
advice needed about viruses, trojans etc


Millreef3

4:42 pm on Dec 6, 2001 (gmt 0)



Two e-mails arrived unsolicited from a website called 'funchina' or something similar. There were no file attachments. These e-mails behaved oddly immediately once opened (using Outlook Express 5/Internet Explorer 5/Windows 98). I deleted both e-mails within about a minute of receipt, but they forced windows to open on top of the e-mails that needed to be closed.

Since then, Internet Explorer has always opened following boot-up, before my firewall loads, and tries to communicate with a site called [fram363.my163.com...]

Prior to that, Explorer only opened when I asked it to do so and never before the firewall. Changing the Explorer homepage and upgrading to Outlook 6 and Explorer 6 have made no difference. Always after boot-up Explorer tries to connect to this site and fills the screen so I cannot see the Desktop without minimising Explorer. Logging off doesn't always cut Explorer's connection with the internet either.

Please could someone tell me in detail how to proceed to remedy the situation.

Is this a virus or a trojan? It's certainly altered the Windows start-up sequence in some way.

(edited by: tedster at 11:36 am (utc) on Feb. 26, 2002)

jatar_k

4:47 pm on Dec 6, 2001 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



We had the same thing happen from a Chinese site called something like "coolyuchen". I will email you the full explanation of what we did. We have yet to fix it properly though, and it comes back every once in a while.

jatar_k

4:47 pm on Dec 6, 2001 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Sorry Millreef3

welcome to webmasterworld.

<added>
I passed it on to our sysadmin who actually tracked the dirty little thing down and nuked it. He says it is a virus/trojan combo.
</added>

seriesint

4:58 pm on Dec 6, 2001 (gmt 0)



Hi

I'm not 100% positive that the virus is Sircam, but a quick search yields a few posts on the web concerning "funchina" and Sircam keeps coming up. I would go to Symantec and look at their steps for removal. They list the steps and provide a tool. If you find the files and references it mentions, driver32 sirc.exe, it's a safe bet that Sircam is responsible. If you need any help with the exact steps just mail or post and I'll help if I can.

sircam removal - symantec [symantec.com]

HTH
later

jatar_k

5:01 pm on Dec 6, 2001 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Good point seriesint.
The one we had wasn't Sircam but yours could very well be. Symantec is a good starting point; the McAfee site is good too.

Millreef3

5:24 pm on Dec 6, 2001 (gmt 0)



I've used Find in Windows 98 to search for driver32 sirc.exe but it does not show up so there's no positive identification yet. Will run a remedy if anyone can positively identify the virus/trojan/worm.

None the wiser yet but thanks so far.

InternetWizards

5:57 pm on Dec 6, 2001 (gmt 0)



I think you had better get Norton AntiVirus 2001 and scan the whole machine at once. If no virus is found, try once more after LiveUpdate. Also there are several removal tools (including one for SircWorm, which is the most expected one to disturb your machine). REMEMBER: clear all your Temporary Internet Files and also the Temp folders in the Windows folder, and make sure that there's not a single cookie left there. If you are a VB developer then I think you should take immediate steps for many reasons.
I'm giving a reply to this session after a long time coz' this is my first time I've visited this site.
Thanks a lot to www.webmasterworld.com. I've gained a lot of knowledge and found answers to most of the questions that arise in my mind.
:) :) :)

Millreef3

6:28 pm on Dec 6, 2001 (gmt 0)



I've gone to the Symantec site and used the online virus search of the whole drive (Norton AntiVirus is also on the machine but probably out of date) - took about half an hour. It appears to show no viruses. This does not mean that there is nothing wrong - far from it, as my first post shows. If it is a trojan or a worm, will it show on a virus scan?

nosanity

6:47 pm on Dec 6, 2001 (gmt 0)

10+ Year Member



Well, looks like that is a JS.Exception.Exploit virus. Unfortunately, that is only the beginning. Once the exploit has started, it basically gives complete access to your registry, so any number of things can be changed, transmitted across the internet, and more. It only needs to be run once, and your computer will not stay infected, but to remove it, you need to obtain a copy of the original email and forward it to SARC, NAI, or whichever AV corp you wish.

See the patch [microsoft.com] for Microsoft VM, as that is where the bug exists.

I hope you have a backup of your registry to restore.

-noSanity

PS: Thanks for sending this to me jatar_k

jatar_k

6:51 pm on Dec 6, 2001 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Welcome to WebmasterWorld nosanity.

Millreef3, you should go to windows update and update everything.

seriesint

8:07 pm on Dec 6, 2001 (gmt 0)



I'm sorry Millreef, it's driver32 and sirc.exe; Symantec didn't mention an extension for driver32, but have you looked at the autoexec.bat file? Win.ini, with the load= and run= lines, is popular as well for trojans. The best answer is, if it's Windows 98 or higher, go to Start > Run, type in msconfig, and look under Startup for driver32 or anything out of place. (msconfig essentially shows what's in the registry run keys for startup.) And from msconfig you can look for out-of-place lines as well. The Startup tab gets a bit hard to decipher, so don't hesitate to ask.

As to whether a trojan will show on a virus scan... according to the anti-virus companies, they will. In my experience, they suck at it. The Cleaner is about the best trojan scanner out. They have a trial version at [moosoft.com...]

HTH
later

Millreef3

10:56 pm on Dec 6, 2001 (gmt 0)



seriesint

You are on the scent.

There's no sirc.exe (good) and the many drivers in driver32 do not, to me at least, look suspicious - but I've no programming experience.

msconfig contents similarly do not look suspicious, with the same very big proviso, except that in Start-up there is:

qww [fram363.my163.com...]

By unchecking the tick box against this 'program', MSIE6 no longer loads at start-up (good). However, it does still attempt to go to that site whatever the home page chosen and the connection with the internet is not broken by logging off. So the trojan/virus/worm is still messing up MSIE6. I could erase all traces of MSIE and reload it but I would be loath to lose the bookmarks and the trojan/virus/worm probably has embedded itself elsewhere.

Needless to say there is no program or file called qww.

I can't find load= or run= in win.ini and I don't know how to call up a DOS editor which might show it, never having been a DOS user. However, it probably won't load or run now the box has been unchecked but finding the file in which the problem trojan/virus/worm resides remains the problem as does identification.

seriesint

11:32 pm on Dec 6, 2001 (gmt 0)



I'm getting sloppy in my virus fighting here. I forgot to ask if you had Windows Explorer set to show all files, over the default of hiding system/hidden files. Most of the viri out there will mark themselves as hidden/read-only just to hide their trail.
As for the load= and run= lines, those are locatable in msconfig under the win.ini tab; click the + beside windows and it should be the 3rd and 4th lines in the listing. load= and run= by themselves are fine, but if you have any odd characters just highlight them and click edit. And I just assumed there was a file called driver32, as it was listed as being placed in the autoexec.bat file as an entry. So check autoexec.bat from msconfig as well.
After that I'll have to go dig up some data on how these things are infecting the homepage selection. Umm, other ideas of things to cover are coming to me, but I'll hold off in the hope we can positively ID it.

Millreef3

11:51 am on Dec 7, 2001 (gmt 0)



There are no run or load lines within windows in win.ini. Nor are there any such within any other folder within win.ini.

There are none such within autoexec.bat or under any other heading in msconfig.

<<But I forgot to ask if you had Windows Explorer set to show all files over the default of hiding system/hidden files.>>

I can't determine where to go to find this out.

More positively, I have this information:

Currently, for unimpeachability, the homepage is set to msn.com. However, when Explorer connects the following message comes up as it did when [fram363.my163.com...] always imposed itself in the address line:

403
Forbidden
You were denied access because:
Access denied by access control list.

This suggests that Explorer tries to connect with that site even though it is not the homepage selection.

Secondly, logging off Explorer does not cut the connection with the internet. If there is a simple action I can take on this second point, the problem is partially remedied, piecemeal.

Will

1:27 pm on Dec 7, 2001 (gmt 0)



If there's nothing in win.ini, you might also try looking in the Registry if things are still starting up by themselves:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

Check \Run and \RunServices for any odd entries.

Also have a look under the Internet Explorer Registry settings at

Software\Microsoft\Internet Explorer\Main

seriesint

3:55 pm on Dec 7, 2001 (gmt 0)



My bad: to enable "show all files", double click My Computer, from the View menu select Folder Options and then the View tab; in the scroll box look for a folder-like icon with Hidden files, and select Show all files. Then you can try the file searches again. Though if autoexec.bat is missing those lines I put low odds that it is actually Sircam, but it won't hurt to double check.

The access control list denial message has me wondering if the virus hasn't infected the Content Advisor in IE. Can you go to webpages normally? That is, via typing the URL in the address bar?

Also, have you checked what programs are running before trying to log off? Just hit Control + Alt + Del and make sure what's running before you log off. You should see Explorer, Systray and Iexplore; this is another place to look for odd programs running.

Millreef3

5:01 pm on Dec 7, 2001 (gmt 0)



Everything rechecked with hidden files showing. Nothing found.

The access denial notice perplexes me most as it is a sign of something wrong.

Logging off. Quite a lot is running in the background at log off. What I haven't heard of are:
Etished
Confsvr
Rnaapp
Imigicon
(None virulent here, I presume?)

What is allowed access to the internet is shown by my firewall, and programs like Winamp are instructed to ask permission first. So it's just possible something bona fide is keeping the connection open, but logging off was regular before the virus arrived.
Chances are it is bad or infected code (prime suspect location: MSIE) or a trojan.

<<HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Check \Run and \RunServices for any odd entries.
Also have a look under the Internet Explorer Registry settings at
Software\Microsoft\Internet Explorer\Main >>.

In which program must I be to type these in? I've tried doing it in Find (clearly the wrong place). I've never known how to get into any Registry.

(MSIE6 doesn't start of its own accord any more - because of my earlier action - but the problems mentioned in my last e-mail are still there).

seriesint

5:23 pm on Dec 7, 2001 (gmt 0)



Hi

etished: I can find nothing about it at all, so it's suspect.
confsvr is for a fax modem?
rnaapp is perfectly fine; it's for dial-up networking.
imigicon should be for an Iomega product; you have a Zip drive?

Either way, I would end task on etished, confsvr etc. in order and test if you can shut down. Once you see which lets you log off, odds are you have the guilty program. But I still believe the virus has screwed with your internet settings at the least.

The parts Will mentioned are accessed by going to Start > Run, typing in "regedit", no quotes, and clicking OK. The backslashes represent 'hives' but will look like folders on the left hand side. Just be real careful; the registry is a minefield waiting to go off. Most of the areas I would look at in the registry are viewable from msconfig (startup programs etc.). I was avoiding it until we had IDed the virus and had concrete steps to take. But it won't hurt to look at the keys he mentioned to double check there isn't something else starting up.

seriesint

5:29 pm on Dec 7, 2001 (gmt 0)



Whoops.

I hope that imigicon was a typo. imgicon is the Iomega program; imigicon sounds like the usual trojan trick of naming itself something similar to a common file name.

Millreef3

6:51 pm on Dec 7, 2001 (gmt 0)



My typo, sorry. Have Zip drive.

Checked these registry folders. Nothing suspect.

Etished was a program that 'did not respond.' Ended its task and similarly for confsvr (I've now instructed the firewall to block a conference server which might be confsvr but this is unlikely to be the guilty program). Neither ending of tasks improves log off.

Etished reappeared on the list after boot-up and may need to be deleted, if located (where's best to look for it, or ignore it?). It is not in Program Files and it is not listed as a file or folder on the drive.

Exiting, closing or going to 'work offline' do not cut the connection but running Outlook 6 open at the same time, then clicking 'work offline', then clicking 'hang up modem first' in that program does cut the connection for both Outlook 6 and Explorer 6 and this is how I manage to cut the connection. Just clicking 'exit' for either does not cut the connection.

pcguru333

7:11 pm on Dec 7, 2001 (gmt 0)

10+ Year Member



I went to the site listed and my Trend Office scan immediately detected JS Exceptions listed under the following names:

first.js
and
com.js

It also pops up 20+ screens to distract you while it tries to download. My machine also detected other downloads that network security didn't allow through.

pcguru333

7:30 pm on Dec 7, 2001 (gmt 0)

10+ Year Member



At the same time stamp those files downloaded I found another that was placed in the WINNT\System32 folder named tmsock.tmp.tag

seriesint

7:33 pm on Dec 7, 2001 (gmt 0)



OK, there's about 3 ways to start a program automatically:
1) registry run keys (this is checkable from msconfig)
2) the startup folder (can just drag items out of it on the Programs menu)
3) autoexec.bat <it's on the C: drive and listed in msconfig as well as being accessible from Start > Run > sysedit>
4) win.ini file, in the windows subsection, load= or run= line
<sysedit brings it up, as does msconfig>
I suggest doing searches using sysedit for etished in both files.

This skips the fact there's another location for DLL files to be loaded from, but etished is showing in the running programs list, thus odds are it's not a DLL.

I would start doing the trial-by-error test and uncheck everything in msconfig's Startup until it's not listed.
But I'm still drawing blanks on how it's sabotaging Outlook or IE. Seems it's Outlook that has more control; perhaps it's keeping a connection active? Not sure, I'll do some searching down that avenue.
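The autostart locations listed in this post and the registry keys Will named earlier (HKLM\...\CurrentVersion\Run, \RunServices and Internet Explorer\Main) are the places an analyst would triage after an incident like this one. The following script is an added example, not code from any participant in this thread: it parses constructed text copies of win.ini and of a regedit (.reg) export of those keys, and flags any autostart entry whose "command" is a URL rather than a program (the qww -> http://fram363.my163.com pattern the thread found in Startup), any program not on an analyst-supplied allow-list, and an IE Start Page that differs from the one the user set. The allow-list, the expected home page and the sample file contents are assumptions constructed for the example.

```python
"""Offline triage of Windows 9x autostart locations (added example).

Parses constructed copies of win.ini and a regedit export of the Run,
RunServices and Internet Explorer\\Main keys, then reports entries that
launch a URL instead of a program, programs not on an allow-list, and a
home page that is not the one the analyst expects.
"""
import re
from dataclasses import dataclass


@dataclass
class AutostartEntry:
    source: str    # where the entry was found (ini section or registry key)
    name: str      # ini key or registry value name
    command: str   # what it launches


def parse_win_ini(text):
    """Return non-empty load=/run= entries from the [windows] section of win.ini."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("load", "run") and value.strip():
                entries.append(AutostartEntry("win.ini [windows]", key.strip().lower(), value.strip()))
    return entries


REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text, key_suffixes):
    """Return string values under keys whose path ends with one of key_suffixes."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = REG_VALUE_RE.match(line)
        if m and current and any(current.lower().endswith(s.lower()) for s in key_suffixes):
            # .reg exports escape backslashes as "\\"; undo that for the command text
            entries.append(AutostartEntry(current.rsplit("\\", 1)[-1], m.group(1),
                                          m.group(2).replace("\\\\", "\\")))
    return entries


URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def flag_entries(entries, known_programs):
    """Return (entry, reason) pairs an analyst should look at."""
    findings = []
    for e in entries:
        cmd = e.command.strip().strip('"')
        parts = cmd.split()
        if not parts:
            findings.append((e, "empty command"))
        elif URL_RE.match(cmd):
            findings.append((e, "command is a URL, not a program"))
        else:
            exe = parts[0].rsplit("\\", 1)[-1].lower()
            if exe not in known_programs:
                findings.append((e, f"unrecognised program '{exe}'"))
    return findings


def triage(win_ini_text, reg_text, known_programs, expected_home):
    """Run all checks; returns a list of (source, name, reason) tuples."""
    findings = []
    autostart = parse_win_ini(win_ini_text) + parse_reg_export(
        reg_text, ["CurrentVersion\\Run", "CurrentVersion\\RunServices"])
    for e, reason in flag_entries(autostart, known_programs):
        findings.append((e.source, e.name, reason))
    for e in parse_reg_export(reg_text, ["Internet Explorer\\Main"]):
        if e.name.lower() == "start page" and e.command.strip().lower() != expected_home.lower():
            findings.append((e.source, e.name, f"home page is {e.command!r}, expected {expected_home!r}"))
    return findings


# Constructed sample input: a clean win.ini and a .reg export with one bad Run
# entry and a hijacked Start Page, modelled on what the thread reports.
SAMPLE_WIN_INI = """; constructed sample
[windows]
load=
run=
NullPort=None
[Desktop]
Wallpaper=(None)
"""

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"qww"="http://fram363.my163.com"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://fram363.my163.com"
"""

# Assumed allow-list: programs the analyst has verified as legitimate on this machine.
KNOWN_PROGRAMS = {"scanregw.exe", "systray.exe", "rundll32.exe"}

if __name__ == "__main__":
    for source, name, reason in triage(SAMPLE_WIN_INI, SAMPLE_REG, KNOWN_PROGRAMS, "http://www.msn.com"):
        print(f"[{source}] {name}: {reason}")
```

On a real machine the .reg text would come from regedit's Registry > Export on each key and win.ini from C:\WINDOWS; the point of the allow-list is that a name like "imigicon" standing next to a legitimate "imgicon" only stands out when every autostart program is compared against what you know belongs there.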

Millreef3

7:37 pm on Dec 7, 2001 (gmt 0)



Because the system blocks access to that site, a connection has never been established to it, fortunately. Any damage sustained has been only as a consequence of the identical e-mails, during the opening of which only a little code could have been transmitted. There is no malfunctioning other than of MSIE and Outlook.

Probably the e-mail mainly serves the function of placing instructions in MSIE to contact the site. If this takes place further damage may ensue.

Someone who knows the correct procedure should report the site.

Millreef3

7:48 pm on Dec 7, 2001 (gmt 0)



Is there a bookmarks file for MSIE which I can copy? If so, an option might exist to erase MSIE and Outlook and download fresh copies from Microsoft.

It's not an option I'm considering for immediate use, just a final fallback if MSIE operation becomes very irritating. Let's combat the virus first.

seriesint

8:13 pm on Dec 7, 2001 (gmt 0)



Just so you know, all your favorites from IE are in this folder: C:\windows\favorites (replace C:\ with whatever drive you installed Windows to, but C:\ is the default). There will be a slew of .url files, each of which corresponds to a single link. You can copy them, zip them up, do whatever you want, and then just drop them back in and IE will pick them up automatically.

Sad to say, but I doubt even going back to fresh copies of IE and Outlook (which really isn't possible with anything past IE5) would remove the problem. The virus/trojan, whatever, has to be removed. Or it's format Windows and reinstall from complete scratch :( Not what I would say is a good option. From a complete security point of view, everything you have installed on the computer is a liability; if you formatted and put back saved files from the PC's current state it would run the chance of reinfection. So the best course of action is to find out what's screwing up IE and Outlook and fix it. Have you updated your anti-virus software since this occurred? Maybe they have released updates in the last few days that can catch this. Small hope, but worthwhile.

<edited dumb spelling mistakes -series>

Millreef3

5:32 pm on Dec 9, 2001 (gmt 0)



Latest anti-virus sweep shows no known virus.

When Netscape is used instead of MSIE no attempt is made to connect to the virulent site.

Browsers and Outlook do not break the internet connection when 'exit' or 'work offline' is selected, and I am now pretty much convinced that a simple bit of code saying the equivalent of 'do not hang up modem', or negating the usual command to hang up the modem on exit, is in the Registry or wherever. If someone can tell me where to look for this it could doubtless be countermanded.

It should be noted that AOL, when used as an alternative way to access the internet, does hang up the modem because an instruction to do so is built into the proprietary software.

Likewise, I can cut the connection in Outlook by choosing 'work offline' because Outlook, unlike browsers, specifically flags up an option to hang up the modem before going offline.

My conclusions are:

1) The 'virus' instructed Explorer to load at start-up. I've countermanded this although the code with the instruction has not been located for destruction.

2) The 'virus' instructed Explorer to default always to the suspect site when a connection is established but as the system blocks this it fortunately never goes there to initiate extensive damage. The 'virus' has not given the same instruction to other browsers.

3) The 'virus' placed an instruction not to close connections by default on exit.
This instruction can probably be countermanded.

My firewall shows that although the connection may stay open, there is no data traffic on it either way.

If a) the above-mentioned instruction is countermanded and b) Netscape is used instead of MSIE, then no practical ill effects are being suffered any more.

I will then eventually find someone to come on site to hunt down and erase the 'virus' - if no one on this board has already found the answer or identified the 'virus' and its patch.

nosanity

4:44 pm on Dec 10, 2001 (gmt 0)

10+ Year Member



A JavaScript virus does not have to remain dormant on a host system. What you are seeing is the aftermath of it coming and going. It *IS* gone. Install all updates from [windowsupdate.microsoft.com...] then proceed with sweeping the registry. You may actually have to check every single key to find it. Once you do though, post it here. You are looking for things out of the ordinary, especially that homepage.

noSanity

Millreef3

7:16 pm on Dec 11, 2001 (gmt 0)



I would contend that the effects have not ended since the command to hang up modem upon exiting that should be inherent with the Explorer and Navigator browsers remains disabled, missing, dysfunctional, whatever.

I'd appreciate any advice as to how to restore it. If I can be guided where to look, this may also identify where any viral code remains, details of which I can report back to this board.

Horned_Owl

8:56 am on Jan 2, 2002 (gmt 0)



I too suffered from the funchina/fram363 problem. I contracted it via email and was able to get rid of the homepage, bookmark, and reference in the title bar (the latter by reinstalling), but still had the problem of my computer trying to go to fram363 on startup. I'm not connected at startup, so it wasn't much of an issue. One way around this is to rename IEXPLORE.EXE something like IEXPLORE2.EXE so your computer can find it and run in "compatibility mode," but the startup cannot find it.

I searched my computer for any files containing "fram363" in them, and found it in the USER.DAT file of MusicMatch Jukebox and USER.DAT and SYSTEM.DAT of Windows. I could delete the MusicMatch file and have it create a new one, but the fram363 reference would always be in there (specifically, <<qww[[http://fram363.my163.com]]>> ). I attempted to remove the references from the Windows files, but in classic fashion for Microsoft's Daddy-Knows-Best attitude, I could not modify USER.DAT even after unchecking it as a read-only file.

Before I go on, you may want to try www.centralcommand.com's online virus scan. My fiancee's father had a problem with a virus that even Norton couldn't detect, but their site did. I didn't know about this site before taking more drastic measures.

I don't know if the funchina problem is any more sinister than simply trying to go to this fram363 page, but I think most agree any unwanted function on your computer put there by an outsider is something that will make you uncomfortable, and has to be dealt with. Try going to the following:

Start> Programs> Accessories> System Information> Software Environment> Startup Programs

When I looked there, I saw a program "qww" and a command "http://fram363.my163.com." I don't know of any way to remove this, though. Those of you more savvy with messing with the startup may, but I could not locate anything that actually contained that in the startup folders. SYSTEM.DAT and USER.DAT were the only ones. So, taking a strongarm approach, I deleted SYSTEM.DAT and USER.DAT from the Windows directory and did a reinstall of Windows.

I've used a reinstall to fix lots of things in the past, and typically felt little repercussions from it. LET ME WARN YOU NOW! If you have Windows ME, back up ANYTHING you think might be affected. I lost all of my email folders and address books and, because this was the first time I had messed with the system myself since purchasing it a year earlier from Dell, I had to reinstall a lot of programs to reforge links because my "user profile" didn't match what Dell had set up. So stuff like MS Word wouldn't start from the Programs menu because of this profile caca.

Anyway, it appears to have worked, but I'm still looking up fixes and scans that can detect the problem to see if anything lingers. If you go this route though with anything higher than Win98, based on my experience with ME, back up like crazy and get ready for about 2 hours worth of reinstallation.

Hopefully this helps some of you, even if the approach may be using an elephant gun to kill a fly.
