Psykel

Psykel analysis of new CSW

4 posts in this topic

This is in connection with http://forums.spywareinfo.com/index.php?showtopic=14238

Some line breaks added to prevent horizontal scroll. cnm

Here ya go...! Hope it helps!

God Bless Virtual Drives!

___________________________________________________________

Installation Report: zz2yu
Generated by InCtrl5, version 1.0.0.0
Install program: C:\Documents and Settings\Harte-Hanks\Desktop\zz2yu.exe
7/13/2004 10:54 PM

------------------------------------------------------------
Registry
********

Keys ignored: 0
---------------
* (none)

Keys added: 4
-------------
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}

Values added: 8
---------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
"HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Unegr-Unaxf\Qrfxgbc\mm2lh.rkr"
Type: REG_BINARY
Data: 00, 00, 00, 00, 06, 00, 00, 00, 20, 89, 83, BD, 54, 69, C4, 01

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce "9umef.exe"
Type: REG_SZ
Data: C:\WINNT\system32\9umef.exe

HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849} "(Default)"
Type: REG_SZ
Data:

HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32 "(Default)"
Type: REG_SZ
Data: C:\WINNT\system32\b0y.dll

HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce "9umef.exe"
Type: REG_SZ
Data: C:\WINNT\system32\9umef.exe

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs "b0y.dll"
Type: REG_SZ
Data: b0y.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs "b0y.dll"
Type: REG_SZ
Data: b0y.dll

Values changed: 2
-----------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 00, 00, 00, 00, 17, 00, 00, 00, 80, 18, 90, 44, 54, 69, C4, 01
New data: 00, 00, 00, 00, 18, 00, 00, 00, 20, 89, 83, BD, 54, 69, C4, 01

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
Old type: REG_BINARY
New type: REG_BINARY


------------------------------------------------------------
Disk contents
*************

Drives tracked: 1
-----------------
* c:\

Files added: 7
--------------
c:\Documents and Settings\Harte-Hanks\Local Settings\Temp\54r3j1.sys
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes

c:\Documents and Settings\Harte-Hanks\Local Settings\Temp\sres32a.tmp
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes

c:\Documents and Settings\Harte-Hanks\Local Settings\Temp\sres32b.tmp
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes

c:\WINNT\54r3j1.sys
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes

c:\WINNT\system32\54r3j1.sys
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes

c:\WINNT\system32\9umef.exe
Date: 7/13/2004 10:58 AM
Size: 338,285 bytes

c:\WINNT\system32\b0y.dll
Date: 7/13/2004 10:43 PM
Size: 384,580 bytes

Files changed: 9
----------------
c:\Documents and Settings\Harte-Hanks\NTUSER.DAT
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 282,624 bytes
New size: 282,624 bytes

c:\Documents and Settings\Harte-Hanks\ntuser.dat.LOG
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 1,024 bytes
New size: 1,024 bytes

c:\WINNT\system32\config\SECURITY
Old date: 7/13/2004 10:43 PM
New date: 7/13/2004 10:43 PM
Old size: 24,576 bytes
New size: 24,576 bytes

c:\WINNT\system32\config\SECURITY.LOG
Old date: 7/13/2004 10:43 PM
New date: 7/13/2004 10:43 PM
Old size: 12,288 bytes
New size: 1,024 bytes

c:\WINNT\system32\config\software
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 7,278,592 bytes
New size: 7,282,688 bytes

c:\WINNT\system32\config\software.LOG
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 1,024 bytes
New size: 1,024 bytes

c:\WINNT\system32\config\system
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 2,113,536 bytes
New size: 2,113,536 bytes

c:\WINNT\system32\config\SYSTEM.ALT
Old date: 7/13/2004 10:40 PM
New date: 7/13/2004 10:43 PM
Old size: 2,113,536 bytes
New size: 2,113,536 bytes

c:\WINNT\system32\wbem\Logs\wbemcore.log
Old date: 5/20/2004 12:49 PM
New date: 7/13/2004 10:46 PM
Old size: 21,063 bytes
New size: 21,119 bytes

------------------------------------------------------------
INI file
********

Ini files tracked: 4
--------------------
* C:\boot.ini
* c:\winnt\control.ini
* c:\winnt\system.ini
* c:\winnt\win.ini

------------------------------------------------------------
Text file
*********

Text files tracked: 2
---------------------
* c:\winnt\system32\autoexec.nt
* c:\winnt\system32\config.nt

------------------------------------------------------------
InCtrl5, Copyright © 2000 by Ziff Davis Media, Inc.
Written by Neil J. Rubenking
First published in PC Magazine, December 5, 2000.
________________________________________________________________

And the HijackLog to go with it after I inctrl5ed it....

Logfile of HijackThis v1.98.0
Scan saved at 11:10:44 PM, on 7/13/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Harte-Hanks\Desktop\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - {81D66134-ADC3-4C6D-B0A9-03D4EE35B849} - C:\WINNT\system32\b0y.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\RunOnce: [9umef.exe] C:\WINNT\system32\9umef.exe
O4 - HKCU\..\RunOnce: [9umef.exe] C:\WINNT\system32\9umef.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Was unable to find the b0y.dll or 9umef.exe on the Drive, but I didn't check through dos yet.... if I find them I will submit them....

Cheers!

