Identifying source of virus

[JM]

On a client's network, there are about 12 XP Pro computers. Two of them
starting having the exact same problem: While browsing the internet,
Windows would shut down, and a blue screen would appear that stated, "Page
fault in nonpaged area," and a countdown to a memory dump. At first, I
thought this was a tremendous coincidence of bad RAM, as I've seen this
error with faulty RAM before. However, on closer inspection I saw that
Norton had recently found and quarantined the same file on both computers.
After I deleted the files from the quarantine, the problem went away.

However, every few days the problem returns, and sure enough similar (or
same) files are again found in Norton's quarantine.

My questions are: Can I set Norton to automatically delete the infected
file rather than sending to quarantine (as obviously the virus is doing its
work from within the quarantine)? And, secondly, what is the method
involved for identifying the hows, wheres, and whys of this repeated virus
infection on these two computers?

thank you very much for any assistance.

jm

 

[Phil Weldon]

'JM' wrote, in part:
| My questions are: Can I set Norton to automatically delete the infected
| file rather than sending to quarantine (as obviously the virus is doing
its
| work from within the quarantine)?
_____

Seek professional experience. Malware cannot operate from within Norton
Antivirus quarantine. You have a hardware problem.

Phil Weldon

| On a client's network, there are about 12 XP Pro computers. Two of them
| starting having the exact same problem: While browsing the internet,
| Windows would shut down, and a blue screen would appear that stated, "Page
| fault in nonpaged area," and a countdown to a memory dump. At first, I
| thought this was a tremendous coincidence of bad RAM, as I've seen this
| error with faulty RAM before. However, on closer inspection I saw that
| Norton had recently found and quarantined the same file on both computers.
| After I deleted the files from the quarantine, the problem went away.
|
| However, every few days the problem returns, and sure enough similar (or
| same) files are again found in Norton's quarantine.
|
| My questions are: Can I set Norton to automatically delete the infected
| file rather than sending to quarantine (as obviously the virus is doing
its
| work from within the quarantine)? And, secondly, what is the method
| involved for identifying the hows, wheres, and whys of this repeated virus
| infection on these two computers?
|
| thank you very much for any assistance.
|
| jm
|
|
|
|
|

 

[JM]

'JM' wrote, in part:
| My questions are: Can I set Norton to automatically delete the infected
| file rather than sending to quarantine (as obviously the virus is doing
its
| work from within the quarantine)?
_____

Seek professional experience. Malware cannot operate from within Norton
Antivirus quarantine. You have a hardware problem.

You have too much confidence in "professional experience." ; ) We've
already done that twice.

And you're main arugument may be right, but let's examine some factors more
closely before reaching that conclusion: First, why would the crash be
happening only during web surfing? Typically, on both computers everything
will be fine until the user opens a search engine, types in a search, and
then follows the links. When they are redirected to the page and start
browsing - blue screen. However, they can run spreadsheets, read and send
email, pull up files, folders, etc, with no ill effects.

Also, after blue screening 2-3 times, I can open the Norton quarantine and
delete the file(s), and everything will be fine - websurfing included -
until the next day or two, when invariably Norton will have found and
quarantined another file.

If the above is accurate, is that consistent with a hardware problem?

jm

 

[David H. Lipman]

From: "JM" <[email protected]>


| You have too much confidence in "professional experience." ; ) We've
| already done that twice.
|
| And you're main arugument may be right, but let's examine some factors more
| closely before reaching that conclusion: First, why would the crash be
| happening only during web surfing? Typically, on both computers everything
| will be fine until the user opens a search engine, types in a search, and
| then follows the links. When they are redirected to the page and start
| browsing - blue screen. However, they can run spreadsheets, read and send
| email, pull up files, folders, etc, with no ill effects.
|
| Also, after blue screening 2-3 times, I can open the Norton quarantine and
| delete the file(s), and everything will be fine - websurfing included -
| until the next day or two, when invariably Norton will have found and
| quarantined another file.
|
| If the above is accurate, is that consistent with a hardware problem?
|
| jm
|


No. It sounds like you either have non-viral malware or software corruption.



If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE/JSE Version 5.0 Update 7
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07


http://www.java.com/en/download/manual.jsp



For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[JM]

Wow, what a great reply. Tons of information here. I will take in all in,
apply what I can, and report back the results.

thank you again,

jm

From: "JM" <[email protected]>


| You have too much confidence in "professional experience." ; ) We've
| already done that twice.
|
| And you're main arugument may be right, but let's examine some factors
more
| closely before reaching that conclusion: First, why would the crash be
| happening only during web surfing? Typically, on both computers
everything
| will be fine until the user opens a search engine, types in a search,
and
| then follows the links. When they are redirected to the page and start
| browsing - blue screen. However, they can run spreadsheets, read and
send
| email, pull up files, folders, etc, with no ill effects.
|
| Also, after blue screening 2-3 times, I can open the Norton quarantine
and
| delete the file(s), and everything will be fine - websurfing included -
| until the next day or two, when invariably Norton will have found and
| quarantined another file.
|
| If the above is accurate, is that consistent with a hardware problem?
|
| jm
|


No. It sounds like you either have non-viral malware or software
corruption.



