IE security breach

[Etruscan]

Hi Everyone:

I was cruising the internet last night, hit a button, and got taken to a website where a secruirty breach took place through IE. I ended up with a bunch of entries to favourites and a new program loading itself on startup. The problem is: I can't find where in the registry the program is booting from. It appears in Msconfig. I disabled it there by unchecking it, but I want to eliminate it entirely from the system without reinstalling so it doesn't appear in Msconfig.

I checked Win.ini - nothing. I checked registry in Local Machine/software/microsoft/windows/run - nothing. Is there anywhere else to look in the registy for stuff that boots on startup? The OS is 98se. Thanks.

[kendo]

Local Machine/software/microsoft/windows/runLocal Machine/software/microsoft/windows/current version/runservices

also a run key located in current user - navigate to it the same as in local machine


and don't forget the obvious

C:\WINDOWS\Start Menu\Programs\StartUp

[Etruscan]

I'll check out "current user" too. I think I did already, but will check again. Yeah, unfortunately this one is more than skin deep. Startup is clean. Thanks kendo.

[kendo]

you probably already did but since it is 98 check the
autoexec.bat config.sys and system.ini

[SeanC]

Under this key (I think in 98 it's here)

Local Machine/software/microsoft/windows/runLocal Machine/software/microsoft/windows/current version/runservices

For Run, RunOnce, RunServicesOnce.

Ensure it's not in those keys either.

Sean

[Etruscan]

Thanks for the reminder on DOS startup kendo - not there either. But I did find it in currrent_user/software/microsoft/windows/CurrentVersion/run-

The run- is a bit interesting. The virus seems to have created a new run folder in CurrentVersion by adding a - symbol to run. There are now two run folders there: run and run-. I deleted the contents of run- and rebooted. The .exe file in C\Windows that is the problem reappeared even though it was deleted, ran itself on startup, reentered itself in current_user...run- and reactivated itself in msconfig.

I have to go now. I've got other things to do. The best I can do for now is uncheck it in msconfig, that successfully deactivcates it, and delete the exe file in C\Windows. I have to find what's rewriting it current_user ... run- : another entry in registry somewhere. If anyone has any ideas - feel free. I'll be able to check back a few hours from now.

PS: the run runonce etc. in local_machine are all clean as far as know, I'll check again. But assume they are clean sleuths. Thanks.

[kendo]

the run- folder is native to the registry

items you remove via msconfig are stored in it

[Etruscan]

Ahhh!!! Thanks again kendo. Of course, it makes sense now in retrospect - run and [run-] not run.

I still have to find the origin of the species. It is entered somewhere else in the registy in order for it to rewrite itself the currentversion directory. One thing that crossed my mind is java script. I don't how it starts up and works on the computer. Is it possible to initiate a process like have program rewrite itself in a directory and register itself in the registry with java script? Anyone? Big mystery.

PS: I got it. There was another exe in the run directory controlling it. Cleaned - problem solved.