Identifying source of virus

On a client's network, there are about 12 XP Pro computers.  Two of them
started having the exact same problem:  While browsing the internet,
Windows would shut down, and a blue screen would appear that stated, "Page
fault in nonpaged area," and a countdown to a memory dump.  At first, I
thought this was a tremendous coincidence of bad RAM, as I've seen this
error with faulty RAM before.  However, on closer inspection I saw that
Norton had recently found and quarantined the same file on both computers.
After I deleted the files from the quarantine, the problem went away.

However, every few days the problem returns, and sure enough similar (or
same) files are again found in Norton's quarantine.

My questions are:  Can I set Norton to automatically delete the infected
file rather than sending to quarantine (as obviously the virus is doing its
work from within the quarantine)?  And, secondly, what is the method
involved for identifying the hows, wheres, and whys of this repeated virus
infection on these two computers?

thank you very much for any assistance.

jm

Re: Identifying source of virus

'JM' wrote, in part:
| My questions are:  Can I set Norton to automatically delete the infected
| file rather than sending to quarantine (as obviously the virus is doing its
| work from within the quarantine)?
_____

Seek professional experience.  Malware cannot operate from within Norton
Antivirus quarantine.  You have a hardware problem.

Phil Weldon

| On a client's network, there are about 12 XP Pro computers.  Two of them
| started having the exact same problem:  While browsing the internet,
| Windows would shut down, and a blue screen would appear that stated, "Page
| fault in nonpaged area," and a countdown to a memory dump.  At first, I
| thought this was a tremendous coincidence of bad RAM, as I've seen this
| error with faulty RAM before.  However, on closer inspection I saw that
| Norton had recently found and quarantined the same file on both computers.
| After I deleted the files from the quarantine, the problem went away.
|
| However, every few days the problem returns, and sure enough similar (or
| same) files are again found in Norton's quarantine.
|
| My questions are:  Can I set Norton to automatically delete the infected
| file rather than sending to quarantine (as obviously the virus is doing its
| work from within the quarantine)?  And, secondly, what is the method
| involved for identifying the hows, wheres, and whys of this repeated virus
| infection on these two computers?
|
| thank you very much for any assistance.
|
| jm



Re: Identifying source of virus



You have too much confidence in "professional experience." ; )  We've
already done that twice.

And your main argument may be right, but let's examine some factors more
closely before reaching that conclusion:  First, why would the crash be
happening only during web surfing?  Typically, on both computers everything
will be fine until the user opens a search engine, types in a search, and
then follows the links.  When they are redirected to the page and start
browsing - blue screen.  However, they can run spreadsheets, read and send
email, pull up files, folders, etc, with no ill effects.

Also, after blue screening 2-3 times, I can open the Norton quarantine and
delete the file(s), and everything will be fine - websurfing included -
until the next day or two, when invariably Norton will have found and
quarantined another file.

If the above is accurate, is that consistent with a hardware problem?

jm




Re: Identifying source of virus



| You have too much confidence in "professional experience." ; )  We've
| already done that twice.
|
| And your main argument may be right, but let's examine some factors more
| closely before reaching that conclusion:  First, why would the crash be
| happening only during web surfing?  Typically, on both computers everything
| will be fine until the user opens a search engine, types in a search, and
| then follows the links.  When they are redirected to the page and start
| browsing - blue screen.  However, they can run spreadsheets, read and send
| email, pull up files, folders, etc, with no ill effects.
|
| Also, after blue screening 2-3 times, I can open the Norton quarantine and
| delete the file(s), and everything will be fine - websurfing included -
| until the next day or two, when invariably Norton will have found and
| quarantined another file.
|
| If the above is accurate, is that consistent with a hardware problem?
|
| jm
|


No.  It sounds like you either have non-viral malware or software corruption.



If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0.  There are vulnerabilities in them and they are actively being
exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun
Java to Version 5 on the PC that they be removed and Sun Java JRE/JSE Version 5.0
Update 7 be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07


http://www.java.com/en/download/manual.jsp



For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
  http://www.lavasoft.de/
  http://www.lavasoftusa.com/
  http://www.lavasoft.de/ms/index.htm

* SpyBot Search and Destroy v1.4
  http://security.kolla.de/
  http://www.safer-networking.org/microsoft.en.html

* SuperAntiSpyware
  http://www.superantispyware.com/superantispywarefreevspro.html

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser
Helper Objects that may be on the PC.

* BHODemon

http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d

For viral malware...

* Download MULTI_AV.EXE from the URL --
  http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode.  This way all the components can be downloaded from each AV vendor's web
site.  The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and
Reboot the PC.

You can choose to go to each menu item and just download the needed files or you
can download the files and perform a scan in Normal Mode. Once you have
downloaded the files needed for each scanner you want to use, you should reboot
the PC into Safe Mode [F8 key during boot] and re-run the menu again and choose
which scanner you want to run in Safe Mode.  It is suggested to run the scanners
in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help file.  http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * *   Please report back your results  * * *



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Identifying source of virus

Wow, what a great reply.  Tons of information here.  I will take it all in,
apply what I can, and report back the results.

thank you again,

jm


Re: Identifying source of virus

By the way, your remarks regarding Sun Java really pull some things
together.  These computers have been used to run a web-based business
tracking application that initially caused many problems with JRE.

In fact, it got to where the software company made us use one specific
version of JRE, and I do not believe it's the latest one.  Therefore, it's
very possible that multiple versions exist on both computers.

jm



Re: Identifying source of virus


| By the way, your remarks regarding Sun Java really pull some things
| together.  These computers have been used to run a web-based business
| tracking application that initially caused many problems with JRE.
|
| In fact, it got to where the software company made us use one specific
| version of JRE, and I do not believe it's the latest one.  Therefore, it's
| very possible that multiple versions exist on both computers.
|
| jm


Based upon that...  Please read the following.

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102171-1

I have run into many computers that have multiple versions.  The problem is
allowing Sun Java to download a new version automatically but it has no ability
to remove the prior version.  I also find that even after Sun put out the above
alert notification, Dell continues to ship NEW computers with a vulnerable
version of Sun Java.

Malware is known to exploit this vulnerability and the authors know the old
versions are NOT removed.  Therefore the malware will look for an exploitable
version and take full advantage of the vulnerability.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
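The "simple check" of C:\Program Files\Java from Dave's earlier reply, together with his point above that the auto-updater leaves old versions behind, written up as an added Python example (not Dave's code or part of Multi_AV): it parses Sun's install-folder names such as jre1.5.0_07 and flags every folder older than JRE 5.0 Update 7. The folder listing in the fallback branch is constructed for the example; on a real machine the script reads the directory itself.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# The JRE the thread recommends as the floor: Sun Java JRE 5.0 Update 7.
MIN_SAFE = (1, 5, 0, 7)

# Sun's install-folder naming under C:\Program Files\Java, e.g. "jre1.5.0_07",
# "j2re1.4.2_03", "jdk1.5.0_06"; the "_NN" update suffix is optional.
_JAVA_DIR = re.compile(
    r"^(?:j2re|jre|j2sdk|jdk)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$", re.IGNORECASE
)


def parse_java_dir(name: str) -> Optional[Tuple[int, int, int, int]]:
    """Map a Java install folder name to (major, minor, micro, update); None if not one."""
    m = _JAVA_DIR.match(name)
    if m is None:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def audit_java_dirs(folder_names: List[str],
                    minimum: Tuple[int, int, int, int] = MIN_SAFE) -> Dict[str, List[str]]:
    """Sort folders into 'current' (>= minimum), 'outdated' (an older JRE/JDK the
    updater left behind) and 'unknown' (not a Sun Java folder). Tuple comparison
    orders 1.5.0_06 below 1.5.0_07 and 1.4.2_03 below both."""
    report: Dict[str, List[str]] = {"current": [], "outdated": [], "unknown": []}
    for name in folder_names:
        ver = parse_java_dir(name)
        if ver is None:
            report["unknown"].append(name)
        elif ver < minimum:
            report["outdated"].append(name)
        else:
            report["current"].append(name)
    return report


if __name__ == "__main__":
    java_root = r"C:\Program Files\Java"
    if os.path.isdir(java_root):
        names = sorted(os.listdir(java_root))
    else:
        # Constructed sample folder listing, not taken from a real machine.
        names = ["jre1.5.0_07", "j2re1.4.2_03", "jre1.5.0_06", "Microsoft.NET"]
    result = audit_java_dirs(names)
    for label in ("outdated", "current", "unknown"):
        print(f"{label:8s}: {', '.join(result[label]) or '(none)'}")
    if result["outdated"]:
        print("Outdated JREs stay installed and exploitable until uninstalled by hand.")
```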



Re: Identifying source of virus

You're batting 1000.  The two computers are new Dells.

jm




Re: Identifying source of virus


| You're batting 1000.  The two computers are new Dells.
|
| jm

:-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
