CWS won't just curl up and die


  • This topic is locked
11 replies to this topic

#1 Bin

    Member

  • Full Member
  • 5 posts

Posted 11 July 2004 - 10:11 AM

Well, I've managed to get my computer infected with this CoolWebSearch crap, nice ...

Here is the HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 15:52:43, on 11/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\UserAccess\useraccess.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\WinDVD Tweaker Demo Version\WinDVD Tweaker.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\belkin\Bluetooth Software\BTTray.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\PrcView.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = firewall:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BA0B74E4-D28C-4BDA-B005-F074E168EDCA} - C:\WINDOWS\System32\eldl.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [WinDVD Tweaker Demo] "C:\Program Files\WinDVD Tweaker Demo Version\WinDVD Tweaker.exe" /tray
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)

I have tried to remove this with CWShredder, which works and says I had CWS.Searchx, and sometimes also CWS.Jksearch.

But it comes back, and I just can't see where from.

#2 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 11 July 2004 - 03:36 PM

Click here or here to download FindnFix.exe (2K/XP only!) by freeatlast. Double-click on the FINDnFIX.exe and it will install a folder called FINDnFIX on your system. Go to that folder and double-click on !LOG!.bat. The program takes a few minutes to collect the necessary information. When done, post the contents of Log.txt in this thread.

#3 Bin

    Member

  • Full Member
  • 5 posts

Posted 11 July 2004 - 05:28 PM

OK, here is the FindnFix Log.txt:

 
»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»» 
»»»»»»»»»»»»»»»»»»*** Read this first! ***»»»»»»»»»»»»»»»» 
Due to errors on various message boards I made some changes. 
You must know how to ID the file based on the filters provided in 
the scan, as not all the files flagged are bad. 
If you make a mistake or use the wrong guidance, it is completely 
your responsibility and the helper that assists you. 
If you are not sure about the nature of the file or how 
to proceed, I suggest you research it first before attempting 
 to remove any *unknown file on your own. 
 *For Helpers and/or users that are not familiar with any of the 
items on the scan results- I recommend using an alternative, once 
you know what to look for! 
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»» 
--The directory 'junkxxx' is now included as a Subfolder in the FINDnfix folder 
and is the destination for the file to be moved.. 
-*Previous directions will no longer work... 
»»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» »»»»»»»»»»»»»»»»»» 

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s) 
6.0.2800.1106 SP1-Q828750-Q330994-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.
 
11/07/2004 
 11:13pm  up 0 days,  4:49
 
 »»»»»»»»»»»»»»»»»»***LOG!***(*modified 7/8)»»»»»»»»»»»»»»»» 
 
Scanning for file(s)... 
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»» 
»»»»» (*1*) »»»»» ......... 
 »»Locked or 'Suspect' file(s) found... 
 
C:\WINDOWS\System32\MSJ.DLL +++ File read error
\\?\C:\WINDOWS\System32\MSJ.DLL +++ File read error
 
 »»»»» (*2*) »»»»»........ 
**File C:\FINDnFIX\LIST.TXT
MSJ.DLL      Can't Open!
 
 »»»»» (*3*) »»»»»........ 

C:\WINDOWS\SYSTEM32\
   msj.dll        Sun  4 Jul 2004  23:38:30   A...R         57,344    56.00 K
   stci.dll       Tue 17 Feb 2004  10:38:06   A...R          5,606     5.47 K

2 items found:  2 files, 0 directories.
   Total of file sizes:  62,950 bytes     61.47 K
 
unknown/hidden files... 

No matches found.
 
 »»»»» (*4*) »»»»»......... 
Sniffing.......... 
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\MSJ.DLL
Sniffed -> C:\WINDOWS\SYSTEM32\STCI.DLL
 
 »»»»»(*5*)»»»»» 
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
¯ Access denied ® ..................... MSJ.DLL       .....57344   04.07.2004  
 
»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»»*»»» 
»»»»»Search by size... 
 

C:\WINDOWS\SYSTEM32\
   msj.dll        Sun  4 Jul 2004  23:38:30   A...R         57,344    56.00 K

1 item found:  1 file, 0 directories.
   Total of file sizes:  57,344 bytes     56.00 K

No matches found.

No matches found.
 
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\MSJ.DLL
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 
 »»Size of Windows key: 
 (*Default-450 *No AppInit-398 *fake(infected)-448,504,512...) 
 
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 448
 
 »»Dumping Values........ 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout	SZ	15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler	SZ	yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk	SZ	
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout	SZ	90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs	SZ	
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk = 
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = (*** MISSING TRAILING NULL CHARACTER ***)
 
  »»Security settings for 'Windows' key: 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI)    ALLOW  Read        	BUILTIN\Users
(IO)    ALLOW  Read        	BUILTIN\Users
(NI)    ALLOW  Read        	BUILTIN\Power Users
(IO)    ALLOW  Read        	BUILTIN\Power Users
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  BUILTIN\Administrators

(NI)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(IO)    ALLOW  Full access  NT AUTHORITY\SYSTEM
(NI)    ALLOW  Full access  BUILTIN\Administrators
(IO)    ALLOW  Full access  CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read          	BUILTIN\Users
Read          	BUILTIN\Power Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM


»»Member of...: (Admin logon required!) 
User is a member of group GYTHA\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.
 
 
»»»»»»Backups created...»»»»»» 
 11:14pm  up 0 days,  4:50
11/07/2004 
 
A          C:\FINDnFIX\keyback.hiv
--a--    -   -   -               -   -          0 07-11-2004 keyback.hiv
A          C:\FINDnFIX\keys1\winkey.reg
--a--    -   -   -               -   -        287 07-11-2004 winkey.reg

C:\FINDNFIX\
   JUNKXXX        Sun 11 Jul 2004  15:33:10   .D...         <Dir>

1 item found:  0 files, 1 directory.
 
»»Performing string scan.... 

---------- WIN.TXT
-------------- 
-------------- 
No strings found.

-------------- 
-------------- 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

A handle was successfully obtained for the 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows key.
This key has 0 subkeys.
The AppInitDLLs value exists and reports as 56 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\msj.dll"
0000    43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00   |  C.:.\.W.I.N.D.O.
0010    57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00   |  W.S.\.S.y.s.t.e.
0020    6d 00 33 00 32 00 5c 00 6d 00 73 00 6a 00 2e 00   |  m.3.2.\.m.s.j...
0030    64 00 6c 00 6c 00 00 00                           |  d.l.l...

I also noticed a newer version of HijackThis was out; when I ran that, it found text/plain and text/html filters installed, which I had it remove.

I presume I need to do something with this AppInitDLLs and that msj.dll?
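Added here as an illustration (it is not part of the thread and not FindnFix code): a Python checker that rebuilds the AppInit_DLLs bytes from the hex dump in the log above, decodes them as UTF-16LE, and flags a non-empty value, a missing terminator, or a mismatch against the byte count and string view the tool reported. The sample input is the dump from this post; the function names are my own.

```python
"""Re-assemble and sanity-check the AppInit_DLLs value from a FindnFix hex dump."""
from __future__ import annotations

import re

# Constructed sample input: the AppInit_DLLs section of the FindnFix log
# quoted in post #3 of this thread (a raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
The AppInitDLLs value exists and reports as 56 bytes, including the 2 for string termination.

[AppInitDLLs]
Ansi string : "C:\WINDOWS\System32\msj.dll"
0000    43 00 3a 00 5c 00 57 00 49 00 4e 00 44 00 4f 00   |  C.:.\.W.I.N.D.O.
0010    57 00 53 00 5c 00 53 00 79 00 73 00 74 00 65 00   |  W.S.\.S.y.s.t.e.
0020    6d 00 33 00 32 00 5c 00 6d 00 73 00 6a 00 2e 00   |  m.3.2.\.m.s.j...
0030    64 00 6c 00 6c 00 00 00                           |  d.l.l...
"""

# One dump row: 4-digit hex offset, one or more hex bytes, then the ASCII column after "|".
HEX_ROW = re.compile(r"^\s*([0-9A-Fa-f]{4})\s+((?:[0-9A-Fa-f]{2}\s)+)\s*\|")
REPORTED_SIZE = re.compile(r"reports as (\d+) bytes")
ANSI_VIEW = re.compile(r'Ansi string\s*:\s*"([^"]*)"')


def parse_hex_dump(log_text: str) -> bytes:
    """Concatenate the bytes of every dump row, in offset order.

    Each row's offset must equal the number of bytes collected so far; a gap
    means a row was lost in copy/paste and the recovered value cannot be trusted.
    """
    raw = bytearray()
    for line in log_text.splitlines():
        m = HEX_ROW.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(raw):
            raise ValueError(f"row at 0x{offset:04x} does not follow 0x{len(raw):04x}")
        raw += bytes.fromhex("".join(m.group(2).split()))
    return bytes(raw)


def decode_reg_sz(raw: bytes) -> tuple[str, bool]:
    """Decode a REG_SZ payload as UTF-16LE.

    Returns (text, terminated). `terminated` is False when the two NUL bytes
    that should close the string are absent, the condition the first FindnFix
    log in this thread reported as "MISSING TRAILING NULL CHARACTER".
    """
    terminated = len(raw) >= 2 and raw[-2:] == b"\x00\x00"
    body = raw[:-2] if terminated else raw
    if len(body) % 2:
        raise ValueError("odd byte count: not a well-formed UTF-16LE string")
    return body.decode("utf-16-le"), terminated


def analyze_appinit(log_text: str) -> dict:
    """Return the decoded value plus the findings a helper would act on."""
    raw = parse_hex_dump(log_text)
    text, terminated = decode_reg_sz(raw)
    findings = []
    # Every DLL listed in AppInit_DLLs is loaded into each process that loads
    # user32.dll, so a non-empty value is itself the finding.
    if text.strip():
        findings.append(f"AppInit_DLLs loads: {text}")
    if not terminated:
        findings.append("missing trailing NUL: value is not a well-formed REG_SZ")
    size = REPORTED_SIZE.search(log_text)
    if size and int(size.group(1)) != len(raw):
        findings.append(f"size mismatch: tool reported {size.group(1)} bytes, dump holds {len(raw)}")
    ansi = ANSI_VIEW.search(log_text)
    if ansi and ansi.group(1) != text:
        findings.append(f"tool's string view {ansi.group(1)!r} differs from raw bytes {text!r}")
    return {"value": text, "size": len(raw), "terminated": terminated, "findings": findings}


if __name__ == "__main__":
    for finding in analyze_appinit(SAMPLE_LOG)["findings"]:
        print(finding)
```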

#4 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 12 July 2004 - 01:24 AM

Yes, you do. In the keys1 folder, double click on FIX.bat. You will get an alert of about 15 seconds before reboot - allow it to reboot. On restart, open Explorer and navigate to the C:\Windows\System32 folder, find the MSJ.DLL file (it should be visible now). Highlight the file and, using the top menu, click Edit>Move to folder...

Select C:\Findnfix\junkxxx as destination. Move the file.

Open the FINDnFIX folder again and double-click on RESTORE.bat. When it is finished, in the FINDnFIX folder there will be a file called Log1.txt - post its contents in your next reply.

#5 Bin

    Member

  • Full Member
  • 5 posts

Posted 12 July 2004 - 11:02 AM

Ok, here you go:

»»»»»»»»»»»»»»»»»»*** freeatlast100.100free.com ***»»»»»»»»»»»»»»»» 
 
12/07/2004 
  4:58pm  up 0 days,  0:02

Microsoft Windows XP [Version 5.1.2600]
»»»IE build and last SP(s) 
6.0.2800.1106 SP1-Q828750-Q330994-Q824145-Q832894-Q837009-Q831167
The type of the file system is NTFS.
C: is not dirty.
 
 »»»»»»»»»»»»»»»»»»***LOG1!***»»»»»»»»»»»»»»»» 
Scanning for file(s) in System32... 
 
»»»»»»» (1) »»»»»»» 
 
»»»»»»» (2) »»»»»»» 
**File C:\FINDnFIX\LIST.TXT
 
»»»»»»» (3) »»»»»»» 

C:\WINDOWS\SYSTEM32\
   stci.dll       Tue 17 Feb 2004  10:38:06   A...R          5,606     5.47 K

1 item found:  1 file, 0 directories.
   Total of file sizes:  5,606 bytes      5.47 K
Unknown/hidden files... 

No matches found.
 
»»»»»»» (4) »»»»»»» 
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\WINDOWS\SYSTEM32\STCI.DLL
 
 »»»»»(5)»»»»» 
**File C:\WINDOWS\SYSTEM32\DLLXXX.TXT
 
»»»»»»» Search by size... 
 

No matches found.

No matches found.

No matches found.
 
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

 
»»»*»»» Scanning for moved file... »»»*»»» 
 
\\?\C:\FINDnFIX\junkxxx\MSJ.222 +++ File read error
C:\FINDnFIX\junkxxx\MSJ.222 +++ File read error
 

C:\FINDNFIX\JUNKXXX\
   msj.222        Sun  4 Jul 2004  23:38:30   A...R         57,344    56.00 K

1 item found:  1 file, 0 directories.
   Total of file sizes:  57,344 bytes     56.00 K
 
Power SNiF 1.34 - The Ultimate File Snifferdog. Created Mar 16 1992, 21:09:15.

Sniffed -> C:\FINDNFIX\JUNKXXX\MSJ.222
 
fgrep: can't open input C:\FINDNFIX\JUNKXXX\MSJ.222
 
A----R MSJ     .222 0000E000 23:38.30 04/07/2004
 
-ra--    -   -   -               -   -     57,344 07-04-2004 msj.222
A    R     C:\FINDnFIX\junkxxx\msj.222

CHK-SAFE.EXE Ver 2.51 by Bill Lambdin Don Peters and Robert Bullock.
MD5 Message Digest Algorithm by RSA Data Security, Inc.

  File name     Size     Date    Time        MD5 Hash
________________________________________________________________________
C:\FINDnFIX\junkxxx\MSJ.222 can't be opened.
File: <C:\FINDnFIX\junkxxx\msj.222>



 
»»Permissions: 
C:\FINDnFIX\junkxxx\msj.222
Directory "C:\FINDnFIX\junkxxx\."
    Permissions:
        Type    Flags    Inh. Mask     Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
        Allow   00000009 --o- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow   00000002 tc-- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow   00000009 --o- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
        Allow   00000002 tc-- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
        Allow   00000013 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
        Allow   00000013 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow   00000010 t--- 001F01FF ---- DSPO rw+x GYTHA\bpaj
        Allow   0000001B -co- 10000000 ---A ---- ---- \CREATOR OWNER
        Allow   00000013 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
        Allow   00000012 tc-- 00000004 ---- ---- --+- BUILTIN\Users
        Allow   00000012 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: GYTHA\bpaj

    Primary Group: GYTHA\None

Directory "C:\FINDnFIX\junkxxx\.."
    Permissions:
        Type    Flags    Inh. Mask     Gen. Std. File Group or User
        ======= ======== ==== ======== ==== ==== ==== ================
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x BUILTIN\Administrators
        Allow   00000003 tco- 001F01FF ---- DSPO rw+x NT AUTHORITY\SYSTEM
        Allow   00000000 t--- 001F01FF ---- DSPO rw+x GYTHA\bpaj
        Allow   0000000B -co- 10000000 ---A ---- ---- \CREATOR OWNER
        Allow   00000003 tco- 001200A9 ---- -S-- r--x BUILTIN\Users
        Allow   00000002 tc-- 00000004 ---- ---- --+- BUILTIN\Users
        Allow   00000002 tc-- 00000002 ---- ---- -w-- BUILTIN\Users

    Owner: GYTHA\bpaj

    Primary Group: GYTHA\None

File "C:\FINDnFIX\junkxxx\msj.222"
Access is denied.

erreur dans ListAccessRights sur C:\FINDnFIX\junkxxx\msj.222 
 
 »»Size of Windows key: 
(*Default-450 *No AppInit-398 *fake(infected)-448,504,512...) 
 
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 450
 
 »»Dumping Values: 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout	SZ	15
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\GDIProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Spooler	SZ	yes
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\swapdisk	SZ	
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\TransmissionRetryTimeout	SZ	90
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\USERProcessHandleQuota	DWORD	00002710
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs	SZ	
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    DeviceNotSelectedTimeout = 15
    GDIProcessHandleQuota = REG_DWORD 0x00002710
    Spooler = yes
    swapdisk = 
    TransmissionRetryTimeout = 90
    USERProcessHandleQuota = REG_DWORD 0x00002710
    AppInit_DLLs = 
 
  »»Security settings for 'Windows' key: 
 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright (c) 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW  Read        	BUILTIN\Users
(ID-IO) ALLOW  Read        	BUILTIN\Users
(ID-NI) ALLOW  QWCEN-DS--    BUILTIN\Power Users
(ID-IO) ALLOW  QWCEN-DS--    BUILTIN\Power Users
(ID-NI) ALLOW  Full access  BUILTIN\Administrators
(ID-IO) ALLOW  Full access  BUILTIN\Administrators
(ID-NI) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-IO) ALLOW  Full access  NT AUTHORITY\SYSTEM
(ID-NI) ALLOW  Full access  GYTHA\Administrator
(ID-IO) ALLOW  Full access  CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read          	BUILTIN\Users
QWCEN-DS--      BUILTIN\Power Users
Full access    BUILTIN\Administrators
Full access    NT AUTHORITY\SYSTEM
Full access    GYTHA\Administrator


 
00001150:                      $ ?               * 7\   "C  2            
00001190:                        * 7\   "C  2                * 7\   "C  2
000011D0:            vk                S DeviceNotSelectedTimeout    1 5 
00001210:                    vk       '          GDIProcessHandleQuota   
00001250:    9 0             vk                | Spooler     y e s    h( 
00001290:    vk                  swapdisk            `               vk  
000012D0:    P           TransmissionRetryTimeout    vk       '        D 
00001310:USERProcessHandleQuota.             `               H       vk  
00001350:              -4AppInit_DLLsA485                                

---------- NEWWIN.TXT
-4AppInit_DLLsA485?
-------------- 
-------------- 
-------------- 
No strings found.

 

Looks much better ...

Edited by Bin, 12 July 2004 - 11:03 AM.


#6 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 12 July 2004 - 02:43 PM

Yes, it does. Nearly there: open the FINDnFIX folder again and open the Files2 folder. Double-click on the ZIPZAP.bat. It will quickly clean the rest, make a copy of the bad file(s) in the same folder (junkxxx.zip) and open your email client with instructions. Simply drag and drop the junkxxx.zip file from the folder into the mail message and submit to the specified addresses.

Please be sure to include a link to this thread in the body of your email. Reboot when done, then delete the entire FINDnFIX folder. Could you click here to download CWShredder by Merijn Bellekom and run it, hitting 'fix' as opposed to 'scan only'. If you already have CWShredder, click 'Check for update' and make sure you are running version 1.59.1. Reboot when done. Rescan with HJT and post a new log in your next reply.

#7 Bin

    Member

  • Full Member
  • 5 posts

Posted 12 July 2004 - 03:36 PM

Email sent, after I configured Outlook a little.

Deleting the FINDnFIX folder was interesting, specifically the renamed dll file which had no permissions on it at all...

No matter, a little work with cacls later and I can delete it. In case anyone else is interested, this will grant Administrator full privileges (and drop any other privileges; if you just want to add privileges, add the /E switch):

cacls <filename> /G Administrator:F

You might have to take ownership of the file first.

OK, looks good. CWShredder didn't find anything, and the HJT log looks clear to me ...

Logfile of HijackThis v1.98.0
Scan saved at 21:24:03, on 12/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\UserAccess\useraccess.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\Program Files\WinDVD Tweaker Demo Version\WinDVD Tweaker.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\belkin\Bluetooth Software\BTTray.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = firewall:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [RegKillElbyCheck] "C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck.exe" /L RegKill
O4 - HKLM\..\Run: [RegKillTray] "C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [WinDVD Tweaker Demo] "C:\Program Files\WinDVD Tweaker Demo Version\WinDVD Tweaker.exe" /tray
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE


Anything else I need to worry about (apart from not getting reinfected)?

[edit] spelling [/edit]

Edited by Bin, 12 July 2004 - 03:40 PM.


#8 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 12 July 2004 - 03:50 PM

Looks OK - sometimes there is a problem deleting the FnF folder but it appears you can look after yourself :p

Have a look at Tony's post here for preventative measures:

So how did I get infected in the first place?

How is it running now?

#9 davsong

    Member

  • Full Member
  • 6 posts

Posted 12 July 2004 - 04:13 PM

When I clicked on the link to FindNFix, this is what I got, and clicking again got me into a web-hosting site.


('Find-All', 'Beta-Fix' replaced with...) >>FINDnFIX.exe_N/A (2K/XP only!)<<

If you came here to look for FINDnFIX, it's off!
Read this first... >>FINDnFIX changes.htm<<

#10 Bin

    Member

  • Full Member
  • 5 posts

Posted 12 July 2004 - 04:27 PM

Yes, seems good. SpywareBlaster is running again (actually since I moved that dll) :); it just lost Firefox after I updated to SpywareBlaster 3.2.

Well many thanks

Bin

Edited by Bin, 12 July 2004 - 04:30 PM.


#11 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 12 July 2004 - 04:29 PM

davsong: unfortunately, it has just been withdrawn through inappropriate use. I will look at your thread to see what other approaches can be taken.

#12 Daemon

    Security Expert

  • Emeritus
  • 3,350 posts

Posted 12 July 2004 - 04:31 PM

Bin - you're welcome, glad to help :D


As this problem has been resolved the topic will be closed. If you need this topic reopened, please click here to email the moderating team - be sure to include the address of the thread and the name you posted under.