
Is It Still There? [display.exe]


13 replies to this topic

#1 12bored

12bored

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:15 PM

Posted 24 October 2007 - 08:08 AM

Hi everyone, I'm new to the forum, do correct me if I post in the wrong section.

I'm using Windows XP home SP2 with Ad-aware SE and ZA Pro

Recently I encountered a display.exe after my friend sent it to me over msn.
I opened it and it spammed messages to my contacts.

Immediately I deleted all files in the folder, and emptied the recycle bin.
Rebooted and ZA Pro didn't ask for access for that particular file, Ad-aware scan did not show anything.

The spam on my msn stopped, but I still see display.exe in my startup registry [I disabled it]

I tried to search for the file in Safe Mode but no hits came up, so now... I don't know if that file is still in my system.

Any help welcomed :thumbsup:
Thanks


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,077 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:15 AM

Posted 24 October 2007 - 09:20 AM

Welcome to BC 12bored

display.exe can be good or bad.

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Process Explorer or Glarysoft Process Manager to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

You can also submit the file to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Then post back with the results.

Edited to fix my link.

Edited by quietman7, 24 October 2007 - 10:45 AM.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 12bored


Posted 24 October 2007 - 10:11 AM

Thanks for the reply.
I'm still quite new to this stuff, so please forgive me if I fail to do what you suggested.

I can't seem to locate the file through the address the "location" registry provided.
It shows: "SOFTWARE\Microsoft\Windows\CurrentVersion\RUN",

right-clicking the file in the registry didn't work either.

I tried searching some old threads with how to find display.exe [even for the legitimate one], but it didn't work.
C:\windows\system32\inetsrv\daemon\system32
after reaching inetsrv, the folder was blank.

Could the legitimate display.exe be gone too?

Sorry for any inconvenience caused.

Edited by 12bored, 24 October 2007 - 10:14 AM.


#4 quietman7


Posted 24 October 2007 - 10:48 AM

The legit display.exe is related to APC PowerChute Personal Edition. Do you have that software installed?

You can use the Windows Search feature > More advanced options to locate files.

To do this, go to Start -> Search and click For Files or Folders....
  • Click All files and folders.
  • Type in the name of the file under "Search by...criteria."
  • Click More advanced options and check these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
  • Then click "Search" to look for the file(s).
You can also download and use the Process Explorer Tool I recommended in my previous reply. That will enable you to gather more information about the process.

#5 12bored


Posted 24 October 2007 - 06:23 PM

I do not have APC PowerChute Personal Edition installed.

I tried following your instructions while using Windows Search to find the display.exe.
Still, nothing came up.

In Process Explorer, no display.exe was shown in the tab on the left hand side of the screen.
Then, I used the "Find Handle or DLL" but no file was found either.

There are no suspicious processes running from what I can see in the Process Explorer.

Edited by 12bored, 24 October 2007 - 06:26 PM.


#6 quietman7


Posted 24 October 2007 - 08:33 PM

Sounds like the file was removed during one of your anti-malware scans but the related registry entry still exists. To remove it, download AutoRuns
  • Create a new folder on your hard drive called AutoRuns and extract (unzip) the file there. (click here if you're not sure how to do this.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to display.exe.
  • Right-click on the entry and choose delete.


#7 12bored


Posted 25 October 2007 - 03:39 AM

Thanks for the help, I am almost there.

But, when I run the autoruns.exe, do I have to have display.exe to be checked in the startup registry?

Because I couldn't locate it under the "HKLM\SOFTWARE\Microsoft\CurrentVersion\Run" section.
Similarly, nerocheck in my registry is disabled like display.exe, it is also not found in the autoruns.

Am I potentially in danger of any activities such as keylogging keeping the malware disabled in the registry?

Edited by 12bored, 25 October 2007 - 05:17 AM.


#8 quietman7


Posted 25 October 2007 - 07:19 AM

do I have to have display.exe to be checked in the startup registry?

The physical file is gone. What you see in Autoruns is a registry entry for startup. In your first post you said you had disabled it. Did you do that with msconfig? Did you do the same with the nero entry at some point?

In any event you don't want to disable or enable this entry. You just need to delete it. With Autoruns, you simply right-click on the entry and choose delete. That will remove it permanently. The same page you used to download Autoruns also explains how to use the tool.

Am I potentially in danger of any activities such as keylogging keeping the malware disabled in the registry?

Again, you found no physical file on your system and you're deleting the related entry, not disabling it.
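The situation discussed up to this point (a startup entry left behind after its file was deleted, and an entry that msconfig disabled no longer showing under the Run key) can be checked with a read-only script. This is an added example, not part of the thread; the function names are hypothetical, and the msconfig storage key is an assumption about Windows XP that the posts do not state.

```powershell
# Added example: read-only listing of startup entries whose target file is gone.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
# Assumption (not stated in the thread): on Windows XP, msconfig moves each
# entry it disables to a subkey here and keeps the original command line in a
# value named "command".
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'

function Get-TargetPath([string]$CommandLine) {
    # Extract the executable path from a Run-style command line.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }            # "C:\a b\x.exe" /arg
    if ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr|pif))(\s|$)') {    # C:\a b\x.exe /arg
        return $Matches[1]
    }
    return ($cmd -split '\s+')[0]
}

function Test-Target([string]$Path) {
    if (-not $Path) { return $false }
    if (Split-Path -Path $Path -IsAbsolute) {
        return Test-Path -LiteralPath $Path -PathType Leaf
    }
    # A bare name such as "display.exe" is resolved through the search path.
    return [bool](Get-Command $Path -CommandType Application -ErrorAction SilentlyContinue)
}

function New-Entry($State, $Name, $Command) {
    $target = Get-TargetPath ([string]$Command)
    [pscustomobject]@{ State = $State; Name = $Name; Target = $target
                       FileExists = (Test-Target $target) }
}

$entries = @(foreach ($key in $runKeys) {
    if (Test-Path -LiteralPath $key) {
        $k = Get-Item -LiteralPath $key
        foreach ($name in $k.GetValueNames()) {
            New-Entry 'enabled' $name ($k.GetValue($name))
        }
    }
})
if (Test-Path -LiteralPath $msconfigKey) {
    $entries += @(Get-ChildItem -LiteralPath $msconfigKey | ForEach-Object {
        New-Entry 'disabled by msconfig' $_.PSChildName ($_.GetValue('command'))
    })
}
# Entries with FileExists = False are leftovers like the one in this thread.
$entries | Sort-Object FileExists | Format-Table State, Name, Target, FileExists -AutoSize
```

A row with FileExists = False only shows that the entry points at nothing; a row with FileExists = True still needs the path and file-property checks described in post #2.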

#9 12bored


Posted 25 October 2007 - 07:45 AM

I disabled both nerocheck and display.exe from msconfig,

but at different times.
nerocheck was disabled before display.exe came in.

#10 quietman7


Posted 25 October 2007 - 08:00 AM

nerocheck.exe is associated with Nero Burning Rom CD writing software and is used to determine problems when running the program. If you have a problem running the program, then check it to startup again. If the program has been removed, then delete the entry with autoruns in the same manner as I advised you to do for the display entry.

#11 12bored


Posted 25 October 2007 - 08:17 AM

A huge thank you to quietman7 for your patience and guidance!

Display.exe is now off my startup registry
:thumbsup:

Edited by 12bored, 25 October 2007 - 08:17 AM.


#12 quietman7


Posted 25 October 2007 - 08:23 AM

You're welcome.

Now you should Set a New Restore Point to enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recent Restore Point.
  • Go to Start > Run and type: Cleanmgr
  • Click "OK".
  • Click the "More Options" Tab.
  • Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.


#13 12bored


Posted 25 October 2007 - 08:32 AM

I don't know what else to say but Thank You, for the tips.
[So I leave the thread like this in case other members might need to refer to it in the future?]

#14 quietman7


Posted 25 October 2007 - 05:08 PM

To protect yourself against malware and reduce the potential for re-infection, be sure to read:
"Simple and easy ways to keep your computer safe".
"How did I get infected?, With steps so it does not happen again!".
"The Ten Most Dangerous Things Users Do Online".
"The 10 Biggest Security Risks".
"Hardening Windows Security - Part 1" and "Hardening Windows Security - Part 2".

Safe surfing and have a malware free day.



