I Think I'm Infected!!!!! - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 13 of 13

Thread: I Think I'm Infected!!!!!

  1. #11
    Ryan, loveletter tries to download a trojan called Barok (password stealer) from a website that has shut down long ago, unless the code was updated to reflect a new site.

    From what you say, you do not have any strange variant of the virus, but that does not mean anything... for now, to clean it manually, use this technique:

    taken from:http://securityresponse.symantec.com...eletter.a.html

    Manual removal instructions
    The VBS.LoveLetter.Worm places several files on your hard drive or drives, and also makes changes to the Windows registry. In addition, it also changes the attribute of some files to hidden. All of this varies with the particular variant of the worm with which the computer was infected.

    Enable show all files
    Follow these steps to make sure that Windows is set to show all files:
    1. Start Windows Explorer.
    2. Click the View menu (Windows 95/98/NT) or the Tools menu (Windows Me/2000), and then click Options or Folder options.
    3. Click the View tab.
    4. Uncheck "Hide file extensions for known file types."
    5. Do one of the following:
    Windows 95/NT. Click "Show all files."
    Windows 98. In the Advanced settings box, under the "Hidden files" folder, click Show all files.
    Windows Me/2000. Uncheck "Hide protected operating system files" and under the "Hidden files" folder, click "Show hidden files and folders."
    6. Click Apply, and then click OK.


    Restart the computer in Safe mode
    You must restart the computer in Safe Mode (Windows 95/98/Me/200 only) Follow the instructions in the document for your operating system.

    How to restart Windows 9x or Windows Me in Safe Mode.
    How to start Windows 2000 in Safe mode.
    Find and delete files
    1. Click Start, point to Find or Search, and click Files or Folders.
    2. Make sure that "Look in" is set to (C and that Include subfolders is checked.
    3. In the "Named" or "Search for..." box, type--or copy and paste--the following file names:

    *letter-for-you* MSKernel32.vbs Win32DLL.vbs WinFAT32.EXE WIN-BUGSFIX.EXE script.ini mothersday.vbs funny love.vbs funny love.htm virus_warning.jpg.vbs urgent_virus_warning.htm protect.vbs important.txt.vbs eskernel32.vbs es32dll.vbs kiler.htm killer2.htm killer1.htm KillEmAll.TXT.VBS ArabAir.TXT.vbs no-hate-FOR-YOU.HTM vir-killer.vbs look.vbs bewerbung.txt.vbs reload.vbs

    4. Click Find Now or Search Now.

    CAUTION: The next step is to delete these files from your system. Make sure that you delete only the files listed, and if you typed the file names, that they were typed exactly as shown. Deleting the wrong file could cause your system to fail to start.

    5. Delete the files that are displayed.

    NOTES:
    There is a space between each file name.
    If you copy and paste all of the file names into the Named box, most will not be found. (If you have run a full system scan and NAV has successfully removed these infected files, none may be found. If that is the case, go on to the next section.) This list contains all known files for all known variants. As an alternative, see the previous section (which provides details on the variants) and enter only the files that apply to the variant that the computer was infected with.


    Remove entries from the registry

    CAUTION: We strongly recommend that you back up the system registry before making any changes. Incorrect changes to the registry could result in permanent data loss or corrupted files. Please make sure you modify only the keys specified. Please see the document How to back up the Windows registry before proceeding.

    1. Click Start, and click Run. The Run dialog box appears.
    2. Type regedit and then click OK. The Registry Editor opens.
    3. Navigate to the following key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    4. Look for the following String values in the right pane:

    WIN32DLL "C:\Windows\WIN32DLL.vbs"
    MSKernel32 "C:\Windows\System\MSKernel32.vbs"
    Win-bugsfix "<Path varies>"
    Winfat32.exe
    ESKernel32
    ES32dll
    Reload "C:\Windows\System\Reload.vbs"
    Any entries that refer to .vbs


    5. For those that appear, select each one, press Delete, and then click Yes to confirm.
    6. Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

    7. Look for the following String values in the right pane:

    WIN32DLL "C:\Windows\WIN32DLL.vbs"
    MSKernel32 "C:\Windows\System\MSKernel32.vbs"
    Win-bugsfix "<Path varies>"
    Winfat32.exe
    ESKernel32
    ES32dll
    Reload "C:\Windows\System\Reload.vbs"
    Any entries that refer to .vbs

    8. For those that appear, select each one, press Delete, and then click Yes to confirm.
    9. Navigate to the following key:

    HKEY_USERS\<username> or <.default>\Software\Microsoft\Windows\CurrentVersion\RunServices

    10. Look for the following String values in the right pane:

    WIN32DLL "C:\Windows\WIN32DLL.vbs"
    MSKernel32 "C:\Windows\System\MSKernel32.vbs"
    Win-bugsfix "<Path varies>"
    Winfat32.exe
    ESKernel32
    ES32dll
    Reload "C:\Windows\System\Reload.vbs"
    Any entries that refer to .vbs

    11. For those that appear, select each one, press Delete, and then click Yes to confirm.
    12. Exit the Registry editor.

