
Running Downloaded Exe. {cih}

Discussion in 'Virus & Other Malware Removal' started by AKHIL, Oct 28, 2001.

Thread Status:
Not open for further replies.
  1. AKHIL

    AKHIL Thread Starter

    Joined:
    Oct 28, 2001
    Messages:
    9
    Hi:
    Wondering if you can help me with this. When I am trying to run WinZip.exe, which I downloaded from the net, I get the following message:
    "Winzip Self-Extractor Header corrupt.Possible cause:bad disk or file transfer error."
    I tried running another downloaded version but still get the same message.

    There is another program that I downloaded and am trying to install. I get the message:
    "Installer CRC invalid". I feel this error is only with installation of any new downloaded software. What could be the problem?
    Would appreciate your help.
    Thanks.
    Op : Win98
     
  2. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    33,667
    Hiya and Welcome

    I have just looked at the Winzip site. This is what they say:

    http://www.winzip.com/xcih.htm

    Did you scan the .exe before you ran it? Either way, can you do an online scan here:

    http://housecall.antivirus.com/housecall/start_corp.asp

    and also download Startup Log from here. Install and run it. Allow the DOS window to close, then copy/paste the list here:

    http://home.earthlink.net/~rmbox/Reticulated/Toys.html

    If we find the CIH virus on there, you may want to have a look at this:

    http://www.symantec.com/avcenter/venc/data/cih.html

    but wait until we've had a look at the startup log and you've done the virus scan.

    Regards

    eddie
     
  3. AKHIL

    AKHIL Thread Starter

    Joined:
    Oct 28, 2001
    Messages:
    9
    Hi Eddie:
    Thanks a ton for such a prompt reply. I am happy I joined this club.
    Well, I will follow your instructions and then send you the startup log (by the end of the day). I got to leave for work now.
    Thanks for your help. Will write soon.
    r'gards
    A.K
     
  4. AKHIL

    AKHIL Thread Starter

    Joined:
    Oct 28, 2001
    Messages:
    9
    Hi Eddie:
    Did run the Housecall antivirus. It found 25 files infected with the CIH virus. Cleaned 24. The one left is C:\WINDOWS\SYSTEM\DDHELP.EXE. Says it can't be cleaned as it is in use. I don't know how to clean this one.
    And ya! I tried installing StartLog after downloading. But it asks for which application to use to open etc. (Winzip is still not installed as it still gives me the same error while installing).
    So this is as far as I have gone. Do let me know what to do next. (How to install StartLog etc).
    Also wish to thank you for your timely help.
    regards
    Akhil
     
  5. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    33,667
  6. AKHIL

    AKHIL Thread Starter

    Joined:
    Oct 28, 2001
    Messages:
    9
    Hi Eddie:
    Here u r:

    ---------- C:\WINDOWS\desktop\StartUp.Log

    Start-Ups checked at 10-29-2001 9:36:54.86p
    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log for Windows 95/98 - Freeware by rmbox
    __________________________________________________________________________
    __________________________________________________________________________

    Comments:

    This is a log of all the programs on your computer that
    are starting automatically every time you start Windows.
    Using this log can be a quick way to spot trojans.

    StartUp Log (version 1.53) - Release Date 8/19/2001

    __________________________________________________________________________
    __________________________________________________________________________

    StartUp Log Index

    1. HKLM Run
    2. HKCU Run
    3. HKLM RunOnce
    4. HKCU RunOnce
    5. HKLM RunServices
    6. HKLM RunServicesOnce
    7. WIN.INI file
    8. SYSTEM.INI file
    9. AUTOEXEC.BAT file
    10. StartUp folder
    11. All Users StartUp
    12. Misc. StartUp Configurations

    __________________________________________________________________________
    __________________________________________________________________________

    The following is a list of your current Start-Ups
    __________________________________________________________________________
    __________________________________________________________________________

    1. HKLM Run - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
    "TaskMonitor"="C:\\WINDOWS\\taskmon.exe"
    "SystemTray"="SysTray.Exe"
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~1.DLL,NewDotNetStartup"
    "Gator"="\"C:\\Program Files\\Gator.com\\Gator\\Gator.exe\""


    ==========================================================================
    __________________________________________________________________________

    2. HKCU Run - Registry

    [RegPath]
    "StartUp"

    *(RegPath not found..)*

    ==========================================================================
    __________________________________________________________________________

    3. HKLM RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    4. HKCU RunOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]


    ==========================================================================
    __________________________________________________________________________

    5. HKLM RunServices - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "SchedulingAgent"="mstask.exe"


    ==========================================================================
    __________________________________________________________________________

    6. HKLM RunServicesOnce - Registry

    [RegPath]
    "StartUp"


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]


    ==========================================================================
    __________________________________________________________________________

    7. WIN.INI File - (c:\windows\win.ini)

    Your win.ini run/load lines should look like run= and load= exclusively.
    There should be nothing to the right of the equal signs.


    These are the run and load lines in your WIN.INI file

    run=C:\WINDOWS\SYSTEM\cmmpu.exe

    load=

    ==========================================================================
    __________________________________________________________________________

    8. SYSTEM.INI File - (c:\windows\system.ini)

    Your system.ini shell line should look like shell=Explorer.exe exclusively.
    You should only see Explorer.exe following the equal sign.


    This is the shell line in your SYSTEM.INI file

    shell=Explorer.exe

    ==========================================================================
    __________________________________________________________________________

    9. AUTOEXEC.BAT File - (c:\autoexec.bat)

    (Some trojans have been known to start from this file)


    These are your program startups and set paths in your autoexec.bat file

    rem - By Windows Setup - C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MTMIDE01 /M:10

    ==========================================================================
    __________________________________________________________________________

    10. StartUp Folder - (c:\windows\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your StartUp folder

    C:\WINDOWS\Start Menu\Programs\StartUp\Office Startup.lnk
    C:\WINDOWS\Start Menu\Programs\StartUp\Microsoft Find Fast.lnk

    ==========================================================================
    __________________________________________________________________________

    11. All Users Folder - (c:\windows\all users\start menu\programs\startup)

    Shortcuts to any program will automatically start when placed here.


    These are the shortcuts located in your All Users StartUp folder


    *(No start-ups found)*

    ==========================================================================
    __________________________________________________________________________

    12. Miscellaneous StartUp Configurations

    -============================-
    Registry StartUp Directories
    -============================-

    Should show the Start Menu StartUp and All Users StartUp directories

    .....................................................................

    [1] HKCU - Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    "Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [2] HKCU - User Shell Folders

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


    .....................................................................

    [3] HKLM - Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders

    "Common Startup"="C:\\WINDOWS\\All Users\\Start Menu\\Programs\\StartUp"

    .....................................................................

    [4] HKLM - User Shell Folders

    HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders


    .....................................................................

    -=======================-
    Registry Shell Spawning
    -=======================-

    Open Commands for Executable File Types

    @="\"%1\" %*"
    (.exe file - RegPath = HKCR\exefile\shell\open\command)

    @="\"%1\" %*"
    (.com file - RegPath = HKCR\comfile\shell\open\command)

    @="\"%1\" /S"
    (.scr file - RegPath = HKCR\scrfile\shell\open\command)

    @="\"%1\" %*"
    (.bat file - RegPath = HKCR\batfile\shell\open\command)

    @="\"%1\" %*"
    (.pif file - RegPath = HKCR\piffile\shell\open\command)

    @="C:\\WINDOWS\\SYSTEM\\MSHTA.EXE \"%1\" %*"
    (.hta file - RegPath = HKCR\htafile\shell\open\command)

    -=========================-
    HKLM RunOnceEx - Registry
    -=========================-


    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx]


    -====================-
    StubPaths - Registry (Partial Listing)
    -====================-

    (Please see the StubPath.txt on your desktop for complete listing)

    HKLM\Software\Microsoft\Active Setup\Installed Components


    "OldStubPath"="C:\\WINDOWS\\SYSTEM\\ie4uinit.exe"
    "RealStubPath"="C:\\WINDOWS\\SYSTEM\\IE4UINIT.EXE"
    "StubPath"="C:\\WINDOWS\\COMMAND\\sulfnbk.exe /L"

    -=================-
    DOSSTART.BAT File - (c:\windows\dosstart.bat)
    -=================-

    C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MTMIDE01 /M:10

    -=====================-
    Screen Saver Settings (Possible system.ini start-up)
    -=====================-


    ==========================================================================
    __________________________________________________________________________

    - Supplemental Environment Information -

    TMP=C:\WINDOWS\TEMP
    TEMP=C:\WINDOWS\TEMP
    winbootdir=C:\WINDOWS
    PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
    COMSPEC=C:\WINDOWS\COMMAND.COM
    windir=C:\WINDOWS


    ==========================================================================
    __________________________________________________________________________

    - End -
    And how do I remove CIH from DirectX as u mentioned?
    Thanks
    AK
     
  7. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    33,667
    Hiya

    Well, reading up on CIH, it looks like when it's there, it's there.

    Looking at Symantec's site, there is a program that you can download called KILL_CIH.

    http://www.symantec.com/avcenter/kill_cih.html

    Also, what I did notice in your startup was some spyware programs: Gator and New.net. You may want to try to remove these manually but if no joy, and even if you do uninstall, go here and download Ad-aware www.lavasoftusa.com

    Install and run, ensuring that deep registry scan is enabled. Remove all except any references to Web3000. You can post the list here.

    Back to the problem in hand.

    Use the CIH tool before you run a virus scan with your own Antivirus program.

    Regards

    eddie
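
The review done on the posted log, as an added example that is not part of the thread or of the StartUp Log tool: a small parser for the log's layout that extracts the registry autostart entries and checks the WIN.INI and SYSTEM.INI lines against the baselines the log itself states. The function names and the watchlist are assumptions; the sample is a constructed excerpt built from lines in the log above.

```python
import re

# Constructed excerpt: lines copied from the StartUp Log posted above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"New.net Startup"="rundll32 C:\\WINDOWS\\NEWDOT~1.DLL,NewDotNetStartup"
"Gator"="\"C:\\Program Files\\Gator.com\\Gator\\Gator.exe\""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="mstask.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
"Startup"="C:\\WINDOWS\\Start Menu\\Programs\\StartUp"
run=C:\WINDOWS\SYSTEM\cmmpu.exe
load=
shell=Explorer.exe
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
INI_RE = re.compile(r'^(run|load|shell)=(.*)$', re.IGNORECASE)
# Baselines the log itself states: empty run=/load=, shell=Explorer.exe only.
INI_BASELINE = {"run": "", "load": "", "shell": "explorer.exe"}


def parse_startup_log(text):
    """Return (autoruns, ini); autoruns = (key, name, command), escapes undone."""
    autoruns, ini, key = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif line.startswith(("HKCU\\", "HKLM\\", "=====")):
            key = None  # unbracketed heading or divider: not an autostart key
        elif (m := VALUE_RE.match(line)) and key:
            name, cmd = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
            autoruns.append((key, name, cmd))
        elif m := INI_RE.match(line):
            ini[m.group(1).lower()] = m.group(2).strip()
    return autoruns, ini


def review(text, watchlist=("gator", "new.net")):
    """List entries to look at; watchlist = names flagged in the reply above."""
    autoruns, ini = parse_startup_log(text)
    findings = [f"{k}= deviates from stated baseline: {v}"
                for k, v in ini.items() if v.lower() != INI_BASELINE[k]]
    findings += [f"watchlisted autorun {n!r}: {c}" for _, n, c in autoruns
                 if any(w in n.lower() for w in watchlist)]
    return findings
```

A finding only marks an entry for a closer look; the parser makes no judgement about what the file is.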
     
  8. AKHIL

    AKHIL Thread Starter

    Joined:
    Oct 28, 2001
    Messages:
    9
    HI EDDIE:
    RAN KILL_CIH.EXE. THEN LAVASOFT. IT FOUND 102 SPYWARE COMPONENTS. I REMOVED ALL EXCEPT WEB3000.
    NOW I GUESS I WILL RUN THE ANTI VIRUS TO CLEAR CIH OUT OF THE SYSTEM ONCE AND FOR ALL.
    ONE DRAWBACK THOUGH. I LOST GATOR WHICH HAD ALL MY PASSWORD INFO FOR ALL THE FORMS AND WEB BANKING AND VARIOUS OTHER WEB-SITES.
    ANYWAY BETTER BE SAFE THAN SORRY.
    CAN'T THANK YOU ENOUGH. AND YA! WINZIP IS INSTALLED AND RUNS FINE.
    IT'S HEARTENING TO KNOW THAT THERE ARE GOOD SAMARITANS LIKE YOU WHO VOLUNTEER THEIR TIME AND RESOURCES TO HELP PEOPLE THEY DON'T EVEN KNOW.
    HATS OFF TO YOU SIR!! MY PC IS ONCE AGAIN HEALTHY.
    REGARDS ALWAYS,
    AKHIL
     
  9. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    33,667
    Hiya

    Glad it's working again. Did you have Web3000? I assume not, it's just that you mentioned it in your reply.

    Anyway, at least you've got rid of CIH.

    See Ya

    eddie
     
  10. AKHIL

    AKHIL Thread Starter

    Joined:
    Oct 28, 2001
    Messages:
    9
    HI EDDIE:
    I DO HAVE THREE COMPONENTS OF WEB3000. I THOUGHT YOU SAID REMOVE EVERY SPYWARE COMPONENT BESIDES WEB3000.
    SO THAT'S WHAT I DID.
    AS OF NOW I STILL HAVE 3 COMP. OF WEB3000. IS IT A PROBLEM?
    PLEASE ADVISE.
    THANKS
    AKHIL
     
  11. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    33,667
    Hiya

    Sorry about that. It's just that I put about Web3000 as standard as it's one of the little sods that you need to manually remove. When I saw it in your reply, it got me thinking.

    Here it is:

    http://www.uninet.net/~blaisdel/web3000.htm#Removing Web3000

    And here's a snippet

    If you have any problems, let us know.

    Regards

    eddie
     
  12. AKHIL

    AKHIL Thread Starter

    Joined:
    Oct 28, 2001
    Messages:
    9
    HI EDDIE:
    HOW DO I FIND OUT WHICH PROGRAM OR SOFTWARE IS USING WEB3000??
    REGARDS
    AKHIL
     
  13. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    33,667
    Hiya

    Do you have many programs on your machine? It may be something that you downloaded from the web, so if you can think of any, post them here and we'll find out for you.
    If not, you could try listing all your programs, except Microsoft stuff.

    Regards

    eddie
     
  14. AKHIL

    AKHIL Thread Starter

    Joined:
    Oct 28, 2001
    Messages:
    9
    here's the list:
    ADAPTEC
    KAZAA
    LAVASOFT
    DIRECTX
    WINAMP
    WINZIP
    WINMX
    MESSENGER
    REST ARE ALL MS PROGRAMS.

    THANKS
    AK
     
  15. eddie5659

    eddie5659 Moderator Malware Specialist

    Joined:
    Mar 19, 2001
    Messages:
    33,667
    Hiya

    Off the top of my head, I can see that you have Kazaa. That is a major piece of spyware software. This could be the one. I know it's good for files, etc., but it's still spyware.

    Lavasoft is your Ad-aware. I don't have my bookmarks here at work, but remove Kazaa for now. I'll double-check the others when I get home but I think this is the only one.

    Regards

    eddie
     