Jump to content


Photo

CWS.SearchX Variant Zombie


  • This topic is locked This topic is locked
14 replies to this topic

#1 tbone513

tbone513

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 27 June 2004 - 11:11 PM

I've tried as much as I could on my own and it won't go away. My HJT log is below, but the weird thing is that it looks like it may have effected notepad.exe as the date on the executable as changed to around the date/time I got infected.

BTW, I've tried the usual stuff (shredder, adaware, s&d, etc.) - nothing will permanently remove this bastard...

Logfile of HijackThis v1.97.7
Scan saved at 11:52:48 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\BacsTray.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\mdm.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.whatifspo...cke/default.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\tkamil\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O1 - Hosts: 172.16.151.139 wisdata
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {CF853E03-5F6C-496A-84C2-A892A1ED465A} - C:\WINDOWS\System32\nemkca.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildt...uncherSetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8037.4051967593
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rackspace.we...bex/ieatgpc.cab

Any help or advice would be greatly appreciated!

#2 tbone513

tbone513

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 28 June 2004 - 05:04 PM

Bueller? Bueller?

#3 Bleij

Bleij

    Member

  • Full Member
  • Pip
  • 2 posts

Posted 28 June 2004 - 05:28 PM

I have the same problem: CWSSearchX just won't go away. I checked Windows' event viewer and found out I had quite some browser events. Their info is as follows:

Event Type: Information
Event Source: BROWSER
Event Category: None
Event ID: 8033
Date: 28-6-2004
Time: 12:36:29
User: N/A
Computer: PIII-500
Description:
The browser has forced an election on network \Device\NetBT_Tcpip_{33A926D4-3518-4F5E-B1E5-4D4E4A0909D7} because a master browser was stopped.

I suspect it's related to CWS. Can anyone decipher this?

Edited by Bleij, 28 June 2004 - 05:28 PM.


#4 tbone513

tbone513

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 29 June 2004 - 12:35 AM

I'm seeing the same thing - not sure what it is but it doesn't have anything to do with CWS - it's been in my log files for months.

#5 tbone513

tbone513

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 29 June 2004 - 10:17 AM

Update on this variant - if I go to hotmail or msn.com, it reappears. I've confirmed by running the latest cwsshredder and the random dll in the system32 directory will be removed. As soon as I type in hotmail.com or msn.com into the address bar, I get reinfected and the random dll will reappear in my system32 directory.

Anybody have any ideas?!?

#6 tbone513

tbone513

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 29 June 2004 - 06:58 PM

Is there anyone out there...

#7 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 29 June 2004 - 07:05 PM

First, to repair any notepad issues, find both copies in Windows and system32 folder, check the properties and replace the corrupted/hijacked with good copy from the dllcache folder.

What is the 'dllcache' folder and how to find it

When done-
Download and install : "FINDnFIX.exe" from any of
the links in my signature.

Run the "!LOG!.bat" file, wait for the final output (log.txt)
post the results....
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#8 tbone513

tbone513

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 30 June 2004 - 09:25 AM

Thanks for the help! Notepad.exe was set to the same date/time of infection in all 3 areas (c:\windows, c:\i386, and c:\windows\system32\dllcache) so I don't have a clean copy. I'll find one on another machine.

Here's the log file though:

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

Wed 06/30/2004
10:22am up 0 days, 0:08

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Scanning for file(s)...
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗
╗╗╗╗╗ (*1*) ╗╗╗╗╗ .........
╗╗Locked or 'Suspect' file(s) found...


C:\WINDOWS\System32\HLPM.DLL +++ File read error
\\?\C:\WINDOWS\System32\HLPM.DLL +++ File read error

╗╗╗╗╗ (*2*) ╗╗╗╗╗........
**File C:\FINDnFIX\LIST.TXT
HLPM.DLL Can't Open!

╗╗╗╗╗ (*3*) ╗╗╗╗╗........

