need to figure out if an .scr file contains a security threat - Page 2



Re: need to figure out if an .scr file contains a security threat

wrote:

I can't find "CA4896E7" when searching the registry, so I guess that
key is missing from the registry.


This is one of the keys I found that are associated with 'syshelps'.
I've found 5 of such keys and listed them in my other posting.


I'm pretty sure these files are already deleted.




Re: need to figure out if an .scr file contains a security threat


| wrote:
|>> Ah, that explains why AVG gave me an alert about a 'syshelps.dll'
|>> file... bit late though after my computer had already been infected.
|
| I can't find "CA4896E7" when searching the registry, so I guess that
| key is missing from the registry.
|

It may randomize the CLSID value.  Thus what I obtained was different from what
you found.  However, it still created the same file and that was the "key".

I think you have a handle on this now and I doubt you need to reformat your PC.

Both the DLL and SCR file were submitted to numerous anti-malware companies.

McAfee came back on the SCR as "w32/sdbot.worm.gen.ca" and provided an interim
EXTRA.DAT file.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: need to figure out if an .scr file contains a security threat



|
| Ah, that explains why AVG gave me an alert about a 'syshelps.dll'
| file... bit late though after my computer had already been infected.

Complete scanning result of "syshelps.dll", processed in VirusTotal at
06/16/2007 04:52:30 (CET).

[ file data ]
* name: syshelps.dll
* size: 23016
* md5.: aacb24330feafef87101314b4195cb8f
* sha1: 772f20be59f6377cbad014f388b8334c820c8457

[ scan result ]
AhnLab-V3 2007.6.16.0/20070615 found [Win-Trojan/ShadoBot.22016.B]
AntiVir 7.4.0.32/20070615 found [Worm/IRCBot.23016]
Authentium 4.93.8/20070616 found nothing
Avast 4.7.997.0/20070615 found nothing
AVG 7.5.0.467/20070615 found [BackDoor.Generic7.EAK]
BitDefender 7.2/20070616 found [Backdoor.IRCBot.ABDD]
CAT-QuickHeal 9.00/20070615 found [Backdoor.IRCBot.acd]
ClamAV devel-20070416/20070616 found nothing
DrWeb 4.33/20070615 found [Win32.HLLW.Sodoku]
eSafe 7.0.15.0/20070614 found [Win32.Mubla]
eTrust-Vet 30.7.3721/20070615 found nothing
Ewido 4.0/20070615 found [Backdoor.IRCBot.acd]
F-Prot 4.3.2.48/20070615 found nothing
F-Secure 6.70.13030.0/20070615 found [Backdoor.Win32.IRCBot.acd]
FileAdvisor 1/20070616 found [Not analyzed yet]
Fortinet 2.85.0.0/20070616 found [W32/IRCBot.ACD!tr.bdr]
Ikarus T3.1.1.8/20070615 found [Backdoor.Win32.IRCBot.acd]
Kaspersky 4.0.2.24/20070616 found [Backdoor.Win32.IRCBot.acd]
McAfee 5054/20070615 found nothing
Microsoft 1.2607/20070616 found nothing
Norman 5.80.02/20070615 found nothing
Panda 9.0.0.4/20070616 found [Malware Generic]
Prevx1 V2/20070616 found nothing
Sophos 4.18.0/20070612 found nothing
Sunbelt 2.2.907.0/20070614 found [W32.Mubla]
TheHacker 6.1.6.133/20070615 found [Backdoor/IRCBot.acd]
VBA32 3.12.0.2/20070615 found [Win32.HLLW.Sodoku]
VirusBuster 4.3.23:9/20070615 found [Backdoor.IRCBot.AYW]
Webwasher-Gateway 6.0.1/20070616 found nothing

[ notes ]
Bit9 info:
http://fileadvisor.bit9.com/services/extinfo.aspx?md5=aacb24330feafef87101314b4195cb8f


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: need to figure out if an .scr file contains a security threat

wrote:

When searching for files with "syshelps" in the filename, I find no
such files on my local drives.
So I assume BitDefender got rid of the 'syshelps.dll' file.

When searching for "syshelps" in the registry, I find:

HKCR\CLSID\\InProcServer32
"(Default)" = "syshelps.dll"

HKCR\CLSID\\InProcServer32
"(Default)" = "syshelps.dll"

HKLM\SOFTWARE\Classes\CLSID\
\InProcServer32
"(Default)" = "syshelps.dll"

HKLM\SOFTWARE\Classes\CLSID\
\InProcServer32
"(Default)" = "syshelps.dll"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
\ShellServiceObjectDelayLoad
"syshelps" = ""


Should I get rid of all these suspicious entries in the registry?


Re: need to figure out if an .scr file contains a security threat


| wrote:
|>> It doesn't mean they are one and the same.
|>>
|>> It could be the same BUT... a different variant.
|>>
|
| When searching for files with "syshelps" in the filename, I find no
| such files on my local drives.
| So I assume BitDefender got rid of the 'syshelps.dll' file.
|
| When searching for "syshelps" in the registry, I find:
|
| HKCR\CLSID\\InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKCR\CLSID\\InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKLM\SOFTWARE\Classes\CLSID\
| \InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKLM\SOFTWARE\Classes\CLSID\
| \InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
| \ShellServiceObjectDelayLoad
| "syshelps" = ""
|
| Should I get rid of all these suspicious entries in the registry?

Delete the following...

HKCR\CLSID\\InProcServer32
HKCR\CLSID\\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\
HKLM\SOFTWARE\Classes\CLSID\
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\syshelps

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
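The registry entries listed above are a ShellServiceObjectDelayLoad (SSODL) persistence chain: a value under SSODL names a CLSID, and that CLSID's InProcServer32 key names the DLL Explorer loads at logon (here syshelps.dll). The following is an added example, not code posted in this thread, that audits that chain on a live machine: it flags SSODL values whose data is not a GUID, CLSIDs with no InProcServer32, DLLs given as a bare filename, DLLs missing on disk (the dangling case a registry cleaner would catch), and DLLs whose MD5 matches the syshelps.dll hash from the VirusTotal report above. It assumes only the built-in registry provider and PowerShell 4 or later for Get-FileHash.

```powershell
# Added example (not from the thread): audit SSODL -> CLSID -> InProcServer32 -> DLL.
$SsodlPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
$ClsidRoots  = @('HKLM:\SOFTWARE\Classes\CLSID', 'Registry::HKEY_CLASSES_ROOT\CLSID')
$KnownBadMd5 = 'AACB24330FEAFEF87101314B4195CB8F'   # syshelps.dll MD5 from the VirusTotal report
$GuidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# Look up the DLL registered for a CLSID; returns $null if no InProcServer32 exists.
function Resolve-InProcServer32 {
    param([string]$Clsid)
    foreach ($root in $ClsidRoots) {
        $key = Join-Path $root "$Clsid\InProcServer32"
        if (Test-Path -LiteralPath $key) {
            $dll = (Get-ItemProperty -LiteralPath $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll) }
        }
    }
    return $null
}

$entries = Get-ItemProperty -LiteralPath $SsodlPath
foreach ($prop in $entries.PSObject.Properties) {
    # Skip the provider metadata the registry provider attaches to every item.
    if ($prop.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
    $findings = @()
    $clsid = [string]$prop.Value
    if ($clsid -notmatch $GuidPattern) {
        # Covers the empty data seen in the thread ("syshelps" = "").
        $findings += "data '$clsid' is not a CLSID"
    } else {
        $dll = Resolve-InProcServer32 $clsid
        if (-not $dll) {
            $findings += 'no InProcServer32 for this CLSID (dangling entry)'
        } elseif (-not [IO.Path]::IsPathRooted($dll)) {
            # A bare name like "syshelps.dll" is found via the DLL search order, not a fixed path.
            $findings += "bare filename '$dll' resolved via DLL search order"
        } elseif (-not (Test-Path -LiteralPath $dll)) {
            $findings += "DLL missing on disk: $dll"
        } else {
            $md5 = (Get-FileHash -LiteralPath $dll -Algorithm MD5).Hash
            if ($md5 -eq $KnownBadMd5) { $findings += 'MD5 matches the syshelps.dll sample' }
        }
    }
    $status = if ($findings) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1,-20} {2,-40} {3}' -f $status, $prop.Name, $clsid, ($findings -join '; ')
}
```

Run it from an elevated prompt before and after the deletions Dave lists so the "ok" lines confirm that only the syshelps entry was removed.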



Re: need to figure out if an .scr file contains a security threat

wrote:

Ok, let me just get this exactly right... these four keys all seem
similar and I have a screenshot of the first one:

http://www.ibbu.nl/~nsprakel/regedit1.jpg

I assume I can right-click the selected item (visible in the
screenshot) on the left pane and pick 'delete' from the pop-up menu,
right?



This key is different... I have another screenshot:

http://www.ibbu.nl/~nsprakel/regedit2.jpg

I assume in this case, I right-click the selected item (visible in the
screenshot) on the right pane and pick 'delete' from the pop-up menu,
right?





Re: need to figure out if an .scr file contains a security threat



|
| Ok, let me just get this exactly right... these four keys all seem
| similar and I have a screenshot of the first one:
|
| http://www.ibbu.nl/~nsprakel/regedit1.jpg
|
| I assume I can right-click the selected item (visible in the
| screenshot) on the left pane and pick 'delete' from the pop-up menu,
| right?
|
|
| This key is different... I have another screenshot:
|
| http://www.ibbu.nl/~nsprakel/regedit2.jpg
|
| I assume in this case, I right-click the selected item (visible in the
| screenshot) on the right pane and pick 'delete' from the pop-up menu,
| right?
|

Bingo!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: need to figure out if an .scr file contains a security threat

wrote:

Ok, thanks a lot for the extensive help (also muchas gracias to all
other people in this thread)!
I'm sure glad I won't have to format my entire HD.
I'll scan my computer once more with BitDefender and Kaspersky to be
sure it's clean and I'll report back if anything suspicious turns up.


Re: need to figure out if an .scr file contains a security threat



If I may butt in, after doing the above, image your hard drive to a
USB drive, from which you could burn it to DVDs. Repeat weekly, making
incremental backups weekly and full backups monthly, to avoid future
anguish. The probability of getting screwed by malware or a bad
install is proportional to the time since last image. I also back up
critical files to a slave drive hourly, using Cobian Backup.

Larry

Re: need to figure out if an .scr file contains a security threat


Most of the stuff that I've spent a lot of time on, like various stuff
collected on p2p, is backed up on external drives and I can (and
should) put sensitive stuff on a second computer. But it's such a
hassle to reinstall and reconfigure all programs (hence the anguish)
and an image would indeed offer a good backup of the system in that
respect.


Re: need to figure out if an .scr file contains a security threat

posted on Fri, 15 Jun 2007 20:02:40 -0700, name wrote:


If they are pointing to a nonexistent file,
any reg cleaner should flag and remove them for you.

--

Bart

Re: need to figure out if an .scr file contains a security threat

Trojan Backdoor.IRCBot.aaq

--

Newsgroup Trolls. Read about mine here http://www.pcbutts1.com/downloads
The list grows. Leythos the stalker http://www.leythosthestalker.com , David
H. Lipman, Max M Wachtell III  aka What's in a Name?, Fitz,
Rhonda Lea Kirk, Meat Plow, F Kwatu F, George Orwell





