mg20170

CWS.WinRes

6 posts in this topic

I caught some spies several days ago. SpyBot, HijackThis and CWSShredder helped me in removing some of them, but they cannot cope with this one. I have been reading this forum for several hours, but couldn't find a similar case. Please help. Thanks in advance.

 

I use Win2k Server, so I have many services running. Some names are in Polish.

 

This is my hijack log:

 

Logfile of HijackThis v1.97.7

Scan saved at 17:22:10, on 2004-05-27

Platform: Windows 2000 SP4 (WinNT 5.00.2195)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\system32\Dfssvc.exe

C:\WINNT\System32\llssrv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINNT\system32\ntfrs.exe

C:\WINNT\System32\nvsvc32.exe

C:\WINNT\system32\regsvc.exe

C:\WINNT\System32\locator.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINNT\system32\MSTask.exe

C:\WINNT\System32\tcpsvcs.exe

C:\WINNT\System32\WBEM\WinMgmt.exe

C:\WINNT\System32\wins.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\dns.exe

C:\WINNT\System32\inetsrv\inetinfo.exe

C:\WINNT\System32\ismserv.exe

C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\Explorer.EXE

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\program files\u-storage tools2.1\ustorage.exe

C:\WINNT\system32\rundll32.exe

C:\WINNT\System32\svchost.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINNT\system32\taskmgr.exe

C:\Temp\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINNT\winres.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [bankrut] C:\Program Files\Bankrut\bankrut.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [uStorage] c:\program files\u-storage tools2.1\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.1

O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\Tlen.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O4 - Startup: Task Manager.lnk = C:\WINNT\system32\taskmgr.exe

O4 - Startup: VCool.lnk = C:\Program Files\VCool\VCool.exe

O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

O9 - Extra button: ICQ Lite (HKLM)

O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

OK, this one looks suspicious to me:

O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINNT\winres.dll

 

SpyBot gives more info:

 

--- Search result list ---

Possible extension hijack: Default executable handler (Zmiany rejestru, nothing done)

HKEY_CLASSES_ROOT\exefile\shell\open\command\!="%1" %*

 

CoolWWWSearch.WinRes: Type library (Klucz rejestru, nothing done)

HKEY_CLASSES_ROOT\TypeLib\{344EE577-2027-4714-82FF-0D7538488547}

 

CoolWWWSearch.WinRes: Browser helper object (Klucz rejestru, nothing done)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D38A51A-23C9-48a1-A33C-48675AA2B494}

 

CoolWWWSearch.WinRes: Class ID (Klucz rejestru, nothing done)

HKEY_CLASSES_ROOT\CLSID\{2D38A51A-23C9-48a1-A33C-48675AA2B494}

 

CoolWWWSearch.WinRes: Interface (Klucz rejestru, nothing done)

HKEY_CLASSES_ROOT\Interface\{5CDE145A-B6B9-408D-A8CC-F9CA040BA7A4}

 

CoolWWWSearch.WinRes: Root class (Klucz rejestru, nothing done)

HKEY_CLASSES_ROOT\WinRes.WindowsResources.1

 

CoolWWWSearch.WinRes: Root class (Klucz rejestru, nothing done)

HKEY_CLASSES_ROOT\WinRes.WindowsResources

 

DSO Exploit: Data source object exploit (Zmiany rejestru, nothing done)

HKEY_USERS\S-1-5-21-343818398-1708537768-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

DSO Exploit: Data source object exploit (Zmiany rejestru, nothing done)

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

 

 

--- Spybot - Search && Destroy version: 1.3 ---

2004-05-12 Includes\Cookies.sbi

2004-05-12 Includes\Dialer.sbi

2004-05-12 Includes\Hijackers.sbi

2004-05-12 Includes\Keyloggers.sbi

2004-05-12 Includes\LSP.sbi

2004-05-12 Includes\Malware.sbi

2004-05-12 Includes\Revision.sbi

2004-05-12 Includes\Security.sbi

2004-05-12 Includes\Spybots.sbi

2004-05-12 Includes\Tracks.uti

2004-05-12 Includes\Trojans.sbi

 

 

--- System information ---

Windows 2000 (Build: 2195) Service Pack 4

/ DataAccess: Patch Available For XMLHTTP Vulnerability

/ DataAccess: Patch Available For XMLHTTP Vulnerability

/ DataAccess: Security Update for Microsoft Data Access Components

/ Windows 2000 / SP2: Narzędzie do usuwania wirusa Blaster systemu Windows (KB833330)

/ Windows 2000 / SP4: Windows 2000 Service Pack 4

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB329115

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 (SP5) KB820888

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB822831

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB823182

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB823559

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB823980

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB824105

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB825119

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB826232

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB828035

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB828741

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB828749

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB830352

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB835732

/ Windows 2000 / SP5: Poprawka systemu Windows 2000 - KB837001

/ Windows Media Player: Poprawka programu Windows Media Player [Aby uzyskać więcej informacji, należy zapoznać się z artykułem Q828026]

/ Windows Media Player / SP0: Poprawka programu Windows Media Player [Aby uzyskać więcej informacji, należy zapoznać się z artykułem Q828026]

 

 

--- Startup entries list ---

Located: HK_LM:Run, Bankrut

command: C:\Program Files\Bankrut\bankrut.exe

file: C:\Program Files\Bankrut\bankrut.exe

size: 101888

MD5: 5fef60bda2e96dfdc66934f3d4ba40c6

 

Located: HK_LM:Run, NvCplDaemon

command: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize

file: C:\WINNT\system32\RUNDLL32.EXE

size: 10000

MD5: 1276f76527cf90eb0541fe469c2b01be

 

Located: HK_LM:Run, nwiz

command: nwiz.exe /install

file: C:\WINNT\system32\nwiz.exe

size: 364544

MD5: 7e84f46c1205996fb1b93a590fc397ba

 

Located: HK_LM:Run, QuickTime Task

command: "C:\Program Files\QuickTime\qttask.exe" -atboottime

file: C:\Program Files\QuickTime\qttask.exe

size: 77824

MD5: 4e165b34780ff2d1b405f29e3fa68df2

 

Located: HK_LM:Run, UStorage

command: c:\program files\u-storage tools2.1\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.1

 

Located: HK_CU:Run, Komunikator

command: C:\Program Files\Tlen.pl\Tlen.exe

file: C:\Program Files\Tlen.pl\Tlen.exe

size: 752128

MD5: 8dc6ece5bccc7dd21605fd651a026a83

 

Located: HK_CU:Run, SpybotSD TeaTimer

command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

size: 1038336

MD5: 58f7e6434d285f4c98ad3621e0bd8c8d

 

Located: Startup (user), Service Manager.lnk

command: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

file: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

size: 69632

MD5: 978294640062c57482bf2b65a342c266

 

Located: Startup (user), Task Manager.lnk

command: C:\WINNT\System32\taskmgr.exe

file: C:\WINNT\System32\taskmgr.exe

size: 89872

MD5: a8a78e349a9e6da3e36b92e542392883

 

Located: Startup (user), VCool.lnk

command: C:\Program Files\VCool\VCool.exe

file: C:\Program Files\VCool\VCool.exe

size: 32768

MD5: 53bc10f211bfdfd564872eac1069710d

 

 

 

--- Browser helper object list ---

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)

BHO name:

CLSID name: AcroIEHlprObj Class

description: Adobe Acrobat reader

classification: Legitimate

known filename: ACROIEHELPER.OCX

info link: http://www.adobe.com/products/acrobat/readstep2.html

info source: TonyKlein

Path: C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\

Long name: AcroIEHelper.ocx

Short name: ACROIE~1.OCX

Date (created): 2003-01-29 22:39:44

Date (last access): 2004-05-27 17:13:50

Date (last write): 2001-04-16 19:39:02

Filesize: 37808

Attributes: archive

MD5: 8394ABFC1BE196A62C9F532511936DF7

CRC32: 71D6E350

Version: 0.1.0.0

 

{2D38A51A-23C9-48a1-A33C-48675AA2B494} (Windows Resources)

BHO name: Windows Resources

CLSID name: WindowsResources

Path: C:\WINNT\

Long name: winres.dll

Short name:

Date (created): 2004-05-27 16:27:54

Date (last access): 2004-05-27 17:14:20

Date (last write): 2004-05-27 17:14:20

Filesize: 80896

Attributes: archive

MD5: 5965BD61127259A3C361494B71164350

CRC32: E678C44D

Version: 0.5.0.2

 

{53707962-6F74-2D53-2644-206D7942484F} ()

BHO name:

CLSID name:

description: Spybot-S&D IE Browser plugin

classification: Legitimate

known filename: SDHelper.dll

info link: http://spybot.eon.net.au/

info source: Patrick M. Kolla

Path: C:\PROGRA~1\SPYBOT~1\

Long name: SDHelper.dll

Short name:

Date (created): 2004-05-12 01:03:00

Date (last access): 2004-05-27 17:13:50

Date (last write): 2004-05-12 01:03:00

Filesize: 744960

Attributes: archive

MD5: ABF5BA518C6A5ED104496FF42D19AD88

CRC32: 5587736E

Version: 0.1.0.3

 

 

 

--- ActiveX list ---

DirectAnimation Java Classes (DirectAnimation Java Classes)

DPF name: DirectAnimation Java Classes

CLSID name:

description:

classification: Legitimate

known filename: %WINDIR%\Java\classes\dajava.cab

info link:

info source: Patrick M. Kolla

 

Microsoft XML Parser for Java (Microsoft XML Parser for Java)

DPF name: Microsoft XML Parser for Java

CLSID name:

description:

classification: Legitimate

known filename: %WINDIR%\Java\classes\xmldso.cab

info link:

info source: Patrick M. Kolla

 

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)

DPF name:

CLSID name: Shockwave ActiveX Control

description: Macromedia ShockWave Flash Player 7

classification: Unknown

known filename: SWDIR.DLL

info link:

info source: Patrick M. Kolla

Path: C:\WINNT\system32\Macromed\Director\

Long name: SwDir.dll

Short name:

Date (created): 2004-04-02 03:34:18

Date (last access): 2004-05-27 16:54:18

Date (last write): 2004-03-16 17:07:54

Filesize: 49152

Attributes: archive

MD5: 188064B39FD529E960F9D821505747EA

CRC32: C6D7A014

Version: 0.10.0.0

 

{31564D57-0000-0010-8000-00AA00389B71} ()

DPF name:

CLSID name:

 

{32564D57-0000-0010-8000-00AA00389B71} ()

DPF name:

CLSID name:

 

{3334504D-0000-0010-8000-00AA00389B71} ()

DPF name:

CLSID name:

description: Microsoft MPEG4 Video Codec

classification: Legitimate

known filename: MPEG4AX.CAB

info link:

info source: Patrick M. Kolla

 

{33564D57-0000-0010-8000-00AA00389B71} ()

DPF name:

CLSID name:

 

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)

DPF name:

CLSID name: Shockwave Flash Object

description: Macromedia Shockwave Flash Player

classification: Legitimate

known filename:

info link:

info source: Patrick M. Kolla

Path: C:\WINNT\System32\Macromed\Flash\

Long name: Flash.ocx

Short name:

Date (created): 2002-11-27 11:46:46

Date (last access): 2004-05-27 16:54:18

Date (last write): 2004-04-13 16:04:38

Filesize: 917504

Attributes: archive

MD5: B414D4BA7BFB6218AE6B224B46C81D60

CRC32: 6B899A6A

Version: 0.7.0.0

 

 

 

--- Process list ---

Spybot - Search && Destroy process list report, 2004-05-27 17:38:51

 

PID: 0 ( 0) [system]

PID: 8 ( 0) System

PID: 160 ( 8) \SystemRoot\System32\smss.exe

PID: 188 ( 160) CSRSS.EXE

PID: 208 ( 160) \??\C:\WINNT\system32\winlogon.exe

PID: 236 ( 208) C:\WINNT\system32\services.exe

PID: 248 ( 208) C:\WINNT\system32\lsass.exe

PID: 276 (1700) C:\WINNT\system32\rundll32.exe

PID: 404 ( 236) C:\WINNT\system32\svchost.exe

PID: 472 ( 236) C:\WINNT\System32\svchost.exe

PID: 524 ( 236) C:\WINNT\system32\spoolsv.exe

PID: 800 ( 236) C:\WINNT\system32\Dfssvc.exe

PID: 860 ( 236) C:\WINNT\System32\llssrv.exe

PID: 888 ( 236) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

PID: 1004 ( 236) C:\WINNT\system32\ntfrs.exe

PID: 1024 ( 236) C:\WINNT\System32\nvsvc32.exe

PID: 1052 ( 236) C:\WINNT\system32\regsvc.exe

PID: 1064 ( 236) C:\WINNT\System32\locator.exe

PID: 1120 (1036) C:\Program Files\Internet Explorer\iexplore.exe

PID: 1180 ( 236) C:\WINNT\system32\MSTask.exe

PID: 1216 ( 236) C:\WINNT\System32\tcpsvcs.exe

PID: 1276 ( 236) C:\WINNT\System32\WBEM\WinMgmt.exe

PID: 1320 ( 236) C:\WINNT\System32\wins.exe

PID: 1352 ( 236) C:\WINNT\system32\svchost.exe

PID: 1368 ( 236) C:\WINNT\System32\dns.exe

PID: 1400 ( 236) C:\WINNT\System32\inetsrv\inetinfo.exe

PID: 1440 ( 236) C:\WINNT\System32\ismserv.exe

PID: 1480 ( 236) C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe

PID: 1640 (2088) C:\Program Files\totalcmd\TOTALCMD.EXE

PID: 1728 (2088) C:\Program Files\Internet Explorer\IEXPLORE.EXE

PID: 1980 ( 236) C:\WINNT\System32\svchost.exe

PID: 2088 ( 220) C:\WINNT\Explorer.EXE

PID: 2108 (2100) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

PID: 2124 (1728) C:\program files\u-storage tools2.1\ustorage.exe

PID: 2188 ( 404) DLLHOST.EXE

PID: 2392 ( 236) C:\WINNT\System32\svchost.exe

PID: 2404 (1640) C:\Temp\HijackThis.exe

PID: 5452 (2108) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe

PID: 5476 (2088) C:\WINNT\system32\taskmgr.exe

PID: 5480 (2404) C:\WINNT\system32\NOTEPAD.EXE

 

 

--- Browser start & search pages list ---

Spybot - Search && Destroy browser pages report, 2004-05-27 17:38:52

 

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL

http://www.google.com/

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page

C:\WINNT\SYSTEM32\blank.htm

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page

about:blank

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

http://www.google.com

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://www.google.com

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page

C:\WINNT\SYSTEM32\blank.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page

http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL

http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch

http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

 

Spybot fixes CWS.WinRes and the rest, but after some time it appears again; fortunately Spybot-resident blocks registry changes and it cannot mess up much. Besides, something weird happens when I choose View->Source in IE. I just see an hourglass and something happens in the background. No page source is shown.

 

Some more questions:

1. Does DSOExploit in spybot list mean that I have some other sh... installed or it just shows the vulnerability?

2. Is this "Possible extension hijack" a threat? I think this is somehow connected with the Run As... command.

 

Thanks for your time.


This is the find-all log if someone finds it helpful:

 

 

 

--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--

 

 

Thu May 27 18:40:03 2004 -- ¬¬Results:

»»System Info:

 

Microsoft Windows 2000 [Wersja 5.00.2195]

C: "" (B8E6:BD68) - FS:NTFS clusters:4k

Total: 20 012 072 960 [19G] - Free: 1 002 102 784 [956M]

 

 

»»IE version and Service packs:

6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

 

! REG.EXE VERSION 2.0

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings

MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

 

»»Google Toolbar version and Attributes:

Defaults: "A" ;"R"

 

»»UserAgent:

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

 

 

»»Wmplayer version:

6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

 

»»M$Java version:

5.0.3810.0 C:\WINNT\System32\msjava.dll

 

 

»»PC uptime:

6:40pm up 2 days, 2:59

 

»»Locked or 'Suspect' file(s) found...

 

 

»»Tasks (services):

0 System Process

8 System

160 SMSS.EXE

188 CSRSS.EXE Title:

208 WINLOGON.EXE Title: NetDDE Agent

236 SERVICES.EXE Svcs: Alerter,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkSvr,TrkWks,W32Time,Wmi

248 LSASS.EXE Svcs: kdc,Netlogon,NtLmSsp,SamSs

404 svchost.exe Svcs: RpcSs

472 svchost.exe Svcs: EventSystem,IAS,Irmon,Netman,NtmsSvc,RasMan,RemoteAccess,SENS

524 spoolsv.exe Svcs: Spooler

800 dfssvc.exe Svcs: Dfs

860 LLSSRV.EXE Svcs: LicenseService

888 mdm.exe Svcs: MDM

1004 ntfrs.exe Svcs: NtFrs

1024 nvsvc32.exe Svcs: NVSvc

1052 regsvc.exe Svcs: RemoteRegistry

1064 LOCATOR.EXE Svcs: RpcLocator

1120 IEXPLORE.EXE

1180 mstask.exe Svcs: Schedule

1216 tcpsvcs.exe Svcs: DHCPServer,SimpTcp

1276 WinMgmt.exe Svcs: WinMgmt

1320 WINS.EXE Svcs: WINS

1352 svchost.exe Svcs: wuauserv

1368 DNS.EXE Svcs: DNS

1400 inetinfo.exe Svcs: IISADMIN,LDAPSVCX,W3SVC

1440 ismserv.exe Svcs: IsmServ

1480 mssearch.exe Svcs: MSSEARCH

1980 svchost.exe Svcs: TapiSrv

2088 explorer.exe Title: Program Manager

2108 TeaTimer.exe Title:

2124 UStorage.exe Title: U-Storage 2.01

276 rundll32.exe Title: NVIDIA TwinView Window

2188 DLLHOST.EXE

2392 svchost.exe Svcs: BITS

1728 IEXPLORE.EXE Title: SWI Forums -> Malware Removal - Microsoft Internet Explorer

5476 TASKMGR.EXE Title: Menedżer zadań Windows

1640 TOTALCMD.EXE Title: Total Commander 5.50 - NOT REGISTERED

2404 HijackThis.exe Title: HijackThis

5480 notepad.exe Title: hijackthis.log - Notatnik

5452 SpybotSD.exe Title: Spybot - Search & Destroy

1820 CMD.EXE Title: C:\WINNT\system32\cmd.exe

700 NTVDM.EXE

2192 tlist.exe

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"=""

"DeviceNotSelectedTimeout"="15"

"GDIProcessHandleQuota"=dword:00002710

"Spooler"="yes"

"swapdisk"=""

"TransmissionRetryTimeout"="90"

"USERProcessHandleQuota"=dword:00002710

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D38A51A-23C9-48a1-A33C-48675AA2B494}]

@="Windows Resources"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

 

REGEDIT4

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]

"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]

@="AP Class Install Handler filter"

"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]

@="AP Deflate Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]

@="AP GZIP Encoding/Decoding Filter "

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]

@="AP lzdhtml encoding/decoding Filter"

"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

 

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]

@="Filtr WebView MIME"

"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

 

REGEDIT4

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"

"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"

"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

 

»»Security settings for 'Windows' key:

 

 

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above

Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)

This program is Freeware, use it on your own risk!

 

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

(NI) ALLOW Read ZARZĄDZANIE NT\Użytkownicy uwierzytelnieni

(IO) ALLOW Read ZARZĄDZANIE NT\Użytkownicy uwierzytelnieni

(NI) ALLOW Read BUILTIN\Operatorzy serwerów

(IO) ALLOW Read BUILTIN\Operatorzy serwerów

(NI) ALLOW Full access BUILTIN\Administratorzy

(IO) ALLOW Full access BUILTIN\Administratorzy

(NI) ALLOW Full access ZARZĄDZANIE NT\SYSTEM

(IO) ALLOW Full access ZARZĄDZANIE NT\SYSTEM

(NI) ALLOW Full access BUILTIN\Administratorzy

(IO) ALLOW Full access TWÓRCA WŁAŚCICIEL

 

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:

Read ZARZĄDZANIE NT\Użytkownicy uwierzytelnieni

Read BUILTIN\Operatorzy serwerów

Full access BUILTIN\Administratorzy

Full access ZARZĄDZANIE NT\SYSTEM

 

 

 

»»Group/user settings:

 

 

User: [sWIATYNIA\administrator], is a member of:

 

BUILTIN\Administratorzy

SWIATYNIA\Administratorzy domeny

SWIATYNIA\Administratorzy przedsiębiorstwa

SWIATYNIA\Administratorzy schematu

SWIATYNIA\Debugger Users

\Everyone

SWIATYNIA\OLAP Administrators

BUILTIN\Użytkownicy

SWIATYNIA\Użytkownicy domeny

 

User is a member of group SWIATYNIA\Użytkownicy domeny.

User is a member of group \Wszyscy.

User is a member of group SWIATYNIA\Debugger Users.

User is a member of group SWIATYNIA\OLAP Administrators.

User is a member of group BUILTIN\Administratorzy.

User is a member of group BUILTIN\Użytkownicy.

User is a member of group ZARZ

User is a member of group ZARZ

User is a member of group \LOKALNY.

User is a member of group SWIATYNIA\Administratorzy domeny.

User is a member of group SWIATYNIA\Administratorzy schematu.

User is a member of group SWIATYNIA\W

User is a member of group SWIATYNIA\Administratorzy przedsiębiorstwa.

»»ACLs list:

C:\junkxxx Wszyscy:(OI)(CI)F

 

ERROR: Brak dalszych plików.

 

 

»»Contents of file(s) in 'junk' folder:

 

»»Md5sums

 

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+

Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/

 

 

0 bytes, 0 ms = 0.00 MB/sec

------

»»Rehash:

 

Thu May 27 18:40:09 2004 -- ¬¬Find-All 'Windows'.hiv .reg list:

A C:\Temp\Find-All\winBackup.hiv

A C:\Temp\Find-All\windows.txt

A C:\FindallwinBackup.hiv

A C:\findallappinit.reg

 

***Next Registry run should open this key directly:

 

! REG.EXE VERSION 2.0

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit

LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Today this trojan infected the whole computer. Although I blocked all new registry changes, I have a nice about:blank start page and a bunch of new desktop icons. Also my computer really slows down. Please take a look at my previous logs and help me identify the source of this infection.


I found out from other posts that the main method in my case is to clean HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, but it is clean now (no value).


Hi,

Do you know what this is? (it's highly suspect!)

O4 - HKLM\..\Run: [bankrut] C:\Program Files\Bankrut\bankrut.exe

If you don't know = remove it, otherwise ignore ...

 

1) Restart in Safe Mode (see "How To:" below)

2) Enable Hidden Files (see "How To:" below)

 

Locate and delete the following:

 

C:\Program Files\Bankrut\bankrut.exe <--this file

C:\WINNT\winres.dll <--this file

 

While still in Safe Mode: Run CWShredder

 

While still in Safe Mode:

Close all open windows, rescan with HijackThis and "Fix checked" the following:

 

O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINNT\winres.dll

O4 - HKLM\..\Run: [bankrut] C:\Program Files\Bankrut\bankrut.exe

 

Restart normally and run SpyBot again and let it "fix" everything it finds in red.

Note: CoolWWWSearch.WinRes: Browser helper object (Klucz rejestru, nothing done) "nothing done" = not selected to remove? (reboot after the scan)

 

In looking over the other logs, you do not appear to have the "about:blank"; however, when you have multiple infections it's hard to tell until some of the other files are removed.

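As an added example (not code from this thread, nor from HijackThis, Spybot or CWShredder), here is a small Python triage script for the kind of log posted above. It parses the O2 (BHO) and O4 (Run key / Startup folder) lines, flags any BHO whose CLSID is not on a local allowlist or whose DLL sits directly in the Windows directory (as C:\WINNT\winres.dll does), and separately checks the exefile handler value that Spybot complained about against the stock `"%1" %*`. The allowlist is constructed for the example from the two BHOs Spybot's report classifies as legitimate; the sample lines are copied from the log in the thread.

```python
"""Triage of HijackThis-style log lines (added example; not a tool from this thread)."""
import re

# Constructed allowlist for this example: the two BHO CLSIDs that Spybot's own report
# in the thread classifies as legitimate (Acrobat Reader helper, Spybot SDHelper).
KNOWN_GOOD_BHO = {
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}",
    "{53707962-6F74-2D53-2644-206D7942484F}",
}

# Stock value of HKEY_CLASSES_ROOT\exefile\shell\open\command on a clean system.
EXEFILE_DEFAULT = '"%1" %*'

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<where>.+?): (?P<rest>.+)$")
# A DLL dropped directly into the Windows directory rather than System32 or Program Files.
WINDIR_DLL_RE = re.compile(r"^c:\\win(nt|dows)\\[^\\]+\.dll$")


def parse_bhos(lines):
    """Return the O2 entries as dicts with name, upper-cased CLSID and DLL path."""
    bhos = []
    for line in lines:
        m = O2_RE.match(line.strip())
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]})
    return bhos


def parse_run_entries(lines):
    """Return the O4 entries (Run keys and Startup folder) as dicts with where, name, cmd."""
    entries = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        rest = m["rest"]
        if rest.startswith("["):              # O4 - HKLM\..\Run: [name] command
            name, _, cmd = rest[1:].partition("] ")
        else:                                 # O4 - Startup: name.lnk = command
            name, _, cmd = rest.partition(" = ")
        entries.append({"where": m["where"], "name": name, "cmd": cmd.strip()})
    return entries


def suspicious_bhos(lines):
    """BHOs not on the allowlist or loaded from an unusual location, with reasons."""
    findings = []
    for bho in parse_bhos(lines):
        reasons = []
        if bho["clsid"] not in KNOWN_GOOD_BHO:
            reasons.append("CLSID not on local allowlist")
        if WINDIR_DLL_RE.match(bho["path"].lower()):
            reasons.append("DLL sits directly in the Windows directory")
        if reasons:
            findings.append({"clsid": bho["clsid"], "path": bho["path"], "reasons": reasons})
    return findings


def exefile_handler_ok(value):
    """True only when the exefile open command is the stock '"%1" %*'.
    Any other value means every .exe launch is routed through another program first."""
    return value.strip() == EXEFILE_DEFAULT


# Sample input, copied from the HijackThis log in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINNT\winres.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O4 - HKLM\..\Run: [bankrut] C:\Program Files\Bankrut\bankrut.exe",
    r"O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\Tlen.exe",
    r"O4 - Startup: VCool.lnk = C:\Program Files\VCool\VCool.exe",
]

if __name__ == "__main__":
    for f in suspicious_bhos(SAMPLE_LOG):
        print(f"BHO {f['clsid']} {f['path']}: " + "; ".join(f["reasons"]))
    for e in parse_run_entries(SAMPLE_LOG):
        print(f"autostart [{e['where']}] {e['name']} -> {e['cmd']}")
    print("exefile handler clean:", exefile_handler_ok(EXEFILE_DEFAULT))
```

Run against the sample lines it reports exactly one BHO, the WinRes entry, for both reasons, and lists the three autostart entries so they can be reviewed one by one the way the reply above does with the bankrut entry. The allowlist approach is deliberate: a CLSID is stable across file renames, so it is a better key than the DLL name for deciding what you have already vetted.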