Windows File Protection

Well, I recently had a Redlof virus attack on my PC.

In short, this virus puts a VBScript file named kernel32.dll in the system folder and executes it whenever an infected file is opened, via a registry entry at hklm/soft/mic/wind/currverr/run.

It infects files with .html and .htm extensions (I had only these infected; dunno if it infects other files), i.e. if you have saved some web pages for future reading (like Iczelion's tutes, MSDN KB articles, Under the Hood articles) it infects them (adds 12 KB of VBScript stuff to those files).

This also uses wscript.exe.

On browsing through for info, I read in one Symantec article (search "noscript" in Symantec) that you can delete the wscript.exe.

Well, I tried renaming it, but this file refuses to be renamed;
it generates a new version of it every time it is renamed.

So I cut it from that folder and pasted it somewhere;
still it got generated (pesky file, huh).

So I started to search why it is so.

On going through Event Viewer (I saw a warning stating that a Windows File Protection protected file is being replaced).

So I searched for info again and came to TechSpot
(I've read the article by Accel too on disabling SFC).

Is it recommended?

Can I delete this wscript alone? Is it possible to do it?
What kind of implication may there be if it is deleted?

Any replies are welcome.
 
No answers,
not even some vague replies.

Hmmmn, is the question sounding stupid or is it hard to reply?

~6000 members and 65000 posts, big forum.

BTW my OS is W2K.
 
Sounds like you were being a bit confused by the info in the article and the removal. I just copied and pasted the removal instructions below for you.

NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

1. Update the virus definitions.
2. Run a full system scan, and delete all files that are detected as HTML.Redlof.A.
3. Reverse the changes that the virus made to the registry.

For details on how to do this, read the following instructions.

To update the virus definitions:
All virus definitions receive full quality assurance testing by Symantec Security Response before being posted to our servers. There are two ways to obtain the most recent virus definitions:
1. Run LiveUpdate, which is the easiest way to obtain virus definitions. These virus definitions are posted to the LiveUpdate servers one time each week (usually Wednesdays) unless there is a major virus outbreak. To determine whether definitions for this threat are available by LiveUpdate, look at the Virus Definitions (LiveUpdate) line at the top of this write-up.
2. Download the definitions using the Intelligent Updater. Intelligent Updater virus definitions are posted on U.S. business days (Monday through Friday). They must be downloaded from the Symantec Security Response Web site and installed manually. To determine whether definitions for this threat are available by the Intelligent Updater, look at the Virus Definitions (Intelligent Updater) line at the top of this write-up.

Intelligent Updater virus definitions are available here. For detailed instructions on how to download and install the Intelligent Updater virus definitions from the Symantec Security Response Web site, click here.

To scan for and delete the infected files:
1. Start your Symantec antivirus program, and make sure that it is configured to scan all files.
   - Norton AntiVirus consumer products: Read the document How to configure Norton AntiVirus to scan all files.
   - Symantec enterprise antivirus products: Read the document How to verify a Symantec Corporate antivirus product is set to scan All Files.
2. Run a full system scan.
3. If any files are detected as infected with HTML.Redlof.A, click Delete. Replace deleted files from a clean backup or reinstall them.

To reverse the changes that the virus made to the registry:

CAUTION: Symantec strongly recommends that you back up the registry before you make any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify only the keys that are specified. Read the document How to make a backup of the Windows registry for instructions.

1. Click Start, and click Run. The Run dialog box appears.
2. Type regedit and then click OK. The Registry Editor opens.
3. Navigate to the key

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the value

   Kernel32

5. Navigate to the key

   HKEY_CURRENT_USER\Identities\[Default User ID]\Software\Microsoft\Outlook Express\[Outlook Version].0\Mail

6. In the right pane, delete the values

   Compose Use Stationery
   Stationery Name
   Wide Stationery Name

7. Navigate to the key

   HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail

8. In the right pane, delete the value

   EditorPreference

9. Navigate to and delete these subkeys:

   HKEY_CLASSES_ROOT\dllFile\Shell
   HKEY_CLASSES_ROOT\dllFile\ShellEx
   HKEY_CLASSES_ROOT\dllFile\ScriptEngine
   HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode

10. Exit the Registry Editor.
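The removal steps above name the registry artifacts one by one. As an added example (not from the thread and not a Symantec tool), the following Python script audits a text export made with `regedit /e` for exactly those keys and values, so you can confirm before and after editing that nothing listed is still there. The sample export embedded in it is constructed: the key and value names are the ones from the instructions above, while the file paths in the data are assumed.

```python
"""Audit a regedit text export for the HTML.Redlof.A registry artifacts
named in the removal steps above (added example; not Symantec's tool).

Assumes the export came from `regedit /e out.reg`: a [KEY] header per
section, then "name"=data or @=data lines. Windows 2000's regedit writes
UTF-16 with a BOM; REGEDIT4-style exports are ANSI. load_export() handles both.
"""
import re
import sys

# Artifacts exactly as listed in the removal instructions.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Kernel32"
DLLFILE_SUBKEYS = [
    r"HKEY_CLASSES_ROOT\dllFile\Shell",
    r"HKEY_CLASSES_ROOT\dllFile\ShellEx",
    r"HKEY_CLASSES_ROOT\dllFile\ScriptEngine",
    r"HKEY_CLASSES_ROOT\dllFile\ScriptHostEncode",
]
STATIONERY_VALUES = ["Compose Use Stationery", "Stationery Name", "Wide Stationery Name"]
# [Default User ID] and [Outlook Version] vary per machine, so match them as wildcards.
OE_MAIL_KEY = re.compile(
    r"^hkey_current_user\\identities\\[^\\]+\\software\\microsoft\\outlook express\\[^\\]+\\mail$"
)
OFFICE_MAIL_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Outlook\Options\Mail"
EDITOR_PREF_VALUE = "EditorPreference"

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg_export(text):
    """Return {key: {value_name: raw_data}}; '@' is the key's default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1) if m.group(1) is not None else "@"] = m.group(2)
    return keys


def decode_sz(raw):
    """Turn a .reg string literal ("C:\\x\\y") into the plain string it encodes."""
    if raw is None or len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return raw
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def find_redlof_artifacts(text):
    """Report which listed artifacts are present (registry names are case-insensitive)."""
    lower = {k.lower(): {n.lower(): v for n, v in vals.items()}
             for k, vals in parse_reg_export(text).items()}
    stationery = []
    for key, vals in lower.items():
        if OE_MAIL_KEY.match(key):
            stationery.extend(v for v in STATIONERY_VALUES if v.lower() in vals)
    return {
        "run_value": decode_sz(lower.get(RUN_KEY.lower(), {}).get(RUN_VALUE.lower())),
        "dllfile_subkeys": [
            sub for sub in DLLFILE_SUBKEYS
            if any(k == sub.lower() or k.startswith(sub.lower() + "\\") for k in lower)
        ],
        "stationery_values": stationery,
        "editor_preference": EDITOR_PREF_VALUE.lower() in lower.get(OFFICE_MAIL_KEY.lower(), {}),
    }


def load_export(path):
    """Decode a regedit export whichever format produced it."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")


# Constructed sample of an infected machine's export; the paths are assumed values.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Kernel32"="C:\\WINNT\\system32\\Kernel32.dll"
"Synchronization Manager"="mobsync.exe /logon"

[HKEY_CLASSES_ROOT\dllFile\Shell\Open\Command]
@="C:\\WINNT\\System32\\WScript.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\dllFile\ScriptEngine]
@="VBScript"

[HKEY_CURRENT_USER\Identities\{00000000-0000-0000-0000-000000000000}\Software\Microsoft\Outlook Express\5.0\Mail]
"Compose Use Stationery"=dword:00000001
"Stationery Name"="C:\\WINNT\\web\\stationery.htm"
"""

if __name__ == "__main__":
    # Usage: python redlof_reg_audit.py [export.reg]; with no argument, audits the sample.
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for name, found in find_redlof_artifacts(text).items():
        print(f"{name:18}: {found if found else '-'}")
```

Export the hives with `regedit /e before.reg` (and again after editing), run the script over both files, and an empty report on the second confirms every item on the list is gone. The Outlook Express stationery values and EditorPreference also exist on machines where a user chose stationery deliberately, so treat those two findings as "review", and the Run value and dllFile subkeys as the firm indicators.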
 
Hi stormbringer,

Thanks for the reply.

I have done all that, except this:
Run a full system scan, and delete all files that are detected as HTML.Redlof.A.

You know, those are HTML files I have collected and saved over a period of time; like I said, Iczelion's assembly tutes,
EliCZ's pages on system coding, Matt Pietrek's pages from Under the Hood, MSDN KB articles which seemed good, etc. etc.

I did not want to delete them; I wanted to clean them.

The way I do it now is open those pages in FrontPage,
select the **** that was put in and delete it, and resave them.

And I wanted to delete the wscript.exe as this Symantec article says:

http://securityresponse.symantec.com/avcenter/venc/data/win.script.hosting.html

But to my horror I found that I could not delete it; Windows kept on regenerating it. (I don't see an option in Symantec to send a query about their article; still, I filled in a feedback form that said there will be no reply, asking for a reply in the faint hope that someone who reads it (if at all they read) may answer.)

So again I went on a searching spree as to why it is so, and read that Windows protects its system files and puts them back from dllcache (the first time I read about it was in a TechSpot article, and I reached this forum from there).

On further searches I got this URL,
which poses the same question I posed:

http://cert.uni-stuttgart.de/archive/focus-ms/2002/10/msg00020.html

I am trying to understand how to do this (I haven't understood it;
it seems basically that he is putting notepad.exe in the place of wscript.exe in dllcache and lets the system write the notepad into wscript.exe). Hope I am right.

Well, I will tell if it worked.

BTW if you wanna read more about Redlof (including a disassembly of it),

go here: http://www.geocities.com/nolege4u/html.redlof.htm

BTW can you give me some ideas on how to clean the infected files (not delete them)?

And any more info is welcome.

Thanks



PS to any of the admins here:

What is the session time to post a reply? It says I haven't logged in
if I take time to type a long letter (since I frequently visit some forums, I always have the post in my clipboard before I press submit, so that if it bungles up I don't have to type again).
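Cleaning the saved pages one at a time in FrontPage, as this post describes, is the same operation a script can do for a whole folder. As an added example (not from the thread, and not anyone's published cleaner), the following Python script walks a directory of .htm/.html files, reports every VBScript `<script>` element it finds, and only when run with `--apply` backs each file up and writes it back without those elements. It assumes that the injected 12 KB sits in the page as a complete `<script language=vbscript>...</script>` (or `type="text/vbscript"`) element; the infected sample embedded in it is a constructed stand-in, not the real script.

```python
"""Find and strip VBScript <script> elements from saved HTML pages.

Added example, not the thread's own or anyone's published tool. It
assumes the injected code is a complete <script language=vbscript> ...
</script> (or type="text/vbscript") element. Dry run by default: a file is
rewritten only with --apply, and a .bak copy of the original is kept first.
"""
import argparse
import re
from pathlib import Path

VBSCRIPT_BLOCK = re.compile(
    r"<script\b[^>]*\b(?:language|type)\s*=\s*[\"']?(?:text/)?vbscript\b[^>]*>.*?</script\s*>",
    re.IGNORECASE | re.DOTALL,
)


def find_vbscript_blocks(html):
    """Return (start, end) offsets of every VBScript element in the text."""
    return [(m.start(), m.end()) for m in VBSCRIPT_BLOCK.finditer(html)]


def strip_vbscript_blocks(html):
    """Return (cleaned_html, [removed_blocks]); other <script> elements stay untouched."""
    removed = []

    def take(match):
        removed.append(match.group(0))
        return ""

    return VBSCRIPT_BLOCK.sub(take, html), removed


def clean_file(path, apply=False):
    """Inspect one page; with apply=True, back it up and rewrite it without the blocks.

    Decoding as latin-1 is byte-transparent, so everything outside the removed
    elements is written back exactly as it was, whatever the page's real charset.
    """
    raw = path.read_bytes()
    cleaned, removed = strip_vbscript_blocks(raw.decode("latin-1"))
    if removed and apply:
        path.with_name(path.name + ".bak").write_bytes(raw)
        path.write_bytes(cleaned.encode("latin-1"))
    return len(removed), sum(len(b) for b in removed)


def scan_tree(root, apply=False, exts=(".htm", ".html")):
    """Walk root; return {path: (block_count, bytes_in_blocks)} for files that had any."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in exts:
            count, size = clean_file(path, apply)
            if count:
                report[str(path)] = (count, size)
    return report


# Constructed sample of an infected saved page (the VBScript body is a stand-in).
SAMPLE_INFECTED = """<html><head><title>Saved tutorial</title>
<script language="javascript">/* legitimate page script, must survive */</script>
</head><body><p>Original page content.</p>
<script language=vbscript>
' stand-in for the injected ~12 KB; the real body is not reproduced here
Dim PlaceholderOnly
</script>
</body></html>
"""

if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="report or strip VBScript elements in saved HTML")
    ap.add_argument("root", help="folder of saved .htm/.html pages")
    ap.add_argument("--apply", action="store_true", help="rewrite files (keeps .bak copies)")
    args = ap.parse_args()
    for file, (count, size) in scan_tree(args.root, args.apply).items():
        print(f"{file}: {count} VBScript element(s), {size} bytes{' removed' if args.apply else ''}")
```

Run it without `--apply` first and read the report: a few saved MSDN-era pages legitimately contain small VBScript samples, and the size column (roughly 12 KB per infected file, per the first post) separates those from the injected block. JavaScript and untyped `<script>` elements are never touched.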
 
There is no need to disable or uninstall wscript if you are using AV software. The article does not recommend you remove wscript. It says it is not necessary if you have NAV '01 or later. I assume that would pretty much mean that any AV worth its salt that has been released since then would be sufficient.

The article does tell of another way to disable wscript, by running something called NoScript.exe.

The best advice I can give is to get an AV and keep it updated. If the AV you use has an option of trying to clean the files first, try that; if it can't clean the file, it will then delete or quarantine it.
 
Thanks for the reply.

The noscript does what you pasted in the first reply automatically;
that is, it disassociates the .vbs file association and removes the registry entries.

It does not delete wscript.

BTW getting AVs etc. is prevention; I want to do a post-mortem.

So probably I am alone, it seems.

BTW did you read the Stuttgart article?

Anyway, thanks again for replying.
 
Why do you want to delete wscript? It is the Windows Scripting Host service.

What I pasted in the first reply is the removal instructions for the virus. I think you are getting a little confused, as the virus and wscript are not the same thing.

BTW, that article is a bit like cutting off one's nose to spite his face. Unless you want to completely rid your ability to run any script on your system at all (not all scripts are dangerous), I wouldn't recommend doing it. If you wish to do so anyway, go ahead; the Stuttgart link tells you how to do it.
 