Computer Viruses



guest_Doc
03-16-2004, 09:42 PM
I picked up a virus through a hole in my Internet Explorer 6.0 when a hijacking page hijacked my homepage. I deleted the hijacking page and its host file with ease by using the appropriate software. After successfully deleting the hijacking page and host file from my computer and its registry, my Grisoft AVG 6.0 continued to send me a "virus detected" message. It looks as if some infected files were bundled along with the hijacking page, as those infected files remained after the hijacking page itself was deleted. My AVG 6.0 eventually healed those infected files except for one, which AVG says could not be healed but had to be moved to the virus vault. All of those healed files, totalling 5 files, although healed, are still in my virus vault. Here are the actual names of those healed files: 2 files named Blackbox[1].class; 2 named Verifierbug[1].class and one named msdos.exe. The actual virus names associated with these infected files are Backdoor.Jeemp.A and Java/Byte Verify. The other infected file, which AVG says could not be healed, is named olehelp.exe, and the virus name directly associated with that one is Trojan horse Startpage.3.AR. Currently, my hard drive is virus free as long as I keep those "healed files" in my virus vault, but when I go into my virus vault and try to restore those healed files back to my hard drive, I get the virus detected message again when I run AVG. Given the names of those files, could you possibly tell me why those "healed files" remain infected while in my virus vault, and whether the infected files named above are actually Windows files or something created by the persons who created the hijacking homepage? Can I delete them? I will send you a copy of my log file generated by my software responsible for removing the hijacking file in the first place.
I will restore from my virus vault the actual infected file olehelp.exe, which could not be healed by AVG, and I will run my hijacker software so that you can see where that file was actually picked up. Please see the log file below. Thanks for your time.

CWShredder v1.53.1 scan only report

Windows 98 (4.10.2222 A)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system
AppData folder: C:\WINDOWS\Application Data
Username: User

Hosts file not present
Found CWS.Control (if filesize is over 50k) file: C:\WINDOWS\control.exe (2112 bytes, A)
Found CWS.Olehelp file: C:\WINDOWS\olehelp.exe (11776 bytes, A)
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: C:\WINDOWS\win.ini (8778 bytes, A)
Found line in Win.ini: load=essspk.exe
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2101 bytes, A)
Found line in System.ini: shell=Explorer.exe

- END OF REPORT -

locustfurnace
03-16-2004, 10:17 PM
Here are the actual names of those healed files: 2 files named Blackbox[1].class ; 2 named Verifierbug[1].class and one named msdos.exe.
None of the listed files you provided are necessary for Windows to function.
The reason those files probably remain infected is that your virus scanner is unable to alter them, such as deleting them, as they are in use while Windows is running.
A problem with Windows-based anti-virus apps is that they cannot alter any files that are currently in use. So they quarantine the files.
If you want to remove the files, you will have to start up the computer in DOS and remove them.
One good program for this is F-Prot's DOS anti-virus program, which runs in DOS. This can repair, patch, or delete any infected files, since the program runs in DOS, so that none of these infected files are loaded into memory.
The use of DOS-based anti-virus programs has this benefit that Windows-based A/V apps do not have. They are really simple to use also. Just download F-Prot for DOS, unzip it into the root dir, such as into C:\f-prot, and make a Windows boot-up floppy disk.
Restart Windows with the floppy inserted.
Then it will boot up into DOS. On the command line, just type
cd \
cd f-prot
f-prot.exe

Pick the options you want and let it scan the system. Also note that DOS A/V scanners will be faster than Windows scanners, and also much smaller; the F-Prot download is just a little less than 2 megs.

Found Win.ini file: C:\WINDOWS\win.ini (8778 bytes, A)
Found line in Win.ini: load=essspk.exe
Found line in Win.ini: run=
Found System.ini file: C:\WINDOWS\system.ini (2101 bytes, A)
Found line in System.ini: shell=Explorer.exe
System.ini is a normal text file used by Windows; you can open it to examine its contents in Notepad or WordPad. If it does not open in these programs, then it is not a .ini file.
The essspk.exe might be your sound card related utility(?) What sound card do you have? An ESSolo? SoundBlaster?
The comment about finding Explorer.exe is normal. This is the shell that Windows loads that gives you your start menu, task bar....

Your computer needs a hosts file; just create a text file called hosts in the c:\windows folder. You need to insert just the line
localhost 127.0.0.1; this is the loopback address, and some programs won't work properly without it.
Use this FREE app to prevent browser hijacking:
http://www.wilderssecurity.net/spywareguard.html

Also check out the posting on the forum for similar related apps:
http://www.oldversion.com/talk/index.php?act=ST&f=2&t=1405

Jaime Andrés
03-17-2004, 06:54 PM
I had a look at the F-Prot web site re. the F-Prot DOS antivirus. It doesn't sound very user-friendly, but of course without downloading and trying it, one just can't tell.
I'm probably wrong, but isn't a virus scan more effective if it is run in Windows safe mode? :unsure:

locustfurnace
03-17-2004, 07:14 PM
Originally posted by Jaime Andrés@Mar 17 2004, 06:54 PM
It doesn't sound very user friendly, ....isn't a virus scan more effective if it is run in windows safe mode
Define 'user-friendly.'
For those users who have never seen a command-line prompt and never had to type in a command to execute a program, I suppose F-Prot may not be easy, but for someone who has used DOS in the past or present, it's simple to use. I wrote out exactly how to run it in the last posting; if you read it, it really is not that difficult to run. I feel if anyone can use an ATM these days to withdraw money, they can handle running F-Prot.
It only looks difficult 'til you try it.

