Jump to content


Photo

CWS.SearchX


  • Please log in to reply
8 replies to this topic

#1 Aaangel

Aaangel

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 06 June 2004 - 05:22 PM

I've been using CWShredder for like 3 months now ... and it does a pretty nice job, both for some reason this thing keeps coming back.

From time to time, it even recreates itself after I've cleaned with CWShredder and only been using delphi for a couple of hours and never even open my browser and now I'm really beginning to be irritated, it has also set my Norton antivirus out of play, since it doesn't detect it's stealth download, it did so before my system reinstallment. (or atleast it detected a wide number of trojan hijacks, now it never does)

I've even created a small application myself to track and remove unwanted BHO and toolbars in internet explorer. IE Button manager

Anyway I tried the remove my Microsoft VM (as suggested by CWShredder) and it kept me free for about 2 days (longest ever), but then it came back at what appeared to be renewed strengh.

Please help,
Aaangel

Ps. I'm not sure what you need to know, so please post and I shall be more than happy to supply it.
Visit CoolMon

#2 Aaangel

Aaangel

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 06 June 2004 - 07:15 PM

ups forgot this - Hijack This log:
-----------
Logfile of HijackThis v1.97.7
Scan saved at 02:12:56, on 07-06-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\D-Tools\daemon.exe
E:\eMule\emule.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\AcroTray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\DnloadMage\DnloadMage.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\explorer.exe
D:\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://scheo.com/srchasst/srchcust.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Upload\start - internet.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [NetStat Live] C:\Program Files\AnalogX\NetStat Live\nsl.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Ad-aware] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe" +c
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [RegKillTray] C:\Program Files\Elaborate Bytes\DVD Region Killer\RegKillTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Download Mage.lnk = C:\Program Files\DnloadMage\DnloadMage.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: eMule.lnk = E:\eMule\emule.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download Links As... - file://C:\WINDOWS\System32\page.htm
O8 - Extra context menu item: Download Target(s) As... - file://C:\WINDOWS\System32\link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: RoBOT Smart link (HKLM)
O9 - Extra 'Tools' menuitem: RoBOT Smart link (HKLM)
O9 - Extra button: IE Alter (HKLM)
O9 - Extra 'Tools' menuitem: IE Alter (HKLM)
O9 - Extra button: CoolMon Forum (HKLM)
O9 - Extra 'Tools' menuitem: The CoolMon Forum (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8072.4631712963
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
Visit CoolMon

#3 Aaangel

Aaangel

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 07 June 2004 - 04:00 PM

^bump
Visit CoolMon

#4 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 07 June 2004 - 04:22 PM

In hijackthis fix checked:

*O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-downlo...tsInstaller.cab

Then download and install: "Find-All.exe" from any
of the links in my signature.
Run the 'Find-all.cmd' file, post the output here!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#5 Aaangel

Aaangel

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 08 June 2004 - 03:50 PM

--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.3 -6/07 @@@***==--


Tue Jun 08 22:48:44 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (A461:46F3) - FS:NTFS clusters:4k
Total: 12 584 644 608 [12G] - Free: 3 033 948 160 [2.8G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;

»»Google:
2.0.111.0 C:\Program Files\google\googletoolbar1.dll
-ra-- W32i DLL ENU 2.0.111.0 shp 770,048 05-23-2004 googletoolbar1.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 8.0.0.4490 shp 520,192 04-11-2003 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe


»»PC uptime:
10:48pm up 16 days, 5:37

»»Locked or 'Suspect' file(s) found...
One or more CON code pages invalid for given keyboard code
\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error


