sexandpoker.com - fake Windows Security popups - nasty malwa


  • This topic is locked
6 replies to this topic

#1 nrussellmn

  • Members
  • 3 posts

Posted 18 June 2005 - 11:25 PM

This has been a nasty one. Just curious if anyone has completely beat it yet. Think I've got it nailed, but want to verify. I've seen a thread in this forum about this bug as well.

It is spyware/malware that none of the popular and not so popular anti-spyware products I've tried have removed. Latest HJT log was no real help.

Symptoms: Causes a lot of casino and adult popups, plus unwanted IE Favorites keep getting added (even after deletion) such as "Kill Annoying Popups", "(bleep) REAL GIRLS", "AdultGambling", "Free Online Dating", "Online Sex Poker Rooms", "Remove Toolbars", "Spyware Uninstall", "SPYWARE", "XXX Personal Photos", "Play Adult-Poker" etc... Popups can launch with no browser open. "Fake" Windows Security Center popups also occur. Some may have noticed in trying to install Windows service packs to fix problem reveals files such as wbemtest.exe, or pingtest.exe, or tcptest.exe cannot be found... turns out that any files ending in "test.exe" seem to be "invisible" (even in safe mode or safe mode with command prompt).

After pounding on this one for a while and examining numerous posts to no avail, I think I've beat it, but wanted to verify as this thing seems to have a nasty habit of coming back when you think you've got it beat.

I had to boot to NTFS from DOS (i.e. "NTFS for DOS" {freeware} or NFTSPRO for DOS) and delete the following files from c:\windows\system32:
csixi.exe
cisvvc.exe
rdsndin (was either .exe or .dll)

Also seems I had to take cisvvc*.pf file out of c:\windows\prefetch folder as well.

I also used HJT to take out some registry references to hosts beginning with .69

Seems to be gone now. I work on computers for a living and this is the nastiest bug I've ever battled. Has anyone any experience with this one to share as I'm not totally sure I've completely nailed it.

Thx

#2 ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 18 June 2005 - 11:57 PM

Hello nrussellmn and welcome to Bleeping Computer.
I'm working one that sounds similar here. I guess I'll be a glutton for punishment, and try a second one.


Download Silent Runners and unzip it into its own folder.

Run SilentRunners.vbs.
If your antivirus complains, tell it to allow this script.
This script takes a while, please wait until you get an 'All Done' message.

Copy and paste the content of the Silent Runners textfile you get afterwards in your next reply.


Download http://www.bleepingcomputer.com/files/pfind.php

Create a folder C:\pfind and extract pfind-new.zip into it.

Open c:\pfind and double-click on pfind.bat. When it is done, reboot and post the contents of c:\pfind.txt as a reply to this topic.


Finally, I need a fresh HJT log.
Derfram
~~~~~~

#3 nrussellmn

  • Topic Starter

  • Members
  • 3 posts

Posted 19 June 2005 - 12:17 AM

HJT Log:
Logfile of HijackThis v1.99.1
Scan saved at 12:04:42 AM, on 6/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\system32\basfipm.exe
C:\WINDOWS\System32\cusrvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\Program Files\Network Associates\VirusScan\mcshield.exe
c:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Dell\QuickSet\Quickset.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\DSSTAT.EXE
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O1 - Hosts: 172.17.35.11 dm11.datacard.com dm11
O1 - Hosts: 127.0.0.2 hotgamesites.com newvirtualcasino.com sexandpoker.com *.69.50.190.131 *.69.50.182.94 searchterror.com crazy-toolbar.com *.69.50.190.131 *.69.50.166.98
O1 - Hosts: 127.0.0.3 *.69.50.184.84 *.195.225.176.37 firstvirtualcasino.com globalgamesites.com gamblingrun.com millenniumpills.com casinonowonline.com gamblingkey.com
O1 - Hosts: 127.0.0.4 *.64.159.87.100 *.69.50.175.21 *.69.50.175.* *.69.50.160.* *.69.50.164.125 *.69.50.175.27 *.esthost.com *.pirate4x4.com
O1 - Hosts: 127.0.0.5 *.69.50.176.198 *.195.225.176.153 *.cyber-spyware.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [NDPS] C:\WINDOWS\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [ShStatEXE] "c:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: iPassConnect.lnk = C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe
O4 - Global Startup: United States Department Of Energy VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118811242501
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - Unknown owner - C:\WINDOWS\CWBRXD.EXE (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - c:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - c:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)


SR:
"Silent Runners.vbs", revision 38.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Launch Datacard Status" = "C:\WINDOWS\system32\PRNATT.EXE" [null data]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
C:\WINDOWS\System32\NvCpl.dll,NvStartup" [file not found]
"PRONoMgr.exe" = "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" ["Intel® Corporation"]
"DVDSentry" = "C:\WINDOWS\System32\DSentry.exe" ["Dell - Advanced Desktop Engineering"]
"RoxioEngineUtility" = ""C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"" ["Roxio"]
"RoxioDragToDisc" = ""C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"" ["Roxio"]
"RoxioAudioCentral" = ""C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"" ["Roxio, Inc."]
"NDPS" = "C:\WINDOWS\System32\dpmw32.exe" [null data]
"NWTRAY" = "NWTRAY.EXE" ["Novell, Inc."]
"ShStatEXE" = ""c:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE" ["Network Associates, Inc."]
"McAfeeUpdaterUI" = ""C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"" ["Network Associates, Inc."]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\Quickset.exe" [empty string]
"(Default)" = (empty string)
"Norton Ghost 9.0" = "rem C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe" [file not found]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\nvshell.dll" ["NVIDIA Corporation"]
"{B4579AA5-E3A0-49A1-AC0B-5112AFBD215B}" = "iSQL*Plus Servers"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\isqlext.dll" ["Oracle Corporation"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{8932AEFE-9DB6-4f43-AFB2-5682F55E773A}" = "VPCHostCopyHook"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Virtual PC\VPCShExH.DLL" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Roxio DragToDisc Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\shellex.dll" ["Roxio"]
"{A44D5ACC-3411-40DE-9AD3-214FFB2ED7AC}" = "My Media"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\MediaSX.dll" ["Roxio, Inc."]
"{AF8DE18D-9065-4102-BC40-EB294A95BB07}" = "Novell Connections"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nwshlxnt.dll" ["Novell, Inc."]
"{04c23aa0-3d34-11d2-b788-008029605ac7}" = "NDPS Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "ndpsprop.dll" ["Novell, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{EEB5B6C2-E405-11d0-9318-0004AC946C18}" = "AS/400 Shell Extensions - AS/400 IPL"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunas4.dll" ["IBM Corporation"]
"{38482e00-0ad5-11cf-bc9d-0004ac325a18}" = "AS/400 Network"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunshf.dll" ["IBM Corporation"]
"{DCA251A0-38AC-11d0-82BD-08005AA74F5C}" = "AS/400 Shell Extensions - AS/400 Network"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunshf.dll" ["IBM Corporation"]
"{5E44E520-2F69-11d1-9318-0004AC946C18}" = "AS/400 Shell Extensions - Auto Refresh"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunarf.dll" ["IBM Corporation"]
"{DCAF7D81-60C4-11d1-9E01-0004AC760C57}" = "AS/400 Shell Extensions - Send Message"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunmgs.dll" ["IBM Corporation"]
"{C60EF841-2F98-11d1-A19A-08005A4F659F}" = "AS/400 Shell Extensions - NFS Server"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunnfs.dll" ["IBM Corporation"]
"{963C0C00-39B0-11d1-8743-08005AC22F32}" = "AS/400 Shell Extensions - IP Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbuntcn.dll" [file not found]
"{519CBF61-40B3-11d1-A978-08005AD17735}" = "AS/400 Shell Extensions - LDAP Publishing Services"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunldp.dll" ["IBM Corporation"]
"{870C83E1-FF73-11cf-B7F1-0004AC7609F6}" = "AS/400 Shell Extensions - File Systems Properties"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunfsf.dll" ["IBM Corporation"]
"{8D742A40-77FF-11CF-8877-444553540000}" = "AS/400 Shell Extensions - Security"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunsec.dll" ["IBM Corporation"]
"{C94AFD20-98C1-11d1-9E01-0004AC760C57}" = "AS/400 Shell Extensions - Drag Drop Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunddh.dll" ["IBM Corporation"]
"{1827A857-9C20-11d1-96C3-00062912C9B2}" = "AS/400 Shell Extensions - Java Components"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunjav.dll" ["IBM Corporation"]
"{F74D4C40-7862-11CF-8877-444553540000}" = "AS/400 Shell Extensions - Policies"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunpof.dll" ["IBM Corporation"]
"{040606B2-1C19-11d2-AA12-08005AD17735}" = "AS/400 Shell Extensions - Visual Basic Components"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\cwbunvba.dll" [file not found]
"{C2661801-FFE8-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Messages"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunmgf.dll" ["IBM Corporation"]
"{22982561-EEC8-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Spool Files"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunouf.dll" ["IBM Corporation"]
"{8514E881-FF45-11cf-B14B-08005AA7218E}" = "AS/400 Shell Extensions - Printers"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\IBM\Client Access\Shared\cwbunprf.dll" ["IBM Corporation"]
"{506F4668-F13E-4AA1-BB04-B43203AB3CC0}" = "{506F4668-F13E-4AA1-BB04-B43203AB3CC0}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]
"{D66DC78C-4F61-447F-942B-3FB6980118CF}" = "{D66DC78C-4F61-447F-942B-3FB6980118CF}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL" [null data]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "GinaDLL" = "NWGINA.DLL" ["Novell, INC."] {nrussellmn: This is just Novell NetWare GINA that replaces standard MSGINA.DLL from Microsoft}
INFECTION WARNING! "System" = "csixi.exe" [null data] {nrussellmn: This was a key find. I have already removed this}

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! PCANotify\DLLName = "PCANotify.dll" ["Symantec Corporation"] {nrussellmn: PCAnyWhere dll}
INFECTION WARNING! Sebring\DLLName = "C:\WINDOWS\System32\LgNotify.dll" ["Intel Corporation"] {nrussellmn: NIC related}

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
{nrussellmn: did nothing with this one, but find it interesting}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Nate Russell\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\LOGON.SCR" [MS]


Startup items in "russeln" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"iPassConnect" -> shortcut to: "C:\Program Files\iPass\iPassConnect\IPassConnectGUI.exe /S" [empty string]
"United States Department Of Energy VPN Client" -> shortcut to: "C:\Program Files\Cisco Systems\VPN Client\vpngui.exe "-user_logon"" ["Cisco Systems, Inc."]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE /AUTO" ["Symantec Corporation"]
"Symantec Drmc" -> launches: "C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\netware\NWWS2NDS.DLL" ["Novell, Inc."]
000000000002\LibraryPath = "%SystemRoot%\system32\netware\NWWS2SAP.DLL" ["Novell, Inc."]
000000000003\LibraryPath = "%SystemRoot%\system32\netware\NWWS2SLP.DLL" ["Novell, Inc."]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000005\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000006\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 6 domain names to IP addresses,
5 of the IP addresses are *not* localhost!
{nrussellmn: those are intentional redirects to localhost that I mapped to shut down popups until I could solve the core issue}

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Broadcom ASF IP monitoring service v6.0.3, BAsfIpM, "C:\WINDOWS\system32\basfipm.exe" ["Broadcom Corp."]
Cisco Systems, Inc. VPN Service, CVPND, ""C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"" ["Cisco Systems, Inc."]
Client Update Service for Novell, cusrvc, "C:\WINDOWS\System32\cusrvc.exe" ["Novell, Inc."]
McAfee Framework Service, McAfeeFramework, "C:\Program Files\Network Associates\Common Framework\FrameworkService.exe /ServiceStart" ["Network Associates, Inc."]
Network Associates McShield, McShield, ""c:\Program Files\Network Associates\VirusScan\mcshield.exe"" ["Network Associates, Inc."]
Network Associates Task Manager, McTaskManager, ""c:\Program Files\Network Associates\VirusScan\vstskmgr.exe"" ["Network Associates, Inc."]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
pcAnywhere Host Service, awhost32, "C:\Program Files\Symantec\pcAnywhere\awhost32.exe" ["Symantec Corporation"]
RegSrvc, RegSrvc, "C:\WINDOWS\System32\RegSrvc.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor,
WMDM PMSP Service, WMDM PMSP Service, "C:\WINDOWS\System32\MsPMSPSv.exe" [MS]


Keyboard Driver Filters:
------------------------

HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\
"UpperFilters" = INFECTION WARNING! "aw_host" [file not found]
{nrussellmn: did nothing with this one, part of PcAnywhere Host}

----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------

Plist is huge.
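As an added example, not code from this thread, from HijackThis or from Silent Runners, the script below reproduces the kind of HOSTS summary Silent Runners printed above ("maps: N domain names to IP addresses, M of the IP addresses are *not* localhost"), and goes a little further in the direction a triage analyst would want: it parses hosts-format lines, counts distinct addresses, separates names parked on loopback addresses other than 127.0.0.1 (the sinkhole pattern visible in the O1 lines) from names redirected to a routable address (a legitimate intranet entry looks like this, but so would a hijacked vendor or update domain), and flags wildcard names, which the Windows hosts file has no syntax for and which therefore must have been written by a program rather than by hand. The sample lines are constructed from the O1 entries in the HJT log and are not the poster's actual file; the function names are my own.

```python
import ipaddress

# Constructed sample modelled on the O1 "Hosts:" lines in the HJT log above;
# it is NOT the poster's actual file.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1     localhost
172.17.35.11  dm11.datacard.com dm11
127.0.0.2     hotgamesites.com newvirtualcasino.com sexandpoker.com *.69.50.190.131
127.0.0.3     *.69.50.184.84 firstvirtualcasino.com
127.0.0.5     *.cyber-spyware.com
"""


def parse_hosts(text):
    """Return a list of (ip_address, hostname) pairs, one per name on each line.

    Comments (#) and blank lines are skipped. A line whose first field is not
    a valid IP address is kept with address None so it is not silently lost.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None  # malformed address field; still worth a look
        for name in fields[1:]:
            entries.append((addr, name))
    return entries


def summarize_hosts(text):
    """Summarize a hosts file the way a triage tool would."""
    entries = parse_hosts(text)
    addrs = {a for a, _ in entries if a is not None}
    return {
        "domain_names": len(entries),
        "distinct_ips": len(addrs),
        # Silent Runners counts anything other than 127.0.0.1 as "not localhost".
        "non_localhost_ips": sum(1 for a in addrs if str(a) != "127.0.0.1"),
        # Names parked on other loopback addresses: a blackhole/sinkhole pattern.
        "loopback_sinks": [(str(a), n) for a, n in entries
                           if a is not None and a.is_loopback and str(a) != "127.0.0.1"],
        # Names sent to a routable address: check each one against what the
        # machine's owner or administrator says is intentional.
        "external": [(str(a), n) for a, n in entries
                     if a is not None and not a.is_loopback],
        # The Windows hosts file has no wildcard syntax, so '*' names can only
        # have been written by a program, which is itself a finding.
        "wildcard_names": [n for _, n in entries if "*" in n],
        "malformed": [n for a, n in entries if a is None],
    }


def resolve_via_hosts(text, hostname):
    """Return the address a hosts file would hand back for hostname, or None."""
    for addr, name in parse_hosts(text):
        if addr is not None and name.lower() == hostname.lower():
            return str(addr)
    return None


if __name__ == "__main__":
    report = summarize_hosts(SAMPLE_HOSTS)
    print(f"maps: {report['domain_names']} names to "
          f"{report['distinct_ips']} addresses, "
          f"{report['non_localhost_ips']} of them not 127.0.0.1")
    for key in ("external", "loopback_sinks", "wildcard_names", "malformed"):
        print(key, report[key])
```

Run it against the real file by reading C:\WINDOWS\System32\drivers\etc\HOSTS into `summarize_hosts`; the `external` and `wildcard_names` lists are the two that deserve a human look, since a sinkholed advertising domain is a nuisance at worst, while a redirected update or vendor domain is how an infection keeps security tools from working.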

#4 ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 19 June 2005 - 02:03 PM

Sorry for the delay, it's been a busy weekend for me.

Running processes:
C:\WINDOWS\system32\DSSTAT.EXE

I find no information on this item, nor do I see wherefrom it may be starting. Do you know what it might be? Perhaps pfiles will shed some light.

O1 - Hosts: 172.17.35.11 dm11.datacard.com dm11
O1 - Hosts: 127.0.0.2 hotgamesites.com newvirtualcasino.com sexandpoker.com *.69.50.190.131 *.69.50.182.94 searchterror.com crazy-toolbar.com *.69.50.190.131 *.69.50.166.98
O1 - Hosts: 127.0.0.3 *.69.50.184.84 *.195.225.176.37 firstvirtualcasino.com globalgamesites.com gamblingrun.com millenniumpills.com casinonowonline.com gamblingkey.com
O1 - Hosts: 127.0.0.4 *.64.159.87.100 *.69.50.175.21 *.69.50.175.* *.69.50.160.* *.69.50.164.125 *.69.50.175.27 *.esthost.com *.pirate4x4.com
O1 - Hosts: 127.0.0.5 *.69.50.176.198 *.195.225.176.153 *.cyber-spyware.com

I'll let you handle the HOSTS file. We do have a little utility we use to edit the HOSTS files. If you are interested, you can:

Download Hoster.zip.
- Unzip hoster.zip into its own folder.


Unless you or an administrator have set these intentionally or used Spybot or other application to do so, then please have HijackThis fix this line:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

SR:

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Launch Datacard Status" = "C:\WINDOWS\system32\PRNATT.EXE" [null data]

I have no info on this item.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csixi.exe" [null data] {nrussellmn: This was a key find. I have already removed this}

This is the one I was looking for. It is added by the Atrivo/Netcathost DNS hijack you had. I assume you cleared the data value for "System" under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\. The file itself, csixi.exe, may or may not exist.

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
{nrussellmn: did nothing with this one, but find it interesting}

I have no info on this one either. Normally, if we have no info indicating something is bad, we leave it alone on the first pass.

Yes, pFiles can get long. What we are primarily looking for is in the first part showing packed files. The rest most likely will be clean, but it doesn't hurt to check.

Edited by ddeerrff, 19 June 2005 - 02:03 PM.

Derfram
~~~~~~

#5 nrussellmn

  • Topic Starter

  • Members
  • 3 posts

Posted 19 June 2005 - 10:16 PM

dsstat.exe is a special printer driver monitor. No problem there...

I think I am good now. I have not seen any errors for over 24 hours.

Regarding csixi.exe, I will mention a couple of things. Just as this is the core file that makes any files ending in *TEST.exe "invisible" (to everything but the type command or booting a clean NTFS for DOS type environment), it also makes itself "invisible", including the Shell= entry in the registry. Had to boot to DOS and get to NTFS to knock it out (safe mode is not good enough).

My belief is that the simplest way to handle the bug is:

1) Run normal cleanups with Spybot, etc...
2) Use HJT to cleanup entries relating to hosts with IP addresses beginning in .69
3) Boot to DOS and mount the NTFS drive (i.e. NTFS for DOS) and then delete the csixi.exe, cisvvc.exe, and rdsndin.exe/dll files (get any .pf versions in the \windows\prefetch folder as well)
4) Clean out unwanted IE favorites and run scans again after booting back to Windows

Hopefully you can help out others with this bug as I was about to give up and know others that already have reformatted.

Thx

#6 ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 19 June 2005 - 11:01 PM

Thanks for your insight nrussellmn. Glad you got things cleared up.
Derfram
~~~~~~

#7 ddeerrff

    Retired


  • Malware Response Team
  • 2,725 posts
  • Gender:Male
  • Location:Upper Midwest, US

Posted 27 June 2005 - 12:17 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
Derfram
~~~~~~