Safe mode for Windows just disables certain drivers for hardware, such as the VGA, sound, and ethernet. It is not "safe" from viruses.
When you're in safe mode, you're still loading part of the OS into memory, things such as the kernel, certain .dlls, .exe's, .drv's. Any number of these could be trojaned or infected with viruses, which will not be fixed while in use.
So you run the anti-virus app in DOS, not DOS mode either, but from a floppy disk with DOS, so that none of the system's DOS files are in use as well. This way absolutely nothing pertaining to the Windows OS is loaded into memory, so that any and all files can be examined.

BitDefender Free Edition for MS DOS (http://www.bitdefender.com/bd/site/products.php?p_id=1) (FREEWARE)
F-Prot Antivirus for DOS (http://www.f-prot.com/products/home_use/dos/) (FREEWARE)


Title: Living with F-Prot for DOS Antivirus (http://www.geocities.com/ResearchTriangle/Lab/1131/eng/f-prot.html). You might find this write-up useful if planning to run a DOS A/V scanner.

Jaime Andrés
03-18-2004, 01:13 PM
Originally posted by locustfurnace@Mar 18 2004, 01:14 AM

define 'user-friendly.'
For those users who never seen a commandline prompt, never had to type in a command to execute a program
I did mean someone who has recently begun using computers with, say, Win XP and would not have encountered the myriad of DOS commands that someone like yourself is probably more at home with.

I'm probably wrong but isn't a virus scan more effective if it is run in windows safe mode

I meant that files can be deleted more easily when running in safe mode. I know from experience that if I try to delete an adware .exe file when running normally, I get a message that says access denied to the file, and the only easy way I have found to delete access-denied files is to boot up in safe mode and delete them from there.

locustfurnace
03-18-2004, 06:48 PM
Yes, I do understand that most new computer users will never have had the experience of running in DOS. That's too bad too, since there are a lot of things you can do in DOS that are still faster and more stable than in Windows.
Yes, running in safe mode would be better than running in real mode, but DOS mode, for those who can still run in DOS, would be better than both.
But if you're running XP, then you would have to use safe mode.

Just for amusement purposes, I ran a DOS A/V scanner and a Windows A/V scanner, not a scientific test with controlled variables either, just to see how much difference there was in scanning time.
I used F-Prot, a DOS scanner, and Free A/V Personal Edition 6 for Windows.
I scanned 14,743 files; I ran the DOS scanner from a Windows DOS prompt even.
It took 2:02 minutes for the DOS scanner, and over 4 minutes for the Windows scanner, to perform the same tests.

guest_Doc
03-19-2004, 06:48 PM
I successfully downloaded, unzipped, extracted, updated and ran the F-Prot antivirus software with some results. It scanned and found only 1 of the 3 infected files that I have. When I ran it, the infected file that it found was the msdos.exe file, which it says had a virus name of Backdoor.Jeemp.A. The F-Prot software said that the file could not be disinfected, but could only be deleted. Reluctantly I did. My questions are: 1. Do you think that was the right thing to do? 2. Was the msdos.exe file essential to properly running Windows? If so, is there a website available where an .exe file like msdos can be downloaded? And 4. Was the msdos.exe file a junk file created by the author of the virus? Also, the other infected files were not picked up by F-Prot even though I ran it in all 3 available file modes with a very new and fresh update. The other 2 infected files, along with the other one which I restored from my virus vault to their original places for the purposes of giving F-Prot access to them, are now back in my virus vault until I can decide what to do with them. Do you know of any anti-virus software that can handle these 2 infected files, with the names of olehelp.exe, which has a virus name of Trojan horse Startpage.3.AR, and xwxload.exe, which has the virus name of Trojan horse Downloader.X, or should I just delete them? You were right when you said that the downloading and installation of F-Prot was simple. I can say that now because now I have actually done it. But at first, looking at your instructions, I wasn't so sure. I am one of those computer users of a new generation, accustomed to new OSs like Windows, but I did it. It took me a little time to find a website that could spell out all of the major and minor details of installing F-Prot, complete with pictures correlating to every detail. Anyone needing this website can find it at www.computerjunk.net/fprot.html. I look forward to hearing any ideas. Thank you for all of your help.

locustfurnace
03-19-2004, 09:11 PM
The msdos.exe is not a valid MS Windows file. The ONLY files with a similar name that do exist on the system are:
1.) msdos.sys
optionally may exist
1.) msdos.inf
2.) msdosdrv.txt

So you're safe deleting it, as long as it was named MSDOS.exe. More than likely it was a file from the virus/trojan creator made to appear as a valid MSDOS file.
If the files were not detected by F-Prot, then it is possible you did not download the updated signature and definition file? If you did also download those updated files, then you may wish to send a report to the creators of F-Prot so they can examine and include those files in the next def file release.
I am not aware of the current abilities of any A/V program, as I am not in the habit of even running A/V apps. I can honestly say that in a 10-year span of messing with computers and not running anti-virus apps, I have only been infected 4 times. And I've been using computers for a much longer time than that.
Maybe you can try the additional DOS program mentioned, BitDefender; they also offer a Windows version.
If you're wanting a free Windows A/V app, check the pinned topic here:
http://www.oldversion.com/talk/index.php?act=ST&f=2&t=1405 Scroll to the bottom of the page and click on the anti-virus link; myself & others have posted links to several free A/V apps.