Cleaning Alcan and some of its friends
November 11, 2006 on 9:37 pm | In Malware analysis | 3 CommentsOriginally posted Mar 19 2006, 03:02 PM
This is how the HijackThis log looked before I started:
Logfile of HijackThis v1.99.1
Scan saved at 13:57:23, on 19-3-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\wmplayer\wmplayer.exe
C:\WINDOWS\system32\p2pnetworking.exe
c:\mousepad3.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\UGlldGVy\command.exe
C:\WINDOWS\newfrn.exe
C:\Documents and Settings\Pieter\Bureaublad\HijackThis1991.exe
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Metallicas Window
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 – BHO: (no name) – {6001CDF7-6F45-471b-A203-0225615E35A7} – C:\WINDOWS\DH.dll
O4 – HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 – HKLM\..\Run: [winlog] winlog.exe
O4 – HKLM\..\Run: [newname] c:\\newname3.exe
O4 – HKLM\..\Run: [mousepad] c:\\mousepad3.exe
O4 – HKLM\..\Run: [keyboard] c:\\keyboard3.exe
O4 – HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 – HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 – HKLM\..\Run: [xp] p2pnetworking.exe
O4 – HKLM\..\RunServices: [xp] p2pnetworking.exe
O4 – HKLM\..\RunServices: [winlog] winlog.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 – DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) – http://update.microsoft.com/windowsupdate/…b?1141475166942
O23 – Service: Command Service (cmdService) – Unknown owner – C:\WINDOWS\UGlldGVy\command.exe
O23 – Service: Network Monitor – Unknown owner – C:\Program Files\Network Monitor\netmon.exe
The next shows how it looked after following the instructions here:
http://www.geekstogo.com/forum/index.php?showtopic=98929
Logfile of HijackThis v1.99.1
Scan saved at 13:59:30, on 19-3-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\UGlldGVy\command.exe
C:\Documents and Settings\Pieter\Bureaublad\HijackThis1991.exe
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Metallicas Window
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 – HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 – DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) – http://update.microsoft.com/windowsupdate/…b?1141475166942
O23 – Service: Command Service (cmdService) – Unknown owner – C:\WINDOWS\UGlldGVy\command.exe
Then fixed with HijackThis:
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
Then click Start > Run type services.msc > OK
In the list of services find:
Command Service (cmdService)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: cmdService
Installed Ewido and rebooted the computer to do a full scan with Ewido in safe mode
Report:
———————————————————
ewido anti-malware – Scan rapport
———————————————————
+ Gemaakt op: 14:26:34, 19-3-2006
+ Rapport samenvatting: 7DFEA1B3
+ Scan resultaten:
C:\WINDOWS\UGlldGVy\asappsrv.dll -> Adware.CommAd : Schoongemaakt met een backup
C:\WINDOWS\UGlldGVy\command.exe -> Adware.CommAd : Schoongemaakt met een backup
C:\Documents and Settings\Pieter\Cookies\pieter@media.top-banners[1].txt -> TrackingCookie.Top-banners : Schoongemaakt met een backup
C:\Documents and Settings\Pieter\Cookies\pieter@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Schoongemaakt met een backup
C:\Documents and Settings\Pieter\Cookies\pieter@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Schoongemaakt met een backup
HKU\S-1-5-21-1060284298-152049171-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Schoongemaakt met een backup
::Einde rapport
Boot back to normal mode and made the final HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 14:57:45, on 19-3-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Documents and Settings\Pieter\Bureaublad\HijackThis1991.exe
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Metallicas Window
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 – DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) – http://update.microsoft.com/windowsupdate/…b?1141475166942
O23 – Service: ewido security suite control – ewido networks – C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 – Service: ewido security suite guard – ewido networks – C:\Program Files\ewido anti-malware\ewidoguard.exe
All that was left to do was look in the folder C:\bintheredunthat
I found DR140306.exe which is an installer for Adware.DH
So it was safe to delete the entire folder.
3 Comments »
RSS feed for comments on this post. TrackBack URI
Leave a comment
Powered by WordPress with Pool theme design by Borja Fernandez.
Entries and comments feeds.
Valid XHTML and CSS. ^Top^
Originally posted Mar 19 2006, 06:16 PM
The bfu-script has been adapted to do this part for you:
QUOTE
Then click Start > Run type services.msc > OK
In the list of services find:
Command Service (cmdService)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: cmdService
Comment by metallica — November 11, 2006 #
Originally posted Apr 17 2006, 12:40 PM
cd\
cd bintheredunthat
dir /x > directory.txt
start notepad directory.txt
Copy the code above into notepad and save it as dirlong.bat
Set Filetype to “All files”
Start the file by doubleclicking dirlong.bat
That will open a file called directory.txt
Post the content of that file.
Comment by metallica — November 11, 2006 #
cake chocolate
Trackback by cake chocolate — April 22, 2007 #