»»Tasks (services):
0 System Process
4 System
468 smss.exe
524 csrss.exe Title:
548 winlogon.exe Title: NetDDE Agent
592 services.exe Svcs: Eventlog,PlugPlay
604 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
780 svchost.exe Svcs: RpcSs
832 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa
ibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,sec
ogon,SENS,ShellHWDetection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time
winmgmt,Wmdm
964 svchost.exe Svcs: Dnscache
988 svchost.exe Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
1384 spoolsv.exe Svcs: Spooler
1476 type32.exe Title:
1568 daemon.exe Title: Virtual DAEMON Manager V3.46
1772 emule.exe Title:
460 defwatch.exe Svcs: DefWatch
508 rtvscan.exe Svcs: Norton AntiVirus Server
724 nvsvc32.exe Svcs: NVSvc
852 svchost.exe Svcs: stisvc
1340 MSGSYS.EXE
3544 explorer.exe Title: Program Manager
3992 devldr32.exe Title: DEVLDR
3012 acrotray.exe Title: AcrobatTrayIcon
2232 msnmsgr.exe Title: Emoticon popup
1824 winamp.exe Title: 9. Da Buzz - Stay Forever Young - Winamp
2784 Skype.exe Title: Skype™ Beta - tai1992 added you to their Contact List
2400 DnloadMage.exe Title: Download Mage
3428 evntsvc.exe Title: Notification Wnd for RNAdmin
2572 mplayerc.exe Title:
2672 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
2192 ntvdm.exe
3984 regedit.exe Title: Registry Editor
364 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(NI) ALLOW Read BUILTIN\Users
(IO) ALLOW Read BUILTIN\Users
(NI) ALLOW Read BUILTIN\Power Users
(IO) ALLOW Read BUILTIN\Power Users
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access BUILTIN\Administrators
(IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
Read BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 504

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\ : AppInit_DLLs
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\ : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5308

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

»»Group/user settings:


User: [LARISARULES\Aaangel], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group LARISARULES\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
LARISARULES\Aaangel:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 0 04-07-2004 hosts
------
»»Rehash:

»Strings found:

Tue Jun 08 22:49:25 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-08-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-08-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-07-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-07-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Visit CoolMon

#6 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 09 June 2004 - 11:42 AM

The hidden' file was identified here:

»»Locked or 'Suspect' file(s) found...
One or more CON code pages invalid for given keyboard code
\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error
\\?\C:\WINDOWS\System32\WDM.DLL +++ File read error


First, search for this file and be sure it's not found anywhere, as there could be legitimate file using the same name.

If found, post back details first!

Otherwise ( if not found)proceed :

follow these steps carefully:

Your Windows registry is set to open this key directly:
*My Computer\HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows*

--Go to Start/run/type:
regedit
The registry should open with the Windows Subfolder
hilited.
(*compare and be sure the path on the status
bar is same as indicated above!)

--RightClick on the Windows Subfolder,
And rename Windows as Windows1

--Locate "AppInit_DLLs" value on the right
pane, RightClick it and select -> 'delete'

--Select the Windows1 on the left pane
again and rename it back to it's
original name, Windows

--Use top regedit's menu view->refresh once
and be sure the "AppInit_DLLs"
value is 'officially' gone from the right pane.

--Close regedit, *restart computer!

--Navigate to System32 folder, Search
for System32\ WDM.DLL file, hilite
and use the folder's top menu
option : "Edit-> Move to folder..."
Browse to and select: C:\junkxxx folder.
(It was created during first 'Find-All' run)
'ok' it.

---Re-run 'Find-All.cmd' and post new log!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#7 Aaangel

Aaangel

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 09 June 2004 - 02:32 PM

So I followed your instructions, the file didn't exists ... so I did the registry alterations and rebooted. Then at startup Norton Antivirus detected the "wdm.dll" as a trojan, but it was said that it had failed when it tried to quarentine the file. But I can't even find the damn file ...

---------------------------------------
anyway, new find-all log
---------------------------------------
--==***@@@ 'FIND-ALL' »»*Original*»» VERSION *9.3 -6/07 @@@***==--


Wed Jun 09 21:30:05 2004 -- ++Results:
»»System Info:

Microsoft Windows XP [Version 5.1.2600]
'Find-All' is running from Drive:
C: "" (A461:46F3) - FS:NTFS clusters:4k
Total: 12 584 644 608 [12G] - Free: 3 412 332 544 [3.2G]


»»IE version and Service packs:
6.0.2800.1106 C:\Program Files\Internet Explorer\Iexplore.exe
--a-- W32i APP ENU 6.0.2800.1106 shp 91,136 08-29-2002 iexplore.exe

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings
MinorVersion REG_SZ ;SP1;Q832894;Q330994;Q837009;Q831167;

»»Google:
2.0.111.0 C:\Program Files\google\googletoolbar1.dll
-ra-- W32i DLL ENU 2.0.111.0 shp 770,048 05-23-2004 googletoolbar1.dll

»»UserAgent:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


»»Wmplayer version:
8.0.0.4490 C:\Program Files\Windows Media Player\wmplayer.exe
--a-- W32i APP ENU 8.0.0.4490 shp 520,192 04-11-2003 wmplayer.exe
6.4.9.1125 C:\Program Files\Windows Media Player\mplayer2.exe
--a-- W32i APP ENU 6.4.9.1125 shp 4,639 08-29-2002 mplayer2.exe

»»M$Java version:

»»NotePad(s) version(s)... Tnx,shadoWWWW ;)
5.1.2600.0 C:\WINDOWS\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe
5.1.2600.0 C:\WINDOWS\System32\notepad.exe
--a-- W32i APP ENU 5.1.2600.0 shp 66,048 08-23-2001 notepad.exe

»» Regedit* version(s):
5.1.2600.1106 C:\WINDOWS\regedit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 134,144 08-29-2002 regedit.exe
5.1.2600.0 C:\WINDOWS\System32\regedt32.exe
--a-- W32i APP ENU 5.1.2600.0 shp 3,584 08-23-2001 regedt32.exe


»»PC uptime:
9:30pm up 0 days, 0:04

»»Locked or 'Suspect' file(s) found...
One or more CON code pages invalid for given keyboard code


»»Tasks (services):
0 System Process
4 System
468 smss.exe
524 csrss.exe Title:
548 winlogon.exe Title: NetDDE Agent
592 services.exe Svcs: Eventlog,PlugPlay
604 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
780 svchost.exe Svcs: RpcSs
832 svchost.exe Svcs: AudioSrv,Browser,CryptSvc,Dhcp,dmserver,ERSvc,EventSystem,FastUserSwitchingCompa
ibility,helpsvc,lanmanserver,lanmanworkstation,Messenger,Netman,Nla,Schedule,sec
ogon,SENS,ShellHWDetection,srservice,TermService,Themes,TrkWks,uploadmgr,W32Time
winmgmt,Wmdm
856 StyleXPService.eOleMainThreadWndNameSvcs: StyleXPService
984 svchost.exe Svcs: Dnscache
1032 svchost.exe Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
1192 spoolsv.exe Svcs: Spooler
1476 explorer.exe Title: Program Manager
1700 type32.exe Title:
1708 nsl.exe Title: AnalogX NetStat Live
1724 daemon.exe Title: Virtual DAEMON Manager V3.46
1752 vptray.exe Title: Norton AntiVirus Corporate Edition
1784 jusched.exe Title: OleMainThreadWndName
1820 defwatch.exe Svcs: DefWatch
1868 rtvscan.exe Svcs: Norton AntiVirus Server
1880 rundll32.exe Title: MediaCenter
1896 winampa.exe Title:
1904 RegKillTray.exe Title: ElbyTrayWindow
1916 msnmsgr.exe Title:
1940 Skype.exe Title: Skype™ Beta
1956 nvsvc32.exe Svcs: NVSvc
2012 acrotray.exe Title: AcrobatTrayIcon
180 svchost.exe Svcs: stisvc
360 emule.exe Title:
508 DnloadMage.exe Title:
1808 devldr32.exe Title: DEVLDR
2520 MSGSYS.EXE
3980 explorer.exe Title: Find-All
268 cmd.exe Title: C:\WINDOWS\System32\cmd.exe
3768 winamp.exe Title: 6. Da buzz - Stop, Look, Listen - Winamp
896 ntvdm.exe
1656 tlist.exe
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

»»Security settings for 'Windows' key:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-IO) ALLOW QWCEN-DS-- BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Full access LARISARULES\Aaangel
(ID-IO) ALLOW Full access CREATOR OWNER

Effective permissions for Registry key hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows:
Read BUILTIN\Users
QWCEN-DS-- BUILTIN\Power Users
Full access BUILTIN\Administrators
Full access NT AUTHORITY\SYSTEM
Full access LARISARULES\Aaangel




»»Size of 'Windows' key: (Default-450;No'AppInit'-398;*Fake-~448!)
Size of HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Windows: 398

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\win.ini\Windows\SYS:Microsoft\Windows NT\CurrentVersion\Windows : AppInit_DLLs

»»Winlogon\notify:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
Size of HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: 5308

»»UserInit value:

