First, I hope I'm doing this in the right forum and don't need to double post in the Nod forum as well. OK. I am running Wormguard (Demo) and TDS-3 (Demo) with purchased Nod32; I also opted to run DiamondCS RegProt today. Well, not good: I had an HKEY root entry, actually HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command\, pop up in RegProt. Now I'm somewhat concerned by this, as my understanding is that Wormguard was supposed to have caught this, as it is a worm, or at least classified as a worm by Symantec back in 2002. Also, because I'm running Nod32, I was under the impression that this worm should have been caught in the scan. My settings are deep / all files, and I set the heuristics to maximum, running both IMON and AMON. I'm not passing judgement yet, as this could be a case of operator error. So I'm looking for some guidance and assistance from those a bit wiser than me when dealing with these issues. First off, how did it come in: friend, family, email? As I check the registry, it shows it listed in \Software\Microsoft\InternetExplorer\ExplorerBars\ as something called win32.pops. Looking forward to the help. Thanks
Hi C05, the information you provided doesn't seem totally complete. First of all, you listed the registry key "HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command\", which is a valid key to be present in the registry. The issue may well be what is defined in it, not that it exists. The image below is from Regedit on my XP system, which shows that I have ScriptSentry linked there, which is another script checker, though not nearly as powerful as Wormguard. Second, you listed another registry key (though the upper level isn't specified here): "?\Software\Microsoft\InternetExplorer\ExplorerBars\". What's in that key for a value? What's the top part of that key (HKEY_LOCAL_MACHINE maybe)? How exactly are you looking this up at the Symantec site in order to determine that it might be a worm? I'm thinking that with more information here we may find that it isn't a worm at all. (Though certainly it could be; we just don't have all the data posted here yet.)
My apologies, LowWaterMark. Here is the appropriate information that I think will help solve the puzzle. I looked up the following in Google: HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command\. And I checked this link: http://securityresponse.symantec.com/avcenter/venc/data/w32.pops.html. I then went to regedit and searched for "Janis" and found: Pass.on, BetLog.bin, Janis, Sex.com. It was located in My Computer\HKEY_USERS\misc numbers letters\Software\Microsoft\Internet Explorer\Explorer Bars\{MiscNumbers and letters
Hi, the registry key in question is related to telling Windows HOW to run files with the extension .VBS. By default this is to use Windows Scripting Technology, and this is inherently dangerous, so RegProt shows you what is being used to handle these files. Most users have no need to be able to run VBS files, and should modify the handler to NOTEPAD.EXE %1. This means when you double click a VBS file it will simply open in Notepad. You probably won't EVER see this happen unless you use VBS files for advanced operations. Even then, most admins prefer Perl scripts.
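As an added illustration of Gavin's advice above (this is not code from the thread or from any of the products mentioned), here is a PowerShell script that reads the command currently registered for .VBS files, reports whether it hands them to the Windows Script Host, and can optionally switch the handler to NOTEPAD.EXE as he suggests. Only the key path comes from the thread; the function names and the assumption that the stock handler references WScript.exe or CScript.exe are mine. Writing to HKEY_CLASSES_ROOT needs an elevated prompt, and a tool like RegProt will (correctly) prompt on the write.

```powershell
# Added example: audit and optionally harden the .VBS file handler that
# RegProt flagged in this thread. The key path is from the thread; the
# function names and the WScript/CScript check are this example's assumptions.

$VbsOpenKey = 'Registry::HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command'

function Get-VbsHandler {
    # Returns the (default) value of the key, i.e. the command Windows runs
    # when a .vbs file is double-clicked, or $null if the key is missing.
    if (-not (Test-Path -Path $VbsOpenKey)) { return $null }
    return (Get-ItemProperty -Path $VbsOpenKey).'(default)'
}

function Test-VbsHandlerIsScriptHost {
    param([string]$Command)
    # The Windows default points at the Windows Script Host
    # (typically "%SystemRoot%\System32\WScript.exe" "%1" %*).
    # Notepad, a script checker such as ScriptSentry, or an unknown program
    # are all possible here; only the script host actually executes the file.
    return ($Command -match '(?i)[wc]script\.exe')
}

function Set-VbsHandlerToNotepad {
    # Gavin's mitigation: open .vbs files in Notepad instead of running them.
    # Requires an elevated shell; HKCR is a merged view of
    # HKLM\Software\Classes and HKCU\Software\Classes.
    $notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
    Set-ItemProperty -Path $VbsOpenKey -Name '(default)' -Value "`"$notepad`" `"%1`""
}

$current = Get-VbsHandler
if ($null -eq $current) {
    Write-Output 'VBSFile open command is not defined.'
} elseif (Test-VbsHandlerIsScriptHost -Command $current) {
    Write-Output "VBS files are executed by the script host: $current"
    # Uncomment to apply the hardening discussed in the thread:
    # Set-VbsHandlerToNotepad
} else {
    Write-Output "VBS files are handled by a non-script-host program: $current"
}
```

Running the audit part alone answers LowWaterMark's question of what is actually defined in the key, which is the real thing to look at rather than the key's existence.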
Hi all, I'm kinda confused: what was it that was leading you (C05) to believe that this is a recent infestation (if in fact it is an infestation)? As Gavin pointed out, RegProt will show the VBS open key by default when it runs (and this key setting is the Windows default, as he mentioned). It may be that the other keys are dregs of a previous infestation that is no longer active. Perhaps you can post an ASViewer log? That might help us see what is going on. Please download and run DCS's AutostartViewer from http://www.diamondcs.com.au/downloads/asviewer.zip. Go to the "Main" menu and make sure that all three top options are selected, then press "Save" and copy & paste the results here for us to review. Thanks
I think the fact that this was found should be some form of evidence that something was residing on the box. Too much focus is being directed away from the main subject matter of what I'm seeking, which is: shouldn't Wormguard have caught it? The comment above is regarding something that popped up when I installed RegProt. The box was a clean box, as updates for the OS were done after I installed TDS3 and Wormguard after Nod32. Now granted, I didn't do the update to Nod32 right away. But after several updates to MS and some additional tools from the AnalogX site, I did the update and went about my business for several weeks. After installing RegProt I had several items pop up that I could justify; then the system was up, everything was loaded, and I'm in MS Word and up pops RegProt with the HKEY root info. Now all I'm asking is: how did it get past Wormguard?
C05, I see no evidence that anything got past Wormguard. It might possibly be the case that something has, but there is nothing in what I understood you to write that would indicate it. This is why I was trying to get some clarification and more info, so we can determine what, if anything, happened. Regards, Dan
Thanks for your patience, Dan. This has been a learning experience. I learned a few things and hopefully will be able to provide the info next time around. Thanks for the zip file. As for the box in question, it's going through a restore. Gonna reload Nod/Wormguard/TDS-3, then do the Windows updates, then drop in RegProt. Had a sit down with my son and found out a few things that were mentioned about a previous infection. Thank you for your patience in dealing with my somewhat impatient writing and lack of knowledge.
Oh! No worries at all! I know well enough how stressful it is to deal with these sorts of things. Please don't hesitate to ask additional questions whenever the situation warrants. Warm regards, Dan