Need assistance, computer trouble after my AV stopped virus


Postby rditto48801 » 02 Jun 2011, 21:35

Hello BlindNero.

It seems I am looking at computer repairs, so I wanted a second opinion while I have access to a friend's laptop.

Last night, my security suite ended up flagging and quarantining two files due to 'suspicious behavior' that my firewall blocked. One was a bunch of random numbers running from a temp folder (in a sub-folder in documents and settings), the second being a file called eex.exe.

Although my security suite works fine, nothing else seems to work right now. Only my security suite and internet connection icon shows up in the sys tray.

Whenever I try to run a program, one of two things happens.
1: I get the 'menu' to select a program to open the file/program with.
OR
2: I get an error stating the rundll32 file is missing.

Checking for the rundll32 file, I see it is there, but its icon is a 'blank page'.

I discovered by accident that some things that don't start up due to #1 can still be started other ways.
I can get Winamp to start if I doubleclick on a music file, even though Winamp will give me problem #1 when I try to click on its own icon.
I can also get Firefox to open by double clicking on a flash file, even though it will not start up normally.

A second problem is things that do run no longer detect the internet. The connection checks out, but when I get Firefox to work (via getting to open with a flash file) it says it cannot connect to the internet. My security suite, when I try to check for updates, also cannot detect the active internet connection.

My computer is still the same, running XP 32 bit (Home edition if I recall correctly)

On a side note, my search online via my friend's laptop turned up one possible cause of my problem, something called WORM_MYDOOM.AD seems to be the closest match to the cause and other factors, such as the eex.exe file.

Is there much I can do, or would it be best to take it to a computer shop to have the pros take care of it?
Boldly going forward, 'cause I can't find reverse.

Doctor Watson; Proving that being wrong is one step closer to being right.
rditto48801
 
Posts: 521
Joined: 17 Feb 2008
Location: In an ACU, riding an Appleseed style Spider Fortress, on a Mammoth class Dropship.

Re: Need assistance, computer trouble after my AV stopped virus

Postby Blín D'ñero » 02 Jun 2011, 22:01

Oww.. that's bad.

Which security suite?
Are you sure it's not the suite itself, misinterpreting a file with a 'suspicious' name? Security Suites themselves can cause total system freezes and all kinds of sick behaviour too.
About eex.exe, do you have these symptoms here: http://www.securelist.com/en/descriptions/6885730/Email-Worm.Win32.Mydoom.z?print_mode=1?
Could you have opened such email?

And this article suggests that a healthy well performing security suite should have taken care of it:
MyDoom: Prevention and cure
By Robert Vamosi, ZDNet.com, 28 January, 2004 10:05

COMMENT

MyDoom is a mass-mailing worm that masquerades as a test message. MyDoom (w32.mydoom@mm, also known as Novarg, Shimgapi, Shimg, and MiMail.r) takes advantage of the ZIP file format's ability to pass through email filters. It also uses Kazaa to spread. Within the first few hours, MyDoom spread quickly around the world. It affects only Windows users, not those using Macintosh, Linux, or Unix. Much of the worm's code is itself encrypted, and antivirus firms are still studying it. Because MyDoom spreads via email and could severely slow or shut down email servers with excess traffic, this worm rates a 7/10 on the ZDNet Virus Meter.

How it works
MyDoom arrives as email with the subject line "Mail Delivery System," "Test," or "Mail Transaction Failed". The body text reads: "The message contains Unicode characters and has been sent as a binary attachment." The attached files are one of the following:

document.zip
document.pif
doc.scr
message.pif
readme.exe
file.zip
message.zip
oia.zip
text.zip

When the worm is executed, MyDoom adds the following to the Windows/System subdirectory:

shimgapi.exe
taskmon.exe

If you are running the file-sharing program Kazaa, MyDoom will add a file named activation_crack.scr in this location: C:\Program files\Kazaa\My Shared Folder\.

The worm appears to install programs on infected computers, however, the programs themselves are encrypted. MyDoom is known to open Windows Notepad and display garbage text; it is also thought to be flooding Sco.com with a denial-of-service attack. In addition, the security company iDefense and McAfee are reporting that MyDoom opens port 3127 to listen for commands from a remote attacker.

Prevention
If you receive MyDoom, do not open the attached file. Delete the email.

Removal
Almost all antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, Norman, Sophos, Symantec or Trend Micro.

Source zdnet.co.uk

Apparently first version of the revised article by the same author:
By Robert Vamosi
CNET Reviews

A variation of the MyDoom virus appears to be e-mail containing photographs. MyDoom.s (w32.MyDoom.s@mm, also known as MyDoom.m (Norman), MyDoom.q (Symantec), MyDoom.r (Panda), and Ratos (Trend Micro)) is a mass-mailing worm that uses its own SMTP engine to send out copies of itself to addresses harvested from the infected PC. It spoofs the return address, making it hard to trace infected machines, and attempts to download a backdoor Trojan horse from one of two sites on the Internet. MyDoom.s does not affect Linux, Mac, or Unix systems. Because MyDoom.s spreads via e-mail, opens a remote access backdoor on infected PCs, and could damage system files, this worm rates a 6 on the CNET/ZDNet Virus Meter.

How it works
MyDoom.s arrives as an attachment with the following characteristics:

Subject : photos
Body : LOL!;))))
Attachment : photos_arc.exe

If the attachment is opened, MyDoom.s adds the file rasor38a.dll to the Windows folder and the file winpsd.exe to the system directory. It also makes the following system Registry changes:

Explorer\ComDlg32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winpsd" = C:\WINDOWS\System32\winpsd.exe

Once executed, MyDoom.s attempts to download a backdoor Trojan horse from either http://www.richcolour.com or zenandjuice.com.

Prevention
If you receive MyDoom.s, do not open the attached file. The best way to prevent infection is to make sure that your antivirus signature files are current. Also, a personal firewall will prevent the virus author from gaining remote access to your PC.

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Norman, Panda, Sophos, Symantec, and Trend Micro.
Source techrepublic.com
Gaming PC: * Intel i7 4790K * Noctua NH-D15S * Asus Maximus VII Hero * 32 GB Corsair Dominator Platinum CMD32GX3M4A2133C9 * 2× Sapphire Radeon R9 290 Tri-X in crossfire * Dell U3010 @ 2560 x 1600 / 60Hz * Corsair AX 1200W * 7 x WD Black HDDs * Creative Soundblaster ZxR * Asus DRW F1ST * Corsair K95 RGB * Corsair M65 PRO RGB * Steelseries 9HD * Coolermaster STC T01 * Edifier S530 * Sennheiser HD598 * Windows 7 Ultimate x64 *

Workhorse PC: * Intel i7 2700K @ 4.8 Ghz * Noctua NH-D15 * Asus Maximus IV Extreme-Z * 32 GB Corsair Vengeance Pro CMY32GX3M4A1866C9 * Sapphire HD7970 crossfire * 3 x Dell U2410 @ Eyefinity 5760 x 1200 / 60Hz * Corsair HX 1000i * 7 x WD Black HDDs * Creative Soundblaster ZxR * Optiarc AD 5240S * Steelseries 7G * Razer Imperator 2012 * Steelseries 9HD * Coolermaster STC T01 * Edifier S730D * Windows 7 Ultimate x64 *

Workhorse PC 2: * Intel i7 920 @ 3.8 Ghz * Zalman CNPS9900A LED * Asus Sabertooth x58 * 24 GB Corsair Vengeance LP 1600MHz CL9 DDR3 * Sapphire R9 280X Vapor-X * Dell P4317Q * Corsair HX 850W * 7 x WDC WD1002FAEX * Creative Soundblaster Z * Optiarc AD 5240S * Steelseries 7G * Razer Mamba TE * Steelseries 9HD * Coolermaster STC T01 * Logitech Z-2300 * Windows 7 Ultimate x64 *
Blín D'ñero
Site Admin
 
Posts: 7768
Joined: 17 Feb 2008
Location: Netherlands

Re: Need assistance, computer trouble after my AV stopped virus

Postby Blín D'ñero » 02 Jun 2011, 22:26

The more I re-read your post the more I agree thinking it's the virus. Try to remove it.
Since the backdoor for Mydoom uses UDP port 3127, blocking port 3127 at your firewall will close the backdoor. McAfee also offers the limited free antivirus tool, Stinger, which can detect Mydoom and some other infections. The latest version, 1.9.7, was released on 26 January, 2004 and detects 34 different versions of malware, including both Mydoom and Mimail.

Source: MyDoom: What is it? By John McCormick on January 28th, 2004 zdnet.com
You should be able to cure your PC yourself. Download and run Stinger and read this: http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx If you have it, this thing will detect it. And remove it so it seems.
Disable System Restore before you run it.

Re: Need assistance, computer trouble after my AV stopped virus

Postby rditto48801 » 03 Jun 2011, 20:34

I have Frontier Security Suite.

I didn't notice the worm type my search turned up was delivered via email.
This is the only thing I can find relating to eex.exe and viruses.

http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=WORM_MYDOOM.AD


It was not an email I got it from. It was when I was checking up on a web site for a game mod by someone for the game Minecraft. The problem occurred right after navigating to another page on the mod's wiki site (which had at least a few ads on each page) when my firewall started spitting out warnings about suspicious behavior from two files, and then my anti-virus kicked in and quarantined the two files (one being eex.exe) and the firewall blocking two access things (0.81618174377604884.exe and eex.exe), and now that I think about it, Firefox did fully close on me about the time things 'fell apart'.

I tried to check my anti-virus logs, but I cannot find the right info in the logs for the anti-virus (or the firewall) from the day the trouble started. (The logs might as well be in Greek and then encrypted...)

Although my PC cannot use internet, it does at least seem to still be able to detect/use USB memory sticks.

As I said before, few things will even run. System Restore is one of the things I cannot access right now.
I get the error about rundll32 not being found.

One thing that does worry me. I was checking my firewall list to double check the file names of the blocked files/access, but both instances are no longer listed there. It makes me glad I had to write them down on paper when I went to search for things with my friend's laptop.

If it is not the MYDOOM virus, since it likely came via some banner ad (which I did not click on), then I need to figure out what it is my PC does have.

Plus getting rundll32.exe fixed so I can try to get other anti-malware/spyware programs running to see if they turn up anything, and getting it so programs will detect the internet connection in case I have to download any other anti-malware programs directly to my computer.

Quick edit 2:
I found one of the logs, my previous edit was wrong, it stated there were 0 rootkits found.

Re: Need assistance, computer trouble after my AV stopped virus

Postby rditto48801 » 03 Jun 2011, 21:18

An addition, since the edit button seems gone right now on my previous post.

I checked the download date of the mod I got (since I got it a few hours before the incident), and managed to find the right timeframe to look for in the logs, and found one of the logs, which mentions the eex.exe file being up to no good.
Start at 20.43.30

Code:
16.31.38  Wednesday June-01-11 16.31.38
16.31.38  CBehaveEngine::Init(): _wpgmptr is [C:\Documents and Settings\All Users.WINDOWS\Application Data\Frontier\Frontier Security Services\Logs\]
16.31.38  CBehaveEngine::Init(), sanaagent already running, everything is green
16.31.45  CBehaveEngine::InitializeSDK(), new SafeConnectAgent() servicename : [RadialpointIDSAgent]
16.31.45  CBehaveEngine::InitializeSDK(), m_safeConnectAgent->initInstance() OK
16.31.45  CBehaveEngine::onServiceStatus[SERVICE_RUNNING]
16.31.45  CBehaveEngine::put_Enable(), engine already in desired state [-1]
16.31.45  CBehaveEngine::onAgentReady [true]
16.48.08  CBehaveEngine::get_ConfigVersion [257]
16.48.08  CBehaveEngine::get_ProductVersion [9.0.0.921]
19.48.10  CBehaveEngine::get_ConfigVersion [257]
19.48.10  CBehaveEngine::get_ProductVersion [9.0.0.921]
20.43.30  CBehaveEngine::onMalwareDetected(), path [C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\EEX.EXE] classification [Unknown] category [Unknown]
20.43.31  CBehaveEngine::onMalwareDetected(), name [WRITES_TO_REGISTRY_STARTUP] severity [2] desc [Registers executable to survive reboot]
20.43.31  CBehaveEngine::onMalwareDetected(), name [HIDDEN_EXE_WITH_FILE_ATTRIBUTE] severity [3] desc [Hidden on filesystem]
20.43.31  CBehaveEngine::onMalwareDetected(), name [WINDOW_NOT_VISIBLE] severity [1] desc [Window not visible]
20.43.31  CBehaveEngine::onMalwareDetected(), name [PROCESS_WITH_NETWORK_FACING_STDIO] severity [1] desc [Network Facing Stdio]
20.43.31  CBehaveEngine::onMalwareDetected(), name [TERMINATE_PROCESS] severity [2] desc [Terminates processes]
20.43.31  CBehaveEngine::onMalwareDetected(), name [OTHER_PATH] severity [1] desc [Executes from the filesystem]
20.43.31  CBehaveEngine::onMalwareDetected(), name [ALERTED_MALWARE] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [MALWARE_NO_P2P] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [FIRST_PROCESS] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [ALERT_BEFORE_MEM_COMPROMISE] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [VISIBILITY_KNOWN] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [TRUSTED_KNOWN] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [IS_PE_FILE] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [IS_PROCESS] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [CHECK_COMPLETE] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [CHECK_REQUIRED] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [SCORE_GREATER_THAN_ZERO] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [FIREWALL_BLOCK] severity [3] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [PRE_FIREWALL_BLOCK] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), the characteristics list size is [19]
20.43.37  CBehaveEngine::get_ConfigVersion [257]
20.43.37  CBehaveEngine::get_ProductVersion [9.0.0.921]
20.43.37  CBehaveEngine::onMalwareDetected(), quarantineMalware() returned [0]
20.43.37  CBehaveEngine::onRemovalStarted()
20.43.42  CBehaveEngine::onRemovalCompleted(), path [C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\EEX.EXE] files [1]
20.43.42  CBehaveEngine::ConvertQB(), RID : [b7bef518-ffff-ffff-8000-000000000000] : path [C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\EEX.EXE] , MD5 [0abc5dca3fb0ce7ce63fb1c6ae1a03f6]
20.43.43  CBehaveEngine::ConvertQB(), RID : [b7bef518-ffff-ffff-8000-000000000000] : path [C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\EEX.EXE] , MD5 []
20.43.58  CBehaveEngine::GetQuarantineList(), the list size is [2]
07.13.31  CBehaveEngine::UninitializeSDK()
07.13.38  CBehaveEngine::Term


Oddly enough, I cannot find the malware, anti-virus or firewall logs for the timeframe, with exception of a manual scan I did afterward. That later log does list 'errors' for several files, mainly log files that are not there anymore, including the firewall block log I cannot find now.
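
Added example (not part of the original posts and not the vendor's code): a small parser for the behaviour-engine log format shown in the post above. It groups the `onMalwareDetected` lines into one detection, ranks the traits by severity and records the quarantine return code. The names `parse_detections`, `follow_ups` and the `FOLLOW_UP` mapping are assumptions made for illustration, as is treating severity 0 entries as bookkeeping flags.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Shortened excerpt of the log posted above: same line format, fewer lines.
SAMPLE_LOG = r"""
20.43.30  CBehaveEngine::onMalwareDetected(), path [C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\EEX.EXE] classification [Unknown] category [Unknown]
20.43.31  CBehaveEngine::onMalwareDetected(), name [WRITES_TO_REGISTRY_STARTUP] severity [2] desc [Registers executable to survive reboot]
20.43.31  CBehaveEngine::onMalwareDetected(), name [HIDDEN_EXE_WITH_FILE_ATTRIBUTE] severity [3] desc [Hidden on filesystem]
20.43.31  CBehaveEngine::onMalwareDetected(), name [TERMINATE_PROCESS] severity [2] desc [Terminates processes]
20.43.31  CBehaveEngine::onMalwareDetected(), name [IS_PE_FILE] severity [0] desc []
20.43.31  CBehaveEngine::onMalwareDetected(), name [FIREWALL_BLOCK] severity [3] desc []
20.43.37  CBehaveEngine::get_ProductVersion [9.0.0.921]
20.43.37  CBehaveEngine::onMalwareDetected(), quarantineMalware() returned [0]
20.43.37  CBehaveEngine::onRemovalStarted()
20.43.42  CBehaveEngine::onRemovalCompleted(), path [C:\DOCUMENTS AND SETTINGS\OWNER\LOCAL SETTINGS\APPLICATION DATA\EEX.EXE] files [1]
"""

LINE_RE = re.compile(r"^(\d\d\.\d\d\.\d\d)\s+CBehaveEngine::(\w+)(.*)$")
FIELD_RE = re.compile(r"(\w+) \[([^\]]*)\]")   # "key [value]" pairs

# Assumption (not vendor documentation): checks worth doing after quarantine,
# because deleting the file does not undo what these traits describe.
FOLLOW_UP = {
    "WRITES_TO_REGISTRY_STARTUP": "review startup (Run) registry entries",
    "TERMINATE_PROCESS": "confirm security tools and services still run",
    "HIDDEN_EXE_WITH_FILE_ATTRIBUTE": "look for other hidden executables nearby",
}


@dataclass
class Detection:
    time: str
    path: str
    classification: str
    traits: list = field(default_factory=list)   # (name, severity, desc)
    quarantine_rc: Optional[int] = None
    removed: bool = False

    def behaviours(self):
        """Traits with severity above 0, highest severity first."""
        return sorted((t for t in self.traits if t[1] > 0), key=lambda t: -t[1])


def parse_detections(text):
    """Group log lines into Detection records, one per flagged path."""
    detections, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        time, method, rest = m.groups()
        fields = dict(FIELD_RE.findall(rest))
        if method == "onMalwareDetected" and "path" in fields:
            # A line carrying a path opens a new detection.
            current = Detection(time, fields["path"], fields.get("classification", ""))
            detections.append(current)
        elif current is None:
            continue
        elif method == "onMalwareDetected" and "name" in fields:
            sev = int(fields.get("severity") or 0)
            current.traits.append((fields["name"], sev, fields.get("desc", "")))
        elif method == "onMalwareDetected" and "returned" in fields:
            current.quarantine_rc = int(fields["returned"])
        elif method == "onRemovalCompleted" and fields.get("path") == current.path:
            current.removed = True
    return detections


def follow_ups(det):
    """Follow-up checks suggested by the traits recorded for a detection."""
    return [FOLLOW_UP[name] for name, _, _ in det.traits if name in FOLLOW_UP]
```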

Re: Need assistance, computer trouble after my AV stopped virus

Postby Blín D'ñero » 03 Jun 2011, 21:57

Yes but could you try this tool:
BlindNero wrote: You should be able to cure your PC yourself. Download and run Stinger and read this: http://www.mcafee.com/us/downloads/free-tools/how-to-use-stinger.aspx If you have it, this thing will detect it. And remove it so it seems.
Disable System Restore before you run it.

It has a current database:
Build Number: 10.1.0.1629
Build Date: 27-May-2011

Re: Need assistance, computer trouble after my AV stopped virus

Postby rditto48801 » 03 Jun 2011, 22:00

A quick question.
Will this following thing fix my problem with rundll32, and apparently anything ending with .exe not running?
Click Start, Run. Type command and press Enter. Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.

Code:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
Double Click fix.reg and click YES for confirm.
Reboot your computer.



I found the above when searching for fixes to my rundll32.exe problems, at the following link.
http://myantispyware.com/forum/rundll32-exe-application-not-found-t1761.html
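
Added example (not part of the original posts): a check that can be run on another machine against an exported .reg file, to confirm the .exe association matches the value the fix.reg above writes. It parses string values from .reg text and reports any class key whose default differs. The function names and the `CONSTRUCTED_EXPORT` sample, including its class name, are made up for illustration; the expected `.exe` default of `exefile` is the standard Windows value.

```python
import re

# Known-good defaults: the command string is the one fix.reg above writes;
# "exefile" is the standard class name for the .exe extension.
EXPECTED = {
    r"exefile\shell\open\command": '"%1" %*',
    ".exe": "exefile",
}
# HKEY_CLASSES_ROOT is a merged view; per-user keys take priority in it.
CLASS_ROOTS = (
    "HKEY_CLASSES_ROOT\\",
    "HKEY_CURRENT_USER\\Software\\Classes\\",
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\",
)
KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')

FIX_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

# Constructed sample: a per-user .exe key pointing at a class that is not exefile.
CONSTRUCTED_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="constructed_class"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def unescape(s):
    """Undo .reg string escaping (\\\\ and \\")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key: {value_name: string}}; the default value is stored under ''."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k, v = KEY_RE.match(line), VAL_RE.match(line)
        if k:
            current = keys.setdefault(k.group(1), {})
        elif v and current is not None:
            name = "" if v.group(1) == "@" else unescape(v.group(1)[1:-1])
            current[name] = unescape(v.group(2))
    return keys


def check_exe_association(text):
    """List (key, actual, expected) for class keys whose default value is off."""
    findings = []
    for key, values in parse_reg(text).items():
        for root in CLASS_ROOTS:
            if key.lower().startswith(root.lower()):
                sub = key[len(root):].lower()
                if sub in EXPECTED and "" in values and values[""] != EXPECTED[sub]:
                    findings.append((key, values[""], EXPECTED[sub]))
    return findings
```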

Re: Need assistance, computer trouble after my AV stopped virus

Postby Blín D'ñero » 04 Jun 2011, 01:27

Apparently, yes. You can find more similar here: http://filext.com/faq/broken_exe_association.php

But you still have to check whether your pc is infected with that or another virus, or not. Have you tried the mcafee tool? Or is it impossible to run it at all?

Re: Need assistance, computer trouble after my AV stopped virus

Postby rditto48801 » 04 Jun 2011, 02:04

I ran my anti-virus after the initial problem, since my Frontier Security Suite was still running after the initial problem. It cleaned up some sort of other virus, I recall the in progress scanning status at one point stating it found 2 'infections', but I don't know what (or if there was more after I had checked) since the infected files were deleted, and I can't find the log for some reason for that particular scan.

All I need to do is get my computer to run exe files again and I can hopefully get other things going with other stuff I have access to (Spybot, Malwarebytes' Anti-Malware, etc.).

I do see in the logs that one of the things my Security Suite includes is something called BitDefender.

For now, the one fix via File Types does not work. It won't save the changes for some reason.

Re: Need assistance, computer trouble after my AV stopped virus

Postby rditto48801 » 04 Jun 2011, 02:20

A quick update. (Edit not possible on my previous post)
The regedit option shown in your link was not possible, since regedit would not work (the exe problem), so I tried the fix.reg thing since I have seen it on two different sites so far with multiple replies saying it worked.

After applying it and rebooting, my computer seems to be booting up normally, and everything seems to be showing up in the systray, not just the icon for Frontier Security Suite.

A quick check also shows Firefox is opening now (aside from no connection since it is plugged into my friend's laptop right now)
After I post this, I will hook my PC back up to my modem and see if the exe fix also gets stuff detecting my net connection again.