Virus files.

KK

Lifer
Jan 2, 2001
15,903
4
81
I noticed my cable modem lights were speeding along this morning, so I decided to run a system check on it using Norton. It found about 4 or 5 different types of viruses/trojans. I also found some files in the system32 directory that were recently modified and created, within 2 months. They are:

Screwed.exe (modified Dec. 31 but created today)
Eleet.exe (Modified Feb. 22 but created Feb. 23)
PSEXESVC.exe (Created and Modified Feb 26)
shellmon32.exe (Created and Modified Feb 27)
windll32.exe (Created and Modified Feb 27)
Sa.exe (Created Feb 20 and modified March 1)
Run.exe (modified Nov. 28 but created Feb 27, 2003)

I believe all these should be deleted but why didn't Norton pick these up?

KK
 

KK

Lifer
Jan 2, 2001
15,903
4
81
I was just using that Firewall built into XP ever since I had loaded XP onto this PC. Would that be sufficient enough?

KK
 

radioouman

Diamond Member
Nov 4, 2002
8,632
0
0
Maybe Norton isn't as good as everyone thinks :)

(Not trying to start a flame war...)

The firewall in WinXP won't protect you if you received the viruses over email, or if you downloaded them accidentally from the internet.
 
Jan 31, 2002
40,819
2
0
"Eleet.exe"? "Screwed.exe"? Jesus H Christ. You've been 0wn3d six ways from Sunday. You've probably got more Trojans than a wooden horse. :Q

Reformat. Reinstall from trusted media. Get a virus scanner NOW.

- M4H
 

MrBond

Diamond Member
Feb 5, 2000
9,911
0
76
Originally posted by: KK
I was just using that Firewall built into XP ever since I had loaded XP onto this PC. Would that be sufficient enough?

KK
It doesn't detect outgoing traffic. Do a search for some of those filenames on google, I'd bet one of them is a trojan horse of some sort. Did you run any programs someone sent you without scanning them first?

Also, if they do turn out to be trojans, and you've used your credit card online today or accessed any websites where you use a password, get you a clean pc and change your passwords, then call up your CC company and report your CC stolen. Chances are whoever's getting the keylogs from the trojan has your credit card number and will either sell it or use it. If it's reported stolen, they won't get far with it.
 

Entity

Lifer
Oct 11, 1999
10,090
0
0
Originally posted by: MercenaryForHire
"Eleet.exe"? "Screwed.exe"? Jesus H Christ. You've been 0wn3d six ways from Sunday. You've probably got more Trojans than a wooden horse. :Q

Reformat. Reinstall from trusted media. Get a virus scanner NOW.

- M4H
The Greeks were in the wooden horse, not the Trojans. :D

Rob
 

KK

Lifer
Jan 2, 2001
15,903
4
81
Originally posted by: MercenaryForHire
"Eleet.exe"? "Screwed.exe"? Jesus H Christ. You've been 0wn3d six ways from Sunday. You've probably got more Trojans than a wooden horse. :Q

Reformat. Reinstall from trusted media. Get a virus scanner NOW.

- M4H

Do you think that would be necessary? Here's the list of what Norton did find:
W32.Pinfi
Backdoor.Sdbot
Downloader.Trojan
Trojan Horse
Hacktool.Flooder
W32.Nimda.enc
W32.Nimda.E@mm

I couldn't tell that any of the files I listed prior would be associated with any of these.

KK
 

KK

Lifer
Jan 2, 2001
15,903
4
81
Originally posted by: MrBond
info on screwed.exe
info on the third infected file


(I'll update this thread as I find more). My advice, unplug your infected pc from the network and get online with a clean one

Yeah, I was just looking at that newbie site. Right after I noticed the lights going crazy, I viewed the task manager and noticed there were two programs I didn't recognize. The first one didn't stop it when I quit it, and the second one was adobea.exe and that ceased it. I also went into the registry and deleted the run thingy for it.

KK

 

Kadarin

Lifer
Nov 23, 2001
44,296
16
81
Originally posted by: KK
I was just using that Firewall built into XP ever since I had loaded XP onto this PC. Would that be sufficient enough?

KK

Apparently not.. ;)
 

KK

Lifer
Jan 2, 2001
15,903
4
81
Originally posted by: Astaroth33
Originally posted by: KK
I was just using that Firewall built into XP ever since I had loaded XP onto this PC. Would that be sufficient enough?

KK

Apparently not.. ;)

Well, I did have it off since about 2 weeks ago. Oh well, live and learn, this isn't my first brush with bugs and surely won't be the last.

KK
 

KK

Lifer
Jan 2, 2001
15,903
4
81
Do you guys have under HKLM/software/microsoft/windows/CurrentVersion/Run a winlog32=windll32.exe or a shell monitor=shellmon32.exe? And also look into the RunServices key: is there a winlog32=windll32.exe?

Thanks.
 
Jan 31, 2002
40,819
2
0
If that's an L as in Lock, then yes.

If that's wind I l - uppercase i - then no, and notch up another trojan.

What are you doing online, anyways? Shouldn't you be reformatting and changing passwords? :p

- M4H
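The L-versus-I check M4H describes, written up as an added example (not code from anyone in the thread): it folds lookalike glyphs before comparing each autostart image against a short list of binaries you expect, and separately flags bare filenames that Windows would locate by path search. The Run values are a constructed sample modelled on the names KK posted rather than a live registry read, and KNOWN_GOOD is an assumed baseline to replace with your own.

```python
from typing import Dict, Iterable, List, Tuple

# Glyphs easily misread as each other in a filename (the thread's question:
# windll32.exe with an L, or windIl32.exe with an uppercase I?).
LOOKALIKES = str.maketrans({"I": "l", "1": "l", "|": "l", "0": "o"})

def fold(name: str) -> str:
    """Comparison key: collapse lookalike glyphs, then ignore case."""
    return name.translate(LOOKALIKES).lower()

def image_name(command: str) -> str:
    """Basename of the executable in a Run value, whether written as
    '"C:\\Program Files\\X\\x.exe" /tray' or as a bare 'windll32.exe'."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def audit_run_entries(entries: Dict[str, str],
                      known_good: Iterable[str]) -> List[Tuple[str, str, str]]:
    """(value name, image, finding) for every autostart entry that is not an
    exact match for one of the expected binaries (lower-case basenames)."""
    exact = {n.lower() for n in known_good}
    by_fold = {fold(n): n for n in exact}
    findings = []
    for value_name, command in entries.items():
        image = image_name(command)
        if image.lower() in exact:
            continue
        twin = by_fold.get(fold(image))
        if twin:
            findings.append((value_name, image, f"lookalike of {twin}"))
        elif "\\" not in command and "/" not in command:
            # No directory given: Windows locates it by path search.
            findings.append((value_name, image, "bare image name, not expected"))
        else:
            findings.append((value_name, image, "unexpected binary"))
    return findings

# Constructed sample modelled on the names in the thread, not a real export.
SAMPLE_RUN = {
    "winlog32": "windll32.exe",
    "shell monitor": "shellmon32.exe",
    "Sa": "C:\\WINDOWS\\system32\\Sa.exe",
    "ctfmon": "C:\\WINDOWS\\system32\\ctfmon.exe",
    "Updater": "rundIl32.exe shell32.dll,Control_RunDLL",  # uppercase I
}
KNOWN_GOOD = {"ctfmon.exe", "rundll32.exe", "explorer.exe"}  # assumption: your baseline
```

Run `audit_run_entries(SAMPLE_RUN, KNOWN_GOOD)` to see the two bare names, the Sa.exe path and the rundIl32 lookalike reported, with ctfmon passing.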
 

KK

Lifer
Jan 2, 2001
15,903
4
81
Originally posted by: MercenaryForHire
If that's an L as in Lock, then yes.

If that's wind I l - uppercase i - then no, and notch up another trojan.

What are you doing online, anyways? Shouldn't you be reformatting and changing passwords? :p

- M4H


No no, don't say that. :p Wife would kick me in the nads. Yes, those are L. How about the sheLLmon32?

KK
 

KC5AV

Golden Member
Jul 26, 2002
1,721
0
0
Dude, get yourself a protective cup, because she is gonna be kicking. As infected as that machine is, you need to remove it from any other PC you might have networked. Nimda and variants are network aware. They will find shared drives and infect them. Some of the others you listed probably will, too. Your best bet is to format the drive and reinstall everything. Start with your OS and then install your antivirus. Make sure you keep the definition files up to date. Install a good firewall program (there are some decent free ones out there). Sorry to break the bad news to you, but you are in deep doodoo. Good luck.
 

KK

Lifer
Jan 2, 2001
15,903
4
81
What is the purpose of the windll32.exe file? I've been checking more into it and cannot find anything on Microsoft's site. The only reference on Symantec's website is on this page, and what it says as far as what's in the registry is not like it says. Anyone know what this file is for?

Thanks,
KK
 

Tiger

Platinum Member
Oct 9, 1999
2,312
0
0
What is the purpose of the windll32.exe file?
Oh, it's just a little file that lets someone have remote access to your machine. Linky
Have you been hanging out on IRC? I suspect someone was getting ready to use your machine for a DDoS attack.
Flush the drive, get a good firewall. The one in XP is a freaking joke.

 

DaFinn

Diamond Member
Jan 24, 2002
4,725
0
0
Ewww,

reading this as a network admin sends chills down my spine...
Man, format, reinstall Windows, install virus scan, install "a real" firewall! In that order!!! Norton Internet Security is a good package with frequent updates! Tiny Software's firewall is good and free and lets you fiddle with a lot of settings. ZoneAlarm is free and good too if you are not that experienced...

What... are you still reading this... from that machine? Get offline NOW!


-DaFinn

 

KK

Lifer
Jan 2, 2001
15,903
4
81
Originally posted by: Tiger
What is the purpose of the windll32.exe file?
Oh, it's just a little file that lets someone have remote access to your machine. Linky
Have you been hanging out on IRC? I suspect someone was getting ready to use your machine for a DDoS attack.
Flush the drive, get a good firewall. The one in XP is a freaking joke.

Thanks for that website. I guess I'll delete that program from the PC. You wouldn't happen to know the purpose of run.exe would you?

I put up ZoneAlarm, will that prevent anything from getting sent in the future?

KK

 

KK

Lifer
Jan 2, 2001
15,903
4
81
Originally posted by: deftron
7 different viruses !?!?!?

pwned

Lay off the Kazaa porn....

LOL...well, I don't use Kazaa. The only way I think it could have gotten on was through the newsgroups via Outlook Express. Why Norton didn't pick it up I don't know.

KK

 

deftron

Lifer
Nov 17, 2000
10,868
1
0
Get a real newsreader.

Xnews is good and free.

It won't automatically open attachments

 

KK

Lifer
Jan 2, 2001
15,903
4
81
I usually use NewsBin Pro for downloading, but I just was checking out a discussion group in which Outlook Express seemed to suit the purpose. Guess it didn't.

KK