    NOTES:
    If you are a network administrator, be aware that the following registry keys may have been deleted by the worm:
    HKLM\Software\Microsoft\Windows\CurrentVersion\
    Policies\Network\HideSharePwds

    HKLM\Software\Microsoft\Windows\CurrentVersion\
    Policies\Network\DisablePwdCaching

    HKLM\Software\Microsoft\Windows\CurrentVersion\
    Policies\Network\HideSharePwds

    HKLM\Software\Microsoft\Windows\CurrentVersion\
    Policies\Network\DisablePwdCaching

    For all users, be aware that potentially hundreds of DWORD registry values are created in
    HKEY_USERS\username\SOFTWARE\Microsoft\WAB
    This is based on how many email messages were sent out. These keys will be different on each computer.

    The Worm is now removed from your system. Restart the computer.

    NOTE: If you are running Windows 98 and you enabled the Startup menu using MSCONFIG, you should turn it off. If you do not turn it off, the startup menu will appear each time you start the computer.

    Delete email attachments
    In your email program, delete any file attachments that state I LOVE YOU or LOVE-LETTER-FOR-YOU.TXT.vbs. Make sure to remove them from all of the program's folders.

    Verification
    This is a difficult worm to remove. If you performed the manual removal procedure, we suggest that you repeat the procedure in the section Find and delete files to make sure that all the files have been found and removed.

    Cleanup
    If any files were infected by the worm--and have had the .vbs extension appended, as described in the Technical information section--you must delete them and restore them from a backup.

    CAUTION: Do not attempt to run files that have been overwritten or renamed by this worm. If you do, the worm is executed again.

    NOTE: Files with .mp2 and .mp3 extensions are not infected; only the file name has been changed by adding the .vbs extension (see the Technical Infor
    mation section for details). You can recover these files by renaming them back to the original file name in Windows or in DOS. Files with the .jpg extension are destroyed, and must be restored from a backup.

    Restore start page
    To restore the Internet Explore start page that was modified by the worm, please follow these steps:
    1. Start Internet Explorer.
    2. Click the Tools menu, and click Internet Options.
    3. On the General tab, replace your home page address as desired.





    Additional information:

    Besides running LiveUpdate frequently, one other thing that you can do to protect your system from this type of worm is to block scripts of this type (NAV 2001) or disable or remove the Windows Scripting Host. VBS.LoveLetter, and others such as the Wscript.KakWorm, use the VBScript computer language to run.


    If you are using Norton AntiVirus 2001, a free program update that includes Script Blocking is available.Please run LiveUpdate to obtain this.
    For other versions of Norton AntiVirus, Symantec Security Response offers a tool to disable the Windows Scripting Host.
    This is the manual removal instructions. MAKE SURE you know which variant it is and see what it does before you go about fixing it. Also, make sure your AV definitions are up to date and as they say, curiosity kills the cat.

    Good luck

  2. #12
    Banned
    Join Date
    Apr 2002
    Posts
    156
    Thanks. The "trojan file" that it referred to was not Barok. I have heard of Barok many times before an I would have recognized it. The file that was detected could have been a file that downloaded on KaZaA because KaZaA was running at the time and stuff was downloading. LoveLetter was not detected on a McAfee scan in fact, nothing was found. I checked the Exclusions on my Norton and changed them to include .vbs files (.vbs was excluded for some reason).

    NO WAIT! I just got another warning. The trojan name is JS\NoClose. I am not downloading anything either. Nothing was downloadind at the time of the warning. I will check into the trojan later. I have to go out right now.

  3. #13
    Banned
    Join Date
    Apr 2002
    Posts
    156
    McAfee's Virus Encyclopedia says that this virus is most likely to be found on ads and banners especially pornographic. I was using KaZaA (listening to songs) and an ad came up about dating or something. Right around when that ad came up, I got the warning.

    ohh ya. and about KZOP. I thought KZOP was the trojan name but it turns out KZPOP was the file name. The entire file name was KZPOP(1).HTM (I'm guessing this is the translation: KazaaPopup1. then HTM as in html). KZOP was actually KZPOP when I read it better.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides