Tedr Posted April 6, 2004
Can anyone help me with this - a spam email contained a virus, which was removed by my virus checker. When I submitted it for analysis I received the following message back:
Developer notes: C:\WINDOWS\Temporary Internet Files\Content.IE5\W9S5CPKL\re_direct5[1].php The submitted file will utilize an exploit to download and execute a file on the system.
When I checked my "dial up networking" I found 2 new connections had been installed. I of course deleted them but ... will this stop any malicious use of my computer by a third party?
Miss Betsy Posted April 6, 2004
I don't know who you submitted the email for analysis to or why. You need to run a virus scan on your computer. If it is infected, there will be files that you can't find on your own. If the email you received contained a virus that was removed by your virus scanner, it seems unlikely that that is the source of the new connections. You may have been infected some other way and the two connections you found were just the tip of the iceberg.
For people to help you, it would be best if you gave the name of your operating system (Windows__), whether you use dial up or cable, the name of your virus scanner and when you last updated it, whether you have a firewall, the name of your browser and email client (for instance Internet Explorer and Outlook Express).
Miss Betsy
Tedr (Author) Posted April 6, 2004
Miss Betsy, thanks for your reply. I have Windows Millennium with a 56K modem dial-up system (Freeserve is my ISP), with Norton Anti-virus 7.07.23D, which I check DAILY for updates, so I know my virus definitions are as up to date as my provider. I haven't a firewall and I use Internet Explorer 6.0.
Rather stupidly, in hindsight, I just deleted the icons from my control panel rather than uninstall them (tho' I'm not even sure I was given the uninstall option). I still get a pop-up saying that a dial-up system is already in progress - I take this to mean that there is another in operation apart from my 'legal' system. When I run a full virus check with Norton it says I don't have any viruses.
I saw a program on the TV here in the UK where an unfortunate user has just had a telephone bill for £1100 (c. $2,200) for his internet connection for ONE MONTH due to something like this, and both the phone company and his ISP are not interested as they say it is his responsibility.
yourbuddy Posted April 7, 2004
If you have a dial-up ISP, then it's easy to turn off. When you single left click on the connection icon, does it show any inbound or outbound traffic? Get a firewall (there are several good free ones) or pay for one. You may also want to go to Trend Micro's "housecall" service, just to get a second opinion on any virus, and also use Ad-aware or Spybot S&D (both can be free). Good luck, and let us know the results.
Wazoo Posted April 7, 2004
> When I submitted it for analysis
You've yet to answer the question on "submitted to whom and for what".

> C:\WINDOWS\Temporary Internet Files\Content.IE5\W9S5CPKL\re_direct5[1].php The submitted file will utilize an exploit to download and execute a file on the system.
Tools | Internet Options | Delete Files (check All Offline contents) will (should) remove the file identified in your Temporary Internet Files folder. (Though, admittedly, it sounds too late for that to actually solve anything right now.)

> checked my "dial up networking" I found 2 new connections had been installed. I of course deleted them but ... will this stop any malicious use of my computer by a third party?
All this did was remove the option for you to "click on them" and start the dialers yourself. Nothing to do with the code apparently dropped elsewhere on your system.

> Norton Anti-virus 7.07.23D, which I check DAILY for updates, so I know my virus definitions
There are virus issues, there are trojans, there is spyware, there is malware, there are backdoors, etc .... Guess what? Running an anti-virus application doesn't check for the whole range of nasties. This kind of application tends to focus on virii ... so the "I clicked on it and it installed" or the "I installed that, but now I see that all 'this crap' is now installed" items of impact don't fall under the guise of "it's a virus" .. Kazaa is an example. Way back when, installing Kazaa also installed a bunch of other "fantastic software" that usually tended to screw "your" system up .. and removing Kazaa didn't touch any of this other stuff. Threatened with a class action suit, Kazaa "solved" the problem by being nice enough to include the notice of this other garbage in the EULA (End User Licensing Agreement) that 99% of people don't seem to want to read ... thus, folks kept right on installing all the garbage, having the same problems, but ... the critical item now was .. the user had "agreed" to the install by clicking on the "agreement" .. and, under these conditions, the scumware could not be called a "virus, trojan, or any of those other bad words" .. and this also meant that most anti-virus software companies chose not to get into that fray, so this kind of software is not looked for and handled as a "virus infection" ... and this is why so many folks say the same as you just have ... you know there's something rotten on your system, but my "anti-virus" tool says everything is OK. Thus the need these days for additional tools that look for things beyond virii.

> I haven't a firewall
Shame on you. There are a number of free ones, some low-cost .. most popular seems to be ZoneAlarm .... While looking up the previously mentioned AdAware and SpyBot - S & D tools (remember to do an update to the database for each of these before actually running their main tools), also go grab a copy of ZoneAlarm and get it installed.

> I still get a pop-up saying that a dial-up system is already in progress
For example, under Outlook Express | Options | Connection you'll see a check box for "Ask before switching dial-up connections" .... This option was placed there for just the reasons you're discussing ... the infamous porno-dialers that turned the modem speaker off, dropped the current connection, and re-dialed to one of those nice phone numbers that rang up the big bucks for the spammer / lowlife. That you're getting the pop-up is a good thing, in that you've been given the opportunity to stop this kind of thing from happening ... but I note the absence of the details in which you would have stated that you have verified that the number actually being dialed at your connect time is actually still the correct number to your ISP.

Much more could be said, more actions can be taken, but let's wait until you get your system squared away using the minimum of these two power tools first, as they'll do most of the heavy work. And get some kind of firewall in place!
dra007 Posted April 7, 2004
There are freeware and trial version programs that remove trojans and dialers for you.. Norton is not good at fixing those after the virus was activated... I cannot tell off the top of my head, but they should be easy to find with a search engine, maybe someone has suggestions.... I have had to test a lot of them after I got attacked with viruses and spam recently, that is what brought me to this forum...
turetzsr Posted April 7, 2004
> There are freeware and trial version programs that remove trojans and dialers for you.. Norton is not good at fixing those after the virus was activated... I cannot tell off the top of my head, but they should be easy to find with a search engine, maybe someone has suggestions.... I have had to test a lot of them after I got attacked with viruses and spam recently, that is what brought me to this forum...
...I'd suggest looking for posts by "yourbuddy." He has a lot of what I would consider to be unfounded negative things to say about SpamCop, but he also has posted a number of very helpful replies, including a list of such products.
Tedr (Author) Posted April 7, 2004
Thank you all for your replies - I will try to digest them and will certainly look to get a firewall - However, now that my system is infected, how will the firewall know what its start point is - or am I being too naive?
In answer to Miss Betsy - I submitted the file to Symantec - Norton Anti-virus gives the option of submitting quarantined files to them for analysis - hence their 'helpful' comment.
I have noticed that when I go into msconfig and look at the startup files there is a new file entitled "Callme". If I leave this checked my computer automatically logs on when switched on (it logs on to my normal Freeserve number - at least that dialler dialogue box comes up); if I uncheck it I have to log on manually. However, when I use the "search for files or folders" option and type Callme in either the file name or the "containing text" box, the search comes up with nothing found. (The other information I omitted was I have Outlook Express 9.0.0.2711.)
I'm afraid that even though I use computers a lot for my work, I'm obviously not very competent in technical matters - this is all quite new to me.
Tedr (Author) Posted April 7, 2004
Many thanks to you all. I've completed the 1st stage & installed Ad-aware - I didn't realise how much 'spyware' and how many 'hi-jack' diallers were installed (and now subsequently removed!). The next stage of obtaining a firewall is in progress. Once again thank you all.
Wazoo Posted April 7, 2004
> Many thanks to you all. I've completed the 1st stage & installed Ad-aware - I didn't realise how much 'spyware' and how many 'hi-jack' diallers were installed (and now subsequently removed!). The next stage of obtaining a firewall is in progress. Once again thank you all
OK, but don't stop there .. AdAware and SpyBot (just the first two recommendations) find different things ... so once again, it's advisable to install (update the databases) and run both tools. The number of things found is almost always a definite surprise for most users <g>

> I go into msconfig and look at the startup files there is a new file entitled "Callme"
I thought about adding this (and some Regedit stuff) to my last post, but information overload was flashing and I also had no idea of your comfort level at using these items. There may not be something specifically nasty about this specific item (though it doesn't ring a bell) .. I just have to note that a local ISP here adds some third-party dialer to their install package for some reason ... it hasn't caused problems (that I know of) but I've taken it off of most systems I've been asked to support as I personally think it sucks and it sure screws up my normal "tool-set" ... All I could find out from this ISP was that there was a new owner, and none of the techs there knew why this third-party was added other than "instructions from the boss" ...??? To "find" it, you need to actually look at the command string as found in the msconfig listing and look for the actual executable file name. Then do some research to see if you can track down its source. If the only thing you use the computer for is on-line stuff, maybe it's not an issue, but ..???

> how will the firewall know what its start point is
I'm not exactly sure what the question actually means. But a firewall sits between your computer and the outside world ... and its intended use is to allow the "good" traffic and block the "bad" traffic. If you were surprised by the amount of dialers and scumware "accidentally" installed, you're going to be in for quite a shock when you see just how much traffic is out there, and that's been knocking on your "door" all this time. No reason to go into panic mode, as this is just how the "net" works, but ... be prepared to be amazed <g>
yourbuddy Posted April 7, 2004
A good free Firewall is ZoneAlarm. Sometimes it doesn't "play well" with all other programs, but most people have no problem. If you do, try Outpost Firewall (just as good) but IMHO not as good an interface. To answer your previous question, several Firewalls check your current configuration when they install, and may (or may not) find existing problems. It's highly unlikely they would OK a virus/worm that was already on your system.
turetzsr Posted April 7, 2004
> <snip>
> > how will the firewall know what its start point is
> I'm not exactly sure what the question actually means. But a firewall sits between your computer and the outside world ... and its intended use is to allow the "good" traffic and block the "bad" traffic. If you were surprised by the amount of dialers and scumware "accidentally" installed, you're going to be in for quite a shock when you see just how much traffic is out there, and that's been knocking on your "door" all this time. No reason to go into panic mode, as this is just how the "net" works, but ... be prepared to be amazed <g>
...Going back to the original:
> However, now that my system is infected, how will the firewall know what its start point is - or am I being too naive?
my guess is that he means, now that I've installed a firewall, how will it know what trash I've inadvertently installed on my system? The answer to which (for Tedr's benefit): it can't, but it will help protect you from further damage!
Wazoo Posted April 7, 2004
> how will the firewall know what its start point is
> my guess is that he means, now that I've installed a firewall, how will it know what trash
Reference another Topic, those "plain and simple terms" .... my mind went to "starting point" as something dealing with IP address, which really would have gotten off into a wild tangent .. Thanks for the interpretation, no doubt you actually hit what was really asked <g>
dra007 Posted April 7, 2004
Thanks for the paraphrase... hope my simple minded, non-technical input was of some help....
WB8TYW Posted April 8, 2004
> Thank you all for your replies - I will try to digest them and will certainly look to get a firewall - However, now that my system is infected, how will the firewall know what its start point is - or am I being too naive?
A firewall only stops certain communications between your computer and the outside world. It does nothing about any infections currently on your machine. An infection that is on your machine can disable a software firewall, or virus scanner, yet make it look like the protection is still running. In addition, some software firewalls/internet sharing software have remote passwords that need to be changed, and I know of one person that found that out from an "ethical" cracker that pointed out their security hole.
According to CERT, and other security experts, the only way to make sure that a compromised computer is cleaned up is to quarantine the infected media/files. This is done by either replacing the disks, or by booting from known good read only media, and doing a backup of the disks without running any programs on those disks. This is a standard and usually trivial task on the commercial computer systems that I normally use. Then the disks are erased, and programs loaded from known good media. Data files are then restored carefully from the quarantined media.
Using an anti-virus/anti-spyware program may or may not be sufficient to clean out an infected machine. They can only remove infections that they know about, and some worms, like the classic "PRANK" MS-WORD macro, can take years before they make themselves known.
All Microsoft operating systems, according to Microsoft, require a firewall, hardware or software, between them and the public internet. Recent versions of their software come with a software firewall that is not installed by default. News reports from Microsoft state that default will change for PCs oriented for home users.
If you are on a broadband connection, hardware firewalls will usually offer the best protection, and in the U.S. sell for as little as $29.00 on sale after rebates. They also allow you to share up to 253 computers on one broadband connection. The hardware firewalls are trivial to set up for most users. The hardest step is cloning the MAC address, which may be required by your ISP settings. Even if it is not required, it is recommended as, if you have problems, they will usually require removing the firewall as part of the step, and without cloning the MAC address, it makes that step harder.
-John
Personal Opinion Only
Tedr (Author) Posted April 9, 2004
Once again thanks to all for your patience and advice. Everything went swimmingly well with Ad-aware and Spybot - although I am still concerned at the file called "..Callme.." that is still present in the startup group when I look in MSConfig. I still can't trace it, find out its real name/location and thus delete it - I also can't delete it from my startup group unless someone can tell me how. I've tried looking in "..Add/Remove Programs.." in control panel and also "..Software.." in the system restore utility .. but there is nothing there that I would recognise as (obviously) related to "..Callme.."/needing to be removed.
However, things are not quite so good with ZoneAlarm ... If I allow the computer to load ZoneAlarm at startup, then my email will not send/receive - unless I change the account details back to their default settings (i.e. disable the Norton Virus check), but if I start my email FIRST (with Norton Virus checker active) and THEN switch on ZoneAlarm it appears to happily function. I guess I should've known that things were too good to be true with Ad-aware/Spybot working first time!
StevenUnderwood Posted April 9, 2004
> although I am still concerned at the file called "..Callme.." that is still present in the startup group when I look in MSConfig. I still can't trace it, find out its real name/location and thus delete it - I also can't delete it from my startup group unless someone can tell me how.
That will probably include searching your registry and deleting from there. I will not go into details because you can really mess things up if you delete the wrong things, but you can look it up if you are interested. Just back up everything first.
Miss Betsy Posted April 9, 2004
I don't know how compatible ZA and Norton are, but firewalls need to be told which applications may have access to the internet. And I don't know how you choose to be asked if this is an application that can use the internet in the preferences rather than setting them and then letting ZA do it automatically. I would make sure that "Callme" is not a legitimate thing to have. Once I went through and deleted all the "Unwise" files because they didn't sound kosher to me.
Miss Betsy
Wazoo Posted April 9, 2004
> file called "..Callme.." that is still present in the startup group when I look in MSConfig. I still can't trace it, find out its real name/location and thus delete it
In the MSCONFIG window, the "path name" and/or "command string" is to the right of the file name. What does that data state? An entry in the Add/Remove Control Panel would be due to a "standard and proper" Windows installation of an application. Information derived from the above question might indicate that it is just a "special" file invoked as a "process". Perhaps you'll see a Rundll type command string??

> unless I change the account details back to their default settings (i.e. disable the Norton Virus check)
And for most folks, this is the actual recommended setting. In general, here's what happens (which might help explain the won't run issue) .. With the "virus checking" invoked, Norton sets up a proxy on your system, and then changes your e-mail app to look at 0.0.0.0 or 127.0.0.1 instead of the IP of your e-mail server. The other side of the proxy then handles the e-mail transfer from your e-mail server to the temporary store of the proxy. (And noting that when stuff happens, this is the most likely spot.) From the "safety" side of things, this is also where the majority of my supported folks get instruction on setting up Outlook Express to "read as plain text" and "run in restricted zone" ... and for the newbies, "don't allow open or save attachments" .. this pretty much rules out the "accidental" virus infestation. (Further instruction on how to bypass these restrictions on a case by case basis, but I find that most newbies seem to then consider the "fantastic attachment" usually isn't worth the effort <g>.) That said, if you still want to run it with the virus check on, I've no doubt that someone has the exact bits to toggle over in the ZoneAlarm support Forums. But it's obviously a set-up mode in ZoneAlarm that needs a bit of a nudge.
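Added example (not from anyone in this thread) of what Wazoo's advice here and in his earlier post amounts to in practice: take the startup names and command strings as msconfig shows them for the "Registry Machine Run" location, work out which file each one really launches (unwrapping Rundll-style strings down to the DLL), and note the points a cautious user would check before trusting an entry. Every name and path in the sample table is constructed for illustration and none of it comes from Tedr's machine.

```python
"""Triage of Run-key startup entries: which file does each command string
really launch? Added example; all entries below are constructed samples."""
import re

# msconfig's "Registry Machine Run" location corresponds to this key (assumed mapping).
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed name -> command string pairs, in the shape msconfig shows them.
# None of these names or paths come from the thread; they are illustration only.
SAMPLE_RUN_ENTRIES = {
    "ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    "LoadPowerProfile": r"Rundll32.exe powrprof.dll,LoadCurrentPwrScheme",
    "ExampleUpdater": r'"C:\Program Files\Example Corp\updater.exe" -quiet',
    "Callme": "",   # name present but no command string, as Tedr reported
    "dl_helper": r"C:\WINDOWS\TEMP\dl_helper.exe",
    "sysload": r"rundll32.exe C:\WINDOWS\Temporary Internet Files\Content.IE5\ABCD1234\ld[1].dll,Start",
}

# Folders a startup item has no ordinary reason to run from.
CACHE_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycled\\")
EXE_EXT = r"\.(?:exe|com|bat|pif|scr|vbs|dll)"


def split_command(cmd):
    """Return (executable, arguments) for one command string.
    Handles quoted paths and unquoted paths that contain spaces."""
    cmd = cmd.strip()
    if not cmd:
        return "", ""
    if cmd.startswith('"'):
        close = cmd.find('"', 1)
        if close > 0:
            return cmd[1:close], cmd[close + 1:].strip()
    # Unquoted: the executable ends at the first extension followed by space or end.
    m = re.match(r"(.+?" + EXE_EXT + r")(?:\s+(.*))?$", cmd, re.I | re.S)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def triage(name, cmd):
    """Describe what an entry launches and list points a defender should check."""
    exe, args = split_command(cmd)
    if not exe:
        return {"name": name, "launches": None, "via": None,
                "flags": ["no command string shown: read the value directly under " + RUN_KEY]}
    target, via, flags = exe, None, []
    if exe.rsplit("\\", 1)[-1].lower() == "rundll32.exe" and args:
        # rundll32 <dll>,<entry>: the DLL, not rundll32 itself, is the code that runs
        via = exe
        target = args.split(",", 1)[0].strip().strip('"')
        flags.append("indirect launch through rundll32; the DLL is the real code")
    if "\\" not in target:
        flags.append("bare file name, found via PATH: locate the file before trusting it")
    if any(d in target.lower() for d in CACHE_DIRS):
        flags.append("runs from a temp/cache folder, unusual for legitimate startup items")
    return {"name": name, "launches": target, "via": via, "flags": flags}


def triage_all(entries):
    """Triage every (name, command string) pair in msconfig order."""
    return [triage(n, c) for n, c in entries.items()]


if __name__ == "__main__":
    for row in triage_all(SAMPLE_RUN_ENTRIES):
        print(f"{row['name']:<17} -> {row['launches'] or '(none)'}")
        for flag in row["flags"]:
            print(" " * 20 + "! " + flag)
```

The flags are prompts for a closer look, not verdicts: a stock Windows entry can legitimately be launched through Rundll32 with a bare DLL name, which is exactly why the file's real location has to be confirmed before anything is deleted.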
Wazoo Posted April 9, 2004
> deleted all the "Unwise" files because they didn't sound kosher to me
And come some day when you try the "Remove" option from the "Add/Remove Software" control panel, you're going to find out what some of those "unwise" files were for <g>
yourbuddy Posted April 9, 2004
Hi Tedr ... Some time back (in this post) I mentioned that ZA does not always play well with other applications, and suggested Outpost Firewall, which you can get here: http://www.agnitum.com/index.html They have a free version, and also, there is BlackICE at: http://blackice.iss.net/ (it takes a bit of looking on their web sites to find the free stuff). If you want to go in for the "heavy duty stuff" (i.e. pay for it) then you might consider "Norton Anti-Virus" and "Norton Personal Firewall". Both work great for most people - but some people like other programs. However, the best Spyware/Anti-virus/Firewall protection you can get (free or paid) will not compensate for/prevent doing silly things to yourself.
dra007 Posted April 9, 2004
> start my email FIRST (with Norton Virus checker active) and THEN switch on zonealarm it appears to happily function
You may have to re-install Norton with the firewall active, and that's a difficult task! There is also a possibility that the type of virus you have has rendered Norton inoperative; I would go to their technical help site... but I may be wrong, just a hunch!
Tedr (Author) Posted April 9, 2004
Hello again, I really am grateful to you all for your help and advice. It has been really comforting at a time when I came close to throwing my computer in the bin & starting again!
The latest developments are that I ran Norton WinDoctor followed by Norton Disk Doctor and now everything seems to be functioning as it should - I've reset ZA to start when my computer starts and my email (with Norton Anti-virus activated) seems to work fine, so thanks very much Yourbuddy (I did remember your advice about ZA not always playing along but was reluctant to uninstall it and start again until I was sure I'd tried everything I knew and had been advised).
With regards to the "Callme" file, when I look in MSConfig startup, next to it it just says "Registry Machine run". There is no path/file name. As you all say it's far too dangerous to mess about with the registries - this computer doesn't need my help to screw up, it's quite capable of doing it itself!
So now I've even managed to update Ad-Aware, Spybot AND ZA and run them all again! - so hopefully there are no malicious files lurking anywhere - though I must admit to feeling a trifle paranoid after reading all your advice/comments. But thank you all once again, you have been tremendously helpful.
Wazoo Posted April 9, 2004
Congrats! Great news that it's all come together and got you into Happy mode <g> I am curious about the "Registry Machine Run" thing .. but then again, did you ever say what version of Windows you were running? Anyway, if you don't want to pursue it, that's understandable <g>
Tedr (Author) Posted April 10, 2004
I have Windows Millennium Edition - I would like to be able to determine whether this "Callme" file is malicious - I suspect it is, but only because I think that is not its real name if every search I've tried doesn't recognise it - but, on the other hand, neither Ad-aware nor Spybot has deleted it so, knowing my luck, I'm inclined not to dabble any further in case I do irreparable damage!