Hope you get your problem fixed man! (cause I got it now :) it's just my VD though, I can easily wipe it, but have kept it that way till something surfaces)


Got the analysis of the b0y.dll, the other exe is just a copy of the first with another random name.... will post it shortly...

plus I think I got it down. will test fix tomorrow... **UPDATE** Errgghh... no go yet, doing further analysis, discussing the possibility of this being another HackerDefender WDM Driv0r


mmkay, here is the analysis of the b0y.dll. From what I have noted so far, I reset my Virtual drive and reran the installer, the dll name stayed but exe randomized, I think that the actions of the exe it references may be slightly different... doing an analysis of it... also trying to decode what's going on in the sys file, but not having much luck, if anyone has any suggestions on that or anything else feel free to give em... or if you would like copies of all files and reports so far just email me....

Installation Report: Microsoft© Register Server
Generated by InCtrl5, version 1.0.0.0
Install program: C:\WINNT\system32\regsvr32.exe c:\winnt\system32\b0y.dll
7/14/2004 3:02 AM

------------------------------------------------------------
Registry
********

Keys ignored: 0
---------------
* (none)

Keys added: 3
-------------
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}
HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}

Values added: 4
---------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU:P:\JVAAG\flfgrz32\ertfie32.rkr"
Type: REG_BINARY
Data: 00, 00, 00, 00, 06, 00, 00, 00, 80, A7, 47, 4E, 77, 69, C4, 01

HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849} "(Default)"
Type: REG_SZ
Data:

HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32 "(Default)"
Type: REG_SZ
Data: c:\WINNT\system32\b0y.dll

HKEY_CLASSES_ROOT\CLSID\{81D66134-ADC3-4C6D-B0A9-03D4EE35B849}\InprocServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment

Values changed: 2
-----------------
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count "HRZR_EHACNGU"
Old type: REG_BINARY
New type: REG_BINARY
Old data: 00, 00, 00, 00, 38, 00, 00, 00, B0, DD, 91, BC, 76, 69, C4, 01
New data: 00, 00, 00, 00, 39, 00, 00, 00, A0, 13, 43, 4E, 77, 69, C4, 01

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\RNG "Seed"
Old type: REG_BINARY
New type: REG_BINARY

Old data: D9, B3, 57, 7E, 48, DB, 84, 9D, 2A, DA, A3, 08, 00, D9, FC, 00, 5F, 32, 33, A6, 5F, 3C, 7A, A9, B0, 36, 8A, 68, 9B, CC, 40, 1D, 8C, AF, DF, C5, 37, 35, 23, CA, 78, 21, 72, 7A, F2, 54, 0E, 79, 80, A9, 8F, B8, 20, 70, 93, 1C, 21, E8, A3, 92, 55, A7, 3E, A6, E5, 69, EB, 56, 10, 47, B0, C9, B7, 88, 1C, 73, C3, 9F, 67, FD

New data: 90, 8B, AB, 91, F1, 08, 21, C9, C4, BB, 8A, 00, 9A, F1, 6D, 1A, 50, E1, 34, 1F, 75, 91, 5C, 22, 5B, 91, 4D, 2C, 9F, 9C, 36, FA, 42, D9, 3C, D6, A5, E0, ED, 3C, 96, 33, 38, EB, 65, DF, 6F, E8, 5B, FF, 0E, 62, 1C, 62, 12, AC, B9, 78, E9, 9C, D6, 18, 6E, EB, F2, 54, EA, 77, C6, 40, 16, F3, 48, CF, F9, D1, 08, 35, 5F, 94

------------------------------------------------------------
Disk contents
*************

Drives tracked: 1
-----------------
* c:\

Files changed: 5
----------------
c:\Documents and Settings\Harte-Hanks\NTUSER.DAT
Old date: 7/14/2004 2:48 AM
New date: 7/14/2004 2:51 AM
Old size: 323,584 bytes
New size: 323,584 bytes

c:\Documents and Settings\Harte-Hanks\ntuser.dat.LOG
Old date: 7/14/2004 2:48 AM
New date: 7/14/2004 2:51 AM
Old size: 1,024 bytes
New size: 1,024 bytes

c:\WINNT\system32\config\software
Old date: 7/14/2004 2:47 AM
New date: 7/14/2004 2:51 AM
Old size: 7,282,688 bytes
New size: 7,282,688 bytes

c:\WINNT\system32\config\software.LOG
Old date: 7/14/2004 2:47 AM
New date: 7/14/2004 2:51 AM
Old size: 1,024 bytes
New size: 1,024 bytes

c:\WINNT\system32\wbem\Logs\wbemcore.log
Old date: 7/14/2004 2:37 AM
New date: 7/14/2004 2:56 AM
Old size: 21,231 bytes
New size: 21,287 bytes

------------------------------------------------------------
INI file
********

Ini files tracked: 4
--------------------
* C:\boot.ini
* c:\winnt\control.ini
* c:\winnt\system.ini
* c:\winnt\win.ini

------------------------------------------------------------
Text file
*********

Text files tracked: 2
---------------------
* c:\winnt\system32\autoexec.nt
* c:\winnt\system32\config.nt

------------------------------------------------------------
InCtrl5, Copyright © 2000 by Ziff Davis Media, Inc.
Written by Neil J. Rubenking
First published in PC Magazine, December 5, 2000.


Running a quick analysis but I think I got a fix.... post soon

Supposedly TrendMicro fixes this as of today... I have just been told but I haven't tested it yet...