! REG.EXE VERSION 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit REG_SZ C:\WINDOWS\system32\userinit.exe,

5.1.2600.1106 C:\WINDOWS\System32\userinit.exe
--a-- W32i APP ENU 5.1.2600.1106 shp 22,016 08-29-2002 userinit.exe

»»Group/user settings:


User: [LARISARULES\Aaangel], is a member of:

BUILTIN\Administrators
\Everyone

User is a member of group LARISARULES\None.
User is a member of group \Everyone.
User is a member of group BUILTIN\Administrators.
User is a member of group BUILTIN\Users.
User is a member of group \LOCAL.
User is a member of group NT AUTHORITY\INTERACTIVE.
User is a member of group NT AUTHORITY\Authenticated Users.

»»ACLs list:
C:\junkxxx BUILTIN\Administrators:(OI)(CI)F
NT AUTHORITY\SYSTEM:(OI)(CI)F
LARISARULES\Aaangel:F
CREATOR OWNER:(OI)(CI)(IO)F
BUILTIN\Users:(OI)(CI)R
BUILTIN\Users:(CI)(special access:)

FILE_APPEND_DATA

BUILTIN\Users:(CI)(special access:)

FILE_WRITE_DATA


ERROR: There are no more files.


»»File(s) in 'junkxxx' folder:

»»Md5sums

MD5sums 1.1 freeware for Win9x/ME/NT/2000/XP+
Copyright © 2001-2002 Jem Berkes - http://www.pc-tools.net/


0 bytes, 0 ms = 0.00 MB/sec

»»hosts file:
R C:\WINDOWS\System32\Drivers\etc\hosts
-r--- - - - - - 0 04-07-2004 hosts
------
»»Rehash:

»Strings found:

Wed Jun 09 21:30:22 2004 -- ++Find-All backups:
c:\find-all\find-all\winBackup.hiv
--a-- - - - - - 8,192 06-09-2004 winbackup.hiv
c:\find-all\find-all\windows.txt
--a-- - - - - - 8,192 06-09-2004 windows.txt
A C:\FindallwinBackup.hiv
--a-- - - - - - 8,192 06-07-2004 findallwinbackup.hiv
A C:\findallappinit.reg
--a-- - - - - - 632 06-07-2004 findallappinit.reg

***Next Registry run should open this key directly:

! REG.EXE VERSION 2.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
LastKey REG_SZ My Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Visit CoolMon

#8 freeatlast

freeatlast

    E x p l o r e r

  • Retired Staff
  • PipPipPipPipPip
  • 833 posts

Posted 09 June 2004 - 02:39 PM

Norton deleted the file as soon as it came out from hiding ;)

You need to follow these steps, next (just ignore the N/A parts)

------------------------------------------------------------------------------
We can wrap up the hijacker following these steps:

--Open the 'Find-All'\Tools Subfolder.
DoubleClick once on: "ZIPZAP.bat" file!

It will quickly/Silently do this:
-*Restore your key &Security back to defaults
-*Reset permissions on the junkxxx\*.dll moved file
-*Create zipped copy in the same folder: "junkxxx.zip"
-*Open your email client with given addresses for submission!

--Drag the 'junkxxx.zip' and submit the
attachment to the specified addresses, ! , thanks


When done, Delete the "junkxxx.zip"
as well as the "junkxxx" folder in C:\ And the 'Find-All' folder(s).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next, you need to clear all the elements the hijacker
downloaded!
Run these tools (whether used before or not!), as
they should work properly now.
have them fix all problems:
*Ad-Aware 6 Build 181:
http://www.lavasoftu...ftware/adaware/

*Latest reference file :
http://www.lavasofts...showtopic=28310

How To: Perform a "Full Scan" With Ad-aware 6 Build 181
http://www.lavahelp....scan/index.html

http://www.spywarein.../CWShredder.exe

Feel free to post follow up hijackthis log when done!
Good luck

P.S: ignore the 'submission' part, you're all set otherwise!
Submit Files: Posted Image
----------------------------------------------------------------------
Posted ImagePosted ImagePosted Image

#9 Aaangel

Aaangel

    Member

  • Full Member
  • Pip
  • 6 posts

Posted 09 June 2004 - 03:44 PM

Thank you SO much ...

Now I can start growing my hair back again ... :cool:
Visit CoolMon




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button