Author |
Message |
Clayma #1 / 8
|
 Nimda and XP
I am running Win XP Pro on a single computer. (I have plans to add a second computer in a couple of weeks of a small network.) I have a cable modem connection. Yesterday, I noticed that something was writing to my HD in a way that seemed unnatural, so I ran NAV 2002 and it told me that Iesplore.exe was corrupted with the NimdaE virus. I quarantined and deleted the file and then rebooted. I ran both Nimda E and A fixes and it told me that I did not have the virus. Since I had rebooted in between getting the virus and finding it, I started looking for corrupted files. I also installed Norton Internet Security. I first noticed that the email setting in NAV was showing an error. I was advised to uninstall NAV and reinstall it. The fresh install solved that problem.

I was wondering about the IEXPLORE.exe file because I deleted it. It happened to show up again even though I didn't install a fresh copy. However, I'm having a problem accessing Windows Media files on web sites like CNN. When I went to the listing in the Internet Access Control section of Norton Internet Security, it tells me that my copy of Internet Explorer and Windows Media Player, both, "does not have a digital signature or the digital signature is invalid." Is this normal? How did I get a copy of IEXPLORE.exe without installing a fresh file? If these files are corrupted in some way, is there a way to get copies without reformatting my HD?

Since I installed Norton Internet Security (firewall), it has alerted me a number of times that several computers have tried to access my computer on known Trojan and Backdoor ports. I've blocked them all. On their web site, Norton advises to reformat and reinstall to be absolutely sure about security. I'd like to avoid this if at all possible. In a search of my HD, there are 5 instances of Iexplore. Three relate to the help files. The other two are inexplore.exe modified on 8/23/2001 and the other is IEXPLORE.exe-27122324.pf modified 11/11/2001.
Can anyone shed any light on this at all? TIA Barry Bernstein
|
Fri, 30 Apr 2004 13:38:30 GMT |
|
 |
Robert Moi #2 / 8
|
 Nimda and XP
Let's try a reality check; what do you get if you scan your computer with a different virus scanner besides Norton AntiVirus?
|
Sat, 01 May 2004 02:00:56 GMT |
|
 |
Clayma #3 / 8
|
 Nimda and XP
Robert, I'm going to download and run a different virus software and see what comes up. However, I'm not sure exactly what you mean by "reality check".

1) Are you saying that Norton is exaggerating the problem? That is quite possible. I installed the Norton firewall after I received the Nimda warning. I'm also noticing that I get an alert that a backdoor/trojan is accessing my computer when I start to download a streaming media file. Heck, I got one when I tried to download a couple of XP updates from the Windows Update site.

2) Are you saying that I'm overreacting? That is also quite possible. I ran NAV twice afterwards. I downloaded and ran "The Cleaner" software. I installed the Norton personal firewall. My problem is that I don't understand what got corrupted and what didn't when NAV told me my one file IExplore.exe was corrupted with Nimda. I'm particularly sensitive towards it because my brother's office was attacked twice by the virus and a good friend at Ford Motor said that they have had a terrible time getting rid of the virus.

Barry
|
Sat, 01 May 2004 02:38:14 GMT |
|
 |
Robert Moi #4 / 8
|
 Nimda and XP
Quote:
> Robert,
> I'm going to download and run a different virus software and see what comes up. However, I'm not sure exactly what you mean by "reality check". 1) Are you saying that Norton is exaggerating the problem?

Well ALL virus scanners (as much as I don't like it, I want to make it clear I'm not picking on Nortons here) have the occasional problem with false alarms. A reality check is where you simply get another opinion from another scanner; if your normal scanner is suggesting something strange and you don't see how it could have happened, it's always a good idea to get a 2nd opinion.

You might find the following link interesting - http://www.symantec.com/avcenter/venc/data/false.positive.on.ikernel.... m.installshield.html - while I don't think this applies directly to your problem here, it does suggest the recent updates of NAV may have had a few problems. Do things make more sense if you apply the updates they post to fix this problem?