C:\WINDOWS\SYSTEM32\
hlpm.dll Sun Jun 20 2004 5:07:44p A...R 57,344 56.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 57,344 bytes 56.00 K

unknown/hidden files...

No matches found.

╗╗╗╗╗ (*4*) ╗╗╗╗╗.........
Sniffing..........
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\HLPM.DLL
╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗*╗╗╗

╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448

╗╗Dumping Values........
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM


╗╗Member of...: (Admin logon required!)
User is a member of group INCIGNA\Domain Users.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group INCIGNA\Developers.
User is a member of group INCIGNA\Domain Admins.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

╗╗ Service search:(different variant) '"Network Security Service","__NS_Service_3"...

[SC] GetServiceKeyName FAILED 1060:

The specified service does not exist as an installed service.

[SC] GetServiceDisplayName FAILED 1060:

The specified service does not exist as an installed service.


╗╗Dir 'junkxxx' was created with the following permissions...
(FAT32=NA)
Directory "C:\junkxxx"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x INCIGNA\tkamil
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: INCIGNA\tkamil

Primary Group: INCIGNA\Domain Users



╗╗╗╗╗╗Backups created...╗╗╗╗╗╗
10:24am up 0 days, 0:10
Wed 06/30/2004

A C:\FINDnFIX\winBack.hiv
--a-- - - - - - 8,192 06-30-2004 winback.hiv
A C:\FINDnFIX\keys1\winkey.reg
--a-- - - - - - 287 06-30-2004 winkey.reg

╗╗Performing 16bit string scan....

---------- WIN.TXT
f¨AppInit_DLLsÍ?ŠG└   C
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

Windows
AppInit
UDeviceNotSelectedTimeout
zGDIProcessHandleQuota"
Spooler2
5swapdisk
TransmissionRetryTimeout
USERProcessHandleQuota3

**File C:\FINDnFIX\WIN.TXT
        ě   vk : ě   f¨AppInit_DLLsÍ?ŠG└   C : \ W I N D O W S \ S y s t e m 3 2 \ h l p m . d l l    ░ đ   vk  P   └UDeviceNotSelectedTimeout­   1 5  ( ­   9 0  Ű=t└đ   vk  Ç'   zGDIProcessHandleQuota"■Ó   vk  └   ░║Spooler2­   y e s


#9 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 30 June 2004 - 11:39 AM

Well done!

*Get ready to restart your computer:
- Open the FINDnFIX\Keys1\ Subfolder
-DoubleClick on the "FIX.bat" file.
-You'll be prompted to restart.
-Wait for the popup -Alert to restart your computer in 15 seconds.
-------------------------------------------------------------------------------
On restart, navigate to System32 folder:
-Locate and select the "HLPM.DLL" file (as it will be visible)
-Use the folder's top menu>edit>
move to folder...
-Select the C:\junkxxx as destination and move
the "HLPM.DLL" there.
--------------------------------------------------------------
When done,
-Go back to the main FINDnFIX folder:
-Run the "RESTORE.bat" file.
-It'll run and produce new log (log1.txt)
-Post it into your reply!
-----------------------------------------------------------------------
In addition,
could you locate all 3 *fake copies of your
notepad files, Zip them up and submit by clicking on the "Submit" tab
in my signature!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#10 tbone513

tbone513

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 30 June 2004 - 01:26 PM

Thanks free, I also moved a new dll (the random one created in system32) into junkxxx, hope that was ok. Here's the log:


╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗*** freeatlast100.100free.com ***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗

Wed 06/30/2004
2:12pm up 0 days, 0:04

Microsoft Windows XP [Version 5.1.2600]
The type of the file system is NTFS.
C: is not dirty.

╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗***LOG1!***╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗╗
Scanning for file(s)...

