
Friday, March 28, 2008

regsvr.exe / rundll.exe / ‘Microsoft CorpAration’ virus details & heal uploaded

I recently had to face the problem of a particular virus on my PC. This virus was quite a survivor, even with it being detected on every scan that I performed. It had made some changes to the registry because of which all my antivirus was able to do was give me a message that a special removal technique was required to remove this virus and that it would be removed at the next reboot. However, that was not to be the case and the virus survived every action taken by my anti-virus software. So I thought I had to gear up to bring an end to this menace. So I googled the name of the virus and found a very interesting article about the virus, which I am posting here hoping that it would be of use to someone who might be troubled by its presence as well....

This virus creates a lot of files and makes a lot of registry changes. Finding the solution was really challenging. It is built with AutoIt, version unknown. The latest Kaspersky update does not detect this virus unless a thorough scan is run.

not-a-virus:Monitor.Win32.007SpySoft.q -> rundll.exe
Worm.Win32.AutoIt.s -> regsvr.exe

The "Microsoft Corparation" tag is really confusing. Mind it, it is Corp'a'ration, not Corp'o'ration ... he he

I won't say the heal is totally complete; some more work still needs to be done on it, probably to fix a few more registry entries. But overall this heal will end-task the virus files and restore most of the registry entries.

This virus/Trojan keeps a complete watch on the system by taking screenshots every 30 seconds. Suppose you have had this virus for 30 days; just think how much space it will eat.

Like other recent viruses, this one creates an exe file inside every folder with the name of the parent folder (but only on removable drives, which is one of its peculiarities). It spreads via pen drives, leaving regsvr.exe, New Folder.exe and autorun.inf in the root directory of the pen drive and the other files inside the folders.

So here is the solution…

regsvr.exe / Winhelp.exe / rundll.exe
===========================

File names

———–

Name : regsvr.exe
Name : winhelp.exe
Type of File : Application
Icon : Folder icon
size : 1.06 MB (1,114,588 bytes)
size on disk : 1.07 MB (1,122,304 bytes)
File version : 1.1.2.2
Description : Microsoft Corparation (sic: it is Microsoft Corp'a'ration, not Microsoft Corporation)
Copyright :
Compiled Script : Microsoft Corporation
File version : 1,1,2,2
Language : English (United Kingdom)

Name : rundll.exe
Type of File : Application
Description : Generic Host Process for Win32 Services
Size : 161 KB (164,864 bytes)
size on disk : 168 KB (172,032 bytes)
File version : 3.8.0.7400
Company : Microsoft Corporation
Internal name : svchost-full-org
Language : English (United States)
Original name : svchost-full-org.exe

Other supporting files, created during installation of virus:

Name: MSINET.OCX
Type: ActiveX Control
Size: 60.5 KB (61,952 bytes)
Size on disk: 64.0 KB (65,536 bytes)
File version: 5.1.45.11
Description: Microsoft Internet Transfer Control DLL
Copyright: Copyright © 1987-1997 Microsoft Corp.
Comments: September 11, 1997
Company: Microsoft Corporation
File version: 5.01.4511
Internal name: MSINET.OCX

Name: ijl11pro.dll
Type: Application Extension
Size: 70.0 KB (71,680 bytes)
size on disk : 72.0 KB (73,728 bytes)
File version : 1.1.2.16
Description : Intel® JPEG Library - Retail Version
Copyright : Copyright © 1999
Comments : Intel® JPEG Library
Company : Intel Corporation
File version : 1.1.2
Internal name : Intel® JPEG Library
Original name : ijl11.dll

x—x—x

Recognized by KAV
—————–

not-a-virus:Monitor.Win32.007SpySoft.q rundll.exe
Worm.Win32.AutoIt.s regsvr.exe
x—x—x

Running Processes
—————

Process       Account   CPU      Threads
regsvr.exe              1-30%    2
rundll.exe              0%       4
Winhelp.exe   SYSTEM    1-40%    1

x—x—x

Behind the Screen
—————–

Files Created:
…………..

C:\DOCUME~1\JAYDEV\LOCALS~1\Temp\aut3.tmp
C:\DOCUME~1\JAYDEV\LOCALS~1\Temp\aut4.tmp
C:\DOCUME~1\JAYDEV\LOCALS~1\Temp\aut5.tmp
C:\DOCUME~1\JAYDEV\LOCALS~1\Temp\aut6.tmp
C:\WINDOWS\winhelp.ini
C:\WINDOWS\system32\rundll.exe
C:\WINDOWS\system32\ijl11pro.dll
C:\WINDOWS\system32\MSINET.OCX
C:\WINDOWS\system32\regsvr.exe
C:\WINDOWS\regsvr.exe
C:\WINDOWS\system32\winhelp.exe
C:\Documents and Settings\Piyush Chandra\Local Settings\Temp\~DFD5E6.tmp
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9
C:\WINDOWS\system32\COMCTL32.OCX
C:\WINDOWS\system32\stdole2.tlb
ModifyFile C:\WINDOWS\winhelp.ini

Registry entries changed:
……………….

ModifyRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{79ebb8fd-f8e1-11dc-a1b1-806d6172696f}\BaseClass
etc
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messenger
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
CreateRegValue \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\system
CreateDir C:\WINNT\system32\ssdata\
CreateDir C:\Recycled\WinLiveUpdate32\scrdata\
CreateDir C:\Recycled\WinLiveUpdate32\
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Themes
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
etc
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{48E59293-9880-11CF-9754-00AA00C00908}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
etc
CreateRegValue HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User “I:\WINDOWS\system32\rundll.exe”

Registry access:
…………….

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\
HKLM\SOFTWARE\Microsoft\Tracing\RASAPI32
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
HKLM\SYSTEM\ControlSet001\Hardware Profiles001
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness

x—x—x

More behind the screen
———————-

The virus is only completely installed after two reboots.

It uses cacls.exe to change some permission settings (which ones has not yet been worked out).

It saves screenshots in c:\recycled\WinLiveUpdate32\ at 30-second intervals,
so it eats up the space on your c:\ drive if you have been affected by this virus for a long time.

It saves a record of what is going on in the system in c:\recycled\WinLiveUpdate32\scrdata\, in files named Apps.data, Files.dat, Keys.data, scr.data and lgstat.ini.

In simple words: it keeps complete track of your computer.

Warning Messages
—————–

rundll.exe
Another program is currently using this file.

Kaspersky
Riskware: not-a-virus:Monitor.Win32.007SpySoft.q
File: I:\WINDOWS\system32\rundll.exe

x—x—x

Solution:
———

Start > Run > type the following, one line at a time, from an Administrator account (winhelp.exe runs as SYSTEM, so a limited account cannot kill it)

(taskkill.exe ships with Windows XP Professional but not with XP Home Edition; if the lines below report that taskkill is not recognised, copy taskkill.exe from an XP Professional machine into your c:\windows\system32\ folder first)

End task
……..

taskkill /f /im regsvr.exe /t
taskkill /f /im rundll.exe /t
taskkill /f /im winhelp.exe /t

Registries
……….

at /delete /yes
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /f
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoFolderOptions /f
reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg delete HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run /v "Yahoo Messengger" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v System /t REG_SZ /d "" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v shell /t REG_SZ /d "Explorer.exe" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "User Themes" /f

(The monitor log above recorded the Run value as "Yahoo Messenger" while the heal deletes "Yahoo Messengger"; list the values of the Run key first, with reg query, and use the name exactly as it appears on your machine. at /delete /yes removes any scheduled AT jobs, which matches the Schedule\AtTaskMaxHours change in the log. The DisableRegistryTools policy only blocks regedit, not reg.exe, which is why these commands work while the policy is still set; deleting the whole Policies\System key afterwards also clears DisableTaskMgr.)
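
The "Registry entries changed" list and the reg commands above map onto each other one entry at a time, and that mapping can be automated. The Python script below is an added example, not part of the original post or of its heal download: it parses monitor-log lines in the format used above, normalises the \REGISTRY\MACHINE and \REGISTRY\USER\<SID> spellings to the HKLM/HKU names reg.exe expects, classifies each change as persistence (Run values, Winlogon Shell/System), lockout (the DisableTaskMgr, DisableRegistryTools and NoFolderOptions policies), scheduler (the Schedule service change) or info (the TypeLib/CLSID registrations of the dropped OCXs), and emits the reg.exe or at command that undoes it. The sample lines are copied from the list above; the category names, the hive table and the Winlogon defaults (Shell = Explorer.exe, System empty, which is what the heal restores) are the example's own choices, and it goes slightly beyond the post in handling any Run/RunOnce value rather than only the three names the heal deletes.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "category key name data command")

# Sample input: lines copied from the "Registry entries changed" list above
# (nothing invented). Paste a complete monitor log here or read one from a file.
SAMPLE_LOG = r"""
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messenger
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NofolderOptions
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
CreateRegValue \REGISTRY\USER\S-1-5-21-1935655697-308236825-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools
CreateRegValue \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Schedule\AtTaskMaxHours
ModifyRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\system
CreateRegValue \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Themes
CreateRegKey \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{48E59290-9880-11CF-9754-00AA00C00908}
CreateRegValue HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User "I:\WINDOWS\system32\rundll.exe"
"""

LINE_RE = re.compile(r'^(\w+)\s+(.+?)(?:\s+"([^"]*)")?\s*$')  # <op> <path> ["<data>"]

# Native (\REGISTRY\...) and Win32 (HKEY_...) hive spellings -> reg.exe short names.
HIVE_MAP = [(re.compile(p, re.I), r) for p, r in (
    (r"^\\REGISTRY\\MACHINE\\", r"HKLM\\"), (r"^\\REGISTRY\\USER\\", r"HKU\\"),
    (r"^HKEY_LOCAL_MACHINE\\", r"HKLM\\"), (r"^HKEY_CURRENT_USER\\", r"HKCU\\"),
    (r"^HKEY_USERS\\", r"HKU\\"))]

# Known-good data for the two Winlogon values the worm overwrites (XP defaults,
# exactly what the heal above restores).
WINLOGON_DEFAULTS = {"shell": "Explorer.exe", "system": ""}

# Policies the worm sets to lock the user out of Task Manager, regedit and Folder Options.
LOCKOUT_POLICIES = {r"\policies\system": {"disabletaskmgr", "disableregistrytools"},
                    r"\policies\explorer": {"nofolderoptions"}}


def parse_line(line):
    """Split one monitor-log line into (op, key, value_name, data); None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    op, path, data = m.groups()
    for pat, repl in HIVE_MAP:
        path = pat.sub(repl, path)
    if op.endswith("RegValue"):          # last path component is the value name
        key, _, name = path.rpartition("\\")
        return op, key, name, data
    return op, path, None, data          # *RegKey ops: the whole path is the key


def classify(key, name, data):
    """Return (category, command that undoes the change, or None for informational entries)."""
    lk, ln = key.lower(), (name or "").lower()
    if name and lk.endswith((r"\currentversion\run", r"\currentversion\runonce")):
        return "persistence", 'reg delete "%s" /v "%s" /f' % (key, name)
    if lk.endswith(r"\currentversion\winlogon") and ln in WINLOGON_DEFAULTS:
        return "persistence", 'reg add "%s" /v %s /t REG_SZ /d "%s" /f' % (key, name, WINLOGON_DEFAULTS[ln])
    for suffix, names in LOCKOUT_POLICIES.items():
        if lk.endswith(suffix) and ln in names:
            return "lockout", 'reg delete "%s" /v "%s" /f' % (key, name)
    if lk.endswith(r"\services\schedule") and ln == "attaskmaxhours":
        return "scheduler", "at /delete /yes"   # clear scheduled AT jobs, as the heal does
    return "info", None                         # e.g. TypeLib/CLSID registrations of the dropped OCXs


def build_plan(log_text):
    plan = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            _op, key, name, data = parsed
            category, command = classify(key, name, data)
            plan.append(Finding(category, key, name, data, command))
    return plan


def remediation_commands(plan):
    """Unique commands in the order persistence, scheduler, lockout."""
    order = {"persistence": 0, "scheduler": 1, "lockout": 2}
    cmds = []
    for f in sorted((f for f in plan if f.command), key=lambda f: order[f.category]):
        if f.command not in cmds:
            cmds.append(f.command)
    return cmds


if __name__ == "__main__":
    plan = build_plan(SAMPLE_LOG)
    for f in plan:
        print("%-12s %s\\%s%s" % (f.category, f.key, f.name or "", " = " + f.data if f.data else ""))
    print("\nREM remediation, review before running from an Administrator prompt:")
    print("\n".join(remediation_commands(plan)))
```

Run it as-is to see the plan for the sample lines; feed it a full log and review the output before pasting it into an Administrator command prompt. Because it deletes Run values under the name that actually appears in the log, it sidesteps the "Yahoo Messenger" / "Yahoo Messengger" spelling question above, but HKU\<SID> entries only apply to that one user profile, so check which profile the SID belongs to.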

Files
…..

cmd /k del "%USERPROFILE%\Local Settings\Temp\aut*" /f
cmd /k del "%USERPROFILE%\Local Settings\Temp\~*" /f
cmd /k del "%WINDIR%\System32\rundll.exe" /f
cmd /k del "%WINDIR%\winhelp.ini" /f
cmd /k del "%WINDIR%\system32\ijl11pro.dll" /f
cmd /k del "%WINDIR%\system32\MSINET.OCX" /f
cmd /k del "%WINDIR%\system32\regsvr.exe" /f
cmd /k del "%WINDIR%\regsvr.exe" /f
cmd /k del "%WINDIR%\system32\winhelp.exe" /f
cmd /k rd /s /q "C:\WINNT\system32\ssdata"
cmd /k rd /s /q "C:\Recycled\WinLiveUpdate32"

(Run these only after the taskkill lines; while rundll.exe is still running, del fails with "Another program is currently using this file", the warning quoted above. del /f overrides the read-only attribute but skips files carrying the hidden or system attribute; if a file that dir /a shows is reported as not found, clear its attributes with attrib -h -s -r first. The two rd lines remove the directories with everything in them, including scrdata\ and the screenshots the worm has been collecting, so copy them aside first if you want to see what was captured. ijl11pro.dll and MSINET.OCX are legitimate Intel and Microsoft libraries the worm drops for its own use; if some other program on the machine already relied on them it will need them reinstalled.)

(Also delete regsvr.exe, New Folder.exe and autorun.inf from the root of every pen drive that was plugged in, plus the exe files named after their folders inside. Open the drive by typing its letter into the address bar or a command prompt rather than double-clicking it in My Computer; otherwise autorun.inf launches regsvr.exe again before you can delete it.)
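
The spreading mechanism described earlier (autorun.inf plus regsvr.exe and New Folder.exe in the pen-drive root, and an exe named after each folder inside it) and the pen-drive clean-up step above can be checked mechanically instead of by eye. The following Python script is an added example, not code from the original post: it reads autorun.inf for the file it would launch, walks the drive for the known dropper names and for <folder>\<folder>.exe pairs, and moves the hits into a quarantine folder rather than deleting them, so they stay available for analysis. The drive layout it builds in a temp directory is constructed for the demonstration (the autorun.inf text and the placeholder file contents are invented; the file names are the ones the post gives), and the quarantine folder name is the example's own.

```python
import os
import re
import shutil
import tempfile

# Dropper file names the post lists in the pen-drive root.
KNOWN_DROPPERS = {"regsvr.exe", "new folder.exe"}

# autorun.inf keys that name something to run: open=, shellexecute=, shell\<verb>\command=
AUTORUN_TARGET_RE = re.compile(
    r"^\s*(?:open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(.+?)\s*$", re.I)


def autorun_targets(inf_path):
    """Return the lower-cased base names of the files an autorun.inf would launch."""
    targets = set()
    with open(inf_path, "r", errors="replace") as fh:
        for line in fh:
            m = AUTORUN_TARGET_RE.match(line)
            if not m:
                continue
            raw = m.group(1)
            if raw.startswith('"'):              # "quoted path" [args]
                raw = raw[1:].split('"', 1)[0]
            else:                                # bare path [args]
                raw = raw.split()[0] if raw.split() else ""
            if raw:
                targets.add(os.path.basename(raw.replace("\\", "/")).lower())
    return targets


def sweep(root):
    """Walk a drive and return [(path, reason)] for files matching the worm's layout."""
    # os.walk lists hidden and system files too, so files Explorer does not show are still checked.
    findings = []
    root = os.path.abspath(root)
    inf = os.path.join(root, "autorun.inf")
    launched = set()
    if os.path.isfile(inf):
        findings.append((inf, "autorun.inf in drive root"))
        launched = autorun_targets(inf)
    for dirpath, _dirs, filenames in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        for fn in filenames:
            low, path = fn.lower(), os.path.join(dirpath, fn)
            if dirpath == root and low in launched:
                findings.append((path, "launched by autorun.inf"))
            elif dirpath == root and low in KNOWN_DROPPERS:
                findings.append((path, "known dropper name"))
            elif dirpath != root and low == folder + ".exe":
                findings.append((path, "exe named after its parent folder"))
    return findings


def quarantine(findings, qdir):
    """Move flagged files off the drive, renamed so nothing runs them, instead of deleting."""
    os.makedirs(qdir, exist_ok=True)
    moved = []
    for path, _reason in findings:
        base = os.path.basename(path) + ".quarantined"
        dest, n = os.path.join(qdir, base), 1
        while os.path.exists(dest):              # two folders may hold same-named droppers
            dest, n = os.path.join(qdir, "%d_%s" % (n, base)), n + 1
        shutil.move(path, dest)
        moved.append(dest)
    return moved


def sweep_relative(root):
    """sweep() with paths made relative and '/'-separated, for stable comparisons."""
    return sorted((os.path.relpath(p, root).replace(os.sep, "/"), r) for p, r in sweep(root))


def build_sample_drive():
    """Constructed pen-drive layout mirroring the post's description; not a real sample."""
    root = tempfile.mkdtemp(prefix="pendrive_")

    def put(rel, content=b"MZ placeholder, not a real executable"):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(content)

    # autorun.inf content is illustrative; the post does not reproduce the real file
    put("autorun.inf", b"[autorun]\r\nopen=regsvr.exe\r\nshell\\open\\command=regsvr.exe\r\n")
    put("regsvr.exe")
    put("New Folder.exe")
    put("Photos/Photos.exe")                     # exe named after its parent folder
    put("Photos/holiday.jpg", b"\xff\xd8 constructed")
    put("Docs/Docs.exe")
    put("Docs/thesis.doc", b"constructed")
    put("Clean/notes.txt", b"constructed")
    return root


def demo():
    """Build the sample drive, sweep it, quarantine the hits, sweep again."""
    root = build_sample_drive()
    before = sweep_relative(root)
    moved = quarantine(sweep(root), root + "_quarantine")
    return {"before": before, "moved": len(moved), "after": sweep_relative(root)}


if __name__ == "__main__":
    result = demo()
    for rel, reason in result["before"]:
        print("%-22s %s" % (rel, reason))
    print("quarantined %d file(s); hits remaining: %d" % (result["moved"], len(result["after"])))
```

To use it on a real stick, open a command prompt (not My Computer, so autorun does not fire) and call sweep("E:\\") or quarantine(sweep("E:\\"), r"C:\quarantine") with the right drive letter; the legitimate files in each folder (holiday.jpg, thesis.doc, notes.txt in the sample) are left alone because only the folder-named exe, the root droppers and the autorun target are flagged.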

Download:
———

Please download the Heal for regsvr.exe from here

http://rapidshare.com/files/103081849/Heal_regsvr1.0.rar

Monday, March 24, 2008

IIM Indore GD/PI Experience

If the IIM Kozhikode experience was memorable, then this one was by no means less important. In fact, after the IIM K experience I was a bit more relaxed and confident this time around.


GD/PI on 20th Feb, 1:50 pm slot at Mumbai.


GD: A case study on an organisation appointing a Mr. GAUTAM as their manager. Gautam was previously working with Eventus, an event management firm, but was appointed as the manager in this firm. He implemented several of his ideas for the utilisation of the unused areas of the company premises for social events and ran several workshops for the employees of the company.
However, after some time it was found that the quality of their main product had gone down drastically and required quick action.
A committee looks into the matter and finds that the employees' level of focus on the primary product has decreased owing to the multiple tasks they are involved in. Gautam has to attend the meeting on the falling quality of the company's product. What should he do?


The group consisted of 7 people. We were given 5 min. to read the case, 14 min. to discuss and 5 min. to write a summary of the GD.

I chipped in 3-4 times and overall the GD was a good experience.

They were randomly calling people for the interview and I was the 3rd person to go in.
The panel consisted of two members (I will call them P1 and P2).

When I entered the interview room only P2 was sitting there.

P2: So you are from Electronics?
Me: Yes sir, from Electronics and Telecommunication.

P2: Any work experience?
Me: No sir, currently in my final year of engineering. However I did my diploma and had one year of in-plant training integrated within the course.

P2: What is the reason behind this drastic fall in your academic scores?
Me: (My scores do have a drastic fall if you look at them.) I stated that I used to do well till the 3rd semester of the degree; however after that the subjects went on becoming more and more theoretical, and though I had a good knowledge of the subjects I have one major weakness (which I had also mentioned in the form): my writing speed is very slow, because of which I can only attempt around 80-90 marks in the exam.

He seemed satisfied.

P2: Tell me about 1G, 2G, 3G, 4G?
Me: Explained.

(P1 enters the room)
P2: Bluetooth and Wi-Fi, and the reason for their co-existence?
Me: Explained

P2 asks P1 to take over.

P1: Names a few personalities and asks if I know something about any of them.
Me: No idea whose names he was taking.....

P1: Finally speaks about a familiar name: Barkha Dutt
Me: Told him that she is a news reporter working with NDTV.

P1: Can you tell me the movie made on her?
Me: ????????

P1: Asks about my extra-curricular activities.
Me: More than happy answering all these questions.

Suddenly P1 cuts in and asks: what do you mean by Culture?
Me: blah blah blah.... (The question came when I stated that I was the Cultural Secretary for my college events.)


P1: Asks about RISC and CISC?
Me: Something related to microcontrollers, but I could not recall it correctly.

P2: Asks me about BRIC.
Me: Answered.

P2: Which of the BRIC countries has the highest per capita income?
Me: No idea, sir.

P1: (Checks my form and asks) So who was the first Home Minister of India?
Me: (What the hell!!) No idea, sir.

P1: Who is the Chief Minister of Mumbai?
Me: Chief Minister of Maharashtra?

P1: Oh yes, of course; my mistake.
Me: It is Vilasrao Deshmukh.

P1: So you are from Mumbai itself.
Me: Yes sir. Born and brought up here.

P1: Why was Bombay rechristened to Mumbai?
Me: Told

P2: Can you tell us how the Dabbawalas of Mumbai operate?
Me: Now the interview was getting interesting. I knew the topic very well and explained the entire operation of how the dabbas are collected, segregated and delivered, and everything including that the Mumbai dabbawalas are Six Sigma certified, and then I was stopped while I was explaining further details.

P1: What is Nifty?
Me: Told.

P1: Who is Mohammad Azhar Mehmood?
Me: No idea.

Ok; you can leave.

So that was it; hopefully I did well.

IIM Kozhikode GD/PI experience

Didn't know where to start from, so I thought I would pen down (or rather type) one of my most memorable events, and when I thought it over this was the first thing that came to my mind. Why not give a brief description of what I went through when I gave my first B-school interview? So here goes my GD/PI experience for IIM Kozhikode.


GD/PI on 12th Feb, 9 am slot at Mumbai

GD: Labour unions and the management should not be at loggerheads but work together for the benefit of the company. Labour unions should not just keep going on strike and should play an active role in the development of the company (and something related to this.... gave us some 6-7 lines to read).

9 people constituted the GD, as 2 were sent to join the other panel where some 4 people were absent.

The GD was pretty decent; however I felt I should have entered more often. Chipped in 3-4 times; however at the very end of the GD a great example struck me but I was unable to put it in as the moderators told us to stop (I had an example of how the labour union of a Japanese shoe-making company, which had problems with its management, found a unique way to go on strike. Till the management listened to their demands the labourers just kept on producing only left shoes. The moment their demands were met they started producing the right shoes, thereby not hampering the output of the company and also effectively making their point.)


PI - I was the second to go in among my group of 9

P1 and P2 were the interviewers

Me: Good morning sir
P1: Have a seat and give us your file
P1: So where are you from?
Me: I first mistook it for my college and stated that I am from Somaiya.

P1: So you came here from Somaiya?
Me: No sir, I stay at Borivali.
P1: Tell me something about Borivali.
Me: Told, in about 1.5 mins.
P1: So what is the population of Borivali?
Me: Stumped....
P1: Population of Mumbai? Of India?
Me: Told
P1: Which is the largest city in India?
Me: Told
P1: Which is the largest company in India?
Me: Told
P2: Asked questions related to the CEO and CIO and why they are only officers and not managers.
Me: Told him I have little idea about it.
P2: Which company have you been recruited to?
Me: TCS
P1: Is it TCS or TCSL?
Me: TCSL
P1: What is the meaning of a limited company?
Me: Explained

P2: What are your hobbies?
Me: Chess and reading novels
P1: Tell me something about the Sicilian Defence.
Me: Stumped again
P1: How many types of chess boards are available?
Me: As far as I know there is only one type of chess board; however there can be several variants of the game, but they do not come under the category of chess.
P2: Can we not have a larger or a smaller chess board?
Me: We can; however I would prefer the 64-square chess board only.

P1: Which novels do you read?
Me: Told
P1: Which of the Dan Brown series have you read?
Me: Stated
P1: What do you think about the controversy related to The Da Vinci Code?
Me: Blah, blah

Now they started asking technical questions related to transistors, diodes, resistors, TCP/IP, OSI, antenna theory, Boolean gates, etc.
(thoroughly grilled me)
Also asked about VSAT and broadband technology.

Lastly P2 asked me why I opted for a degree course after completing my diploma rather than joining a firm, and now why I am opting for an MBA.



The PI lasted for around 30 minutes.

Don't know what to make of it.