Virus: Firewall and antivirus, trojan scanners, ... disabled - how to?

Zantafio

For some reason, Zone Alarm didn't rename a .PIF file attached to a message.

Confusing it with a .TIF, and quite sure the work had been correctly done by the
firewall, I confidently clicked on the attachment and within the following
microsecond I realized my mistake.
The result is that Zone Alarm was unloaded, as were The Cleaner Monitor
and TCActive.
None of them will load again, and neither will VirusScan.

The first investigations gave the following:
The infected file name is "image023.pif", 54048 bytes long.
It created "mshxbh.com", also 54048 bytes long, in the "windows\command"
directory with the "system" attribute.
3 Run keys were created in HKCU, HKLM & HKUD with the name "COM Service" and a
value equal to "u:\windows\command\mshxbh.com".

Whatever I attempt, deleting them from the registry or disabling them from
MSCONFIG - Startup, they regenerate themselves.

Removing "mshxbh.com" from DOS, freshly booted from a safe, protected diskette,
doesn't solve the issue. The file appears to be deleted, but it appears again
as soon as Windows is running. When it is deleted under DOS, it doesn't seem to be
active during the DOS session; I mean, the file remains deleted.

I put the file on a floppy and scanned it on a protected NT system.
VirusScan doesn't find it except with the heuristics option. It says it
could be a variant of "New Backdoor 1".

For the moment, the virus doesn't look to have spread over my network. It's
located on a client. The four PCs are protected by their own firewalls.
I fear connecting the infected one to the Internet.

I also scanned the client from the server with The Cleaner. It didn't find
anything.


I can't manage to find any clue through Google or Yahoo since I don't know
what trojan or virus it is.
Shall I add that the rescue disk created with McAfee gives garbage when it
scans the FAT32 disks, rendering it completely unusable?
Thanks to VirusScan!

Thanks for your help.
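An added worked example, not part of the thread and not code from any of the tools named in it. Once the machine is booted clean (DOS or safe mode), the autostart entries are easier to read from a `regedit /e` export than to hunt through MSCONFIG. The Python below parses a REGEDIT4 export (the format Windows 9x regedit writes), lists every value under the Run, RunOnce, RunServices and RunServicesOnce keys plus every Active Setup "Installed Components" StubPath (a less obvious autostart location than the Run keys), groups the entries by the program they launch (one binary registered from several hives at once is the pattern described above), and flags targets with .com/.pif/.bat/.scr extensions, targets missing from a file inventory, or targets whose size equals the 54048-byte sample. The export text, the inventory and the scanregw.exe size are constructed; the "COM Service" value, the mshxbh.com path and the GUID under Active Setup are the ones reported in this thread, and every function name is the example's own.

```python
import re
import ntpath

# Autostart locations, matched case-insensitively against the end of the key path.
RUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\runservices",
    r"\software\microsoft\windows\currentversion\runservicesonce",
)
# Active Setup runs each component's StubPath once per user at logon.
ACTIVE_SETUP = r"\software\microsoft\active setup\installed components"
ODD_EXTENSIONS = {".com", ".pif", ".bat", ".scr"}

# Constructed REGEDIT4 export: the "COM Service" and StubPath entries reproduce
# the thread's findings; ScanRegistry is a normal Windows 98 autostart for contrast.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"COM Service"="u:\\windows\\command\\mshxbh.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"COM Service"="u:\\windows\\command\\mshxbh.com"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C}]
"StubPath"="E:\\Win98\\System\\msulwy.com"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Example]
"DisplayName"="Example"
'''

# Constructed file inventory (lower-cased path -> size in bytes), as a DIR listing
# from the clean boot would give; 54048 is from the thread, the scanregw.exe size is made up.
INVENTORY = {
    r"c:\windows\scanregw.exe": 137728,
    r"u:\windows\command\mshxbh.com": 54048,
    r"e:\win98\system\msulwy.com": 54048,
}
SAMPLE_SIZE = 54048

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg files double backslashes and escape embedded quotes
    return s.replace("\\\\", "\\").replace('\\"', '"')

def parse_reg_export(text):
    """Yield (key, value_name, string_value) for every named string value."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):      # '@=' defaults and hex: values are skipped
            m = _VALUE_RE.match(line)
            if m:
                yield key, _unescape(m.group(1)), _unescape(m.group(2))

def autostart_entries(text):
    """Every value Windows will execute at boot or logon."""
    found = []
    for key, name, value in parse_reg_export(text):
        k = key.lower()
        if any(k.endswith(s) for s in RUN_KEYS) or (ACTIVE_SETUP in k and name.lower() == "stubpath"):
            found.append({"key": key, "name": name, "command": value})
    return found

def command_target(command):
    """Program part of a command line: a quoted path, or everything up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]

def launch_points(entries):
    """Group autostart entries by the program they launch (lower-cased path)."""
    groups = {}
    for e in entries:
        groups.setdefault(command_target(e["command"]).lower(), []).append(e["key"] + "\\" + e["name"])
    return groups

def suspicious(entries, inventory, sample_size):
    """Flag entries whose target has an odd extension, is missing from the
    inventory, or is exactly the size of the known sample."""
    findings = []
    for e in entries:
        target = command_target(e["command"])
        reasons = []
        ext = ntpath.splitext(target)[1].lower()
        if ext in ODD_EXTENSIONS:
            reasons.append(f"launches a {ext} file")
        size = inventory.get(target.lower())
        if size is None:
            reasons.append("target not present in the file inventory")
        elif size == sample_size:
            reasons.append(f"target is {sample_size} bytes, the same size as the known sample")
        if reasons:
            findings.append((e["key"], e["name"], target, reasons))
    return findings

if __name__ == "__main__":
    entries = autostart_entries(SAMPLE_EXPORT)
    for target, keys in launch_points(entries).items():
        print(f"{target} launched from {len(keys)} place(s)")
    for key, name, target, reasons in suspicious(entries, INVENTORY, SAMPLE_SIZE):
        print(f"[{key}] {name} -> {target}: " + "; ".join(reasons))
```

Against a real export, read a REGEDIT4 file with the system code page (cp1252 on a Western Windows 98); exports from Windows 2000 and later start with "Windows Registry Editor Version 5.00" and are UTF-16, so decode those as utf-16 first. The inventory is what DIR /S /A from the clean boot gives, and the size-match check is the same trick as looking for files with the same date and length: it works because the dropper writes identical copies of itself.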
 
David H. Lipman

McAfee does NOT have a "rescue disk"; it creates an "Emergency Boot Disk".

However, I suggest going to the McAfee Engine directory and executing the command-line
utility, SCAN.EXE. One location for the command-line scanner is:
C:\Program Files\Common Files\Network Associates\Engine
There are other locations as well. You can find it via a search for SCAN.EXE.

I suggest booting from a DOS disk, moving to the engine directory on the hard disk, and
executing the following....

scan c: /sub /program /analyze /unzip /html "C:\ScanReport.html"

A report, ScanReport.html, will be created in the root of Drive "C:" with the results.

Dave


| For some reason, Zone Alarm didn't rename a .PIF file attached to a message.
|
| Confusing it with a .TIF, and quite sure the work had been correctly done by the
| firewall, I confidently clicked on the attachment and within the following
| microsecond I realized my mistake.
| [snip]
 
null

Zantafio said:
For some reason, Zone Alarm didn't rename a .PIF file attached to a message.
[snip]

Upload a copy of image023.pif and mshxbh.com to the AV scanner sites
listed here:

http://www.claymania.com/anti-virus.html

Especially, see what Kaspersky finds.


Art
http://www.epix.net/~artnpeg
 
Buffalo

Yeah strange, usually ZA will rename a .PIF file to .zlo.
Perhaps the virus(?) did something to it.
Curious, why didn't your McAfee catch it? Doesn't it have a mail scan
feature?
 
Zantafio

First, thanks to all for your prompt responses.

VirusScan wasn't resident at the moment because it produces BSODs. I use it
occasionally.
Normally I trust ZA, which is the reason I didn't look twice before clicking on
the attachment. But it failed!

Recently I modified my registry in order to display some extensions Windows
normally doesn't, including ".pif".
I'll take a closer look. This could be the origin of the malfunctioning of
ZA.
Otherwise, I'll come back to this group.

Today, the priority is to restore the functionality of my protections.
Everything I tried didn't work because within Windows the scanners are
automatically disabled.
Scanning under DOS doesn't give any results.
I still have no idea of what is in the computer, except what VirusScan said
under NT.



Buffalo said:
Yeah strange, usually ZA will rename a .PIF file to .zlo.
Perhaps the virus(?) did something to it.
Curious, why didn't your McAfee catch it? Doesn't it have a mail scan
feature?

Zantafio said:
For any reason, Zone Alarm didn't rename a .PIF file attached to a message.

Confusing it with a .TIF, and quite sure the work was correctly done by the
firewall, I confidently clicked on the attachment and within the following
microsecond I realized my mistake.
The result is that Zone Alarm went unloaded as well as The Cleaner Monitor
and TCActive.
All of them don't load again as well as VirusScan.
[snip]
 
Zantafio

Thanks,

I tried. The result is negative.
I have to find something else. In safe mode the virus isn't activated. It
might be a solution for the scanners to work.
I'll search in this direction.
I reviewed the bootlog. Some lines are rather weird. I'll report later. Now
it's time to go to bed!
Bye
 
Zantafio

I finally restored my computer's defences. At least I hope so! The
virus-trojan-worm (?) is probably still present but doesn't appear active
any longer.


Its actions:
It disabled Zone Alarm, VirusScan when launched, TC-Active and T-C Monitor,
The Cleaner (scanning the machine on demand), the Windows System File Compare
(SFC), and every attempt made with scan engines.

It didn't stop the functioning of "Ad-Aware 6" (free), or of dedicated virus
removers such as "fixSbigF.exe", "stinger.exe" and "The Cleaner" launched from the
network server, even under normal Windows sessions. I didn't try
VirusScan from the server.


Its activity/detection:
It wasn't active under safe mode (probably because it was loaded by the
Run keys).
It was detected neither by "The Cleaner", "stinger" and "fixSbigF", nor by "VirusScan"
unless heuristic scanning was selected. In that case only
"image023.pif" was recognized as containing "NewBackdoor1".
Later on I applied VirusScan to the other files without positive result,
even in heuristics mode.


Its system installation:
There were three "Com Service = "Wins98\command\" " entries in the registry
Run keys (HKCU, HKLM, and HKUD\Software\Microsoft\Windows\CurrentVersion\Run).


This newsgroup gave me the idea to look for strange file names with the same
date as the two known files (image023 and mshxbh).
I found two other occurrences: Win98\services.exe and
Win98\System\msulwy.com. They have exactly the same date (05.05.99 22:22),
identical to the Windows files' date, the same length (54,048 bytes) and
the same contents (Quick View). These characteristics also apply to
"image023.pif".
The characteristics of the four infected files follow below in case
this could bring some more information.


The disabling:
I went into safe mode again (off, then boot) and renamed "mshxbh.com",
"msulwy.com" and "Services.exe". I edited the registry, searching for these
filenames as well as for "Com Service", and deleted the Run keys launching
"mshxbh.com". I found a new one:
HKLM\Software\Microsoft\Active Setup\Installed Components\{42AC0312-EE51-A3CC-EA32-40AA12E6115C}
containing "StubPath=E:\Win98\System\msulwy.com". I renamed its name and
value. It will be deleted later on if necessary.
Nothing concerning "Services.exe". This looks rather strange to me because
it's never called by any key or anything else.

Should I mention that I also used "HijackThis" after the cleaning was
done manually? It didn't reveal anything more.



Rather satisfied, I turned the computer off and rebooted in normal mode. All
the protections were SUCCESSFULLY restored.
I tested ZoneAlarm's attachment filters with fake files. The ".pif" is
correctly filtered. I'll give it a complete try, but I lost the address of the
Internet site that allows one to do that. I'd appreciate getting this address. I still
don't understand why this attachment went through the protection.

I'm conscious the virus is still here. I still don't know its name
or what its activity is.
The ways to follow:
To find the free search engines and scan the computer again.
To send a copy of the infected files to some antivirus manufacturers'
sites.
To compare the dates and the CRCs of the DLL files called by the virus
in order to know whether they were corrupted. But where to find the correct CRCs?
Any other proposals?

This post was rather long. I hope it is within the policy of this group. I
really thank everybody who answered and those who will bring some more help.

Bye



This is the information Quick View provided on the infected files:

WINDOWS EXECUTABLE
32bit for Windows 95 and Windows NT

Technical File Information:

Image File Header

Signature: 00004550
Machine: Intel 386
Number of Sections: 0003
Time Date Stamp: 2a425e19
Symbols Pointer: 00000000
Number of Symbols: 00000000
Size of Optional Header: 00e0
Characteristics: Relocation info stripped from file.
File is executable (i.e. no unresolved external references).
Line numbers stripped from file.
Local symbols stripped from file.
Low bytes of machine word are reversed.
32 bit word machine.
High bytes of machine word are reversed.



Image Optional Header

Magic: 010b
Linker Version: 2.25
Size of Code: 0000c000
Size of Initialized Data: 00001000
Size of Uninitialized Data: 0001b000
Address of Entry Point: 0002794f
Base of Code: 0001c000
Base of Data: 00028000
Image Base: 00400000
Section Alignment: 00001000
File Alignment: 00000200
Operating System Version: 4.00
Image Version: 0.00
Subsystem Version: 4.00
Reserved1: 00000000
Size of Image: 00029000
Size of Headers: 00001000
Checksum: 00000000
Subsystem: Image runs in the Windows GUI subsystem.
DLL Characteristics: 0000
Size of Stack Reserve: 00100000
Size of Stack Commit: 00004000
Size of Heap Reserve: 00100000
Size of Heap Commit: 00001000
Loader Flags: 00000000
Size of Data Directory: 00000010
Import Directory Virtual Address: 0002849c
Import Directory Size: 00000264
Resource Directory
Virtual Address: 00028000
Resource Directory Size: 0000049c
TLS Directory Virtual Address: 00027aa4
TLS Directory Size: 00000018




Import Table

KERNEL32.DLL
Ordinal Function Name

0000 LoadLibraryA
0000 GetProcAddress
0000 ExitProcess


advapi32.dll
Ordinal Function Name

0000 RegEnumKeyA


AVICAP32.DLL
Ordinal Function Name

0000 capCreateCaptureWindowA


gdi32.dll
Ordinal Function Name

0000 BitBlt


oleaut32.dll
Ordinal Function Name

0000 SysFreeString


URLMON.DLL
Ordinal Function Name

0000 URLDownloadToFileA


user32.dll
Ordinal Function Name

0000 GetDC


wininet.dll
Ordinal Function Name

0000 InternetCheckConnectionA


winmm.dll
Ordinal Function Name

0000 mciSendStringA


wsock32.dll
Ordinal Function Name

0000 send


Section Table

Section name: code
Virtual Size: 0001b000
Virtual Address: 00001000
Size of raw data: 00000000
Pointer to Raw Data: 00000200
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains initialized data
Section is readable
Section is writeable



Section name: text
Virtual Size: 0000c000
Virtual Address: 0001c000
Size of raw data: 0000bc00
Pointer to Raw Data: 00000200
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains initialized data
Section is readable
Section is writeable



Section name: .rsrc
Virtual Size: 00001000
Virtual Address: 00028000
Size of raw data: 00000800
Pointer to Raw Data: 0000be00
Pointer to Relocations: 00000000
Pointer to Line Numbers: 00000000
Number of Relocations: 0000
Number of Line Numbers: 0000
Characteristics: Section contains initialized data
Section is readable
Section is writeable


Header Information

Signature: 5a4d
Last Page Size: 0050
Total Pages in File: 0002
Relocation Items: 0000
Paragraphs in Header: 0004
Minimum Extra Paragraphs: 000f
Maximum Extra Paragraphs: ffff
Initial Stack Segment: 0000
Initial Stack Pointer: 00b8
Complemented Checksum: 0000
Initial Instruction Pointer: 0000
Initial Code Segment: 0000
Relocation Table Offset: 0040
Overlay Number: 001a
Reserved: 0000 0000 0000 0000
0000 0000 0000 0000
0000 0000 0000 0000
0000 0000 0000 0000
Offset to New Header: 00000080
Memory Needed: 1K
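An added example, not from the original poster and not Quick View's own code, reading the same header fields Quick View printed above. It rebuilds a PE header from the values in the dump as constructed input (no section bodies), then reports what a practitioner would take from them. The link timestamp 2a425e19 (19 June 1992, 22:22:17 UTC) together with linker version 2.25 is the fixed signature Borland's linker writes into every Delphi executable, so the compile date is meaningless but the toolchain is known. A first section with no data in the file but 0x1b000 bytes of writable memory, an entry point in the last 4 KiB of the second section, and an import table cut down to LoadLibraryA/GetProcAddress plus one function per DLL is the layout a run-time unpacker leaves behind (it matches UPX's layout, but the section names are not UPX's, so the packer is an inference, not an identification), which is why the static scanners had so little to match on. The DLL names survive packing, though, and say what the program reaches for once it has unpacked itself: AVICAP32 (camera capture), GDI32/USER32 BitBlt and GetDC (screen grabbing), URLMON (file download), WSOCK32 (sockets), WININET (connectivity check), WINMM (MCI commands) and ADVAPI32 (registry enumeration). All function names below are the example's own.

```python
import struct
from datetime import datetime, timezone

# Header values transcribed from the Quick View dump of image023.pif above; the
# bytes around them (DOS stub, field padding) are constructed so the parser has
# a real header to read.  No section bodies are included.
SECTIONS = [
    # name,    VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
    (b"code",  0x1B000, 0x01000, 0x00000, 0x00200, 0xC0000040),   # initialized data, R, W
    (b"text",  0x0C000, 0x1C000, 0x0BC00, 0x00200, 0xC0000040),
    (b".rsrc", 0x01000, 0x28000, 0x00800, 0x0BE00, 0xC0000040),
]
ENTRY_POINT, IMAGE_BASE, SIZE_OF_IMAGE = 0x2794F, 0x400000, 0x29000
TIME_DATE_STAMP, LINKER_VERSION = 0x2A425E19, (2, 25)

# Import table exactly as Quick View listed it: DLL -> imported names.
IMPORTS = {
    "KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "ExitProcess"],
    "advapi32.dll": ["RegEnumKeyA"], "AVICAP32.DLL": ["capCreateCaptureWindowA"],
    "gdi32.dll": ["BitBlt"], "oleaut32.dll": ["SysFreeString"],
    "URLMON.DLL": ["URLDownloadToFileA"], "user32.dll": ["GetDC"],
    "wininet.dll": ["InternetCheckConnectionA"], "winmm.dll": ["mciSendStringA"],
    "wsock32.dll": ["send"],
}
DELPHI_STAMP = 0x2A425E19   # 1992-06-19 22:22:17 UTC, the constant Borland's linker writes

def build_headers():
    """MZ header, PE signature, COFF header, PE32 optional header and section
    table assembled from the values above (constructed test input)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(SECTIONS),
                       TIME_DATE_STAMP, 0, 0, 0xE0, 0x818F)   # 0x818F = the seven flags listed
    opt = bytearray(0xE0)                                      # SizeOfOptionalHeader from the dump
    struct.pack_into("<HBB", opt, 0, 0x10B, *LINKER_VERSION)   # Magic, linker major/minor
    struct.pack_into("<I", opt, 16, ENTRY_POINT)
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    struct.pack_into("<I", opt, 56, SIZE_OF_IMAGE)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in SECTIONS)
    return bytes(dos) + coff + bytes(opt) + table

def parse_pe(data):
    """Read the header fields the analysis needs; raises on a non-PE input."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin = struct.unpack_from("<HBB", data, opt)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsec):
        name, vs, va, rs, _, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vs,
                         "vaddr": va, "rawsize": rs, "writable": bool(ch & 0x80000000)})
    return {"machine": machine, "pe32": magic == 0x10B, "linker": (lmaj, lmin), "stamp": stamp,
            "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc), "entry": entry, "sections": sections}

def section_of(rva, sections):
    """The section whose address range contains rva, or None."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def compiler_hint(pe):
    if pe["stamp"] == DELPHI_STAMP and pe["linker"] == (2, 25):
        return "Borland/Delphi linker (fixed 1992-06-19 stamp, linker 2.25)"
    return None

def packer_indicators(pe):
    """Layout features of a run-time unpacker: an empty writable section to unpack
    into, and a stub entry point at the tail of the section holding the packed data."""
    hints = []
    for s in pe["sections"]:
        if s["rawsize"] == 0 and s["vsize"] > 0 and s["writable"]:
            hints.append(f"section {s['name']!r} has no file data but {s['vsize']:#x} bytes of writable memory")
    ep = section_of(pe["entry"], pe["sections"])
    if ep is not None and ep is not pe["sections"][0]:
        hints.append(f"entry point {pe['entry']:#x} is in section {ep['name']!r}, not the first section")
        if ep["vaddr"] + ep["vsize"] - pe["entry"] < 0x1000:
            hints.append("entry point lies in the last 4 KiB of its section")
    return hints

def import_indicators(imports):
    """minimized is True for the import table a packer leaves: LoadLibraryA and
    GetProcAddress in kernel32 and one import per other DLL (kept only so the
    loader maps it); the stub resolves the real API set by name at run time."""
    k32 = {n for d, names in imports.items() if d.lower() == "kernel32.dll" for n in names}
    others = {d: names for d, names in imports.items() if d.lower() != "kernel32.dll"}
    minimized = {"LoadLibraryA", "GetProcAddress"} <= k32 and all(len(n) == 1 for n in others.values())
    return {"minimized": minimized, "dlls": sorted(d.lower() for d in others)}

if __name__ == "__main__":
    pe = parse_pe(build_headers())
    print("linked", pe["timestamp"].isoformat(), "linker", pe["linker"], "->", compiler_hint(pe))
    for h in packer_indicators(pe):
        print("packer:", h)
    print("imports:", import_indicators(IMPORTS))
```

To run the same checks on the real file, replace build_headers() with the bytes read from image023.pif; parse_pe() only needs the first 0x1000 bytes (Size of Headers in the dump). The import list would then have to be read from the import directory at RVA 0x2849c rather than typed in, but the minimized-table test itself is unchanged.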
 
