
Registered · 45 Posts · Discussion Starter · #1
I have that trojan in Win98. Help!
 

Super Moderator · 37,537 Posts

Registered · 45 Posts · Discussion Starter · #3
I found this Backdoor.Trojan that I can't seem to get rid of, even though Norton is up to date. I'm unable to quarantine it or delete it after it's found. What do I do?
 

Registered · 45 Posts · Discussion Starter · #5
Yea. I'm guessing that I have to be in Win 98 to get this to work. I can't get to Win 98 because explorer.exe is quarantined. Any other suggestions??
 

Registered · 221 Posts
Hi Rog... salbast can't get to Windows.

Salbast, try this:

Boot to DOS Mode - hold down the Ctrl key as Windows starts, or tap F8 repeatedly after you hear the POST beep. This will take you to a startup menu. Choose Command Prompt Only and press Enter.

At the C:\> prompt type cd windows and press Enter. Then type edit system.ini and Enter.

You will see a blue screen DOS editor. Scroll down until you find this line:

Shell=Explorer.exe

Edit out Explorer.exe and replace it with Winfile.exe. Click on File and choose Save, then File again and choose exit. Reboot. You will now be in a Windows 3.1 environment, which will look a little strange, but will allow you to replace Explorer.exe using SFC. You should then undo the changes made in system.ini and reboot.

I think there's more going on here than a backdoor trojan though. They like to go about their business quietly and undetected. Messing with Explorer.exe is not their usual M.O.
 

Registered · 45 Posts · Discussion Starter · #8
What's up, guys! Do you mean replace my non-existent Win98 explorer.exe with the windows2k.exe? Because when I was in the Win 3.x mode I couldn't find explorer.
 

Registered · 45 Posts · Discussion Starter · #10
OK... so where do I get this explorer.exe if it's missing???
 

Registered · 45 Posts · Discussion Starter · #12
I don't even have that options directory. I'm just going to reinstall Windows and see if that works.
 

Registered · 45 Posts · Discussion Starter · #13
OK. I re-installed Win98 and it's now working. But the virus is still there. How do I get rid of it? Am I going to have to format??
 

Registered · 45 Posts · Discussion Starter · #15
The Backdoor.Trojan infected:
c:\windows\msw1ndp.exe

--------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 10-26-2001 7:39:45.56a
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.53) - Release Date 8/19/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"POINTER"="C:\\PROGRA~1\\MICROS~1\\point32.exe"
"wcmdmgr"="C:\\WINDOWS\\wt\\updater\\wcmdmgrl.exe -launch"
"Vet Alert"="C:\\WINDOWS\\System\\VetMsg9x.exe"
"VetTray"="C:\\PROGRA~1\\INOCUL~1\\VETTRAY.EXE"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="C:\\WINDOWS\\SYSTEM\\mstask.exe"

==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.

These are the run and load lines in your WIN.INI file

run=

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.

This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)

These are your program startups and set paths in your autoexec.bat file

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.

These are the shortcuts located in your StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.

These are the shortcuts located in your All Users StartUp folder

C:\WINDOWS\All Users\Start Menu\Programs\StartUp\Data LifeGuard.lnk

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders

.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

-====================-
StubPaths - Registry (Partial Listing)
-====================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components

"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:WAB /CALLER:WIN9X /user /install"
"StubPath"="MSW1NUDP.exe 3564"

-=================-
WINSTART.BAT File - (c:\windows\winstart.bat)
-=================-

@if exist C:\WINDOWS\MSW1NUDP.exe goto it_exists
@copy %windir%\kcgmjv.bin C:\WINDOWS\MSW1NUDP.exe > NUL
:it_exists

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

REM DOS MOUSE DRIVER ADDED BY MICROSOFT INTELLIPOINT MOUSE SETUP
LH C:\PROGRA~1\MICROS~1\MOUSE\mouse.exe
LH AU30DOS.COM

-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

SCRNSAVE.EXE=C:\WINDOWS\SYSTEM\3DFLOW~1.SCR

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS

File - c:\Boot.ini
File - c:\windows\deletefi.ini

==========================================================================
__________________________________________________________________________

- End -
 

Registered · 221 Posts
It's late here... just some observations:

-====================-
StubPaths - Registry (Partial Listing)
-====================-
HKLM\Software\Microsoft\Active Setup\Installed Components

"StubPath"="MSW1NUDP.exe 3564" <-- migrate to this key and delete it.

-=================-
WINSTART.BAT File - (c:\windows\winstart.bat)
-=================-

@if exist C:\WINDOWS\MSW1NUDP.exe goto it_exists
@copy %windir%\kcgmjv.bin C:\WINDOWS\MSW1NUDP.exe > NUL
:it_exists


Rename winstart.bat to winstart.old.
 

Registered · 221 Posts
Hope my call on this is right. After the above, do a Find Files for MSW1NUDP.exe and kcgmjv.bin. Delete if found.

This is most unusual: never seen it before. Rog, Kento, Eddie and others will be along soon for further advice.
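The two persistence points HKEd picked out by eye, the Active Setup StubPath value that runs a bare filename and the winstart.bat that copies a hidden .bin into place at every boot, are exactly the kind of thing a small triage script can flag automatically. The following is an added example written for this thread; it is not part of the StartUp Log tool, nor any poster's instructions. It reads a StartUp Log report as pasted above (a shortened excerpt of the posted log is embedded as sample input), and the section titles and boundary rules it keys on are assumptions about that report layout rather than a documented format. It checks the win.ini run=/load= lines, the system.ini shell= line, every StubPath value, and any file-manipulating command in winstart.bat, and returns the findings as a list.

```python
"""Triage a Windows 9x "StartUp Log" report for the persistence points
discussed in this thread.

Added example (not part of the StartUp Log tool or of any poster's
instructions). It applies the same checks the posters made by eye:
Active Setup StubPath values, winstart.bat, the system.ini shell= line
and the win.ini run=/load= lines. Section titles and boundary rules are
assumptions about the report layout seen in the thread.
"""
import re

# Shortened excerpt of the log posted in the thread (only the sections
# the checks below read).
SAMPLE_LOG = r"""
7. WIN.INI File - (c:\windows\win.ini)

run=

load=

8. SYSTEM.INI File - (c:\windows\system.ini)

shell=Explorer.exe

-====================-
StubPaths - Registry (Partial Listing)
-====================-

HKLM\Software\Microsoft\Active Setup\Installed Components

"StubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"StubPath"="C:\\WINDOWS\\msnmgsr1.exe"
"StubPath"=""
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"
"StubPath"="\"C:\\PROGRA~1\\OUTLOO~1\\setup50.exe\" /APP:OE /CALLER:WIN9X /user /install"
"StubPath"="MSW1NUDP.exe 3564"

-=================-
WINSTART.BAT File - (c:\windows\winstart.bat)
-=================-

@if exist C:\WINDOWS\MSW1NUDP.exe goto it_exists
@copy %windir%\kcgmjv.bin C:\WINDOWS\MSW1NUDP.exe > NUL
:it_exists

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-
"""

# A report section ends at the next numbered heading or decorative rule.
BOUNDARY = re.compile(r"^(\d+\.\s|-=+-$|={10,}$|_{10,}$)")
STUBPATH = re.compile(r'^"StubPath"="(.*)"$')


def section(text, title_pattern):
    """Return the non-blank lines of the first section whose title matches."""
    lines, collecting = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not collecting:
            collecting = re.search(title_pattern, line) is not None
            continue
        if BOUNDARY.match(line):
            if lines:      # body collected, next section begins
                break
            continue       # decorative rule directly under the title
        if line:
            lines.append(line)
    return lines


def check_win_ini(text):
    """run= and load= should be empty; anything after '=' is a startup."""
    findings = []
    for line in section(text, r"^7\. WIN\.INI File -"):
        m = re.match(r"(?i)(run|load)=(.*)", line)
        if m and m.group(2).strip():
            findings.append(f"win.ini {m.group(1)}= launches: {m.group(2).strip()}")
    return findings


def check_shell_line(text):
    """shell= should name Explorer.exe and nothing else."""
    findings = []
    for line in section(text, r"^8\. SYSTEM\.INI File -"):
        m = re.match(r"(?i)shell=(.*)", line)
        if m and m.group(1).strip().lower() != "explorer.exe":
            findings.append(f"system.ini shell= is '{m.group(1).strip()}' (expected Explorer.exe)")
    return findings


def check_stubpaths(text):
    """Flag StubPath values whose program is not given by an absolute path."""
    findings = []
    for line in section(text, r"^StubPaths - Registry"):
        m = STUBPATH.match(line)
        if not m:
            continue
        # Undo .reg-style escaping: \\ -> \ and \" -> "
        value = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
        if not value:
            continue
        program = value[1:].split('"', 1)[0] if value.startswith('"') else value.split()[0]
        if not re.match(r"^[A-Za-z]:\\", program):
            findings.append(f"StubPath runs '{program}' without an absolute path: {value}")
    return findings


def check_winstart(text):
    """Flag winstart.bat lines that copy, rename, move or delete files."""
    findings = []
    for line in section(text, r"^WINSTART\.BAT File -"):
        cmd = line.lstrip("@ ").lower()
        if re.match(r"(copy|xcopy|ren|rename|move|del)\b", cmd):
            findings.append(f"winstart.bat manipulates files at boot: {line}")
    return findings


def triage(text):
    """Run every check and return the combined list of findings."""
    return (check_win_ini(text) + check_shell_line(text)
            + check_stubpaths(text) + check_winstart(text))


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("FLAG:", finding)
```

Run against the excerpt it reports two findings, the `MSW1NUDP.exe 3564` StubPath and the `@copy %windir%\kcgmjv.bin ...` line, and nothing for the win.ini or system.ini sections, which matches the thread's reading of the log. The checks are deliberately conservative: a StubPath that names a program without a drive-letter path and a boot-time batch file that writes executables are worth a look on any Win9x box, but a legitimate installer can produce either, so the output is a list to review, not a verdict.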
 

Registered · 45,855 Posts
Indeed it is, and a couple of months ago the StartUp Log would not have been able to spot such an exploit; it was only recently updated to do so. This appears to be its first "catch" for things in the StubPaths key and winstart.bat.

In case you're unfamiliar with registry editing, just go to Start and run regedit.

Navigate to the StubPaths key in question, right-click on it and delete it.
 

Registered · 54 Posts
Nice catch, HKEd.

Deleting the MSW1NUDP.exe and kcgmjv.bin in the Windows folder will definitely eliminate this bad boy trojan.
Deleting the MSW1NUDP.exe stubpath registry entry along with the winstart.bat rename will eliminate any startup error messages.

Great job, guys!!!

:)
 