Calling SDMB Tech Squad -- Vista Question with Botnet

Much as I dislike distracting the SDMB with a pesky computer question, I am really at my wits’ end, and I know one of us will know the answer to this.

I work part-time as a personal assistant to an older gentleman who has an HP desktop running Vista SP1. My own PC is homebuilt, runs XP, & I’m the only one who uses it; so I’ve never had occasion to learn much about permissions, group policies, etc. I know almost nothing about how to work Vista. (everything has been moved!)

Long story short, I’m sure he has been compromised by a botnet. There are many reasons for this, but the main two are:

  1. The appending of a second username he has never heard of to his own administrative account, with a roaming profile and folders full of shortcuts to programs he does not have, and
  2. He is locked out of his own “Documents & Settings” folder! (access denied.)

Oh, and did I mention, when I clicked “map network drive”, there were two systems listed – his own, and one called “Rogue 1.”

What I need to know is, how do I restore his PC to his own (autonomous) control? I can’t delete his profile: in addition to being the only one, it has all kinds of documents and program settings and stuff he does not wish to endanger. Also, I suspect that this interloper will interfere with any attempts to take back over. Obviously, I will need to unplug from the net while doing this, but how do I do it?

Here is what his directory tree looks like:

Desktop
Ronald (“not his actual name”)
Public
Computer
AVG8.vault
Documents and Settings
Programs
Ratchet (“not actual username of interloper”)
System Volume Information
Users
Windows

The “Ratchet” folder is of course protected. Halp!!

Okay, I googled on “locked out of documents and settings folder” and found out that that is normal, and also that roaming profiles are apparently the default.

However, I still need to know how to remove “Ratchet”.

Given the evidence of intrusion, I’d back up all his data and reinstall from scratch. Make sure you have a full set of apps and patches first! And I’d suggest an antivirus package other than AVG.

But if you can’t do that, you can disable the Ratchet user by going into Computer Management | Local Users & Groups. To gain access to that area, you need to Take Ownership of the directories and files. Then run the msconfig utility and check everything that’s starting up automatically.
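The three steps in the reply above (disable the Ratchet account, then check what starts automatically; ownership is its own step) typed into an elevated PowerShell prompt instead of the GUI. This is an added example, not part of the thread. It assumes PowerShell 2.0 is installed on the Vista machine, that the box is unplugged from the network, and that the unwanted account is literally named "Ratchet" (the thread's placeholder). The `net` commands also work on Vista Home editions, where the Local Users and Groups snap-in is not available.

```powershell
# Added example, not the poster's own steps. Assumes an elevated PowerShell 2.0
# prompt on the Vista machine and that the unwanted account is named "Ratchet"
# (a placeholder, as in the thread). Nothing here deletes anything: Ronald's
# profile and the interloper's files both stay on disk for later inspection.
$Suspect = 'Ratchet'

# --- 1. Who actually exists on this box? Look for any name you do not recognise,
#        not just the one already spotted. WinNT ADSI provider: Get-LocalUser
#        did not exist yet on Vista.
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$computer.Children |
    Where-Object { $_.SchemaClassName -eq 'user' } |
    Select-Object @{n = 'Name';      e = { [string]$_.Name }},
                  @{n = 'Disabled';  e = { [bool]($_.UserFlags.Value -band 0x2) }},
                  @{n = 'LastLogin'; e = { try { $_.LastLogin.Value } catch { 'never' } }} |
    Format-Table -AutoSize
# 0x2 above is ADS_UF_ACCOUNTDISABLE. Anything besides Ronald in this list is suspect:
& net localgroup Administrators

# --- 2. Disable (do not delete) the account and strip its admin rights. ---
& net user $Suspect /active:no
& net localgroup Administrators $Suspect /delete
# A reboot afterwards ends any session the account still holds; C:\Users\$Suspect
# stays on disk as evidence.

# --- 3. What starts automatically? This is what msconfig shows, plus the
#        interloper's own Run key, which lives in its profile hive (NTUSER.DAT)
#        and is not mounted while that account is logged off.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$hive = "C:\Users\$Suspect\NTUSER.DAT"
$hiveLoaded = $false
if (Test-Path $hive) {
    & reg load "HKU\$Suspect" $hive | Out-Null
    if ($LASTEXITCODE -eq 0) {
        $hiveLoaded = $true
        $runKeys += "Registry::HKEY_USERS\$Suspect\Software\Microsoft\Windows\CurrentVersion\Run"
    } else {
        Write-Warning "Could not load $hive (take ownership of the profile folder first)"
    }
}
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty $key
    foreach ($p in $values.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath etc.; everything else is a Run entry.
        if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
            "{0}`n    {1} = {2}" -f $key, $p.Name, $p.Value
        }
    }
}
if ($hiveLoaded) { & reg unload "HKU\$Suspect" | Out-Null }

# Startup folders: the all-users one plus every profile's own (Vista path layout).
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($u in (Get-ChildItem C:\Users -Force | Where-Object { $_.PSIsContainer })) {
    $startupDirs += Join-Path $u.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) { Get-ChildItem $dir -Force | Select-Object FullName, LastWriteTime }
}

# Scheduled tasks are the autostart route msconfig does not list at all.
& schtasks /query /fo LIST /v | Select-String 'TaskName:|Task To Run:|Run As User:'
```

Anything found in the Run keys, Startup folders or task list that points into `C:\Users\Ratchet` or into a program Ronald never installed is what the "folders full of shortcuts to programs he does not have" are launching; note the path and the last-write time before removing the entry.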

Is he on a wireless network, and if so, is it unsecured? Rogue 1 may just be somebody connecting to his router to use the free bandwidth.

No, he shares the internet connection with his roommate upstairs, but they do not have a network per se, and all connections are through actual cables.

Now, like I said, I know almost nothing about Vista, but I share an internet connection with my roommate, and his system doesn’t show up on mine; I have no access to his PC nor he mine.

I saw a little app somewhere to add taking ownership to the right-click context menu. But, if the Ronald and Ratchet names both have administrative privileges, can the one take ownership of the other one’s files? Even if they’re protected? How far up the tree can he take ownership – i.e., can I take ownership of the whole root directory, all at once?

In fact, since I’m asking and because clear, comprehensive information about Vista seems to be difficult to find online (I really have looked extensively), perhaps someone would be gracious enough to explain something else to me:

In XP, my root directory is C:. My desktop is made up of data stored in a folder under my username which is contained in the Docs & Sets folder, which is a subfolder of C:. So, any function that I wished to apply to all aspects of my system, I would apply to “C:” and not to “Desktop”, even though “Desktop” is shown at the top of the directory tree in Explorer.

If I wanted to, say, set attribute “read only” on my entire hard drive, I would not right-click “desktop”, select “properties”, & check the read-only box; but rather I would select “C:” below it and do the same, otherwise it would only set the attribute on my little user kingdom. (I know; actually I would do it on the command line too. But for the sake of argument…)

To me, it is counter-intuitive that the top of a hierarchy be actually a subfolder; but that’s the way it is in Windows. Is Vista organized in the same way? And why aren’t “Ronald”, “Ratchet”, and “Public” filed inside the “users” folder?

Oh yes – about AVG – I haven’t used it since it failed to detect a master boot virus that caused me to lose a 10,000-word story I had written. Irretrievably. I use Bit Defender & rootkit revealer now. ;-]

To change ownership, open Explorer and browse to the directory (typically c:\users\ratchet). Right-click and select Properties. Go to the Security tab and click Advanced. Click the Owner tab then the Edit button. UAC will kick in but you can then change the owner - do tick the ‘Replace owner on subcontainers and objects’ checkbox.
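The same ownership change from an elevated PowerShell prompt, as an added example that is not part of the thread. `c:\users\ratchet` is the real on-disk location of the profile (the "Ratchet" node shown directly under "Desktop" in Explorer is the shell's view of the same folder, not a second copy); the exact path is an assumption taken from the thread's placeholder name. It is deliberately limited to that one tree: taking ownership of `C:\` recursively would also reassign the Windows system files owned by TrustedInstaller and break later updates.

```powershell
# Added example, not the poster's GUI steps. Run from an elevated PowerShell
# prompt on the Vista machine. The profile path is an assumption (the thread's
# placeholder name); adjust it before running.
$ProfileDir = 'C:\Users\Ratchet'
$AclBackup  = Join-Path $env:USERPROFILE 'Desktop\ratchet-acl-before.txt'

# 1. Record the current permissions before touching anything. /T recurses,
#    /C keeps going where access is still denied (expected at this point).
#    "icacls <dir> /restore <file>" can replay this file if the change must be undone.
& icacls $ProfileDir /save $AclBackup /T /C | Out-Null

# 2. Take ownership of the whole tree. /R is the command-line form of the
#    "Replace owner on subcontainers and objects" box; /A assigns ownership to
#    the Administrators group rather than to the current user; /D Y answers the
#    prompt on folders where even listing is denied. This works although Ratchet
#    is also an administrator: an elevated administrator holds
#    SeTakeOwnershipPrivilege, which is honoured regardless of the existing DACL.
& takeown /F $ProfileDir /R /A /D Y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed (exit code $LASTEXITCODE)" }

# 3. Owning a file does not by itself grant read access; the DACL still leaves
#    Administrators out. Grant full control, inherited by subfolders and files
#    ((OI)(CI)), down the tree (/T). *S-1-5-32-544 is the well-known SID for
#    BUILTIN\Administrators, so this also works on a non-English install.
& icacls $ProfileDir /grant '*S-1-5-32-544:(OI)(CI)F' /T /C | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit code $LASTEXITCODE)" }

# 4. Verify the result, then list what changed most recently inside the
#    profile: that is where to start looking for what the interloper dropped.
Get-Acl $ProfileDir | Format-List Owner, AccessToString
Get-ChildItem $ProfileDir -Force -Recurse |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 20 FullName, LastWriteTime
```

If `takeown` reports access denied even when elevated, the prompt was not actually started with "Run as administrator"; UAC's split token is why the GUI route in the reply above also has to ask before it lets you change the owner.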

Okay, I’ll try that; but notice that’s what I’m saying about the directory tree – I thought it was odd that the [username] folders which contain individual desktop, settings, etc. are located outside the “users” folder. Makes me wonder about those (theoretical) botnets where the unsuspecting user’s whole system is run inside a little simulation…

Thanks, Quartz.