Task Mgr & Registry locked! AV won't load!

Discussion in 'Virus Information' started by John Blaustein, Jun 20, 2004.

  1. Hi...

    I had a real scare this morning. I booted my XP Home laptop to find that my
    AV program -- Grisoft AVG Free Edition -- wasn't loaded. I then tried to
    run AVG and it wouldn't start. When I tried to run Task Manager --
    Ctrl+Alt+Del -- it would not run properly.

    I ran Ad Aware and it found two registry entries (which I didn't write down,
    sorry) that referred to blocking access to the registry. Ad Aware could not
    delete them.

    I then used System Restore and rolled back to last week. Now, everything
    appears to be working correctly. An AVG full scan (all files) shows no
    viruses, and Ad Aware now reports no suspicious files.

    What happened? Can someone help explain what went wrong here?

    Even though the system now appears to be working correctly, I am worried
    that something may still be on the system that caused this registry hacking
    in the first place. Any ideas on how to identify and remove such programs?

    I use a SonicWALL hardware firewall, along with AVG Free Edition with latest
    update. My security settings in IE are all set to Default settings. Should
    I change these?

    Thanks for any help.

    John
     
    John Blaustein, Jun 20, 2004
    #1

  2. In my initial post, I neglected to add that one other symptom of my problem
    is that my hosts file was overwritten to include the following entries:

    127.172.85.229 www.symantec.com
    127.19.30.28 securityresponse.symantec.com
    127.39.246.118 symantec.com
    127.190.36.116 www.mcafee.com
    127.92.240.156 mcafee.com
    127.254.113.82 us.mcafee.com
    127.227.121.203 www.sophos.com
    127.35.187.53 sophos.com
    127.232.178.174 www.viruslist.com
    127.187.129.243 viruslist.com
    127.175.250.143 f-secure.com
    127.198.201.161 www.f-secure.com
    127.23.235.39 kaspersky.com
    127.176.166.155 www.avp.com
    127.43.0.62 www.kaspersky.com
    127.125.85.69 avp.com
    127.28.25.172 www.networkassociates.com
    127.220.7.164 networkassociates.com
    127.59.78.143 www.ca.com
    127.39.187.231 ca.com
    127.209.216.216 my-etrust.com
    127.124.180.109 www.my-etrust.com
    127.224.244.121 secure.nai.com
    127.110.104.243 nai.com
    127.53.14.218 www.nai.com
    127.252.4.233 trendmicro.com
    127.85.153.104 www.trendmicro.com
    127.216.213.38 housecall.trendmicro.com
    127.40.87.79 www.pandasoftware.com
    127.32.49.107 www.bitdefender.com
    127.109.7.192 www.ravantivirus.com
    127.19.193.123 www3.ca.com

    John
     
    John Blaustein, Jun 20, 2004
    #2

  3. Greetings --

    Delete that bogus Hosts file; it's specifically designed to
    preclude your getting to any antivirus web sites.

    The type of behavior you describe is typical behavior of more than
    one virus/worm, the three below being the most common:

    W32.Klez
    http://securityresponse.symantec.com/avcenter/venc/data/

    W32.Yaha
    http://securityresponse.symantec.com/avcenter/venc/data/

    W32.Spybot.Worm
    http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

    Because many of the newer viruses and worms, such as the
    Spybot mentioned above, can disable antivirus applications whose
    definitions aren't kept up-to-date, try using one or more of the free
    on-line scanners to double-check your system.

    Trend Micro - Free online virus Scan
    http://housecall.trendmicro.com/

    McAfee Security - FreeScan
    http://www.mcafee.com/myapps/mfs/default.asp

    Symantec Security Check
    http://security.symantec.com/ssc/home.asp


    Bruce Chambers
    --
    Help us help you:
    http://dts-l.org/goodpost.htm
    http://www.catb.org/~esr/faqs/smart-questions.html

    You can have peace. Or you can have freedom. Don't ever count on
    having both at once. - RAH
     
    Bruce Chambers, Jun 20, 2004
    #3
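The hosts file John posted (post #2) and Bruce's advice to delete it (post #3) can be turned into a repeatable check. The following is an added example, not code from the thread or from any tool it mentions: a Python script that flags hosts entries which send security-vendor names, or any non-local name, into the 127.0.0.0/8 loopback range, and writes a cleaned copy with those lines commented out rather than deleted. The vendor watch-list is taken from the posted entries; the sample hosts content is constructed.

```python
"""Audit a Windows hosts file for blackholed security-vendor names.

Added example: every address in 127.0.0.0/8 is loopback, so an entry such
as "127.172.85.229 www.symantec.com" makes that name unreachable and AV
updates and online scanners silently fail. Two rules are applied:
  * a name on a watch-list of security vendors mapped anywhere at all
    (a hosts entry for these is never legitimate), and
  * any other non-local name mapped into loopback.
"""
import ipaddress

# Names that legitimately live on loopback (assumed typical defaults).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Watch-list of vendor domains, taken from the entries John posted.
VENDOR_SUFFIXES = (
    "symantec.com", "mcafee.com", "sophos.com", "viruslist.com",
    "f-secure.com", "kaspersky.com", "avp.com", "networkassociates.com",
    "ca.com", "my-etrust.com", "nai.com", "trendmicro.com",
    "pandasoftware.com", "bitdefender.com", "ravantivirus.com",
)


def on_watchlist(host):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in VENDOR_SUFFIXES)


def find_hosts_hijacks(text):
    """Return (line_no, address, host, reason) for every suspicious entry."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((n, fields[0], "", "unparseable address"))
            continue
        for host in fields[1:]:
            if on_watchlist(host):
                findings.append((n, str(addr), host, "security vendor redirected"))
            elif addr.is_loopback and host.lower() not in LOCAL_NAMES:
                findings.append((n, str(addr), host, "non-local name on loopback"))
    return findings


def clean_hosts(text):
    """Return the hosts text with each flagged line commented out, so the
    original line is kept for the record rather than silently deleted."""
    bad = {f[0] for f in find_hosts_hijacks(text)}
    lines = text.splitlines()
    return "\n".join(("# DISABLED: " + l) if n in bad else l
                     for n, l in enumerate(lines, 1)) + "\n"


# Constructed sample: a default entry, three lines from the posted file,
# one loopback entry not on the list, and one ordinary private mapping.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.172.85.229 www.symantec.com
127.19.30.28 securityresponse.symantec.com
127.216.213.38 housecall.trendmicro.com
127.0.0.1 updates.example-av.invalid
192.0.2.10 intranet.example.invalid
"""

if __name__ == "__main__":
    for f in find_hosts_hijacks(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % f)
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Run it against a copy of `%SystemRoot%\system32\drivers\etc\hosts` by reading that file into `find_hosts_hijacks`; on a clean XP machine the only non-comment line is `127.0.0.1 localhost`, so any finding is worth a look.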
  4. Bruce,

    Thank you for the quick reply and the information.

    I ran Housecall and AVG and they found nothing. I then ran McAfee FreeScan
    and it found a file: c:\windows\system32\iexpiore.exe NOTE: in
    "iexplore.exe," the "I" after the "P" isn't the letter L, it's the letter I
    (eye) -- hence, it is iexpiore.exe. The file is dated 6/17/04 and its size
    is 5,664. I have renamed this to eliminate the "exe." McAfee reported the
    virus in the file as malware.b. Should I delete this file completely?

    In comparing files on my laptop (the infected PC) and desktop, I see on the
    desktop that iexplore.exe is only in c:\program files\internet explorer and
    c:\windows\ServicePackFiles\i386. On the laptop, I have iexplore.exe in
    c:\program files\internet explorer, c:\windows\ServicePackFiles\i386 AND in
    windows\system32\dllcache. All three of these files are identical in date
    and size -- 8/29/02, 91,136 bytes. (I'm not sure why the desktop doesn't
    have the iexplore.exe file in windows\system32\dllcache. Should I delete
    the iexplore.exe in windows\system32\dllcache on the laptop?)

    A few questions:

    -- Do you think I have eliminated the virus? I used System Restore to roll
    back the Registry, and I've renamed that bogus iexpiore.exe. I've deleted
    the bogus hosts file and it was not recreated on reboot (as it was before
    doing the System Restore).
    -- Since I have a hardware firewall (SonicWALL) and use AVG, how did I get
    this virus?
    -- Is AVG sufficient protection? Can you recommend which AV program to use?
    Which one do you use?
    -- I have IE Security options all set to Default. Is that advisable, or
    should I make some custom settings?

    John
     
    John Blaustein, Jun 20, 2004
    #4
  5. More information...

    It seems I was mistaken about the name of the virus that McAfee found. It's
    in iexplore.exe -- it's an L, not an I (eye) as I first thought. The virus
    is "New Malware.b"

    I renamed the infected file to iexplore.e and moved it to a temp folder. I
    re-ran McAfee and it still found the virus. When the scanner completed, I
    clicked the info link to the virus and got a new page saying it couldn't
    find New Malware.b in the McAfee database. Odd. (I sure dislike how
    McAfee's web site constantly opens popups!)

    I have now deleted the infected file. It concerns me, however, that only
    one AV scan found the file -- McAfee -- and that the others -- AVG and
    Housecall -- didn't. I didn't try Symantec's online scanner.

    My questions remain -- how did I get this virus, why didn't my current
    protection work, what protection should I use to prevent this in the future?

    John
     
    John Blaustein, Jun 21, 2004
    #5
  6. Probably Internet Explorer or Outlook let it in.
    You need more than one av program-three preferably. And one of those
    three should be kav.
     
    Jason Wade, Jun 21, 2004
    #6
  7. Hi

    No, you should not delete the iexplore.exe file in
    the dllcache folder...
     
    Torgeir Bakken \(MVP\), Jun 21, 2004
    #7
  8. Torgeir,

    Thanks. I'll leave that file alone.

    John
     
    John Blaustein, Jun 21, 2004
    #8
  9. Thanks, Jason.

    Sorry, but I'm not familiar with "kav." What's that?
    Am I doing that???

    John


     
    John Blaustein, Jun 21, 2004
    #9
  10. Kaspersky anti virus. It's an av program that also finds some trojans
    and spyware.
    No, it's just a joke in my signature. If I enable my fw logs, I see that
    hundreds of you windows users are probing me constantly-trying to send
    me viruses. No thanks.
     
    Jason Wade, Jun 22, 2004
    #10
  11. Jason,
    The Symantec web site claims that the latest version of NAV does that too.
    I wonder if it does a good job at it? I've heard of Kaspersky and will
    check it out. Thanks.
    OK.

    John
     
    John Blaustein, Jun 22, 2004
    #11
  12. That's an old trick; in the font often used by Notepad, the big "i"
    and small "L" are isoglyphs - so when the user looks at the
    "shell=explorer.exe" line in System.ini, it looks normal.

    Who'd have thought a font would have risk implications? :)
    Never delete what you can rename or ;comment out.

    But: Never trust a rename done within Windows - do these from a
    maintenance OS (while Windows is not running and thus can't defend
    itself)! Else you find registry pointers still pointing to...

    "C:\Not\Where\It\Was\ShouldntRun.ex!"

    ....and RUNNING the code even though it's .ext-spoofed!

    The main reason to keep the (de-activated) file is that "Malware.B"
    doesn't look like a finely-resolved identification that will give you
    joy when Google'ing for specifics and caveats.

    From memory, these expiorer.exe tricks were pioneered by some RATs;
    may be SDbot or Gaobot variants. Traditional av are sometimes weak on
    these, especially if they take the "not my problem, they don't
    auto-spread so they aren't viruses" line. AFAIK the source code of
    both of these is widespread, so you can expect mutants of these to pop
    up regularly - they may not "spread" but recreational graphics
    newsgroups, chat and peer file-sharing networks are regularly seeded.

    Those look OK. Does FC /B say the contents are identical?

    Until you do a formal av scan, the answer has to be "maybe". Well,
    it's always "maybe" for small adverse probabilities, but without that
    basic step, all bets are off. So far all I've read here is
    Windows-based-av this, online-scan that.

    Those things are nice if they say "hi", bad if the malware says "die",
    but silence (including the "also..." silence of a "hi") is meaningless.

    All of that looks good. That SR rollback didn't nuke the .exe
    suggests the restore point was made after the file arrived or dropped
    itself, but before it went active... something like this:

    1) You trigger the malware's dropper procedure
    2) It sets itself up to go active on next boot
    3) System makes a restore point here
    4) You shutdown and restart
    5) Malware goes fully active

    These things leak in different ways. A firewall does not block what
    you allow. An av cannot detect what it doesn't know, which is why
    every new malware has the potential for Day Zero spread (if it's
    released before the av vendors get a sample and handle it)

    No av is sufficient protection on its own - they will all leak, given
    similar circumstances. A new malware will drill right through your
    ISP's av, your frontier server's av (unless trapped by risk screening,
    e.g. "no file attachments of type {x1,x2,x3...} allowed"), your
    desktop's resident av, and the tier of on-demand scanners a malware
    researcher would bring to bear on incoming material.

    Think of av as the "goalie of last resort", and add other players to
    the field so that malware is less likely to get a shot at goal -
    patching, risk management, user and sware "safe hex" clue.

    Patching = fixing software coding defects
    Risk management = curbing software design defects
    Safe Hex = making smart decisions about what to risk
    Antivirus = back-checking on what you decided to risk

    Free AVG for on-access frontier scanning, free F-Prot for DOS for
    on-demand frontier and formal post-breach scanning. I keep my systems
    in range of the latter by avoiding NTFS, and will continue to do so
    until someone provides a decent maintenance OS for this great but
    unmaintainable file system, and there are av that run from that mOS.

    See http://cquirke.mvps.org/whatmos.htm

    Assume that MS duhfaults suck, and back-check the details.

    There are "by design" problems that MS are slow to fix (if they ever
    do) and you will have to apply the requisite clue yourself.

    There are also "not by design" problems that MS is more likely to fix;
    this is the whole "updates and patches" thing. Often these holes are
    just the code-defect barnacle on the tip of a volcano of bad design,
    and if you can rip out the bad design, that's better.

    But you can't ignore patching in favor of risk management, because it
    is the nature of code defects to rip through any levels of abstraction
    that are designed to hold risks in check.


    No, perfection is not an entrance requirement.
    We'll settle for integrity and humility
     
    cquirke (MVP Win9x), Jun 22, 2004
    #12
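John's comparison of the look-alike iexpiore.exe with the genuine iexplore.exe copies (post #4) and cquirke's points about confusable glyphs and FC /B (post #12) can both be done programmatically. The following is an added example, not code from the thread or from any tool it mentions: a Python script that folds confusable glyphs (I/l/1, O/0) so a look-alike name matches a list of expected system binaries, then groups copies of a binary by SHA-256 and reports the first differing byte offset the way FC /B does. The file set, expected-name list and file contents are constructed stand-ins.

```python
"""Look-alike filenames and FC /B style comparison of duplicate binaries.

Added example. Check 1 folds glyphs that look the same in common UI fonts
(capital I / lowercase l / digit 1, capital O / digit 0) so that a file
named like a system binary but spelled with a swapped glyph, as the
thread's iexpiore.exe was, is flagged against a list of expected names.
Check 2 groups copies of a binary found in several folders by SHA-256 and
reports the first differing byte offset, the question FC /B answers.
All file names and contents below are constructed stand-ins.
"""
import hashlib

# Each confusable glyph maps to one canonical character.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "O": "o", "0": "o"}


def fold_confusables(name):
    """Lower-case a name and collapse confusable glyphs to a canonical form."""
    folded = "".join(CONFUSABLES.get(ch, ch.lower()) for ch in name)
    return folded.replace("rn", "m").replace("vv", "w")


def find_lookalikes(paths, expected):
    """Return (path, expected_name) pairs for files whose name folds to the
    same key as an expected binary without being spelled exactly like it."""
    keys = {fold_confusables(e): e for e in expected}
    hits = []
    for path in paths:
        base = path.replace("\\", "/").rsplit("/", 1)[-1]
        canon = keys.get(fold_confusables(base))
        if canon is not None and base.lower() != canon.lower():
            hits.append((path, canon))
    return hits


def group_by_digest(files):
    """files: {path: bytes}. Group paths by SHA-256 so identical copies land
    in one group; copies in different groups are not the same binary."""
    groups = {}
    for path, data in files.items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(path)
    return groups


def first_difference(a, b):
    """Offset of the first differing byte, or -1 when the two are identical
    (what FC /B reports as no differences encountered)."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


# Constructed stand-ins: three identical "genuine" copies in the folders the
# thread lists, one look-alike dropper, and one unrelated binary.
GENUINE = b"MZ" + b"\x90" * 30 + b"genuine-iexplore-stub"
LOOKALIKE = b"MZ" + b"\x00" * 30 + b"dropper-stub"
SAMPLE_FILES = {
    r"c:\program files\internet explorer\iexplore.exe": GENUINE,
    r"c:\windows\ServicePackFiles\i386\iexplore.exe": GENUINE,
    r"c:\windows\system32\dllcache\iexplore.exe": GENUINE,
    r"c:\windows\system32\iexpIore.exe": LOOKALIKE,   # capital I, not l
    r"c:\windows\system32\notepad.exe": b"MZ" + b"notepad-stub",
}
EXPECTED_BINARIES = ["iexplore.exe", "explorer.exe", "notepad.exe"]

if __name__ == "__main__":
    for path, canon in find_lookalikes(SAMPLE_FILES, EXPECTED_BINARIES):
        print("look-alike of %s: %s" % (canon, path))
    for digest, paths in group_by_digest(SAMPLE_FILES).items():
        print(digest[:16], len(paths), "copy/copies:", *paths)
    print("first diff offset:", first_difference(GENUINE, LOOKALIKE))
```

On a real machine you would feed `find_lookalikes` the names from a directory walk of the Windows folders and `group_by_digest` the bytes of each copy; three copies of iexplore.exe that share a digest are the same file, which is the answer FC /B would give, while a look-alike name with a different digest is the one to keep de-activated for later identification.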
  13. cquirke,

    Thanks for all the info!

    John

     
    John Blaustein, Jun 22, 2004
    #13