The end of the saga - wrong?

From: Douglas Greville (dgrev@ruralnet.net.au)
Date: Wed Apr 25 2001 - 05:25:46 PDT


Jaime

> 3rd. A copy is saved into the WINDOWS directory as INETD.EXE and an entry is
> entered into the WIN.INI file to run INETD.EXE at startup. KERN32.EXE (a
> backdoor Trojan), and HKSDLL.DLL (a valid keylogger DLL) are written to the
> WINDOWS SYSTEM directory, and a registry entry is created to load the Trojan
> upon system startup.

Sorry to disagree, but I think you are not correct. In the
messages of the last day or 2 you will see that James Swan and I have
had a late night session cleaning out his computer. He is a Netscape
user just like me.
His computer had the virus just like mine did and yet
it manifested with a different file. I found a log file generated by the
virus in my computer. Stripped of all the gobbledegook here is what it
did. I have added the numbers.

Hkk32.exe (0) (Virus?)
Wsock32.dll (1) (Genuine Windows file?)
Msvcrt.dll (2)
Win.ini (Genuine Windows file - but modified.)
Ws_32.dll (3)
Ws2help.dll (4)
Wininet.dll (5) (Virus? Name is similar to "Inetd.exe" the virus file)
Shlwapi.dll (6)
Mswsock.dll (7)
Kern32.dll (8) (Virus)

Now you will notice that Hkk32.exe is not mentioned in your email, BUT
I did not find any instance of Hksdll.dll! But it was present on James'
computer!

What I need is for one of our "hard core computer types" in this group
(Chuck Chris? or Arthur?) to have a look at the above list and tell me
which of the numbered events is the execution of a genuine Windows
subroutine and which are virus files that have a very similar name
(eg Kern32.exe which is a similar name to Kernel32.dll - a genuine
Windows file) and tell me if any of the above indicates a remaining
virus file that I (and perhaps the rest of you) need to kill?
I don't want to go and gleefully delete essential Windows subroutines
in the mistaken belief they are virus files and end up with a computer
that only displays "the blue screen of death".

Do remember that I have already run a supposedly successful Virus
kill program (Norton 2001) yet it proved totally incapable of removing
Kern32.exe and Hkk32.exe, both of which I had to delete via a boot
disk and DOS commands.

Most importantly, although the Virus was killed, the Trojan horse
(Kern32.exe) still remained along with Hkk32.exe (whatever it may be).
So much for those vaunted Anti-Virus programmes!

There are far too many ".dll"s in the above list for my liking; the
problem is to recognise the genuine from the fake. Just relying on
"date created" is not reliable?

Help please?

I am still stumped for the compulsory MV content as I am more concerned
about not having an active spy (Virus) in my computer! When I know I
have my computer back to rights I can enthrall all of you with an
intriguing (infuriating actually) Greyhound idle miss saga.

Regards
Doug

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Armoured Vehicles Collector
Douglas Greville, Broken Hill, N.S.W., Australia
[ASCII-art signature: M8 Ferret]
dgrev@ruralnet.net.au

Web Armour site at:

http://www.users.zetnet.co.uk/lsm/dhmg/index.html (UK mirror site)

and

http://members.nbci.com/dgrev/index.html (US mirror site)
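A small triage helper for the question Doug raises above (which names in the log are genuine Windows components and which are lookalikes such as Kern32 next to Kernel32). This is an added example, not code from the original thread; the KNOWN_GOOD baseline is an assumption drawn from standard Windows component names and should really be built from trusted installation media, and the input list is constructed from the names quoted in the post.

```python
# Added example: flag file names that closely resemble a known-good
# Windows component name but are not that name. Name similarity alone
# never proves a file is malicious or genuine; it only says "look here".

# ASSUMPTION: a baseline of legitimate component names. In practice,
# build it from trusted install media or a vendor catalogue, not memory.
KNOWN_GOOD = {
    "kernel32.dll", "wsock32.dll", "ws2_32.dll", "ws2help.dll",
    "msvcrt.dll", "wininet.dll", "shlwapi.dll", "mswsock.dll", "win.ini",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def stem(name: str) -> str:
    """Lower-cased name without its extension: 'Kern32.exe' -> 'kern32'."""
    return name.lower().rsplit(".", 1)[0]

def classify(name: str, baseline=KNOWN_GOOD, max_dist: int = 2) -> str:
    """'known-good', 'lookalike of <x>' or 'unknown' for one file name.

    A lookalike is a name not in the baseline whose stem is within
    max_dist edits of a baseline stem (kern32 vs kernel32)."""
    n = name.lower()
    if n in baseline:
        return "known-good"
    best = min(baseline, key=lambda g: edit_distance(stem(n), stem(g)))
    if edit_distance(stem(n), stem(best)) <= max_dist:
        return f"lookalike of {best}"
    return "unknown"

# Constructed input: the names quoted in the post, notes stripped.
LOG_FILES = ["Hkk32.exe", "Wsock32.dll", "Msvcrt.dll", "Win.ini",
             "Ws_32.dll", "Ws2help.dll", "Wininet.dll", "Shlwapi.dll",
             "Mswsock.dll", "Kern32.dll", "Kern32.exe", "Inetd.exe",
             "Hksdll.dll"]

def triage(names=LOG_FILES) -> dict:
    """Map each name to its verdict; 'unknown' entries still need review."""
    return {n: classify(n) for n in names}

if __name__ == "__main__":
    for n, verdict in triage().items():
        print(f"{n:14} {verdict}")
```

An "unknown" verdict (Hkk32.exe, Inetd.exe, Hksdll.dll here) means the name matches nothing in the baseline at all, which is exactly the set a file-hash check against a clean machine should settle next.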



This archive was generated by hypermail 2b29 : Tue May 01 2001 - 07:42:42 PDT