User Problem (Worm ?)

Discussion in 'malware problems & news' started by antg, Sep 7, 2003.

Thread Status:
Not open for further replies.
  1. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Hi Pieter,

    Could you please cast your [Legendary] eye over this log and advise... possible worm?

    Thanks so much

    Antg :)
     

    Attached Files:

  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antg,

    Have a look at this page: http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html
    You will find instructions for removal and links to the patch and a removal tool.

    As an extra you have this entry I can't find any info about:
    F0 - system.ini: Shell=explorer.exe attend.exe
    What is attend.exe and what is it doing there?

    Regards,

    Pieter
     
  3. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Pieter, I have no idea... Its properties say it was created in 1999... B4 this computer was born, I think

    antg

    want me to send it to you? 16KB
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Please do. I'll see what I can make of it.
    You clean out that worm in the meantime, ok?

    Regards,

    Pieter
     
  5. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    OK, I'll email it to you. I went to Symantec and downloaded the Blaster worm tool but it says no Blaster worm found on this PC.

    My virus tester says I have a win32.Nachi.a worm at windows\system32\wins\dllhost.exe. Can I delete it?

    antg
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antg,

    Yes you can delete that one: http://www.bitdefender.com/bd/site/virusinfo.php?menu_id=1&v_id=151
    The name put me off, but that is Welchia.A.
    Note that there is a tool available for that one at the link above.

    Regards,

    Pieter
     
  7. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    dllhost.exe deleted.

    Let me know 'bout that attend.exe file when you have a sec.

    "How is the average Joe to deal with this problem continuously - more prosecutions needed against the perpetrators!"

    antg
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antg,

    This attend.exe is puzzling me. It appears to be a (renamed) copy of a legit Windows 98 file called CHLINST.EXE.
    Could you see if you can find CONTENT.INF and CDCACHE.EXE on your computer and mail me those as well?

    Regards,

    Pieter
     
  9. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Pieter those files don't show up

    :oops:
    antg
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antg,

    That is extra strange. Both get called from that attend.exe.
    Let's not waste too much time trying to figure this out.
    Find system.ini in your Windows folder, make a copy and rename that to systemini.bak
    Then have HijackThis Fix:
    F0 - system.ini: Shell=explorer.exe attend.exe
    and reboot.

    Keep us posted. I will send attend.exe to some people who are way better at this. I will let you know if they come up with something interesting.

    Regards,

    Pieter
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Pieter, allow me two questions burning over here:
    -- which Windows version are you using currently, Antg?
    Oops, just saw in the hjt file you're on Win2000, so the file most probably should not belong on your system at all, including those files it's pointing to. Which makes the next question more logical:
    -- could this be part / rest / result of an infection spreading around other people's files and because of something was able to add itself to that place?
    Googling around I see for instance a file with that name added to a Yahoo newsgroup message, looking rather suspicious; I copied it to a txt file and looked at the avp.ru online virus scan, which didn't find anything in it, but it does look strange.

    I found only the first file in an old IE 4 backup and nowhere else, so I don't think you should have it at all if using a newer IE version.

    Hope these questions help somewhat?
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Jooske,

    You are running 98, right?
    Could you mail me your CHLINST.EXE so I can compare it with what antg sent me?
    Or if you want a copy of antg's file, let me know.

    Regards,

    Pieter
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You should have the first two by now.
    The first is a channel installation file, like we have in IE for installing the channels for first connections to the internet; guess that's what it is, as I found it in two old places, not in the current one.
    The second, content.inf, I found in an older windows/inf and it looks like the settings of the browser.
    The third I thought maybe part of RealPlayer, which was originally integrated with Windows/IE, and could maybe be a CD cache for played CDs -- sounds more or less logical -- but without checking the file it's hard to say!
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Jooske,

    Thanks for the files.
    Some minor differences, not due to versions.
    Both are 4.72.3110.0.
    *Pieter gets his magnifying glasses and is off hunting

    Regards,

    Pieter
     
  15. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Found some more old copies on other age-old backups, but I think it is not the file but some infection that renamed original files to something else so they could no longer be found when using the programs they belonged to.
    And maybe some email infection mailed that garbage around, which nested itself somehow in the place where you found it.
    If this was part of Blaster or another recent one it would have been named in more descriptions.
    The file itself will be completely innocent, just renamed.
    Any ideas how long it could have been on your system illegally, or when was it created on your system? The properties should be able to show you.
    Might have been a long, long time surfing around on the internet to rest safely in your system, completely harmless most probably.
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
  17. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    The properties of the file say it was created in 1999 [ before the PC was born, I think ]

    It is a home PC so I will do as you suggested after work.
    Thanks people ;)

    antg
     
  18. antg

    antg Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    22
    Hi Pieter, two things:
    1] I am not familiar with checking the registry, any tips?
    2] I made a backup of system.ini, but is it a matter of just running HijackThis? Do I have to set it to do what you suggested? "Then have HijackThis Fix:
    F0 - system.ini: Shell=explorer.exe attend.exe
    and reboot."

    antg
     
  19. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi antg,

    If you've never been in the registry before, be careful not to delete or change anything manually without a backup. So far we have no plans to do so.

    Click Start > Run > type or copy&paste regedit > click OK

    You will see a screen similar to Explorer; by clicking the pluses (similar to opening folders in Explorer) navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer
    If you see a "folder" called Channels in there, select it.
    Then click Registry (upper left corner) > Export registry-file

    That will create a .reg file at the location you select. Open that file in Notepad and post its content here.

    After making the copy of system.ini, run HijackThis, put a checkmark in front of
    F0 - system.ini: Shell=explorer.exe attend.exe
    and click Fix checked.

    Regards,

    Pieter
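    A small check for the F0 entry this thread keeps coming back to, added here as an example that is not part of the thread and not HijackThis code: it scans a system.ini (a constructed sample is embedded) for anything appended to the Shell= line in [boot] and rebuilds the HijackThis-style F0 line for it.

```python
"""Flag extra programs on the Shell= line of a Windows system.ini.

Added example, not from the thread or HijackThis. Shell= in [boot]
names the program started as the Windows shell; only "explorer.exe"
is expected, so anything appended (the thread's "attend.exe") runs
at every logon and deserves a closer look.
"""

LEGIT_SHELL = "explorer.exe"

# Constructed sample, modelled on the F0 line quoted in the thread.
SAMPLE_SYSTEM_INI = """\
[386Enh]
woafont=dosapp.fon

[boot]
Shell=explorer.exe attend.exe
drivers=mmdrv.dll
"""


def boot_shell_value(ini_text):
    """Return the raw Shell= value from [boot], or None if absent."""
    # Hand-rolled scan: system.ini keys are case-insensitive and may
    # repeat, which trips configparser's default strict mode.
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "boot" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "shell":
                return value.strip()
    return None


def extra_shell_programs(shell_value):
    """Everything on the Shell= line except the expected explorer.exe."""
    programs = [p.strip('"') for p in (shell_value or "").split()]
    return [p for p in programs if p.lower() != LEGIT_SHELL]


def hijackthis_f0_line(ini_text):
    """HijackThis-style F0 line for a suspicious Shell=, else None."""
    value = boot_shell_value(ini_text)
    if not extra_shell_programs(value):
        return None
    return "F0 - system.ini: Shell=" + value
```

    Feed it the contents of your own system.ini and a None result means the Shell= line carries only explorer.exe; any string returned is the line to look into.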
     