Quote:
> That is quite possible. I installed the Norton firewall after I received the Nimda warning. I'm also noticing that I get an alert that a backdoor/trojan is accessing my computer when I start to download a streaming media file. Heck, I got one when I tried to download a couple of XP updates from the Windows Update site.

I don't know enough about how Norton's firewall works to comment/help in detail here, but sometimes all personal firewalls can mistake legitimate (if slightly different from normal) requests for data transfer as attacks.

Quote:
> 2) Are you saying that I'm overreacting? That is also quite possible. I ran NAV twice afterwards. I downloaded and ran "The Cleaner" software. I installed the Norton personal firewall. My problem is that I don't understand what got corrupted and what didn't when NAV told me my one file IExplore.exe was corrupted with Nimda. I'm particularly sensitive towards it because my brother's office was attacked twice by the virus and a good friend at Ford Motor said that they have had a terrible time getting rid of the virus.
> Barry

I don't think *you* are over reacting, more that *possibly* your virus scanner may well be over reacting. And yes, Nimda can be tricky to get rid of, but this is more a case on networks due to how it spreads than it is on a single home machine.

--
Robert Moir, Microsoft Windows 2000/NT MVP
To search the MS Knowledge base use the link below: http://support.microsoft.com/support/search/c.asp?PSL=1
My Homepage - http://www.robertmoir.co.uk
** Emailed questions will not be answered **
|
Sun, 02 May 2004 01:57:57 GMT |
|
 |
Clayma #5 / 8
|
 Nimda and XP
Robert, This clarifies the whole thing. First of all, is there egg on my face? The link to the lkernel.exe false positive has either been moved or deleted from the Norton site. However, I get the idea about false positives. Also, I believe that it was the ikernel.exe file, not the iexplore.exe file that Norton said was corrupted with Nimda. I guess I never had the virus. I did delete the Install Shield file ikernal.exe. Is this something I need and can I install a fresh copy?

Secondly, I typed false positive into the search engine at Symantec and read about false warnings about trojans and backdoors. I see that I was paranoid for nothing. I guess I'm the one who really needed a reality check. It kind of upsets me because I wasted a lot of time and it created a certain amount of needless stress. My brother's investment business had the Nimda virus, twice, and getting rid of it was time consuming and expensive for them.

Have you tried Zone Alarm or any other type of firewall that you like? Anyway, thanks for helping me get to the bottom of this thing.

Barry
|
Sun, 02 May 2004 02:48:56 GMT |
|
 |
Robert Moi #6 / 8
|
 Nimda and XP
Quote:
> Robert,
> This clarifies the whole thing. First of all, is there egg on my face? The link to the lkernel.exe false positive has either been moved or deleted from the Norton site. However, I get the idea about false positives. Also, I believe that it was the ikernel.exe file, not the iexplore.exe file that Norton said was corrupted with Nimda. I guess I never had the virus. I did delete the Install Shield file ikernal.exe. Is this something I need and can I install a fresh copy? Secondly, I typed false positive into the search engine at Symantec and read about false warnings about trojans and backdoors. I see that I was paranoid for nothing. I guess I'm the one who really needed a reality check.

Well, not at all, if you haven't come across this issue with false alarms before how are you supposed to know? I do this sort of stuff for a living, so dealing with viruses and security stuff is just another day at the office for me, and therefore I'm used to all this sort of nonsense, which is why us regulars here all sound so blase about it all. I am sure if you dropped me into your desk and your job and environment there are things I would struggle with.

As for recovering the file, I think the link below might prove helpful. I don't know if you need to or not, because I don't know much about installshield.

http://support.installshield.com/kb/view.asp?pcode=ALL&articleid=Q105740

http://www.f-prot.com/f-prot/news/nonimda.html might also be interesting, from an antivirus company whose install routine uses installshield and was affected.

