One man's job
by Andrew Cooper
February 4, 2005 - Part III
Antivirus scan
Those two programs were good, and they had probably removed many of the junk elements, but I was afraid that the computer was still infested. To remove the rest of the nefarious elements, I installed the trial version of Norton AntiVirus 2005. After following the installation and update procedures, I scanned the whole system with the program. It spotted and removed a Trojan from the computer.
Subsequent scans came back clean, and I was happy to have cleaned all the viruses and spyware off the system.
But as Task Manager was still not working, I wanted to know what else I needed to do to refit the PC.
Focus on the suspect
Do you recall the kernels32.exe file written in the Windows startup registry that raised my suspicion? I wanted to know more about what the file was capable of doing. To do that, I made a simple Google search for "kernels32.exe," and Google returned a link to a well-known antivirus company, Sophos. There, I found myself on a virus-specific Web page, where I finally learned that my friend's computer had been infected with the "Troj/Dloader-FS" virus. All the virus descriptions explicitly pointed to that case:
In the Advanced tab of the Virus Information window, the company provided specifics about the virus:
"The virus attempts to disable the Windows Task Manager by changing registry keys and alters the infected computer's internet security settings by adding registry entries to the following registry threads: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\213.159.117.133 and HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\213.159.117.133."
Bingo! Everything I had found on the computer was reflected in this advisory, which meant the PC was definitely affected by this type of virus. By following the advisory, I was able to mend Task Manager by reverting the registry changes made by the virus; I also restored the original security settings of the Internet zone.
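An added example that is not from the article or the advisory: a read-only PowerShell audit of the three registry areas described above (the Task Manager restriction, the ZoneMap\Domains entries, and the startup Run keys). It assumes the Task Manager restriction is the standard DisableTaskMgr policy value, which the advisory does not name, and it reads the registry without changing anything.

```powershell
# Added example, not part of the article. Reports the registry changes the
# Sophos advisory attributes to Troj/Dloader-FS; it never modifies the registry.
$findings = @()

# 1. Task Manager blocked by policy? Assumption: the standard DisableTaskMgr value.
foreach ($hive in 'HKCU', 'HKLM') {
    $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System"
    $val = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
    if ($val -eq 1) { $findings += "$hive DisableTaskMgr = 1 (Task Manager disabled by policy)" }
}

# 2. Every host placed in an Internet Explorer zone via ZoneMap\Domains.
# Zone numbers: 0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites.
foreach ($hive in 'HKCU', 'HKLM') {
    $domains = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    Get-ChildItem -Path $domains -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        foreach ($p in $props.PSObject.Properties) {
            # Scheme-named values ('*', 'http', 'https', 'ftp') hold the zone number.
            if ($p.Name -in '*', 'http', 'https', 'ftp') {
                $line = "$hive ZoneMap: host=$($_.PSChildName) scheme=$($p.Name) zone=$($p.Value)"
                if ($_.PSChildName -eq '213.159.117.133') { $line += "  <-- host named in the advisory" }
                $findings += $line
            }
        }
    }
}

# 3. Startup entries in the Run keys; flag the file name seen earlier in the article.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath properties
        $line = "$key : $($p.Name) = $($p.Value)"
        if ($p.Value -match 'kernels32\.exe') { $line += "  <-- matches the suspect startup entry" }
        $findings += $line
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output $_ } }
else { Write-Output 'No findings.' }
```

Run it in an elevated PowerShell session so the HKLM branches are readable; each reported line can then be compared against the advisory before any value is reverted by hand.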
After a protracted battle, I was finally able to cure the ailing computer and hand it back to my friend unscathed. As I later found out, this virus could be acquired simply by visiting a maliciously crafted Web site carrying scripting elements such as ActiveX or JavaScript.
Final thought
You should exercise caution when surfing the Net. Turn your Internet Explorer browser's security settings to "high," and never download any suspicious or unknown file from the Internet. Also, if possible, you should have the "golden three" programs: an antivirus program, a spyware remover, and a firewall.
Furthermore, basic knowledge of the Windows OS and the programs that run on it will help you identify undesirable elements that you should keep a close eye on.