W32 JeempB??


Sung

Hi, I have a question from a girl I know and would greatly appreciate any
answers! She did a "Freedom Anti-virus" scan on her hard drive and got the
following results (see below, please). (Just FYI, I think she has a Windows
XP-equipped computer and logs on under her own name, but her husband is listed
as the main user.)

c:\Program Files\Outlook Express\outl32c.exe
File infected with "W32/Jeemp.B" virus and was successfuly deleted.

c:\Program Files\Outlook Express\outlkl.exe
File infected with "W32/Jeemp.B" virus and was successfuly deleted.

C:\WINDOWS\msin32.dll
File is infected with a virus. The file could not be disinfected.

C:\WINDOWS\svchost.exe
File is infected with "W32/Jeemp.B" virus. The file could not be disinfected.

C:\system32\msrexe.exe
File infected with "W32/Jeemp.B" virus and was successfully deleted.

The message she gets is "Cannot delete: access is denied. Make sure the disk
is not full or write protected and that the file is not currently in use."
I think she said she didn't have any other programs open at the time she did
the virus check.

She's worried about the svchost.exe and msin32.dll files, which her program
claimed were infected but could not be disinfected (I don't know why it won't).
I know absolutely nothing about the program she's using and why it can't
disinfect those files. Afraid I don't know much about the files which are
supposedly infected with w32/jeemp.b (whatever that is) and so would be glad
of any assistance, even if it's just a link where she can find more info.
Thank you very much!
-Sungyi


---------------------------POST VIA--------------------------------
news://nntp.xusenet.com http://www.xusenet.com
===================================================================
 

taff

> Hi, I have a question from a girl I know and would greatly appreciate any
> answers! She did a "Freedom Anti-virus" scan on her hard drive and got the
> following results (see below, please). (Just FYI, I think she has a Windows
> XP-equipped computer and logs on under her own name, but her husband is listed
> as the main user.)
>
> c:\Program Files\Outlook Express\outl32c.exe
> File infected with "W32/Jeemp.B" virus and was successfuly deleted.
>
> c:\Program Files\Outlook Express\outlkl.exe
> File infected with "W32/Jeemp.B" virus and was successfuly deleted.
>
> C:\WINDOWS\msin32.dll
> File is infected with a virus. The file could not be disinfected.
>
> C:\WINDOWS\svchost.exe
> File is infected with "W32/Jeemp.B" virus. The file could not be disinfected.
>
> C:\system32\msrexe.exe
> File infected with "W32/Jeemp.B" virus and was successfully deleted.
>
> The message she gets is "Cannot delete: access is denied. Make sure the disk
> is not full or write protected and that the file is not currently in use."
> I think she said she didn't have any other programs open at the time she did
> the virus check.
>
> She's worried about the svchost.exe and msin32.dll files, which her program
> claimed were infected but could not be disinfected (I don't know why it won't).
> I know absolutely nothing about the program she's using and why it can't
> disinfect those files. Afraid I don't know much about the files which are
> supposedly infected with w32/jeemp.b (whatever that is) and so would be glad
> of any assistance, even if it's just a link where she can find more info.
> Thank you very much!
> -Sungyi


This is a backdoor trojan problem. You will need a dedicated trojan
removal tool.
Try Adaware
http://www.lavasoft.de/support/download/
Download, install, update and run.

Taff....................



www.sounds-pa.com | www.thecomputerworkshop.com
 

Gabriele Neukam

On that special day, Sung, ([email protected]) said...
> The message she gets is "Cannot delete: access is denied. Make sure the disk
> is not full or write protected and that the file is not currently in use."

A backdoor is meant to be active and running in the background all the time.
Windows XP will prevent the deletion of any file actually in use.

Find out the name of the process generated by the backdoor. Is it
Ctrl-Alt-Del for Taskmanager, or rather Ctrl-Shift-Esc in WinXP? However, you
have to open the taskmanager and kill the process created by jeem.p, and
then go and try to remove the "infected" file (in fact it isn't
infected, the file itself is the parasite). It seems to disguise itself
by adopting the name of Windows XP system files, but not sitting in the
proper directory but a different one.

If deletion doesn't work, start the computer with the Ctrl pressed and
choose Safe mode, try again.

If the file is coming back, disable the System Restore process, try the
same again.

If the files are *still* coming back, you'll have to search for a
dropper, i.e. a file that is also running in the background, checking
every n seconds for the existence of the Jeem.p, and replacing it from
some storage file if it was gone. This will probably involve the usage
of a specialized program.

Jeem is a mass mailer trojan used for sending endless streams of
unsolicited commercial emails all over the world. Your girlfriend should
be too amazed when she is getting the bill from her ISP together with a
letter that she should better decrease her mail traffic.


Gabriele Neukam

(e-mail address removed)
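The "same name as a system file, wrong directory" point above is the one check a helper can apply mechanically before touching anything. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It takes a list of (pid, image path) pairs such as you would read off Task Manager, and flags any image whose file name matches a well-known Windows XP system binary but whose directory is not the one that binary is expected to live in. The table of expected directories and the sample process list are both assumptions constructed for the example; the C:\WINDOWS\svchost.exe path is the one the scanner reported in the original post, and the genuine svchost.exe lives in C:\WINDOWS\system32.

```python
import ntpath

# Where a few well-known Windows XP system binaries are expected to live.
# This table is an assumption made for the example (the real list is longer);
# ntpath is used so the check runs on any OS against Windows-style paths.
SYSTEM_BINARY_HOMES = {
    "svchost.exe":  [r"C:\WINDOWS\system32"],
    "lsass.exe":    [r"C:\WINDOWS\system32"],
    "winlogon.exe": [r"C:\WINDOWS\system32"],
    "explorer.exe": [r"C:\WINDOWS"],
}


def classify_image(image_path):
    """Classify one process image path.

    'ok'         -> a known system name running from its expected directory
    'masquerade' -> a known system name running from somewhere else
    'unknown'    -> a name this table says nothing about
    """
    # normcase lowercases and normalises slashes, so C:\WINDOWS\SVCHOST.EXE
    # and c:/windows/svchost.exe compare equal.
    name = ntpath.normcase(ntpath.basename(image_path))
    homes = SYSTEM_BINARY_HOMES.get(name)
    if homes is None:
        return "unknown"
    directory = ntpath.normcase(ntpath.dirname(image_path))
    expected = {ntpath.normcase(h) for h in homes}
    return "ok" if directory in expected else "masquerade"


def find_masquerades(process_list):
    """Return [(pid, image_path)] for every entry that fails the directory check."""
    return [(pid, path) for pid, path in process_list
            if classify_image(path) == "masquerade"]


# Constructed process list for the example. The second entry is the path the
# scanner reported in the thread; the Outlook Express entry uses a name from the
# scan output too, but it is not in the table, so this check cannot judge it.
SAMPLE_PROCESSES = [
    (1016, r"C:\WINDOWS\system32\svchost.exe"),
    (1524, r"C:\WINDOWS\svchost.exe"),
    (1600, r"C:\WINDOWS\explorer.exe"),
    (1788, r"C:\Program Files\Outlook Express\outl32c.exe"),
]


if __name__ == "__main__":
    for pid, path in SAMPLE_PROCESSES:
        print(f"{pid:>6}  {classify_image(path):<10}  {path}")
    print("suspects:", find_masquerades(SAMPLE_PROCESSES))
```

Two limits worth keeping in mind when using a check like this: a hit means "look closer" (confirm it against the scanner's result before killing or deleting anything), and a clean result only covers names in the table. Files with made-up names such as outl32c.exe come back as "unknown", which is exactly why a signature-based scanner is still needed alongside this kind of sanity check.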
 

Sung

Hi, I just wanted to say thank you for your comments. I've made note of them
and I'll refer to them when I sit down and look at her computer next week!
Thanks again, it's very much appreciated!

Gabriele Neukam said:
> On that special day, Sung, ([email protected]) said...
>
>
> A backdoor is meant to be active and running in the background all the time.
> Windows XP will prevent the deletion of any file actually in use.
>
> Find out the name of the process generated by the backdoor. Is it
> Ctrl-Alt-Del for Taskmanager, or rather Ctrl-Shift-Esc in WinXP? However, you
> have to open the taskmanager and kill the process created by jeem.p, and
> then go and try to remove the "infected" file (in fact it isn't
> infected, the file itself is the parasite). It seems to disguise itself
> by adopting the name of Windows XP system files, but not sitting in the
> proper directory but a different one.
>
> If deletion doesn't work, start the computer with the Ctrl pressed and
> choose Safe mode, try again.
>
> If the file is coming back, disable the System Restore process, try the
> same again.
>
> If the files are *still* coming back, you'll have to search for a
> dropper, i.e. a file that is also running in the background, checking
> every n seconds for the existence of the Jeem.p, and replacing it from
> some storage file if it was gone. This will probably involve the usage
> of a specialized program.
>
> Jeem is a mass mailer trojan used for sending endless streams of
> unsolicited commercial emails all over the world. Your girlfriend should
> be too amazed when she is getting the bill from her ISP together with a
> letter that she should better decrease her mail traffic.
>
>
> Gabriele Neukam
>
> (e-mail address removed)
so, at no cost.

-Sungyi


 

Sung

> This is a backdoor trojan problem. You will need a dedicated trojan
> removal tool.
> Try Adaware
> http://www.lavasoft.de/support/download/
> Download, install, update and run.
>
> Taff....................

Hmmm...Adaware, huh? Is this a good program for finding dialers as well? A few
weeks ago she got a phone bill and figured she must've had one of those happen.
(She figures her brother had once accidentally downloaded a dialer when looking
at adult web sites.)

Thank you for the program recommendation. I'll pass it along!


-Sungyi


 

Beauregard T. Shagnasty

Quoth the raven named Sung:
> Hmmm...Adaware, huh? Is this a good program for finding dialers as
> well? A few weeks ago she got a phone bill and figured she must've had one
> of those happen. (She figures her brother had once accidentally
> downloaded a dialer when looking at adult web sites.)
>
> Thank you for the program recommendation. I'll pass it along!

It was my understanding that the AdAware program found and killed
mostly advertising malware. I've seen it recommended many places to
run both AdAware /and/ Spybot S&D. Spybot does find dialers,
keyloggers, and other trojan-type stuff that AdAware will not.

Spybot Search & Destroy: http://security.kolla.de/

Be sure to get the latest updates after installation of both, and
before you scan.
 

taff

Quoth the raven named Sung:

> It was my understanding that the AdAware program found and killed
> mostly advertising malware. I've seen it recommended many places to
> run both AdAware /and/ Spybot S&D. Spybot does find dialers,
> keyloggers, and other trojan-type stuff that AdAware will not.
>
> Spybot Search & Destroy: http://security.kolla.de/
>
> Be sure to get the latest updates after installation of both, and
> before you scan.

True, but Spybot can also be dangerous for someone who does not know a
lot about their system, and so I generally suggest Adaware first, then,
if they still have problems, Spybot.
I have seen it remove many things that will stop programs running;
mind you, Adaware sometimes does the same thing.
The problems are with programs that depend on adware to operate.

Taff.................



www.sounds-pa.com | www.thecomputerworkshop.com
 

Beauregard T. Shagnasty

Quoth the raven named taff:
> True, but Spybot can also be dangerous for someone who does not
> know a lot about their system, and so I generally suggest Adaware
> first, then, if they still have problems, Spybot. I have seen it
> remove many things that will stop programs running; mind you,
> Adaware sometimes does the same thing. The problems are with
> programs that depend on adware to operate.

True, <g> but would you rather have a dialer making expensive phone
charges, or some other inoperable software?

Personally, I would not really want to run programs that depended on
adware to operate.

I would still recommend running Spybot S&D, and of course pay
attention to what it wants to remove. It is usually quite good about
describing what it found.
 

Beauregard T. Shagnasty

Quoth the raven named taff:
> True, but Spybot can also be dangerous for someone who does not know a
> lot about their system, and so I generally suggest Adaware first, then,
> if they still have problems, Spybot.

Addendum: heh, I just noticed in the "Virus inside an Agent *.dat
file?" thread, you recommended col_klink run Spybot, but with no
mention that it "can be dangerous." :)

The best advice is to run /both/ programs, and pay attention to what
is happening. If necessary, describe the result and ask someone if
it's ok to delete what it found.
 

taff

Quoth the raven named taff:

> Addendum: heh, I just noticed in the "Virus inside an Agent *.dat
> file?" thread, you recommended col_klink run Spybot, but with no
> mention that it "can be dangerous." :)
>
> The best advice is to run /both/ programs, and pay attention to what
> is happening. If necessary, describe the result and ask someone if
> it's ok to delete what it found.

You caught me out on that one :)) but I do tend to recommend on the
perceived knowledge of the poster and that guy obviously knew what he
was looking for. Point taken though.

Taff.............



www.sounds-pa.com | www.thecomputerworkshop.com
 