╗╗╗╗╗╗╗ (1) ╗╗╗╗╗╗╗
* result\\?\C:\junkxxx\HLPM.DLL

╗╗╗╗╗╗╗ (2) ╗╗╗╗╗╗╗
**File C:\FINDnFIX\LIST.TXT

╗╗╗╗╗╗╗ (3) ╗╗╗╗╗╗╗

No matches found.

No matches found.

╗╗╗╗╗╗╗ (4) ╗╗╗╗╗╗╗
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.


╗╗╗*╗╗╗ Scanning for moved file... ╗╗╗*╗╗╗

C:\JUNKXXX\
hlpm.dll Sun Jun 20 2004 5:07:44p A...R 57,344 56.00 K
mnkaca.dll Wed Jun 30 2004 10:15:54a A.... 30,720 30.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 88,064 bytes 86.00 K
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\JUNKXXX\HLPM.DLL
Sniffed -> C:\JUNKXXX\MNKACA.DLL


Search text: ŢSTREAMINGDEVICESETUP2Ů «CASE Insensitive Match
Searching ==>C:\JUNKXXX\HLPM.DLL
Searching ==>C:\JUNKXXX\MNKACA.DLL
Run Time(sec) 0
**File C:\JUNKXXX\HLPM.DLL
0000DEBE: 67 44 65 76 69 63 65 00 . 00 53 74 72 65 61 6D 69 gDevice. .Streami
0000DED3: 63 65 53 65 74 75 70 00 . 32 00 00 00 00 00 E0 01 ceSetup. 2.....Ó.
**File C:\JUNKXXX\MNKACA.DLL

rem replace this text with your given command...

c:\junkxxx\hlpm.dll
-ra-- W32i - - - - 57,344 06-20-2004 hlpm.dll
c:\junkxxx\mnkaca.dll
--a-- W32i - - - - 30,720 06-30-2004 mnkaca.dll
A R C:\junkxxx\hlpm.dll
A C:\junkxxx\mnkaca.dll
File: <C:\junkxxx\hlpm.dll>

CRC-32 : D5C9FB2E

MD5 : C185B36F 9969D3A6 D2122BA7 CBC02249



File: <C:\junkxxx\mnkaca.dll>

CRC-32 : 00000000

MD5 : 85558AE5 DCF0FEA8 50761D1D BDF178F3




╗╗Permissions:
C:\junkxxx\hlpm.dll Everyone:(special access:)

SYNCHRONIZE
FILE_EXECUTE

BUILTIN\Administrators:F

C:\junkxxx\mnkaca.dll BUILTIN\Users:R
BUILTIN\Power Users:C
BUILTIN\Administrators:F
NT AUTHORITY\SYSTEM:F
INCIGNA\tkamil:F

Directory "C:\junkxxx\."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000001B -co- 101F01FF ---A DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000001B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x INCIGNA\tkamil
Allow 0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000001B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

Owner: INCIGNA\tkamil

Primary Group: INCIGNA\Domain Users

Directory "C:\junkxxx\.."
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 0000000B -co- 10000000 ---A ---- ---- BUILTIN\Administrators
Allow 00000000 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- NT AUTHORITY\SYSTEM
Allow 0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
Allow 00000000 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 0000000B -co- A0000000 R-X- ---- ---- BUILTIN\Users
Allow 00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
Allow 0000000A -c-- 00000002 ---- ---- -w-- BUILTIN\Users
Allow 00000000 t--- 001200A9 ---- -S-- r--x \Everyone

Owner: BUILTIN\Administrators

Primary Group: BUILTIN\Administrators

File "C:\junkxxx\hlpm.dll"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000000 t--- 00100020 ---- ---- ---x \Everyone
Allow 00000000 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators

Owner: INCIGNA\tkamil

Primary Group: INCIGNA\Domain Users

File "C:\junkxxx\mnkaca.dll"
Permissions:
Type Flags Inh. Mask Gen. Std. File Group or User
======= ======== ==== ======== ==== ==== ==== ================
Allow 00000010 t--- 001200A9 ---- -S-- r--x BUILTIN\Users
Allow 00000010 t--- 001301BF ---- DS-- rw+x BUILTIN\Power Users
Allow 00000010 t--- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
Allow 00000010 t--- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
Allow 00000010 t--- 001F01FF ---- DSPO rw+x INCIGNA\tkamil

Owner: INCIGNA\tkamil

Primary Group: INCIGNA\Domain Users


╗╗Size of Windows key:
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...)

Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450

╗╗Dumping Values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout SZ 15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler SZ yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout SZ 90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota DWORD 00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs SZ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
DeviceNotSelectedTimeout = 15
GDIProcessHandleQuota = REG_DWORD 0x00002710
Spooler = yes
swapdisk =
TransmissionRetryTimeout = 90
USERProcessHandleQuota = REG_DWORD 0x00002710
AppInit_DLLs =

╗╗Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



---------- WIN.TXT
f¨AppInit_DLLsÍ?ŠG└   C

---------- NEWWIN.TXT
AppInit_DLLsł
**File C:\FINDnFIX\NEWWIN.TXT
Đ_ňÓ   vk  Ç   5swapdisk ░
**File C:\FINDnFIX\NEWWIN.TXT
00001338: 01 00 00 00 01 00 45 00 . 5F 44 4C 4C 73 10 88 00 ......E. _DLLs.ł.
**File C:\FINDnFIX\NEWWIN.TXT
Đ_ňÓ   vk  Ç   5swapdisk ░ ° 8 h  đ   vk  (   . TransmissionRetryTimeoutđ   vk  Ç'   b USERProcessHandleQuota3 Ó   ░ ° 8 h  đ  ě   vk  Ç   E AppInit_DLLsł Ş

#11 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 30 June 2004 - 01:52 PM

Well done! :D (good results )

-Last step(s):


-Open the FINDnFIX\Files2< Subfolder:
Run the -> "ZIPZAP.bat" file.
It will quickly clean the rest and
will make a copy of the bad file(s) in the same
folder (junkxxx.zip) and open your email client with instructions:
Simply drag and drop the 'junkxxx.zip' file from
the folder into the mail message and submit
to the specified addresses! Thanks!

When done, restart your computer and
Delete and entire 'FINDnFIX' file+folder(s)
From C:\, and be sure the C:\junkxxx folder
was deleted (as part of the cleanup process)


As for the remains, run any and all
removal tools once again as they should work properly now!
In particular,
Latest CWShredder.exe and fully updated Ad-Aware!

Feel free to post follow up hijackthis log when done! :cool:
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#12 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 30 June 2004 - 02:34 PM

Re: notpads files.
They are actually fine!
All all originall by M$ and just the fact that the date is different makes no difference, it could be that WFP (Windows file protection)
replaced the bad copies.

I'm using them now on
my Win2K and actually like the icon better, thanks for the treat! :weee:
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#13 tbone513

tbone513

    Member

  • Full Member
  • Pip
  • 8 posts

Posted 01 July 2004 - 06:53 AM

Free, I believe you have finally killed it. Thanks so much! Here's the (hopefully) final HJT log:


Logfile of HijackThis v1.97.7
Scan saved at 7:51:51 AM, on 7/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mdm.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.whatifspo...ker/default.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.whatifspo...ker/default.asp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
O1 - Hosts: 172.16.151.139 wisdata
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Research (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - http://install.wildt...uncherSetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8037.4051967593
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://rackspace.we...bex/ieatgpc.cab

#14 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 01 July 2004 - 07:36 AM

All's well!
Just snip these in hijackthis:

O1 - *Hosts: 172.16.151.139 wisdata(*Unless was set by you for some reason...)
-O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
-O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
-O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Stay out of trouble ;)
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#15 Daemon

Daemon

    Security Expert

  • Emeritus
  • PipPipPipPipPip
  • 3,350 posts

Posted 03 July 2004 - 05:31 PM

Glad we could help :D


As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button