need to figure out if an .scr file contains a security threat


David H. Lipman

From: "name" <[email protected]>


|
| Ah, that explains why AVG gave me an alert about a 'syshelps.dll'
| file... bit late though after my computer had already been infected.

OK then

1. Delete from the Registry..

HKCR\CLSID\{CA4896E7-EE32-4899-8950-9E7126515E48}

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\syshelps

2. Logoff then logon again.

3. Delete;
%windir%\photos.zip
%windir%\system32\syshelps.dll

4. Completely scan the PC starting at %windir%
 

David H. Lipman

From: "name" <[email protected]>


|
| Ah, that explains why AVG gave me an alert about a 'syshelps.dll'
| file... bit late though after my computer had already been infected.

Complete scanning result of "syshelps.dll", processed in VirusTotal at 06/16/2007 04:52:30
(CET).

[ file data ]
* name: syshelps.dll
* size: 23016
* md5.: aacb24330feafef87101314b4195cb8f
* sha1: 772f20be59f6377cbad014f388b8334c820c8457

[ scan result ]
AhnLab-V3 2007.6.16.0/20070615 found [Win-Trojan/ShadoBot.22016.B]
AntiVir 7.4.0.32/20070615 found [Worm/IRCBot.23016]
Authentium 4.93.8/20070616 found nothing
Avast 4.7.997.0/20070615 found nothing
AVG 7.5.0.467/20070615 found [BackDoor.Generic7.EAK]
BitDefender 7.2/20070616 found [Backdoor.IRCBot.ABDD]
CAT-QuickHeal 9.00/20070615 found [Backdoor.IRCBot.acd]
ClamAV devel-20070416/20070616 found nothing
DrWeb 4.33/20070615 found [Win32.HLLW.Sodoku]
eSafe 7.0.15.0/20070614 found [Win32.Mubla]
eTrust-Vet 30.7.3721/20070615 found nothing
Ewido 4.0/20070615 found [Backdoor.IRCBot.acd]
F-Prot 4.3.2.48/20070615 found nothing
F-Secure 6.70.13030.0/20070615 found [Backdoor.Win32.IRCBot.acd]
FileAdvisor 1/20070616 found [Not analyzed yet]
Fortinet 2.85.0.0/20070616 found [W32/IRCBot.ACD!tr.bdr]
Ikarus T3.1.1.8/20070615 found [Backdoor.Win32.IRCBot.acd]
Kaspersky 4.0.2.24/20070616 found [Backdoor.Win32.IRCBot.acd]
McAfee 5054/20070615 found nothing
Microsoft 1.2607/20070616 found nothing
Norman 5.80.02/20070615 found nothing
Panda 9.0.0.4/20070616 found [Malware Generic]
Prevx1 V2/20070616 found nothing
Sophos 4.18.0/20070612 found nothing
Sunbelt 2.2.907.0/20070614 found [W32.Mubla]
TheHacker 6.1.6.133/20070615 found [Backdoor/IRCBot.acd]
VBA32 3.12.0.2/20070615 found [Win32.HLLW.Sodoku]
VirusBuster 4.3.23:9/20070615 found [Backdoor.IRCBot.AYW]
Webwasher-Gateway 6.0.1/20070616 found nothing

[ notes ]
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=aacb24330feafef87101314b4195cb8f
 

name

From: "David H. Lipman" <[email protected]>

|
| It doesn't mean they are one and the same.
|
| It could be the same BUT... a different variant.
|
| Jen is correct.
| It is a new variant of what Symantec calls "W32.Mubla"
|
| This variant uses:
|
| HKCR\CLSID\{CA4896E7-EE32-4899-8950-9E7126515E48}\InProcServer32
| "(Default)" = "syshelps.dll"
| HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
| "syshelps" = "{CA4896E7-EE32-4899-8950-9E7126515E48}"

When searching for files with "syshelps" in the filename, I find no
such files on my local drives.
So I assume BitDefender got rid of the 'syshelps.dll' file.

When searching for "syshelps" in the registry, I find:

HKCR\CLSID\{0152B523-362B-4503-AB66-B42EB774206D}\InProcServer32
"(Default)" = "syshelps.dll"

HKCR\CLSID\{736F6774-C373-46FD-B748-1A24D7C7E71A}\InProcServer32
"(Default)" = "syshelps.dll"

HKLM\SOFTWARE\Classes\CLSID\{0152B523-362B-4503-AB66-B42EB774206D}
\InProcServer32
"(Default)" = "syshelps.dll"

HKLM\SOFTWARE\Classes\CLSID\{736F6774-C373-46FD-B748-1A24D7C7E71A}
\InProcServer32
"(Default)" = "syshelps.dll"

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
\ShellServiceObjectDelayLoad
"syshelps" = "{0152B523-362B-4503-AB66-B42EB774206D}"


Should I get rid of all these suspicious entries in the registry?
 

David H. Lipman

From: "name" <[email protected]>

|>> It doesn't mean they are one and the same.
|>>
|>> It could be the same BUT... a different variant.
|
| When searching for files with "syshelps" in the filename, I find no
| such files on my local drives.
| So I assume BitDefender got rid of the 'syshelps.dll' file.
|
| When searching for "syshelps" in the registry, I find:
|
| HKCR\CLSID\{0152B523-362B-4503-AB66-B42EB774206D}\InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKCR\CLSID\{736F6774-C373-46FD-B748-1A24D7C7E71A}\InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKLM\SOFTWARE\Classes\CLSID\{0152B523-362B-4503-AB66-B42EB774206D}
| \InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKLM\SOFTWARE\Classes\CLSID\{736F6774-C373-46FD-B748-1A24D7C7E71A}
| \InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
| \ShellServiceObjectDelayLoad
| "syshelps" = "{0152B523-362B-4503-AB66-B42EB774206D}"
|
| Should I get rid of all these suspicious entries in the registry?

Delete the following...

HKCR\CLSID\{0152B523-362B-4503-AB66-B42EB774206D}\InProcServer32
HKCR\CLSID\{736F6774-C373-46FD-B748-1A24D7C7E71A}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{0152B523-362B-4503-AB66-B42EB774206D}
HKLM\SOFTWARE\Classes\CLSID\{736F6774-C373-46FD-B748-1A24D7C7E71A}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\syshelps
 

name

From: "name" <[email protected]>

|
| Ah, that explains why AVG gave me an alert about a 'syshelps.dll'
| file... bit late though after my computer had already been infected.

OK then

1. Delete from the Registry..

HKCR\CLSID\{CA4896E7-EE32-4899-8950-9E7126515E48}

I can't find "CA4896E7" when searching the registry, so I guess that
key is missing from the registry.
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\syshelps

This is one of the keys I found that are associated with 'syshelps'.
I've found 5 of such keys and listed them in my other posting.
2. Logoff then logon again.

3. Delete;
%windir%\photos.zip
%windir%\system32\syshelps.dll

I'm pretty sure these files are already deleted.
 

David H. Lipman

From: "name" <[email protected]>

|>> Ah, that explains why AVG gave me an alert about a 'syshelps.dll'
|>> file... bit late though after my computer had already been infected.
| I can't find "CA4896E7" when searching the registry, so I guess that
| key is missing from the registry.
|

It may randomize the CLSID value. Thus what I obtained was different from what you found.
However, it still created the same file and that was the "key".

I think you have a handle on this now and I doubt you need to reformat your PC.

Both the DLL and SCR file were submitted to numerous anti-malware companies.

McAfee came back on the SCR as "w32/sdbot.worm.gen.ca" and provided an interim EXTRA.DAT
file.
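The removal steps given above (delete the ShellServiceObjectDelayLoad value, then the CLSID registration it points to, then the DLL, then log off and on) together with the note that the CLSID is randomised per infection suggest auditing this load point by DLL name and file hash rather than by a fixed GUID. The PowerShell below is an added example for this thread, not code from any poster or anti-malware vendor. It assumes an elevated PowerShell 4 or later session (for Get-FileHash), takes the MD5/SHA1 quoted from the VirusTotal report as the known-bad hashes, and the `-Remove` switch, the `Suspicious` heuristic and the assumption that a bare DLL name resolves to %windir%\system32 are my own choices.

```powershell
# Added example for this thread, not a poster's or vendor's code. Audits the
# ShellServiceObjectDelayLoad (SSODL) load point this variant uses: resolve each
# SSODL value's CLSID to its InProcServer32 DLL and flag it by DLL name, missing
# file or known-bad hash, never by GUID, since the GUID is randomised. Assumes an
# elevated PowerShell 4+ session (Get-FileHash). Dry run unless -Remove is given.
[CmdletBinding()]
param(
    [string]$DllName = 'syshelps.dll',   # file name this variant drops
    [switch]$Remove
)

# MD5/SHA1 as quoted from the VirusTotal report earlier in the thread.
$KnownBad = @{
    MD5  = 'aacb24330feafef87101314b4195cb8f'
    SHA1 = '772f20be59f6377cbad014f388b8334c820c8457'
}
$SsodlPath  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
# HKCR is a merged view of these two branches; check the real keys so a
# per-user registration is not missed.
$ClassRoots = @('HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID')

function Resolve-DllPath([string]$RawPath) {
    $p = [Environment]::ExpandEnvironmentVariables($RawPath.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) {
        # A bare "syshelps.dll" goes through the loader search path; this
        # sample dropped itself in system32, so resolve there (assumption).
        $p = Join-Path $env:windir "system32\$p"
    }
    return $p
}

function Get-SsodlEntry {
    if (-not (Test-Path $SsodlPath)) { return }
    $key = Get-Item -Path $SsodlPath
    foreach ($name in $key.GetValueNames()) {
        $clsid = [string]$key.GetValue($name)
        $dll = $null; $full = $null; $exists = $false; $md5 = $null; $sha1 = $null
        foreach ($root in $ClassRoots) {
            $ips = Join-Path $root "$clsid\InProcServer32"
            if (Test-Path $ips) { $dll = [string](Get-Item -Path $ips).GetValue(''); break }
        }
        if ($dll) {
            $full   = Resolve-DllPath $dll
            $exists = Test-Path -LiteralPath $full
        }
        if ($exists) {
            $md5  = (Get-FileHash -Algorithm MD5  -LiteralPath $full).Hash.ToLower()
            $sha1 = (Get-FileHash -Algorithm SHA1 -LiteralPath $full).Hash.ToLower()
        }
        [pscustomobject]@{
            ValueName  = $name
            CLSID      = $clsid
            Dll        = $dll
            ResolvedTo = $full
            FileExists = $exists
            # Flag: this variant's DLL name, a dangling load point (AV removed the
            # file but left the registry), no InProcServer32 at all, or hash match.
            Suspicious = ([IO.Path]::GetFileName([string]$dll) -ieq $DllName) -or
                         (-not $exists) -or
                         ($md5 -eq $KnownBad.MD5) -or ($sha1 -eq $KnownBad.SHA1)
        }
    }
}

function Find-ClsidByDll([string]$Name) {
    # Second pass: every CLSID whose server is this DLL, whether or not an SSODL
    # value still points at it (the thread turned up two such GUIDs).
    foreach ($root in $ClassRoots) {
        foreach ($k in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $sub = $k.OpenSubKey('InProcServer32')
            if ($null -eq $sub) { continue }
            if ([IO.Path]::GetFileName([string]$sub.GetValue('')) -ieq $Name) { $k.PSChildName }
            $sub.Close()
        }
    }
}

$entries = @(Get-SsodlEntry)
$entries | Format-Table ValueName, CLSID, Dll, FileExists, Suspicious -AutoSize
$bad     = @($entries | Where-Object { $_.Suspicious })
$clsids  = @($bad | ForEach-Object { $_.CLSID }) + @(Find-ClsidByDll $DllName) | Select-Object -Unique
$clsids | ForEach-Object { Write-Warning "CLSID registration to remove: $_" }

if ($Remove) {
    # Same order as the thread: load point, COM registration, then the file.
    # Log off and on afterwards so explorer.exe releases the DLL.
    foreach ($e in $bad) { Remove-ItemProperty -Path $SsodlPath -Name $e.ValueName }
    foreach ($c in $clsids) {
        foreach ($root in $ClassRoots) {
            $k = Join-Path $root $c
            if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force }
        }
    }
    foreach ($e in $bad | Where-Object { $_.FileExists }) { Remove-Item -LiteralPath $e.ResolvedTo -Force }
}
```

Run it once without `-Remove` and read the table first. The heuristic deliberately flags any SSODL entry whose DLL is missing, which is exactly the state the questioner was in after BitDefender deleted the file but left the registry behind; a legitimate shell extension whose DLL was uninstalled badly would be flagged the same way, and removing its dead entry is harmless but it is not malware.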
 

name

From: "name" <[email protected]>



|>> It doesn't mean they are one and the same.
|>>
|>> It could be the same BUT... a different variant.
|>>>> Jen is correct.

|
| When searching for files with "syshelps" in the filename, I find no
| such files on my local drives.
| So I assume BitDefender got rid of the 'syshelps.dll' file.
|
| When searching for "syshelps" in the registry, I find:
|
| HKCR\CLSID\{0152B523-362B-4503-AB66-B42EB774206D}\InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKCR\CLSID\{736F6774-C373-46FD-B748-1A24D7C7E71A}\InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKLM\SOFTWARE\Classes\CLSID\{0152B523-362B-4503-AB66-B42EB774206D}
| \InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKLM\SOFTWARE\Classes\CLSID\{736F6774-C373-46FD-B748-1A24D7C7E71A}
| \InProcServer32
| "(Default)" = "syshelps.dll"
|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
| \ShellServiceObjectDelayLoad
| "syshelps" = "{0152B523-362B-4503-AB66-B42EB774206D}"
|
| Should I get rid of all these suspicious entries in the registry?

Delete the following...

HKCR\CLSID\{0152B523-362B-4503-AB66-B42EB774206D}\InProcServer32
HKCR\CLSID\{736F6774-C373-46FD-B748-1A24D7C7E71A}\InProcServer32
HKLM\SOFTWARE\Classes\CLSID\{0152B523-362B-4503-AB66-B42EB774206D}
HKLM\SOFTWARE\Classes\CLSID\{736F6774-C373-46FD-B748-1A24D7C7E71A}

Ok, let me just get this exactly right... these four keys all seem
similar and I have a screenshot of the first one:

http://www.ibbu.nl/~nsprakel/regedit1.jpg

I assume I can right-click the selected item (visible in the
screenshot) on the left pane and pick 'delete' from the pop-up menu,
right?
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\syshelps


This key is different... I have another screenshot:

http://www.ibbu.nl/~nsprakel/regedit2.jpg

I assume in this case, I right-click the selected item (visible in the
screenshot) on the right pane and pick 'delete' from the pop-up menu,
right?
 

David H. Lipman

From: "name" <[email protected]>


|
| Ok, let me just get this exactly right... these four keys all seem
| similar and I have a screenshot of the first one:
|
| http://www.ibbu.nl/~nsprakel/regedit1.jpg
|
| I assume I can right-click the selected item (visible in the
| screenshot) on the left pane and pick 'delete' from the pop-up menu,
| right?
||
| This key is different... I have another screenshot:
|
| http://www.ibbu.nl/~nsprakel/regedit2.jpg
|
| I assume in this case, I right-click the selected item (visible in the
| screenshot) on the right pane and pick 'delete' from the pop-up menu,
| right?
|

Bingo!
 

name

From: "name" <[email protected]>

|
| Ok, let me just get this exactly right... these four keys all seem
| similar and I have a screenshot of the first one:
|
|http://www.ibbu.nl/~nsprakel/regedit1.jpg
|
| I assume I can right-click the selected item (visible in the
| screenshot) on the left pane and pick 'delete' from the pop-up menu,
| right?
|>> HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\syshelps

|
| This key is different... I have another screenshot:
|
|http://www.ibbu.nl/~nsprakel/regedit2.jpg
|
| I assume in this case, I right-click the selected item (visible in the
| screenshot) on the right pane and pick 'delete' from the pop-up menu,
| right?
|

| Bingo!

Ok, thanks a lot for the extensive help (also muchos gracias to all
other people in this thread)!
I'm sure glad I won't have to format my entire HD.
I'll scan my computer once more with BitDefender and Kaspersky to be
sure it's clean and I'll report back if anything suspicious turns up.
 

Bart Bailey

Should I get rid of all these suspicious entries in the registry?

If they are pointing to a nonexistent file,
any reg cleaner should flag and remove them for you.
 

Larry Sabo

name said:
I'm sure glad I won't have to format my entire HD.
I'll scan my computer once more with BitDefender and Kaspersky to be
sure it's clean and I'll report back if anything suspicious turns up.

If I may butt in, after doing the above, image your hard drive to a
USB drive, from which you could burn it to DVDs. Repeat weekly, making
incremental backups weekly and full backups monthly, to avoid future
anguish. The probability of getting screwed by malware or a bad
install is proportional to the time since last image. I also back up
critical files to a slave drive hourly, using Cobian Backup.

Larry
 

name

| If I may butt in, after doing the above, image your hard drive to a
| USB drive, from which you could burn it to DVDs. Repeat weekly, making
| incremental backups weekly and full backups monthly, to avoid future
| anguish. The probability of getting screwed by malware or a bad
| install is proportional to the time since last image. I also back up
| critical files to a slave drive hourly, using Cobian Backup.
|
| Larry

Most of the stuff that I've spent a lot of time on, like various stuff
collected on p2p, is backed up on external drives and I can (and
should) put sensitive stuff on a second computer. But it's such a
hassle to reinstall and reconfigure all programs (hence the anguish)
and an image would indeed offer a good backup of the system in that
respect.
 
