[gameprogrammer] Round 1: deleting porn

At 05:54 PM 28-08-04 +0100, you wrote:

>And getting back to Grant's original enquiry, he may find FileMon
>(http://www.sysinternals.com/ntw2k/source/filemon.shtml) useful - it
>shows all file accesses. Take a look at their other tools, RegMon is
>also incredibly useful. Finally, Pest Patrol
>(http://www.pestpatrol.com/) is currently the best spyware/adware/trojan
>remover. It even uses Heuristics and will identify things that _may_
>be dubious. It is, however, not free... You may try the free online
>scanner (http://www.pestscan.com/) to see what it finds...
>
>Neil.

"Filemon" is a wonderful tool :)  Using it, I was able to watch the porn
entries placed into the c:\windows\favorites folder a few minutes after I
deleted them - by something called "winproc3". I /think/ that's a generic
name for a batch-file thingy; I /think/ what's doing this is some script
using explorer or some standard tool. Can anyone familiar with Filemon
please interpret this log entry:

process=WINPROC3
req=DIRECTORY
path=C:\WINDOWS\FAVORITES\FREE ADULT...
result=CREATE

Here's the raw log (excuse the linewrap, I added "==" at the real
start-of-line):

==5:46:29 PM    MSGSRV32:FFFF1C5B    Attributes    C:\WINDOWS\USER.DAT    SUCCESS    SetAttributes
==5:46:29 PM    MSGSRV32:FFFF1C5B    Open          C:\WINDOWS\USER.DAT    SUCCESS    OPENEXISTING WRITEONLY COMPATIBILITY
==5:46:29 PM    MSGSRV32:FFFF1C5B    Write         C:\WINDOWS\USER.DAT    SUCCESS    Offset: 0 Length: 32
==5:46:29 PM    MSGSRV32:FFFF1C5B    Commit        C:\WINDOWS\USER.DAT    SUCCESS    NOACCESSUPDATE
==5:46:29 PM    MSGSRV32:FFFF1C5B    Seek          C:\WINDOWS\USER.DAT    SUCCESS    Beginning Offset: 540704 / New offset: 540704
==5:46:29 PM    MSGSRV32:FFFF1C5B    Write         C:\WINDOWS\USER.DAT    SUCCESS    Offset: 540704 Length: 45056
==5:46:29 PM    MSGSRV32:FFFF1C5B    Commit        C:\WINDOWS\USER.DAT    SUCCESS    NOACCESSUPDATE
==5:46:29 PM    MSGSRV32:FFFF1C5B    Seek          C:\WINDOWS\USER.DAT    SUCCESS    Beginning Offset: 0 / New offset: 0
==5:46:29 PM    MSGSRV32:FFFF1C5B    Write         C:\WINDOWS\USER.DAT    SUCCESS    Offset: 0 Length: 32
==5:46:29 PM    MSGSRV32:FFFF1C5B    Close         C:\WINDOWS\USER.DAT    SUCCESS    CLOSE_FINAL
==5:46:29 PM    MSGSRV32:FFFF1C5B    Attributes    C:\WINDOWS\USER.DAT    SUCCESS    SetAttributes
==5:46:29 PM    Incd:FFFD6943        Ioctl         D:    GENFAILURE    Subfunction: 0Dh
==5:46:34 PM    Incd:FFFD6943        Ioctl         D:    GENFAILURE    Subfunction: 0Dh
==5:46:39 PM    Incd:FFFD6943        Ioctl         D:    GENFAILURE    Subfunction: 0Dh
==5:46:44 PM    Incd:FFFD6943        Ioctl         D:    GENFAILURE    Subfunction: 0Dh
==5:46:49 PM    Incd:FFFD6943        Ioctl         D:    GENFAILURE    Subfunction: 0Dh
==5:46:54 PM    Incd:FFFD6943        Ioctl         D:    GENFAILURE    Subfunction: 0Dh
==0.00099440    Incd:FFFD6943        Ioctl         D:    GENFAILURE    Subfunction: 0Dh
==0.00099680    Incd:FFFD6943        Ioctl         D:    GENFAILURE    Subfunction: 0Dh
==5:47:10 PM    Incd:FFFD6943        Ioctl         D:    GENFAILURE    Subfunction: 0Dh
==5:47:10 PM    Winproc3:FFFD0DD3    Directory     C:\WINDOWS\FAVORITES    SUCCESS    QUERY
==5:47:10 PM    Winproc3:FFFD0DD3    Directory     C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES    SUCCESS    CREATE
==5:47:10 PM    Winproc3:FFFD0DD3    Open          C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL    SUCCESS    CREATENEW REPLACEEXISTING WRITEONLY DENYREADWRITE
==5:47:10 PM    Winproc3:FFFD0DD3    Write         C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL    SUCCESS    Offset: 0 Length: 69
==5:47:10 PM    Winproc3:FFFD0DD3    Close         C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL    SUCCESS    CLOSE_FINAL
==5:47:10 PM    Winproc3:FFFD0DD3    Open          C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\INCEST.URL    SUCCESS    CREATENEW REPLACEEXISTING WRITEONLY DENYREADWRITE
==5:47:10 PM    Winproc3:FFFD0DD3    Write         C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\INCEST.URL    SUCCESS    Offset: 0 Length: 72
==5:47:10 PM    Winproc3:FFFD0DD3    Close         C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\INCEST.URL    SUCCESS    CLOSE_FINAL
==


I can also see traces of explorer checking frequently for the existence of
that path. Something is not only telling Windows to make these folders;
that something also must have a copy, somewhere, of the contents it wants
/in/ the folders, including their names. Perhaps I could find that copy? If
I do a Windows Search for "files containing" the string "ADULT", I get nothing.

But there must be at least 3 places to attack this thing:
- it must sit in a timer list somewhere to be activated
- it must have instructions to a legitimate Windows process
- it must have a copy of what it wants created.

So: if you wanted to make some harmless app in Windows create folders if they
were missing, and do it every 5-10 minutes, where would you hide commands to
do it? The only processes running at the time of the creation were:

WINPROC3 - creating the junk
MSGSRV32 - writing to C:\WINDOWS\USER.DAT, a little earlier
"Incd" - doing an "Ioctl" to D:, often

Does any of this suggest anything?

Also I have been looking at registry entries. Chris's ref
(http://newdata.box.sk/2001/may/auto.txt) says:
"By setting it to anything other than C:\windows\start
menu\programs\startup will lead to execution of ALL and EVERY executable
inside set directory."

So, I am looking for an AUTOSTART folder entry other than "C:\windows\start
menu\programs\startup", yes? Right off, I find something in:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]

It has an entry for:
 c:\windows\start menu\programs\administrative tools

But there is no folder or program with that name (and I /do/ have hidden
files display ON). So I think I'm missing something in the instructions here?

My problem tracking this !@#$%er down is, I have no idea what it's called;
I'm sure it will have an ordinary-sounding name. So I may be looking right
at it and not recognizing it. It will be found by its actions, not its name.

Any further assistance gratefully received. I know I've passed the point of
"Just reinstall Windows and declare victory"; I /want/ this SOB, I want to
know where you can hide and still create folders and content in Favorites
every few minutes.

regards - grant
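
As an added example (not code from the message above, and not a Sysinternals tool), here is a small Python triage script for a saved FileMon log of the kind Grant pasted. It re-joins records that a mail client wrapped, drops the hand-added "==" start-of-line markers, and then answers the three questions the message is circling: which process successfully creates entries under the Favorites folder, which other processes have events at the same timestamp, and how many bytes each process wrote. The sample records are constructed from the log lines in the message (same process names, PIDs and paths), not a real capture; the set of result and disposition words the parser recognises is an assumption to be extended for other logs.

```python
"""Triage a FileMon text log: who creates entries under a watched folder,
who else was awake at that instant, and how much each process wrote.
Added example; the sample records are constructed from the posted log."""
import re
from collections import defaultdict

# A FileMon record is: time, Process:PID(hex), request, path, result, other.
# Saved logs are tab-separated, but pasted copies get re-spaced and wrapped,
# so the parser accepts any whitespace and re-joins wrapped lines first.
START_RE = re.compile(r"^(\d{1,2}:\d{2}:\d{2} [AP]M|\d+\.\d+)\s")
RECORD_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M|\d+\.\d+)\s+"
    r"(?P<proc>[^\s:]+):(?P<pid>[0-9A-Fa-f]+)\s+"
    r"(?P<req>\w+)\s+"
    r"(?P<path>.+?)\s+"   # non-greedy: paths may contain spaces
    r"(?P<result>SUCCESS|NOTFOUND|PATH NOT FOUND|ACCESS DENIED|SHARING VIOLATION|GENFAILURE)"
    r"(?:\s+(?P<other>.*))?$"
)
# Disposition words that mean "something was created" (assumed list).
CREATE_FLAGS = {"CREATE", "CREATENEW", "CREATEALWAYS", "REPLACEEXISTING"}


def unwrap(lines):
    """Re-join wrapped records. A line starts a record if it begins with a
    FileMon timestamp; a leading '==' marker (added by hand to flag real line
    starts) is dropped; anything else is glued onto the previous record."""
    records = []
    for line in lines:
        line = line.rstrip()
        if line.startswith("=="):
            line = line[2:]
        if not line.strip():
            continue
        if START_RE.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line.lstrip()
    return records


def parse_filemon(text):
    """Return a list of dicts with keys time, proc, pid, req, path, result, other."""
    out = []
    for rec in unwrap(text.splitlines()):
        m = RECORD_RE.match(rec)
        if m:
            d = m.groupdict()
            d["other"] = d["other"] or ""
            out.append(d)
    return out


def creators_under(records, folder):
    """Process -> sorted list of paths it successfully created inside `folder`."""
    prefix = folder.upper().rstrip("\\") + "\\"
    hits = defaultdict(set)
    for r in records:
        if r["result"] != "SUCCESS" or not r["path"].upper().startswith(prefix):
            continue
        if r["req"] in ("Directory", "Open", "Create") and set(r["other"].split()) & CREATE_FLAGS:
            hits[r["proc"]].add(r["path"])
    return {p: sorted(s) for p, s in hits.items()}


def concurrent_processes(records, time):
    """Every process with an event stamped `time`: who else was awake then."""
    return sorted({r["proc"] for r in records if r["time"] == time})


def bytes_written(records):
    """Process -> total of the 'Length: N' field over its Write requests."""
    totals = defaultdict(int)
    for r in records:
        if r["req"] == "Write":
            m = re.search(r"Length:\s*(\d+)", r["other"])
            if m:
                totals[r["proc"]] += int(m.group(1))
    return dict(totals)


FAV = r"C:\WINDOWS\FAVORITES"
JUNK = FAV + r"\FREE ADULT PICS AND MOVIES"
# Constructed sample modelled on the posted log. One record is deliberately
# wrapped mid-path (the "\n") to exercise unwrap().
SAMPLE_RECORDS = [
    ("5:46:29 PM", "MSGSRV32:FFFF1C5B", "Open", r"C:\WINDOWS\USER.DAT", "SUCCESS", "OPENEXISTING WRITEONLY COMPATIBILITY"),
    ("5:46:29 PM", "MSGSRV32:FFFF1C5B", "Write", r"C:\WINDOWS\USER.DAT", "SUCCESS", "Offset: 0 Length: 32"),
    ("5:46:29 PM", "MSGSRV32:FFFF1C5B", "Close", r"C:\WINDOWS\USER.DAT", "SUCCESS", "CLOSE_FINAL"),
    ("5:46:29 PM", "Incd:FFFD6943", "Ioctl", "D:", "GENFAILURE", "Subfunction: 0Dh"),
    ("5:46:34 PM", "Incd:FFFD6943", "Ioctl", "D:", "GENFAILURE", "Subfunction: 0Dh"),
    ("5:47:10 PM", "Incd:FFFD6943", "Ioctl", "D:", "GENFAILURE", "Subfunction: 0Dh"),
    ("5:47:10 PM", "Winproc3:FFFD0DD3", "Directory", FAV, "SUCCESS", "QUERY"),
    ("5:47:10 PM", "Winproc3:FFFD0DD3", "Directory", FAV + "\\FREE ADULT\nPICS AND MOVIES", "SUCCESS", "CREATE"),
    ("5:47:10 PM", "Winproc3:FFFD0DD3", "Open", JUNK + r"\ZOO.URL", "SUCCESS", "CREATENEW REPLACEEXISTING WRITEONLY DENYREADWRITE"),
    ("5:47:10 PM", "Winproc3:FFFD0DD3", "Write", JUNK + r"\ZOO.URL", "SUCCESS", "Offset: 0 Length: 69"),
    ("5:47:10 PM", "Winproc3:FFFD0DD3", "Close", JUNK + r"\ZOO.URL", "SUCCESS", "CLOSE_FINAL"),
    ("5:47:10 PM", "Winproc3:FFFD0DD3", "Open", JUNK + r"\INCEST.URL", "SUCCESS", "CREATENEW REPLACEEXISTING WRITEONLY DENYREADWRITE"),
    ("5:47:10 PM", "Winproc3:FFFD0DD3", "Write", JUNK + r"\INCEST.URL", "SUCCESS", "Offset: 0 Length: 72"),
    ("5:47:10 PM", "Winproc3:FFFD0DD3", "Close", JUNK + r"\INCEST.URL", "SUCCESS", "CLOSE_FINAL"),
]
SAMPLE_TEXT = "\n".join("\t".join(r) for r in SAMPLE_RECORDS)

if __name__ == "__main__":
    recs = parse_filemon(SAMPLE_TEXT)
    print(len(recs), "records parsed")
    for proc, paths in creators_under(recs, FAV).items():
        print(proc, "created under", FAV + ":")
        for p in paths:
            print("   ", p)
    print("active at 5:47:10 PM:", concurrent_processes(recs, "5:47:10 PM"))
    print("bytes written per process:", bytes_written(recs))
```

To use it on a real saved log, replace SAMPLE_TEXT with the file contents; the Write totals are worth a glance because a .URL shortcut of about 70 bytes fits comfortably inside a small registry value or a script, which narrows where the "copy of what it wants created" can live.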



---------------------
To unsubscribe go to http://gameprogrammer.com/mailinglist.html