OT-ish: Virus or not?

Paul Burke
Yesterday, testing a new Ethernet based thingy, having problems. Thought
the firewall might be involved, disabled it. Forgot, logged onto www.
Pzzzang, all sorts of popups, logged off fast. Restarted firewall, got
alert 'netlib.exe trying to access the web'.

Searched for netlib.exe, the virus folks say it's a component of a
virus. Ran virus check with latest updates, no virus found. Ran spybot
with latest updates, no problems.

So is this a virus or not? I don't know if it was there before, I don't
look at what's running except when one of my own programs has crashed.
Can't get rid of netlib.exe, access denied.

The virus description says it installs a number of other files- I can't
see these (I always display hidden files).

Any experiences/ advice much appreciated.

Paul Burke
 
On Tue, 05 Jul 2005 08:49:35 +0100, in sci.electronics.design Paul
Burke <paul@scazon.com> wrote:

> Yesterday, testing a new Ethernet based thingy, having problems. Thought
> the firewall might be involved, disabled it. Forgot, logged onto www.
> Pzzzang, all sorts of popups, logged off fast. Restarted firewall, got
> alert 'netlib.exe trying to access the web'.
>
> Searched for netlib.exe, the virus folks say it's a component of a
> virus. Ran virus check with latest updates, no virus found. Ran spybot
> with latest updates, no problems.
>
> So is this a virus or not? I don't know if it was there before, I don't
> look at what's running except when one of my own programs has crashed.
> Can't get rid of netlib.exe, access denied.
>
> The virus description says it installs a number of other files- I can't
> see these (I always display hidden files).
>
> Any experiences/ advice much appreciated.
>
> Paul Burke

Nasty. I'm no good at hacking the register thing in Windows, but one
little app that I find useful is
moveonboot
http://www.snapfiles.com/get/moveonboot.html
which will move or delete files before Windows grabs hold of it.
The other prog is regcleaner by Jouni Vuorio. Google for the free
version; it's not on his website anymore.


martin
 
"Paul Burke" <paul@scazon.com> wrote in message
news:3iut18FnhfanU1@individual.net...
> Yesterday, testing a new Ethernet based thingy, having problems. Thought
> the firewall might be involved, disabled it. Forgot, logged onto www.
> Pzzzang, all sorts of popups, logged off fast. Restarted firewall, got
> alert 'netlib.exe trying to access the web'.
>
> Searched for netlib.exe, the virus folks say it's a component of a
> virus. Ran virus check with latest updates, no virus found. Ran spybot
> with latest updates, no problems.

Key thing here is that you have to run the virus checker 'clean'. You
need to be booting a separate check disk, and using this, rather than the
OS. Unfortunately many worms 'mark themselves' as friendly to the virus
checker on the machine (basically add themselves to the list of files
excluded).

> So is this a virus or not? I don't know if it was there before, I don't
> look at what's running except when one of my own programs has crashed.
> Can't get rid of netlib.exe, access denied.
>
> The virus description says it installs a number of other files- I can't
> see these (I always display hidden files).
>
> Any experiences/ advice much appreciated.
>
> Paul Burke

Spybot is good, but you should try another package like AdAware as well.
You should be able to rename netlib.exe, and this may get rid of this
after a reboot, but many of the packages are smart enough to restore their
own files on reboot.
There are a couple of packages that will allow you to remove a file
automatically during the boot process before the OS has fully launched, and
these may get rid of the main body of the infection.

Best Wishes
 
Paul Burke wrote:

> Any experiences/ advice much appreciated.

Thanks everyone. I haven't got rid of it yet (if it is a virus), but at
least the firewall seems to be blocking it (fingers xxxxxxxxx).

Paul Burke
 
Paul Burke wrote:
> Yesterday, testing a new Ethernet based thingy, having problems. Thought
> the firewall might be involved, disabled it. Forgot, logged onto www.
> Pzzzang, all sorts of popups, logged off fast. Restarted firewall, got
> alert 'netlib.exe trying to access the web'.

You guys make me so glad I don't run windoze! Think about it.

Ted
 
Paul Burke <paul@scazon.com> writes:
> Yesterday, testing a new Ethernet based thingy, having problems. Thought
> the firewall might be involved, disabled it. Forgot, logged onto www.
> Pzzzang, all sorts of popups, logged off fast. Restarted firewall, got
> alert 'netlib.exe trying to access the web'.
>
> Searched for netlib.exe, the virus folks say it's a component of a
> virus. Ran virus check with latest updates, no virus found. Ran spybot
> with latest updates, no problems.
>
> So is this a virus or not? I don't know if it was there before, I don't
> look at what's running except when one of my own programs has crashed.
> Can't get rid of netlib.exe, access denied.
>
> The virus description says it installs a number of other files- I can't
> see these (I always display hidden files).
>
> Any experiences/ advice much appreciated.

http://www3.ca.com/securityadvisor/ has a nice little search engine
that looks for file names, not just christened names for net sludge.
Their search gives all the details about which virii use that name.
CA also provides free virus scans, perhaps that would help root out
the little scum.

Or, since it seems you are running Windows, booting into safe mode
and starting up the admin account should be enough to give you the
access to delete the file.

Or, if you wanted to mail it to me, with a subject line of
***VIRUS ATTACHED***
I'll turn my firepower against it and let you know what happens.

I've done volunteer virus reporting for a few people in the past and
hope it helps. Just don't start blasting the stuff at me without that
subject line, otherwise the automated reporting system will blast it
right back at the appropriate abuse address.

56465 Swen virus received and reported.
Email address IS valid, I bait SWEN virus with it.
Now if I can just get Bigpond/Telstra to clean up their ongoing infection.
 
Paul Burke wrote:
> Yesterday, testing a new Ethernet based thingy, having problems. Thought
> the firewall might be involved, disabled it. Forgot, logged onto www.
> Pzzzang, all sorts of popups, logged off fast. Restarted firewall, got
> alert 'netlib.exe trying to access the web'.
>
> Searched for netlib.exe, the virus folks say it's a component of a
> virus. Ran virus check with latest updates, no virus found. Ran spybot
> with latest updates, no problems.
>
> So is this a virus or not? I don't know if it was there before, I don't
> look at what's running except when one of my own programs has crashed.
> Can't get rid of netlib.exe, access denied.
>
> The virus description says it installs a number of other files- I can't
> see these (I always display hidden files).
>
> Any experiences/ advice much appreciated.
>
> Paul Burke

http://www.sophos.com/virusinfo/analyses/trojcratera.html

--
Regards,
Bob Monsen

If a little knowledge is dangerous, where is the man who has
so much as to be out of danger?
Thomas Henry Huxley, 1877
 
