Re: Firewall won't stay enabled
From: jay (jay_at_discussions.microsoft.com)
Date: 07/22/04
- Next message: Debate2004: "Create Folder / Append Data Problem?"
- Previous message: Shain Wray [MSFT]: "RE: Windows Updates"
- In reply to: Doug Knox MS-MVP: "Re: Firewall won't stay enabled"
- Next in thread: Doug Knox MS-MVP: "Re: Firewall won't stay enabled"
- Reply: Doug Knox MS-MVP: "Re: Firewall won't stay enabled"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 21 Jul 2004 18:27:01 -0700
Norton AV didn't find this in scans, either. And when I used NAV to first quarantine and then send the file to Symantec, it couldn't identify it as virus, worm, trojan, spy or adware. NAV reported there was nothing wrong with the file. An executable that disables security and interferes with a user viewing system and web information is something I'd like the program to detect, both incoming and during a scan.
Maybe I missed something somewhere to get the infection. But perhaps it's just a new enough critter that Symantec hasn't gotten to isolate it yet. Maybe I helped them with the file and report.
For the record, I've been pleased with the performance of the Norton Security products. And don't expect them to be able to update instantly my virus definitions to counter every new threat. I hope that they'll be fast enough to get updates available so I'll get protected before they spread to my systems. I suspect that this time I got tagged early. That's not Symantec's fault if so. I will be interested to hear from them after they characterize the file and its behavior. I'm depending on them to identify all the things the virus may have been doing to my system.
As a postscript, Adaware didn't detect the files as malicious, either. But stopping the process, removing the files and deleting the registry keys appears to have restored the computer to normalcy.
"Doug Knox MS-MVP" wrote:
> It may not be what Symantec and others classify as a virus, but Adware or other "scumware". Usually, those that support detection of "scumware" will only notify you of it during a scan. The "real time" protection won't flag it (at least McAfee doesn't).
>
> --
> Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display
> Win 95/98/Me/XP Tweaks and Fixes
> http://www.dougknox.com
> --------------------------------
> Per user Group Policy Restrictions for XP Home and XP Pro
> http://www.dougknox.com/xp/utils/xp_securityconsole.htm
> --------------------------------
> Please reply only to the newsgroup so all may benefit.
> Unsolicited e-mail is not answered.
>
> "jay" <jay@discussions.microsoft.com> wrote in message news:CDE20D41-7761-4F22-9772-0D246B54B14B@microsoft.com...
> > I've isolated the infection. Norton AV does NOT detect it. So I'll send the particulars to them. For everyone else:
> >
> > If your standard XP firewall won't stay enabled. If your AV program won't stay in "auto-protect" and gets automatically terminated when you try to run it. When task manager terminates after about 30 seconds or so. When certain security-related folders disappear after about 30 seconds when you're trying to view them. When looking at security-related URLs with IE and IE terminates unexpectedly. Then look for these:
> >
> > Files & Folders:
> >
> > \Windows\olefiles\iexplore.exe (66k vs 89 for IE6)
> > \Windows\pss\iexplore.exeCommonStartup (66k)
> >
> > Registry Entry:
> >
> > HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^olefiles^iexplore.exe
> > There will be subkeys here, but the whole folder needs to go or you won't be able to stop the process from loading every time you boot.
> >
> > One more thing, you must go open the task manager and, without having Internet Explorer running as an application, quickly stop the "iexplore" process running. Once you do it will stop preventing you from cleaning it off the machine. To verify that it's the offending process, you can enable XP's internet firewall, and observe that it does stay enabled for longer than 30 seconds.
> >
> > Thanks, Doug, for your help. I'm reporting this to Symantec and to Microsoft. Perhaps it's something new but more likely something I'm not aware of a fix or preventative for. Unfortunately, I have no idea what other things this critter does once it's infected a system.
>
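
A read-only check for the indicators jay lists in the quoted message, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later and that a legitimate Internet Explorer runs from the `Internet Explorer` directory under Program Files; the process-path check is an addition that goes beyond the post's file and registry list.

```powershell
# Added example: reports only, deletes nothing.
# File paths and the registry key name are copied from the post above.
$findings = @()

# 1. Files the post names, resolved against the Windows directory.
$suspectFiles = @(
    (Join-Path $env:SystemRoot 'olefiles\iexplore.exe'),
    (Join-Path $env:SystemRoot 'pss\iexplore.exeCommonStartup')
)
foreach ($path in $suspectFiles) {
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force   # -Force also returns hidden files
        $findings += [pscustomobject]@{
            Type   = 'File'
            Detail = '{0} ({1:N0} bytes)' -f $item.FullName, $item.Length
        }
    }
}

# 2. MSConfig startup-folder entry. The key name contains ':' and '^', so
#    enumerate the child keys and match on the name instead of building a path.
$parentKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder'
if (Test-Path -LiteralPath $parentKey) {
    foreach ($key in Get-ChildItem -LiteralPath $parentKey) {
        if ($key.PSChildName -like '*olefiles^iexplore.exe*') {
            $findings += [pscustomobject]@{ Type = 'Registry'; Detail = $key.Name }
        }
    }
}

# 3. Any running "iexplore" process whose image is outside the expected
#    install directory (assumption: default Program Files locations).
$expectedDirs = @(Join-Path $env:ProgramFiles 'Internet Explorer')
if (${env:ProgramFiles(x86)}) {
    $expectedDirs += Join-Path ${env:ProgramFiles(x86)} 'Internet Explorer'
}
foreach ($proc in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    $image = $proc.Path   # can be empty when run without sufficient rights
    if ($image -and ($expectedDirs -notcontains (Split-Path -Parent $image))) {
        $findings += [pscustomobject]@{
            Type   = 'Process'
            Detail = 'PID {0} running from {1}' -f $proc.Id, $image
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the post were found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt so process image paths can be read.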