Running Downloaded Exe. {cih}

Status
This thread has been Locked and is not open to further replies. The original thread starter may use the Report button to request it be reopened but anyone else with a similar issue should start a New Thread. Watch our Welcome Guide to learn how to use this site.

AKHIL

Thread Starter
Joined
Oct 28, 2001
Messages
9
Hi:
Wondering if you can help me with this. When I am trying to run WinZip.exe, which I downloaded from the net, I get the following message:
"Winzip Self-Extractor Header corrupt.Possible cause:bad disk or file transfer error."
I tried running another downloaded version but still get the same message.

There is another program that I downloaded and am trying to install. I get the message:
"Installer CRC invalid". I feel this error is only with installation of any new downloaded software. What could be the problem?
Would appreciate your help.
Thanks.
Op : Win98
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,315
Hiya and Welcome

I have just looked at the Winzip site. This is what they say:

Why am I suddenly getting "header corrupt" messages when I run self-extractors?
Frequently, the problem with corrupted self-extractors (and corrupted .zip files, as well) is that an error has been introduced into the file during download (e.g., by phone line noise). Normally, downloading the file again resolves the problem. If, however, repeated attempts to download the file do not result in a good copy, your computer may be infected by a virus.

In mid-1998, a new virus named CIH was released (it first showed up in Taiwan in June, 1998). Other names for this virus include "W95.CIH", "Chernobyl", and "Spacefiller". This virus has been reported in a large number of executable files, including self-extracting Zip files created using WinZip Self-Extractor.

This is not a problem in the WinZip or WinZip Self-Extractor applications distributed by WinZip Computing, Inc. Rather, the problem is that the self-extractor you're trying to run may have been infected with this virus. All executable files are susceptible to virus infection, and since self-extractors are executable files, they are susceptible to virus infection, as well.
http://www.winzip.com/xcih.htm

Did you scan the .exe before you ran it? Either way, can you do an online scan here:

http://housecall.antivirus.com/housecall/start_corp.asp

and also download Startup Log from here. Install and run it. Allow the DOS window to close, then copy/paste the list here:

http://home.earthlink.net/~rmbox/Reticulated/Toys.html

If we find the CIH virus on there, you may want to have a look at this:

http://www.symantec.com/avcenter/venc/data/cih.html

but wait until we've had a look at the startup log and you've done the virus scan.

Regards

eddie
 

AKHIL

Thread Starter
Joined
Oct 28, 2001
Messages
9
Hi Eddie:
Thanks a ton for such a prompt reply. I am happy I joined this club.
Well, I will follow your instructions and then send you the start up log (by the end of the day). I got to leave for work now.
Thanks for your help. Will write soon.
r'gards
A.K
 

AKHIL

Thread Starter
Joined
Oct 28, 2001
Messages
9
Hi Eddie:
Did run the Housecall antivirus. It found 25 files infected with the CIH virus. Cleaned 24. The one left is C:\WINDOWS\SYSTEM\DDHELP.EXE. Says it can't be cleaned as it is in use. I don't know how to clean this one.
And ya! I tried installing StartLog after downloading. But it asks for which application to use to open etc. (Winzip is still not installed as it still gives me the same error while installing).
So this is as far as I have gone. Do let me know what to do next. (How to install StartLog etc).
Also wish to thank you for your timely help.
regards
Akhil
 

AKHIL

Thread Starter
Joined
Oct 28, 2001
Messages
9
Hi Eddie:
Here u r:

---------- C:\WINDOWS\desktop\StartUp.Log

Start-Ups checked at 10-29-2001 9:36:54.86p
__________________________________________________________________________
__________________________________________________________________________

StartUp Log for Windows 95/98 - Freeware by rmbox
__________________________________________________________________________
__________________________________________________________________________

Comments:

This is a log of all the programs on your computer that
are starting automatically every time you start Windows.
Using this log can be a quick way to spot trojans.

StartUp Log (version 1.53) - Release Date 8/19/2001

__________________________________________________________________________
__________________________________________________________________________

StartUp Log Index

1. HKLM Run
2. HKCU Run
3. HKLM RunOnce
4. HKCU RunOnce
5. HKLM RunServices
6. HKLM RunServicesOnce
7. WIN.INI file
8. SYSTEM.INI file
9. AUTOEXEC.BAT file
10. StartUp folder
11. All Users StartUp
12. Misc. StartUp Configurations

__________________________________________________________________________
__________________________________________________________________________

The following is a list of your current Start-Ups
__________________________________________________________________________
__________________________________________________________________________

1. HKLM Run - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~1.DLL,NewDotNetStartup"
"Gator"="\"C:\\Program Files\\Gator.com\\Gator\\Gator.exe\""


==========================================================================
__________________________________________________________________________

2. HKCU Run - Registry

[RegPath]
"StartUp"

*(RegPath not found..)*

==========================================================================
__________________________________________________________________________

3. HKLM RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

4. HKCU RunOnce - Registry

[RegPath]
"StartUp"


[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


==========================================================================
__________________________________________________________________________

5. HKLM RunServices - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"SchedulingAgent"="mstask.exe"


==========================================================================
__________________________________________________________________________

6. HKLM RunServicesOnce - Registry

[RegPath]
"StartUp"


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


==========================================================================
__________________________________________________________________________

7. WIN.INI File - (c:\windows\win.ini)

Your win.ini run/load lines should look like run= and load= exclusively.
There should be nothing to the right of the equal signs.


These are the run and load lines in your WIN.INI file

run=C:\WINDOWS\SYSTEM\cmmpu.exe

load=

==========================================================================
__________________________________________________________________________

8. SYSTEM.INI File - (c:\windows\system.ini)

Your system.ini shell line should look like shell=Explorer.exe exclusively.
You should only see Explorer.exe following the equal sign.


This is the shell line in your SYSTEM.INI file

shell=Explorer.exe

==========================================================================
__________________________________________________________________________

9. AUTOEXEC.BAT File - (c:\autoexec.bat)

(Some trojans have been known to start from this file)


These are your program startups and set paths in your autoexec.bat file

rem - By Windows Setup - C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MTMIDE01 /M:10

==========================================================================
__________________________________________________________________________

10. StartUp Folder - (c:\windows\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your StartUp folder

C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk
C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk

==========================================================================
__________________________________________________________________________

11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

Shortcuts to any program will automatically start when placed here.


These are the shortcuts located in your All Users StartUp folder


*(No start-ups found)*

==========================================================================
__________________________________________________________________________

12. Miscellaneous StartUp Configurations

-============================-
Registry StartUp Directories
-============================-

Should show the Start Menu StartUp and All Users StartUp directories

.....................................................................

[1] HKCU - Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

.....................................................................

[2] HKCU - User Shell Folders

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


.....................................................................

[3] HKLM - Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

"Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

.....................................................................

[4] HKLM - User Shell Folders

HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


.....................................................................

-=======================-
Registry Shell Spawning
-=======================-

Open Commands for Executable File Types

@="\"%1\" %*"
(.exe file - RegPath = HKCR\exefile\shell\open\command)

@="\"%1\" %*"
(.com file - RegPath = HKCR\comfile\shell\open\command)

@="\"%1\" /S"
(.scr file - RegPath = HKCR\scrfile\shell\open\command)

@="\"%1\" %*"
(.bat file - RegPath = HKCR\batfile\shell\open\command)

@="\"%1\" %*"
(.pif file - RegPath = HKCR\piffile\shell\open\command)

@="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
(.hta file - RegPath = HKCR\htafile\shell\open\command)

-=========================-
HKLM RunOnceEx - Registry
-=========================-


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


-====================-
StubPaths - Registry (Partial Listing)
-====================-

(Please see the StubPath.txt on your desktop for complete listing)

HKLM\Software\Microsoft\Active Setup\Installed Components


"OldStubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
"RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
"StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"

-=================-
DOSSTART.BAT File - (c:\windows\dosstart.bat)
-=================-

C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MTMIDE01 /M:10

-=====================-
Screen Saver Settings (Possible system.ini start-up)
-=====================-


==========================================================================
__________________________________________________________________________

- Supplemental Environment Information -

TMP=C:\WINDOWS\TEMP
TEMP=C:\WINDOWS\TEMP
winbootdir=C:\WINDOWS
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
COMSPEC=C:\WINDOWS\COMMAND.COM
windir=C:\WINDOWS


==========================================================================
__________________________________________________________________________

- End -
And how do I remove CIH from DirectX as u mentioned?
Thanks
AK
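
The StartUp Log above states two rules of its own: the WIN.INI run= and load= lines should have nothing after the equal sign, and the SYSTEM.INI shell= line should read Explorer.exe only. As an added example (not part of the original thread or of the StartUp Log tool), this Python sketch reads a log in that layout, lists the registry autostart values and reports lines that break those two rules; the function names and the trimmed sample are assumptions made for the example, and a reported line is a prompt to identify the program, not a verdict on it.

```python
import re

# Sample input: lines trimmed from the StartUp Log posted above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Gator"="\"C:\\Program Files\\Gator.com\\Gator\\Gator.exe\""
==========================================================================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
==========================================================================
run=C:\WINDOWS\SYSTEM\cmmpu.exe
load=
shell=Explorer.exe
"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
INI_RE = re.compile(r'^(run|load|shell)=(.*)$', re.IGNORECASE)
RULE_RE = re.compile(r'^[-=_.]{5,}$')  # separator lines end a registry section


def parse_startup_log(text):
    """Return (autostarts, ini): registry values and run/load/shell lines."""
    autostarts, ini, key = [], {}, None
    for line in map(str.strip, text.splitlines()):
        if RULE_RE.match(line):
            key = None  # values after a separator belong to no registry key
        elif m := KEY_RE.match(line):
            key = m.group(1).rsplit('\\', 1)[-1]  # e.g. "Run", "RunServices"
        elif key and (m := VALUE_RE.match(line)):
            # Undo .reg-style escaping: backslash + char becomes that char.
            command = re.sub(r'\\(.)', r'\1', m.group(2))
            autostarts.append((key, m.group(1), command))
        elif m := INI_RE.match(line):
            ini[m.group(1).lower()] = m.group(2).strip()
    return autostarts, ini


def check_rules(ini):
    """Apply the two rules the log itself states for WIN.INI and SYSTEM.INI."""
    findings = []
    for name in ('run', 'load'):
        if ini.get(name):
            findings.append(f'win.ini {name}= is not empty: {ini[name]}')
    shell = ini.get('shell')
    if shell is not None and shell.lower() != 'explorer.exe':
        findings.append(f'system.ini shell= is not Explorer.exe: {shell}')
    return findings


if __name__ == '__main__':
    entries, ini_lines = parse_startup_log(SAMPLE_LOG)
    print(entries, check_rules(ini_lines))
```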
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,315
Hiya

Well, reading up on CIH, it looks like when it's there, it's there.

Looking at Symantec's site, there is a program that you can download called KILL_CIH.

The KILL_CIH tool will not detect or remove the W95.CIH virus from files; it will only disable the virus in memory so that an anti-virus program can remove the infection without inadvertently spreading the virus.
http://www.symantec.com/avcenter/kill_cih.html

Also, what I did notice in your startup was some spyware programs: Gator and New.net. You may want to try to remove these manually but if no joy, and even if you do uninstall, go here and download Ad-aware: www.lavasoftusa.com

Install and run, ensuring that deep registry scan is enabled. Remove all except any references to Web3000. You can post the list here.

Back to the problem in hand.

Use the CIH tool before you run a virus scan with your own Antivirus program.

Regards

eddie
 

AKHIL

Thread Starter
Joined
Oct 28, 2001
Messages
9
HI EDDIE:
RAN KILL_CIH.EXE. THEN LAVASOFT. IT FOUND 102 SPYWARE COMPONENTS. I REMOVED ALL EXCEPT WEB3000.
NOW I GUESS I WILL RUN THE ANTI VIRUS TO CLEAR CIH OUT OF THE SYSTEM ONCE AND FOR ALL.
ONE DRAWBACK THOUGH. I LOST GATOR WHICH HAD ALL MY PASSWORD INFO FOR ALL THE FORMS AND WEB BANKING AND VARIOUS OTHER WEB-SITES.
ANYWAY BETTER BE SAFE THAN SORRY.
CAN'T THANK YOU ENOUGH. AND YA! WINZIP IS INSTALLED AND RUNS FINE.
IT'S HEARTENING TO KNOW THAT THERE ARE GOOD SAMARITANS LIKE YOU WHO VOLUNTEER THEIR TIME AND RESOURCES TO HELP PEOPLE THEY DON'T EVEN KNOW.
HATS OFF TO YOU SIR!! MY PC IS ONCE AGAIN HEALTHY.
REGARDS ALWAYS,
AKHIL
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,315
Hiya

Glad it's working again. Did you have Web3000? I assume not, it's just that you mentioned it on your reply.

Anyway, at least you've got rid of CIH.

See Ya

eddie
 

AKHIL

Thread Starter
Joined
Oct 28, 2001
Messages
9
HI EDDIE:
I DO HAVE THREE COMPONENTS OF WEB3000. I THOUGHT YOU SAID REMOVE EVERY SPYWARE COMPONENT BESIDES WEB3000.
SO THAT'S WHAT I DID.
AS OF NOW I STILL HAVE 3 COMP. OF WEB3000. IS IT A PROBLEM?
PLEASE ADVISE.
THANKS
AKHIL
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,315
Hiya

Sorry about that. It's just that I put about Web3000 as standard as it's one of the little sods that you need to manually remove. When I saw it in your reply, it got me thinking.

Here it is:

http://www.uninet.net/~blaisdel/web3000.htm#Removing Web3000

And here's a snippet

Warning: Do not use AD-aware to remove Web3000 without first removing the host software. Web3000 replaces wsock32.dll (C:\Windows\System\Wsock32.dll) and possibly other Windows system files. These will not be restored if AD-aware is used first. By default, users of Windows Millennium, may be protected. Windows Me stores files in protected form. The System File Protection (SFP) prevents a user from installing software that might make the operating system unstable. To learn more about SFP see my Windows Millennium Help and How to page.

Keep Windows Me safe with System File Protection

First figure out which software installed is using Web3000, then uninstall that software using the Windows Control panel, add/remove software window. This should also uninstall most of Web3000 also, and restore the Windows files that were replaced. Then run Lavasoft's AD-aware utility www.lavasoft.de to clean up the loads of junk left behind by Web3000.

If the software title isn't listed in the Windows Control panel, add/remove software window, try reinstalling it. This may force it into the list. Then uninstall it as outlined above, then run AD-aware. If you can't get the software host to show up in the uninstall window, contact Tech Support for the particular program for exact directions on removing it, including Registry keys and all files.
If you have any problems, let us know.

Regards

eddie
 

AKHIL

Thread Starter
Joined
Oct 28, 2001
Messages
9
HI EDDIE:
HOW DO I FIND OUT WHICH PROGRAM OR SOFTWARE IS USING WEB3000??
REGARDS
AKHIL
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,315
Hiya

Do you have many programs on your machine? It may be something that you downloaded from the web, so if you can think of any, post them here and we'll find out for you.
If not, you could try listing all your programs, except Microsoft stuff.

Regards

eddie
 

AKHIL

Thread Starter
Joined
Oct 28, 2001
Messages
9
here's the list:
ADAPTEC
KAZAA
LAVASOFT
DIRECTX
WINAMP
WINZIP
WINMX
MESSENGER
REST ARE ALL MS PROGRAMS.

THANKS
AK
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,315
Hiya

Off the top of my head, I can see that you have Kazaa. That is a major piece of Spyware software. This could be the one. I know it's good for files, etc, but it's still spyware.

Lavasoft is your Ad-aware. I don't have my bookmarks here at work, but remove Kazaa for now. I'll doublecheck the others when I get home but I think this is the only one.

Regards

eddie
 