IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation.
Status
Not open for further replies.
1 - 17 of 17 Posts

·
Registered
Joined
·
9 Posts
Discussion Starter · #1 ·
Hi:
Wondering if you can help me with this. When I am trying to run WinZip.exe, which I downloaded from the net, I get the following message:
"Winzip Self-Extractor Header corrupt.Possible cause:bad disk or file transfer error."
I tried running another downloaded version but still get the same message.

There is another program that I downloaded and am trying to install. I get the message:
"Installer CRC invalid". I feel this error is only with installation of any new downloaded software. What could be the problem?
Would appreciate your help.
Thanks.
Op : Win98
 

·
Super Moderator
Joined
·
37,795 Posts
Hiya and Welcome

I have just looked at the Winzip site. This is what they say:

Why am I suddenly getting "header corrupt" messages when I run self-extractors?
Frequently, the problem with corrupted self-extractors (and corrupted .zip files, as well) is that an error has been introduced into the file during download (e.g., by phone line noise). Normally, downloading the file again resolves the problem. If, however, repeated attempts to download the file do not result in a good copy, your computer may be infected by a virus.

In mid-1998, a new virus named CIH was released (it first showed up in Taiwan in June, 1998). Other names for this virus include "W95.CIH", "Chernobyl", and "Spacefiller". This virus has been reported in a large number of executable files, including self-extracting Zip files created using WinZip Self-Extractor.

This is not a problem in the WinZip or WinZip Self-Extractor applications distributed by WinZip Computing, Inc. Rather, the problem is that the self-extractor you're trying to run may have been infected with this virus. All executable files are susceptible to virus infection, and since self-extractors are executable files, they are susceptible to virus infection, as well.
http://www.winzip.com/xcih.htm

Did you scan the .exe before you ran it? Either way, can you do an online scan here:

http://housecall.antivirus.com/housecall/start_corp.asp

and also download Startup Log from here. Install and run it. Allow the DOS window to close, then copy/paste the list here:

http://home.earthlink.net/~rmbox/Reticulated/Toys.html

If we find the CIH virus on there, you may want to have a look at this:

http://www.symantec.com/avcenter/venc/data/cih.html

but wait until we've had a look at the startup log and you've done the virus scan.

Regards

eddie
 

·
Registered
Joined
·
9 Posts
Discussion Starter · #3 ·
Hi Eddie:
Thanks a ton for such a prompt reply. I am happy I joined this club.
Well, I will follow your instructions and then send you the start up log (by the end of the day). I got to leave for work now.
Thanks for your help. Will write soon.
r'gards
A.K
 

·
Registered
Joined
·
9 Posts
Discussion Starter · #4 ·
Hi Eddie:
Did run the Housecall antivirus. It found 25 files infected with the CIH virus. Cleaned 24. The one left is C:\WINDOWS\SYSTEM\DDHELP.EXE. Says it can't be cleaned as it is in use. I don't know how to clean this one.
And ya! I tried installing StartLog after downloading. But it asks for which application to use to open etc. (Winzip is still not installed as it still gives me the same error while installing).
So this is as far as I have gone. Do let me know what to do next. (How to install StartLog etc).
Also wish to thank you for your timely help.
regards
Akhil
 

·
Super Moderator
Joined
·
37,795 Posts

·
Registered
Joined
·
9 Posts
Discussion Starter · #6 ·
Hi Eddie:
Here u r:

---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 10-29-2001 9:36:54.86p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.53) - Release Date 8/19/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~1.DLL,NewDotNetStartup"
"Gator"="\"C:\\Program Files\\Gator.com\\Gator\\Gator.exe\""

==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"

*(RegPath not found..)*

==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]

==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"

==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.

These are the run and load lines in your WIN.INI file

run=C:\WINDOWS\SYSTEM\cmmpu.exe

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.

This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)

These are your program startups and set paths in your autoexec.bat file

rem - By Windows Setup - C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MTMIDE01 /M:10

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.

These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.

These are the shortcuts located in your All Users StartUp folder

*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders

.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]

-====================-
StubPaths - Registry (Partial Listing)
-====================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components

"OldStubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MTMIDE01 /M:10

-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-

==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS

==========================================================================
__________________________________________________________________________

- End -
And how do I remove CIH from DirectX as u mentioned?
Thanks
AK
 

·
Super Moderator
Joined
·
37,795 Posts
Hiya

Well, reading up on CIH, it looks like when it's there, it's there.

Looking at Symantec's site, there is a program that you can download called KILL_CIH.

The KILL_CIH tool will not detect or remove the W95.CIH virus from files; it will only disable the virus in memory so that an anti-virus program can remove the infection without inadvertently spreading the virus.
http://www.symantec.com/avcenter/kill_cih.html

Also, what I did notice in your startup was some spyware programs: Gator and New.net. You may want to try to remove these manually but if no joy, and even if you do uninstall, go here and download Ad-aware: www.lavasoftusa.com

Install and run, ensuring that deep registry scan is enabled. Remove all except any references to Web3000. You can post the list here.

Back to the problem in hand.

Use the CIH tool before you run a virus scan with your own Antivirus program.

Regards

eddie
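
The StartUp Log posted above can be triaged mechanically. The following is an added example, not part of the thread or of the StartUp Log tool: it parses the log's registry Run entries and its win.ini/system.ini lines, then applies the log's own stated rules (run= and load= empty, shell=Explorer.exe) plus a watch list. The function names are hypothetical, the watch terms are taken from the two programs named in the reply above, and the sample is constructed from lines of the posted log.

```python
import re

# Constructed sample: a few lines copied from the StartUp Log posted in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~1.DLL,NewDotNetStartup"
"Gator"="\"C:\\Program Files\\Gator.com\\Gator\\Gator.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"

run=C:\WINDOWS\SYSTEM\cmmpu.exe
load=
shell=Explorer.exe
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
INI_RE = re.compile(r'^(run|load|shell)=(.*)$', re.IGNORECASE)

def unescape(s):
    # Undo .reg-style escaping (a backslash protects the next character).
    return re.sub(r'\\(.)', r'\1', s)

def parse_startup_log(text):
    """Return (registry_entries, ini_lines) parsed from StartUp Log text."""
    entries, ini, key = [], {}, None
    for line in map(str.strip, text.splitlines()):
        if not line:
            key = None  # values directly follow their [HKEY_...] header
        elif (m := KEY_RE.match(line)):
            key = m.group(1)
        elif key and (m := VALUE_RE.match(line)):
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
        elif (m := INI_RE.match(line)):
            ini[m.group(1).lower()] = m.group(2).strip()
    return entries, ini

def review(entries, ini, watch=("gator", "new.net")):
    """Flag watch-listed autostarts and breaches of the log's own INI rules."""
    findings = []
    for _key, name, cmd in entries:
        if any(w in f"{name} {cmd}".lower() for w in watch):
            findings.append(("watchlist", name, cmd))
    for field in ("run", "load"):  # the log says both should be empty
        if ini.get(field):
            findings.append(("win.ini", field, ini[field]))
    if ini.get("shell", "Explorer.exe").lower() != "explorer.exe":
        findings.append(("system.ini", "shell", ini["shell"]))
    return findings

if __name__ == "__main__":
    print(review(*parse_startup_log(SAMPLE_LOG)))
```

The win.ini run= entry is flagged only because the log's own rule says that line should be empty; the thread does not identify that file.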
 

·
Registered
Joined
·
9 Posts
Discussion Starter · #8 ·
HI EDDIE:
RAN KILL_CIH.EXE. THEN LAVASOFT. IT FOUND 102 SPYWARE COMPONENTS. I REMOVED ALL EXCEPT WEB3000.
NOW I GUESS I WILL RUN THE ANTI VIRUS TO CLEAR CIH OUT OF THE SYSTEM ONCE AND FOR ALL.
ONE DRAWBACK THOUGH. I LOST GATOR WHICH HAD ALL MY PASSWORD INFO FOR ALL THE FORMS AND WEB BANKING AND VARIOUS OTHER WEB-SITES.
ANYWAY BETTER BE SAFE THAN SORRY.
CAN'T THANK YOU ENOUGH. AND YA! WINZIP IS INSTALLED AND RUNS FINE.
IT'S HEARTENING TO KNOW THAT THERE ARE GOOD SAMARITANS LIKE YOU WHO VOLUNTEER THEIR TIME AND RESOURCES TO HELP PEOPLE THEY DON'T EVEN KNOW.
HATS OFF TO YOU SIR!! MY PC IS ONCE AGAIN HEALTHY.
REGARDS ALWAYS,
AKHIL
 

·
Registered
Joined
·
9 Posts
Discussion Starter · #10 ·
HI EDDIE:
I DO HAVE THREE COMPONENTS OF WEB3000. I THOUGHT YOU SAID REMOVE EVERY SPYWARE COMPONENT BESIDES WEB3000.
SO THAT'S WHAT I DID.
AS OF NOW I STILL HAVE 3 COMP. OF WEB3000. IS IT A PROBLEM?
PLEASE ADVISE.
THANKS
AKHIL
 

·
Super Moderator
Joined
·
37,795 Posts
Hiya

Sorry about that. It's just that I put about Web3000 as standard as it's one of the little sods that you need to manually remove. When I saw it in your reply, it got me thinking.

Here it is:

http://www.uninet.net/~blaisdel/web3000.htm#Removing Web3000

And here's a snippet

Warning: Do not use AD-aware to remove Web3000 without first removing the host software. Web3000 replaces wsock32.dll (C:\Windows\System\Wsock32.dll) and possibly other Windows system files. These will not be restored if AD-aware is used first. By default, users of Windows Millennium, may be protected. Windows Me stores files in protected form. The System File Protection (SFP) prevents a user from installing software that might make the operating system unstable. To learn more about SFP see my Windows Millennium Help and How to page.

Keep Windows Me safe with System File Protection

First figure out which software installed is using Web3000, then uninstall that software using the Windows Control panel, add/remove software window. This should also uninstall most of Web3000 also, and restore the Windows files that were replaced. Then run Lavasoft's AD-aware utility www.lavasoft.de to clean up the loads of junk left behind by Web3000.

If the software title isn't listed in the Windows Control panel, add/remove software window, try reinstalling it. This may force it into the list. Then uninstall it as outlined above, then run AD-aware. If you can't get the software host to show up in the uninstall window, contact Tech Support for the particular program for exact directions on removing it, including Registry keys and all files.
If you have any problems, let us know.

Regards

eddie
 

·
Super Moderator
Joined
·
37,795 Posts
Hiya

Do you have many programs on your machine? It may be something that you downloaded from the web, so if you can think of any, post them here and we'll find out for you.
If not, you could try listing all your programs, except Microsoft stuff.

Regards

eddie
 

·
Super Moderator
Joined
·
37,795 Posts
Hiya

Off the top of my head, I can see that you have Kazaa. That is a major piece of Spyware software. This could be the one. I know it's good for files, etc, but it's still spyware.

Lavasoft is your Ad-aware. I don't have my bookmarks here at work, but remove Kazaa for now. I'll double-check the others when I get home but I think this is the only one.

Regards

eddie
 

·
Registered
Joined
·
9 Posts
Discussion Starter · #16 ·
Hi Eddie:
In pursuance with my efforts to keep my PC virus-free, I am trying to install Norton Antivirus 2002. But I get the error message
"illegal operation performed etc". Details are as follows:

MSIEXEC caused an invalid page fault in
module MSIEXEC.EXE at 015f:00400280.
Registers:
EAX=00400280 CS=015f EIP=00400280 EFLGS=00010a82
EBX=00530000 SS=0167 ESP=0063fe3c EBP=0063ff78
ECX=817059f0 DS=0167 ESI=817059d0 FS=4987
EDX=81705a30 ES=0167 EDI=00000000 GS=0000
Bytes at CS:EIP:
00 00 00 00 00 00 00 00 4b 45 52 4e 45 4c 33 32
Stack dump:
bff8b537 00000000 817059d0 00530000 6569734d 00636578 00455845 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000

I tried going to the Norton site for info on this. It does give some solution for MSIEXEC.EXE at 015f:00400288 but not 400280.
I tried whatever is mentioned but still get the same illegal error message.
It's something to do with the Win Installer file. I can see it under Win/system on my PC, but what the prob is, I can't understand.
Can u throw some light on this if u can spare the time?
Thanks and regards,
AKhil
 