#1
Lately, I've seen a number of similar cases present themselves regarding some trojan starting up from the System.ini, editing the Shell= line to read shell=explorer.exe openme.exe
We've been using StartLog by Rmbox as a very useful tool to troubleshoot startup problems and detect trojans, but it only works with Win95, 98 and ME. What about XP? Anything much known about all the possible startup locations there? And from where would this openme.exe thing start up in XP? I've seen two cases of people running XP that had this trojan, and who were unable to determine from where it started up. I'm running Win 98SE myself, so I'm really at a loss. Anyone able to shed some light on this issue?
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#2
Tony,
Although not designed for XP, you might play around with TrojanCheck - a little but very nice freeware app we helped developing in the past. You can grab a copy from our downloads page: www.wilders.org/downloads.htm
Some remarks:
- forget about the anti-trojan engine (outdated);
- it's been known to produce one false positive on XP: shadow.exe - belonging to XP.
No guarantees here, since as stated it's not designed for XP. Nevertheless, it might come in very helpful. Keep us posted. regards. paul
__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
#3
Thanks Paul,
What I was really looking for, however, is a neat list of *all* possible startup locations in XP, something like what has been done for Win98. As a matter of fact I seem to remember one of your posts called something like "All Known Autostart Methods". Do you still have a link to that one? And is some of that applicable to XP? Thanks! Tony
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#4
Apart from the usual registry keys under HKLM HKCU and HKUD -
Run
RunServices
RunOnce
It would start from the startup folder, or most likely the "marklord method":
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<some key>\StubPath =
or HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders - <some folder>, Windows runs the files in this folder
#5
Thank you, Gavin,
That's most helpful, and I think with this we may be able to help people with XP to get rid of this and possibly other trojans by checking these locations, in case they didn't get a chance to run an antitrojan. Thanks again. Cheers, Tony
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#6
Tony - This may be the post from the old site that you were referring to: http://pub24.ezboard.com/fsecureyesecurityfrm2.showMessage?topicID=18.topic . Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
#7
Hi spy1,
That's the one I meant. Thanks! Cheers, Tony
__________________
Tony < > CLSID List - A Collection of Autostart Locations
#8
You're quite welcome. Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
#9
Meanwhile, we've been able to detect the trojan's startup location in Windows 2000:
It's the Shell= line in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\current version\Winlogon. The default value is "Shell"="Explorer.exe", but the trojan modifies it. Should be helpful for XP as well. Thought I'd update this one. Greetz, Tony
__________________
Tony < > CLSID List - A Collection of Autostart Locations
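An added example (not from any poster in this thread, and not TrojanCheck or StartLog) that checks the autostart locations named in posts #4 and #9 offline: the Shell= line in the [boot] section of a Win9x/ME system.ini, the Winlogon Shell value on 2000/XP, the HKLM and HKCU Run/RunOnce/RunServices keys, and Active Setup StubPath entries. It works on a system.ini and a regedit .reg export you have saved from the machine, so it runs on any OS; the sample system.ini, the .reg fragment, the openme.exe paths and the Active Setup GUID embedded below are constructed for illustration.

```python
"""Offline review of the autostart locations discussed in the thread.
Input is a system.ini text and a regedit .reg export; both samples below are
constructed, not taken from a real machine."""
import configparser
import re

# Constructed sample: Win9x/ME system.ini with the hijacked Shell= line.
SAMPLE_SYSTEM_INI = """[boot]
shell=explorer.exe openme.exe
drivers=mmsystem.dll
"""

# Constructed sample: .reg export fragment. Paths, the Run value and the
# Active Setup GUID are made up for the example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe openme.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example"="C:\\Program Files\\Example\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{00000000-0000-0000-0000-000000000000}]
"StubPath"="C:\\WINDOWS\\openme.exe"
"""

EXPECTED_SHELL = "explorer.exe"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components"
RUN_KEYS = [
    hive + r"\SOFTWARE\Microsoft\Windows\CurrentVersion" + "\\" + sub
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")
    for sub in ("Run", "RunOnce", "RunServices")
]


def _unescape(s):
    # .reg string values escape backslashes and double quotes.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Minimal parser for regedit's .reg format (string values only)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            value = m.group(2).strip()
            if value.startswith('"') and value.endswith('"'):
                value = _unescape(value[1:-1])
            keys[current][name] = value
    return keys


def _values(keys, path):
    # Registry paths are case-insensitive; exports preserve whatever case was typed.
    for k, v in keys.items():
        if k.lower() == path.lower():
            return v
    return {}


def audit_autostarts(reg_text, ini_text):
    """Return (location, name, value) triples that deserve a look."""
    findings = []
    # Win9x/ME: Shell= in [boot] of system.ini must be exactly explorer.exe.
    ini = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
    ini.read_string(ini_text)
    shell = ini.get("boot", "shell", fallback=None)
    if shell is not None and shell.strip().lower() != EXPECTED_SHELL:
        findings.append(("system.ini [boot]", "shell", shell))
    keys = parse_reg_export(reg_text)
    # 2000/XP: the Winlogon Shell value plays the same role; absent means the default.
    shell = _values(keys, WINLOGON).get("Shell")
    if shell is not None and shell.strip().lower() != EXPECTED_SHELL:
        findings.append((WINLOGON, "Shell", shell))
    # Run/RunOnce/RunServices: every entry is an autostart, so list them all for review.
    for path in RUN_KEYS:
        for name, value in _values(keys, path).items():
            findings.append((path, name, value))
    # Active Setup StubPath (the "marklord method"): each component's StubPath
    # runs at logon for every user whose HKCU copy of the component is missing.
    prefix = ACTIVE_SETUP.lower() + "\\"
    for path, values in keys.items():
        if path.lower().startswith(prefix) and "StubPath" in values:
            findings.append((path, "StubPath", values["StubPath"]))
    return findings


if __name__ == "__main__":
    for location, name, value in audit_autostarts(SAMPLE_REG_EXPORT, SAMPLE_SYSTEM_INI):
        print(f"{location}\n    {name} = {value}")
```

On the constructed samples this reports the hijacked system.ini shell, the modified Winlogon Shell, the one Run entry, and the StubPath pointing at openme.exe; a clean Shell value on either side produces no Shell finding. The Run and StubPath entries are listed unconditionally because there is no "default" for them: each one is something that starts without the user asking, and the reviewer decides which are legitimate.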