Hi, I'm in a problem, i.e. whenever I start my computer, after giving the password it starts showing pictures of gays and then starts one gay movie and changes the wallpaper with a gay pic. I set everything back and delete the movie from system32 and then it runs fine, but when I restart it runs the same things: shows the pics and creates the movie in system32, and I have to set it all again. I'm running XP and the antivirus is not detecting it. If anybody can help then mail me at shahbaz_khan1@hotmail.com
If all of this happens each time you reboot your PC then there have to be startup-related keys that can be tracked back to this problem. Download StartupList 1.52.1 from http://www.lurkhere.com/~nicefiles/. It's a zip file... You download it, unzip it, and run the program StartupList.exe. This will give you a long list of system configuration information which you can copy/paste into a post here. From that, people here can advise you about anything that looks suspicious.
Here is the startup list. Please check it, and also tell me how to delete from startup if a virus/program is found.

StartupList report, 6/7/2003, 5:39:53 AM
StartupList version: 1.52
Started from : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.797\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Documents and Settings\Administrator\Desktop\em\emule.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EJN1EA.tmp
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
d:\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.797\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CARPService = carpserv.exe
C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - d:\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\FLASHGET\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
NAV Helper - D:\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,779 bytes
Report generated in 0.172 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Well, immediately this item stands out:

C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide

You have two copies of this in the registry's autorun keys, one in the LOCAL_MACHINE section and one in CURRENT_USER. You ought to be able to go into msconfig and uncheck the entries for this. To do this, from the XP Start (menu) > use the "Run..." option > enter: msconfig and press [OK]. In the new window, choose the Startup tab and look for entries with "Iexplorer32.EXE" in them. This is not a valid copy of Internet Explorer (which is listed in your running processes above as IEXPLORE.EXE). Uncheck the two entries in the msconfig window and hit [OK]. You'll need to reboot to have this all tested out.
Hi, I think you can consider the IExplorer32.exe entries suspect, as well as the running process that appears to have the .tmp extension (running from your local admin profile's Temp folder, but almost certainly has an additional extension). You can try to manually remove the IExplorer entries from the registry (back up the registry first!), but I strongly suspect that you have more going on here than is apparent from the output you provided. I would suggest that you get a good anti-trojan application and see what it finds. Also, your AV may have been circumvented, so you may want to look at a fresh installation of that.
No problem, Dan. Certainly downloading an evaluation copy of either TDS-3 or Trojan Hunter and doing a full scan would be a good idea seeing as there is something unexplained on the system. However, the things seen so far may just be spyware related, so I'd also suggest going back to http://www.lurkhere.com/~nicefiles/ and downloading the first item listed there, SpyBot Search and Destroy v1.2... Install it; run its check for updates; and then scan for additional malware.
I'm running Norton AntiVirus. If it is bypassed, then which antivirus should I use? I have disabled the two entries; will that affect it?
Hang on, swati. We do not know that Norton was bypassed. Let's leave that aside for the moment! Did you reboot to see if that prevented what you were seeing? After rebooting and letting us know the effect, I suggest using Spybot S&D next, per my above post.
I don't know, the appearance of the apparent tmp file in running processes seems to me to point to something more than spyware. Even if the movie thing disappears after a reboot, I would look again at the running processes to see if there is an apparent tmp file running from the local TMP dir.
Yes, it very well could be a problem Dan, but, before we have them reinstalling NAV, I would first like to see if the slide show goes away when the system is rebooted. Then, I'd like to see what Spybot finds. Then, perhaps one of the AT products... One step at a time may be best here. Edit: Oh, and yes I agree, rerunning StartupList is always part of the process until the job is fully done.
swati, if you like, feel free to email me the two files C:\WINDOWS\system32\Iexplorer32.EXE and the tmp file mentioned in the running process list. You can use the email address I used to give you a heads up on our replies. This way we can check whatever results you get with your AV scanner and the Spybot app against my TDS, WG, KAV, PestPatrol, etc...
First of all, thanks to all of you who replied and helped me. I disabled it from msconfig and also ran the Spybot program, which caught some spam (I don't remember their names). Then I restarted and now it starts normally. But I don't know whether it deleted it or just disabled it. Anyway, thanks to all of you. I'm trying to send you the files.
Sounds good so far swati. After you've mailed Dan those files you need to decide which way you'd like to proceed. You can go get an evaluation copy of one of the AT products noted above and do an in-depth scan of your entire system for Trojans. This is a good idea. You could try one of the more powerful online virus scanners, such as the Panda Scanner. (There's a link to it here: http://www.wilders.org/free_services.htm). You can download GAV, a combo AV/AT product that is in Beta right now, but is very powerful. (See it here: http://www.gladiator-antivirus.com/) You can also test your NAV to see if it is still scanning properly using the Eicar test file. (Get it here: http://www.eicar.org/) This might be a smart move, too, just to see that NAV is still working. Oh, and of course, rerunning StartupList after a clean boot to see if you still have any questionable keys or programs running is always a good idea. You should keep StartupList and use it over time to see when things change.
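Two of the recommendations in this thread, reading a StartupList report for entries like the Iexplorer32 one and re-running StartupList after each reboot to see what changed, can be scripted. The following is an added example written for this edit; it is not part of StartupList and not code from any of the posters. It parses the "Running processes" and "Autorun entries from Registry" sections of a constructed excerpt modelled on the report posted above (the function names, the list of system binaries, and the heuristics for what counts as suspicious are this editor's own choices, not anything StartupList does), and diffs two runs the way the thread does by eye.

```python
import re
from collections import namedtuple

RunEntry = namedtuple("RunEntry", "hive name value")

# Constructed excerpt in StartupList 1.52 report format, modelled on the report
# posted in this thread (only the sections the checks below use are included).
REPORT_INFECTED = r"""
Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EJN1EA.tmp
C:\Program Files\Internet Explorer\IEXPLORE.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CARPService = carpserv.exe
C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide

--------------------------------------------------
"""

# Constructed "after cleanup" re-run: the same report without the two
# Iexplorer32 values and without the .tmp process.
REPORT_CLEAN = "\n".join(
    line for line in REPORT_INFECTED.splitlines()
    if "Iexplorer32" not in line and "EJN1EA" not in line
)

# Names a look-alike file is most likely to imitate (editor's list, not exhaustive).
SYSTEM_IMAGES = ("iexplore", "explorer", "svchost", "lsass", "winlogon", "services", "smss", "spoolsv")
EXE_RE = re.compile(r'([^\\"]+\.(?:exe|scr|com|dll|bat|pif|tmp))', re.I)


def parse_report(text):
    """Pull running processes and Run-key values out of a StartupList report."""
    processes, run = [], []
    for section in re.split(r"(?m)^-{10,}\s*$", text):   # sections end with a dashed line
        lines = [l.strip() for l in section.splitlines() if l.strip()]
        if not lines:
            continue
        header, body = lines[0], lines[1:]
        if header.startswith("Running processes:"):
            processes.extend(body)
        elif header.startswith("Autorun entries from Registry:") and body:
            hive = body[0]                                  # e.g. HKLM\...\Run
            for line in body[1:]:
                name, sep, value = line.partition(" = ")    # StartupList prints "name = value"
                if sep:
                    run.append(RunEntry(hive, name, value))
    return {"processes": processes, "run": run}


def image_name(cmdline):
    """Lower-cased executable file name inside a Run value or process path."""
    m = EXE_RE.search(cmdline)
    return m.group(1).lower() if m else cmdline.lower()


def lookalike(image):
    """The system binary this image name imitates without being it, or None."""
    stem = image.rsplit(".", 1)[0]
    for legit in SYSTEM_IMAGES:
        if legit in stem and stem != legit:     # "iexplorer32" contains "iexplore"
            return legit
    return None


def flag_suspicious(report):
    """Heuristics for what the thread picked out by eye; returns (reason, item) pairs."""
    findings = []
    for proc in report["processes"]:
        low = proc.lower()
        if "\\temp\\" in low or low.endswith(".tmp"):
            findings.append(("process running from a Temp directory or with a .tmp image", proc))
        legit = lookalike(image_name(proc))
        if legit:
            findings.append((f"process name imitates {legit}.exe", proc))
    by_value = {}
    for e in report["run"]:
        where = f"{e.hive}: {e.name} = {e.value}"
        if e.name.lower() == e.value.lower():   # value name is its own command line
            findings.append(("Run value whose name is its own command line", where))
        legit = lookalike(image_name(e.value))
        if legit:
            findings.append((f"Run value imitates {legit}.exe", where))
        by_value.setdefault(e.value.lower(), set()).add(e.hive)
    for value, hives in by_value.items():
        if len(hives) > 1:                      # same command in HKLM and HKCU
            findings.append(("same command in several Run hives", f"{sorted(hives)} {value}"))
    return findings


def diff_reports(before, after):
    """What changed between two StartupList runs (e.g. before and after a reboot)."""
    b, a = parse_report(before), parse_report(after)
    return {
        "run_added": sorted(set(a["run"]) - set(b["run"])),
        "run_removed": sorted(set(b["run"]) - set(a["run"])),
        "proc_added": sorted(set(a["processes"]) - set(b["processes"])),
        "proc_removed": sorted(set(b["processes"]) - set(a["processes"])),
    }


if __name__ == "__main__":
    for reason, item in flag_suspicious(parse_report(REPORT_INFECTED)):
        print(f"[!] {reason}: {item}")
    # A value that was removed and is present again in the next run "came back".
    for e in diff_reports(REPORT_CLEAN, REPORT_INFECTED)["run_added"]:
        print(f"[+] reappeared: {e.hive} -> {e.name}")
```

Keep each report as a dated text file and feed the previous and current ones to diff_reports after every reboot; a Run value that shows up in run_added after it was unchecked in msconfig is the sign of a re-creating component that the disabled entry itself was not.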
An additional option (but requiring investing a bit of effort in setting up) is a Host Intrusion Detection Audit project I have been setting up, outlined at http://sourceforge.net/projects/ntida, which is basically a few scripts using freely available utilities to audit critical aspects of your system (Auto-Start values, critical file hashes, port to process mappings, File and Registry ACL changes, ADStreams, etc.). I am still considering it beta as it hasn't been tested as widely as I think necessary for full release, but it should work fine. Once I receive the files you are sending I will scan them with everything I have and then let you
Hi again. Yesterday I said that the problem was solved, but the problem exists again. After disabling it from startup it runs better, but after the 2nd restart it created itself again; now it is creating it again and again. I think it is due to eMule 0.29, because I'm using its cracked version. Last night I disabled it from startup and also disabled one thing in win.ini:

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
=====>> disabled below section
[MCI Extensions.BAK]
;msconfig aif=MPEGVideo
;msconfig aifc=MPEGVideo
;msconfig aiff=MPEGVideo
;msconfig asf=MPEGVideo2
;msconfig asx=MPEGVideo2
;msconfig au=MPEGVideo
;msconfig ivf=MPEGVideo2
;msconfig m1v=MPEGVideo
;msconfig m3u=MPEGVideo2
;msconfig mp2=MPEGVideo
;msconfig mp2v=MPEGVideo
;msconfig mp3=MPEGVideo2
;msconfig mpa=MPEGVideo
;msconfig mpe=MPEGVideo
;msconfig mpeg=MPEGVideo
;msconfig mpg=MPEGVideo
;msconfig mpv2=MPEGVideo
;msconfig snd=MPEGVideo
;msconfig wax=MPEGVideo2
;msconfig wm=MPEGVideo2
;msconfig wma=MPEGVideo2
;msconfig wmp=MPEGVideo2
;msconfig wmv=MPEGVideo2
;msconfig wmx=MPEGVideo2
;msconfig wvx=MPEGVideo2

Then I restarted 4 or 5 times and it didn't come back, but now when I started eMule to download books it came into the startup again. But no antivirus is detecting any virus in eMule. Any suggestion?
AntiVirus products will only indifferently detect Trojans. Your emule may be trojaned or you may have some other trojan in there (or both) My own preferred AntiTrojan is TDS3 from http://www.diamondcs.com.au/
Looking on eMule's site, they indicate that it is free (though they accept donations). Is it possible that someone released a so-called cracked version only to release a trojan they embedded in it?
I got this eMule from eDonkey: "eMule v0.29a offical noratio UPLOAD CRACK - complete Patch - Relased 05.jun.2003.NoMod. - hack - edonkey". Today I will check what happens if I don't run eMule. If there is a way to check the exe of eMule then guide me and I will check it. You can also get this from eDonkey. Thanks for the response.
The best way to check that a file is untampered is to run what is called a hash algorithm on the possibly suspect file and compare it against the hash of a "known good" file. There are various hash algorithms; the three most used are CRC (or its modified CRC32), MD5 and SHA1. Of these, the CRCs are possible to circumvent. I would recommend that you get the md5 hash of these files. The homepage of eMule is http://www.emule-project.net/index.php?s=home and you can download what is hopefully a safe version there (.29a IS the latest). You can get a hash calculator (command-line) from http://www.keir.net/download/md5file.zip
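The post above recommends comparing hashes against a known-good copy and notes that CRCs can be circumvented. The script below is an added example written for this edit (not the md5file tool linked above, and not code from any poster); it uses only Python's standard library. It computes CRC32, MD5, SHA-1 and SHA-256 of a file's bytes, compares against a published digest in constant time, and then shows concretely why a CRC is not tamper evidence: four bytes appended to an altered file are enough to give it any CRC32 you want, while the cryptographic digests still differ. The sample "good" and "tampered" byte strings are constructed stand-ins, not the real eMule binary. One caveat the 2003 post could not know: MD5 and SHA-1 have since been shown to be collision-prone, so compare SHA-256 where the publisher provides it.

```python
import hashlib
import hmac
import zlib


def digests(data):
    """CRC32 (8 hex digits, as archivers show it), MD5, SHA-1 and SHA-256 of a byte string."""
    return {
        "crc32": "%08x" % zlib.crc32(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def matches_known_good(data, expected_hex, algo="sha256"):
    """Compare a file's digest with a published one without leaking where they differ."""
    return hmac.compare_digest(digests(data)[algo], expected_hex.lower())


def _crc_table():
    """Standard reflected CRC32 lookup table (polynomial 0xEDB88320, as used by zlib)."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


TABLE = _crc_table()


def forge_crc32(data, target):
    """Return 4 bytes which, appended to data, make zlib.crc32(data + bytes) == target.

    zlib's CRC32 is: reg = 0xFFFFFFFF; reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8) per byte;
    result = reg ^ 0xFFFFFFFF. Each step's top output byte is TABLE[idx] >> 24, and the
    table's top bytes are a bijection on 0..255, so the last 4 table indices can be solved
    backwards from the target register and the bytes that select them computed forwards.
    """
    state = zlib.crc32(data) ^ 0xFFFFFFFF     # register after the original data
    want = target ^ 0xFFFFFFFF                # register we must finish on
    indices = []
    for _ in range(4):                        # walk backwards from the target
        top = want >> 24
        idx = next(i for i in range(256) if TABLE[i] >> 24 == top)
        indices.append(idx)
        want = ((want ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    patch = bytearray()
    for idx in reversed(indices):             # walk forwards from the real state
        patch.append((state ^ idx) & 0xFF)
        state = TABLE[idx] ^ (state >> 8)
    return bytes(patch)


# Constructed stand-ins for a clean download and a tampered copy of it.
GOOD = b"eMule 0.29a release build (constructed sample, not the real binary)\n"
BAD = GOOD.replace(b"release", b"trojan ")


if __name__ == "__main__":
    fix = forge_crc32(BAD, zlib.crc32(GOOD))
    forged = BAD + fix
    print("good   :", digests(GOOD))
    print("forged :", digests(forged))
    print("crc32 equal:", digests(forged)["crc32"] == digests(GOOD)["crc32"])
    print("sha256 ok  :", matches_known_good(forged, digests(GOOD)["sha256"]))
```

Running it prints identical crc32 values for the clean and the patched-tampered file while md5, sha1 and sha256 differ, which is exactly the difference between a checksum for accidental corruption and a digest for deliberate tampering. Read the file in binary mode (`open(path, "rb").read()`) when applying digests to a real download.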