Mischel Internet Security Forum > Malware > Trojans
(Moderators: Helena, Gavin_Coe, Magnus)
Topic: Warning msg, "Unable to unpack upx-packed file" (Read 2072 times)
HankK (Newbie, Posts: 5)
Warning msg, "Unable to unpack upx-packed file"
« on: May 6th, 2003, 12:06am »

During a full system scan I encountered a warning during the file scan portion which read, "Warning: Unable to unpack upx-packed file C:\DOCUME~1\HENRYF~1.KUU\LOCALS~1\Temp\E1K5a.exe". I don't have such a directory on my C: drive. My system has four drives, C:, D:, E:, and F:. After scanning each drive individually, I find the message pops up when I scan the F: drive. Another strange anomaly: each time I run TrojanHunter, the executable name changes to what looks like a random series of characters.
 
I then started Netscape and ran another scan. This time I got a message saying, "Port 5180/TCP is open (matches Peeper.120)".
 
Internet Explorer seems to be clean.
 
Are these connected or am I dealing with two separate problems...and what do I do about it? Anyone got the answer?
HankK
Ian (Stole All the Forum Stars, Posts: 2907)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #1 on: May 6th, 2003, 9:13pm »

That strange pathname is using the 'truncated' MS-DOS-compatible 8.3 format for all of the folder names - they have been given the '~1' bits because they are longer than eight letters. Two options - look for folders that start with the first six letters (plus that have any 'extensions' - the first is 'henryf[something].kuu', and I'll bet the second is something like 'local scan'). You could also try to 'Find Files' called E1K5a.exe (or whatever it now calls itself) directly after running the scan (best check all local hard drives).
 
Check the properties of that file - if it's 134,144 bytes long, it'll be the TrojanHunter Guard program.
 
Peeper's been discussed before - check out http://www.misec.net/forum/?board=TrojanHunter;action=display;num=1049417118
 
HTH!

... but crap arrives pretty much straight away.
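As an added illustration (not part of the thread, and not TrojanHunter's or the forum's code), the following Python models how Windows builds the 8.3 aliases Ian describes and how to work back from the short path in the warning to candidate long folder names. The alias generation is a simplified model (it ignores the ~2/~3 and hash-based collision cases NTFS uses), and the candidate paths are constructed for the example rather than taken from Hank's machine.

```python
import re

# Characters Windows drops when building an 8.3 alias (spaces and the
# punctuation that is illegal in a short name).  Simplified model of NTFS
# short-name generation: collisions (~2, ~3, then hash-based names) are not
# modelled, so every alias here gets the "~1" Ian describes.
_DROP = re.compile(r'[\s"*+,/:;<=>?\[\]|]')


def is_valid_83(name: str) -> bool:
    """True if the name already fits 8.3, in which case Windows makes no alias
    ('Temp' and 'henryf.kuu' stay exactly as they are)."""
    if _DROP.search(name) or name.count('.') > 1:
        return False
    base, _, ext = name.partition('.')
    return 0 < len(base) <= 8 and len(ext) <= 3


def short_name_83(name: str, seq: int = 1) -> str:
    """Return the alias Windows would show for a long name, e.g.
    'Documents and Settings' -> 'DOCUME~1', 'henryfoster.kuu' -> 'HENRYF~1.KUU'."""
    if is_valid_83(name):
        return name
    if '.' in name:
        base, _, ext = name.rpartition('.')
    else:
        base, ext = name, ''
    base = _DROP.sub('', base).replace('.', '')
    ext = _DROP.sub('', ext)
    alias = f"{base[:6].upper()}~{seq}"
    if ext:
        alias += '.' + ext[:3].upper()
    return alias


def short_path(long_path: str) -> str:
    """Convert a full long path to its 8.3 form, one component at a time."""
    drive, *parts = long_path.split('\\')
    return '\\'.join([drive] + [short_name_83(p) for p in parts])


def match_short_path(short: str, candidates):
    """Return the candidate long paths whose 8.3 form equals the warning's path."""
    want = short.upper()
    return [c for c in candidates if short_path(c).upper() == want]


def find_files_pattern(short_component: str) -> str:
    """Turn one alias into the wildcard Ian suggests for 'Find Files':
    'HENRYF~1.KUU' -> 'HENRYF*.KUU'."""
    base, _, ext = short_component.partition('.')
    stem = base.split('~')[0]
    return stem + '*' + ('.' + ext if ext else '')


# Constructed candidate folders (assumed, not real paths from the thread).
# Only the first maps to the short path: 'henryf.kuu' already fits 8.3 and so
# would never be shown as HENRYF~1.KUU, which is exactly Ian's point.
WARNING_PATH = r"C:\DOCUME~1\HENRYF~1.KUU\LOCALS~1\Temp"
CANDIDATES = [
    r"C:\Documents and Settings\henryfoster.kuu\Local Settings\Temp",
    r"C:\Documents and Settings\henryf.kuu\Local Settings\Temp",
    r"C:\Documents and Settings\Administrator\Local Settings\Temp",
    r"F:\Documents and Settings\henryfoster.kuu\Local Settings\Temp",
]

if __name__ == "__main__":
    for hit in match_short_path(WARNING_PATH, CANDIDATES):
        print("matches:", hit)
    print("search for:", find_files_pattern("HENRYF~1.KUU"))
```

The match is done on the full path including the drive letter, which is why the F: candidate is rejected even though its folder names alias identically; on a real box the same check would be made against `dir /x` output rather than a hand-written list.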
acheton (Original Gangster, Posts: 1162)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #2 on: May 6th, 2003, 9:23pm »

on May 6th, 2003, 12:06am, HankK wrote:

I then started Netscape and ran another scan. This time I got a message saying, "Port 5180/TCP is open (matches Peeper.120)".
 
Internet Explorer seems to be clean.
 
Are these connected or am I dealing with two separate problems...and what do I do about it? Anyone got the answer?
HankK

 
I think you are probably dealing with two different issues. Another useful link on the port alert is this one http://www.misec.net/forum/?board=TrojanHunter;action=display;num=1038232097

"What success a man builds from his gifting can be destroyed in a moment because of his character."
HankK (Newbie, Posts: 5)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #3 on: May 7th, 2003, 1:15am »

Ian, I tried finding the current filename, to no avail. Then I ran "Find" looking for text matching the path up to the executable name. I found three instances on my F: drive with files containing the path, "C:\DOCUME~1\HENRYF~1.KUU\LOCALS~1\Temp\", a zipped download of PKZip from PKWARE, a .dat file in a program called RegShot, which I downloaded, and an install log from Quicken Turbotax.
I removed the first two and reran the TH scan.  
Now I got THREE "unable to unpack" warning messages!!
Same path, different executable names.
 
I fired up Netscape to see if port 5180 was active. It was, and it now had company - "Port 2332/TCP is open (matches SilentSpy.202)"!!
 
I checked out the  link you provided about Peeper. Joel in reply#3 of that thread suggested to run Netstat Viewer and kill the connection. I tried to kill both ports but they just wouldn't die!! And when I ran Autostart Explorer to look at the Registry items, it wouldn't start - I got the message, "Autostart Explor.exe has generated errors and will be closed by Windows....An error log is being generated"...somewhere. I haven't found it yet.
 
Hank    Cry
 
Ian (Stole All the Forum Stars, Posts: 2907)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #4 on: May 7th, 2003, 8:40pm »

Okay - in the words of the Hitchhiker's Guide, "Don't Panic"...
 
Do a search for the error log by trying to find *.log in the 'Find Files' dialogue - again, all hard drives. You could also limit it to finding files created or modified in the last day, to narrow down the results. It should be a regular text file (without the '.txt' ending) so double-clicking will open it.
 
If, by some chance, Windows is using this folder for all its temporary files (which would need specifying in either the Registry or the Autoexec.bat file [Win9x]), then those unpacked files could be the result of trying to open another packed archive (zip file or similar) stored elsewhere. I've watched my TEMP folder contents come and go as TH unpacks and scans archives - this may be why you cannot find them after a scan in your case.
 
If that is true, then it's normal behaviour for TH (it's just an abnormal folder to use for the job Grin).
 
An alternative is that this is the folder set in WinZip as the default unpacking folder. Can you find the folder anywhere on the system? Do a search for all files or folders called HENRYF*.kuu to see what turns up.
 
As for the ports, get a decent firewall and specifically block them. Free ones to try: ZoneAlarm ( www.zonelabs.com ), Sygate ( www.sygate.com ) or Agnitum Outpost (Anyone? Grin). All very useable, strong and capable of stopping anything getting out without you spotting it. The Sygate offering includes packet sniffing (reading exactly what is going out) and can have customised rules written to deal with any port on any service (TCP/IP, UDP, etc) in either direction. At the very least, they will tell you what is trying to use the Internet connection. Another thing worth trying is TCPView Pro (d/l a demo from www.winternals.com) which can show actual live ports and where they're going to in a more accurate way than the Windows Netstat command.
 
Keep going!
« Last Edit: May 7th, 2003, 8:40pm by Ian »

... but crap arrives pretty much straight away.
acheton (Original Gangster, Posts: 1162)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #5 on: May 7th, 2003, 8:52pm »

A couple of other points which may help...
 
on May 7th, 2003, 8:40pm, Ian wrote:

If, by some chance, Windows is using this folder for all its temporary files (which would need specifying in either the Registry or the Autoexec.bat file [Win9x])
 
If that is true, then it's normal behaviour for TH (it's just an abnormal folder to use for the job Grin).

 
I think Ian is right on this one, the TEMP environment variable is set to something weird. By the look of your directory names you are running either Windows 2000 or XP. Go to the control panel and open the System settings, then go to the Advanced tab and select Environment variables. You should then see some environment variables listed under both User variables and System variables; the ones to look for are:
 
        TMP
        TEMP
        TMPDIR
 
These control where temporary files will be stored. Simply check if these point to the location of the iffy files. If they do then Ian's right. You can also change them here if you have the appropriate rights.
 
Quote:
Agnitum Outpost (Anyone? Grin).

 
I've used Outpost (www.agnitum.com) for about two years now and it's great, and V2, for which I am a beta tester, is even better! You might call me biased!  Smiley Wink
 
Quote:
Keep going!

 
Yes, absolutely, it's a great product, stick with it.
 
 
Ach  Grin Cheesy Wink Smiley
« Last Edit: May 7th, 2003, 8:53pm by acheton »

"What success a man builds from his gifting can be destroyed in a moment because of his character."
Joel (Newbie, Posts: 34)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #6 on: May 7th, 2003, 9:22pm »

Hank,
 
You've stumbled on a complicated one here.
 
I'm going to give you a tiny bit of background that will help you to understand what is happening.  It may help you to find out why it is happening.
 
When TH goes to scan a compressed file, like a ZIP or a RAR or these UPX things, it needs to un-compress the file or extract it, in order to look at the actual files that are inside it. It has to put these un-compressed files somewhere while it is scanning them, so it asks Windows where to put temporary files. That is where it is getting that long directory string from. The one with the ~1 stuff in it.
 
The reason you can't usually find the file by the part just at the end is that when Windows looks for files, it doesn't try to un-compress and extract them all to see what is inside them, so it isn't seeing the individual file(s) that TH is complaining about.
 
Now, all TH is saying is that it can't figure out how to unpack that particular file.  It isn't actually saying that there is anything bad with the file, because it can't even get far enough to see what the file really says.
 
If you had a trojan running, it would need to be sitting in memory while it is running, and TH scans your memory for nasties, and it isn't finding anything nasty running. So while you still need to try to figure out what the source of this file that can't be unpacked is, and send it in to Magnus so he can take a look at it, in case it is a new trojan, you don't have evidence of anything running in memory that TH is aware of at this time.
 
The port issue may be unconnected.
 
I think the only way you may be able to find the offending file is to continue what you started.  You isolated it to a scan on your F drive, if I remember from above.  Next, try scanning one folder at a time on your F drive.  When you find the folder that gives the unpack warning, scan each subfolder or file.  Etc.
 
NOTE TO MAGNUS: Could you add a feature that would indicate the original file name that contains the file TH cannot unpack? As you can see, the literal name of the unpackable file doesn't help anyone if it is in some sort of larger compressed file, etc.
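An added illustration, not from the thread and not TrojanHunter's code: a Python model of the lookup Joel describes (a program asking Windows where to put temporary files), combined with the variable check acheton asks Hank to do. The lookup order follows the documented Win32 GetTempPath behaviour (TMP, then TEMP, then USERPROFILE, then the Windows directory); the two environments, the profile path and the odd F: folder are constructed assumptions for the example.

```python
import ntpath

# Variables acheton tells the user to inspect.  TMPDIR is the POSIX-side
# equivalent and is only reported here; the Win32 GetTempPath call that a
# scanner would use consults TMP, then TEMP, then USERPROFILE, then windir.
TEMP_VARS = ("TMP", "TEMP", "TMPDIR")


def report_temp_vars(env):
    """Return the current value (or None) of each variable acheton lists."""
    return {name: env.get(name) for name in TEMP_VARS}


def resolve_windows_temp(env):
    """Resolve the temp folder the way GetTempPath does, returning it with the
    trailing backslash that call appends."""
    for name in ("TMP", "TEMP", "USERPROFILE"):
        value = env.get(name)
        if value:
            return value.rstrip('\\') + '\\'
    return env.get("windir", r"C:\WINDOWS").rstrip('\\') + '\\'


def temp_is_under_profile(env):
    """True when the resolved temp folder lies inside the user's own profile,
    the Windows 2000/XP default (...\\Local Settings\\Temp); False when it
    points somewhere odd, the case Ian and acheton want ruled out."""
    profile = env.get("USERPROFILE")
    if not profile:
        return False
    temp = ntpath.normcase(resolve_windows_temp(env))
    profile = ntpath.normcase(profile.rstrip('\\') + '\\')
    return temp.startswith(profile)


# Constructed environments (assumed values, not taken from Hank's machine).
PROFILE = r"C:\Documents and Settings\henryfoster.kuu"
NORMAL_ENV = {
    "USERPROFILE": PROFILE,
    "TMP": PROFILE + r"\Local Settings\Temp",
    "TEMP": PROFILE + r"\Local Settings\Temp",
    "windir": r"C:\WINDOWS",
}
# Same machine, but TMP has been pointed at a folder on another drive.  TMP is
# consulted before TEMP, so that is where unpacked archive contents would land.
ODD_ENV = dict(NORMAL_ENV, TMP=r"F:\Downloads\tmp")


def check(env):
    """Summarise what an admin would want to know about one environment."""
    return {
        "vars": report_temp_vars(env),
        "resolved": resolve_windows_temp(env),
        "under_profile": temp_is_under_profile(env),
    }


if __name__ == "__main__":
    for label, env in (("normal", NORMAL_ENV), ("odd", ODD_ENV)):
        print(label, check(env))
```

On a live system the same functions can be fed `os.environ` instead of the constructed dictionaries; `temp_is_under_profile` returning False is the signal that acheton's "points to the location of the iffy files" case deserves a closer look at where the value was set.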
acheton (Original Gangster, Posts: 1162)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #7 on: May 7th, 2003, 11:06pm »

Excellent explanation Joel, well done! Wink
 
on May 7th, 2003, 9:22pm, Joel wrote:

NOTE TO MAGNUS: Could you add a feature that would indicate the original file name that contains the file TH cannot unpack? As you can see, the literal name of the unpackable file doesn't help anyone if it is in some sort of larger compressed file, etc.

 
This was something which I mentioned during the Beta testing as I recall. I'm not sure what Magnus said about it, I'll see if I can dig out his reply.
 
Ach  Smiley

"What success a man builds from his gifting can be destroyed in a moment because of his character."
Ian (Stole All the Forum Stars, Posts: 2907)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #8 on: May 7th, 2003, 11:37pm »

on May 7th, 2003, 9:22pm, Joel wrote:
Hank,
 
You've stumbled on a complicated one here.
 
....

That's one explanation for the TH user guide! Well said.
 
Ach. - Win2K? XP?? Heh! I guessed Win9x, mainly because TEMP stuff (like TIF, cookies and the rest) normally goes in a sub-dir of the 'profiles' folder in an NT-based OS!!!
 
Still, I've no doubt Hank'll fill us in on which it is soon!!
 Cool

... but crap arrives pretty much straight away.
Walter (Veteran, Posts: 573)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #9 on: May 7th, 2003, 11:53pm »

In response to Ian: "Agnitum Outpost (Anyone?  Grin)"
 
acheton wrote:
Quote:
 
I've used Outpost (www.agnitum.com) for about two years now and it's great, and V2, for which I am a beta tester, is even better! You might call me biased!

 
Agreed: Definitely with Ach on this, including the admission of bias!  Shocked  Smiley
« Last Edit: May 7th, 2003, 11:56pm by Walter »

Strange as it may seem, no amount of learning can cure stupidity, and formal education positively fortifies it. S Vizinczey
acheton (Original Gangster, Posts: 1162)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #10 on: May 8th, 2003, 7:02am »

on May 7th, 2003, 11:37pm, Ian wrote:

Ach. - Win2K? XP?? Heh! I guessed Win9x, mainly because TEMP stuff (like TIF, cookies and the rest) normally goes in a sub-dir of the 'profiles' folder in an NT-based OS!!!

 
You are right for NT4, but all the profiles moved under 2000 & XP to Documents and Settings\Username, then subdirectories for Cookies, My Documents, Desktop, Local Settings, Favourites etc. Hence when HankK mentioned C:\DOCUME~1\HENRYF~1.KUU\LOCALS~1\Temp\E1K5a.exe I thought it was 2000 or XP.
 Smiley

"What success a man builds from his gifting can be destroyed in a moment because of his character."
Ian (Stole All the Forum Stars, Posts: 2907)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #11 on: May 8th, 2003, 9:52pm »

Right, so for once MS made something a bit easier to follow then! Okay, so XP looks most likely, and it is the Windows default Temp folder... Wink
 
Outpost got a glowing write-up, plus a cover-disk freebie copy, a few issues back in Computer Shopper - kind of combines the best of the other two (ease of use and power-user features). I didn't try it, since I thought two FW's were enough for now!
« Last Edit: May 8th, 2003, 9:54pm by Ian »

... but crap arrives pretty much straight away.
Walter (Veteran, Posts: 573)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #12 on: May 8th, 2003, 11:50pm »

on May 8th, 2003, 9:52pm, Ian wrote:

Outpost got a glowing write-up, plus a cover-disk freebie copy, a few issues back in Computer Shopper - kind of combines the best of the other two (ease of use and power-user features). I didn't try it, since I thought two FW's were enough for now!

 
Ian,
 
Is there an on-line version of that mag? In what month's issue of Computer Shopper (never heard of it) did you find that article (I'd like to read it)?

Strange as it may seem, no amount of learning can cure stupidity, and formal education positively fortifies it. S Vizinczey
Ian (Stole All the Forum Stars, Posts: 2907)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #13 on: May 9th, 2003, 12:14am »

www.computershopper.co.uk - UK publication, one of the biggest here.
 
Sept 2002 issue, gave away 1.0.1804 Free
 
Quote:
If you would like to obtain a back issue of the magazine including the following programs, please call Dennis Direct on (01789) 490215
Issues cost £5.95 each, £7.95 for overseas orders. All prices include p&p and Vat

... but crap arrives pretty much straight away.
Walter (Veteran, Posts: 573)
Re: Warning msg, "Unable to unpack upx-packed file"
« Reply #14 on: May 9th, 2003, 12:27am »

Thanks, Ian!
 
Appreciate the other info too. Hey, I like that guy's name "Dennis Direct," versus for example, "Dennis Roundabout" or Dennis Indirect.  Grin

Strange as it may seem, no amount of learning can cure stupidity, and formal education positively fortifies it. S Vizinczey