Potential Virus

Printable View

07-26-2005, 09:20 AM
Black Mage

Potential Virus

Hey everyone. Just earlier this morning, I downloaded a file that I thought was a plug in. I was skeptical, but alas, I ran the darned thing.

Anyways, I can supply a link to the file, but for the love of God, don't run it unless you know what you're doing. It may or may not have a virus in it.

I will repeat this again, DO NOT RUN THIS FILE, OR EVEN DOWNLOAD IT, AS IT MAY BE A VIRUS. Unless you know what you're doing.

THIS IS THE EXE I RAN.

DO NOT RUN THIS FILE, OR EVEN DOWNLOAD IT, AS IT MAY BE A VIRUS. Unless you know what you're doing.

Anyways, I'm making this topic, and supplying the link to that file in hopes that someone can help me identify what virus/worm/trojan, if any, it is and how to remove it.

I scaned it before running it and nothing came up. However, upon running it, I couldn't open my task manager. A pop up showed up saying the administrator disabled it.

Well, I ran a system restore and that didn't solve the problem. So, I looked up a fix for it, and it worked. A line placed in Run to edit the registry got my Task Manager back.

A .pf file was placed in my Windows/Prefetch and I promptly removed that and the exe itself.

There was a key in the registry by the name of the exe, and I removed that, however, when I ran msconfig, I looked at the start up tab and found that file, pointing the file which no longer is on my harddrive, and the registry key I removed.

I verified that the key is gone, and the file. However, I still don't know what else has been changed.

I ran Norton antivirus since, with updated definitions, but nothing was found.

Can anyone offer up any solutions, ideas, anything?

Thanks.
07-26-2005, 09:26 AM
Meat Puppet

do wnloaded + ran it. what i do now :confused:
07-26-2005, 09:30 AM
Black Mage

Though I'd normally appreciate your humor, I can't say I'm much in the mood.

If someone with something constructive to add could reply, that'd be great.
07-26-2005, 07:47 PM
crono_logical

Try deleting HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Policies\System\DisableTaskMgr
07-26-2005, 09:08 PM
Black Mage

Thanks cl_out, but I managed to get the Task Manager working again.

I ran this command:

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Which instead of removing the key, just made my task manager usable again. I apprecaite the response.

My problem lies more in that I don't know what other damage, if any, was done.

I found the key that was in SOFTWARE\Microsoft\Windows\CurrentVersion\Run and removed it, but aside from that, I can't seem to find anything else.

Norton Antivirus did not pick anything up, but then again, it didn't pick anything up before I ran the file.

And lastly, I've found this in the registry:

pmlzjxgec = C:\WINDOWS\System32\bmulalme.exe

I'm to understand that bmulalame.exe is for Quicktime, and auto-updater of sorts, but what looks suspicious to me is the "pmlzjxgec", which I have no idea what it is.
07-26-2005, 10:16 PM
crono_logical

Quote:

Originally Posted by Black Mage

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Which instead of removing the key, just made my task manager usable again. I apprecaite the response.

That's basically the same as deleting the key, except you're setting it's value to the default as if it didn't exist in the first place instead.

Quote:

Norton Antivirus did not pick anything up, but then again, it didn't pick anything up before I ran the file.

I looked at the file in a hex editor, and it looks like the program was written by whoever owns the site you got it off, and just edits the registry and is effectively a nuisance and not actually a virus, so I wouldn't expect a virus scanner to pick it up. If a virus scanner picked up any program that edited the registry, you'd have a hard time running a lot of program installers :p

Quote:

And lastly, I've found this in the registry:

pmlzjxgec = C:\WINDOWS\System32\bmulalme.exe

I'm to understand that bmulalame.exe is for Quicktime, and auto-updater of sorts, but what looks suspicious to me is the "pmlzjxgec", which I have no idea what it is.

With such a crappy name like that for both the entry and the program, it doesn't deserve to stay on the system even if it is clean :D
07-26-2005, 10:59 PM
Dr Unne

strings (in Linux) spit out all kinds of nice things from that file, like

Zombie_GetTypeInfo
Zombie_GetTypeInfoCount
RemoteHostIP
RemoteHost
LocalHostName
gethostbyaddr
gethostbyname
gethostname
WSAAsyncGetHostByAddr
WSAAsyncGetHostByName
strRemoteHost

Anything with variables/procedures called Zombie probably isn't too good. It also looks like it attempts to connect remotely to somewhere for some reason. You don't have any way of knowing what the program did (or is still doing). I'd reformat if I were you, but I'm not you.
07-27-2005, 12:23 AM
Endless

The two zombie strings are part of standard vb5 dlls. I'll try to remember tomorrow to set up a test virtual machine to see what that exe does exactly.
07-27-2005, 08:19 PM
Black Mage

Thank you, all three of you. I appreciate the input.

I can't thank you guys enough for helping out.

Final Edit: I apologize. The last two edits have been sorted out. The resetting was due to the lack of cooling. I apologize, I've been rather jumpy lately, and I had jumped to conclusions. Sorry about that.