful uninstall/re-install.
 Often system directories are affected. (system32, drivers, assembly, etc)

 To further complicate things, permissions on said file are trashed so
 nothing has enough access to it to remove.
 Cannot do it in explorer because windows cannot read the files. (I assume
 blank file names are illegal in windows)
 You can see them in explorer but cannot do anything from there.
 This blank is usually a copy of whatever exe that was infected.

 Because of the above...
 Most AV scanners, when they hit this blank, are either halted & can't scan
 any deeper, so they just hang, or pass the directory entirely without scanning
 its contents. (so one cannot scan (or even properly monitor) the entire system
 until this file is cleared out)
 If you have a dozen of these files including a few in large system
 directories -- you can see how this can be a security issue.

 So to make a long story short (er).
 1. I need to be able to search entire drive for files with no file
 name/extension

 2. I need to be able to adjust permissions on said files so I can delete
 them. (without messing with permissions on entire directory)

 3. I need to delete said files without nuking the remaining contents of
 whatever directory these files live in.

 Google-Fu does not seem to be working well.
 Ideas on a batch or script to perform the above?

 TIA!

 Tammy


RE: Renaming blank files from cmd line

2011-10-29 Thread Michael B. Smith
Well, it’s got a name. You just can’t access it through the normal cmd.exe or 
Windows utilities. And that name may be blanks.

NTFS provides full POSIX support including VLFNs and Unicode filenames. Windows 
doesn’t.

Loading cygwin1.dll along with ls.exe and find.exe and od.exe and rm.exe should 
give what’s necessary: the ability to look at every file, translate its name to 
hex for identification, and then do arbitrary removals.

I’m pretty sure that Cygwin can be loaded on USB key these days.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


RE: Renaming blank files from cmd line

2011-10-29 Thread Tammy Stewart
Kewl.

You have a link or something with details to do/use those tools?

Most of the removals I am doing are remote. I don't actually have my hands
on the box physically.

Thanks,

Tammy

 


RE: Renaming blank files from cmd line

2011-10-29 Thread Tammy Stewart
This is a screenshot of what they look like:

http://s257.photobucket.com/albums/hh239/blendersww/?action=view&current=blanks.jpg

In the pic - the renamed exe (exe_) is the infected file. The proper exe is
the cleaned exe & the blank is a copy of the exe. (but often infected)

Thanks,

Tammy

 


RE: Renaming blank files from cmd line

2011-10-29 Thread Tammy Stewart
Hmmm use short name?

http://www.techiwarehouse.com/engine/8bc34522/Removing-No-Name-Files--Folders

Would love to know how to create a complete blank file to test the above.

Thanks,

Tammy

 


RE: Renaming blank files from cmd line

2011-10-29 Thread Michael B. Smith
Ok, I thought it through a bit.

You should be able to do a

ls -ial

This will list all of the files in the current directory - including their 
permission information, and something called an inode, which uniquely 
identifies the file.

Then, to adjust the permissions

chmod +0777 -i inode

Then, to remove the file

rm -i inode

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
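Tammy's three requirements (find the blank-named files, regain access to them, delete them without touching their neighbours) and Michael's inode-based procedure, worked through in one added example that is not code from the thread. It uses the POSIX tools Michael names (ls, od, find, rm); chmod and rm take no inode argument, so find -inum is what selects the file. It assumes a Cygwin or Linux shell with GNU find, and builds its own sandbox directory with made-up file names and contents.

```shell
#!/bin/sh
# Added example, not code from the thread: find every directory entry whose
# name is nothing but whitespace, show it the way Michael suggests (ls -ial
# plus the name rendered in hex by od), then restore access and unlink it by
# inode number so no other file in the directory is touched.
# chmod and rm take no inode argument; find -inum does the selection.
# Assumes GNU/Cygwin find (-mindepth, -xdev, -inum), ls, od, awk, tr, mktemp.

# Constructed sandbox: a normal file beside a file named a single space, and a
# second blank-named file (two spaces) buried in a subdirectory. Permissions on
# both blanks are stripped, as the thread describes.
make_sandbox() {
  dir=$(mktemp -d)
  mkdir -p "$dir/sub/drivers"
  printf 'good service binary\n' > "$dir/service.exe"
  printf 'copy of infected exe\n' > "$dir/ "
  printf 'another copy\n' > "$dir/sub/drivers/  "
  chmod 000 "$dir/ " "$dir/sub/drivers/  "
  printf '%s\n' "$dir"
}

# Inode number of one path (ls -i prints "inode name").
inode_of() {
  ls -id "$1" | awk '{print $1}'
}

# Michael's identification step for one directory: ls -ial for inode and mode,
# then each name in hex so a blank name can be told apart from a display quirk.
show_dir() {
  ls -ial "$1"
  for f in "$1"/*; do
    [ -e "$f" ] || continue
    printf 'inode %s name hex:' "$(inode_of "$f")"
    printf '%s' "${f##*/}" | od -An -tx1
  done
}

# Print the inode of every entry under $1 (recursively, one filesystem) whose
# name contains nothing but whitespace. IFS= keeps read from trimming the
# spaces that are the whole point.
blank_name_inodes() {
  find "$1" -mindepth 1 -xdev -print | while IFS= read -r f; do
    if [ -z "$(printf '%s' "${f##*/}" | tr -d '[:space:]')" ]; then
      inode_of "$f"
    fi
  done
}

# Restore owner access and unlink exactly the entry with inode $2 under $1.
# The name is never typed, so a name cmd.exe cannot express is no obstacle.
remove_by_inode() {
  find "$1" -xdev -inum "$2" -exec chmod u+rw {} \; -exec rm -f {} \;
}

# End-to-end run on the sandbox. Returns 0 only if every blank-named file is
# gone and the legitimate file survived.
demo() {
  d=$(make_sandbox)
  show_dir "$d"
  for ino in $(blank_name_inodes "$d"); do
    echo "removing inode $ino"
    remove_by_inode "$d" "$ino"
  done
  [ -f "$d/service.exe" ] && [ -z "$(blank_name_inodes "$d")" ]
}

if [ "${RUN_DEMO:-0}" = 1 ]; then
  demo
fi
```

Run it with RUN_DEMO=1 to watch the sandbox walk-through; on a real system point blank_name_inodes at the drive root and review the ls -ial and od output for each hit before calling remove_by_inode.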

From: Tammy Stewart [mailto:copper...@personainternet.com]
Sent: Saturday, October 29, 2011 4:48 PM
To: NT System Admin Issues
Subject: RE: Renaming blank files from cmd line

Kewl.
You have a link or something with details to do/use those tools?
Most of the removals I am doing is remote.. I don't actually have my hands on 
the box physically.

Thanks,

Tammy


From: Michael B. Smith 
[mailto:mich...@smithcons.com]mailto:[mailto:mich...@smithcons.com]
Sent: Saturday, October 29, 2011 4:40 PM
To: NT System Admin Issues
Subject: RE: Renaming blank files from cmd line

Well, it's got a name. You just can't access it through the normal cmd.exe or 
Windows utilities. And that name may be blanks.

NTFS provides full POSIX support including VLFNs and Unicode filenames. Windows 
doesn't.

Loading cygwin1.dll along with ls.exe and find.exe and od.exe and rm.exe should 
give what's necessary: the ability to look at every file, translate its name to 
hex for identification, and then do arbitrary removals.

I'm pretty sure that Cygwin can be loaded on USB key these days.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Kurt Buff [mailto:kurt.b...@gmail.com]
Sent: Saturday, October 29, 2011 4:26 PM
To: NT System Admin Issues
Subject: Re: Renaming blank files from cmd line

AFAIK, you can't have a file without a file name of some sort. What happens if 
you do a dir /b in the directory? What do you get if you use PowerShell to 
enumerate the directory? Are you sure that it's not creating an ADS? Try this 
to make sure: http://technet.microsoft.com/en-us/sysinternals/bb897440

Kurt
On Sat, Oct 29, 2011 at 12:47, Tammy <copper...@personainternet.com> wrote:
Hi,

Interesting issue.

One of the variants of the sirefef/zeroaccess trojan, while it infects several 3rd 
party exe files that usually run as services such as google updater service 
(just as an example), also in the same directory creates a totally blank file. 
No file name & no extension. File is completely blank.
Having the AV repair infected exes is not an issue.
Removing the main rootkit(s) is not an issue.
Issue is mostly with 64 bit vista/windows7

Not usually an issue removing these blanks (on 32 bit OS) with the likes of 
GMER (an anti-rootkit tool) or if that is the only file in the directory (moved 
orig exe so nothing is in that directory besides the blank)  doing del *.* 
from cmd will wipe out the file.

However if this file is there along with a bunch of others that cannot be moved 
out (even temporarily) obviously I can't do del *.*.
If it is in say the system32 directory (which is common) where tools like Gmer 
does not work because it is not compatible with the system (64 bit OS, critical 
server where one cannot chance a crash (gmer is not the most stable ARK tool on 
the planet) )
The ones that seem to be the biggest issue are the ones that are buried in 
some \assembly sub directories where permissions are different anyway.

Cleaning up the rootkit & infected exes then trying to do a system restore 
(because at this point the infection is not blocking it) is at best sketchy. 
Either it works well or blanks cause issues and restore brings the OS to a worse 
condition than the half-fixed infection.

How can one look for & delete totally blank file names without nuking 
everything else in said directory?
Biggest issue seems to be 64 bit OSes.
No specific file size. All are different.
Leaving said blank files often cause issues with whatever program this blank is 
in.
These blanks also often cause issues with updating said software or successful 
uninstall/re-install.
Often system directories are affected. (system32, drivers, assembly, etc)

To further complicate things permissions on said file are trashed so nothing 
has enough access to it to remove.
Cannot do it in explorer because windows cannot read the files. (I assume blank 
file names are illegal in windows)
You can see them in explorer but cannot do anything from there.
This blank is usually a copy of whatever exe that was infected.

Because of the above...
Most AV scanners, when they hit this blank, are either halted & can't scan any 
deeper so just hang, or pass the directory entirely without scanning 
contents. (so one cannot scan (or even properly monitor) the entire system 
until this file is cleared out)
If you have a dozen of these files including a few in large system directories 
-- you can see
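An added example, not from the thread or from any poster: the Cygwin/POSIX workflow Michael B. Smith outlines (list with ls -i, dump the name as hex with od, then remove by inode instead of by name), written as a bash script that builds its own scratch directory with constructed blank-looking names; the function names and sample files are mine. On Cygwin the same commands apply to the NTFS folder in question, with the proviso that a file whose ACL has been trashed still needs cacls/icacls first.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: find files whose names are nothing but
# blanks (ASCII spaces/tabs, or the U+00A0 non-breaking space that Alt-0160
# types) and remove them by inode, so the name never has to be typed.
# Same workflow Michael B. Smith outlines for Cygwin: ls -i, od for hex, rm.
set -u

# Constructed test data: one real file plus two blank-looking names,
# a single non-breaking space (UTF-8 bytes C2 A0) and three ASCII spaces.
# Prints the scratch directory path.
make_sample_dir() {
    local dir
    dir=$(mktemp -d)
    printf 'real program\n' > "$dir/service.exe"
    printf 'copy of the exe\n' > "$dir/$(printf '\302\240')"
    printf 'another copy\n' > "$dir/   "
    printf '%s\n' "$dir"
}

# Succeeds when NAME consists only of space, tab or non-breaking-space bytes.
# tr works on raw bytes, so the NBSP is given as its two octal bytes.
is_blank_name() {
    local stripped
    stripped=$(printf '%s' "$1" | tr -d ' \t\302\240')
    [ -z "$stripped" ]
}

# Inode of one path (portable: first field of "ls -id").
inode_of() {
    ls -id -- "$1" | awk '{print $1}'
}

# Hex dump of a file name, e.g. "c2a0" for the NBSP file, "202020" for spaces.
name_hex() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# One line per blank-named entry directly under DIR: "<inode> <hex of name>".
find_blank_names() {
    local dir=$1 path name
    for path in "$dir"/*; do
        [ -e "$path" ] || continue          # no match: the glob stayed literal
        name=${path##*/}
        is_blank_name "$name" || continue
        printf '%s %s\n' "$(inode_of "$path")" "$(name_hex "$name")"
    done
}

# Delete the entry under DIR with inode INODE without ever naming it.
remove_by_inode() {
    find "$1" -mindepth 1 -maxdepth 1 -inum "$2" -delete
}

# Report (default) or delete ("delete") blank-named entries under DIR;
# prints how many were found.
clean_blank_names() {
    local dir=$1 mode=${2:-report}
    find_blank_names "$dir" | {
        count=0
        while read -r inode hex; do
            if [ "$mode" = delete ]; then
                remove_by_inode "$dir" "$inode"
            fi
            count=$((count + 1))
        done
        printf '%s\n' "$count"
    }
}

# Walk-through: build the scratch directory, list, delete, show what is left.
demo() {
    local dir
    dir=$(make_sample_dir)
    echo "blank-named entries (inode hex):"
    find_blank_names "$dir"
    echo "removed: $(clean_blank_names "$dir" delete)"
    ls -la -- "$dir"
    rm -rf -- "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the single argument `demo` to see the listing, the deletion and the surviving service.exe.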

Re: Renaming blank files from cmd line

2011-10-29 Thread Rankin, James R
Wonder if you can create a blank-looking file using something like the 
non-breaking space instead of a normal space (I think it is Alt-0160 or 
something similar)

Sent from my SR-71 Blackbird

-Original Message-
From: Tammy Stewart <copper...@personainternet.com>
Date: Sat, 29 Oct 2011 17:05:55
To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Reply-To: NT System Admin Issues <ntsysadmin@lyris.sunbelt-software.com>
Subject: RE: Renaming blank files from cmd line

Hmmm use short name?

http://www.techiwarehouse.com/engine/8bc34522/Removing-No-Name-Files--Folders

Would love to know how to create a complete blank file to test the above.

Thanks,

Tammy

From: Tammy Stewart [mailto:copper...@personainternet.com]
Sent: Saturday, October 29, 2011 4:52 PM
To: NT System Admin Issues
Subject: RE: Renaming blank files from cmd line

This is a screenshot of what they look like:

http://s257.photobucket.com/albums/hh239/blendersww/?action=view&current=blanks.jpg

In the pic - the renamed exe (exe_) is the infected file. The proper exe is
the cleaned exe & the blank is a copy of the exe. (but often infected)

Thanks,

Tammy

RE: Renaming blank files from cmd line

2011-10-29 Thread Michael B. Smith
Oh that's smart. Although on modern OS's you may find that disabled.

Again, using Cygwin, you could

Echo  

But that fails using cmd.exe.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com


RE: Renaming blank files from cmd line

2011-10-29 Thread Crawford, Scott
Alt-255 and Alt-0160 make blank looking file names. Is that what's really going 
on here though? I thought these were files that actually had no names. If 
they're just names with an unspecified number of blanks, then this bat should 
prompt you for each file in the folder and allow you to choose to fix and 
delete them.

Activate it by running:
for %f in (*.*) do call fixblanks.bat "%f"

---fixblanks.bat---
@echo off
rem %~1 drops the quotes the FOR loop added; quoting it again keeps a name
rem made only of blanks in one piece when it is passed on to cacls and del.
set /p FIX=Fix "%~1" (y/n)? 
rem quoted on both sides so an empty answer does not break the IF
if "%FIX%"=="n" goto end
rem /G without /E replaces the whole ACL; cacls asks "Are you sure (Y/N)?"
cacls "%~1" /G Everyone:F
del "%~1"
:end
---fixblanks.bat---


RE: Renaming blank files from cmd line

2011-10-29 Thread Gary Whitten
Scott, I believe they were asking about making a blank filename to actually
test a batch file before letting it loose on a live server.

RE: Renaming blank files from cmd line

2011-10-29 Thread Crawford, Scott
copy con [alt-255] [ENTER]
Some text [F6]

will create a file with a blank name. My question is if that's what's meant by 
one of the blank files.

Sent from my Palm Pre on the Now Network from Sprint
