[gameprogrammer] Re: Victory! deleting porn

Congrats, although I would've used "Hijack This!" to look at the registry
entries. You should have been able to guess which ones were wrong from
that.

Rob

----- Original Message ----- 
From: "grant hallman" <unilogic@xxxxxxxxx>
To: <gameprogrammer@xxxxxxxxxxxxx>
Sent: Sunday, August 29, 2004 4:24 AM
Subject: [gameprogrammer] Victory! deleting porn


> HAH! _GOT_ the SOB! :>
>
> Its real name is "winproc32.exe" - there was a character missing in the
> log, likely the field was too narrow, doh! It's the "coolwebsearch" trojan
> that takes over your home page.
>
> After I had the big fat flag from FileMon, I started comparing registry
> entries on my daughter's computer with entries on mine, and systematically
> Googling every name she had that I didn't. When I Googled winproc32, I
> found this:
>
> <http://www.securemost.com/articles/trou_3_remove_coolwebsearch_winproc32.htm>
>
> I deleted its registry entry, but I had to reboot in safe mode to delete
> the exe file itself. "Access Denied" is not something an o/s should _ever_
> tell its administrator. BTW, does anyone know an easier way to delete a
> protected file?
>
> Anyway, I also deleted all the offending crap, and rebooted, clean. Thanks
> one and all, I'm declaring victory (until the next time).
>
> carpe lucem - grant :)
>
>
> At 07:35 PM 28-08-04 -0400, you wrote:
>>At 05:54 PM 28-08-04 +0100, you wrote:
>>
>>>And getting back to Grant's original enquiry, he may find FileMon
>>>(http://www.sysinternals.com/ntw2k/source/filemon.shtml) useful - it
>>>shows all file accesses. Take a look at their other tools; RegMon is
>>>also incredibly useful. Finally, Pest Patrol
>>>(http://www.pestpatrol.com/) is currently the best spyware/adware/trojan
>>>remover. It even uses heuristics and will identify things that _may_
>>>be dubious. It is, however, not free... You may try the free online
>>>scanner (http://www.pestscan.com/) to see what it finds...
>>>
>>>Neil.
>>
>>"FileMon" is a wonderful tool :)  Using it, I was able to watch the porn
>>entries placed into the c:\windows\favorites folder a few minutes after I
>>deleted them - by something called "winproc3". I /think/ that's a generic
>>name for a batch-file thingy; I /think/ what's doing this is some script
>>using explorer or some standard tool. Can anyone familiar with FileMon
>>please interpret this log entry:
>>
>>process=WINPROC3
>>req=DIRECTORY
>>path=C:\WINDOWS\FAVORITES\FREE ADULT...
>>result=CREATE
>>
>>Here's the raw log (excuse the linewrap; I added "==" at the real
>>start-of-line):
>>
>>==5:46:29 PM MSGSRV32:FFFF1C5B Attributes C:\WINDOWS\USER.DAT SUCCESS SetAttributes
>>==5:46:29 PM MSGSRV32:FFFF1C5B Open C:\WINDOWS\USER.DAT SUCCESS OPENEXISTING WRITEONLY COMPATIBILITY
>>==5:46:29 PM MSGSRV32:FFFF1C5B Write C:\WINDOWS\USER.DAT SUCCESS Offset: 0 Length: 32
>>==5:46:29 PM MSGSRV32:FFFF1C5B Commit C:\WINDOWS\USER.DAT SUCCESS NOACCESSUPDATE
>>==5:46:29 PM MSGSRV32:FFFF1C5B Seek C:\WINDOWS\USER.DAT SUCCESS Beginning Offset: 540704 / New offset: 540704
>>==5:46:29 PM MSGSRV32:FFFF1C5B Write C:\WINDOWS\USER.DAT SUCCESS Offset: 540704 Length: 45056
>>==5:46:29 PM MSGSRV32:FFFF1C5B Commit C:\WINDOWS\USER.DAT SUCCESS NOACCESSUPDATE
>>==5:46:29 PM MSGSRV32:FFFF1C5B Seek C:\WINDOWS\USER.DAT SUCCESS Beginning Offset: 0 / New offset: 0
>>==5:46:29 PM MSGSRV32:FFFF1C5B Write C:\WINDOWS\USER.DAT SUCCESS Offset: 0 Length: 32
>>==5:46:29 PM MSGSRV32:FFFF1C5B Close C:\WINDOWS\USER.DAT SUCCESS CLOSE_FINAL
>>==5:46:29 PM MSGSRV32:FFFF1C5B Attributes C:\WINDOWS\USER.DAT SUCCESS SetAttributes
>>==5:46:29 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>>==5:46:34 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>>==5:46:39 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>>==5:46:44 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>>==5:46:49 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>>==5:46:54 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>>==0.00099440 Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>>==0.00099680 Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>>==5:47:10 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
>>==5:47:10 PM Winproc3:FFFD0DD3 Directory C:\WINDOWS\FAVORITES SUCCESS QUERY
>>==5:47:10 PM Winproc3:FFFD0DD3 Directory C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES SUCCESS CREATE
>>==5:47:10 PM Winproc3:FFFD0DD3 Open C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL SUCCESS CREATENEW REPLACEEXISTING WRITEONLY DENYREADWRITE
>>==5:47:10 PM Winproc3:FFFD0DD3 Write C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL SUCCESS Offset: 0 Length: 69
>>==5:47:10 PM Winproc3:FFFD0DD3 Close C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL SUCCESS CLOSE_FINAL
>>==5:47:10 PM Winproc3:FFFD0DD3 Open C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\INCEST.URL SUCCESS CREATENEW REPLACEEXISTING WRITEONLY DENYREADWRITE
>>==5:47:10 PM Winproc3:FFFD0DD3 Write C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\INCEST.URL SUCCESS Offset: 0 Length: 72
>>==5:47:10 PM Winproc3:FFFD0DD3 Close C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\INCEST.URL SUCCESS CLOSE_FINAL
>>==
>>
>>
>>I can also see traces of explorer checking frequently for the existence of
>>that path. Something is not only telling Windows to make these folders,
>>that something also must have a copy, somewhere, of the contents it wants
>>/in/ the folders, including their names. Perhaps I could find that copy? If
>>I do a Windows Search for "files containing" the string "ADULT", I get
>>nothing.
>>
>>But there must be at least 3 places to attack this thing:
>>- it must sit in a timer list somewhere to be activated
>>- it must have instructions to a legitimate Windows process
>>- it must have a copy of what it wants created.
>>
>>So: if you wanted to make some harmless app in Windows create folders if they
>>were missing, and do it every 5-10 minutes, where would you hide commands to
>>do it? The only processes running at the time of the creation were:
>>
>>WINPROC3 - creating the junk
>>MSGSRV32 - writing to C:\WINDOWS\USER.DAT, a little earlier
>>"Incd" - doing an "Ioctl" to D:, often
>>
>>Does any of this suggest anything?
>>
>>Also I have been looking at registry entries. Chris's ref
>>(http://newdata.box.sk/2001/may/auto.txt) says:
>>"By setting it to anything other than C:\windows\start
>>menu\programs\startup will lead to execution of ALL and EVERY executable
>>inside set directory."
>>
>>So, I am looking for an AUTOSTART folder entry other than "C:\windows\start
>>menu\programs\startup", yes? Right off, I find something in:
>>
>>[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
>>
>>It has an entry for:
>> c:\windows\start menu\programs\administrative tools
>>
>>But there is no folder or program with that name (and I /do/ have hidden
>>files display ON). So I think I'm missing something in the instructions here?
>>
>>My problem tracking this !@#$%er down is, I have no idea what it's called;
>>I'm sure it will have an ordinary-sounding name. So I may be looking right
>>at it and not recognizing it. It will be found by its actions, not its name.
>>
>>Any further assistance gratefully received. I know I've passed the point of
>>"Just reinstall Windows and declare victory", I /want/ this SOB, I want to
>>know where you can hide and still create folders and content in Favorites
>>every few minutes.
>>
>>regards - grant
>>
>>
>>
>>---------------------
>>To unsubscribe go to http://gameprogrammer.com/mailinglist.html

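Grant's point that the thing "will be found by its actions, not its name" is what the FileMon excerpt above actually demonstrates: the process name was truncated, but the CREATE dispositions under Favorites were unmistakable. The script below is an added example, not code from the thread or from Sysinternals: it parses FileMon-style text lines and reports, per process, which paths it successfully created under a watched folder. The sample log is constructed here, modelled on the quoted excerpt (same process names and paths, plus an added EXPLORER read-only open that must not be flagged); the line pattern and the set of result tokens are assumptions about FileMon's text export, not a documented grammar.

```python
"""Attribute file creations in a watched folder to the process that made them,
from FileMon-style text log lines. Added example; not from the thread."""
import re
from collections import defaultdict

# One FileMon text line: <time> <process>:<id> <operation> <path> <result> [<detail>].
# The result column is restricted to known result tokens so that spaces inside
# a path (e.g. "FREE ADULT PICS AND MOVIES") cannot be mistaken for the end of
# the path. The token set is an assumption about FileMon's export format.
LINE_RE = re.compile(
    r"^(?P<time>\d+:\d\d:\d\d [AP]M|\d+\.\d+) "
    r"(?P<proc>[^:\s]+):(?P<pid>[0-9A-Fa-f]+) "
    r"(?P<op>\S+) "
    r"(?P<path>.+?) "
    r"(?P<result>SUCCESS|GENFAILURE|NOTFOUND|ACCESSDENIED|SHARING|BUFOVRFLOW)"
    r"(?: (?P<detail>.*))?$"
)

# Constructed sample log, modelled on the excerpt quoted in the thread. The
# EXPLORER line is added to show a read-only open that must not be flagged.
SAMPLE_LOG = r"""
5:46:29 PM MSGSRV32:FFFF1C5B Open C:\WINDOWS\USER.DAT SUCCESS OPENEXISTING WRITEONLY COMPATIBILITY
5:46:29 PM MSGSRV32:FFFF1C5B Write C:\WINDOWS\USER.DAT SUCCESS Offset: 0 Length: 32
5:47:10 PM Incd:FFFD6943 Ioctl D: GENFAILURE Subfunction: 0Dh
5:47:10 PM Winproc3:FFFD0DD3 Directory C:\WINDOWS\FAVORITES SUCCESS QUERY
5:47:10 PM Winproc3:FFFD0DD3 Directory C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES SUCCESS CREATE
5:47:10 PM Winproc3:FFFD0DD3 Open C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL SUCCESS CREATENEW REPLACEEXISTING WRITEONLY DENYREADWRITE
5:47:10 PM Winproc3:FFFD0DD3 Write C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL SUCCESS Offset: 0 Length: 69
5:47:10 PM Winproc3:FFFD0DD3 Close C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL SUCCESS CLOSE_FINAL
5:47:11 PM EXPLORER:FFFD1A22 Open C:\WINDOWS\FAVORITES\FREE ADULT PICS AND MOVIES\ZOO.URL SUCCESS OPENEXISTING READONLY
"""


def parse_filemon(text):
    """Return a list of dicts (time, proc, pid, op, path, result, detail).
    Lines that do not match the format are skipped rather than fatal, so a
    wrapped or truncated line does not lose the rest of the log."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        records.append(m.groupdict())
    return records


def creators_under(records, folder):
    """Map process name -> sorted paths it successfully created under `folder`.
    A creation is a SUCCESS Directory/Open whose detail carries a CREATE*
    disposition token (CREATE, CREATENEW); queries and plain opens are ignored,
    so a process that merely reads the junk is not blamed for writing it."""
    prefix = folder.rstrip("\\").upper() + "\\"
    hits = defaultdict(set)
    for r in records:
        if r["result"] != "SUCCESS" or r["op"] not in ("Directory", "Open"):
            continue
        tokens = (r["detail"] or "").upper().split()
        if not any(t.startswith("CREATE") for t in tokens):
            continue
        if r["path"].upper().startswith(prefix):
            hits[r["proc"]].add(r["path"])
    return {proc: sorted(paths) for proc, paths in sorted(hits.items())}


if __name__ == "__main__":
    report = creators_under(parse_filemon(SAMPLE_LOG), r"C:\WINDOWS\FAVORITES")
    for proc, paths in report.items():
        print(proc)
        for p in paths:
            print("   ", p)
```

Run against the constructed sample it names only Winproc3, with the folder and the .URL file it created; MSGSRV32 (writing the registry hive) and the read-only EXPLORER open drop out. Pointing it at a real FileMon export of a whole session gives the short list of processes worth looking up, whatever they happen to be called.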