Help needed please with pc on start up

Thread starter: Brad

Brad

I have recently been hit with a backdoor.jeem virus. After cleaning up the
problem with Norton AV, I now have a major problem. Each time on Start Up, I
get an Explorer error window with a message as follows: Explorer This
program has performed an illegal operation and will shut down. Explorer
caused an invalid page fault in module SQL.DLL at 017:61c05319.

At this point I am unable to close permanently that error message, nor am I
able to perform any other operations from the Start bar selection or desktop
icons.

I have used the Norton Rescue disk to run a scan, which came up empty, and
also the Windows boot disk to reinstall Windows (98 SE). The problem persists,
and I have run out of ideas to get the PC running again, short of a reformat,
which is something I'd like to avoid at the present time.

Any help would be greatly appreciated. Thanks in advance.

Would it be of any help to try starting up in Safe Mode and running
some of the trouble-shooting programs from there?

k35454
 
Mate, you've probably already seen this. All I can suggest is that you check
out your registry and see what you can find. From what I can see, the Troj
is just another bit of graffiti to my mind. I'm only guessing here, but said
trojan has probably latched onto something you've got at start up. So the
question is, what (obvious) programs do you know are running at start up?

Regards,

Ka.

*********** CUT/PASTE FROM CA **************
Win32.Jeem
Alias: Backdoor.Jeem, BKDR_JEEM.A, Trojan.PSW.Jeem, Win32/PSW.Jeem.10, Win32/PWS.Jeem.Trojan
Category: Win32
Type: Trojan
Published Date: 11/25/2002
Last Modified: 5/22/2003

CHARACTERISTICS
Win32.Jeem is a backdoor which functions both as an HTTP proxy and an SMTP
server. It is normally downloaded by the trojan Win32.Maz.

When the trojan is run, it makes a copy of itself in the %System% directory.
It installs itself via the registry to ensure that it is run each time
Windows is started.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\System Service="%System%\msrexe.exe"

The following registry key is also created:

HKLM\System\CurrentControlSet\Services\Swartax\ImagePath="%System%\msrexe.exe"

The trojan also stores some encrypted data strings in the registry which are
used for its scripting activities.

HKLM\Software\Microsoft\Windows\CurrentVersion\Welcome
1c3943
2340v93
398349873
4c34
4lkf83
c0948273
vk8593

The following subkeys can also be created depending on the scripting
response received.
idc3
cv093

The trojan opens 3 TCP ports by default. The value of these ports is random,
based on the Time Zone and Operating System version which the user has
installed.

For example the 3 ports which are open may be
6358 6952 7769

The lowest of the 3 ports functions as an SMTP server which allows email to
be sent. It is possible that the spamming of the Maz trojan is achieved via
this method.

Instructions to the backdoor are received on the middle numbered port. Some
of the instructions that the backdoor can receive include :
-Making an outbound connection to a specified IP address and port.
-Listening on port 9000 to receive further data.

The trojan also has the ability to function as an HTTP proxy. The data
exchange for this function is through the highest numbered port.

Note: It has been reported from several sources that Jeem is a tool used by
spammers to compromise victims' machines, with the intention of using those
machines to relay unsolicited bulk e-mail (otherwise known as 'spam').

Analysis by Scott Molenkamp
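A defender-side check for the registry traces listed in the write-up, added here as an illustration and not part of the thread or of the CA text: it parses a `regedit /e` text export (the REGEDIT4 format Windows 98 writes) and reports the Run value, the Swartax service and the Welcome key described above. The sample export is constructed; the key names, value names and the msrexe.exe file name are the ones the write-up gives.

```python
# Persistence traces transcribed from the CA write-up quoted above; key and
# value names are the ones listed there, lower-cased for case-insensitive matching.
JEEM_RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
JEEM_SERVICE_KEY = r"hkey_local_machine\system\currentcontrolset\services\swartax"
JEEM_DATA_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\welcome"
JEEM_BINARY = "msrexe.exe"

# Constructed sample of a `regedit /e` export (REGEDIT4 text format) from an infected box.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"System Service"="C:\\WINDOWS\\SYSTEM\\msrexe.exe"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Swartax]
"ImagePath"="C:\\WINDOWS\\SYSTEM\\msrexe.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Welcome]
"1c3943"="x9f2"
"4c34"="q77a"
'''

def parse_reg_export(text):
    """Turn [key] / "name"="value" lines into {key (lower-cased): {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip().strip('"')
    return keys

def find_jeem_indicators(text):
    """Return the persistence traces from the write-up found in an export; [] if none."""
    keys = parse_reg_export(text)
    findings = []
    for name, value in keys.get(JEEM_RUN_KEY, {}).items():
        if JEEM_BINARY in value.lower():  # Run value launching msrexe.exe
            findings.append(f"Run value '{name}' launches {value}")
    image = keys.get(JEEM_SERVICE_KEY, {}).get("ImagePath", "")
    if JEEM_BINARY in image.lower():  # Swartax service pointing at the same binary
        findings.append(f"Swartax service ImagePath is {image}")
    if JEEM_DATA_KEY in keys:  # key holding the encrypted script strings
        findings.append(f"Welcome key present with {len(keys[JEEM_DATA_KEY])} opaque value(s)")
    return findings

if __name__ == "__main__":
    for finding in find_jeem_indicators(SAMPLE_EXPORT) or ["no Jeem traces found"]:
        print(finding)
```

Run it against a real export with `find_jeem_indicators(open("export.reg").read())`; an empty list means none of the three traces from the write-up are present, which helps decide whether the remaining Explorer fault is leftover persistence or something unrelated.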