[gameprogrammer] Re: Victory! deleting porn

At 08:49 PM 28-08-04 -0700, you wrote:
>that you have defeated spyware/addware/a virus gives us all hope, i woulda
>just reformatted.
>
>fight on good sir knight (:

You're right, re-installing Windoze would have been easier and faster. But
this way, i found out about filemon and the other great tools :) Plus two
other reasons:

(1) This reduces my eventual stay in purgatory by 3 days - the standard
karmic debt incurred by installing /any/ M$ o/s. Well, that's for a re-in,
a new install is a full week ;)

(2) They put porn in front of my daughter. She's 26 and can certainly
handle the crap herself. But it _pisses_me_off_. Think of it as Revenge of
the Dad  - not something to trifle with. <sound of blade honing on Arkansas
whetstone>...

cheers - grant


>----- Original Message ----- 
>From: "grant hallman" <unilogic@xxxxxxxxx>
>To: <gameprogrammer@xxxxxxxxxxxxx>
>Sent: Saturday, August 28, 2004 8:24 PM
>Subject: [gameprogrammer] Victory! deleting porn
>
>
>> HAH! _GOT_ the SOB! :>
>>
>> Its real name is "winproc32.exe" - there was a character missing in the
>> log, likely field too narrow, doh! It's the "coolwebsearch" trojan that
>> takes over your home page.
>>
>> After i had the big fat flag from filemon, i started comparing registry
>> entries on my daughter's computer with entries on mine, and systematically
>> Googling every name she had that i didn't. When i Googled winproc32, i
>> found this:
>>
>>
>> <http://www.securemost.com/articles/trou_3_remove_coolwebsearch_winproc32.htm>
>>
>> I deleted its registry entry, but i had to reboot in safe mode to delete
>> the exe file itself. "Access Denied" is not something an o/s should _ever_
>> tell its administrator. BTW, does anyone know an easier way to delete a
>> protected file?
>>
>> Anyway, i also deleted all the offending crap, and rebooted, clean. Thanks
>> one and all, i'm declaring victory (until the next time).
>>
>> carpe lucem - grant :)
>>
>>
>> At 07:35 PM 28-08-04 -0400, you wrote:
>> >At 05:54 PM 28-08-04 +0100, you wrote:
>> >
>> >>And getting back to Grant's original enquiry, he may find FileMon
>> >>(http://www.sysinternals.com/ntw2k/source/filemon.shtml) useful - it
>> >>shows all file accesses. Take a look at their other tools, RegMon is
>> >>also incredibly useful. Finally, Pest Patrol
>> >>(http://www.pestpatrol.com/) is currently the best spyware/adware/trojan
>> >>remover. It even uses Heuristics and will identify things that _may_
>> >>be dubious. It is, however, not free... You may try the free online
>> >>scanner (http://www.pestscan.com/) to see what it finds...
>> >>
>> >>Neil.
>> >
>> >"Filemon" is a wonderful tool :)  Using it, i was able to watch the porn
>> >entries placed into the c:\windows\favorites folder a few minutes after i
>> >deleted them - by something called "winproc3". I /think/ that's a generic
>> >name for a batch-file thingy, i /think/ what's doing this is some script
>> >using explorer or some standard tool. Can anyone familiar with Filemon,
>> >please interpret this log entry:
>> >
>> >process=WINPROC3
>> >req=DIRECTORY
>> >path=C:\WINDOWS\FAVORITES\FREE ADULT...
>> >result=CREATE
>> >
>> >Here's the raw log (excuse the linewrap, i added "==" at the real
>> >start-of-line):
>> >
>> >==5:46:29 PM MSGSRV32:FFFF1C5B Attributes C:\WINDOWS\USER.DAT SUCCESS SetAttributes
>> >==5:46:29 PM MSGSRV32:FFFF1C5B Open C:\WINDOWS\USER.DAT SUCCESS OPENEXISTING WRITEONLY COMPATIBILITY
>> >==5:46:29 PM MSGSRV32:FFFF1C5B Write C:\WINDOWS\USER.DAT SUCCESS Offset: 0 Length: 32
>> >==5:46:29 PM MSGSRV32:FFFF1C5B Commit C:\WINDOWS\USER.DAT SUCCESS NOACCESSUPDATE
>> >==5:46:29 PM MSGSRV32:FFFF1C5B Seek C:\WINDOWS\USER.DAT SUCCESS Beginning Offset: 540704 / New offset: 540704
>> >==5:46:29 PM MSGSRV32:FFFF1C5B Write C:\WINDOWS\USER.DAT SUCCESS Offset: 540704 Length: 45056
>> >==5:46:29 PM MSGSRV32:FFFF1C5B Commit C:\WINDOWS\USER.DAT SUCCESS NOACCESSUPDATE
>> >==5:46:29 PM MSGSRV32:FFFF1C5B Seek C:\WINDOWS\USER.DAT SUCCESS Beginning Offset: 0 / New offset: 0
>> >==5:46:29 PM MSGSRV32:FFFF1C5B Write C:\WINDOWS\USER.DAT SUCCESS Offset: 0 Length: 32
>> >==5:46:29 PM MSGSRV32:FFFF1C5B Close C:\WINDOWS\USER.DAT SUCCESS CLOSE_FINAL
>> >==5:46:29 PM MSGSRV32:FFFF1C5B Attributes C:\WINDOWS\USER.DAT SUCCESS SetAttributes
>> >==5:46:29 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>> >==5:46:34 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>> >==5:46:39 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>> >==5:46:44 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>> >==5:46:49 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>> >==5:46:54 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>> >==0.00099440 Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>> >==0.00099680 Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>> >==5:47:10 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>> >==5:47:10 PM Winproc3:FFFD0DD3 Directory C:\WINDOWS\FAVORITES SUCCESS QUERY
>> >==5:47:10 PM Winproc3:FFFD0DD3 Directory C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES SUCCESS CREATE
>> >==5:47:10 PM Winproc3:FFFD0DD3 Open C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL SUCCESS CREATENEW REPLACEEXISTING WRITEONLY DENYREADWRITE
>> >==5:47:10 PM Winproc3:FFFD0DD3 Write C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL SUCCESS Offset: 0 Length: 69
>> >==5:47:10 PM Winproc3:FFFD0DD3 Close C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL SUCCESS CLOSE_FINAL
>> >==5:47:10 PM Winproc3:FFFD0DD3 Open C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\INCEST.URL SUCCESS CREATENEW REPLACEEXISTING WRITEONLY DENYREADWRITE
>> >==5:47:10 PM Winproc3:FFFD0DD3 Write C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\INCEST.URL SUCCESS Offset: 0 Length: 72
>> >==5:47:10 PM Winproc3:FFFD0DD3 Close C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\INCEST.URL SUCCESS CLOSE_FINAL
>> >==
>> >
>> >
>> >I can also see traces of explorer checking frequently for the existence of
>> >that path. Something is not only telling Windows to make these folders,
>> >that something also must have a copy, somewhere, of the contents it wants
>> >/in/ the folders, including their names. Perhaps i could find that copy? If
>> >i do a Windows Search for "files containing" the string "ADULT", i get
>> >nothing.
>> >
>> >But there must be at least 3 places to attack this thing:
>> >- it must sit in a timer list somewhere to be activated
>> >- it must have instructions to a legitimate Windows process
>> >- it must have a copy of what it wants created.
>> >
>> >So: if u wanted to make some harmless app in Windows create folders if they
>> >were missing, and do it every 5-10 minutes, where would u hide commands to
>> >do it? The only processes running at the time of the creation were:
>> >
>> >WINPROC3 - creating the junk
>> >MSGSRVR32 - writing to C\WINDOWS\USER.DAT, a little earlier
>> >"Incd" - doing an "Ioctl" to D:, often
>> >
>> >Does any of this suggest anything?
>> >
>> >Also i have been looking at registry entries. Chris's ref
>> >(http://newdata.box.sk/2001/may/auto.txt) says:
>> >"By setting it to anything other than C:\windows\start
>> >menu\programs\startup will lead to execution of ALL and EVERY executable
>> >inside set directory."
>> >
>> >So, i am looking for an AUTOSTART folder entry other than "C:\windows\start
>> >menu\programs\startup", yes? Right off, i find something in:
>> >
>> >[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
>> >
>> >It has an entry for:
>> > c:\windoes\start menu\programs\administrative tools
>> >
>> >But there is no folder or program with that name (and i /do/ have hidden
>> >files display ON). So i think i'm missing something in the instructions here?
>> >
>> >My problem tracking this !@#$%er down is, i have no idea what it's called,
>> >i'm sure it will have an ordinary-sounding name. So i may be looking right
>> >at it and not recognizing it. It will be found by its actions, not its name.
>> >
>> >Any further assistance gratefully received. I know i've passed the point of
>> >"Just reinstall Windows and declare victory", i /want/ this SOB, i want to
>> >know where u can hide and still create folders and content in Favorites
>> >every few minutes.
>> >
>> >regards - grant
>> >
>> >
>> >
>> >---------------------
>> >To unsubscribe go to http://gameprogrammer.com/mailinglist.html
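An added detection example, not code from the thread or from the Sysinternals tools it mentions: it parses Filemon lines in the format Grant pasted and reports which processes, other than an allowlisted Explorer, successfully created or wrote anything under the Favorites folder. The sample lines, the list of result tokens and the allowlist are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the Filemon (Windows 9x) line format quoted in the thread:
# "<time> <process>:<id> <request> <path> <result> <details>". Not real captured data.
SAMPLE_LOG = """\
5:46:29 PM MSGSRV32:FFFF1C5B Write C:\\WINDOWS\\USER.DAT SUCCESS Offset: 0 Length: 32
5:47:10 PM Winproc3:FFFD0DD3 Directory C:\\WINDOWS\\FAVORITES SUCCESS QUERY
5:47:10 PM Winproc3:FFFD0DD3 Directory C:\\WINDOWS\\FAVORITES\\FREE ADULT PICS AND MOVIES SUCCESS CREATE
5:47:10 PM Winproc3:FFFD0DD3 Open C:\\WINDOWS\\FAVORITES\\FREE ADULT PICS AND MOVIES\\ZOO.URL SUCCESS CREATENEW REPLACEEXISTING WRITEONLY DENYREADWRITE
5:47:10 PM Winproc3:FFFD0DD3 Write C:\\WINDOWS\\FAVORITES\\FREE ADULT PICS AND MOVIES\\ZOO.URL SUCCESS Offset: 0 Length: 69
5:47:11 PM Explorer:FFFD1111 Directory C:\\WINDOWS\\FAVORITES SUCCESS QUERY
5:47:15 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
"""

# Assumption: only the result tokens seen in the thread plus two common Filemon ones.
LINE_RE = re.compile(
    r"^(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) (?P<process>[^:\s]+):(?P<pid>[0-9A-Fa-f]+) "
    r"(?P<request>\S+) (?P<path>.*?) (?P<result>SUCCESS|GENFAILURE|NOTFOUND|ACCESSDENIED)"
    r"(?: (?P<details>.*))?$"
)

def parse_line(line):
    """Split one Filemon line into its fields; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip().lstrip("="))  # tolerate the '==' marker grant added
    return m.groupdict() if m else None

def is_write(entry):
    """True if the entry changes the filesystem (new dir/file, write, delete, attributes)."""
    req, details = entry["request"], entry["details"] or ""
    if req in ("Write", "Delete", "SetAttributes"):
        return True
    if req == "Directory" and details.startswith("CREATE"):
        return True
    return req == "Open" and "CREATENEW" in details

def find_writers(log_text, watched_prefix="C:\\WINDOWS\\FAVORITES\\", allowed=("EXPLORER",)):
    """Map each non-allowlisted process to its successful writes under watched_prefix."""
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if not e or e["result"] != "SUCCESS" or not is_write(e):
            continue  # unparsable, failed, or read-only (QUERY/Seek/Close) entries are ignored
        if not e["path"].upper().startswith(watched_prefix.upper()):
            continue
        proc = e["process"].upper()
        if proc not in allowed:
            hits[proc].append((e["time"], e["request"], e["path"]))
    return dict(hits)
```

Run over the sample, `find_writers(SAMPLE_LOG)` names only WINPROC3, with its directory CREATE, CREATENEW open and Write, which is the same signal Grant picked out of the log by eye.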