Quote:
> It kind of upsets me because I wasted a lot of time and it created a certain amount of needless stress. My brother's investment business had the Nimda virus, twice, and getting rid of it was time consuming and expensive for them.

Yes, no end of people have had a lot of trouble with it, I can understand why you'd worry about an alert on it.

Quote:
> Have you tried Zone Alarm or any other type of firewall that you like?

I like Zone Alarm... I use the XP firewall now but I did like ZA.

Quote:
> Anyway, thanks for helping me get to the bottom of this thing.

You are more than welcome, glad to help!
|
Sun, 02 May 2004 04:08:28 GMT |
|
 |
Clayma #7 / 8
|
 Nimda and XP
Robert, I followed the Install Shield link and easily reinstalled it. Now everything is back to normal. Thanks again. At first I was a little skeptical about the inability to talk to a human being at Microsoft. I am, however, a veteran of newsgroups and I'm quite comfortable using them. I see that this process works and would not hesitate to use it again. In fact, I've accessed some of the other MS help newsgroups and have posted replies to help other people with their problems. It's fun and I'm good at it. I was wondering, where does one become knowledgeable about security and security issues? I have helped numerous people in my area get rid of viruses like Sircam. In fact, an unknowing friend was about to release the Sircam virus to numerous people all over town. He had Zone Alarm and at a chance meeting he mentioned that his computer wasn't running right and Zone Alarm kept asking him if he wanted to send out emails to all his friends. He wanted to know what that "scam" thing was. Of course, I knew right away that he had the Sircam virus. Actually, my first experience with viruses occurred when a gallery, I'm a clay artist, that I sell to, gave me the Kakworm virus. I had the foresight to manually delete the files and registry entries even though the "fix" said that it had taken care of the problem. I've been interested in the subject ever since. Barry Bernstein
|
Sun, 02 May 2004 07:31:39 GMT |
|
 |
Robert Moi #8 / 8
|
 Nimda and XP
Quote:
> Robert,
> I followed the Install Shield link and easily reinstalled it. Now everything is back to normal.
> Thanks again. At first I was a little skeptical about the inability to talk to a human being at Microsoft. I am, however, a veteran of newsgroups and I'm quite comfortable using them. I see that this process works and would not hesitate to use it again. In fact, I've accessed some of the other MS help newsgroups and have posted replies to help other people with their problems. It's fun and I'm good at it.

Yeah I enjoy this too... I like the challenge of solving problems, and helping people, and learning something new.. 3 things I like.

Quote:
> I was wondering, where does one become knowledgeable about security and security issues?

Well I wouldn't claim I was an expert or especially knowledgeable, I got into security stuff purely because no one else in my office at the time wanted to do it... Then once you start it's like "He did security stuff before". And since I found I enjoyed the bits I can do... well.. I didn't resist too hard.

There are good sites on security in general out there like www.sans.org and if you are very interested in viruses the alt.comp.virus and alt.comp.antivirus newsgroups can be interesting - as long as you take some of the stuff in there with a pinch of salt!

Quote:
> I have helped numerous people in my area get rid of viruses like Sircam. In fact, an unknowing friend was about to release the Sircam virus to numerous people all over town. He had Zone Alarm and at a chance meeting he mentioned that his computer wasn't running right and Zone Alarm kept asking him if he wanted to send out emails to all his friends. He wanted to know what that "scam" thing was. Of course, I knew right away that he had the Sircam virus.
> Actually, my first experience with viruses occurred when a gallery, I'm a clay artist, that I sell to, gave me the Kakworm virus. I had the foresight to manually delete the files and registry entries even though the "fix" said that it had taken care of the problem. I've been interested in the subject ever since.

Yeah, it's a challenge, I think some people have a mind-set to get into it and others just don't - it's not about how smart people are either. I know people with PhDs in mathematics who just don't "get" stuff that sounds so basic to me, but I feel the same when they show me a bunch of equations on a board and say "There, isn't that obvious?".
|
Mon, 03 May 2004 03:11:39 GMT |
|
|
|