Do I have a Virus/Worm?

God
Grafter
Posts: 1,112
Registered: 30-07-2007

Do I have a Virus/Worm?

Two reasons for this post, one to ask a question and the other, hopefully provide useful information for others:
I have a non-Windows (and I must admit slightly dubious) executable file that has sat on two of my PCs for several months and therefore regularly scanned by several different antivirus and antispyware programs without being flagged. However, today it was flagged by Avast. I then downloaded Trend and scanned with that, it wasn't flagged.
Then (the useful bit for those that don't already know) I uploaded the file to www.virustotal.com where it was checked automatically by about 30 scanners including most of the big names and came up with varying results:
Antivirus Version Last Update Result
AhnLab-V3 2007.10.20.0 2007.10.19 -
AntiVir 7.6.0.27 2007.10.21 -
Authentium 4.93.8 2007.10.20 -
Avast 4.7.1051.0 2007.10.21 Win32:Trojan-gen {UPX}
AVG 7.5.0.488 2007.10.21 -
BitDefender 7.2 2007.10.21 -
CAT-QuickHeal 9.00 2007.10.20 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.10.21 -
DrWeb 4.44.0.09170 2007.10.21 -
eSafe 7.0.15.0 2007.10.15 suspicious Trojan/Worm
eTrust-Vet 31.2.5225 2007.10.20 -
Ewido 4.0 2007.10.21 -
FileAdvisor 1 2007.10.21 -
Fortinet 3.11.0.0 2007.10.19 Agent.GAU!tr
F-Prot 4.3.2.48 2007.10.20 -
F-Secure 6.70.13030.0 2007.10.21 -
Ikarus T3.1.1.12 2007.10.21 Virus.Win32.Trojan
Kaspersky 7.0.0.125 2007.10.21 -
McAfee 5145 2007.10.19 -
Microsoft 1.2908 2007.10.21 -
Norman 5.80.02 2007.10.19 -
Panda 9.0.0.4 2007.10.21 -
Prevx1 V2 2007.10.21 -
Rising 19.45.62.00 2007.10.21 -
Sophos 4.22.0 2007.10.21 Troj/Agent-GAU
Sunbelt 2.2.907.0 2007.10.20 VIPRE.Suspicious
Symantec 10 2007.10.21 -
TheHacker 6.2.9.103 2007.10.21 -
VBA32 3.12.2.4 2007.10.19 -
VirusBuster 4.3.26:9 2007.10.21 -
Webwasher-Gateway 6.6.1 2007.10.21 Win32.Malware.gen!80 (suspicious)

Additional information
File size: 237056 bytes
MD5: a357c09f259edac1920375cb2df01545
SHA1: 9323ff10e7ed5206e56a37780f16063273d61bc9
packers: UPX
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Now this seems like a great free service. I hope folks here find it of value.
The question? Well, searching for info on the net I found a forum posting saying that I need to delete the following key :
HKEY_CURRENT_USER>Software>Microsoft>
Windows>CurrentVersion>Run
In the right panel, locate and delete the entry:
IExplorer = "C:\Arquivos de programas\IExplorer.EXE"

However this doesn’t appear on either of my machines. Has anyone come across this malware before? I am still wondering if it is possibly a false positive.
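The multi-scanner report above is a case where a few engines fire on generic or heuristic signatures (Trojan-gen, VIPRE.Suspicious, DNAScan) while only two name a family. The following is an added example, not part of the original post, that parses lines in the same layout and separates named detections from heuristic ones; the sample rows are constructed from the report above and the verdict thresholds are my own assumption, not a VirusTotal rule.

```python
import re

# Constructed sample in the same layout as the report above:
# engine, version, signature date, result ("-" means no detection).
SAMPLE_REPORT = """\
Avast 4.7.1051.0 2007.10.21 Win32:Trojan-gen {UPX}
AVG 7.5.0.488 2007.10.21 -
CAT-QuickHeal 9.00 2007.10.20 (Suspicious) - DNAScan
eSafe 7.0.15.0 2007.10.15 suspicious Trojan/Worm
Fortinet 3.11.0.0 2007.10.19 Agent.GAU!tr
Kaspersky 7.0.0.125 2007.10.21 -
Sophos 4.22.0 2007.10.21 Troj/Agent-GAU
Sunbelt 2.2.907.0 2007.10.20 VIPRE.Suspicious
Webwasher-Gateway 6.6.1 2007.10.21 Win32.Malware.gen!80 (suspicious)
"""

# One row: engine, version, YYYY.MM.DD date, then the free-text result.
ROW = re.compile(r"^(?P<engine>\S+)\s+(?P<version>\S+)\s+"
                 r"(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.*)$")
# Markers that indicate a heuristic/generic signature rather than a named family.
HEURISTIC = re.compile(r"suspicious|generic|\bgen\b|-gen|heur|dnascan", re.IGNORECASE)


def summarize(report: str) -> dict:
    """Count engines and detections, splitting named from heuristic hits."""
    engines = detections = 0
    named, heuristic = [], []
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m:                      # header or blank line
            continue
        engines += 1
        result = m["result"].strip()
        if result == "-":
            continue
        detections += 1
        (heuristic if HEURISTIC.search(result) else named).append(m["engine"])
    return {"engines": engines, "detections": detections,
            "named": named, "heuristic": heuristic}


def verdict(summary: dict) -> str:
    """Assumed triage rule: two or more named detections outweigh any number
    of heuristic flags; heuristic-only hits (common on UPX-packed files) need
    sandbox or manual review before acting."""
    if len(summary["named"]) >= 2:
        return "likely malicious"
    if summary["detections"]:
        return "inconclusive: only heuristic/generic flags"
    return "no detections"
```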
MikeWhitehead
Grafter
Posts: 748
Registered: 19-08-2007

Re: Do I have a Virus/Worm?

It isn't actually asking to delete Internet Explorer, but rather stopping the IExplorer.EXE file from running on startup. The Internet Explorer executable is called iexplore.exe, and I don't really see why an English (I presume?) copy of Windows would have a Portuguese folder name for anything that was legit.
Post a HJT log and I'll look at it when I get in tomorrow, but it will no doubt be checked before then by PJ and others Smiley
My verdict without the log: Delete the registry key.
God
Grafter
Posts: 1,112
Registered: 30-07-2007

Re: Do I have a Virus/Worm?

The key doesn't exist. I will post the log in a couple of mins.
God
Grafter
Posts: 1,112
Registered: 30-07-2007

Re: Do I have a Virus/Worm?

Hijackthis had some errors when running. But the output is as follows:
Logfile of HijackThis v1.99.1
Scan saved at 23:35:20, on 21/10/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\GamesByEmail\My Turns Notifier\GbeMyTurns.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\PROGRAM FILES\ITUNES\ITUNESHELPER.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Diino\Diino.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: GBE My Turns Notifier.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{16F11F71-0373-4C18-8919-692E832D0349}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{16F11F71-0373-4C18-8919-692E832D0349}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{16F11F71-0373-4C18-8919-692E832D0349}: NameServer = 192.168.0.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Unknown owner - C:\Program Files\Trend Micro\BM\TMBMSRV.exe" /service (file missing)
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
I think just to be safe the best thing is for me to roll the vista box back, then I will install the Acronis 'Try and Decide' safety feature. I am more concerned about the XP box which is more hassle for me to roll back.
Having double checked, I don't think the offending file now exists on the XP box (or if it does it is deep in an archive). Am I right in thinking that if Avast picks up the 'infected' exe it should also detect the payload if it has already been deployed?
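When reading O4 lines from a log like the one above, the two things worth checking are where the autorun image lives and whether its name mimics a legitimate binary (the thread's IExplorer.EXE versus the real iexplore.exe). This added example is not from the thread or from HijackThis: it parses O4 Run entries, pulls out the image path (including quoted and RUNDLL32 forms) and flags the ones a reviewer should look at. The sample log is constructed from lines in this thread, and the trusted-directory list and lookalike table are assumptions for illustration.

```python
import re

# Constructed sample: real lines from the log above plus the entry the
# original post was told to look for.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [IExplorer] C:\Arquivos de programas\IExplorer.EXE
O4 - Startup: GBE My Turns Notifier.lnk = ?
"""

# HijackThis O4 Run line: hive, [entry name], command line.
O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Assumed: directories where autorun images are expected on this kind of box.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\",
                    "%programfiles%\\", "%windir%\\", "%systemroot%\\")
# Assumed lookalike table: filename seen -> legitimate binary it imitates.
LOOKALIKES = {"iexplorer.exe": "iexplore.exe"}


def image_path(cmd: str) -> str:
    """Extract the executable or DLL path from a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path with arguments
        return cmd[1:cmd.index('"', 1)]
    if cmd.lower().startswith("rundll32.exe "):  # RUNDLL32.EXE path.dll,Entry
        cmd = cmd.split(" ", 1)[1]
    m = re.match(r"(.+?\.(?:exe|dll))(?=[\s,]|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def triage(log: str) -> list:
    """Return (entry name, path, reason) for Run entries that need review.
    A hit is a prompt to inspect, not a malware verdict."""
    findings = []
    for line in log.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        path = image_path(m["cmd"])
        base = path.rsplit("\\", 1)[-1].lower()
        if base in LOOKALIKES:
            findings.append((m["name"], path, f"name resembles {LOOKALIKES[base]}"))
        elif not path.lower().startswith(TRUSTED_PREFIXES):
            findings.append((m["name"], path, "outside standard program directories"))
    return findings
```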
MikeWhitehead
Grafter
Posts: 748
Registered: 19-08-2007

Re: Do I have a Virus/Worm?

All looks fine to me. Only things are the GamesByEmail things, but I assume you know what these are.
C:\Program Files\GamesByEmail\My Turns Notifier\GbeMyTurns.exe
O4 - Startup: GBE My Turns Notifier.lnk = ?

Hope this helps Smiley
God
Grafter
Posts: 1,112
Registered: 30-07-2007

Re: Do I have a Virus/Worm?

Thanks for that gents. Yes the games by email turn checker is a known process on my machines. I will roll my Vista box back simply because the way I have it set up it is so easy to do with little disruption just some apps re-installs (all data is on another partition).
A full scan of the XP box with Avast found nothing so I guess I might run a test with another security program and then let it pass.
I did test the file with another AV package at the time of downloading and it appeared clean, I will be more careful in future! Next time I need to take a trip to the dark side I will check the file on www.virustotal.com and then also run the exe in a controlled space (Acronis/Sandboxie).
Firejack
Grafter
Posts: 921
Registered: 26-06-2007

Re: Do I have a Virus/Worm?

Quote from: God
...www.totalvirus.com ....
Shouldn't that be http://www.virustotal.com/ ? Smiley
fceluk
Grafter
Posts: 164
Registered: 06-08-2007

Re: Do I have a Virus/Worm?

At the risk of stating the obvious.
Please be aware that roll-backs can re-introduce a virus painstakingly removed from a system if a restore point was created while infected.
God
Grafter
Posts: 1,112
Registered: 30-07-2007

Re: Do I have a Virus/Worm?

Quote from: fcel
At the risk of stating the obvious.
Please be aware that roll-backs can re-introduce a virus painstakingly removed from a system if a restore point was created while infected.

Yes, it should have been! I have been back and changed them so nobody picks up the wrong site.
God
Grafter
Posts: 1,112
Registered: 30-07-2007

Re: Do I have a Virus/Worm?

Quote from: fcel
At the risk of stating the obvious.
Please be aware that roll-backs can re-introduce a virus painstakingly removed from a system if a restore point was created while infected.

Yup, I am rolling back to a point before that file was executed or stored on the machine. Wink