
Thread: Regedit, msconfig, task manager wont stay open




  1. #11
    Join Date
    Nov 2003
    Location
    Minnesota, United States
    Posts
    4,543


    If you can, get a screenshot of your taskman and msconfig (while not in safe mode). We should be able to tell you what belongs there and what doesn't.

  2. #12
    Join Date
    May 2003
    Location
    Chicago
    Posts
    61


    How do I post a picture?

  3. #13
    Beefy Guest


    When you reply, scroll down a bit and look at the 'Attach File' option.

  4. #14
    Join Date
    May 2003
    Location
    Chicago
    Posts
    61


    That should do it. Sorry, I didn't have time to resize; I'm doing homework.

    *screenshot edited -mb

  5. #15
    Join Date
    Mar 2004
    Location
    The Isle of 31337's
    Posts
    151


    Explorer.exe: Explorer is just a system process, but in the event of a virus the trojan would modify this file and use it for its dirty deeds.

    To truly find out if you have a virus/trojan, go here; this will check your system for all known viruses through their database and find out for sure if you have one, and any other security holes, hopefully not.


    I also use Norton 2003; despite popular belief I've had no problems with it whatsoever, and it has saved my file sharing a$$ many times. Not saying that AVG is any less good; however, because it's free it can be very useful in times like these if you have an expired subscription service for Norton, thus not allowing you to update, but that has not been proven yet.

    Or it could be a corrupt O.S.: I've had such weird things go on with all Windows versions and I was sure it was a virus; come to find out, though, that it wasn't.

    My question for you is: when did you buy Norton 2003, when did you update the virus definitions last, and have you been to the Windows Update site recently?

    Now back on track to the possible virus. Since we're talking trojans here, we're talking open and active UDP or TCP ports.
    As with most trojans, their whole objective is to gain remote access to your machine. Like SubSeven, which used port 666 (that's IRC {Internet Relay Chat}, folks) to remotely control your machine via a special IRC server, or newer trojans that use FTP (File transmission port) 21 to download/upload data to and from your computer.

    An easy way to check for this is to open an MS-DOS prompt, but under XP MS-DOS is not normally listed, so you would have to go Start / Show all programs, find the MS-DOS icon and click it, then type in

    netstat -an

    Write down all the IP addresses you see there and check who they belong to. As you can see, the IP addresses listed to the left are yours and the ones to the right are the IP addresses connected to your computer.

    As mentioned above, any whois database will work, but I like ID Serve from IDServe: click on this link, then scroll down about 1/3 of the way and click Download Now. It's very small and very simple to use: simply DL it to any directory and, after it's done, double click it, then type in the IP address under the Query The Server tab, which will give you a domain name; but if you type in a website it will give you the IP address of that website and which O.S. it's using to run their servers.

    Using this method you can find out if you have a trojan using a port to make contact with the mother ship.

  6. #16
    Beefy Guest


    I don't know wtf he just said, but the first paragraph tipped me off.

    In your startup, you have an EXPLORE.EXE. Kill that permanently, reboot, and see what happens.

  7. #17
    Join Date
    Nov 2003
    Location
    Minnesota, United States
    Posts
    4,543


    It looks like it's already unticked. However:
    http://www.liutilities.com/products/...brary/explore/
    Told you we would find the culprit if you posted a screenshot. :D

    Keep it unticked, get AVG or update your Norton and scan the *******. Actually you could probably remove it manually, but just to be safe get AVG or update Norton (AVG is in my sig).:thumb:

  8. #18
    Join Date
    Mar 2004
    Location
    The Isle of 31337's
    Posts
    151


    How do we know this is a virus? :woot:

    Update:

    Oh wait, I searched for Explorer.exe, but his screenshot says explore.exe. Hmmmmm, very tricky.

    Now, how will we go about this graybird.g?

  9. #19
    Beefy Guest


    Quote Originally Posted by #Hashx#:
    "How do we know this is a virus? :woot:"
    http://www.google.com.au/search?sour...re%2Eexe+virus

    Just read the descriptions from the first page of results...

  10. #20
    Join Date
    Mar 2004
    Location
    The Isle of 31337's
    Posts
    151


    1. Copies itself as %System%\Explore.exe. The file attributes are set to Hidden and System.

    Note: %System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
    2. Creates the value:

    "explore.exe"="%System%\Explore.exe"


    in the registry keys:
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    * HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

    so that the Trojan runs when you start Windows.

    3. If the operating system is Windows 95/98/Me, the Trojan adds the line:

    run=%System%\explore.exe

    to the [windows] section of the Win.ini file, so that the Trojan runs when you start Windows.

    4. Attempts to access stored passwords on the computer. These passwords include modem and dial-up passwords, URL passwords, share passwords, and others.

    5. Connects to a specified server on port 8001 and sends system information to that server.

    6. Sends a notification email to the Trojan's author.

    7. Intercepts keystrokes, which could allow Backdoor.Graybird.G to steal confidential information.

    8. Waits for commands from the remote client. These commands allow the Trojan's author to perform any of the following actions:
    * Deliver system and network information to the Trojan's author, including the logon names and cached network passwords.
    * Install an FTP server, allowing the Trojan's author to use the compromised computer as a temporary storage device.
    * Open or close the CD-ROM drive and perform other actions.
    * Download and execute files.
    * Install a Socks5 proxy server.


    The following instructions pertain to all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Disable System Restore (Windows Me/XP).
    2. Update the virus definitions.
    3. Run a full system scan and delete all the files detected as Backdoor.Graybird.G.
    4. Delete the value that was added to the registry.
    5. Edit the Win.ini file.

    For specific details on each of these steps, read the following instructions.

    Removal instructions

    1. Disabling System Restore (Windows Me/XP)
    If you are running Windows Me or Windows XP, we recommend that you temporarily turn off System Restore. Windows Me/XP uses this feature, which is enabled by default, to restore the files on your computer in case they become damaged. If a virus, worm, or Trojan infects a computer, System Restore may back up the virus, worm, or Trojan on the computer.

    Windows prevents outside programs, including antivirus programs, from modifying System Restore. Therefore, antivirus programs or tools cannot remove threats in the System Restore folder. As a result, System Restore has the potential of restoring an infected file on your computer, even after you have cleaned the infected files from all the other locations.

    Also, a virus scan may detect a threat in the System Restore folder even though you have removed the threat.

    For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles:
    Disable Winxp sys restore



    Just a note: this virus is from September 15, 2003; that's almost 6 months old.
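As an added example, not code from the thread or from any of its posters: a Python parser for the `netstat -an` output that post #15 tells you to read. It lists the foreign addresses of established connections (the right-hand column the post says to write down) and flags any whose remote port is on a watch-list, seeded here with TCP 8001, the callback port the Symantec write-up quoted in post #20 gives for Backdoor.Graybird.G. The sample output and the watch-list are constructed.

```python
from typing import Dict, List, Tuple

# Ports the thread names: a constructed watch-list, not a vendor feed. 8001 is the
# callback port the Symantec write-up quoted in post #20 gives for Backdoor.Graybird.G.
WATCHED_PORTS: Dict[int, str] = {8001: "Backdoor.Graybird.G callback port (per write-up)"}

# Constructed sample of Windows XP `netstat -an` output; the 8001 row is the planted finding.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      192.0.2.15:8001        ESTABLISHED
  TCP    192.168.1.10:1052      198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def parse_netstat(text: str) -> List[dict]:
    """One dict per socket row: protocol, local/foreign host and port, state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner and the column header
        lhost, _, lport = parts[1].rpartition(":")  # rpartition keeps IPv6-style colons safe
        fhost, _, fport = parts[2].rpartition(":")
        rows.append({"proto": parts[0], "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport,
                     "state": parts[3] if len(parts) > 3 else ""})  # UDP rows have no state
    return rows

def remote_endpoints(rows: List[dict]) -> List[Tuple[str, str]]:
    """The peers we are actually connected to: the column post #15 says to write down."""
    return sorted({(r["foreign_host"], r["foreign_port"]) for r in rows
                   if r["state"] == "ESTABLISHED"})

def flag_watched(rows: List[dict]) -> List[Tuple[str, int, str]]:
    """Rows whose foreign port is on the watch-list, with the reason attached for triage."""
    hits = []
    for r in rows:
        if not r["foreign_port"].isdigit():
            continue  # '*' wildcard on UDP rows
        port = int(r["foreign_port"])
        if port in WATCHED_PORTS:
            hits.append((r["foreign_host"], port, WATCHED_PORTS[port]))
    return hits
```

On a real machine, save the command's output to a file and call `flag_watched(parse_netstat(open("netstat.txt").read()))`; anything it returns, and every address from `remote_endpoints`, is what the post says to look up with a whois service.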
