help on it

Discussion in 'malware problems & news' started by swati, Jun 6, 2003.

Thread Status:
Not open for further replies.
  1. swati

    swati Guest

    Hi, I have a problem, i.e.
    whenever I start my computer, after entering the password it starts showing pictures of gays and then starts one gay movie and changes the wallpaper to a gay picture. I set everything back and delete the movie from system32 and then it runs fine, but when I restart it does the same things: shows the pictures and creates the movie in system32, and I have to set it all again. I'm running XP and the antivirus is not detecting it. If anybody can help, mail me at shahbaz_khan1@hotmail.com
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    If all of this happens each time you reboot your PC then there have to be startup-related keys that can be tracked back to this problem.

    Download StartupList 1.52.1 from http://www.lurkhere.com/~nicefiles/.

    It's a zip file... You download it, unzip it, and run the program StartupList.exe. This will give you a long list of system configuration information which you can copy/paste into a post here. From that, people here can advise you about anything that looks suspicious.
     
  3. swati

    swati Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    5
    Here is the startup list. Please check it, and also tell me how to delete it from startup if a virus/program is found.
    StartupList report, 6/7/2003, 5:39:53 AM
    StartupList version: 1.52
    Started from : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.797\StartupList.EXE
    Detected: Windows XP (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 (6.00.2600.0000)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\WINDOWS\System32\RUNDLL32.exe
    C:\Documents and Settings\Administrator\Desktop\em\emule.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EJN1EA.tmp
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    D:\FlashGet\flashget.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    d:\WinRAR\WinRAR.exe
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.797\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    CARPService = carpserv.exe
    C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide
    ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - d:\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - D:\FLASHGET\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
    NAV Helper - D:\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [MSN Chat Control 4.5]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
    CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 4,779 bytes
    Report generated in 0.172 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Well, immediately this item stands out:

    C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide

    You have two copies of this in the registry's autorun keys, one in the LOCAL_MACHINE section and one in CURRENT_USER.

    You ought to be able to go into msconfig and uncheck the entries for this. To do this, from the XP Start (menu) > use the "Run..." option > enter: msconfig and press [OK]. In the new window, choose the Startup tab and look for entries with "Iexplorer32.EXE" in them. This is not a valid copy of Internet Explorer (which is listed in your running processes above as IEXPLORE.EXE). Uncheck the two entries in the msconfig window and hit [OK]. You'll need to reboot to have this all tested out.
     

  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi,

    I think you can consider the IExplorer32.exe entries suspect, as well as the running process that appears to have the tmp extension (running from your local admin profile's Temp folder, but almost certainly having an additional extension). You can try to remove the IExplorer entries manually from the registry (back up the registry first!) but I strongly suspect that you have more going on here than is apparent from the output you provided. I would suggest that you get a good anti-trojan application and see what it finds. Also, your AV may have been circumvented, so you may want to look at a fresh installation of that.
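The checks the two replies above apply by eye, written out as an added example (it is not code from this thread or from StartupList itself): a small parser for StartupList's report format that flags processes running from a Temp folder, Run values whose name is the command itself, names that imitate a system binary, and entries duplicated across HKLM and HKCU. The embedded report is an abridged excerpt of the one posted above; the KNOWN name list and the rule set are my own assumptions.

```python
import re
from collections import defaultdict
# Abridged excerpt of the StartupList report posted earlier in this thread.
REPORT = r"""
Running processes:
C:\WINDOWS\System32\carpserv.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EJN1EA.tmp
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CARPService = carpserv.exe
C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide
"""
# Stems of Windows binaries whose names malware imitates (Iexplorer32.EXE vs IEXPLORE.EXE); assumed list.
KNOWN = {"iexplore", "explorer", "svchost", "lsass", "winlogon", "services", "smss", "rundll32"}
def imitates_system_binary(cmd):
    names = re.findall(r'([^\\/"]+)\.exe', cmd, re.I)  # program names in a path or command line
    return any(k in n.lower() and k != n.lower() for n in names for k in KNOWN)
def parse(report):
    procs, run, section, hive = [], defaultdict(list), None, None  # run: hive -> [(name, cmd)]
    for line in filter(None, (l.strip() for l in report.splitlines())):
        if line.endswith(":"):
            section = line[:-1]
        elif section == "Running processes":
            procs.append(line)
        elif line.startswith("HK"):
            hive = line.split("\\", 1)[0]
        elif section == "Autorun entries from Registry":
            name, _, cmd = line.partition(" = ")
            run[hive].append((name, cmd))
    return procs, run

def triage(report):
    """(where, item, reason) for each anomaly the replies in this thread single out."""
    procs, run = parse(report)
    out, where = [], defaultdict(set)
    out += [("process", p, "runs from Temp or has a .tmp extension")
            for p in procs if "\\temp\\" in p.lower() or p.lower().endswith(".tmp")]
    for hive, entries in run.items():
        for name, cmd in entries:
            where[cmd].add(hive)
            if name == cmd:
                out.append((hive, cmd, "value name is the command itself"))
            if imitates_system_binary(cmd):
                out.append((hive, cmd, "name imitates a system binary"))
    out += [("+".join(sorted(h)), c, "same entry in HKLM and HKCU Run")
            for c, h in where.items() if len(h) > 1]
    return out
```

Running `triage(REPORT)` flags the Temp process and the Iexplorer32 entries (three reasons each across both hives) while leaving carpserv.exe alone; StartupList's own process would also trip the Temp rule when it is run from an unzipped folder, as it was here.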
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Oops, LWM, I didn't catch your response til I finished mine :)
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    No problem, Dan. ;)

    Certainly downloading an evaluation copy of either TDS-3 or Trojan Hunter and doing a full scan would be a good idea seeing as there is something unexplained on the system.

    However, the things seen so far may just be spyware related, so I'd also suggest going back to http://www.lurkhere.com/~nicefiles/ and downloading the first item listed there, SpyBot Search and Destroy v1.2... Install it; run its check for updates; and then scan for additional malware.
     
  8. swati

    swati Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    5
    I'm running Norton AntiVirus. If it is bypassed, then which antivirus should I use? I have disabled the two entries; will that affect it?
     

    Attached Files:

    • strt.GIF (48.6 KB)
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Hang on swati - We do not know that Norton was bypassed. Let's leave that aside for the moment!

    Did you reboot to see if that prevented what you were seeing?

    After rebooting and letting us know the effect, I suggest using Spybot S&D next, per my above post.
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    I don't know, the appearance of the apparent tmp file in running processes seems to me to point to something more than spyware. Even if the movie thing disappears after a reboot I would look again at the running processes to see if there is an apparent tmp file running from the local TMP dir.
     
  11. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Yes, it very well could be a problem Dan, but, before we have them reinstalling NAV, I would first like to see if the slide show goes away when the system is rebooted. Then, I'd like to see what Spybot finds. Then, perhaps one of the AT products...

    One step at a time may be best here.

    Edit: Oh, and yes I agree, rerunning StartupList is always part of the process until the job is fully done.
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    swati,

    if you like, feel free to email me the two files

    C:\WINDOWS\system32\Iexplorer32.EXE

    and

    the tmp file mentioned in the running process list

    You can use the email address I used to give you a heads up on our replies. This way we can check whatever results you get with your AV scanner and the Spybot app with my TDS, WG, KAV, PestPatrol, etc...
     
  13. swati

    swati Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    5
    First of all, thanks to all of you who replied and helped me. I disabled it from msconfig and also ran the Spybot program, which caught some spam (I don't remember the names of them). Then I restarted and now it starts normally. But I don't know whether it deleted it or just disabled it.
    Anyway, thanks to all of you; I'm trying to send you the files.
     
  14. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,873
    Location:
    New England
    Sounds good so far swati. After you've mailed Dan those files you need to decide which way you'd like to proceed. You can go get an evaluation copy of one of the AT products noted above and do an in-depth scan of your entire system for Trojans. This is a good idea.

    You could try one of the more powerful online virus scanners, such as the Panda Scanner. (There's a link to it here: http://www.wilders.org/free_services.htm).

    You can download GAV, a combo AV/AT product that is in Beta right now, but is very powerful. (See it here: http://www.gladiator-antivirus.com/)

    You can also test your NAV to see if it is still scanning properly using the Eicar test file. (Get it here: http://www.eicar.org/) This might be a smart move, too, just to see that NAV is still working.

    Oh, and of course, rerunning StartupList after a clean boot to see if you still have any questionable keys or programs running is always a good idea. You should keep StartupList and use it over time to see when things change.
     
  15. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    An additional option (but requiring investing a bit of effort in setting up) is a Host Intrusion Detection Audit project I have been setting up outlined at

    http://sourceforge.net/projects/ntida

    which is basically a few scripts using freely available utilities to audit critical aspects of your system (Auto-Start values, critical file hashes, port to process mappings, File and Registry ACL changes, ADStreams, etc). I am still considering it beta as it hasn't been tested as widely as I think necessary for full release, but it should work fine :)

    Once I receive the files you are sending I will scan them with everything I have and then let you
     
  16. swati

    swati Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    5
    Hi again. Yesterday I said that the problem is solved, but the problem exists again. After disabling it from startup it ran better, but after the 2nd restart it created itself again, and now it is creating it again and again. I think it is due to eMule 0.29, because I'm using its cracked version. Last night I disabled it from startup and also disabled one thing in win.ini:
    ; for 16-bit app support
    [fonts]
    [extensions]
    [mci extensions]
    [files]
    [Mail]
    MAPI=1
    =====>> disabled below section[MCI Extensions.BAK]
    ;msconfig aif=MPEGVideo
    ;msconfig aifc=MPEGVideo
    ;msconfig aiff=MPEGVideo
    ;msconfig asf=MPEGVideo2
    ;msconfig asx=MPEGVideo2
    ;msconfig au=MPEGVideo
    ;msconfig ivf=MPEGVideo2
    ;msconfig m1v=MPEGVideo
    ;msconfig m3u=MPEGVideo2
    ;msconfig mp2=MPEGVideo
    ;msconfig mp2v=MPEGVideo
    ;msconfig mp3=MPEGVideo2
    ;msconfig mpa=MPEGVideo
    ;msconfig mpe=MPEGVideo
    ;msconfig mpeg=MPEGVideo
    ;msconfig mpg=MPEGVideo
    ;msconfig mpv2=MPEGVideo
    ;msconfig snd=MPEGVideo
    ;msconfig wax=MPEGVideo2
    ;msconfig wm=MPEGVideo2
    ;msconfig wma=MPEGVideo2
    ;msconfig wmp=MPEGVideo2
    ;msconfig wmv=MPEGVideo2
    ;msconfig wmx=MPEGVideo2
    ;msconfig wvx=MPEGVideo2

    and then restarted it 4 or 5 times and it didn't come back, but now, when I started eMule to download books, it came into startup again.
    But no antivirus is detecting any virus in eMule o_O
    Any suggestion?
     
  17. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    AntiVirus products will only indifferently detect Trojans. Your emule may be trojaned or you may have some other trojan in there (or both)

    My own preferred AntiTrojan is TDS3 from

    http://www.diamondcs.com.au/
     
  18. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Looking on eMule's site, they indicate that it is free (though they accept donations). Is it possible that someone released a so-called cracked version only to release a trojan they embedded in it?
     
  19. swati

    swati Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    5
    I got this eMule from eDonkey:
    eMule v0.29a offical noratio UPLOAD CRACK - complete Patch - Relased 05.jun.2003.NoMod. - hack - edonkey
    Today I will check what happens if I don't run eMule.
    If there is a way to check the exe of eMule then guide me; I will check it. You can also get this from eDonkey.
    Thanks for the response.
     
  20. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    The best way to check that a file is untampered is to run what is called a hash algorithm on the possible suspect file and compare it against a hash on a "known good" file. There are various hash algorithms, the three most used are CRC (or its modified CRC32), MD5 and SHA1. Of these the CRCs are possible to circumvent. I would recommend that you get the md5 hash on these files.

    The Homepage of eMule is

    http://www.emule-project.net/index.php?s=home and you can download what is hopefully a safe version there (.29a IS the latest)

    You can get a hash calculator (command-line) from

    http://www.keir.net/download/md5file.zip
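Dan's hashing advice above, as an added example that is not code from this thread or from the md5file tool he links: compute CRC-32, MD5 and SHA-1 of a file and compare them with published values, and show why a matching CRC-32 alone proves nothing, since a modified file can be padded with four bytes that restore any chosen CRC-32 while MD5 and SHA-1 still change. The "installer" bytes are constructed for the demonstration, not real eMule files.

```python
import hashlib
import zlib

# Standard reflected CRC-32 table (polynomial 0xEDB88320, the one zlib uses).
_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _TABLE.append(c)
# The high byte of each table entry is distinct, so it identifies the entry.
_REV = {t >> 24: i for i, t in enumerate(_TABLE)}

def digests(data: bytes) -> dict:
    """CRC-32, MD5 and SHA-1 of the same bytes, as hex strings."""
    return {"crc32": f"{zlib.crc32(data):08x}",
            "md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Four bytes that make zlib.crc32(data + suffix) == target.

    CRC-32 is linear: the register state after four more bytes depends only on
    the four table indices those bytes select, not on the state before them, so
    the indices can be read back from the target and bytes chosen to hit them.
    """
    idx = [0] * 4
    r = target ^ 0xFFFFFFFF  # register state that yields `target` after the final XOR
    for i in range(3, -1, -1):
        idx[i] = _REV[r >> 24]
        r = ((r ^ _TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    reg = zlib.crc32(data) ^ 0xFFFFFFFF  # register state after `data`
    suffix = bytearray()
    for i in range(4):
        suffix.append((reg ^ idx[i]) & 0xFF)
        reg = _TABLE[idx[i]] ^ (reg >> 8)
    return bytes(suffix)

def verify(data: bytes, published: dict) -> dict:
    """Per algorithm: does `data` match the digest the publisher lists?"""
    mine = digests(data)
    return {alg: mine[alg] == value for alg, value in published.items()}

# Constructed stand-ins for a genuine installer and for a modified copy whose
# CRC-32 has been fixed up to match; neither is a real eMule file.
ORIGINAL = b"eMule v0.29a setup (constructed sample bytes)"
MODIFIED_BODY = ORIGINAL + b" + extra code"
MODIFIED = MODIFIED_BODY + forge_crc32_suffix(MODIFIED_BODY, zlib.crc32(ORIGINAL))
```

`verify(MODIFIED, digests(ORIGINAL))` reports the CRC-32 as matching and MD5/SHA-1 as failing, which is why the comparison should be made on MD5 (or SHA-1) against the hash the project publishes, never on a CRC.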
     