Re: Task Mgr & Registry locked! AV won't load!

From: John Blaustein (no_at_spam.com)
Date: 06/21/04


Date: Sun, 20 Jun 2004 15:25:26 -0700

Bruce,

Thank you for the quick reply and the information.

I ran Housecall and AVG and they found nothing. I then ran McAfee FreeScan
and it found a file: c:\windows\system32\iexpiore.exe NOTE: in
"iexplore.exe," the "I" after the "P" isn't the letter L, it's the letter I
(eye) -- hence, it is iexpiore.exe. The file is dated 6/17/04 and its size
is 5,664. I have renamed this to eliminate the "exe." McAfee reported the
virus in the file as malware.b. Should I delete this file completely?

In comparing files on my laptop (the infected PC) and desktop, I see on the
desktop that iexplore.exe is only in c:\program files\internet explorer and
c:\windows\ServicePackFiles\i386. On the laptop, I have iexplore.exe in
c:\program files\internet explorer, c:\windows\ServicePackFiles\i386 AND in
windows\system32\dllcache. All three of these files are identical in date
and size -- 8/29/02, 91,136 bytes. (I'm not sure why the desktop doesn't
have the iexplore.exe file in windows\system32\dllcache. Should I delete
the iexplore.exe in windows\system32\dllcache on the laptop?)

A few questions:

-- Do you think I have eliminated the virus? I used System Restore to roll
back the Registry, and I've renamed that bogus iexpiore.exe. I've deleted
the bogus hosts file and it was not recreated on reboot (as it was before
doing the System Restore).
-- Since I have a hardware firewall (SonicWALL) and use AVG, how did I get
this virus?
-- Is AVG sufficient protection? Can you recommend which AV program to use?
Which one do you use?
-- I have IE Security options all set to Default. Is that advisable, or
should I make some custom settings?

John

"Bruce Chambers" <bchambers@nospamcableone.net> wrote in message
news:ODQ$U6vVEHA.2544@TK2MSFTNGP10.phx.gbl...
> Greetings --
>
> Delete that bogus Hosts file; it's specifically designed to
> preclude your getting to any antivirus web sites.
>
> The type of behavior you describe is typical behavior of more than
> one virus/worm, the three below being the most common:
>
> W32.Klez
> http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
>
> W32.Yaha
> http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.c@mm.html
>
> W32.Spybot.Worm
> http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html
>
> Because many of the newer viruses and worms, such as the
> Spybot mentioned above, can disable antivirus applications whose
> definitions aren't kept up-to-date, try using one or more of the free
> on-line scanners to double-check your system.
>
> Trend Micro - Free online virus Scan
> http://housecall.trendmicro.com/
>
> McAfee Security - FreeScan
> http://www.mcafee.com/myapps/mfs/default.asp
>
> Symantec Security Check
> http://security.symantec.com/ssc/home.asp
>
>
> Bruce Chambers
> --
> Help us help you:
> http://dts-l.org/goodpost.htm
> http://www.catb.org/~esr/faqs/smart-questions.html
>
> You can have peace. Or you can have freedom. Don't ever count on
> having both at once. - RAH
>
>
> "John Blaustein" <no@spam.com> wrote in message
> news:enrc%230vVEHA.1764@TK2MSFTNGP10.phx.gbl...
> > In my initial post, I neglected to add that one other symptom of my problem
> > is that my hosts file was overwritten to include the following entries:
> >
> > 127.172.85.229 www.symantec.com
> > 127.19.30.28 securityresponse.symantec.com
> > 127.39.246.118 symantec.com
> > 127.190.36.116 www.mcafee.com
> > 127.92.240.156 mcafee.com
> > 127.254.113.82 us.mcafee.com
> > 127.227.121.203 www.sophos.com
> > 127.35.187.53 sophos.com
> > 127.232.178.174 www.viruslist.com
> > 127.187.129.243 viruslist.com
> > 127.175.250.143 f-secure.com
> > 127.198.201.161 www.f-secure.com
> > 127.23.235.39 kaspersky.com
> > 127.176.166.155 www.avp.com
> > 127.43.0.62 www.kaspersky.com
> > 127.125.85.69 avp.com
> > 127.28.25.172 www.networkassociates.com
> > 127.220.7.164 networkassociates.com
> > 127.59.78.143 www.ca.com
> > 127.39.187.231 ca.com
> > 127.209.216.216 my-etrust.com
> > 127.124.180.109 www.my-etrust.com
> > 127.224.244.121 secure.nai.com
> > 127.110.104.243 nai.com
> > 127.53.14.218 www.nai.com
> > 127.252.4.233 trendmicro.com
> > 127.85.153.104 www.trendmicro.com
> > 127.216.213.38 housecall.trendmicro.com
> > 127.40.87.79 www.pandasoftware.com
> > 127.32.49.107 www.bitdefender.com
> > 127.109.7.192 www.ravantivirus.com
> > 127.19.193.123 www3.ca.com
> >
> > John
> >
> >
> > "John Blaustein" <no@spam.com> wrote in message
> > news:%23L7OufvVEHA.2408@tk2msftngp13.phx.gbl...
> > > Hi...
> > >
> > > I had a real scare this morning. I booted my XP Home laptop to find that my
> > > AV program -- Grisoft AVG Free Edition -- wasn't loaded. I then tried to
> > > run AVG and it wouldn't start. When I tried to run Task Manager --
> > > Ctrl+Alt+Del -- it would not run properly.
> > >
> > > I ran Ad Aware and it found two registry entries (which I didn't write down,
> > > sorry) that referred to blocking access to the registry. Ad Aware could not
> > > delete them.
> > >
> > > I then used System Restore and rolled back to last week. Now, everything
> > > appears to be working correctly. An AVG full scan (all files) shows no
> > > viruses, and Ad Aware now reports no suspicious files.
> > >
> > > What happened? Can someone help explain what went wrong here?
> > >
> > > Even though the system now appears to be working correctly, I am worried
> > > that something may still be on the system that caused this registry hacking
> > > in the first place. Any ideas on how to identify and remove such programs?
> > >
> > > I use a SonicWALL hardware firewall, along with AVG Free Edition with latest
> > > update. My security settings in IE are all set to Default settings. Should
> > > I change these?
> > >
> > > Thanks for any help.
> > >
> > > John
> > >
> > >
> >
> >
>
>
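As an added example (not code from this thread or any product it mentions), here is a small Python check for the two artefacts John reports: a hosts file that maps security-vendor sites to random addresses inside 127/8, and a lookalike filename such as iexpiore.exe sitting beside the real iexplore.exe. The sample hosts content and the vendor suffix list are constructed for the example; the three vendor entries reuse IPs quoted in the thread.

```python
import ipaddress

# Constructed hosts-file sample modelled on the entries quoted in the thread:
# three vendor sites pointed at random 127.x.y.z addresses, plus two benign lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.172.85.229  www.symantec.com
127.19.30.28    securityresponse.symantec.com
127.216.213.38  housecall.trendmicro.com
192.168.1.10    printer.lan
"""
# Vendor domains a worm of this kind black-holes (an assumed list for this example).
VENDOR_SUFFIXES = ("symantec.com", "mcafee.com", "trendmicro.com",
                   "sophos.com", "kaspersky.com", "f-secure.com")
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and unparsable lines are skipped."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()

def find_hijacks(text):
    """Flag vendor domains mapped anywhere, plus any name mapped into 127/8
    other than the real loopback address: the random 127.x.y.z is the tell."""
    flagged = []
    for ip, name in parse_hosts(text):
        vendor = any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES)
        fake_loopback = ip in LOOPBACK and str(ip) != "127.0.0.1"
        if vendor or fake_loopback:
            flagged.append((str(ip), name))
    return flagged

# Glyphs that read alike in common fonts, each folded to one representative.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})

def is_lookalike(candidate, legit):
    """True when two filenames differ only by confusable glyphs, e.g. the
    thread's 'iexpiore.exe' (an i in place of l) posing as 'iexplore.exe'."""
    a, b = candidate.lower(), legit.lower()
    return a != b and a.translate(CONFUSABLE) == b.translate(CONFUSABLE)
```

Run find_hijacks over the real file (on XP: %SystemRoot%\system32\drivers\etc\hosts) and is_lookalike over the names in system32 against the expected Windows binaries; a legitimate ad-blocking hosts file uses 127.0.0.1 and is not flagged by the loopback rule.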