Derbiz.com Hijacker
November 11, 2006 on 4:24 pm | In Malware analysis | 1 Comment | Originally posted Apr 30 2005, 01:09 PM
A very active variant of Dialer.Asdplug: http://www.sarc.com/avcenter/venc/data/dialer.asdplug.html
Can be recognized in a HijackThis log as:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://community.derbiz.com/
O4 - HKLM\..\Run: [ASDPLUGIN] C:\WINDOWS\System32\uk_nm.exe -N
Fix those entries and delete the file %System%\.exe
(in the example: C:\WINDOWS\System32\uk_nm.exe).
The following changes may also have to be made in the registry.
Copy the registry script below into Notepad and save it as noASD.reg.
Double-click the file and confirm that you want to merge it into the registry.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"EnableAutodial"="0"

[-HKEY_LOCAL_MACHINE\SOFTWARE\ASDPLUGIN]

Beware that EnableAutodial may already have had the value 1 before the infection, and the user may actually need it.
This one is often found in the company of EliteBar. They may be related.
EasySearch PremiumSearch
November 11, 2006 on 4:17 pm | In Malware analysis | 1 Comment | Originally posted Apr 25 2005, 09:19 PM
Found at GeeksToGo: a file called bootpd.exe
Identified by Kaspersky as:
bootpd.exe - infected by Trojan.Win32.StartPage.vk
The file has the hidden and system attributes set.
Once run it starts a second copy of itself in memory (probably so that the two processes can protect each other).
Nothing much happened until I tried to kill one of the processes.
These lines were added to my HijackThis log:
O1 - Hosts: 66.180.173.39 www.google.ae
and a lot more of those; I will add the complete hosts file at the end.
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\DOCUME~1\Pieter\LOCALS~1\Temp\ngtmbihanct.dll
ngtmbihanct.dll - infected by Trojan.Win32.StartPage.vk
O4 - HKLM\..\Run: [bootpd.exe] C:\WINDOWS\system32\bootpd.exe
The randomly named DLL, which has a fixed CLSID, also has the hidden and system attributes set.
It tried to contact the following IPs:
62.129.131.34
69.25.75.72
66.180.173.39
Under Add/Remove Software an entry EasySearch was added with the uninstall string "bootpd.exe -uninstall".
These files were added:
C:\Documents and Settings\Pieter\Local Settings\Temp\hwjifulqzwb.html (the start page, called PremiumSearch)
a file C:\WINDOWS\0.log
a folder C:\Program Files\Google
C:\Windows\System32\drivers\etc\hosts, looking like this:
66.180.173.39 www.google.ae
66.180.173.39 www.google.am
66.180.173.39 www.google.as
66.180.173.39 www.google.at
66.180.173.39 www.google.az
66.180.173.39 www.google.be
66.180.173.39 www.google.bi
66.180.173.39 www.google.ca
66.180.173.39 www.google.cd
66.180.173.39 www.google.cg
66.180.173.39 www.google.ch
66.180.173.39 www.google.ci
66.180.173.39 www.google.cl
66.180.173.39 www.google.co.cr
66.180.173.39 www.google.co.hu
66.180.173.39 www.google.co.il
66.180.173.39 www.google.co.in
66.180.173.39 www.google.co.je
66.180.173.39 www.google.co.jp
66.180.173.39 www.google.co.ke
66.180.173.39 www.google.co.kr
66.180.173.39 www.google.co.ls
66.180.173.39 www.google.co.nz
66.180.173.39 www.google.co.th
66.180.173.39 www.google.co.ug
66.180.173.39 www.google.co.uk
66.180.173.39 www.google.co.ve
66.180.173.39 www.google.com
66.180.173.39 www.google.com.ag
66.180.173.39 www.google.com.ar
66.180.173.39 www.google.com.au
66.180.173.39 www.google.com.br
66.180.173.39 www.google.com.co
66.180.173.39 www.google.com.cu
66.180.173.39 www.google.com.do
66.180.173.39 www.google.com.ec
66.180.173.39 www.google.com.fj
66.180.173.39 www.google.com.gi
66.180.173.39 www.google.com.gr
66.180.173.39 www.google.com.gt
66.180.173.39 www.google.com.hk
66.180.173.39 www.google.com.ly
66.180.173.39 www.google.com.mt
66.180.173.39 www.google.com.mx
66.180.173.39 www.google.com.my
66.180.173.39 www.google.com.na
66.180.173.39 www.google.com.nf
66.180.173.39 www.google.com.ni
66.180.173.39 www.google.com.np
66.180.173.39 www.google.com.pa
66.180.173.39 www.google.com.pe
66.180.173.39 www.google.com.ph
66.180.173.39 www.google.com.pk
66.180.173.39 www.google.com.pr
66.180.173.39 www.google.com.py
66.180.173.39 www.google.com.sa
66.180.173.39 www.google.com.sg
66.180.173.39 www.google.com.sv
66.180.173.39 www.google.com.tr
66.180.173.39 www.google.com.tw
66.180.173.39 www.google.com.ua
66.180.173.39 www.google.com.uy
66.180.173.39 www.google.com.vc
66.180.173.39 www.google.com.vn
66.180.173.39 www.google.de
66.180.173.39 www.google.dj
66.180.173.39 www.google.dk
66.180.173.39 www.google.es
66.180.173.39 www.google.fi
66.180.173.39 www.google.fm
66.180.173.39 www.google.fr
66.180.173.39 www.google.gg
66.180.173.39 www.google.gl
66.180.173.39 www.google.gm
66.180.173.39 www.google.hn
66.180.173.39 www.google.ie
66.180.173.39 www.google.it
66.180.173.39 www.google.kz
66.180.173.39 www.google.li
66.180.173.39 www.google.lt
66.180.173.39 www.google.lu
66.180.173.39 www.google.lv
66.180.173.39 www.google.mn
66.180.173.39 www.google.ms
66.180.173.39 www.google.mu
66.180.173.39 www.google.mw
66.180.173.39 www.google.nl
66.180.173.39 www.google.no
66.180.173.39 www.google.off.ai
66.180.173.39 www.google.pl
66.180.173.39 www.google.pn
66.180.173.39 www.google.pt
66.180.173.39 www.google.ro
66.180.173.39 www.google.ru
66.180.173.39 www.google.rw
66.180.173.39 www.google.se
66.180.173.39 www.google.sh
66.180.173.39 www.google.sk
66.180.173.39 www.google.sm
66.180.173.39 www.google.td
66.180.173.39 www.google.tm
66.180.173.39 www.google.tt
66.180.173.39 www.google.uz
66.180.173.39 www.google.vg
66.180.173.39 google.ae
66.180.173.39 google.am
66.180.173.39 google.as
66.180.173.39 google.at
66.180.173.39 google.az
66.180.173.39 google.be
66.180.173.39 google.bi
66.180.173.39 google.ca
66.180.173.39 google.cd
66.180.173.39 google.cg
66.180.173.39 google.ch
66.180.173.39 google.ci
66.180.173.39 google.cl
66.180.173.39 google.co.cr
66.180.173.39 google.co.hu
66.180.173.39 google.co.il
66.180.173.39 google.co.in
66.180.173.39 google.co.je
66.180.173.39 google.co.jp
66.180.173.39 google.co.ke
66.180.173.39 google.co.kr
66.180.173.39 google.co.ls
66.180.173.39 google.co.nz
66.180.173.39 google.co.th
66.180.173.39 google.co.ug
66.180.173.39 google.co.uk
66.180.173.39 google.co.ve
66.180.173.39 google.com
66.180.173.39 google.com.ag
66.180.173.39 google.com.ar
66.180.173.39 google.com.au
66.180.173.39 google.com.br
66.180.173.39 google.com.co
66.180.173.39 google.com.cu
66.180.173.39 google.com.do
66.180.173.39 google.com.ec
66.180.173.39 google.com.fj
66.180.173.39 google.com.gi
66.180.173.39 google.com.gr
66.180.173.39 google.com.gt
66.180.173.39 google.com.hk
66.180.173.39 google.com.ly
66.180.173.39 google.com.mt
66.180.173.39 google.com.mx
66.180.173.39 google.com.my
66.180.173.39 google.com.na
66.180.173.39 google.com.nf
66.180.173.39 google.com.ni
66.180.173.39 google.com.np
66.180.173.39 google.com.pa
66.180.173.39 google.com.pe
66.180.173.39 google.com.ph
66.180.173.39 google.com.pk
66.180.173.39 google.com.pr
66.180.173.39 google.com.py
66.180.173.39 google.com.sa
66.180.173.39 google.com.sg
66.180.173.39 google.com.sv
66.180.173.39 google.com.tr
66.180.173.39 google.com.tw
66.180.173.39 google.com.ua
66.180.173.39 google.com.uy
66.180.173.39 google.com.vc
66.180.173.39 google.com.vn
66.180.173.39 google.de
66.180.173.39 google.dj
66.180.173.39 google.dk
66.180.173.39 google.es
66.180.173.39 google.fi
66.180.173.39 google.fm
66.180.173.39 google.fr
66.180.173.39 google.gg
66.180.173.39 google.gl
66.180.173.39 google.gm
66.180.173.39 google.hn
66.180.173.39 google.ie
66.180.173.39 google.it
66.180.173.39 google.kz
66.180.173.39 google.li
66.180.173.39 google.lt
66.180.173.39 google.lu
66.180.173.39 google.lv
66.180.173.39 google.mn
66.180.173.39 google.ms
66.180.173.39 google.mu
66.180.173.39 google.mw
66.180.173.39 google.nl
66.180.173.39 google.no
66.180.173.39 google.off.ai
66.180.173.39 google.pl
66.180.173.39 google.pn
66.180.173.39 google.pt
66.180.173.39 google.ro
66.180.173.39 google.ru
66.180.173.39 google.rw
66.180.173.39 google.se
66.180.173.39 google.sh
66.180.173.39 google.sk
66.180.173.39 google.sm
66.180.173.39 google.td
66.180.173.39 google.tm
66.180.173.39 google.tt
66.180.173.39 google.uz
66.180.173.39 google.vg
66.180.173.39 search.yahoo.com
66.180.173.39 ar.search.yahoo.com
66.180.173.39 br.search.yahoo.com
66.180.173.39 ca.search.yahoo.com
66.180.173.39 cf.search.yahoo.com
66.180.173.39 mx.search.yahoo.com
66.180.173.39 espanol.search.yahoo.com
66.180.173.39 au.search.yahoo.com
66.180.173.39 ct.search.yahoo.com
66.180.173.39 fr.search.yahoo.com
66.180.173.39 de.search.yahoo.com
66.180.173.39 it.search.yahoo.com
66.180.173.39 uk.search.yahoo.com
66.180.173.39 search.msn.com search.msn.at search.sympatico.msn.ca search.msn.co.za search.ninemsn.com.au
66.180.173.39 search.xtramsn.co.nz search.msn.co.uk search.msn.be search.msn.dk search.msn.fi search.msn.fr
66.180.173.39 search.msn.de search.msn.it search.msn.nl search.msn.no search.msn.es uk.search.msn.com
66.180.173.39 search.msn.se search.msn.ch search.msn.co.in search.msn.com.sg toolbar.search.msn.com
66.180.173.39 beta.search.msn.com beta.search.msn.at beta.search.sympatico.msn.ca beta.search.msn.co.za
66.180.173.39 beta.search.ninemsn.com.au beta.search.xtramsn.co.nz beta.search.msn.co.uk beta.search.msn.be
66.180.173.39 beta.search.msn.dk beta.search.msn.fi beta.search.msn.fr beta.search.msn.de beta.search.msn.it
66.180.173.39 beta.search.msn.nl beta.search.msn.no beta.search.msn.es beta.search.msn.se beta.search.msn.ch
66.180.173.39 beta.search.msn.co.in beta.search.msn.com.sg auto.search.msn.com
66.180.173.39 www.alexa.com alexa.com
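A hosts file like the one above is easy to audit mechanically. The Python script below is an added example, not code from the original post: it parses hosts-file lines (including lines that carry several hostnames, as the MSN entries do) and flags every search-engine hostname that is pinned to any address at all, whether the remote 66.180.173.39 seen here or the 127.0.0.1 that the wirl.dll variant further down this page uses. The label list and the sample lines are constructed for the example; the sample mixes entries quoted from this post with benign lines.

```python
"""Audit a Windows hosts file for search-engine hijacks.

Added example (not code from the original post). A clean hosts file has no
reason to map any google/yahoo/msn/alexa hostname, so every such entry is
reported, whatever address it points at.
"""
import ipaddress

# Domain labels that belong to the search engines the variants on this page target.
# Matching on labels rather than on a full domain list catches the long tail of
# country-code variants (google.co.uk, google.com.br, ...) with one rule.
HIJACK_TARGET_LABELS = {"google", "yahoo", "msn", "ninemsn", "xtramsn", "sympatico", "alexa"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) triples; several hostnames may share one line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        for host in fields[1:]:
            yield str(ip), host.lower(), line_no


def is_search_engine_host(host):
    return any(label in HIJACK_TARGET_LABELS for label in host.split("."))


def find_hijacked_entries(text):
    """Return [(line_no, ip, host)] for every search-engine hostname pinned in the file."""
    return [(line_no, ip, host)
            for ip, host, line_no in parse_hosts(text)
            if is_search_engine_host(host)]


def summarize(findings):
    """Group findings by destination IP so a single sinkhole address stands out."""
    by_ip = {}
    for _, ip, host in findings:
        by_ip.setdefault(ip, []).append(host)
    return by_ip


# Constructed sample: lines quoted from the post above plus two benign entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
66.180.173.39 www.google.com
66.180.173.39 google.co.uk
66.180.173.39 search.msn.com search.msn.at search.sympatico.msn.ca
66.180.173.39 www.alexa.com alexa.com
127.0.0.1 auto.search.msn.com
192.168.1.10 intranet.example.local
"""

if __name__ == "__main__":
    hits = find_hijacked_entries(SAMPLE_HOSTS)
    for line_no, ip, host in hits:
        print(f"line {line_no}: {host} -> {ip}")
    for ip, hosts in summarize(hits).items():
        print(f"{ip}: {len(hosts)} search-engine hostnames pinned")
```

Grouping by destination IP is what makes a sinkhole like 66.180.173.39 jump out when a victim pastes a hosts file with a hundred entries; on a live machine, read %SystemRoot%\System32\drivers\etc\hosts instead of the constructed sample.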
CWS variant wirl.dll
November 11, 2006 on 3:58 pm | In Malware analysis | No Comments | Originally posted Apr 19 2005, 12:33 PM
Still researching this one, so changes will be made.
The main files seem to be a randomly named executable plus:
wirl.dll
hst32.dll
wcnl32.dll
This seems to be the complete set of DLLs:
C:\windows\system32\cidft.dll
C:\windows\system32\cidpog32.dll
C:\windows\system32\gupd.dll
C:\windows\system32\hst32.dll
C:\WINDOWS\System32\cidpoq32.dll
C:\WINDOWS\System32\nthst32.dll
C:\windows\system32\icnfe.dll
C:\windows\system32\icqrt.dll
C:\windows\system32\icvbr.dll
C:\windows\system32\sdfup.dll
C:\windows\system32\wcnl32.dll
C:\windows\system32\wecxg32.dll
C:\windows\system32\wirl.dll
C:\windows\system32\xcwer32.dll
C:\windows\system32\zxmsn.dll
C:\windows\system32\thun.dll
C:\WINDOWS\System32\thun32.dll
C:\windows\system32\rch32.dll
Since the exe files appear to be completely random it's no use listing them.
Scan results:
KAV found 103.exe - infected by Trojan-Downloader.Win32.Small.anx
Dr.Web found wirl.dll - infected by Trojan.Favadd
VBA32 found wirl.dll - infected by Trojan.Win32.StartPage.2 (probable variant)
The executable copies itself to the System folder and adds a Startup entry for itself called SVCHOST:
O4 - HKCU\..\Run: [SVCHOST] C:\WINDOWS\system32\103.exe
hst32.dll holds the information for the changes to be made to the hosts file.
Mine was very small:
auto.search.msn.com 127.0.0.1
wcnl32.dll holds the information for the changes to the favorites.
This one said:
http://www.nowfind.net/umax10/index.php
Search the web.url
http://forbiddenconversations.com/
Forbidden Conversations.url
http://free.modernfucking.com/index.html
Forced Sex.url
http://best.teens5.com/index.html
Young Preteen Models.url
http:/www.nowfind.net/umax5/index.php
Search the web.url
Waiting for a .hta file that will probably hold the secret of how they all work together.
deskwizz
November 11, 2006 on 3:49 pm | In Malware analysis | 1 Comment | Originally posted Mar 27 2005, 09:09 PM
Received from my old friend $teve along with some other files:
jmsqvijilh.exe, identified by KAV and TDS as infected by Trojan-Downloader.Win32.Small.aly
I decided to test what it fetches at the moment, since this changes frequently.
When run it contacted:
195.137.236.117 (deskwizz.com)
195.137.237.103
216.150.6.75 (adpowerzone.advertserve.com)
During these connections it downloaded and installed:
IEXPLOR.EXE
setup.ini
IEXPLOR.exe was flagged by TDS as "Possible WebDownloader File: iexplor.exe".
setup.ini contains:
MainWindowURL=http://ads.deskwizz.com/to.php?id=atix
BackupWindowURL1=http://www.aqwerlib.ruuu/
BackupWindowURL2=http://www.waa4rty.inf/
AfterInstall=http://media.deskwizz.com/gate.php?id=AtixAfterInstall
The short version of the Total Uninstall report:
Filesystem
===============
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temp
(+)(FILE) ~DF1052.tmp = 21:27 27-03-05 16384 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5
(*)(FILE) index.dat
21:14 27-03-05 8552448 bytes ==> 21:26 27-03-05 8552448 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\0BR3MW91
(+)(FILE) setupAtx[1].ini = 21:27 27-03-05 339 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\JJ9JRDSW
(+)(FILE) IEXPLOR[1].EXE = 21:26 27-03-05 49152 bytes
(FOLDER) C:\WINDOWS
(+)(FILE) IEXPLOR.EXE = 21:26 27-03-05 49152 bytes
(+)(FILE) setup.ini = 21:27 27-03-05 339 bytes
Registry
===============
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(+)(REGISTRY VALUE) AtxBrw = ‘C:\WINDOWS\IEXPLOR.exe’
(+)(REGISTRY VALUE) C:\WINDOWS\IEXPLOR.EXE = ‘C:\WINDOWS\IEXPLOR.EXE’
EliteSideBar installer
November 11, 2006 on 3:45 pm | In Malware analysis | No Comments | Originally posted Feb 28 2005, 01:53 PM
Found by OrphanAnnie.
Version 8 of this one: http://securityresponse.symantec.com/avcenter/venc/data/adware.elitebar.b.html
Below I listed the (significant) changes the installer (filename sb.exe) made to the filesystem and registry.
Filesystem
===============
(+)(FOLDER) C:\WINDOWS\EliteSideBar
(+)(FILE) EliteSideBar 08.dll = 22:03 27-02-05 46592 bytes
(FOLDER) C:\WINDOWS\Prefetch
(+)(FILE) SB.EXE-01BF0FF5.pf = 22:03 27-02-05 15048 bytes
Registry
===============
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0A1D22C3-37BE-470C-9C29-E3074EE0574B}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0A1D22C3-37BE-470C-9C29-E3074EE0574B}\InprocServer32
(+)((REGISTRY VALUE)) (Standaard) = ‘C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}
(+)((REGISTRY VALUE)) (Standaard) = ‘Elite SideBar’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Control
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Implemented Categories
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\InprocServer32
(+)((REGISTRY VALUE)) (Standaard) = ‘C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll’
(+)((REGISTRY VALUE)) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Insertable
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\MiscStatus
(+)((REGISTRY VALUE)) (Standaard) = ‘0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\MiscStatus\1
(+)((REGISTRY VALUE)) (Standaard) = ‘131473’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\ProgID
(+)((REGISTRY VALUE)) (Standaard) = ‘CGBand.CGBandObj.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Programmable
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\TypeLib
(+)((REGISTRY VALUE)) (Standaard) = ‘{8AA59E15-6E81-415C-B299-1ADFB50C8E1A}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\Version
(+)((REGISTRY VALUE)) (Standaard) = ‘1.0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}\VersionIndependentProgID
(+)((REGISTRY VALUE)) (Standaard) = ‘CGBand.CGBandObj’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}
(+)((REGISTRY VALUE)) (Standaard) = ‘&EliteSideBar’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\InprocServer32
(+)((REGISTRY VALUE)) (Standaard) = ‘C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll’
(+)((REGISTRY VALUE)) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Insertable
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Instance
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Instance\InitPropertyBag
(+)((REGISTRY VALUE)) (Standaard) = ‘0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\MiscStatus
(+)((REGISTRY VALUE)) (Standaard) = ‘0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\MiscStatus\1
(+)((REGISTRY VALUE)) (Standaard) = ‘131473’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\Programmable
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Elitum
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Elitum\EliteSideBar
(+)((REGISTRY VALUE)) excluded = ‘google.com,yahoo.com,searchmiracle.com’
(+)((REGISTRY VALUE)) FirstTimeStarted = 1
(+)((REGISTRY VALUE)) maxshow = ‘6’
(+)((REGISTRY VALUE)) path = ‘C:\WINDOWS\EliteSideBar\’
(+)((REGISTRY VALUE)) UpdateAttempt = ‘27020522’
(+)((REGISTRY VALUE)) UpdateDate = ‘27020501’
(+)((REGISTRY VALUE)) url = ‘http://yupsearch.com/sb.php?qq=’
(+)((REGISTRY VALUE)) version = ’08’
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}
(+)(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}
(+)(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\iexplore
(+)((REGISTRY VALUE)) Count = 3
(+)((REGISTRY VALUE)) Time = …………,…
(+)((REGISTRY VALUE)) Type = 3
(+)(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}
(+)(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}\iexplore
(+)((REGISTRY VALUE)) Count = 3
(+)((REGISTRY VALUE)) Time = …………,…
(+)((REGISTRY VALUE)) Type = 3
Back to .hta
November 9, 2006 on 9:00 pm | In Malware analysis | No Comments | Originally posted Jan 16 2005, 04:56 PM
Received from my friend again. 🙂
A file that starts from the All Users Startup folder:
Microsoft Windows.hta
When run it fetches a file called msupdate.cmd.
This one in turn self-destructs when run and creates two files in the
Local Settings\Temp folder:
one called win**.tmp.js and one called win**.tmp (** are random digits).
The latter tries to contact three sites.
IPs: 209.66.122.49 195.225.176.12 216.195.32.198
Then it hijacks several IE URLs to the lookfor.cc domain.
Total Uninstall log made 16-1-2005 16:33:43
Files & Folders
===============
(FOLDER) C:\WINDOWS\Prefetch
(+)(FILE) EXPLORER.EXE-082F38A9.pf = 16:27 16-01-05 12818 bytes
(+)(FILE) MSHTA.EXE-331DF029.pf = 16:27 16-01-05 41564 bytes
(+)(FILE) MSUPDATE.CMD-33F3EB1A.pf = 16:27 16-01-05 20168 bytes
(+)(FILE) TASKMGR.EXE-20256C55.pf = 16:29 16-01-05 16898 bytes
(+)(FILE) WIN3F.TMP-05DFD68D.pf = 16:27 16-01-05 31558 bytes
(+)(FILE) WSCRIPT.EXE-32960AB9.pf = 16:29 16-01-05 23302 bytes
Registry
===============
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
(+)(REG VALUE) Search Bar = ‘http://lookfor.cc/sp.php?pin=10001’
(+)(REG VALUE) Use Search Asst = ‘no’
(*)(REG VALUE) Default_Page_URL
‘http://www.google.com’ ==> ‘http://lookfor.cc?pin=10001’
(*)(REG VALUE) Default_Search_URL
‘http://home.microsoft.com/search/search.asp’ ==> ‘http://lookfor.cc/sp.php?pin=10001’
(*)(REG VALUE) Search Page
‘http://www.google.com’ ==> ‘http://lookfor.cc/sp.php?pin=10001’
(*)(REG VALUE) Start Page
‘http://home01.wxs.nl/~kleyn080/’ ==> ‘http://lookfor.cc?pin=10001’
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Internet Explorer\Main
(+)(REG VALUE) Search Bar = ‘http://lookfor.cc/sp.php?pin=10001’
(+)(REG VALUE) Use Search Asst = ‘no’
(*)(REG VALUE) Search Page
‘http://www.google.com’ ==> ‘http://lookfor.cc/sp.php?pin=10001’
(*)(REG VALUE) Start Page
‘http://home01.wxs.nl/~kleyn080/’ ==> ‘http://lookfor.cc?pin=10001’
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\ShellNoRoam\Bags\108\Shell
(*)(REG VALUE) MinPos800x600(1).x
-32000 ==> -1
(*)(REG VALUE) MinPos800x600(1).y
-32000 ==> -1
(*)(REG VALUE) WinPos800x600(1).left
189 ==> 29
(*)(REG VALUE) WinPos800x600(1).right
789 ==> 629
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\ShellNoRoam\Bags\109\Shell
(*)(REG VALUE) MinPos800x600(1).x
-32000 ==> -1
(*)(REG VALUE) MinPos800x600(1).y
-32000 ==> -1
(*)(REG VALUE) ScrollPos800x600(1).y
151 ==> 213
(*)(REG VALUE) WinPos800x600(1).left
189 ==> 29
(*)(REG VALUE) WinPos800x600(1).right
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
(+)(REG VALUE) Search Bar = ‘http://lookfor.cc/sp.php?pin=10001’
(+)(REG VALUE) Use Search Asst = ‘no’
(*)(REG VALUE) Search Page
‘http://www.google.com’ ==> ‘http://lookfor.cc/sp.php?pin=10001’
(*)(REG VALUE) Start Page
‘http://home01.wxs.nl/~kleyn080/’ ==> ‘http://lookfor.cc?pin=10001’
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\108\Shell
(*)(REG VALUE) MinPos800x600(1).x
-32000 ==> -1
(*)(REG VALUE) MinPos800x600(1).y
-32000 ==> -1
(*)(REG VALUE) WinPos800x600(1).left
189 ==> 29
(*)(REG VALUE) WinPos800x600(1).right
789 ==> 629
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags\109\Shell
(*)(REG VALUE) MinPos800x600(1).x
-32000 ==> -1
(*)(REG VALUE) MinPos800x600(1).y
-32000 ==> -1
(*)(REG VALUE) ScrollPos800x600(1).y
151 ==> 213
(*)(REG VALUE) WinPos800x600(1).left
189 ==> 29
(*)(REG VALUE) WinPos800x600(1).right
789 ==> 629
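The Total Uninstall logs in this post and in the deskwizz and EliteSideBar posts above share one line format, so the first pass of triage can be scripted. The Python parser below is an added example, not Total Uninstall's own code and not from the original posts: it turns the "(+)(FILE) ...", "(+)(REG VALUE) ..." and two-line "(*)(REG VALUE) ... / old ==> new" entries into records, then applies the three checks a helper reading such a log makes by hand: files dropped into the Windows folder, System32 or a Temp folder; new values under a Run key; and added or changed Internet Explorer start and search values. The sample log is constructed from lines quoted in these posts, with the curly quotes the web page introduced normalized to plain apostrophes.

```python
"""Parse Total Uninstall diff logs and flag the changes a hijacker typically makes.

Added example; not Total Uninstall's code and not part of the original posts.
Handles the three value-tag spellings seen in the logs on this page:
(REG VALUE), (REGISTRY VALUE) and ((REGISTRY VALUE)).
"""
import re

_KEY_RE = re.compile(r"^(?:\(\+\))?\(REGISTRY KEY\) (?P<path>.+)$")
_FOLDER_RE = re.compile(r"^(?:\(\+\))?\(FOLDER\) (?P<path>.+)$")
_ADDED_FILE_RE = re.compile(r"^\(\+\)\(FILE\) (?P<name>.+?) = (?P<time>\S+) (?P<date>\S+) (?P<size>\d+) bytes$")
_CHANGED_FILE_RE = re.compile(r"^\(\*\)\(FILE\) (?P<name>.+)$")
_VALUE_TAG = r"\(\(?(?:REG VALUE|REGISTRY VALUE)\)\)?"
_ADDED_VALUE_RE = re.compile(r"^\(\+\)" + _VALUE_TAG + r" (?P<name>.+?) = (?P<value>.+)$")
_CHANGED_VALUE_RE = re.compile(r"^\(\*\)" + _VALUE_TAG + r" (?P<name>.+)$")


def _unquote(s):
    """Strip surrounding quotes, accepting the curly quotes a web paste introduces."""
    s = s.strip().replace("\u2018", "'").replace("\u2019", "'")
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] == "'" else s


def parse_total_uninstall(text):
    """Return a list of change records: op (+ or *), kind (file/value), container, name, old/new."""
    records, container, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None and "==>" in line:      # second line of a (*) entry
            old, new = line.split("==>", 1)
            pending["old"], pending["new"] = _unquote(old), _unquote(new)
            records.append(pending)
            pending = None
            continue
        pending = None   # a (*) header not followed by "old ==> new" is dropped
        m = _KEY_RE.match(line) or _FOLDER_RE.match(line)
        if m:
            container = m.group("path")               # following entries live under this key/folder
            continue
        m = _ADDED_FILE_RE.match(line)
        if m:
            records.append({"op": "+", "kind": "file", "container": container,
                            "name": m.group("name"), "size": int(m.group("size"))})
            continue
        m = _ADDED_VALUE_RE.match(line)
        if m:
            records.append({"op": "+", "kind": "value", "container": container,
                            "name": m.group("name"), "old": None, "new": _unquote(m.group("value"))})
            continue
        m = _CHANGED_FILE_RE.match(line) or _CHANGED_VALUE_RE.match(line)
        if m:
            kind = "file" if line.startswith("(*)(FILE)") else "value"
            pending = {"op": "*", "kind": kind, "container": container, "name": m.group("name")}
    return records


def run_key_additions(records):
    """New values under any ...\\CurrentVersion\\Run key: autostart entries."""
    return [(r["container"], r["name"], r["new"]) for r in records
            if r["kind"] == "value" and r["op"] == "+"
            and r["container"].lower().endswith("\\currentversion\\run")]


IE_MAIN_VALUES = {"start page", "search page", "search bar", "default_page_url", "default_search_url"}


def ie_main_changes(records):
    """(name, old, new) for every IE start/search value that was added or changed."""
    return [(r["name"], r["old"], r["new"]) for r in records
            if r["kind"] == "value"
            and r["container"].lower().endswith("\\internet explorer\\main")
            and r["name"].lower() in IE_MAIN_VALUES]


DROP_LOCATIONS = ("c:\\windows", "c:\\windows\\system32")


def dropped_files(records):
    """New files in the Windows folder, System32 or any Temp folder."""
    out = []
    for r in records:
        if r["kind"] != "file" or r["op"] != "+":
            continue
        folder = r["container"].lower()
        if folder in DROP_LOCATIONS or folder.endswith("\\temp") or "\\temp\\" in folder:
            out.append((r["container"], r["name"], r["size"]))
    return out


# Constructed sample assembled from lines quoted in the posts on this page.
SAMPLE_LOG = """\
Files & Folders
===============
(FOLDER) C:\\Documents and Settings\\Pieter\\Local Settings\\Temp
(+)(FILE) ~DF1052.tmp = 21:27 27-03-05 16384 bytes
(FOLDER) C:\\WINDOWS
(+)(FILE) IEXPLOR.EXE = 21:26 27-03-05 49152 bytes
(+)(FILE) setup.ini = 21:27 27-03-05 339 bytes
Registry
===============
(REGISTRY KEY) HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
(+)(REGISTRY VALUE) AtxBrw = 'C:\\WINDOWS\\IEXPLOR.exe'
(REGISTRY KEY) HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Main
(+)(REG VALUE) Search Bar = 'http://lookfor.cc/sp.php?pin=10001'
(*)(REG VALUE) Start Page
'http://home01.wxs.nl/~kleyn080/' ==> 'http://lookfor.cc?pin=10001'
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\\SOFTWARE\\Elitum\\EliteSideBar
(+)((REGISTRY VALUE)) version = '08'
"""

if __name__ == "__main__":
    recs = parse_total_uninstall(SAMPLE_LOG)
    print("autostart:", run_key_additions(recs))
    print("IE hijack:", ie_main_changes(recs))
    print("dropped:", dropped_files(recs))
```

The ShellNoRoam\Bags window-position changes that fill the second half of the log above are Explorer remembering window geometry and produce no finding here, which is the point: the parser keeps every record, and the three checks pull out only the entries worth acting on.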
Scheduled Tasks
November 7, 2006 on 9:29 pm | In Malware analysis | 6 Comments | Originally posted Jan 14 2005, 08:19 PM
A while ago Bobbi Flekman found that recent LOP versions use the Task Scheduler to add to the burden.
The variants that do this can be recognized by their completely random and idiotically named SearchBars
(example: http://www.ffbmcrgzoflssg.com/uVY4pfXrBF4B9Rsh073xVcCkhrcDs5DvBdJ1KbjS7hLALyLQ/rLN23C6NhVXySGN.html ).
Usually they have .exe files as a BHO instead of the normal .dll.
After encountering a victim here http://www.geekstogo.com/forum/index.php?showtopic=6609 who could not find the Tasks that showed up in the StartUpList, I went looking for another way to list the tasks in the Scheduler.
I found it at JSI: http://www.jsiinc.com/SUBF/TIP2600/rh2621.htm
That made it easy. All you need is a tiny batch file:
@echo off
if exist c:\tasks.txt del c:\tasks.txt
jt /se >>c:\tasks.txt
I uploaded the package for that to http://metallica.geekstogo.com/findlop.zip
Canned speech:
Download and unzip to one folder:
http://metallica.geekstogo.com/findlop.zip
Inside the folder find findlop.bat
Double-click it and it will create the file C:\findlop.txt
Find that file and copy its content into your next post.
Once you have the tasks, you can remove them by putting another batch file in the same folder:
@echo off
jt /sd randomlopname123.job
jt /sd randomlopname456.job
jt /sd randomlopname789.job
if exist c:\tasks.txt del c:\tasks.txt
jt /se >>c:\tasks.txt
Or tell the victim which ones to delete manually. 🙂
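The recognition rules in this post (an .exe registered as a BHO) and in the EasySearch and wirl.dll posts above (a BHO loaded from a user's Temp folder, a Run entry named SVCHOST that starts something other than svchost.exe) can be applied automatically to a pasted HijackThis log. The Python below is an added example, neither from the original post nor part of HijackThis; the CLSID and path on the third sample line are constructed, the other sample lines are taken from the logs quoted in these posts.

```python
"""Heuristics over HijackThis O2 (BHO) and O4 (Run) lines.

Added example, not part of the original posts or of HijackThis. It flags:
  * an O2 BHO whose server file is an .exe rather than the usual .dll,
  * an O2 BHO loaded from a Temp folder,
  * an O4 Run value named after a core Windows process (SVCHOST, ...) whose
    command line starts a different executable.
"""
import re

# "O2 - BHO: <name> - {CLSID} - <path>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
# "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")

# Run-value names that borrow a Windows process name; the binary they start should match.
IMPERSONATED_NAMES = {"svchost": "svchost.exe", "explorer": "explorer.exe", "winlogon": "winlogon.exe"}


def normalize_dashes(line):
    """Logs pasted into web pages often arrive with en/em dashes instead of hyphens."""
    return line.replace("\u2013", "-").replace("\u2014", "-").strip()


def started_executable(cmd):
    """Name of the .exe a Run command line starts, tolerating spaces in the path."""
    m = re.search(r"[^\\/]+?\.exe", cmd, re.IGNORECASE)
    return m.group(0).lower() if m else cmd.split()[0].lower()


def check_line(raw):
    """Return a list of finding strings for one HijackThis log line (empty if clean)."""
    line = normalize_dashes(raw)
    findings = []
    m = O2_RE.match(line)
    if m:
        path = m.group("path").strip().lower()
        if path.endswith(".exe"):
            findings.append(f"O2 BHO {m.group('clsid')} is an .exe, not a .dll: {path}")
        if "\\temp\\" in path or "\\locals~1\\temp" in path:
            findings.append(f"O2 BHO {m.group('clsid')} loads from a Temp folder: {path}")
        return findings
    m = O4_RE.match(line)
    if m:
        expected = IMPERSONATED_NAMES.get(m.group("value").strip().lower())
        exe = started_executable(m.group("cmd"))
        if expected and exe != expected:
            findings.append(f"O4 [{m.group('value')}] impersonates {expected} but starts {exe}")
    return findings


def scan_log(text):
    """Map each suspicious line number to its findings."""
    report = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        hits = check_line(raw)
        if hits:
            report[line_no] = hits
    return report


# Constructed sample: lines quoted from the posts above; line 3 uses a made-up CLSID and path.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {5483427F-93B8-1470-5A89-E6B56484CDB2} - C:\\DOCUME~1\\Pieter\\LOCALS~1\\Temp\\ngtmbihanct.dll
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\\WINDOWS\\enhtb.dll
O2 - BHO: (no name) - {AAAAAAAA-0000-0000-0000-000000000000} - C:\\Program Files\\lopsearch\\ffbmcrgz.exe
O4 - HKCU\\..\\Run: [SVCHOST] C:\\WINDOWS\\system32\\103.exe
O4 - HKLM\\..\\Run: [ASDPLUGIN] C:\\WINDOWS\\System32\\uk_nm.exe -N
"""

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG).items():
        for hit in hits:
            print(f"line {line_no}: {hit}")
```

The ASDPLUGIN line on purpose produces nothing: a Run entry is not suspicious by name alone, and the Derbiz post at the top of this page identifies it by its known file name instead. The heuristics are a first pass to direct attention; the file itself still needs to be looked at.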
Admillie service
November 6, 2006 on 8:18 pm | In Malware analysis | 2 Comments | Originally posted Jan 13 2005, 10:54 PM
Received from a dear friend. 😎
It gets installed by ActiveX:
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C…e/bridge-c3.cab
Scanned file: AdmilliService.zip
~gram Files/Admilli Service/AdmilliComm.dll – infected by not-a-virus:AdWare.WinAD.k
~gram Files/Admilli Service/AdmilliKeep.exe – infected by not-a-virus:AdWare.WinAD.k
~gram Files/Admilli Service/AdmilliServ.exe – infected by not-a-virus:AdWare.WinAD.k
~/Downloaded Program Files/AdmilliServX.dll – infected by not-a-virus:AdWare.WinAD.j
Removal
Since the two executables protect each other and even run in Safe Mode, they will have to be removed on reboot.
Download and unzip Killbox: http://www.downloads.subratam.org/KillBox.zip
Run Killbox and paste each of these lines into the box in turn, select "delete on reboot" and press the red X button. When it asks whether to reboot now, say no, paste the next line and follow the same procedure every time; after the last line has been pasted, let it reboot.
%SystemDrive%\Program Files\Admilli Service\AdmilliKeep.exe
%SystemDrive%\Program Files\Admilli Service\AdmilliServ.exe
Total Uninstall log:
Files and Folders
===============
(FOLDER) C:\WINDOWS\system32
(+)(FILE) ide21201.vxd = 22:22 13-01-05 4720 bytes
Registry
===============
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\AdmilliServX.Installer
(+)(REG VALUE) (Standaard) = ‘AdmilliServX.Installer’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\AdmilliServX.Installer\CLSID
(+)(REG VALUE) (Standaard) = ‘{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}\InprocServer32
(+)(REG VALUE) (Standaard) = ‘M:\Manege\blazefind admilli\AdmilliServX.dll’
(+)(REG VALUE) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Admilli Service
(+)(REG VALUE) LastUpdate = 1105651340
(+)(REG VALUE) reqcount = 1
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
(+)(REG VALUE) Admilli Service = ‘M:\Manege\blazefind admilli\AdmilliServ.exe’
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Admilli Service
(+)(REG VALUE) DisplayName = ‘Admilli Service’
(+)(REG VALUE) UninstallString = ‘M:\Manege\blazefind admilli\AdmilliServ.exe /Remove’
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\ShellNoRoam\MUICache
(+)(REG VALUE) C:\WINDOWS\system32\regsvr32.exe = ‘Microsoft© Register Server’
(+)(REG VALUE) M:\Manege\blazefind admilli\AdmilliKeep.exe = ‘AdmilliKeep’
(+)(REG VALUE) M:\Manege\blazefind admilli\AdmilliServ.exe = ‘AdmilliServ’
Shopnav
November 5, 2006 on 3:53 pm | In Malware analysis | No Comments
Originally posted Jan 12 2005, 09:12 PM
Found at CastleCops:
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll
No scanner I could get hold of recognized this file.
It made these changes to my HijackThis log:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.shopnav.com/q.cgi?q=
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - M:\Manege\oneclicksrch\enhtb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
Total Uninstall log:
FILES
===============
(FOLDER) C:\WINDOWS
(+)(FILE) enhtb.dll = 14:35 20-10-04 290816 bytes
(+)(FILE) kwv2.dat = 17:01 12-01-05 5460 bytes
(+)(FILE) lu.dat = 17:01 12-01-05 53 bytes
(+)(FILE) redir.txt = 17:01 12-01-05 0 bytes
Registry
==============
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.BottomFrame
(+)(REG VALUE) (Standaard) = ‘BottomFrame Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.BottomFrame\CLSID
(+)(REG VALUE) (Standaard) = ‘{1FF215BC-3906-4915-B5C5-E5D363CF0439}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.BottomFrame\CurVer
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.BottomFrame.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.BottomFrame.1
(+)(REG VALUE) (Standaard) = ‘BottomFrame Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.BottomFrame.1\CLSID
(+)(REG VALUE) (Standaard) = ‘{1FF215BC-3906-4915-B5C5-E5D363CF0439}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.LeftFrame
(+)(REG VALUE) (Standaard) = ‘LeftFrame Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.LeftFrame\CLSID
(+)(REG VALUE) (Standaard) = ‘{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.LeftFrame\CurVer
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.LeftFrame.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.LeftFrame.1
(+)(REG VALUE) (Standaard) = ‘LeftFrame Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.LeftFrame.1\CLSID
(+)(REG VALUE) (Standaard) = ‘{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.PopupBrowser
(+)(REG VALUE) (Standaard) = ‘PopupBrowser Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.PopupBrowser\CLSID
(+)(REG VALUE) (Standaard) = ‘{0007CC61-BEE5-4DE7-B0F0-34B47B621972}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.PopupBrowser\CurVer
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.PopupBrowser.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.PopupBrowser.1
(+)(REG VALUE) (Standaard) = ‘PopupBrowser Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.PopupBrowser.1\CLSID
(+)(REG VALUE) (Standaard) = ‘{0007CC61-BEE5-4DE7-B0F0-34B47B621972}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.PopupWindow
(+)(REG VALUE) (Standaard) = ‘PopupWindow Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.PopupWindow\CLSID
(+)(REG VALUE) (Standaard) = ‘{59B92425-FCA5-4576-AE8D-288A819DC29E}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.PopupWindow\CurVer
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.PopupWindow.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.PopupWindow.1
(+)(REG VALUE) (Standaard) = ‘PopupWindow Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IMIToolbar.PopupWindow.1\CLSID
(+)(REG VALUE) (Standaard) = ‘{59B92425-FCA5-4576-AE8D-288A819DC29E}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Remove
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Wbho.Band
(+)(REG VALUE) (Standaard) = ‘Band Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Wbho.Band\CLSID
(+)(REG VALUE) (Standaard) = ‘{0007522A-2297-43C1-8EB1-C90B0FF20DA5}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Wbho.Band\CurVer
(+)(REG VALUE) (Standaard) = ‘Wbho.Band.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Wbho.Band.1
(+)(REG VALUE) (Standaard) = ‘Band Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Wbho.Band.1\CLSID
(+)(REG VALUE) (Standaard) = ‘{0007522A-2297-43C1-8EB1-C90B0FF20DA5}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}
(+)(REG VALUE) (Standaard) = ‘Band Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}\InprocServer32
(+)(REG VALUE) (Standaard) = ‘M:\Manege\oneclicksrch\enhtb.dll’
(+)(REG VALUE) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}\ProgID
(+)(REG VALUE) (Standaard) = ‘Wbho.Band.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}\Programmable
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{074A9743-0517-454c-B2F4-FF964DE43E4C}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}\VersionIndependentProgID
(+)(REG VALUE) (Standaard) = ‘Wbho.Band’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007CC61-BEE5-4DE7-B0F0-34B47B621972}
(+)(REG VALUE) (Standaard) = ‘PopupBrowser Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007CC61-BEE5-4DE7-B0F0-34B47B621972}\InprocServer32
(+)(REG VALUE) (Standaard) = ‘M:\Manege\oneclicksrch\enhtb.dll’
(+)(REG VALUE) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007CC61-BEE5-4DE7-B0F0-34B47B621972}\ProgID
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.PopupBrowser.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007CC61-BEE5-4DE7-B0F0-34B47B621972}\Programmable
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007CC61-BEE5-4DE7-B0F0-34B47B621972}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{58D419E8-1321-4DD2-A6FC-7B41C14DCD79}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{0007CC61-BEE5-4DE7-B0F0-34B47B621972}\VersionIndependentProgID
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.PopupBrowser’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}
(+)(REG VALUE) (Standaard) = ‘LeftFrame Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\Implemented Categories
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\InprocServer32
(+)(REG VALUE) (Standaard) = ‘M:\Manege\oneclicksrch\enhtb.dll’
(+)(REG VALUE) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\ProgID
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.LeftFrame.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\Programmable
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{58D419E8-1321-4DD2-A6FC-7B41C14DCD79}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{000D2CC0-2F6F-4FCF-A839-0921BCC7AA04}\VersionIndependentProgID
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.LeftFrame’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{1FF215BC-3906-4915-B5C5-E5D363CF0439}
(+)(REG VALUE) (Standaard) = ‘BottomFrame Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{1FF215BC-3906-4915-B5C5-E5D363CF0439}\Implemented Categories
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{1FF215BC-3906-4915-B5C5-E5D363CF0439}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{1FF215BC-3906-4915-B5C5-E5D363CF0439}\InprocServer32
(+)(REG VALUE) (Standaard) = ‘M:\Manege\oneclicksrch\enhtb.dll’
(+)(REG VALUE) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{1FF215BC-3906-4915-B5C5-E5D363CF0439}\ProgID
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.BottomFrame.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{1FF215BC-3906-4915-B5C5-E5D363CF0439}\Programmable
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{1FF215BC-3906-4915-B5C5-E5D363CF0439}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{58D419E8-1321-4DD2-A6FC-7B41C14DCD79}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{1FF215BC-3906-4915-B5C5-E5D363CF0439}\VersionIndependentProgID
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.BottomFrame’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{59B92425-FCA5-4576-AE8D-288A819DC29E}
(+)(REG VALUE) (Standaard) = ‘PopupWindow Class’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{59B92425-FCA5-4576-AE8D-288A819DC29E}\InprocServer32
(+)(REG VALUE) (Standaard) = ‘M:\Manege\oneclicksrch\enhtb.dll’
(+)(REG VALUE) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{59B92425-FCA5-4576-AE8D-288A819DC29E}\ProgID
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.PopupWindow.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{59B92425-FCA5-4576-AE8D-288A819DC29E}\Programmable
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{59B92425-FCA5-4576-AE8D-288A819DC29E}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{58D419E8-1321-4DD2-A6FC-7B41C14DCD79}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{59B92425-FCA5-4576-AE8D-288A819DC29E}\VersionIndependentProgID
(+)(REG VALUE) (Standaard) = ‘IMIToolbar.PopupWindow’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{16148DA8-9325-47C9-9BE2-B7D4075C4DF7}
(+)(REG VALUE) (Standaard) = ‘IBottom’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{16148DA8-9325-47C9-9BE2-B7D4075C4DF7}\ProxyStubClsid
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{16148DA8-9325-47C9-9BE2-B7D4075C4DF7}\ProxyStubClsid32
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{16148DA8-9325-47C9-9BE2-B7D4075C4DF7}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{074A9743-0517-454C-B2F4-FF964DE43E4C}’
(+)(REG VALUE) Version = ‘1.0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{467A7046-2972-4CD3-A8B8-39F2887F78C1}
(+)(REG VALUE) (Standaard) = ‘IBottomFrame’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{467A7046-2972-4CD3-A8B8-39F2887F78C1}\ProxyStubClsid
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{467A7046-2972-4CD3-A8B8-39F2887F78C1}\ProxyStubClsid32
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{467A7046-2972-4CD3-A8B8-39F2887F78C1}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{074A9743-0517-454C-B2F4-FF964DE43E4C}’
(+)(REG VALUE) Version = ‘1.0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{870FC053-EAD2-43D0-931A-17C5FB077C70}
(+)(REG VALUE) (Standaard) = ‘ILeftFrame’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{870FC053-EAD2-43D0-931A-17C5FB077C70}\ProxyStubClsid
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{870FC053-EAD2-43D0-931A-17C5FB077C70}\ProxyStubClsid32
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{870FC053-EAD2-43D0-931A-17C5FB077C70}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{074A9743-0517-454C-B2F4-FF964DE43E4C}’
(+)(REG VALUE) Version = ‘1.0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{B303BE97-4932-44FD-8C8F-CE529890B421}
(+)(REG VALUE) (Standaard) = ‘IBand’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{B303BE97-4932-44FD-8C8F-CE529890B421}\ProxyStubClsid
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{B303BE97-4932-44FD-8C8F-CE529890B421}\ProxyStubClsid32
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{B303BE97-4932-44FD-8C8F-CE529890B421}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{074A9743-0517-454C-B2F4-FF964DE43E4C}’
(+)(REG VALUE) Version = ‘1.0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{D1E2293C-3F18-4A2C-82C9-EBBD0BB098A6}
(+)(REG VALUE) (Standaard) = ‘IPopupWindow’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{D1E2293C-3F18-4A2C-82C9-EBBD0BB098A6}\ProxyStubClsid
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{D1E2293C-3F18-4A2C-82C9-EBBD0BB098A6}\ProxyStubClsid32
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{D1E2293C-3F18-4A2C-82C9-EBBD0BB098A6}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{074A9743-0517-454C-B2F4-FF964DE43E4C}’
(+)(REG VALUE) Version = ‘1.0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{DF005296-164C-4819-B316-07F1F38F2760}
(+)(REG VALUE) (Standaard) = ‘IPopupBrowser’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{DF005296-164C-4819-B316-07F1F38F2760}\ProxyStubClsid
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{DF005296-164C-4819-B316-07F1F38F2760}\ProxyStubClsid32
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{DF005296-164C-4819-B316-07F1F38F2760}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{074A9743-0517-454C-B2F4-FF964DE43E4C}’
(+)(REG VALUE) Version = ‘1.0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{074A9743-0517-454C-B2F4-FF964DE43E4C}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{074A9743-0517-454C-B2F4-FF964DE43E4C}\1.0
(+)(REG VALUE) (Standaard) = ‘wbho 1.0 Type Library’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{074A9743-0517-454C-B2F4-FF964DE43E4C}\1.0\0
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{074A9743-0517-454C-B2F4-FF964DE43E4C}\1.0\0\win32
(+)(REG VALUE) (Standaard) = ‘M:\Manege\oneclicksrch\enhtb.dll’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{074A9743-0517-454C-B2F4-FF964DE43E4C}\1.0\FLAGS
(+)(REG VALUE) (Standaard) = ‘0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{074A9743-0517-454C-B2F4-FF964DE43E4C}\1.0\HELPDIR
(+)(REG VALUE) (Standaard) = ‘M:\Manege\oneclicksrch\’
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
(+)(REG VALUE) CustomizeSearch = ‘http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0’
(+)(REG VALUE) SearchAssistant = ‘http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0’
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main
(+)(REG VALUE) Search Bar = ‘http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0’
(*)(REG VALUE) Search Page
‘http://www.google.com’ ==> ‘http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0’
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
(*)(REG VALUE) iexplore.exe
1 ==> 0
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar
(+)(REG VALUE) {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} = (lege data)
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0007522A-2297-43C1-8EB1-C90B0FF20DA5}
(+)(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\enhsrch
(+)(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\enhsrch\Config
(+)(REG VALUE) InstallDay = ‘3.836467E+004′
(+)(REG VALUE) KeywordMatch = 1
(+)(REG VALUE) LogUrl = 0
(+)(REG VALUE) SystemDate = ’01/12/05’
(+)(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\enhsrch\MyFileSystem2
(+)(REG VALUE) SystemID = 134858107
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Internet Explorer\Main
(+)(REG VALUE) Search Bar = ‘http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0’
(+)(REG VALUE) Use Search Asst = ‘no’
(*)(REG VALUE) Search Page
‘http://www.google.com’ ==> ‘http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0’
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Internet Explorer\SearchUrl
(+)(REG VALUE) (Standaard) = ‘websearch.shopnav.com/q.cgi?q=’
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Search Assistant
(+)(REG VALUE) DefaultSearchURL = ‘http://websearch.drsnsrch.com/q.cgi?q=’
(REGISTRY KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Microsoft\Windows\ShellNoRoam\MUICache
(+)(REG VALUE) M:\Manege\oneclicksrch\enhtb.exe = ‘Emissary’
(+)(REGISTRY KEY) HKEY_CURRENT_USER\Software\enhsrch
(+)(REGISTRY KEY) HKEY_CURRENT_USER\Software\enhsrch\Config
(+)(REG VALUE) InstallDay = ‘3.836467E+004′
(+)(REG VALUE) KeywordMatch = 1
(+)(REG VALUE) LogUrl = 0
(+)(REG VALUE) SystemDate = ’01/12/05’
(+)(REGISTRY KEY) HKEY_CURRENT_USER\Software\enhsrch\MyFileSystem2
(+)(REG VALUE) SystemID = 134858107
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
(+)(REG VALUE) Search Bar = ‘http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0’
(+)(REG VALUE) Use Search Asst = ‘no’
(*)(REG VALUE) Search Page
‘http://www.google.com’ ==> ‘http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0’
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
(+)(REG VALUE) (Standaard) = ‘websearch.shopnav.com/q.cgi?q=’
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Search Assistant
(+)(REG VALUE) DefaultSearchURL = ‘http://websearch.drsnsrch.com/q.cgi?q=’
A happy couple
November 4, 2006 on 8:33 pm | In Malware analysis | 2 Comments | Originally posted Jan 9 2005, 11:02 PM
Found on GeeksToGo:
O4 – HKLM\..\Run: [ntsmod] C:\WINDOWS\system32\ntsmod.exe
Requested the file and found another file mentioned inside called:
msts32.exe
Requested a copy for that as well and scanned online (KAV):
msts32.exe – archived by NSIS
msts32.exe/data0001 – OK
msts32.exe/data0002 – OK
msts32.exe/data0003 – OK
msts32.exe/data0004 – infected by Trojan.Win32.VB.rl
msts32.exe/data0005 – packed with UPX
msts32.exe/data0005 – OK
msts32.exe/data0005 – OK
Both files were written in Visual Basic and are under investigation.
After running msts32.exe, the following changes were made to my HijackThis log:
R3 – Default URLSearchHook is missing
O2 – BHO: Media Player support DLL – {2DC9D850-144D-11E1-B3C9-10805E499D95} – C:\WINDOWS\system32\mplay32.dll
Other important changes:
Recycler\Desktop.ini:
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{5ECE0BF7-7A99-4AD5-B2A3-1C8A8FDA7D92}</IDone>
<IDtwo>VT01</IDtwo>
<VERSION>200</VERSION>
One of the newly created executables in my system32 folder tried to contact:
69.20.20.161 port 80
Winlogon\Notify key in the registry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\iGshlpr.dll"
"Impersonate"=dword:00000000
"Logoff"="WinLogoff"
"Logon"="WinLogon"
"Shutdown"="WinShutdown"
Total Uninstall log of 10-1-2005 15:26:05
FILES
=====
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\0XQ701M3
(+)(FILE) Installer[1].exe = 15:14 10-01-05 610304 bytes
(FOLDER) C:\RECYCLER
(+)(FILE) desktop.ini = 15:14 10-01-05 165 bytes
(FOLDER) C:\WINDOWS
(*)(FILE) WindowsUpdate.log
13:30 10-01-05 377155 bytes ==> 15:14 10-01-05 377321 bytes
(FOLDER) C:\WINDOWS\system32
(+)(FILE) iGshlpr.dll = 15:14 10-01-05 223232 bytes
(+)(FILE) mplay32.dll = 13:00 31-03-01 126976 bytes
(+)(FILE) ntec32.exe = 11:58 09-12-04 26112 bytes
(+)(FILE) ntsmod.exe = 13:00 31-03-01 28672 bytes
(+)(FILE) sysdebug32.exe = 13:00 31-03-03 28672 bytes
REGISTRY
========
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\dtdp
(+)(REG VALUE) (Standaard) = ‘URL:dtdp Protocol’
(+)(REG VALUE) URL Protocol = ”
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\dtdp\shell
(+)(REG VALUE) (Standaard) = ”
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\dtdp\shell\open
(+)(REG VALUE) (Standaard) = ”
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\dtdp\shell\open\command
(+)(REG VALUE) (Standaard) = ‘”C:\WINDOWS\system32\sysdebug32.exe” “%1″‘
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\MPLAYSUPObj.MPLAYSUPObj
(+)(REG VALUE) (Standaard) = ‘Media Player support DLL’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\MPLAYSUPObj.MPLAYSUPObj\CurVer
(+)(REG VALUE) (Standaard) = ‘MPLAYSUPObj.MPLAYSUPObj.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\MPLAYSUPObj.MPLAYSUPObj.1
(+)(REG VALUE) (Standaard) = ‘Media Player support DLL’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\MPLAYSUPObj.MPLAYSUPObj.1\CLSID
(+)(REG VALUE) (Standaard) = ‘{2DC9D850-144D-11E1-B3C9-10805E499D95}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}
(+)(REG VALUE) (Standaard) = ‘Media Player support DLL’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}\InprocServer32
(+)(REG VALUE) (Standaard) = ‘C:\WINDOWS\system32\mplay32.dll’
(+)(REG VALUE) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}\ProgID
(+)(REG VALUE) (Standaard) = ‘MPLAYSUPObj.MPLAYSUPObj.1’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}\Programmable
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}\VersionIndependentProgID
(+)(REG VALUE) (Standaard) = ‘MPLAYSUPObj.MPLAYSUPObj’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{D869E0B1-0103-42C2-A1EB-C3A5D58787F4}
(+)(REG VALUE) (Standaard) = ”
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{D869E0B1-0103-42C2-A1EB-C3A5D58787F4}\Implemented Categories
(+)(REG VALUE) (Standaard) = ”
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{D869E0B1-0103-42C2-A1EB-C3A5D58787F4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
(+)(REG VALUE) (Standaard) = ”
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{D869E0B1-0103-42C2-A1EB-C3A5D58787F4}\InprocServer32
(+)(REG VALUE) (Standaard) = ‘C:\WINDOWS\system32\iGshlpr.dll’
(+)(REG VALUE) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{2DC9D84F-144D-11E1-B3C9-10805E499D95}
(+)(REG VALUE) (Standaard) = ‘ISTRAd32Obj’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{2DC9D84F-144D-11E1-B3C9-10805E499D95}\ProxyStubClsid
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{2DC9D84F-144D-11E1-B3C9-10805E499D95}\ProxyStubClsid32
(+)(REG VALUE) (Standaard) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{2DC9D84F-144D-11E1-B3C9-10805E499D95}\TypeLib
(+)(REG VALUE) (Standaard) = ‘{2DC9D842-144D-11E1-B3C9-10805E499D95}’
(+)(REG VALUE) Version = ‘1.0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}\1.0
(+)(REG VALUE) (Standaard) = ‘STRAd32 1.0 Type Library’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}\1.0\0
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}\1.0\0\win32
(+)(REG VALUE) (Standaard) = ‘C:\WINDOWS\system32\mplay32.dll’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}\1.0\FLAGS
(+)(REG VALUE) (Standaard) = ‘0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{2DC9D842-144D-11E1-B3C9-10805E499D95}\1.0\HELPDIR
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DC9D850-144D-11E1-B3C9-10805E499D95}
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
(+)(REG VALUE) {D869E0B1-0103-42C2-A1EB-C3A5D58787F4} = ”
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer
(+)(REG VALUE) Asynchronous = 0
(+)(REG VALUE) DllName = ‘C:\WINDOWS\system32\iGshlpr.dll’
(+)(REG VALUE) Impersonate = 0
(+)(REG VALUE) Logoff = ‘WinLogoff’
(+)(REG VALUE) Logon = ‘WinLogon’
(+)(REG VALUE) Shutdown = ‘WinShutdown’
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Clock
(+)(REG VALUE) sum = ‘1’
(-)(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
(-)(REG VALUE) {CFBFAE00-17A6-11D0-99CB-00C04FD64497} = ”
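Both Total Uninstall diffs above (the enhtb.dll one and this one) are long, and the entries that matter for persistence are scattered through hundreds of COM registration lines. As an added example, not the blog's own tooling, here is a small Python triage script that reads a log in this layout and reports only changes under the locations these posts keep turning up: Winlogon\Notify, Browser Helper Objects, Shell Extensions\Approved, Run keys, URLSearchHooks, the Internet Explorer Main/Search values, and shell\open\command protocol handlers such as the dtdp: one. The watch list, the category names and the sample log are assumptions constructed from entries quoted on this page.

```python
"""Triage a Total Uninstall style registry diff for persistence changes.
Assumed line layout (as pasted in the posts above):
  (+)(REGISTRY KEY) <path>        key added; (-) removed; no marker = unchanged parent
  (+)(REG VALUE) <name> = <data>  value added; (-) removed; (*) modified, next line <old> ==> <new>
"""
import re
from dataclasses import dataclass

# Registry locations worth a second look when they change (assumed watch list for
# this example, not exhaustive); matched case-insensitively inside the key path.
WATCHED_KEYS = [
    ("winlogon_notify",    r"\winlogon\notify"),
    ("bho",                r"\explorer\browser helper objects"),
    ("shell_ext_approved", r"\shell extensions\approved"),
    ("run_key",            r"\currentversion\run"),
    ("url_search_hook",    r"\internet explorer\urlsearchhooks"),
    ("ie_main",            r"\internet explorer\main"),
    ("ie_search",          r"\internet explorer\search"),
    ("protocol_handler",   r"\shell\open\command"),
]
LINE_RE = re.compile(r"^(?:\((?P<mark>[+\-*])\))?\((?P<kind>REGISTRY KEY|REG VALUE|FILE|FOLDER)\)\s*(?P<rest>.*)$")

@dataclass
class Finding:
    category: str   # name from WATCHED_KEYS
    change: str     # '+', '-' or '*'
    key: str        # full registry key path
    detail: str     # value line, "key added"/"key removed", or "<name>: <old> ==> <new>"

def classify(key):
    """Watch-list category for a key path, or None if it is not of interest."""
    low = key.lower()
    return next((name for name, needle in WATCHED_KEYS if needle in low), None)

def _plain(text):
    # Logs pasted into the blog carry typographic quotes; normalise them.
    return text.replace("\u2018", "'").replace("\u2019", "'").strip()

def parse_log(text):
    """Return a list of Finding objects for changes under watched keys."""
    findings, key, category, pending = [], None, None, None
    for line in map(_plain, text.splitlines()):
        if not line:
            continue
        if pending is not None:             # a (*) value waiting for its old ==> new line
            if "==>" in line:
                findings.append(Finding(category, "*", key, f"{pending}: {line}"))
                pending = None
                continue
            pending = None
        m = LINE_RE.match(line)
        if not m:
            continue                        # section headers, file-change continuations
        mark, kind, rest = m.group("mark") or "", m.group("kind"), m.group("rest")
        if kind in ("FILE", "FOLDER"):
            key = category = None           # not inside a registry key any more
        elif kind == "REGISTRY KEY":
            key, category = rest, classify(rest)
            if category and mark in ("+", "-"):
                findings.append(Finding(category, mark, key, "key added" if mark == "+" else "key removed"))
        elif category is not None:          # REG VALUE under a watched key
            if mark == "*":
                pending = rest
            elif mark in ("+", "-"):
                findings.append(Finding(category, mark, key, rest))
    return findings

def summarize(findings):
    """Number of findings per category, e.g. {'winlogon_notify': 4, ...}."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts

# Constructed sample built from entries quoted on this page (curly quotes kept as pasted).
SAMPLE_LOG = r"""REGISTRY
========
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\dtdp\shell\open\command
(+)(REG VALUE) (Standaard) = ‘"C:\WINDOWS\system32\sysdebug32.exe" "%1"’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{2DC9D850-144D-11E1-B3C9-10805E499D95}\InprocServer32
(+)(REG VALUE) (Standaard) = ‘C:\WINDOWS\system32\mplay32.dll’
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DC9D850-144D-11E1-B3C9-10805E499D95}
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
(+)(REG VALUE) {D869E0B1-0103-42C2-A1EB-C3A5D58787F4} = ‘’
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Installer
(+)(REG VALUE) Asynchronous = 0
(+)(REG VALUE) DllName = ‘C:\WINDOWS\system32\iGshlpr.dll’
(+)(REG VALUE) Logon = ‘WinLogon’
(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
(*)(REG VALUE) Search Page
‘http://www.google.com’ ==> ‘http://websearch.drsnsrch.com/sidesearch.cgi?uid=&id=0’
(-)(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
(-)(REG VALUE) {CFBFAE00-17A6-11D0-99CB-00C04FD64497} = ‘’
"""

if __name__ == "__main__":
    for f in parse_log(SAMPLE_LOG):
        print(f"[{f.change}] {f.category:<18} {f.key}\n      {f.detail}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

Run against a saved log instead of SAMPLE_LOG by passing the file's text to parse_log. Note that an unmarked (REGISTRY KEY) line is only context, so the Shell Extensions\Approved hit in the sample comes from its added CLSID value, not from the key itself, and the CLSID\...\InprocServer32 registration for mplay32.dll is deliberately not reported: the BHO entry that loads it is.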