CWS.WinRes

#1 mg20170 (Full Member, 5 posts)

Posted 27 May 2004 - 11:06 AM

I caught some spies several days ago. SpyBot, HijackThis and CWSShredder helped me in removing some of them, but they cannot cope with this one. I have been reading this forum for several hours, but couldn't find a similar case. Please help. Thanks in advance.

I use Win2k Server, so I have many services running. Some names are in Polish.

This is my hijack log:

Logfile of HijackThis v1.97.7
Scan saved at 17:22:10, on 2004-05-27
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\ntfrs.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\ismserv.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\program files\u-storage tools2.1\ustorage.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\taskmgr.exe
C:\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINNT\winres.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Bankrut] C:\Program Files\Bankrut\bankrut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UStorage] c:\program files\u-storage tools2.1\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.1
O4 - HKCU\..\Run: [Komunikator] C:\Program Files\Tlen.pl\Tlen.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Startup: Task Manager.lnk = C:\WINNT\system32\taskmgr.exe
O4 - Startup: VCool.lnk = C:\Program Files\VCool\VCool.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

OK, this one looks suspicious to me:
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINNT\winres.dll

SpyBot gives more info:

--- Search result list ---
Possible extension hijack: Default executable handler (Registry change, nothing done)
HKEY_CLASSES_ROOT\exefile\shell\open\command\!="%1" %*

CoolWWWSearch.WinRes: Type library (Registry key, nothing done)
HKEY_CLASSES_ROOT\TypeLib\{344EE577-2027-4714-82FF-0D7538488547}

CoolWWWSearch.WinRes: Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D38A51A-23C9-48a1-A33C-48675AA2B494}

CoolWWWSearch.WinRes: Class ID (Registry key, nothing done)
HKEY_CLASSES_ROOT\CLSID\{2D38A51A-23C9-48a1-A33C-48675AA2B494}

CoolWWWSearch.WinRes: Interface (Registry key, nothing done)
HKEY_CLASSES_ROOT\Interface\{5CDE145A-B6B9-408D-A8CC-F9CA040BA7A4}

CoolWWWSearch.WinRes: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\WinRes.WindowsResources.1

CoolWWWSearch.WinRes: Root class (Registry key, nothing done)
HKEY_CLASSES_ROOT\WinRes.WindowsResources

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-343818398-1708537768-1202660629-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3


--- Spybot - Search && Destroy version: 1.3 ---
2004-05-12 Includes\Cookies.sbi
2004-05-12 Includes\Dialer.sbi
2004-05-12 Includes\Hijackers.sbi
2004-05-12 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2004-05-12 Includes\Malware.sbi
2004-05-12 Includes\Revision.sbi
2004-05-12 Includes\Security.sbi
2004-05-12 Includes\Spybots.sbi
2004-05-12 Includes\Tracks.uti
2004-05-12 Includes\Trojans.sbi


--- System information ---
Windows 2000 (Build: 2195) Service Pack 4
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Patch Available For XMLHTTP Vulnerability
/ DataAccess: Security Update for Microsoft Data Access Components
/ Windows 2000 / SP2: Windows Blaster virus removal tool (KB833330)
/ Windows 2000 / SP4: Windows 2000 Service Pack 4
/ Windows 2000 / SP5: Windows 2000 hotfix - KB329115
/ Windows 2000 / SP5: Windows 2000 hotfix (SP5) KB820888
/ Windows 2000 / SP5: Windows 2000 hotfix - KB822831
/ Windows 2000 / SP5: Windows 2000 hotfix - KB823182
/ Windows 2000 / SP5: Windows 2000 hotfix - KB823559
/ Windows 2000 / SP5: Windows 2000 hotfix - KB823980
/ Windows 2000 / SP5: Windows 2000 hotfix - KB824105
/ Windows 2000 / SP5: Windows 2000 hotfix - KB825119
/ Windows 2000 / SP5: Windows 2000 hotfix - KB826232
/ Windows 2000 / SP5: Windows 2000 hotfix - KB828035
/ Windows 2000 / SP5: Windows 2000 hotfix - KB828741
/ Windows 2000 / SP5: Windows 2000 hotfix - KB828749
/ Windows 2000 / SP5: Windows 2000 hotfix - KB830352
/ Windows 2000 / SP5: Windows 2000 hotfix - KB835732
/ Windows 2000 / SP5: Windows 2000 hotfix - KB837001
/ Windows Media Player: Windows Media Player hotfix [For more information, see article Q828026]
/ Windows Media Player / SP0: Windows Media Player hotfix [For more information, see article Q828026]


--- Startup entries list ---
Located: HK_LM:Run, Bankrut
command: C:\Program Files\Bankrut\bankrut.exe
file: C:\Program Files\Bankrut\bankrut.exe
size: 101888
MD5: 5fef60bda2e96dfdc66934f3d4ba40c6

Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
file: C:\WINNT\system32\RUNDLL32.EXE
size: 10000
MD5: 1276f76527cf90eb0541fe469c2b01be

Located: HK_LM:Run, nwiz
command: nwiz.exe /install
file: C:\WINNT\system32\nwiz.exe
size: 364544
MD5: 7e84f46c1205996fb1b93a590fc397ba

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 77824
MD5: 4e165b34780ff2d1b405f29e3fa68df2

Located: HK_LM:Run, UStorage
command: c:\program files\u-storage tools2.1\ustorage.exe sys_auto_run C:\Program Files\U-Storage Tools2.1

Located: HK_CU:Run, Komunikator
command: C:\Program Files\Tlen.pl\Tlen.exe
file: C:\Program Files\Tlen.pl\Tlen.exe
size: 752128
MD5: 8dc6ece5bccc7dd21605fd651a026a83

Located: HK_CU:Run, SpybotSD TeaTimer
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1038336
MD5: 58f7e6434d285f4c98ad3621e0bd8c8d

Located: Startup (user), Service Manager.lnk
command: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
file: C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
size: 69632
MD5: 978294640062c57482bf2b65a342c266

Located: Startup (user), Task Manager.lnk
command: C:\WINNT\System32\taskmgr.exe
file: C:\WINNT\System32\taskmgr.exe
size: 89872
MD5: a8a78e349a9e6da3e36b92e542392883

Located: Startup (user), VCool.lnk
command: C:\Program Files\VCool\VCool.exe
file: C:\Program Files\VCool\VCool.exe
size: 32768
MD5: 53bc10f211bfdfd564872eac1069710d



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: ACROIEHELPER.OCX
info link: http://www.adobe.com.../readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\
Long name: AcroIEHelper.ocx
Short name: ACROIE~1.OCX
Date (created): 2003-01-29 22:39:44
Date (last access): 2004-05-27 17:13:50
Date (last write): 2001-04-16 19:39:02
Filesize: 37808
Attributes: archive
MD5: 8394ABFC1BE196A62C9F532511936DF7
CRC32: 71D6E350
Version: 0.1.0.0

{2D38A51A-23C9-48a1-A33C-48675AA2B494} (Windows Resources)
BHO name: Windows Resources
CLSID name: WindowsResources
Path: C:\WINNT\
Long name: winres.dll
Short name:
Date (created): 2004-05-27 16:27:54
Date (last access): 2004-05-27 17:14:20
Date (last write): 2004-05-27 17:14:20
Filesize: 80896
Attributes: archive
MD5: 5965BD61127259A3C361494B71164350
CRC32: E678C44D
Version: 0.5.0.2

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDHelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 2004-05-12 01:03:00
Date (last access): 2004-05-27 17:13:50
Date (last write): 2004-05-12 01:03:00
Filesize: 744960
Attributes: archive
MD5: ABF5BA518C6A5ED104496FF42D19AD88
CRC32: 5587736E
Version: 0.1.0.3



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
description: Macromedia ShockWave Flash Player 7
classification: Unknown
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\system32\Macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 2004-04-02 03:34:18
Date (last access): 2004-05-27 16:54:18
Date (last write): 2004-03-16 17:07:54
Filesize: 49152
Attributes: archive
MD5: 188064B39FD529E960F9D821505747EA
CRC32: C6D7A014
Version: 0.10.0.0

{31564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:

{32564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:

{3334504D-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
description: Microsoft MPEG4 Video Codec
classification: Legitimate
known filename: MPEG4AX.CAB
info link:
info source: Patrick M. Kolla

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINNT\System32\Macromed\Flash\
Long name: Flash.ocx
Short name:
Date (created): 2002-11-27 11:46:46
Date (last access): 2004-05-27 16:54:18
Date (last write): 2004-04-13 16:04:38
Filesize: 917504
Attributes: archive
MD5: B414D4BA7BFB6218AE6B224B46C81D60
CRC32: 6B899A6A
Version: 0.7.0.0



--- Process list ---
Spybot - Search && Destroy process list report, 2004-05-27 17:38:51

PID: 0 ( 0) [System]
PID: 8 ( 0) System
PID: 160 ( 8) \SystemRoot\System32\smss.exe
PID: 188 ( 160) CSRSS.EXE
PID: 208 ( 160) \??\C:\WINNT\system32\winlogon.exe
PID: 236 ( 208) C:\WINNT\system32\services.exe
PID: 248 ( 208) C:\WINNT\system32\lsass.exe
PID: 276 (1700) C:\WINNT\system32\rundll32.exe
PID: 404 ( 236) C:\WINNT\system32\svchost.exe
PID: 472 ( 236) C:\WINNT\System32\svchost.exe
PID: 524 ( 236) C:\WINNT\system32\spoolsv.exe
PID: 800 ( 236) C:\WINNT\system32\Dfssvc.exe
PID: 860 ( 236) C:\WINNT\System32\llssrv.exe
PID: 888 ( 236) C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
PID: 1004 ( 236) C:\WINNT\system32\ntfrs.exe
PID: 1024 ( 236) C:\WINNT\System32\nvsvc32.exe
PID: 1052 ( 236) C:\WINNT\system32\regsvc.exe
PID: 1064 ( 236) C:\WINNT\System32\locator.exe
PID: 1120 (1036) C:\Program Files\Internet Explorer\iexplore.exe
PID: 1180 ( 236) C:\WINNT\system32\MSTask.exe
PID: 1216 ( 236) C:\WINNT\System32\tcpsvcs.exe
PID: 1276 ( 236) C:\WINNT\System32\WBEM\WinMgmt.exe
PID: 1320 ( 236) C:\WINNT\System32\wins.exe
PID: 1352 ( 236) C:\WINNT\system32\svchost.exe
PID: 1368 ( 236) C:\WINNT\System32\dns.exe
PID: 1400 ( 236) C:\WINNT\System32\inetsrv\inetinfo.exe
PID: 1440 ( 236) C:\WINNT\System32\ismserv.exe
PID: 1480 ( 236) C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
PID: 1640 (2088) C:\Program Files\totalcmd\TOTALCMD.EXE
PID: 1728 (2088) C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID: 1980 ( 236) C:\WINNT\System32\svchost.exe
PID: 2088 ( 220) C:\WINNT\Explorer.EXE
PID: 2108 (2100) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PID: 2124 (1728) C:\program files\u-storage tools2.1\ustorage.exe
PID: 2188 ( 404) DLLHOST.EXE
PID: 2392 ( 236) C:\WINNT\System32\svchost.exe
PID: 2404 (1640) C:\Temp\HijackThis.exe
PID: 5452 (2108) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
PID: 5476 (2088) C:\WINNT\system32\taskmgr.exe
PID: 5480 (2404) C:\WINNT\system32\NOTEPAD.EXE


--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 2004-05-27 17:38:52

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchURL
http://www.google.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\SYSTEM32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.google.com
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://www.google.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINNT\SYSTEM32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft...B_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft...er=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn...st/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn...st/srchcust.htm

Spybot fixes CWS.WinRes and the rest, but after some time it appears again; fortunately the Spybot resident blocks registry changes, so it cannot mess up much. Besides, something weird happens when I choose View->Source in IE. I just see an hourglass and something happens in the background. No page source is shown.

Some more questions:
1. Does the DSO Exploit entry in the Spybot list mean that I have some other sh... installed, or does it just show the vulnerability?
2. Is this "Possible extension hijack" a threat? I think this is somehow connected with the Run As... command.

Thanks for your time.

#2 mg20170 (Full Member, 5 posts)

Posted 27 May 2004 - 11:52 AM

This is the find-all log if someone finds it helpful:



--==***@@@ 'FIND-ALL' VERSION 8.2 -5/27 @@@***==--


Thu May 27 18:40:03 2004 -- ¬¬Results:
»»System Info:

Microsoft Windows 2000 [Version 5.00.2195]
C: "" (B8E6:BD68) - FS:NTFS clusters:4k
Total: 20 012 072 960 [19G] - Free: 1 002 102 784 [956M]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q837009;Q832894;Q831167;

»»Google Toolbar version and Attributes:
Defaults: "A" ;"R"

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe

»»M$Java version:
5.0.3810.0 C:\WINNT\System32\msjava.dll


»»PC uptime:
6:40pm up 2 days, 2:59

»»Locked or 'Suspect' file(s) found...


»»Tasks (services):
0 System Process
8 System
160 SMSS.EXE
188 CSRSS.EXE Title:
208 WINLOGON.EXE Title: NetDDE Agent
236 SERVICES.EXE Svcs: Alerter,Browser,Dhcp,dmserver,Dnscache,Eventlog,lanmanserver,lanmanworkstation,LmHosts,Messenger,PlugPlay,ProtectedStorage,seclogon,TrkSvr,TrkWks,W32Time,Wmi
248 LSASS.EXE Svcs: kdc,Netlogon,NtLmSsp,SamSs
404 svchost.exe Svcs: RpcSs
472 svchost.exe Svcs: EventSystem,IAS,Irmon,Netman,NtmsSvc,RasMan,RemoteAccess,SENS
524 spoolsv.exe Svcs: Spooler
800 dfssvc.exe Svcs: Dfs
860 LLSSRV.EXE Svcs: LicenseService
888 mdm.exe Svcs: MDM
1004 ntfrs.exe Svcs: NtFrs
1024 nvsvc32.exe Svcs: NVSvc
1052 regsvc.exe Svcs: RemoteRegistry
1064 LOCATOR.EXE Svcs: RpcLocator
1120 IEXPLORE.EXE
1180 mstask.exe Svcs: Schedule
1216 tcpsvcs.exe Svcs: DHCPServer,SimpTcp
1276 WinMgmt.exe Svcs: WinMgmt
1320 WINS.EXE Svcs: WINS
1352 svchost.exe Svcs: wuauserv
1368 DNS.EXE Svcs: DNS
1400 inetinfo.exe Svcs: IISADMIN,LDAPSVCX,W3SVC
1440 ismserv.exe Svcs: IsmServ
1480 mssearch.exe Svcs: MSSEARCH
1980 svchost.exe Svcs: TapiSrv
2088 explorer.exe Title: Program Manager
2108 TeaTimer.exe Title:
2124 UStorage.exe Title: U-Storage 2.01
276 rundll32.exe Title: NVIDIA TwinView Window
2188 DLLHOST.EXE
2392 svchost.exe Svcs: BITS
1728 IEXPLORE.EXE Title: SWI Forums -> Malware Removal - Microsoft Internet Explorer
5476 TASKMGR.EXE Title: Windows Task Manager
1640 TOTALCMD.EXE Title: Total Commander 5.50 - NOT REGISTERED
2404 HijackThis.exe Title: HijackThis
5480 notepad.exe Title: hijackthis.log - Notepad
5452 SpybotSD.exe Title: Spybot - Search & Destroy
1820 CMD.EXE Title: C:\WINNT\system32\cmd.exe
700 NTVDM.EXE
2192 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2D38A51A-23C9-48a1-A33C-48675AA2B494}]
@="Windows Resources"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"Network.ConnectionTray"="{7007ACCF-3202-11D1-AAD2-00805FC1270E}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read NT AUTHORITY\Authenticated Users
(IO) ALLOW Read NT AUTHORITY\Authenticated Users
(NI) ALLOW Read BUILTIN\Server Operators
(IO) ALLOW Read BUILTIN\Server Operators
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read NT AUTHORITY\Authenticated Users
Read BUILTIN\Server Operators
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM



»»Group/user settings:


User: [SWIATYNIA\administrator], is a member of:

BUILTIN\Administrators
SWIATYNIA\Domain Admins
SWIATYNIA\Enterprise Admins
SWIATYNIA\Schema Admins
SWIATYNIA\Debugger Users
\Everyone
SWIATYNIA\OLAP Administrators
BUILTIN\Users
SWIATYNIA\Domain Users

User is a member of group SWIATYNIA\Domain Users.
User is a member of group \Everyone.
User is a member of group SWIATYNIA\Debugger Users.
User is a member of group SWIATYNIA\OLAP Administrators.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group NT AUTHORITY\[name truncated in the log].
User is a member of group NT AUTHORITY\[name truncated in the log].
User is a member of group \LOCAL.
User is a member of group SWIATYNIA\Domain Admins.
User is a member of group SWIATYNIA\Schema Admins.
User is a member of group SWIATYNIA\[name truncated in the log].
User is a member of group SWIATYNIA\Enterprise Admins.
»»ACLs list:
C:\junkxxx Everyone:(OI)(CI)F

ERROR: No more files.


»»Contents of file(s) in 'junk' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec
------
»»Rehash:

Thu May 27 18:40:09 2004 -- ¬¬Find-All 'Windows'.hiv .reg list:
A C:\Temp\Find-All\winBackup.hiv
A C:\Temp\Find-All\windows.txt
A C:\FindallwinBackup.hiv
A C:\findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

#3 mg20170 (Full Member, 5 posts)

Posted 27 May 2004 - 02:03 PM

bump

#4 mg20170 (Full Member, 5 posts)

Posted 28 May 2004 - 03:57 AM

Today this trojan infected the whole computer. Although I blocked all new registry changes, I have a nice about:blank start page and a bunch of new desktop icons. Also my computer really slows down. Please take a look at my previous logs and help me identify the source of this infection.

#5 mg20170 (Full Member, 5 posts)

Posted 28 May 2004 - 04:38 AM

I found out in other posts that the main method in my case is to clean HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs, but it is clean now (no value).

#6 WinHelp2002, "Taking back the Internet" (Global Moderator, 5,365 posts)

Posted 28 May 2004 - 09:40 AM

Hi,
Do you know what this is? (it's highly suspect!)
O4 - HKLM\..\Run: [Bankrut] C:\Program Files\Bankrut\bankrut.exe
If you don't know = remove it, otherwise ignore ...

1) Restart in Safe Mode (see "How To:" below)
2) Enable Hidden Files (see "How To:" below)

Locate and delete the following:

C:\Program Files\Bankrut\bankrut.exe <--this file
C:\WINNT\winres.dll <--this file

While still in Safe Mode: Run CWShredder

While still in Safe Mode:
Close all open windows, rescan with HijackThis and "Fix checked" the following:

O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINNT\winres.dll
O4 - HKLM\..\Run: [Bankrut] C:\Program Files\Bankrut\bankrut.exe


Restart normally and run SpyBot again and let it "fix" everything it finds in red.
Note: CoolWWWSearch.WinRes: Browser helper object (Registry key, nothing done) "nothing done" = not selected to remove? (reboot after the scan)

In looking over the other logs you do not appear to have the "about:blank"; however, when you have multiple infections it's hard to tell until some of the other files are removed.
Mike
Former Microsoft MVP 1999-2012
"There's no place like 127.0.0.1"
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file
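The triage the moderator does in #6 (flag the BHO nobody can account for, the unfamiliar Run entry, and the exefile handler that the first post's Spybot output reported as changed, then remove the keys, values and files from Safe Mode), written as a script that parses HijackThis O2/O4 lines and Spybot "key!=wanted" lines and emits the REGEDIT4 undo. This is an added example, not tooling from the thread or from HijackThis, Spybot or CWShredder; the known-good CLSID list, the allowlist of Run names and the Windows-root paths are assumptions taken from this thread, and the sample log is constructed from lines in the first post.

```python
"""Triage the persistence entries in a HijackThis / Spybot log and write the
removal plan: a REGEDIT4 file deleting the offending keys and values, plus the
files to delete from Safe Mode.  Added example, not the thread's own tooling.
The rules are assumptions drawn from the thread: a BHO whose CLSID is not on a
known-good list (worse if its DLL sits in the %WINDIR% root), a Run entry the
owner cannot account for, and an exefile handler that is not "%1" %*."""
import re
from dataclasses import dataclass, field

WINDOWS_ROOTS = {r"c:\winnt", r"c:\windows"}        # assumption: %WINDIR% on this box
KNOWN_GOOD_BHO = {                                  # CLSIDs the thread classes as legitimate
    "{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}": "Adobe Acrobat AcroIEHelper",
    "{53707962-6F74-2D53-2644-206D7942484F}": "Spybot-S&D SDHelper",
}
KNOWN_RUN_NAMES = {"NvCplDaemon", "nwiz", "QuickTime Task", "UStorage",
                   "Komunikator", "SpybotSD TeaTimer"}  # assumption: the owner recognises these
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
SPYBOT_RE = re.compile(r"^(?P<key>HKEY_[^!]+?)\\?!=(?P<expected>.+)$")   # Spybot "key!=wanted" lines

# Constructed sample: the O2/O4 lines and the Spybot exefile finding from the first post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0 CE\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINNT\winres.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Bankrut] C:\Program Files\Bankrut\bankrut.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
HKEY_CLASSES_ROOT\exefile\shell\open\command\!="%1" %*
"""

@dataclass
class Finding:
    severity: str                                   # "high" or "review"
    detail: str
    reg_lines: list = field(default_factory=list)   # REGEDIT4 lines that undo the entry
    files: list = field(default_factory=list)       # files to delete from Safe Mode

def _dirname(path):
    """Directory part of a Windows path, lower-cased, surrounding quotes stripped."""
    p = path.strip().strip('"').lower()
    return p.rsplit("\\", 1)[0] if "\\" in p else ""

def _exe_from_command(cmd):
    """The executable in a Run command line: the quoted part, or the tokens up to the first *.exe."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    toks = cmd.split()
    for i, tok in enumerate(toks):
        if tok.lower().endswith(".exe"):
            return " ".join(toks[:i + 1])
    return toks[0]

def triage(log_text):
    """Return one Finding per suspicious line; lines matching nothing are ignored."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            clsid, path = m["clsid"], m["path"]
            if clsid.upper() in KNOWN_GOOD_BHO:
                continue
            in_root = _dirname(path) in WINDOWS_ROOTS
            findings.append(Finding(
                "high" if in_root else "review",
                f"BHO {m['name']} {clsid} loads {path}"
                + (" from the Windows directory itself" if in_root else " (CLSID not on the known-good list)"),
                [f"[-{BHO_KEY}\\{clsid}]", f"[-HKEY_CLASSES_ROOT\\CLSID\\{clsid}]"],   # [-Key] deletes a key
                [path.strip('"')]))
        elif m := O4_RE.match(line):
            if m["name"] in KNOWN_RUN_NAMES:
                continue
            findings.append(Finding(
                "review", f"Run entry [{m['name']}] -> {m['cmd']} is not one the owner recognises",
                [f"[{HIVES[m['hive']]}\\{RUN_KEY}]", f"\"{m['name']}\"=-"],   # "name"=- deletes the value
                [_exe_from_command(m["cmd"])]))
        elif m := SPYBOT_RE.match(line):
            key, expected = m["key"], m["expected"]
            if key.lower().endswith(r"exefile\shell\open\command"):
                # every .exe launch goes through this value; restore it (embedded quotes are \" in .reg syntax)
                findings.append(Finding("high", "exefile handler is not \"%1\" %*",
                                        [f"[{key}]", '@="\\"%1\\" %*"']))
            else:
                findings.append(Finding("review", f"{key} differs from what Spybot expects ({expected})"))
    return findings

def reg_file(findings):
    """REGEDIT4 text removing every flagged entry; apply from Safe Mode after deleting the files."""
    lines = ["REGEDIT4", ""]
    for f in findings:
        if f.reg_lines:
            lines += f.reg_lines + [""]
    return "\r\n".join(lines)

def files_to_delete(findings):
    return [p for f in findings for p in f.files]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for x in found:
        print(f"[{x.severity}] {x.detail}")
    print(reg_file(found))
    print("Delete from Safe Mode:", *files_to_delete(found), sep="\n  ")
```

The order matters the same way it does in the moderator's steps: the DLL and the executable are deleted from Safe Mode first, because winres.dll is loaded into every Explorer and IE process while Windows is running normally, and only then is the .reg applied so nothing re-creates the keys in between.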



