Re: Task Mgr & Registry locked! AV won't load!
From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 06/22/04
- Next message: cquirke (MVP Win9x): "Re: XP boot problem.......will not allow the user"
- Previous message: NonDisputandum.com: "Re: hijacked"
- In reply to: John Blaustein: "Re: Task Mgr & Registry locked! AV won't load!"
- Next in thread: John Blaustein: "Re: Task Mgr & Registry locked! AV won't load!"
- Reply: John Blaustein: "Re: Task Mgr & Registry locked! AV won't load!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 22 Jun 2004 11:55:48 +0200
On Sun, 20 Jun 2004 15:25:26 -0700, "John Blaustein" <no@spam.com>
>I ran Housecall and AVG and they found nothing. I then ran McAfee FreeScan
>and it found a file: c:\windows\system32\iexpiore.exe NOTE: in
>"iexplore.exe," the "I" after the "P" isn't the letter L, it's the letter I
>(eye) -- hence, it is iexpiore.exe.
That's an old trick; in the font often used by Notepad, the big "i"
and small "L" are isoglyphs - so when the user looks at the
"shell=explorer.exe" line in System.ini, it looks normal.
Who'd have thought a font would have risk implications? :-)
>The file is dated 6/17/04 and its size
>is 5,664. I have renamed this to eliminate the "exe." McAfee reported the
>virus in the file as malware.b. Should I delete this file completely?
Never delete what you can rename or ;comment out.
But: Never trust a rename done within Windows - do these from a
maintenance OS (while Windows is not running and thus can't defend
itself)! Else you find registry pointers still pointing to...
"C:\Not\Where\It\Was\ShouldntRun.ex!"
...and RUNNING the code even though it's .ext-spoofed!
The main reason to keep the (de-activated) file is that "Malware.B"
doesn't look like a finely-resolved identification that will give you
joy when Google'ing for specifics and caveats.
From memory, these expiorer.exe tricks were pioneered by some RATs;
may be SDbot or Gaobot variants. Traditional av are sometimes weak on
these, especially if they take the "not by problem, they don't
auto-spread so they aren't viruses" line. AFAIK the source code of
both of these is widespread, so you can expect mutants of these to pop
up regularly - they may not "spread" but recreational graphics
newsgroups, chat and peer file-sharing networks are regularly seeded.
>In comparing files on my laptop (the infected PC) and desktop, I see on the
>desktop that iexplore.exe is only in c:program files\internet explorer and
>c:\windows\ServicePackFiles\i386. On the laptop, I have iexplore.exe in
>c:program files\internet explorer, c:\windows\ServicePackFiles\i386 AND in
>windows\system32\dllcache. All three of these files are identical in date
>and size -- 8/29/02, 91,136 bytes. (I'm not sure why the desktop doesn't
>have the iexplore.exe file in windows\system32\dllcache. Should I delete
>the iexplore.exe in windows\system32\dllcache on the laptop?)
Those look OK. Does FC /B say the contents are identical?
>-- Do you think I have eliminated the virus?
Until you do a formal av scan, the answer has to be "maybe". Well,
it's always "maybe" for small adverse probabilities, but without that
basic step, all bets are off. So far all I've read here is
Windows-based-av this, online-scan that.
Those things are nice if they say "hi", bad if the malware says "die",
but silence (including the "also..." silence of a "hi") is meaningless.
>I used System Restore to roll back the Registry, and I've renamed
>that bogus iexpiore.exe. I've deleted the bogus hosts file and it
>was not recreated on reboot (as it was before doing the System Restore).
All of that looks good. That SR rollback didn't nuke the .exe
suggests the restore point was made after the file arrived or dropped
itself, but before it went active... something like this:
1) You trigger the malware's dropper procedure
2) It sets itself up to go active on next boot
3) System makes a restore point here
4) You shutdown and restart
5) Malware goes fully active
>-- Since I have a hardware firewall (SonicWALL) and use AVG, how did I get
>this virus?
These things leak in different ways. A firewall does not block what
you allow. An av cannot detect what it doesn't know, which is why
every new malware has the potential for Day Zero spread (if it's
released before the av vendors get a sample and handle it)
>-- Is AVG sufficient protection?
No av is sufficient protection on its own - they will all leak, given
similar circumstances. A new malware will drill right through your
ISP's av, your frontier server's av (unless trapped by risk screening,
e.g. "no file attachments of type {x1,x2,x3...} allowed"), your
desktop's resident av, and the tier of on-demand scanners a malware
researcher would bring to bear on incoming material.
Think of av as the "goalie of last resort", and add other players to
the field so that malware is less likely to get a shot at goal -
patching, risk management, user and sware "safe hex" clue.
Patching = fixing software coding defects
Risk management = curbing software design defects
Safe Hex = making smart decisions about what to risk
Antivirus = back-checking on what you decided to risk
>Which one do you use?
Free AVG for on-access frontier scanning, free F-Prot for DOS for
on-demand frontier and formal post-breach scanning. I keep my systems
in range of the latter by avoiding NTFS, and will continue to do so
until someone provides a decent maintenance OS for this great but
unmaintainable file system, and there are av that run from that mOS.
See http://cquirke.mvps.org/whatmos.htm
>-- I have IE Security options all set to Default. Is that advisable, or
>should I make some custom settings?
Assume that MS duhfaults suck, and back-check the details.
There are "by design" problems that MS are slow to fix (if they ever
do) and you will have to apply the requisite clue yourself.
There are also "not by design" problems that MS is more likely to fix;
this is the whole "updates and patches" thing. Often these holes are
just the code-defect barnacle on the tip of a volcano of bad design,
and if you can rip out the bad design, that's better.
But you can't ignore patching in favor of risk management, because it
is the nature of code defects to rip through any levels of abstraction
that are designed to hold risks in check.
>-------------------- ----- ---- --- -- - - - -
No, perfection is not an entrance requirement.
We'll settle for integrity and humility
>-------------------- ----- ---- --- -- - - - -
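The lookalike trick discussed above (capital "I" standing in for lowercase "l" in "iexpiore.exe") can be checked mechanically. This is an added example, not code from the original post; the known-good name list and the sample paths are constructed for illustration.

```python
"""Flag filenames that imitate well-known Windows binaries via lookalike glyphs."""
import ntpath
from typing import List, Optional, Tuple

# Assumed list for illustration; a real check would use an inventory of the image.
KNOWN_GOOD = {"iexplore.exe", "explorer.exe", "svchost.exe", "lsass.exe"}

# Glyphs that render alike in fonts such as Notepad's default: capital I and
# lowercase l (the post's "isoglyphs"), plus the usual digit stand-ins.
# Lowercasing happens first, so "I" becomes "i" and is then folded to "l".
_CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s"})


def skeleton(name: str) -> str:
    """Collapse a filename to its visual skeleton so lookalikes compare equal."""
    return name.lower().translate(_CONFUSABLE).replace("rn", "m")


def lookalike_of(name: str) -> Optional[str]:
    """Return the legitimate name this file imitates, or None if it is genuine
    or unrelated. 'iexpiore.exe' -> 'iexplore.exe'; 'iexplore.exe' -> None."""
    if name.lower() in KNOWN_GOOD:
        return None  # the genuine spelling itself
    sk = skeleton(name)
    for good in KNOWN_GOOD:
        if skeleton(good) == sk:
            return good
    return None


def scan_paths(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, imitated_name) for every path whose basename is a lookalike."""
    hits = []
    for p in paths:
        target = lookalike_of(ntpath.basename(p))
        if target:
            hits.append((p, target))
    return hits


# Constructed sample inventory, modelled on the paths compared in the thread.
SAMPLE_PATHS = [
    r"c:\program files\internet explorer\iexplore.exe",
    r"c:\windows\ServicePackFiles\i386\iexplore.exe",
    r"c:\windows\system32\dllcache\iexplore.exe",
    r"c:\windows\system32\iexpiore.exe",  # the file McAfee flagged
]

if __name__ == "__main__":
    for path, imitated in scan_paths(SAMPLE_PATHS):
        print(f"{path} looks like {imitated} but is not")
```

Byte-identical copies of the genuine binary (the dllcache and ServicePackFiles entries) pass unflagged because their names are the real spelling; only the spoofed basename is reported.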