

Messages - nania

1
Tech Clinic / All my .dat files show type "Video cd Movie"
« on: January 12, 2008, 09:26:17 PM »
It's probably just the installer version that is v1. I just ran combofix and will try the network again. I will disable the WAN so as to stop downloads and alternative data streams and try again.

2
Tech Clinic / All my .dat files show type "Video cd Movie"
« on: January 12, 2008, 06:22:13 PM »
No can do. Windows Explorer is inoperable when I boot the network. Why does the version you linked me to claim to be v1?

3
Tech Clinic / All my .dat files show type "Video cd Movie"
« on: January 12, 2008, 09:27:53 AM »
Thanks for looking over my introduction. Here is the latest HJT log on the Barton:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:53:36 AM, on 1/12/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
Boot mode: Safe mode with network support

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\dmadmin.exe
D:\WINDOWS\Explorer.EXE
D:\Documents and Settings\Administrator.TEMP-7KNDXUB9ET\Desktop\HiJackThis_v2.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [ShutdownEventCheck] %systemroot%\system32\dumprep 0 -s
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O15 - ESC Trusted Zone: http://www.0spam.com
O15 - ESC Trusted Zone: http://forums.######.com
O15 - ESC Trusted Zone: http://www.andale.com
O15 - ESC Trusted Zone: http://www.download.com
O15 - ESC Trusted Zone: http://www.dsldepot.com
O15 - ESC Trusted Zone: http://support.gateway.com
O15 - ESC Trusted Zone: http://search.irs.gov
O15 - ESC Trusted Zone: http://www.irs.gov
O15 - ESC Trusted Zone: http://www.learnflash.com
O15 - ESC Trusted Zone: http://www.learnoffice2003.com
O15 - ESC Trusted Zone: http://www.learnsqlserver.com
O15 - ESC Trusted Zone: http://www.learnwebdevelopment.com
O15 - ESC Trusted Zone: http://www.learnwindowsserver.com
O15 - ESC Trusted Zone: http://mail01.mail.com
O15 - ESC Trusted Zone: http://auto.search.msn.com
O15 - ESC Trusted Zone: http://by101fd.bay101.Email Removed.msn.com
O15 - ESC Trusted Zone: http://by24fd.bay24.Email Removed.msn.com
O15 - ESC Trusted Zone: http://by2fd.bay2.Email Removed.msn.com
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://webmailb.netzero.net
O15 - ESC Trusted Zone: http://loginnet.passport.com
O15 - ESC Trusted Zone: http://login.passport.net
O15 - ESC Trusted Zone: http://www.tax.state.ny.us
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://www.zinncycles.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O15 - ESC Trusted IP range: 192.168.0.1
O15 - ESC Trusted IP range: http://192.168.1.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - D:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - D:\WINDOWS\system32\browseui.dll
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 4170 bytes

I've made some progress but CWShredder informed me that I had a Coolweb variant and started with a random text. I also have rootcheck and other logs in the event you want to take this on.
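A small triage helper for the HijackThis log format quoted above, added here as an example and not code from this thread or from HijackThis itself. It assumes the v2 line layout shown (`O<n> - <label>: <detail>`, with Explorer listed under running processes) and only flags entries for a human to review: O15 Trusted Zone entries, which relax IE security for that origin, and O4 autoruns that resolve through an environment variable or live on a drive other than the Windows volume (D: in this log, so the EPoX entry on C: is flagged for verification, not condemned).

```python
import re
# Constructed sample in HijackThis v2 log format; lines copied from the log quoted above, trimmed.
SAMPLE_LOG = r"""D:\WINDOWS\Explorer.EXE
O4 - HKLM\..\Run: [EPoXUSDM] "C:\Program files\EPoX\USDM\USDM.EXE" "5000"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [swg] D:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O15 - ESC Trusted Zone: http://www.download.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
"""

ITEM_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")  # "O4 - HKLM\..\Run: <detail>"
RUN_RE = re.compile(r"^\[([^\]]+)\] (.*)$")         # "[Name] command line"

def parse_hjt(text):
    """Return (Windows drive letter, [(section, label, detail), ...])."""
    items, windows_drive = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ITEM_RE.match(line)
        if m:
            items.append(m.groups())
        elif windows_drive is None and line.lower().endswith("explorer.exe"):
            windows_drive = line[0].upper()  # Explorer runs from the Windows volume
    return windows_drive, items

def autorun_path(detail):
    # Split an O4 "[Name] command" entry into (name, executable path).
    m = RUN_RE.match(detail)
    if not m:
        return None, None  # e.g. "Global Startup: foo.lnk = ..." entries
    name, cmd = m.group(1), m.group(2).strip()
    if cmd.startswith('"'):  # quoted path, possibly followed by arguments
        return name, cmd[1:cmd.index('"', 1)]
    k = cmd.lower().find(".exe")  # unquoted: cut after .exe, else first token
    return name, (cmd[:k + 4] if k >= 0 else cmd.split(" ")[0])

def triage(text):
    # Summarise the entries a reviewer should look at first; flags, does not judge.
    windows_drive, items = parse_hjt(text)
    report = {"counts": {}, "trusted_zones": [], "envvar_autoruns": [], "offdrive_autoruns": []}
    for section, label, detail in items:
        report["counts"][section] = report["counts"].get(section, 0) + 1
        if section == "O15":  # every entry relaxes IE security for that origin
            report["trusted_zones"].append(detail)
        elif section == "O4" and label.endswith(("Run", "RunOnce")):
            name, path = autorun_path(detail)
            if path and path.startswith("%"):  # resolved through an environment variable
                report["envvar_autoruns"].append(name)
            elif path and windows_drive and path[:1].upper() != windows_drive:
                report["offdrive_autoruns"].append((name, path))  # verify by hand
    return report
```

Run `triage(open("hijackthis.log").read())` on a full log to get the same summary for every section the scan lists; the counts show which sections are unusually populated.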

4
Tech Clinic / All my .dat files show type "Video cd Movie"
« on: January 10, 2008, 06:16:15 AM »
I am running a small test network with the following three boxes:
PPC 7100/80 136MB with Yellow Dog Pomona (broken by last Gnome update)
Dual P3-500 1024MB with W2K3sp2 IE7 5730.13 and no additional security updates (control box)
NF2 Barton-2500 1024MB with W2K3sp2 IE7 5730.13 and no additional security updates (afflicted box)
I afflicted the Barton with an "h-bomb" (multiple viruses, worms, trojans and adware) installation as root on the NF2. I then waited 180 seconds and forced a shutdown on it. The file was allegedly a Newsbin Pro crack in a .rar archive but we knew better :)

I then opened a read only share on the Dual-P3 only for registered users and rebooted the Barton. Immediately, the network started flowing packets and the outerinfo malware started the popups. I removed the outerinfo malware and some of the easier catches with the smithfraudfix but the network was still active so I tried shutting down. The response became veeeerrrrrrrry slow and after about 5 minutes of watching a dark monitor I shut off the power (soft switch). I checked the latest modification dates on the Dual-P3 and it appeared unaffected.

I rebooted into safe mode on the Barton and ran the latest Vundofix. Lots of stuff came out and HiJackThis gave a nice short list with only a few problematic files:
exm.exe
superfindout.exe
wmsyspr9.pxy
swg.dll/sl.exe
and a few other Trojan variants.
I thought this would be a good test of the Dual-P3 resistance on the private LAN so I restarted the Barton in safe mode with networking but didn't log on to the share. As before the packets started flowing so I tried to shutdown the Barton and once again the response became veeeerrrry slow. The one notable difference was that the network traffic seemed to stop, so I went home and left the machines running till morning. When I returned the following day, I discovered the wmsyspr9.prx file on the Dual-P3! I immediately tried to shutdown the Barton and again, the shutdown needed to be forced.

I restarted the Barton in safe mode, did checkdisk on all the volumes (some required reboot) and went about removing the remaining files noted above. I also checked the Dual-P3 for infection and found nothing. I deleted the wmsyspr9.prx from the Dual-P3. I returned to the Barton, ran combofix and carefully removed the related keys from the registry. I then rebooted into safe mode and ran the programs again to double check. All seemed well so I rebooted the Barton normally.

Things looked pretty quiet but definitely a little sluggish so I opened explorer and got the -1073741819 shutdown error message. I set my calendar back one year and moved the offensive message into a corner. I checked the processes and CPU usage in task manager and noted brief applications would appear and disappear before I could read what they were. I also noted that the CPU usage would spike the minute I went to any other task tab beside monitoring the cycles. I couldn't open a process and the search tools were either unresponsive or returning false information. I searched for files that I knew were there and was rudely told they weren't. Interesting. Okay, I changed the date back on the clock and let the machine shut down. The OS informed me it was saving my changes for quite a while. The only thing I remember changing was the clock and even that went back to where it was before I changed it (+/- one year).
I rebooted the Barton in safe mode and that is where it is currently being observed. I'm writing this post from the Dual-P3 and I've just noted that all my .dat files have the "video cd movie" file type. I'm a little over my head here and would like some guidance. I want to thoroughly check the Dual-P3 with some hand holding so that I may understand what caused the file type change. The box seems to be working normally for now but I'd like more assurance :)