If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to
JRE/JSE
Version 5.0. There are vulnerabilities in them and they are actively
being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of
Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE/JSE Version
5.0 Update 7
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07


http://www.java.com/en/download/manual.jsp



For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any
Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to
go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in
Normal Mode.
This way all the components can be downloaded from each AV vendor's web
site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files
or you can
download the files and perform a scan in Normal Mode. Once you have
downloaded the files
needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want
to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal
Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[JM]

By the way, your remarks regarding Sun Java really pull some things
together. These computers have been used to run a web-based business
tracking application that initially caused many problems with JRE.

In fact, it got to where the software company made us use one specific
version of JRE, and I do not believe it's the latest one. Therefore, it's
very possibly that multiple version exist on both computers.

jm

From: "JM" <[email protected]>


| You have too much confidence in "professional experience." ; ) We've
| already done that twice.
|
| And you're main arugument may be right, but let's examine some factors
more
| closely before reaching that conclusion: First, why would the crash be
| happening only during web surfing? Typically, on both computers
everything
| will be fine until the user opens a search engine, types in a search,
and
| then follows the links. When they are redirected to the page and start
| browsing - blue screen. However, they can run spreadsheets, read and
send
| email, pull up files, folders, etc, with no ill effects.
|
| Also, after blue screening 2-3 times, I can open the Norton quarantine
and
| delete the file(s), and everything will be fine - websurfing included -
| until the next day or two, when invariably Norton will have found and
| quarantined another file.
|
| If the above is accurate, is that consistent with a hardware problem?
|
| jm
|


No. It sounds like you either have non-viral malware or software
corruption.



If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to
JRE/JSE
Version 5.0. There are vulnerabilities in them and they are actively
being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of
Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE/JSE Version
5.0 Update 7
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07


http://www.java.com/en/download/manual.jsp



For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
http://security.kolla.de/
http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any
Browser Helper Objects
that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to
go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in
Normal Mode.
This way all the components can be downloaded from each AV vendor's web
site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files
or you can
download the files and perform a scan in Normal Mode. Once you have
downloaded the files
needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want
to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal
Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more
comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *

 

[David H. Lipman]

From: "JM" <[email protected]>

| By the way, your remarks regarding Sun Java really pull some things
| together. These computers have been used to run a web-based business
| tracking application that initially caused many problems with JRE.
|
| In fact, it got to where the software company made us use one specific
| version of JRE, and I do not believe it's the latest one. Therefore, it's
| very possibly that multiple version exist on both computers.
|
| jm
|


Based upon that... Please read the following.

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1

I have run into many computers that have multiple versions. The problem is allowing Sun
Java to download a new version automatically but it has no ability to remov the prior
version. I also find that even fater Sun put out the above alert notification, Dell
continues to ship NEW computers with a vulnerable version of Sun Java.

Malware is known to exploit this vulnerability and the authors know the old versions are NOT
removed. Therefore the malware will look for an exploitable version and take full advantage
of the vulnerability.

 

[JM]

You're batting 1000. The two computers are new Dells.

jm

 

[David H. Lipman]

From: "JM" <[email protected]>

| You're batting 1000. The two computers are new Dells.
|
| jm

 

[Virus Guy]

thank you very much for any assistance.

Remove the hard drive from one of the systems and connect it as a
slave drive to a trusted computer and then scan the slaved drive for
viruses/trojans etc.

You will need to slave it to another computer running XP (not Win-2k,
etc).

A Windows-XP drive that is operating as the primary drive is too
convoluted and tricky to be able to scan or track down any malware and
remove it while it is operating. Your best bet is to scan it when it
is slaved.

 

[Virus Guy]

I have run into many computers that have multiple versions.

I'm under the impression that some custom apps require certain
versions of Java to run correctly, and that they can somehow "request"
the OS to execute java instructions using a particular version of Java
runtime if so installed on the system - hence the reason why older
versions of java are not automatically un-installed when new versions
are installed. (let me know if this is correct or incorrect).

With the potential to have many different versions simultaneously
installed on a system, I'm under the impression that all of them are
in fact available to handle java execution if the OS or over-lying app
requests it.

If the above is correct (that apps running on a system can tell the OS
to use a particular version of Java if so installed on the system)
then I ask - can java code on a web site perform the same function?
That is, can web-based java code request (or force) a browser or the
OS to use a particular version of the Java runtime if it's installed
on the system in question? Do you realize the consequences of this?

 

[David H. Lipman]

From: "Virus Guy" <[email protected]>

| "David H. Lipman" wrote:
||
| I'm under the impression that some custom apps require certain
| versions of Java to run correctly, and that they can somehow "request"
| the OS to execute java instructions using a particular version of Java
| runtime if so installed on the system - hence the reason why older
| versions of java are not automatically un-installed when new versions
| are installed. (let me know if this is correct or incorrect).
|
| With the potential to have many different versions simultaneously
| installed on a system, I'm under the impression that all of them are
| in fact available to handle java execution if the OS or over-lying app
| requests it.
|
| If the above is correct (that apps running on a system can tell the OS
| to use a particular version of Java if so installed on the system)
| then I ask - can java code on a web site perform the same function?
| That is, can web-based java code request (or force) a browser or the
| OS to use a particular version of the Java runtime if it's installed
| on the system in question? Do you realize the consequences of this?


Yes. There are Run-Time applications that use Java. However, they are not tied to the
Browser and are not in the C:\Program Files\Java folder .

As far as I know the malware does NOT target these versions. However, I don't know that for
a fact.