Where should I post virus problem?
nimnorf2
05-02-2001, 11:26 PM
Where should I post a question or two dealing with a virus that I've apparently got on my computer?
Don't want to fill the wrong site.
nimnorf2
05-02-2001, 11:58 PM
Well, I just did a search with the word virus on this forum and apparently this is where the word appears most often.
so here goes.
I'm doing this on another computer and have shut off the infected one and put it in quarantine. Dag! I never let it date any other computers.
Today when I clicked on Outlook Express (my email application) it did what it normally does and immediately sends/receives email messages. In the lower right corner of the screen it read "receiving mail" (I had five new messages then in my inbox). Then without my touching a thing it started sending the same five messages out of the outbox. I now had five messages from myself in my inbox, and about 10 minutes later I received a phone call from one of my friends saying she just received an email from me with a virus.
Ran Norton and Command Anti-Virus.
Both detected c:\windows\inetd.exe. Infection: W95/Badtrans.A@mm (exact). Virus could not be disinfected.
Both detected c:\windows\system\kern32.exe as a security risk or a "backdoor" program. Virus could not be disinfected.
Command Anti-Virus also reported two other possibilities.
c:\windows\system\hksdll.dll is a security risk or a "backdoor" program. Virus could not be disinfected.
c:\windows\temporary internet files\content.IE5\E67B34K0\bbsetuppop[1].exe could be a corrupted executable file.
Anyhow, I went exploring and found the INETD.exe file in windows. I apparently got that thing just yesterday at 11:30am. Am thinking it's the real bugger. I didn't check on the others.
So, how do I get rid of it? How do I fix my email application? What should I not do with the quarantined computer until then?
Very thankful I discovered this forum recently or I'd have been really messed up by this. I feel violated. I know that sounds silly, but I don't remember opening anything recently that I didn't know what it was or from whom...
Thanks,
tjaymadison
05-03-2001, 12:03 AM
It's a system problem, so you're in the right section. Post it as a new topic, rather than continue under this one. Help! I got a virus, or something like that. Be sure to include how you got it (email attachment, etc) and how it has affected your system (what is going wrong). Hope we can help.
------------------
"When I nod my head, hit it with the hammer."
-- (Moe, holding nail, to Curly, holding hammer)
Here is some more info on this virus: http://www.cai.com/press/2000/01/plage2000.htm
------------------
mjc
Links list:Computer Links (http://www.fortunecity.com/skyscraper/highrise/11/index.htm)
nimnorf2
05-03-2001, 12:13 AM
thanks TJ and MJC. Still blows me away how "cool" it is that you guys give this advice for free and usually so quick. MJC I'll go check out your website now and then come back and see what Mr. Madison has to say. And again, thank you.
nimnorf2
05-03-2001, 12:18 AM
Yep, MJC, that's the one. My friend who received my "unintentional" email said hers said something about a hamster and a zip file. I'll go back to that site now and see if they have any advice on what to do. By the way, how did you recognize this so quickly? Incredible!
nimnorf2
05-03-2001, 12:27 AM
This is what they say on that site that MJC led me to.....I'm still so impressed that you diagnosed so quickly and right on.....
"CA's InoculateIT detects the Plage2000 worm. To clean the worm, all executable files reported as infected must be deleted. If the worm cannot be deleted, users must remove the registry entry and the WIN.INI entry (if found), reboot, and then delete the executable file."
What does all that mean? I suppose I know how to go through Windows Explorer and delete the INETD.exe. Is it that simple? Do I need INETD.exe for anything else? How do I remove the registry entry? Or the WIN.INI entry?
tjaymadison
05-03-2001, 01:41 AM
I can help with the Win.ini edit. Click Start, Run, type Sysedit in the Open box, then click OK. Four or more cascading windows will open in System Configuration Editor. Click on the title bar of Win.ini, and from there you can either use the Search tool or scroll down through the file to look for INETD. It will probably be in a line that has load= or run= at the beginning.
The registry editing is a similar process started with Regedit instead of Sysedit. I hesitate to give advice on Registry editing, because you can really screw up your system if you make even the smallest mistake. Every time I see Registry How-To's, they always advise making a backup copy first. This may seem stupid to do for a file that has a virus in it, but you could back it up to a floppy. Probably not a bad idea for the Win.ini file too. Better safe...
------------------
Tjay, started this response before your post, thought I'd still post something though.....so yeah do what Tjay said.
------------------
mjc
tjaymadison
05-03-2001, 02:15 AM
Yeah...uh...what he said. Great piece of work there, mjc. Should be saved and put in that "Tips & Tweaks" section, if they do start one. Verrrrrry Cooooool!
EDIT -- PUT IT BACK!! WHERE DID IT GO?
------------------
Okay, one of the first things you need to do is figure out when you got it; that will help a little in the clean up.
Run sysedit (from the Run box type in sysedit) and look at the win.ini file and see if there are any references to either inetd.exe or kern32.exe in the load or run lines in the [windows] section (should be the first section). If there are, remove them and leave both the run= and load= lines blank.
Now here is where knowing when you got it comes into play. If it was recently, then you may be able to scanreg_/restore (from a DOS prompt outside of Windows: press <f8> or <ctrl> during bootup, after the POST screen/manufacturer logo and before the Windows logo, to bring up the start menu. Type it with a space instead of the underscore.) If you don't know, then go back into the Run box and type regedit (be careful with this program; you could do enough damage to the current Windows installation that you would have to reinstall it, so just look for the first time). Look for this registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\run = <WindowsDir>\INETD.EXE.
(screenshot: http://www.zing.com/picture/pa4be3561b38599e9323881c23890a7ac/fe8fdd3c.jpg)
It is the highlighted one in the picture.
Look in the same area for Kern32.exe, both should be in the run key under the main one.
If they are there post back and we'll take it from there and like Tjay said backing up the registry beforehand is a good idea (even with the virus). That can be done by going to the run box and typing in scanreg and when it asks to backup click on the yes button.
You can go ahead and hunt down the infected files: delete inetd.exe, move the others to a new folder and rename them by changing at least one letter in the extension (from exe to exd or something like that; the list is what the AV program spit out and is in your first post). Go to Internet Options (control panel) and on the first page (General) delete the temporary internet files.
Your wish is my command, oh Great One from the land of the Cheeseheads
------------------
mjc
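The two autostart locations mjc walks through above (the load=/run= lines in the [windows] section of win.ini, and the run value under HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows) are plain text, so they can be checked without opening Sysedit or Regedit by hand. The script below is an added example, not code from the thread or from any AV vendor: it parses a win.ini and a REGEDIT4-style export, lists the non-empty load/run entries (the ones a worm would use to stay resident), and writes a cleaned win.ini with those values blanked, as mjc advises. The sample win.ini and .reg text are constructed for the demo and mirror what nimnorf2 reported, with the inetd.exe path chosen to match the thread.

```python
"""Added example (not from the thread): find and clear Windows 9x autostart
hooks in win.ini and in an exported registry fragment. The sample inputs are
constructed for this demo."""
import re

# Constructed win.ini, shaped like the one nimnorf2 posted.
SAMPLE_WIN_INI = """[windows]
load=c:\\windows\\system\\wininit.exe
nullport=none
run=c:\\windows\\inetd.exe
[Desktop]
Wallpaper=(None)
"""

# Constructed REGEDIT4 export of the key mjc points at. .reg files double
# every backslash inside quoted data, exactly as shown here.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
"run"="C:\\WINDOWS\\INETD.EXE"
"load"=""
"""

AUTOSTART_KEYS = ("load", "run")   # the two hooks Windows 9x honours here


def parse_ini(text):
    """Return {section_name_lowercased: [(key, value), ...]} in file order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections


def win_ini_autostarts(text):
    """Non-empty load=/run= values in [windows]: programs started with Windows."""
    return [(k, v) for k, v in parse_ini(text).get("windows", [])
            if k.lower() in AUTOSTART_KEYS and v]


def clean_win_ini(text):
    """Blank load=/run= in [windows] but keep the lines, as the thread advises."""
    out, in_windows = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_windows = line[1:-1].lower() == "windows"
        elif in_windows:
            key = line.partition("=")[0].strip().lower()
            if key in AUTOSTART_KEYS:
                out.append(f"{key}=")
                continue
        out.append(raw)
    return "\n".join(out) + "\n"


REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def reg_autostarts(text, key_suffix=r"\CurrentVersion\Windows"):
    """load/run string values under any exported key ending in key_suffix.
    Doubled backslashes in the .reg data are folded back to single ones."""
    found, in_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            in_key = key if key.lower().endswith(key_suffix.lower()) else None
        elif in_key:
            m = REG_VALUE.match(line)
            if m and m["name"].lower() in AUTOSTART_KEYS and m["data"]:
                found.append((in_key, m["name"], m["data"].replace("\\\\", "\\")))
    return found


if __name__ == "__main__":
    for key, value in win_ini_autostarts(SAMPLE_WIN_INI):
        print(f"win.ini [windows] {key}={value}")
    for key, name, data in reg_autostarts(SAMPLE_REG):
        print(f"{key}\\{name} = {data}")
    print(clean_win_ini(SAMPLE_WIN_INI), end="")
```

Run against the constructed samples it reports both win.ini hooks (wininit.exe on load=, inetd.exe on run=) and the inetd.exe run value in the registry export; the cleaned win.ini keeps nullport=none and the other sections untouched. On a real machine you would feed it c:\windows\win.ini and a fragment exported from Regedit (Registry > Export Registry File), and review every path it lists rather than deleting blindly, since legitimate software uses the same hooks.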
tjaymadison
05-03-2001, 02:31 AM
mjc -- ATTA BOY! Beats my post all to .... and back! Primo stuff!!! I am humbled in the presence of your eptitude and obviously well-deserved Master Geek-ness. "Ya, hey dere" from the Badgers.
------------------
nimnorf2
05-03-2001, 10:23 AM
Gentlemen,
When do you guys sleep? Dag, it was 2:00am and you two were still posting.
Follow up
TJay, I went through start,run,sysedit and clicked on the title bar of win.ini. I didn't need to search or scroll: it was right there on the first screen, 4th entry. It read:
[windows]
load=c:\windows\system\wininit.exe (everytime I boot up this thing pops up on the screen:some sort of dos program that has decided to do something, I just click on it and close everytime. Doesn't seem to be a problem, maybe someday I'll figure out what it is....but first this)
nullport=none
run=c:\windows\inetd.exe (there it is)
So, I followed MJC's directions, dragged my cursor over the c:\windows\inetd.exe and then clicked delete, leaving the run= . Then I closed the window and it asked me if I wanted to save my changes and I clicked on the yes. So far, so good, eh?
Then went to regedit and scrolled HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\(but no Windows NT, just plain Windows)\CURRENT VERSION\(then "telephony", not Windows nor run=<WindowsDir>\inetd.exe).
So, apparently I can't find it in the registry or it is not there.
I'm pretty confident that I got this virus from a furniture web site on Tuesday morning at 11:13 when I clicked on the attachment the thing did exactly what the CA web site reported happens with Plage2000 worm virus.
MJC, you wrote earlier that if I knew when I got this virus I might do something with scanreg_/restore from DOS. ....my brain locked up. How? What? I can read above what you wrote, but I'm a little afraid of the process. Wah!
When you run scanreg from DOS it will give you a list of several backups to choose from; pick one from before the time that you got the virus. So if you got it Tuesday, then Monday's backup should be ok. They are listed by number and have a date on them. Scanreg by default keeps five backups. The key with inetd is most likely the correct one; it may morph somewhat as to the exact key it writes to, but the effect would be the same. You can also export the questionable key before deleting it: just click on Edit and then Export, name it something like viruskey, and it will save it as a .reg file, so if there is a problem you can then right click the .reg file and it will be inserted back into the registry.
But the "safest" way is to restore from a backup....
Also I would email/call the tech support for the furniture site and let them know what happened, and maybe send some messages to a couple of the anti-virus companies. (All from a known clean system, of course.)
------------------
mjc
tjaymadison
05-03-2001, 10:54 AM
You can try searching for stuff in RegEdit. Click Edit, and then there's a Find option. Don't forget, the InoculateIT message said "if found", so it may not even be there at all. Then it seems like all that's left to do is to delete the actual files in Explorer. Or, if you do remember the date of the infection (or even just close), you could look for other suspicious files with Start > Find > Files or Folders. Click the Date tab, click the button for Find all Files, and try some of the options you get. Looks like the prognosis is upbeat, and the patient can be expected to make a full recovery. Good for you!
EDIT -- Sorry, I was writing and mjc's post was there when I submitted. No harm, no foul.
------------------
nimnorf2
05-03-2001, 11:42 AM
Alright both of you. I feel like I did years ago when my older brother would bring his friends over to the house, and I would try with all my best little brother intentions to never let them know that I had no idea what they were talking about, but I never fooled them either.
MJC, what is a "key"? How do I "run scanreg from DOS"? And TJay, what should I put in the Find what: box? What am I supposed to be looking for, and what should I do with it if I find it? I hope you guys aren't rolling your eyes right now like my big brother used to.
nimnorf2
05-03-2001, 12:07 PM
Now what? I go into find files down in the start menu and Command Anti virus fires itself up and overwrites and deletes INETD.exe. Now I can't even find the file. Is it gone? or did it morph? Is it like some alien thing slinking around waiting for an undetectable moment to send my address book to mass mailers and telephone solicitors?
nimnorf2
05-03-2001, 12:30 PM
Is it possible that once I had changed the Windows ini and gotten rid of the inetd.exe that Command Anti Virus was able to disinfect the file? It wouldn't do that last night.
sea69
05-03-2001, 01:39 PM
hey
to run scanreg:
reboot to command prompt only, then type at the prompt: scanreg_/restore
with the (_) underscore representing a space.
you will be presented with a list of registry dates. Choose one prior to when you had installed the offending program or change.
to get to "command prompt only": when the pc 1st boots, press "delete" on the keyboard, or F8.. there will be a list of start up options; choose "Command Prompt Only".
------------------
sea1_69@hotmail.com
homepage (http://www.seanweb1.homestead.com/3.html)
Key is the name given to the major entries (left hand column) in the registry. Think of an outline: the keys are the major groupings of the outline.
Scanreg can be run from DOS by hitting <f8> or <ctrl> during the boot process, after the POST or manufacturer logo (whichever happens first on your machine), and then selecting Command Prompt from the menu. And then typing scanreg at the prompt (see Sea69's post).
If you run the anti-virus program again and it doesn't find anything, then more than likely you've got it all; just keep an eye out for any suspect files and run several checks over the next few days, maybe keeping this machine from sending any emails.
You can use the find features like Tjay said to hunt down anything else that may have been left behind; if you don't find anything, then you can probably be fairly sure you've got it all. The stuff I read on it said that it didn't carry a destructive payload and was more or less a pain in the ... virus, but that it could spread rapidly and/or provide a "backdoor" into your system. But it also looks like maybe one of its components didn't quite work correctly, because the registry key (which a lot of viruses use to load and stay resident) wasn't written. The particular one that it was supposed to write enables programs to run at the start of Windows. If it is there and not found yet, you got rid of the actual program file, so it should just be a dead end and nothing much to worry about (you get them every time you uninstall software; some programs are just better at cleaning up than others, but almost everything leaves something behind).
One other thing to consider is to go into IE -> Tools -> Internet Options -> Advanced, then scroll down the list to Enable Install on Demand and remove the check. This will provide an added layer of security by forcing action on your part to perform install requests from websites (you may lose a little convenience, but it will help prevent something from installing without your knowledge).
And it probably didn't remove it last night because it was in use by Windows and running at the time, so you probably got it all now that the AV program removed it (usually they are pretty good at finding all the pieces of an older virus), but still run a couple of checks over the next few days just in case.
Oh, and for me it is about 2 -3 am for bedtime (after the last Star Trek-Next Gen is over....), and I've got several brothers and sisters (all younger than me)
------------------
mjc
nimnorf2
05-03-2001, 02:14 PM
Thanks gang,
I still want to know what made MJC pick this virus out of his hat correctly when there are thousands of viruses floating around out there.
Anyhow, I think I'm going to go to Outlook express and open it up and see what happens. I suppose I could disconnect the modem cable as protection. I think if the virus is still lingering somewhere and still has its capabilities it would attempt to deliver but would be thwarted. I still feel like a whore passing sickness to all my "friends"
Peace all. No further posts on this subject unless it's not fixed. thanks to all too!
Simple, I cut the name from your post and then pasted it into Google (http://www.google.com) and then had a large number of hits to check on.....
And now I'm going to be drummed out of the magicians' guild for revealing the secret of the trick.....
------------------
mjc
sea69
05-03-2001, 03:01 PM
whyyyyyyyyyyyy youuuuuuuuuuuuuuuuu !@!$~%^&%@~*&(~!@!**&%$@#!!!
thought of putting google (http://www.google.com/) in my sig... hehe
lol
tjaymadison
05-03-2001, 03:57 PM
Of all the SNEAKY, UNDER-HANDED, LOW-DOWN, ROTTEN, NO-GOOD tricks to pull, you had to go and pick that one! And then just give away the secret on top of it all! You won't get away with this, Black Bart (alias mjc)!
------------------
nimnorf2
05-03-2001, 10:31 PM
Dag! Not out of the woods yet. I still haven't resorted to a registry before Tuesday when I got that virus. I've gotten rid of INETD.exe but now I've got Command Anti-Virus running its "Dynamic Virus Protection" in the background and it continually reminds me that hksdll.dll is a security risk or backdoor program and/or KERN32.exe is a security risk or etc. I can hardly type a single letter or key stroke in some applications without the warning from Command AV.
I've checked through Windows Explorer and indeed the hksdll.dll was "modified" at the same time and day that INETD.exe was. I'm persuaded that I need to get rid of the two offenders. I tried to delete them manually through Windows Explorer and was told, no way, Jose. Both files are either write protected or in use by Windows.
So, if I go to a backup registry from say Monday, then will I be able to delete those two files through Windows Explorer? Or should I end all of this and put the whole thing in the trash?
Sorry, I'm frustrated. I thought we were doing really well.
OK, boot into DOS, and at the prompt type del c:\windows\system\hksdll.dll then <enter>
Then del c:\windows\system\kern32.exe
This will get rid of both of these files; since they are running when Windows is running, doing it from DOS is the only way.
------------------
mjc
nimnorf2
05-03-2001, 11:01 PM
Well, I went ahead and restored the registry to Monday's with scanreg /restore (that one or six of you told me to do). Then restarted the computer, and before I could manually delete the files through Windows Explorer, Command Anti Virus deleted them both. Now that's what I call hitting a home run! I think I/we've had success. Only 26 posts and more than half are mine. Paleo Pete, I'm sorry I filled so much space. I'll try to do better next time. Bless you all.