[gameprogrammer] Victory! deleting porn

HAH! _GOT_ the SOB! :>

Its real name is "winproc32.exe" - there was a character missing in the
log, likely field too narrow, doh! It's the "coolwebsearch" trojan that
takes over your home page.

After i had the big fat flag from filemon, i started comparing registry
entries on my daughter's computer with entries on mine, and systematically
Googling every name she had that i didn't. When i Googled winproc32, i
found this:

<http://www.securemost.com/articles/trou_3_remove_coolwebsearch_winproc32.htm>

I deleted its registry entry, but i had to reboot in safe mode to delete
the exe file itself. "Access Denied" is not something an o/s should _ever_
tell its administrator. BTW, does anyone know an easier way to delete a
protected file?

Anyway, i also deleted all the offending crap, and rebooted, clean. Thanks
one and all, i'm declaring victory (until the next time).

carpe lucem - grant :)


At 07:35 PM 28-08-04 -0400, you wrote:
>At 05:54 PM 28-08-04 +0100, you wrote:
>
>>And getting back to Grant's original enquiry, he may find FileMon
>>(http://www.sysinternals.com/ntw2k/source/filemon.shtml) useful - it
>>shows all file accesses. Take a look at their other tools, RegMon is
>>also incredibly useful. Finally, Pest Patrol
>>(http://www.pestpatrol.com/) is currently the best spyware/adware/trojan
>>remover. It even uses Heuristics and will identify things that _may_
>>be dubious. It is, however, not free... You may try the free online
>>scanner (http://www.pestscan.com/) to see what it finds...
>>
>>Neil.
>
>"Filemon" is a wonderful tool :)  Using it, i was able to watch the porn
>entries placed into the c:\windows\favorites folder a few minutes after i
>deleted them - by something called "winproc3". I /think/ that's a generic
>name for a batch-file thingy, i /think/ what's doing this is some script
>using explorer or some standard tool. Can anyone familiar with Filemon,
>please interpret this log entry:
>
>process=WINPROC3
>req=DIRECTORY
>path=C:\WINDOWS\FAVORITES\FREE ADULT...
>result=CREATE
>
>Here's the raw log (excuse the linewrap, i added "==" at the real
>start-of-line):
>
>==5:46:29 PM   MSGSRV32:FFFF1C5B       Attributes      C:\WINDOWS\USER.DAT     
>SUCCESS
>SetAttributes  
>==5:46:29 PM   MSGSRV32:FFFF1C5B       Open    C:\WINDOWS\USER.DAT     SUCCESS
>OPENEXISTING WRITEONLY COMPATIBILITY   
>==5:46:29 PM   MSGSRV32:FFFF1C5B       Write   C:\WINDOWS\USER.DAT     SUCCESS 
>Offset: 0
>Length: 32     
>==5:46:29 PM   MSGSRV32:FFFF1C5B       Commit  C:\WINDOWS\USER.DAT     SUCCESS
>NOACCESSUPDATE 
>==5:46:29 PM   MSGSRV32:FFFF1C5B       Seek    C:\WINDOWS\USER.DAT     SUCCESS 
>Beginning
>Offset: 540704 / New offset: 540704    
>==5:46:29 PM   MSGSRV32:FFFF1C5B       Write   C:\WINDOWS\USER.DAT     SUCCESS 
>Offset:
>540704 Length: 45056   
>==5:46:29 PM   MSGSRV32:FFFF1C5B       Commit  C:\WINDOWS\USER.DAT     SUCCESS
>NOACCESSUPDATE 
>==5:46:29 PM   MSGSRV32:FFFF1C5B       Seek    C:\WINDOWS\USER.DAT     SUCCESS 
>Beginning
>Offset: 0 / New offset: 0      
>==5:46:29 PM   MSGSRV32:FFFF1C5B       Write   C:\WINDOWS\USER.DAT     SUCCESS 
>Offset: 0
>Length: 32     
>==5:46:29 PM   MSGSRV32:FFFF1C5B       Close   C:\WINDOWS\USER.DAT     SUCCESS 
>CLOSE_FINAL     
>==5:46:29 PM   MSGSRV32:FFFF1C5B       Attributes      C:\WINDOWS\USER.DAT     
>SUCCESS
>SetAttributes  
>==5:46:29 PM   Incd:FFFD6943   Ioctl   D:      GENFAILURE      Subfunction: 
>0Dh        
>==5:46:34 PM   Incd:FFFD6943   Ioctl   D:      GENFAILURE      Subfunction: 
>0Dh        
>==5:46:39 PM   Incd:FFFD6943   Ioctl   D:      GENFAILURE      Subfunction: 
>0Dh        
>==5:46:44 PM   Incd:FFFD6943   Ioctl   D:      GENFAILURE      Subfunction: 
>0Dh        
>==5:46:49 PM   Incd:FFFD6943   Ioctl   D:      GENFAILURE      Subfunction: 
>0Dh        
>==5:46:54 PM   Incd:FFFD6943   Ioctl   D:      GENFAILURE      Subfunction: 
>0Dh        
>==0.00099440   Incd:FFFD6943   Ioctl   D:      GENFAILURE      Subfunction: 
>0Dh        
>==0.00099680   Incd:FFFD6943   Ioctl   D:      GENFAILURE      Subfunction: 
>0Dh        
>==5:47:10 PM   Incd:FFFD6943   Ioctl   D:      GENFAILURE      Subfunction: 
>0Dh        
>==5:47:10 PM   Winproc3:FFFD0DD3       Directory       C:\WINDOWS\FAVORITES    
>SUCCESS QUERY   
>==5:47:10 PM   Winproc3:FFFD0DD3       Directory       
>C:\WINDOWS\FAVORITES\FREE ADULT
>PICS AND MOVIES        SUCCESS CREATE  
>==5:47:10 PM   Winproc3:FFFD0DD3       Open    C:\WINDOWS\FAVORITES\FREE ADULT 
>PICS
>AND MOVIES\ZOO.URL     SUCCESS CREATENEW REPLACEEXISTING WRITEONLY
>DENYREADWRITE   
>==5:47:10 PM   Winproc3:FFFD0DD3       Write   C:\WINDOWS\FAVORITES\FREE ADULT 
>PICS
>AND MOVIES\ZOO.URL     SUCCESS Offset: 0 Length: 69    
>==5:47:10 PM   Winproc3:FFFD0DD3       Close   C:\WINDOWS\FAVORITES\FREE ADULT 
>PICS
>AND MOVIES\ZOO.URL     SUCCESS CLOSE_FINAL     
>==5:47:10 PM   Winproc3:FFFD0DD3       Open    C:\WINDOWS\FAVORITES\FREE ADULT 
>PICS
>AND MOVIES\INCEST.URL  SUCCESS CREATENEW REPLACEEXISTING WRITEONLY
>DENYREADWRITE  
>==5:47:10 PM   Winproc3:FFFD0DD3       Write   C:\WINDOWS\FAVORITES\FREE ADULT 
>PICS
>AND MOVIES\INCEST.URL  SUCCESS Offset: 0 Length: 72    
>==5:47:10 PM   Winproc3:FFFD0DD3       Close   C:\WINDOWS\FAVORITES\FREE ADULT 
>PICS
>AND MOVIES\INCEST.URL  SUCCESS CLOSE_FINAL     
>==
>
>
>I can also see traces of explorer checking frequently for the existence of
>that path. Something is not only telling Windows to make these folders,
>that something also must have a copy, somewhere, of the contents it wants
>/in/ the folders, including their names. Perhaps i could find that copy? If
>i do a Windows Search for "files containing" the string "ADULT", i get
>nothing.
>
>But there must be at least 3 places to attack this thing:
>- it must sit in a timer list somewhere to be activated
>- it must have instructions to a legitimate Windows process
>- it must have a copy of what it wants created.
>
>So: if u wanted to make some harmless app in Windows create folders if they
>were missing, and do it every 5-10 minutes, where would u hide commands to
>do it? The only processes running at the time of the creation were:
>
>WINPROC3 - creating the junk
>MSGSRVR32 - writing to C\WINDOWS\USER.DAT, a little earlier
>"Incd" - doing an "Ioctl" to D:, often
>
>Does any of this suggest anything?
>
>Also i have been looking at registry entries. Chris's ref
>(http://newdata.box.sk/2001/may/auto.txt) says:
>"By setting it to anything other than C:\windows\start
>menu\programs\startup will lead to execution of ALL and EVERY executable
>inside set directory."
>
>So, i am looking for an AUTOSTART folder entry other than "C:\windows\start
>menu\programs\startup", yes? Right off, i find something in:
>
>[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell
>Folders]
>
>It has an entry for:
> c:\windoes\start menu\programs\administrative tools
>
>But there is no folder or program with that name (and i /do/ have hidden
>files display ON). So i think i'm missing something in the instructions here?
>
>My problem tracking this !@#$%er down is, i have no idea what it's called,
>i'm sure it will have an ordinary-sounding name. So i may be looking right
>at it and not recognizing it. It will be found by its actions, not its name.
>
>Any further assistance gratefully received. I know i've passed the point of
>"Just reinstall Windows and declare victory", i /want/ this SOB, i want to
>know where u can hide and still create folders and content in Favorites
>every few minutes. 
>
>regards - grant
>
>
>
>---------------------
>To unsubscribe go to http://gameprogrammer.com/mailinglist.html
>
>
>
>
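The "found by its actions, not its name" idea from the quoted message, as an added example that is not part of the thread: a small parser for FileMon-style log lines that reports which process creates folders or files under a watched directory such as Favorites. The log sample is constructed in the same column layout as the one quoted above (tab-delimited here for clarity); process ids and the Explorer line are made up.

```python
from collections import defaultdict

# Constructed sample in FileMon's column order: time, process:id, request,
# path, result, other. Only Winproc3 actually creates anything in Favorites;
# Explorer merely queries the folder, which is normal behaviour.
SAMPLE_LOG = """\
5:46:29 PM\tMSGSRV32:FFFF1C5B\tOpen\tC:\\WINDOWS\\USER.DAT\tSUCCESS\tOPENEXISTING WRITEONLY
5:46:29 PM\tIncd:FFFD6943\tIoctl\tD:\tGENFAILURE\tSubfunction: 0Dh
5:47:10 PM\tWinproc3:FFFD0DD3\tDirectory\tC:\\WINDOWS\\FAVORITES\tSUCCESS\tQUERY
5:47:10 PM\tWinproc3:FFFD0DD3\tDirectory\tC:\\WINDOWS\\FAVORITES\\FREE ADULT PICS AND MOVIES\tSUCCESS\tCREATE
5:47:10 PM\tWinproc3:FFFD0DD3\tOpen\tC:\\WINDOWS\\FAVORITES\\FREE ADULT PICS AND MOVIES\\SAMPLE.URL\tSUCCESS\tCREATENEW REPLACEEXISTING WRITEONLY
5:47:10 PM\tWinproc3:FFFD0DD3\tWrite\tC:\\WINDOWS\\FAVORITES\\FREE ADULT PICS AND MOVIES\\SAMPLE.URL\tSUCCESS\tOffset: 0 Length: 69
5:47:10 PM\tExplorer:FFFE1234\tDirectory\tC:\\WINDOWS\\FAVORITES\tSUCCESS\tQUERY
"""


def parse_filemon(text):
    """Split tab-delimited FileMon lines into dicts; short/garbled lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 5:
            continue
        events.append({
            "time": fields[0],
            "process": fields[1].split(":")[0],   # drop the hex process id
            "request": fields[2],
            "path": fields[3],
            "result": fields[4],
            "other": fields[5] if len(fields) > 5 else "",
        })
    return events


def creators_under(events, folder):
    """Map process name -> paths it successfully created below `folder`."""
    prefix = folder.lower().rstrip("\\") + "\\"
    hits = defaultdict(list)
    for e in events:
        if e["result"] != "SUCCESS" or not e["path"].lower().startswith(prefix):
            continue
        # "CREATE" marks a new directory, "CREATENEW" a new file on Open.
        if any(tok in ("CREATE", "CREATENEW") for tok in e["other"].upper().split()):
            hits[e["process"]].append(e["path"])
    return dict(hits)


if __name__ == "__main__":
    for proc, paths in creators_under(parse_filemon(SAMPLE_LOG), "C:\\WINDOWS\\FAVORITES").items():
        print(proc, "created", len(paths), "item(s):", *paths, sep="\n  ")
```

Feeding a real FileMon export through this is a quick way to see which process names deserve the registry/Google comparison the first message describes.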


