TechSpot

windows file protection

By bluffer
Oct 25, 2003
  1. Well, I recently had a Redlof virus attack on my PC.

    In short, this virus puts a VBScript file named kernel32.dll in the system folder and executes it whenever an infected file is opened, via a
    registry entry at hklm/soft/mic/wind/currverr/run.

    It infects files with .html and .htm extensions (I had only these infected; dunno if it infects other files), i.e. if you have saved some web pages for future reading (like Iczelion's tutes, MSDN KB articles, Under the Hood articles) it infects them (adds 12 KB of VBScript stuff to those files).

    This also uses wscript.exe.

    On browsing through for info, I read in one Symantec article (search "noscript" in Symantec) that you can delete wscript.exe.

    Well, I tried renaming it, but this file refuses to be renamed;
    it generates a new version of itself every time it is renamed.

    So I cut it from that folder and pasted it somewhere else;
    still it got generated (pesky file, huh).

    So I started to search why it is so.

    On going through Event Viewer, I saw a warning stating that a Windows-file-protected file is being replaced.

    So I searched for info again and came to TechSpot
    (I've also read the article by accel on disabling SFC).

    Is it recommended?

    Can I delete this wscript alone? Is it possible to do it?
    What kind of implications may there be if it is deleted?

    Any replies are welcome.
     
  2. bluffer

    bluffer TS Rookie Topic Starter

    No answers,
    not even some vague replies.

    Hmmm, is the question sounding stupid, or is it hard to reply?

    ~6000 members and 65000 posts, big forum.

    BTW, my OS is W2K.
     
  3. StormBringer

    StormBringer TS Rookie Posts: 2,871

    Sounds like you were being a bit confused by the info in the article and the removal. I just copied and pasted the removal instructions below for you.

     
  4. bluffer

    bluffer TS Rookie Topic Starter

    Hi StormBringer,

    Thanks for the reply.

    I have done all that except this:
    Run a full system scan, and delete all files that are detected as HTML.Redlof.A.

    You know, those are HTML files I have collected and saved over a period of time, like I said: Iczelion's assembly tutes,
    EliCZ's pages on system coding, Matt Pietrek's pages from Under the Hood, MSDN KB articles which seemed good, etc. etc.

    I did not want to delete them; I wanted to clean them.

    The way I do it now is open those pages in FrontPage,
    select the **** that was put in and delete it, and resave them.

    And I wanted to delete wscript.exe, as this Symantec article says:

    http://securityresponse.symantec.com/avcenter/venc/data/win.script.hosting.html

    But to my horror I found that I could not delete it; Windows kept on regenerating it. (I don't see an option in Symantec to send a query about their article; still, I filled in a feedback form that said there will be no reply, asking for a reply in the faint hope that someone who reads it (if at all they read) may answer.)

    So again I went on a searching spree as to why it is so, and read that Windows protects its system files and puts them back from dllcache (the first time I read about it was from a TechSpot article, and I reached this forum from there).

    On further searches I got this URL,
    which poses the same question I posed:

    http://cert.uni-stuttgart.de/archive/focus-ms/2002/10/msg00020.html

    I am trying to understand how to do this (I haven't understood it;
    it seems basically that he is putting notepad.exe in the place of wscript.exe in dllcache and lets the system write the notepad into wscript.exe). Hope I am right.

    Well, I will tell you if it worked.

    BTW, if you want to read more about Redlof (including a disassembly of it),

    go here: http://www.geocities.com/nolege4u/html.redlof.htm

    BTW, can you give me some ideas on how to clean the infected files (not delete them)?

    And any more info is welcome.

    Thanks.



    PS to any of the admins here:

    What is the session time to post a reply? It says I haven't logged in
    if I take time to type a long letter. (Since I frequently visit some forums, I always have the post in my clipboard before I press submit, so that if it bungles up I don't have to type it again.)
     
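The thread leaves two practical questions open: post 1 asks which saved pages were infected, and post 4 asks how to clean them instead of deleting them. The script below is an added example, written for this edit and not taken from the thread, Symantec or any of the linked pages. It assumes (as the posts suggest, but do not spell out) that the infection is a `<script>` element whose language or type attribute names VBScript, appended to the saved .htm/.html file; the sample page is constructed for the example and only mimics the shape of the appended payload, not its contents. It scans a directory tree for such files, removes the VBScript element, and keeps a `.bak` copy of each file it rewrites. It does nothing about the kernel32.dll script, the Run key or wscript.exe, which the removal instructions from the earlier reply cover.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample: a saved tutorial page with a VBScript element appended
# after </html>. The real appendix is ~12 KB; this stand-in only copies the
# shape (assumption), not the actual Redlof code.
SAMPLE_INFECTED = """<html><head><title>Iczelion tutorial 1</title></head>
<body><p>Win32 assembly, part 1.</p></body></html>
<script language="vbscript">
<!--
Document.write "<div style='position:absolute;left:0;top:0;width:0;height:0'>"
' ... padding standing in for the real payload ...
-->
</script>
"""

# Constructed sample: a page with no script at all, which must be left alone.
SAMPLE_CLEAN = "<html><body><p>nothing to see</p></body></html>\n"

# A <script ...> element whose language= or type= attribute names VBScript
# (language=vbscript, language=vbs, type=text/vbscript, quoted or not),
# matched case-insensitively, body allowed to span lines (DOTALL).
VBSCRIPT_BLOCK = re.compile(
    r"<script\b[^>]*(?:language|type)\s*=\s*[\"']?(?:text/)?vbs(?:cript)?[\"']?[^>]*>"
    r".*?</script\s*>",
    re.IGNORECASE | re.DOTALL,
)


def find_vbscript_blocks(html: str) -> List[str]:
    """Return every VBScript <script> element found in the page text."""
    return [m.group(0) for m in VBSCRIPT_BLOCK.finditer(html)]


def strip_vbscript(html: str) -> Tuple[str, int]:
    """Return (cleaned page, number of VBScript elements removed)."""
    return VBSCRIPT_BLOCK.subn("", html)


def scan_tree(root: Path) -> Dict[Path, int]:
    """Map each .htm/.html file under root that carries VBScript to its hit count."""
    hits: Dict[Path, int] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in (".htm", ".html"):
            # latin-1 maps every byte to one code point, so the round trip
            # back to disk preserves bytes the page does not touch.
            n = len(find_vbscript_blocks(p.read_text(encoding="latin-1")))
            if n:
                hits[p] = n
    return hits


def clean_file(p: Path) -> int:
    """Strip VBScript from one file, keeping the original as <name>.bak."""
    text = p.read_text(encoding="latin-1")
    cleaned, n = strip_vbscript(text)
    if n:
        p.with_suffix(p.suffix + ".bak").write_text(text, encoding="latin-1")
        p.write_text(cleaned, encoding="latin-1")
    return n


def demo(root: Optional[Path] = None) -> Tuple[int, int]:
    """Write the constructed samples to a scratch dir, scan, clean, rescan.

    Returns (files flagged before cleaning, files flagged after cleaning).
    """
    root = root or Path(tempfile.mkdtemp(prefix="redlof_"))
    (root / "tute1.html").write_text(SAMPLE_INFECTED, encoding="latin-1")
    (root / "notes.htm").write_text(SAMPLE_CLEAN, encoding="latin-1")
    before = scan_tree(root)
    for p in before:
        clean_file(p)
    after = scan_tree(root)
    return len(before), len(after)


if __name__ == "__main__":
    print("flagged before/after cleaning:", demo())
```

Run it against a copy of the saved-pages folder first and diff a few `.bak` files against the cleaned output before trusting it, since the pattern is an assumption about how the payload is attached; a page that legitimately uses VBScript (some old MSDN samples do) will lose that script too, so check the hit list rather than cleaning blindly.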
  5. StormBringer

    StormBringer TS Rookie Posts: 2,871

    There is no need to disable or uninstall wscript if you are using AV software. The article does not recommend you remove wscript. It says it is not necessary if you have NAV '01 or later. I assume that would pretty much mean that any AV worth its salt that has been released since then would be sufficient.

    The article does tell of another way to disable wscript, by running something called NoScript.exe.

    The best advice I can give is to get an AV and keep it updated. If the AV you use has an option of trying to clean the files first, try that; if it can't clean the file, it will then delete or quarantine it.
     
  6. bluffer

    bluffer TS Rookie Topic Starter

    Thanks for the reply.

    The NoScript does what you pasted in the first reply automatically,
    that is, it disassociates the .vbs file association and removes the registry entries.

    It does not delete wscript.

    BTW, getting AVs etc. is prevention; I want to do a post mortem.

    So probably I am alone, it seems.

    BTW, did you read the Stuttgart article?

    Anyway, thanks again for replying.
     
  7. StormBringer

    StormBringer TS Rookie Posts: 2,871

    Why do you want to delete Wscript? It is the Windows Scripting Host service.

    What I pasted in the first reply is the removal instructions for the virus. I think you are getting a little confused, as the virus and Wscript are not the same thing.

    BTW, that article is a bit like cutting off one's nose to spite one's face. Unless you want to completely rid yourself of the ability to run any script on your system at all (not all scripts are dangerous), I wouldn't recommend doing it. If you wish to do so anyway, go ahead; the Stuttgart link tells you how to do it.
     