Re: Task Mgr & Registry locked! AV won't load!
From: John Blaustein (no_at_spam.com)
Date: 06/21/04
- Next message: John Blaustein: "Virus/adware/spyware -- is there all-in-one protection in one program?"
- Previous message: John Blaustein: "Re: Task Mgr & Registry locked! AV won't load!"
- In reply to: John Blaustein: "Re: Task Mgr & Registry locked! AV won't load!"
- Next in thread: Jason Wade: "Re: Task Mgr & Registry locked! AV won't load!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 20 Jun 2004 16:54:28 -0700
More information...
It seems I was mistaken about the name of the virus that McAfee found. It's
in iexplore.exe -- it's an L, not an I (eye) as I first thought. The virus
is "New Malware.b"
I renamed the infected file to iexplore.e and moved it to a temp folder. I
re-ran McAfee and it still found the virus. When the scanner completed, I
clicked the info link to the virus and got a new page saying it couldn't
find New Malware.b in the McAfee database. Odd. (I sure dislike how
McAfee's web site constantly opens popups!)
I have now deleted the infected file. It concerns me, however, that only
one AV scan found the file -- McAfee -- and that the others -- AVG and
Housecall -- didn't. I didn't try Symantec's online scanner.
My questions remain -- how did I get this virus, why didn't my current
protection work, what protection should I use to prevent this in the future?
John
"John Blaustein" <no@spam.com> wrote in message
news:%23PGoXWxVEHA.3596@tk2msftngp13.phx.gbl...
> Bruce,
>
> Thank you for the quick reply and the information.
>
> I ran Housecall and AVG and they found nothing. I then ran McAfee FreeScan
> and it found a file: c:\windows\system32\iexpiore.exe NOTE: in
> "iexplore.exe," the "I" after the "P" isn't the letter L, it's the letter I
> (eye) -- hence, it is iexpiore.exe. The file is dated 6/17/04 and its size
> is 5,664. I have renamed this to eliminate the "exe." McAfee reported the
> virus in the file as malware.b. Should I delete this file completely?
>
> In comparing files on my laptop (the infected PC) and desktop, I see on the
> desktop that iexplore.exe is only in c:\program files\internet explorer and
> c:\windows\ServicePackFiles\i386. On the laptop, I have iexplore.exe in
> c:\program files\internet explorer, c:\windows\ServicePackFiles\i386 AND in
> windows\system32\dllcache. All three of these files are identical in date
> and size -- 8/29/02, 91,136 bytes. (I'm not sure why the desktop doesn't
> have the iexplore.exe file in windows\system32\dllcache. Should I delete
> the iexplore.exe in windows\system32\dllcache on the laptop?)
>
> A few questions:
>
> -- Do you think I have eliminated the virus? I used System Restore to roll
> back the Registry, and I've renamed that bogus iexpiore.exe. I've deleted
> the bogus hosts file and it was not recreated on reboot (as it was before
> doing the System Restore).
> -- Since I have a hardware firewall (SonicWALL) and use AVG, how did I get
> this virus?
> -- Is AVG sufficient protection? Can you recommend which AV program to use?
> Which one do you use?
> -- I have IE Security options all set to Default. Is that advisable, or
> should I make some custom settings?
>
> John
>
>
>
> "Bruce Chambers" <bchambers@nospamcableone.net> wrote in message
> news:ODQ$U6vVEHA.2544@TK2MSFTNGP10.phx.gbl...
> > Greetings --
> >
> > Delete that bogus Hosts file; it's specifically designed to
> > preclude your getting to any antivirus web sites.
> >
> > The type of behavior you describe is typical behavior of more than
> > one virus/worm, the three below being the most common:
> >
> > W32.Klez
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.e@mm.html
> >
> > W32.Yaha
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.yaha.c@mm.html
> >
> > W32.Spybot.Worm
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html
> >
> > Because many of the newer viruses and worms, such as the
> > Spybot mentioned above, can disable antivirus applications whose
> > definitions aren't kept up-to-date, try using one or more of the free
> > on-line scanners to double-check your system.
> >
> > Trend Micro - Free online virus Scan
> > http://housecall.trendmicro.com/
> >
> > McAfee Security - FreeScan
> > http://www.mcafee.com/myapps/mfs/default.asp
> >
> > Symantec Security Check
> > http://security.symantec.com/ssc/home.asp
> >
> >
> > Bruce Chambers
> > --
> > Help us help you:
> > http://dts-l.org/goodpost.htm
> > http://www.catb.org/~esr/faqs/smart-questions.html
> >
> > You can have peace. Or you can have freedom. Don't ever count on
> > having both at once. - RAH
> >
> >
> > "John Blaustein" <no@spam.com> wrote in message
> > news:enrc%230vVEHA.1764@TK2MSFTNGP10.phx.gbl...
> > > In my initial post, I neglected to add that one other symptom of my problem
> > > is that my hosts file was overwritten to include the following entries:
> > >
> > > 127.172.85.229 www.symantec.com
> > > 127.19.30.28 securityresponse.symantec.com
> > > 127.39.246.118 symantec.com
> > > 127.190.36.116 www.mcafee.com
> > > 127.92.240.156 mcafee.com
> > > 127.254.113.82 us.mcafee.com
> > > 127.227.121.203 www.sophos.com
> > > 127.35.187.53 sophos.com
> > > 127.232.178.174 www.viruslist.com
> > > 127.187.129.243 viruslist.com
> > > 127.175.250.143 f-secure.com
> > > 127.198.201.161 www.f-secure.com
> > > 127.23.235.39 kaspersky.com
> > > 127.176.166.155 www.avp.com
> > > 127.43.0.62 www.kaspersky.com
> > > 127.125.85.69 avp.com
> > > 127.28.25.172 www.networkassociates.com
> > > 127.220.7.164 networkassociates.com
> > > 127.59.78.143 www.ca.com
> > > 127.39.187.231 ca.com
> > > 127.209.216.216 my-etrust.com
> > > 127.124.180.109 www.my-etrust.com
> > > 127.224.244.121 secure.nai.com
> > > 127.110.104.243 nai.com
> > > 127.53.14.218 www.nai.com
> > > 127.252.4.233 trendmicro.com
> > > 127.85.153.104 www.trendmicro.com
> > > 127.216.213.38 housecall.trendmicro.com
> > > 127.40.87.79 www.pandasoftware.com
> > > 127.32.49.107 www.bitdefender.com
> > > 127.109.7.192 www.ravantivirus.com
> > > 127.19.193.123 www3.ca.com
> > >
> > > John
> > >
> > >
> > > "John Blaustein" <no@spam.com> wrote in message
> > > news:%23L7OufvVEHA.2408@tk2msftngp13.phx.gbl...
> > > > Hi...
> > > >
> > > > I had a real scare this morning. I booted my XP Home laptop to find that my
> > > > AV program -- Grisoft AVG Free Edition -- wasn't loaded. I then tried to
> > > > run AVG and it wouldn't start. When I tried to run Task Manager --
> > > > Ctrl+Alt+Del -- it would not run properly.
> > > >
> > > > I ran Ad Aware and it found two registry entries (which I didn't write down,
> > > > sorry) that referred to blocking access to the registry. Ad Aware could not
> > > > delete them.
> > > >
> > > > I then used System Restore and rolled back to last week. Now, everything
> > > > appears to be working correctly. An AVG full scan (all files) shows no
> > > > viruses, and Ad Aware now reports no suspicious files.
> > > >
> > > > What happened? Can someone help explain what went wrong here?
> > > >
> > > > Even though the system now appears to be working correctly, I am worried
> > > > that something may still be on the system that caused this registry hacking
> > > > in the first place. Any ideas on how to identify and remove such programs?
> > > >
> > > > I use a SonicWALL hardware firewall, along with AVG Free Edition with latest
> > > > update. My security settings in IE are all set to Default settings. Should
> > > > I change these?
> > > >
> > > > Thanks for any help.
> > > >
> > > > John
> > > >
> > > >
> > >
> > >
> >
> >
>
>
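The hosts-file hijack quoted above is worth checking for mechanically, because the entries do not point at the familiar 127.0.0.1: every address is a random host inside 127.0.0.0/8, which is all loopback, so a search for the literal string "127.0.0.1" finds nothing. The following is an added example (not code from the thread or from any of the posters) that parses a hosts file and flags security-vendor domains mapped to loopback or to 0.0.0.0. The vendor-suffix list and the severity scheme are this example's own assumptions; the sample hosts content is constructed from the entries John posted plus two benign lines.

```python
"""Audit a hosts file for sinkholed security-vendor domains.

Added example (not code from the thread). The vendor-suffix list and the
severity scheme are this example's assumptions; SAMPLE_HOSTS is constructed
from the entries John posted plus two benign lines."""
import ipaddress

# Domains malware commonly blocks so AV updates and online scanners fail.
# Assumed list, built from the vendors in John's hosts file; extend it.
SECURITY_VENDOR_SUFFIXES = (
    "symantec.com", "mcafee.com", "sophos.com", "viruslist.com",
    "f-secure.com", "kaspersky.com", "avp.com", "networkassociates.com",
    "ca.com", "my-etrust.com", "nai.com", "trendmicro.com",
    "pandasoftware.com", "bitdefender.com", "ravantivirus.com",
)

# Names that legitimately map to loopback and must not raise a finding.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample: the four 127.x.y.z lines are verbatim from the thread;
# the 0.0.0.0 line and the intranet override are made up for the example.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.172.85.229 www.symantec.com
127.19.30.28 securityresponse.symantec.com
127.190.36.116 www.mcafee.com
127.216.213.38 housecall.trendmicro.com
0.0.0.0 www.kaspersky.com            # some droppers use 0.0.0.0 instead
10.0.0.5 intranet.example.test       # benign local override
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to map
        for host in fields[1:]:
            yield fields[0], host.lower().rstrip(".")


def is_vendor(host):
    return any(host == s or host.endswith("." + s) for s in SECURITY_VENDOR_SUFFIXES)


def audit_hosts(text):
    """Return [(severity, address, host, reason)] for suspicious entries.

    The malware used random 127.x.y.z addresses, so a check for the literal
    string 127.0.0.1 finds nothing. Every address in 127.0.0.0/8 is loopback,
    and ipaddress.is_loopback knows that; 0.0.0.0 is treated the same way.
    """
    findings = []
    for address, host in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(("medium", address, host, "unparseable address"))
            continue
        sinkholed = ip.is_loopback or ip.is_unspecified
        if is_vendor(host):
            reason = ("security vendor sinkholed" if sinkholed
                      else "security vendor pinned to " + address)
            findings.append(("high", address, host, reason))
        elif sinkholed and host not in LOCAL_NAMES:
            findings.append(("medium", address, host, "host sinkholed to loopback"))
    return findings


def naive_loopback_hits(text):
    """What a search for the literal '127.0.0.1' would have caught."""
    return sum(1 for line in text.splitlines() if "127.0.0.1" in line)


if __name__ == "__main__":
    print("naive grep hits:", naive_loopback_hits(SAMPLE_HOSTS))
    for severity, address, host, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"[{severity}] {address:>16} {host:<32} {reason}")
```

On the sample, the literal search matches only the localhost line, while the audit reports all five sinkholed vendor entries. A vendor domain pinned to any routable address is reported too, since a hosts entry for an update server is never something a user put there deliberately and may point at an attacker's server rather than at a black hole.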
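The other thread-wide confusion, whether the file was iexpiore.exe (i for l) or a real-named iexplore.exe sitting in system32 where Internet Explorer does not live, is the classic masquerading pattern, and both variants can be caught from a file listing alone. Below is an added example, not code from the thread or from any poster, that flags a file either because its name is a confusable lookalike of a protected binary or because it carries the real name outside that binary's expected directories. The expected-location table is an assumed XP-era layout (Internet Explorer under Program Files, with Windows File Protection copies in dllcache and ServicePackFiles), the confusable-glyph map is this example's own, and the sample listing is constructed from the paths discussed in the thread.

```python
"""Flag executables that impersonate a well-known Windows binary, either by a
confusable name (iexpiore.exe for iexplore.exe) or by using the real name in
a directory where that binary does not belong (iexplore.exe in system32).

Added example, not from the thread. EXPECTED_DIRS is an assumed XP-era
layout; SAMPLE_FILES is a constructed listing built from the paths discussed
in the thread."""
import ntpath

# Where each protected binary is allowed to appear (lower case, no trailing
# backslash). Assumption for a default XP install; adjust for your build.
EXPECTED_DIRS = {
    "iexplore.exe": {
        r"c:\program files\internet explorer",
        r"c:\windows\system32\dllcache",
        r"c:\windows\servicepackfiles\i386",
    },
    "svchost.exe": {
        r"c:\windows\system32",
        r"c:\windows\system32\dllcache",
        r"c:\windows\servicepackfiles\i386",
    },
    "explorer.exe": {
        r"c:\windows",
        r"c:\windows\system32\dllcache",
        r"c:\windows\servicepackfiles\i386",
    },
}

# Glyphs that look alike in most fonts, folded to one representative.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def skeleton(name):
    """Case-fold a file name and collapse confusable glyphs so that
    'iexpiore.exe', 'iexplore.exe' and 'IEXPL0RE.EXE' compare equal."""
    return name.lower().translate(CONFUSABLE)


SKELETONS = {skeleton(n): n for n in EXPECTED_DIRS}


def split_path(path):
    """Return (directory, filename) for a Windows path, normalised to lower case."""
    norm = path.replace("/", "\\").lower()
    directory, filename = ntpath.split(norm)
    return directory.rstrip("\\"), filename


def audit_paths(paths):
    """Return [(path, reason)] for files that look like an impostor."""
    findings = []
    for path in paths:
        directory, filename = split_path(path)
        if filename in EXPECTED_DIRS:
            # Real name: only suspicious when it is somewhere it should not be.
            if directory not in EXPECTED_DIRS[filename]:
                findings.append((path, f"real name {filename} outside its expected directories"))
            continue
        # Unknown name: suspicious if it collapses to a protected name.
        target = SKELETONS.get(skeleton(filename))
        if target is not None:
            findings.append((path, f"lookalike of {target}"))
    return findings


# Constructed listing: the first five paths are the ones the thread discusses.
SAMPLE_FILES = [
    r"C:\Program Files\Internet Explorer\iexplore.exe",
    r"C:\WINDOWS\ServicePackFiles\i386\iexplore.exe",
    r"C:\WINDOWS\system32\dllcache\iexplore.exe",
    r"C:\WINDOWS\system32\iexpiore.exe",  # i for l
    r"C:\WINDOWS\system32\iexplore.exe",  # real name, wrong directory
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\system32\svch0st.exe",   # zero for o
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for path, reason in audit_paths(SAMPLE_FILES):
        print(f"{path}: {reason}")
```

The three legitimate iexplore.exe copies John compared produce no finding, while both the lookalike and the misplaced real-named copy do. Folding glyphs rather than comparing names exactly is what makes the i/l substitution visible; the same trick catches 1/l and 0/o swaps without a separate rule for each.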