# help on it

Discussion in 'malware problems & news' started by swati, Jun 6, 2003.

1. ### swati (Guest)

Hi, I'm in a problem, i.e.:
Whenever I start my computer, after entering the password it starts showing pictures of gays and then starts a gay movie and changes the wallpaper to a gay picture. I set everything back and delete the movie from system32, and then it runs fine, but when I restart it does the same things: shows the pictures and creates the movie in system32, and I have to set everything again. I'm running XP and the antivirus is not detecting it. If anybody can help, then mail me at shahbaz_khan1@hotmail.com

2. ### LWM

If all of this happens each time you reboot your PC then there has to be startup related keys that can be tracked back to this problem.

It's a zip file... You download it, unzip it, and run the program StartupList.exe. This will give you a long list of system configuration information which you can copy/paste into a post here. From that, people here can advise you about anything that looks suspicious.

3. ### swati (Registered Member)

Here is the startup list. Please check it, and also tell me how to delete it from startup if a virus/program is found.
StartupList report, 6/7/2003, 5:39:53 AM
StartupList version: 1.52
Started from : C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.797\StartupList.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Documents and Settings\Administrator\Desktop\em\emule.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EJN1EA.tmp
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
d:\WinRAR\WinRAR.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rar$EX00.797\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CARPService = carpserv.exe
C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

Policies Shell key:

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - d:\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\FLASHGET\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}

--------------------------------------------------

Symantec NetDetect.job

--------------------------------------------------

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

[MSN Chat Control 4.5]
CODEBASE = http://fdl.msn.com/public/chat/msnchat45.cab

--------------------------------------------------

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 4,779 bytes
Report generated in 0.172 seconds

Command line options:
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

4. ### LWM

Well, immediately this item stands out:

C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide

You have two copies of this in the registry's autorun keys, one in the LOCAL_MACHINE section and one in CURRENT_USER.

You ought to be able to go into msconfig and uncheck the entries for this. To do this, from the XP Start (menu) > use the "Run..." option > enter: msconfig and press [OK]. In the new window, choose the Startup tab and look for entries with "Iexplorer32.EXE" in them. This is not a valid copy of Internet Explorer (which is listed in your running processes above as IEXPLORE.EXE). Uncheck the two entries in the msconfig window and hit [OK]. You'll need to reboot to have this all tested out.

5. ### Dan Perez (Retired Moderator)

Hi,

I think you can consider the IExplorer32.exe entries suspect, as well as the running process that appears to have the .tmp extension (running from your local admin profile Temp folder, but almost certainly with an additional extension). You can try to manually remove the IExplorer entries from the registry (back up the registry first!), but I strongly suspect that you have more going on here than is apparent from the output you provided. I would suggest that you get a good anti-trojan application and see what it finds. Also, your AV may have been circumvented, so you may want to look at a fresh installation of that.
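Added example (not from the thread or from StartupList itself): a small Python triage script for StartupList output that keys on the three things LWM and Dan spot above: the same program wired into both the HKLM and HKCU Run keys, a name that imitates a system binary (Iexplorer32.EXE vs IEXPLORE.EXE), and a process running out of the Temp folder. The embedded report excerpt is constructed in StartupList's format, and the KNOWN list of imitated binaries is an assumption.

```python
import re

# Constructed excerpt in StartupList's report format, modelled on the report in this thread.
SAMPLE_REPORT = r"""
Running processes:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\EJN1EA.tmp
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
C:\WINDOWS\system32\Iexplorer32.EXE slide = C:\WINDOWS\system32\Iexplorer32.EXE slide
"""
KNOWN = {"iexplore.exe", "explorer.exe", "svchost.exe", "rundll32.exe"}  # names malware imitates (assumed list)

def exe_name(command):  # lower-cased basename of the program a Run value or process line launches
    m = re.search(r'[A-Za-z]:\\[^"]*?\.(?:exe|tmp|com|scr)\b', command, re.I)
    return (m.group(0) if m else command.split()[0]).rsplit("\\", 1)[-1].lower()

def parse_report(text):  # -> (running process paths, {hive key: [command, ...]})
    processes, autoruns, state, hive = [], {}, None, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("Running processes:"):
            state = "proc"
        elif line.startswith("Autorun entries from Registry:"):
            state = "hive"                      # next line names the key
        elif line.startswith("----"):
            state = None                        # separator closes the section
        elif state == "proc":
            processes.append(line)
        elif state == "hive":
            hive, state = line, "entries"
            autoruns[hive] = []
        elif state == "entries":
            autoruns[hive].append(line.split(" = ", 1)[-1])
    return processes, autoruns

def triage(text):  # flags the three patterns the helpers in the thread keyed on
    processes, autoruns = parse_report(text)
    findings = [f"process running from a temp location: {p}" for p in processes if "\\temp\\" in p.lower()]
    hives_by_exe = {}                           # basename -> root hives that autorun it
    for hive, commands in autoruns.items():
        for command in commands:
            base = exe_name(command)
            hives_by_exe.setdefault(base, set()).add(hive.split("\\")[0])
            if base not in KNOWN and any(k[:-4] in base for k in KNOWN):
                findings.append(f"lookalike of a system binary in {hive}: {command}")
    for base, hives in hives_by_exe.items():
        if len(hives) > 1:                      # wired into both HKLM and HKCU Run keys
            findings.append(f"{base} registered in both {' and '.join(sorted(hives))}")
    return findings
```

Run it over a real StartupList report (which has the dashed separators between sections) with `triage(open("report.txt").read())`; the benign msmsgs.exe entry in the sample produces no finding.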

6. ### Dan Perez (Retired Moderator)

Oops, LWM, I didn't catch your response till I finished mine.

7. ### LWM

No problem, Dan.

Certainly downloading an evaluation copy of either TDS-3 or Trojan Hunter and doing a full scan would be a good idea seeing as there is something unexplained on the system.

However, the things seen so far may just be spyware related, so I'd also suggest going back to http://www.lurkhere.com/~nicefiles/ and downloading the first item listed there, SpyBot Search and Destroy v1.2... Install it; run its check for updates; and then scan for additional malware.

8. ### swati (Registered Member)

I'm running Norton AntiVirus. If it is bypassed, then which antivirus should I use? I have disabled the two entries; will that affect it?

Attached file: strt.GIF

9. ### LWM

Hang on swati - We do not know that Norton was bypassed. Let's leave that aside for the moment!

Did you reboot to see if that prevented what you were seeing?

After rebooting and letting us know the effect, I suggest using Spybot S&D next, per my above post.

10. ### Dan Perez (Retired Moderator)

I don't know, the appearance of the apparent tmp file in running processes seems to me to point to something more than spyware. Even if the movie thing disappears after a reboot, I would look again at the running processes to see if there is an apparent tmp file running from the local TMP dir.

11. ### LWM

Yes, it very well could be a problem Dan, but, before we have them reinstalling NAV, I would first like to see if the slide show goes away when the system is rebooted. Then, I'd like to see what Spybot finds. Then, perhaps one of the AT products...

One step at a time may be best here.

Edit: Oh, and yes I agree, rerunning StartupList is always part of the process until the job is fully done.

12. ### Dan Perez (Retired Moderator)

swati,

if you like, feel free to email me the two files

C:\WINDOWS\system32\Iexplorer32.EXE

and

the tmp file mentioned in the running process list.

You can use the email address I used to give you a heads up on our replies. This way we can check whatever results you get with your AV scanner and the Spybot app with my TDS, WG, KAV, PestPatrol, etc...

13. ### swati (Registered Member)

First of all, thanks to all of you who replied and helped me. I disabled it from msconfig and also ran the Spybot program, which caught some spam (I don't remember their names), then I restarted and now it starts normally. But I don't know if it deleted it or just disabled it.
Anyway, thanks to all of you; I am trying to send you the files.

14. ### LWM

Sounds good so far swati. After you've mailed Dan those files you need to decide which way you'd like to proceed. You can go get an evaluation copy of one of the AT products noted above and do an in-depth scan of your entire system for Trojans. This is a good idea.

You could try one of the more powerful online virus scanners, such as the Panda Scanner. (There's a link to it here: http://www.wilders.org/free_services.htm).

You can download GAV, a combo AV/AT product that is in Beta right now, but is very powerful. (See it here: http://www.gladiator-antivirus.com/)

You can also test your NAV to see if it is still scanning properly using the Eicar test file. (Get it here: http://www.eicar.org/) This might be a smart move, too, just to see that NAV is still working.

Oh, and of course, rerunning StartupList after a clean boot to see if you still have any questionable keys or programs running is always a good idea. You should keep StartupList and use it over time to see when things change.

15. ### Dan Perez (Retired Moderator)

An additional option (but requiring investing a bit of effort in setting up) is a Host Intrusion Detection Audit project I have been setting up, outlined at

http://sourceforge.net/projects/ntida

which is basically a few scripts using freely available utilities to audit critical aspects of your system (Auto-Start values, critical file hashes, port to process mappings, File and Registry ACL changes, ADStreams, etc.). I am still considering it beta as it hasn't been tested as widely as I think necessary for full release, but it should work fine.

Once I receive the files you are sending I will scan them with everything I have and then let you

16. ### swati (Registered Member)

Hi again. Yesterday I said that the problem was solved, but the problem still exists. After disabling it from startup it ran better, but after the 2nd restart it created itself again; now it is creating it again and again. I think it is due to eMule 0.29, because I'm using its cracked version. Last night I disabled it from startup and also disabled one thing in win.ini:
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
=====>> disabled below section [MCI Extensions.BAK]
;msconfig aif=MPEGVideo
;msconfig aifc=MPEGVideo
;msconfig aiff=MPEGVideo
;msconfig asf=MPEGVideo2
;msconfig asx=MPEGVideo2
;msconfig au=MPEGVideo
;msconfig ivf=MPEGVideo2
;msconfig m1v=MPEGVideo
;msconfig m3u=MPEGVideo2
;msconfig mp2=MPEGVideo
;msconfig mp2v=MPEGVideo
;msconfig mp3=MPEGVideo2
;msconfig mpa=MPEGVideo
;msconfig mpe=MPEGVideo
;msconfig mpeg=MPEGVideo
;msconfig mpg=MPEGVideo
;msconfig mpv2=MPEGVideo
;msconfig snd=MPEGVideo
;msconfig wax=MPEGVideo2
;msconfig wm=MPEGVideo2
;msconfig wma=MPEGVideo2
;msconfig wmp=MPEGVideo2
;msconfig wmv=MPEGVideo2
;msconfig wmx=MPEGVideo2
;msconfig wvx=MPEGVideo2

and then restarted it 4 or 5 times and it didn't come back, but now when I started eMule to download books it came back in the startup again,
but no antivirus is detecting any virus in eMule.
Any suggestions?

17. ### Dan Perez (Retired Moderator)

AntiVirus products will only indifferently detect Trojans. Your eMule may be trojaned, or you may have some other trojan in there (or both).

My own preferred AntiTrojan is TDS3 from

http://www.diamondcs.com.au/

18. ### Dan Perez (Retired Moderator)

Looking on eMule's site, they indicate that it is free (though they accept donations). Is it possible that someone released a so-called cracked version only to release a trojan they embedded in it?

19. ### swati (Registered Member)

I got this eMule from eDonkey:
eMule v0.29a offical noratio UPLOAD CRACK - complete Patch - Relased 05.jun.2003.NoMod. - hack - edonkey
Today I will check what happens if I don't run eMule.
If there is a way to check the exe of eMule then guide me and I will check it; you can also get this from eDonkey.
Thanks for the response.

20. ### Dan Perez (Retired Moderator)

The best way to check that a file is untampered is to run what is called a hash algorithm on the possibly suspect file and compare it against the hash of a "known good" file. There are various hash algorithms; the three most used are CRC (or its modified CRC32), MD5 and SHA1. Of these, the CRCs are possible to circumvent. I would recommend that you get the MD5 hash of these files.

The Homepage of eMule is

http://www.emule-project.net/index.php?s=home and you can download what is hopefully a safe version there (.29a IS the latest).

You can get a hash calculator (command-line) from