I think I'm infected

Discussion in 'malware problems & news' started by Andrew B., Jul 17, 2003.

Thread Status:
Not open for further replies.
  1. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    Here are a couple things I learned from this.

    1. No matter how much I think I know about safe practices, it is still possible to make a mistake.

    2. If a program is denying access to regedit, try a startup manager instead.

    But I still haven't figured out why some of the programs under RUN are not putting icons in the tray. The only thing that makes me worry less about this is there is no information that says this worm/trojan knows stealth techniques.
     
  2. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    Actually it takes some work to get an icon in the systray: http://delphi.about.com/library/weekly/aa121801a.htm
    and why would any malware want to do that?
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    One thing I learned: don't activate a virus on my "normal" computer, even if the resident AV recognizes it. :doubt:

    We both got rid of it and it was added to NOD's definitions.
    To quote Paul: All's well that ends well. ;)

    Regards,

    Pieter
     
  4. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    I think maybe I didn't explain well enough. The problem I'm seeing is that there are regular programs (not malware) in Machine Run that used to put icons in the tray, but have stopped doing this since I was hit. Also, if I run these programs manually, they do put icons there. And, after I run them I cannot see their process in memory. But then again, maybe all they are supposed to do is put icons there.

    Anyway, I am going to contact the companies that authored these programs to see if any information they can give me will help. And, of course, if anyone has a hunch I would appreciate knowing.
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Please send a copy of this one to submit@diamondcs.com.au anyone who has it..

    A trojan's reason to get systray icons? Easy - create fake ones after killing say, your firewall :mad: Then it looks like your firewall is still running..
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Gavin,

    Sample is on its way.

    Andrew,

    Are the icons provided by SysTray.exe working OK or are they gone as well?

    Regards,

    Pieter
     
  7. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    Pieter,

    The only standard Windows tray icon I had was volume control and it still works. Zone Alarm and Post-It Notes remained and still worked. And what is very odd is the ones that disappeared are starting to show up again.

    I've tested them all, and they work as they should. Of course, it is possible to piggyback on a DLL of one of these, so I am counting on the fact that nobody has reported this ability in any spybot.gen.

    One other thing. I've been watching my processes by using the freeware program called Starter. And yesterday I noticed a hand (palm up) with no process information. To me, the hand means a share. And it might be that I just never noticed it before. But it does make me wonder.

    Regards,

    Andrew
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    This program might be another useful tool:
    http://www.turboware.com/WhatsHappening.htm

    I had to remove an empty line from msconfig as well, now that you mention it.
    Thought it was related to a program I uninstalled.

    Regards,

    Pieter
     
  9. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    Pieter,

    Thanks for the tip on the program. And thanks for staying with this exploration of the problem. I didn't get a chance to use the program because I've been trying other things, and I think I found a pattern here.

    1. The programs with icons that did *not* disappear from the tray were all starting from the Startup folder.

    2. The programs with icons that disappeared were all starting from Machine Run.

    3. It might be that NOTHING was starting from Machine Run after I was hit. IOW, maybe the whole thing was shut down, but I didn't notice some things not running because they don't put icons into the tray.

    4. Windows 2000 does not have MSCONFIG. So I just located a copy of Win XP's MSCONFIG and used it instead. MSCONFIG shows only some of the programs in Machine Run. And the ones it is not showing are also not running. IOW, MSCONFIG cannot see part of the Machine Run list, and the part it cannot see is the same as the part that is not running. But Regedit sees these, and so does a program called Starter.

    So, maybe the worm had a way to shut down everything in Machine Run except itself. Maybe by entering an odd character in the Registry entry for each one. And maybe some of the icons are coming back because I've been tinkering with that area and causing it to rewrite. Or maybe one of the startup managers I first tried messed this up. I have no way to know now. But if any of the vendors who are reading this decide to let it loose on a test computer, it might be worth checking to see if it disables things in Machine Run.

    And I sure hope all of this is NOT because the malware is still active somewhere.

    Regards,

    Andrew
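The check the post above describes by hand (compare what regedit lists under the Run keys against what the startup tools show, and look for entries carrying an odd character) can be scripted. This is an added example, not code from the thread or from any of the tools named in it; it assumes a modern Windows host with PowerShell, and the "odd character" test (anything outside printable ASCII in an entry's name or command) is my own heuristic, not a documented property of the worm discussed.

```powershell
# Added example: list autostart entries from the Run/RunOnce keys and the
# Startup folders, flagging any whose name or command contains a character
# outside printable ASCII (control characters, NUL, non-ASCII text).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-OddChars {
    param([string]$Text)
    # Heuristic (assumption): printable ASCII is 0x20-0x7E; anything else is "odd".
    return ($Text -match '[^\x20-\x7E]')
}

function Get-AutostartReport {
    $report = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            # Read the raw value without expanding %VARS%, so what was written is what we inspect.
            $value = [string]$item.GetValue($name, '', 'DoNotExpandEnvironmentNames')
            $report += [pscustomobject]@{
                Source  = $key
                Name    = $name
                Command = $value
                Odd     = (Test-OddChars $name) -or (Test-OddChars $value)
            }
        }
    }
    # Startup folder entries (the thread notes these kept working after the infection).
    foreach ($folder in @([Environment]::GetFolderPath('Startup'),
                          [Environment]::GetFolderPath('CommonStartup'))) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -File | ForEach-Object {
            $report += [pscustomobject]@{
                Source  = $folder
                Name    = $_.Name
                Command = $_.FullName
                Odd     = (Test-OddChars $_.Name)
            }
        }
    }
    return $report
}

Get-AutostartReport | Sort-Object Odd -Descending | Format-Table -AutoSize
```

An entry whose name the standard registry API cannot return at all will not appear in this listing either, so the comparison against regedit that the post makes by eye remains the real check; this script only makes the visible side of that comparison quick and repeatable.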
     
  10. Andrew B.

    Andrew B. Registered Member

    Joined:
    Jul 17, 2003
    Posts:
    34
    This is just a follow-up, and maybe it will help someone else who gets hit with this.

    1. I was able to get all my icons working again by removing their start commands from Machine Start, rebooting, putting them back, rebooting.

    2. In Starter I was seeing a process that was the Share icon, but the rest of the line was blank. I checked in Control Panel and looked at the properties for my network Local Area Connection. File and Printer sharing were turned on (which I don't remember ever doing). I unchecked the box and now that icon is gone from Starter.
     