coolpics hijacker

November 12, 2006 on 10:05 pm | In Malware analysis | 4 Comments

A few victims came looking for help at the WildersSecurity forums.

One of them provided me with the installer.
A trick I hadn't seen before was removing the Run option from the Start menu.

I noticed this when I found this entry in a Combofix log:
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRun"=dword:00000001

Together with the victims at the WildersSecurity forums a fix was worked out and tested:
http://www.geekstogo.com/forum/How_to_remove_the_coolpicscom_hijacker-t137346.html

Running the installer produced the following Total Uninstall log:

MyComputer
===============

File System
===============
(FOLDER) C:\WINDOWS\Prefetch
(+)(FILE) SVCHOST32.EXE-20192F81.pf = 19:39 06/11/06 21320 bytes
(+)(FILE) SVCHOST32.EXE-2633C3EE.pf = 20:05 06/11/06 13294 bytes
(FOLDER) C:\WINDOWS\system
(+)(FILE) svchost32.exe = 19:39 06/11/06 185386 bytes
(+)(FILE) svhost.exe = 20:05 06/11/06 10752 bytes

Registry
===============

(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View\YMSGR_buzz
(+)(REG VAL) content url = ‘http://thecoolpics.com’
(+)(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Yahoo\pager\View\YMSGR_Launchcast
(+)(REG VAL) content url = ‘http://thecoolpics.com’
(REG KEY) HKEY_USERS\S-1-5-21-839522115-1708537768-1202660629-1003\Software\Microsoft\Internet Explorer\Main
(*)(REG VAL) Start Page
‘http://www.oldhomepage.com’ ==> ‘http://thecoolpics.com’
(+)(REG KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
(+)(REG VAL) DisableRegistryTools = 1
(+)(REG VAL) DisableTaskMgr = 1
(REG KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
(+)(REG VAL) NoRun = 1
(+)(REG KEY) HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel
(+)(REG VAL) Homepage = 1
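The Total Uninstall registry diff above is compact enough to parse mechanically. As an added example (not code from the original post), the Python below reads that format, collects the values the installer added or changed, and flags the lockdown policies (NoRun, DisableRegistryTools, DisableTaskMgr, the IE Homepage policy) together with the Start Page change; the sample log is a constructed excerpt of the entries above.

```python
"""Parse the registry section of a Total Uninstall log and flag the policy
lockdowns and Internet Explorer start-page change the installer made.
Added example, not part of the original post."""
import re

# Constructed excerpt of the log quoted above (straight quotes instead of the
# blog's typographic ones).
SAMPLE_LOG = """\
(+)(REG KEY) HKEY_USERS\\S-1-5-21-839522115-1708537768-1202660629-1003\\Software\\Yahoo\\pager\\View\\YMSGR_buzz
(+)(REG VAL) content url = 'http://thecoolpics.com'
(REG KEY) HKEY_USERS\\S-1-5-21-839522115-1708537768-1202660629-1003\\Software\\Microsoft\\Internet Explorer\\Main
(*)(REG VAL) Start Page
'http://www.oldhomepage.com' ==> 'http://thecoolpics.com'
(+)(REG KEY) HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
(+)(REG VAL) DisableRegistryTools = 1
(+)(REG VAL) DisableTaskMgr = 1
(REG KEY) HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
(+)(REG VAL) NoRun = 1
(+)(REG KEY) HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Internet Explorer\\Control Panel
(+)(REG VAL) Homepage = 1
"""

# Policy values (key suffix, value name) that lock the user out of the tools
# needed to clean up, mapped to what they do.  Value 1 means "enabled".
LOCKDOWN_POLICIES = {
    ("policies\\system", "disableregistrytools"): "Registry Editor blocked",
    ("policies\\system", "disabletaskmgr"): "Task Manager blocked",
    ("policies\\explorer", "norun"): "Start > Run removed",
    ("internet explorer\\control panel", "homepage"): "IE home page locked",
}

KEY_RE = re.compile(r"^(?:\(\+\))?\(REG KEY\) (.+)$")      # new or touched key
ADD_RE = re.compile(r"^\(\+\)\(REG VAL\) (.+?) = (.+)$")    # added value
MOD_RE = re.compile(r"^\(\*\)\(REG VAL\) (.+)$")            # modified value...
CHG_RE = re.compile(r"^'(.*)' ==> '(.*)'$")                 # ...followed by old ==> new


def parse_registry_changes(log_text):
    """Return [(key, value_name, old, new)]; old is None for added values."""
    changes = []
    current_key = None
    pending = None  # name of a (*) value waiting for its old ==> new line
    for raw in log_text.splitlines():
        line = raw.strip()
        if pending is not None:
            m = CHG_RE.match(line)
            if m:
                changes.append((current_key, pending, m.group(1), m.group(2)))
                pending = None
                continue
            pending = None  # malformed entry: drop it rather than misattribute
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = ADD_RE.match(line)
        if m and current_key is not None:
            changes.append((current_key, m.group(1), None, m.group(2).strip("'")))
            continue
        m = MOD_RE.match(line)
        if m and current_key is not None:
            pending = m.group(1)
    return changes


def find_lockdowns(changes):
    """Map each lockdown policy value that was set to 1 to a short description."""
    hits = {}
    for key, name, _old, new in changes:
        for (suffix, vname), desc in LOCKDOWN_POLICIES.items():
            if key.lower().endswith(suffix) and name.lower() == vname and new == "1":
                hits[name] = desc
    return hits


def find_start_page_change(changes):
    """Return (old, new) if the IE Start Page was modified, else None."""
    for key, name, old, new in changes:
        if (key.lower().endswith("internet explorer\\main")
                and name.lower() == "start page" and old is not None):
            return (old, new)
    return None


if __name__ == "__main__":
    found = parse_registry_changes(SAMPLE_LOG)
    for name, desc in find_lockdowns(found).items():
        print(f"lockdown: {name} -> {desc}")
    print("start page:", find_start_page_change(found))
```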


Warning Internet Gamebox

November 11, 2006 on 9:45 pm | In Malware analysis | 18 Comments

Originally posted Aug 11 2006, 01:10 PM

InternetGamebox is available from the .com site with the same name.

This so-called "Totally Free" software installs adware on your computer that behaves like a rootkit; in other words, it hides itself from Windows to avoid being detected.
This malware is also spread by Mailskinner and is usually called EGDAccess or NaviPromo.

If you are lucky all it does is display ads in pop-unders, but if you are connected to the net by dial-up it could also “spice up” your phone-bill.

If you are infected with this adware, please follow this procedure:
Download Brute Force Uninstaller: http://www.merijn.org/files/bfu.zip
Unzip it to its own folder (c:\BFU)

RIGHT-CLICK HERE: http://metallica.geekstogo.com/EGDACCESS.bfu and choose "Save As" (in IE it's "Save Target As") in order to download the EGDACCESS remover script. Save it in the folder you made earlier (c:\BFU).

Start the Brute Force Uninstaller by double-clicking BFU.exe.

In the "Scriptline to execute" box, copy and paste c:\bfu\EGDACCESS.bfu
Press Execute and let it do its job.

Wait for the "Complete script execution" box to pop up and press OK.
Press Exit to terminate the BFU program.

Then reboot your computer and look for the file C:\egd.txt that was created by the script.
Post the content of that file on the Malware Removal forum, explaining what you did. Also look at the content of the folder bfubackups in your System(32) folder; this folder was also created by the script. Let the helper know if any files were in that folder and, if so, what they are called.

If I have some time I’ll infect a Virtual Machine shortly and post my findings here.
Done that. Results below.

Well, I installed InternetGamebox and it is definitely bad news.
Besides trying to harvest email addresses (it asks you to send a message to your friends from an online form), it also installs the NaviPromo/EGDAccess rootkit.

Here is what I found with Blacklight:


After renaming those files and rebooting HijackThis showed the startup entry:

Submitting the file wmjglyxr.exe to one of the online scanners confirmed what we already suspected:
File: wmjglyxr.exe
SHA-1 Digest: a124914f2ae67742e3326b2230edc10ee7447cc3
Packers: PECompact v2.00
Status: Infected or Malware

Although none of the scanners identifies it correctly. (I’ll make sure that changes shortly.)

Cleaning Alcan and some of its friends

November 11, 2006 on 9:37 pm | In Malware analysis | 3 Comments

Originally posted Mar 19 2006, 03:02 PM

This is how the HijackThis log looked before I started:

Logfile of HijackThis v1.99.1
Scan saved at 13:57:23, on 19-3-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\wmplayer\wmplayer.exe
C:\WINDOWS\system32\p2pnetworking.exe
c:\mousepad3.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\UGlldGVy\command.exe
C:\WINDOWS\newfrn.exe
C:\Documents and Settings\Pieter\Bureaublad\HijackThis1991.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Metallicas Window
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 – BHO: (no name) – {6001CDF7-6F45-471b-A203-0225615E35A7} – C:\WINDOWS\DH.dll
O4 – HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 – HKLM\..\Run: [winlog] winlog.exe
O4 – HKLM\..\Run: [newname] c:\\newname3.exe
O4 – HKLM\..\Run: [mousepad] c:\\mousepad3.exe
O4 – HKLM\..\Run: [keyboard] c:\\keyboard3.exe
O4 – HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 – HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 – HKLM\..\Run: [xp] p2pnetworking.exe
O4 – HKLM\..\RunServices: [xp] p2pnetworking.exe
O4 – HKLM\..\RunServices: [winlog] winlog.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 – DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) –
http://update.microsoft.com/windowsupdate/…b?1141475166942
O23 – Service: Command Service (cmdService) – Unknown owner – C:\WINDOWS\UGlldGVy\command.exe
O23 – Service: Network Monitor – Unknown owner – C:\Program Files\Network Monitor\netmon.exe

The next log shows how it looked after following the instructions here:
http://www.geekstogo.com/forum/index.php?showtopic=98929

Logfile of HijackThis v1.99.1
Scan saved at 13:59:30, on 19-3-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\UGlldGVy\command.exe
C:\Documents and Settings\Pieter\Bureaublad\HijackThis1991.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Metallicas Window
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 – HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 – DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) –
http://update.microsoft.com/windowsupdate/…b?1141475166942
O23 – Service: Command Service (cmdService) – Unknown owner – C:\WINDOWS\UGlldGVy\command.exe

Then fixed with HijackThis:
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

Then click Start > Run, type services.msc and click OK.
In the list of services find:
Command Service (cmdService)
Right-click that line and choose Properties.
On the General tab click Stop and set the Startup type to Disabled.
In HijackThis click Config > Misc Tools > Delete an NT service.
In the dialog box paste: cmdService

Installed Ewido and rebooted the computer to do a full scan with Ewido in safe mode.

Report:
———————————————————
ewido anti-malware – Scan rapport
———————————————————

+ Gemaakt op: 14:26:34, 19-3-2006
+ Rapport samenvatting: 7DFEA1B3

+ Scan resultaten:

C:\WINDOWS\UGlldGVy\asappsrv.dll -> Adware.CommAd : Schoongemaakt met een backup
C:\WINDOWS\UGlldGVy\command.exe -> Adware.CommAd : Schoongemaakt met een backup
C:\Documents and Settings\Pieter\Cookies\pieter@media.top-banners[1].txt -> TrackingCookie.Top-banners : Schoongemaakt met een backup
C:\Documents and Settings\Pieter\Cookies\pieter@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Schoongemaakt met een backup
C:\Documents and Settings\Pieter\Cookies\pieter@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Schoongemaakt met een backup
HKU\S-1-5-21-1060284298-152049171-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Schoongemaakt met een backup
::Einde rapport

Booted back into normal mode and made the final HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:57:45, on 19-3-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Documents and Settings\Pieter\Bureaublad\HijackThis1991.exe

R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Metallicas Window
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 – DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) –
http://update.microsoft.com/windowsupdate/…b?1141475166942
O23 – Service: ewido security suite control – ewido networks – C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 – Service: ewido security suite guard – ewido networks – C:\Program Files\ewido anti-malware\ewidoguard.exe

All that was left to do was look in the folder C:\bintheredunthat.
There I found DR140306.exe, which is an installer for Adware.DH, so it was safe to delete the entire folder.

PurityScan.MediaTickets

November 11, 2006 on 9:33 pm | In Malware analysis | No Comments

Originally posted Feb 11 2006, 01:42 PM

Found here on GeeksToGo
C:\WINDOWS\system32\??crosoft.NET\ati2evxx.exe

Showed up in the log as:
O4 – HKCU\..\Run: [Asciprip] C:\WINDOWS\system32\??crosoft.NET\ati2evxx.exe

and returned as:
O4 – HKCU\..\Run: [Aepr] “C:\Programfiler\eooe\rwoc.exe” -vt ndrv

When run, ati2evxx.exe tries to contact one of these IPs:
63.251.135.15
66.150.193.103

It fetched a file called !update.exe and put it in
C:\Documents and Settings\[user]\Local Settings\Temp
In turn this file also contacted those two IPs and made a similar entry to the one we saw above:
O4 – HKCU\..\Run: [Trdc] “C:\Program Files\betw\tdso.exe” -vt ndrv
where tdso.exe is a copy of !update.exe.
It gives that file the hidden and system attributes.

Other files and changes monitored are in the Total Uninstall log below.

Files
===============
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\0LEJSHUZ
(+)(FILE) !update-3395[1].0000 = 12:19 11-02-06 70144 bytes
(+)(FILE) campaigns11_3[1].bin = 12:18 11-02-06 35029 bytes
(+)(FILE) campaigns23_3[1].bin = 12:19 11-02-06 32782 bytes
(+)(FILE) campaigns7_3[1].bin = 12:19 11-02-06 30690 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\4H2ZWXQ7
(+)(FILE) campaigns10_3[1].bin = 12:19 11-02-06 33585 bytes
(+)(FILE) campaigns18_3[1].bin = 12:19 11-02-06 30781 bytes
(+)(FILE) campaigns25_3[1].bin = 12:18 11-02-06 36597 bytes
(+)(FILE) campaigns9_3[1].bin = 12:19 11-02-06 43011 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\KPUB81AN
(+)(FILE) campaigns13_3[1].bin = 12:19 11-02-06 32200 bytes
(+)(FILE) campaigns20_3[1].bin = 12:19 11-02-06 37629 bytes
(+)(FILE) campaigns3_3[1].bin = 12:19 11-02-06 38099 bytes
(+)(FILE) notify[1].htm = 12:19 11-02-06 19 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\S1Y785E3
(+)(FILE) campaigns12_3[1].bin = 12:19 11-02-06 39033 bytes
(+)(FILE) campaigns16_3[1].bin = 12:18 11-02-06 36191 bytes
(+)(FILE) campaigns4_3[1].bin = 12:19 11-02-06 34490 bytes
(+)(FILE) campaigns5_3[1].bin = 12:19 11-02-06 35972 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\SLI3W16B
(+)(FILE) campaigns_5[1].bin = 12:19 11-02-06 31138 bytes
(+)(FILE) campaigns17_3[1].bin = 12:19 11-02-06 33944 bytes
(+)(FILE) campaigns6[1].encrypted = 12:18 11-02-06 1338 bytes
(+)(FILE) campaigns8_3[1].bin = 12:19 11-02-06 37548 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\SV9F2IFH
(+)(FILE) campaigns14_3[1].bin = 12:19 11-02-06 32586 bytes
(+)(FILE) campaigns24_3[1].bin = 12:19 11-02-06 32287 bytes
(+)(FILE) campaigns6_3[1].bin = 12:19 11-02-06 37883 bytes
(+)(FILE) ver2[1].php4 = 12:18 11-02-06 3233 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\TK0JXPG1
(+)(FILE) campaigns22_3[1].bin = 12:19 11-02-06 27639 bytes
(+)(FILE) campaigns27_3[1].bin = 12:18 11-02-06 33056 bytes
(+)(FILE) campaigns28_3[1].bin = 12:19 11-02-06 54188 bytes
(+)(FILE) notify[1].htm = 12:19 11-02-06 19 bytes
(FOLDER) C:\Documents and Settings\Pieter\Local Settings\Temporary Internet Files\Content.IE5\WXY7W9YV
(+)(FILE) campaigns_f[1].bin = 12:19 11-02-06 8622 bytes
(+)(FILE) campaigns15_3[1].bin = 12:19 11-02-06 32631 bytes
(+)(FILE) campaigns26_6[1].bin = 12:19 11-02-06 30776 bytes
(+)(FILE) client_settings_3[1].bin = 12:18 11-02-06 224 bytes
(+)(FILE) notify[1].htm = 12:19 11-02-06 19 bytes
(FOLDER) C:\WINDOWS\Prefetch
(+)(FILE) !UPDATE.EXE-1E29EDD3.pf = 12:19 11-02-06 24770 bytes
(+)(FILE) ATI2EVXX.EXE-20933439.pf = 12:18 11-02-06 32890 bytes
(+)(FILE) TDSO.EXE-3A5781A3.pf = 12:19 11-02-06 47812 bytes

Registry
===============
(+)(REG KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Dlrh
(+)(REG VALUE) Cral = …#.x..
(+)(REG VALUE) Ecul = ..E`…q…+…3.o.9..|X……i.X.k…..F.E}.[2…….S.
(+)(REG VALUE) Elsu = $.E`W..q…N
(+)(REG VALUE) Etet = %.E`.M .
(+)(REG VALUE) Rrpb = …#.x..
(+)(REG VALUE) Ttoa = 1
(+)(REG KEY) HKEY_USERS\S-1-5-21-1947229034-1613120521-1437238077-1008\Software\Swhs
(+)(REG VALUE) Cabp = Er7.j..G…E.. …T.s.~…>
(+)(REG VALUE) Oate = L..#…q.{m.
(+)(REG VALUE) Romn = (..#..1.
(+)(REG KEY) HKEY_CURRENT_USER\Software\Dlrh
(+)(REG VALUE) Cral = …#.x..
(+)(REG VALUE) Ecul = ..E`…q…+…3.o.9..|X……i.X.k…..F.E}.[2…….S.
(+)(REG VALUE) Elsu = $.E`W..q…N
(+)(REG VALUE) Etet = %.E`.M .
(+)(REG VALUE) Rrpb = …#.x..
(+)(REG VALUE) Ttoa = 1
(+)(REG KEY) HKEY_CURRENT_USER\Software\Swhs
(+)(REG VALUE) Cabp = Er7.j..G…E.. …T.s.~…>
(+)(REG VALUE) Oate = L..#…q.{m.
(+)(REG VALUE) Romn = (..#..1.
(REG KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
(+)(REG VALUE) Trdc = ‘”C:\Program Files\betw\tdso.exe” -vt ndrv’

Vundo MFCOptimize

November 11, 2006 on 9:30 pm | In Malware analysis | 1 Comment

Originally posted Feb 5 2006, 10:32 PM

Just passing on some kudos here. 😎

My friend and teacher Tony Klein pointed me to this thread:
http://castlecops.com/postlite146184-.html

He does that sometimes when he finds something new and exciting and wants a copy of the files involved.
There is a lot going on in that log, but this is what got his attention:

O2 – BHO: MFCOptimizeClass Object – {A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} – C:\WINDOWS\System32\ssqrs.dll

O20 – Winlogon Notify: ssqrs – C:\WINDOWS\System32\ssqrs.dll

The entries are typical for Vundo but the CLSID and the name of the BHO were new.

The victim found the file and made it available to us, so we could investigate.
Atribune, who wrote the VundoFix that helpers all over the net are using to fight these infections, immediately adapted his program so that it would tackle this variant as well.

And with success, needless to add.

Spotted, harvested and added for detection and removal in under 7 hours.
By a couple of volunteers. I thought that deserved a round of applause.  😆

Changes made by registering ssqrs.dll

==========
Filesystem
==========
    (FOLDER) C:\WINDOWS\system32
      (+)(FILE) srqss.ini = 16:09 05-02-06 418 bytes
      (+)(FILE) ssqrs.dll = 16:14 04-02-06 565300 bytes
   
=========
Registry
=========
    (+)(REG KEY) HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass
      (+)(REG VALUE) (Standaard) = ‘MFCOptimizeClass Object’
    (+)(REG KEY) HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass\CLSID
      (+)(REG VALUE) (Standaard) = ‘{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}’
    (+)(REG KEY) HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass\CurVer
      (+)(REG VALUE) (Standaard) = ‘MFCOptimizeClass.MFCOptimizeClass.1’
    (+)(REG KEY) HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass.1
      (+)(REG VALUE) (Standaard) = ‘MFCOptimizeClass Object’
    (+)(REG KEY) HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass.1\CLSID
      (+)(REG VALUE) (Standaard) = ‘{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}’
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}
      (+)(REG VALUE) (Standaard) = ‘MFCOptimizeClass Object’
      (+)(REG VALUE) AppID = ”
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}\InprocServer32
      (+)(REG VALUE) (Standaard) = ‘C:\WINDOWS\system32\ssqrs.dll’
      (+)(REG VALUE) ThreadingModel = ‘apartment’
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}\ProgID
      (+)(REG VALUE) (Standaard) = ‘MFCOptimizeClass.MFCOptimizeClass.1’
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}\Programmable
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}\TypeLib
      (+)(REG VALUE) (Standaard) = ‘{BAD59A24-6891-417D-A041-C8FD495B77F1}’
    (+)(REG KEY) HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}\VersionIndependentProgID
      (+)(REG VALUE) (Standaard) = ‘MFCOptimizeClass.MFCOptimizeClass’
    (+)(REG KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}
    (+)(REG KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrs
      (+)(REG VALUE) Asynchronous = 1
      (+)(REG VALUE) DllName = ‘C:\WINDOWS\system32\ssqrs.dll’
      (+)(REG VALUE) Impersonate = 0
      (+)(REG VALUE) Logoff = ‘SysLogoff’
      (+)(REG VALUE) Startup = ‘SysLogon’

The easy way of course is to download and run VundoFix as advised below:

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
Put a check next to "Run VundoFix as a task".
You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click Yes.
Once you click Yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shut down your computer; click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HijackThis log.

This works now that the fix has been updated.

The method below describes how I got rid of it the first time.
#####################################################################
Download and install Process Explorer from:
http://www.sysinternals.com/Utilities/ProcessExplorer.html

Download Advanced Process Manipulation from:
http://www.diamondcs.com.au/index.php?page=apm

Download Killbox from:
http://www.bleepingcomputer.com/files/killbox.php

Copy the registry block below into Notepad and save it directly to the root directory as vundoh.reg.
Set the file type to "All files" (the file should now be at C:\vundoh.reg).


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrs]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}]

[-HKEY_CLASSES_ROOT\CLSID\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}]

[-HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass]

[-HKEY_CLASSES_ROOT\MFCOptimizeClass.MFCOptimizeClass.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9}]
"Compatibility Flags"=dword:00000400

Reboot into safe mode

Open Process Explorer.
Scroll down in the main window and find winlogon.exe
Right click on winlogon.exe and select Suspend
Leave Process Explorer open.
Now run HijackThis and put checkmarks in front of these two lines
O2 – BHO: MFCOptimizeClass Object – {A6CEA0E7-6B4D-4CD9-9932-D85705CBC1A9} – C:\WINDOWS\System32\ssqrs.dll

O20 – Winlogon Notify: ssqrs – C:\WINDOWS\System32\ssqrs.dll

Do NOT fix them yet

Now open Advanced Process Manipulation by double-clicking APM.exe.
Scroll down in the main window and find c:\windows\explorer.exe
Click on the entry and that will display a list of files in the second window.
Scroll down the list in the second window and find C:\WINDOWS\System32\ssqrs.dll
Right click on that entry and select Unload DLL
You will now lose your Start Bar and Desktop Icons. This is normal.
Leave Advanced Process Manipulation open
Go back to Process Explorer window.
Click File > Run
In the run box type regedit.exe /s C:\vundoh.reg
Back in Advanced Process Manipulation.
Scroll down in the main window and find c:\windows\system32\winlogon.exe
Click on the entry and that will display a list of files in the second window.
Scroll down the list in the second window and find C:\WINDOWS\System32\ssqrs.dll
Right click on that entry and select Unload DLL
You will have to click OK about six times
In HijackThis click Fix checked. You will be prompted you are about to remove a BHO. That’s what you want.

Go back to Process Explorer window.
Click File > Run
Enter the path to Killbox
In the killbox program, select the Delete on Reboot option.
Select this file to be deleted: C:\WINDOWS\System32\ssqrs.dll
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt.

Now back in Process Explorer.
Find winlogon.exe again.
Right click on winlogon.exe and select Resume
This should reboot your computer automatically.
####################################

alibaba.com

November 11, 2006 on 9:17 pm | In Malware analysis | 1 Comment

Originally posted Jan 21 2006, 07:55 PM

After I figured out this hijacker I found several people complaining about a svchost.exe in the wrong directory that kept returning, and about a Trojan.Downloader being detected that their antivirus couldn't remove.

This malware is started via the ShellExecuteHooks key, which does not show up in a HijackThis log.

The keys involved look like this:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00212521-4FEF-4AD3-B3AA-E0531B8DC123}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}\InprocServer32]
@="C:\\WINDOWS\\system32\\usbadpt32.dll"

What happens is that usbadpt32.dll downloads and runs C:\WINDOWS\System32\DirectX\svchost.exe.

That file downloads WITBLOG.OCX and/or MSDATGRPS.OCX and places them in the system directory.
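Both the Vundo entry earlier on this page (a Winlogon\Notify package) and this ShellExecuteHooks loader are autostart locations a helper has to dig out of the registry by hand. As an added example, not part of the original post, the Python below parses a REGEDIT4-style export, resolves each ShellExecuteHooks CLSID to its InprocServer32 DLL, lists every Winlogon\Notify package with its DllName, and flags anything not on a small assumed allow-list. The sample export is constructed from the keys quoted on this page plus one assumed benign shell32.dll hook for contrast.

```python
"""Audit two autostart locations that HijackThis did not show (Explorer's
ShellExecuteHooks, used by the alibaba loader) or that helpers had to check
by hand (Winlogon\\Notify packages, used by the Vundo variant above).
Added example, not part of the original post."""
import re

# Constructed REGEDIT4 export: the keys quoted on this page plus one assumed
# benign ShellExecuteHooks entry pointing at shell32.dll for contrast.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{00212521-4FEF-4AD3-B3AA-E0531B8DC123}"=""
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}\InprocServer32]
@="C:\\WINDOWS\\system32\\usbadpt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssqrs]
"DllName"="C:\\WINDOWS\\system32\\ssqrs.dll"
"Asynchronous"=dword:00000001
"""

SEH_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"
NOTIFY_PREFIX = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify" + "\\"
INPROC_KEY = r"hkey_local_machine\software\classes\clsid\{}\inprocserver32"

# Assumed allow-list: the only DLL expected in these locations on a clean XP box.
KNOWN_GOOD = {"shell32.dll"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}}, all lower-cased; '@' is the default value."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = m.group(1)
            if name != "@":
                name = name[1:-1].lower()  # drop the surrounding quotes
            current[name] = m.group(2)
    return keys


def reg_string(data):
    """Decode a quoted REGEDIT4 string (backslashes are doubled); None for other types."""
    if data and len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return None


def basename(path):
    """Lower-cased file name of a Windows path; empty string for None."""
    return (path or "").rsplit("\\", 1)[-1].lower()


def audit_shell_execute_hooks(keys):
    """Resolve each hook CLSID to its InprocServer32 DLL: [(clsid, dll, suspicious)]."""
    findings = []
    for clsid in keys.get(SEH_KEY, {}):
        server = keys.get(INPROC_KEY.format(clsid), {}).get("@")
        dll = reg_string(server) if server else None
        # A hook whose CLSID has no in-process server, or whose DLL is not on
        # the allow-list, needs a closer look.
        findings.append((clsid, dll, dll is None or basename(dll) not in KNOWN_GOOD))
    return findings


def audit_winlogon_notify(keys):
    """List every Winlogon\\Notify package with its DllName: [(package, dll, suspicious)]."""
    findings = []
    for key, values in keys.items():
        if key.startswith(NOTIFY_PREFIX):
            dll = reg_string(values.get("dllname", ""))
            findings.append((key[len(NOTIFY_PREFIX):], dll, basename(dll) not in KNOWN_GOOD))
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for clsid, dll, bad in audit_shell_execute_hooks(parsed):
        print(f"ShellExecuteHook {clsid} -> {dll} {'SUSPICIOUS' if bad else 'ok'}")
    for pkg, dll, bad in audit_winlogon_notify(parsed):
        print(f"Winlogon\\Notify\\{pkg} -> {dll} {'SUSPICIOUS' if bad else 'ok'}")
```

On a live machine the same logic applies to the output of regedit.exe /e for those keys; a hook or notify package whose DLL is not accounted for is exactly what the BFU script and the VundoFix steps on this page remove.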

The cure:

Download and unzip BFU from http://www.merijn.org/files/bfu.zip

Download the BFU script located at this URL:
http://metallica.geekstogo.com/alibaba.bfu
and place it in the same folder as BFU.exe.


Close as many programs as possible since this script will reboot your computer.
Your taskbar will also disappear during the procedure. This is normal.

Double-click BFU.exe to run the program.
Use the folder symbol to find and select the alibaba.bfu you have downloaded.

Execute the script by clicking the Execute button.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

For those unable to download the script: copy the code in the block below into Notepad and save it as alibaba.bfu in the same folder as BFU.exe.
Set the file type to "All files".


RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}
RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks|{00212521-4FEF-4AD3-B3AA-E0531B8DC123}

OptionUnloadShell
FileDelete %SYSDIR%\usbadpt32.dll
FileDelete %SYSDIR%\DirectX\svchost.exe
FileDelete %SYSDIR%\WITBLOG.OCX
FileDelete %SYSDIR%\MSDATGRPS.OCX

RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{09F59435-7814-48ED-A73A-96FF861A91EB}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{0C588F7D-A2B3-4001-B59B-D856C1BF3AD7}
RegDeleteKey HKLM\SOFTWARE\Classes\CLSID\{850B69E4-90DB-4F45-8621-891BF35A5B53}
RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{42CB709C-A1D6-4C3A-9F9C-B077FF86A760}
RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{63C8AF31-AD6E-417C-BF8B-48B96E95DC25}
RegDeleteKey HKLM\SOFTWARE\Classes\Interface\{AB44756F-FCE0-454D-AF29-930B89BB44D2}
RegDeleteKey HKLM\SOFTWARE\Classes\TypeLib\{448F1BD5-C41A-4551-83CF-8CD2309ABC66}
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaButton
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaButton.1
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaSearchBar
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.AlibabaSearchBar.1
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.ShowBarObject
RegDeleteKey HKLM\SOFTWARE\Classes\AlibabaIEToolBar.ShowBarObject.1
RegDeleteKey HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{09F59435-7814-48ED-A73A-96FF861A91EB}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{09F59435-7814-48ED-A73A-96FF861A91EB}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{13b0c05c-ef05-4bf6-b0ea-f6111af25544}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{850B69E4-90DB-4F45-8621-891BF35A5B53}
RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alibaba Toolbar
RegDeleteKey HKLM\SOFTWARE\Ablibaba

FolderDelete %SYSDIR%\alitb
FolderDelete %SYSDIR%\alitb1
FolderDelete %SYSDIR%\alitb2
FolderDelete %SYSDIR%\alitb3

SystemRestart Let the computer reboot now|1

Mystery popup

November 11, 2006 on 9:13 pm | In Malware analysis | No Comments

Originally posted Dec 18 2005, 02:46 PM

Maybe not spyware, but we can’t be sure at the moment.

Recently a lot of people started experiencing this error when they try to run IE:

The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.

I found a fix posted on several forums and groups.

Basically it comes down to:

Click Start > Run, copy this command into the box:
regedit.exe /e C:\RPCKDM.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCKDM"
and then click OK to execute it.

This should create the file:
C:\RPCKDM.txt
Save that file as a backup for what we are about to remove.

Open Notepad and copy and paste the block below into it
(don't forget to copy and paste the REGEDIT4 line):

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RPCKDM]


Save this as fix.reg, choosing "All files" as the file type, and place it on your desktop.
This is how the .reg file should look afterwards (screenshot not reproduced here).
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.

Reboot and open your Internet Explorer.
Let me know if that solved the problem.
What I have gathered so far is that most (if not all) of the users were running Windows 2000 and IE 6 SP1.
Some report receiving a popup that might have been the cause.
After they had closed that popup they were unable to get IE back up again.

If anyone reads this who knows where we can find this popup or what is causing this behavior, please let me know.

I’d like to find out if it does anything else and how we can stop it.

surfya dialer

November 11, 2006 on 4:35 pm | In Malware analysis | 1 Comment

Originally posted Aug 17 2005, 09:03 PM

ActiveX dialer. When installed it makes these changes:

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\SAMPLE.EXE.

[ Changes to registry ]
* Creates key “HKLM\Software\IEACCESS”.
* Sets value “title”=”SurfYa.com” in key “HKLM\Software\IEACCESS”.
* Creates key “HKLM\Software\IEACCESS\restore”.
* Creates key “HKLM\Software\IEACCESS\restore\Start Page”.
* Sets value “value”=”about:blank” in key “HKLM\Software\IEACCESS\restore\Start Page”.
* Sets value “key”=”Software\Microsoft\Internet Explorer\Main” in key “HKLM\Software\IEACCESS\restore\Start Page”.
* Sets value “hkey”=”” in key “HKLM\Software\IEACCESS\restore\Start Page”.
* Modifies value “Start Page”=”http://community.surfya.com/” in key “HKCU\Software\Microsoft\Internet Explorer\Main”.
* Creates key “HKLM\Software\IEACCESS\restore\DefaultInternet”.
* Creates key “HKLM\Software\IEACCESS\restore\InternetProfile”.
* Sets value “value”=”MyProfile” in key “HKLM\Software\IEACCESS\restore\InternetProfile”.
* Sets value “key”=”RemoteAccess” in key “HKLM\Software\IEACCESS\restore\InternetProfile”.
* Sets value “hkey”=”” in key “HKLM\Software\IEACCESS\restore\InternetProfile”.
* Creates key “HKLM\Software\IEACCESS\restore\EnableAutodial”.
* Sets value “value”=”” in key “HKLM\Software\IEACCESS\restore\EnableAutodial”.
* Sets value “key”=”Software\Microsoft\Windows\CurrentVersion\Internet Settings” in key “HKLM\Software\IEACCESS\restore\EnableAutodial”.
* Sets value “hkey”=”” in key “HKLM\Software\IEACCESS\restore\EnableAutodial”.
* Creates value “IEACCESS”=”C:\WINDOWS\SYSTEM\SAMPLE.EXE -N” in key “HKLM\Software\Microsoft\Windows\CurrentVersion\Run”.

[ Changes to system settings ]
* Enumerates RAS connections.
* Set dialer properties to dial () 08718731247.

Entries in a HijackThis log (the sandbox ran the file as SAMPLE.EXE; on a victim's machine the same Run entry points at surfya.exe):
O4 – HKLM\..\Run: [IEACCESS] C:\WINDOWS\System32\surfya.exe -N
O16 – DPF: {30CE93AE-4987-483C-9ABE-F2BD5301AB70} – 64.158.165.49/output/1…surfya.exe

This looks like a mix of the old IEAccess dialers from eGroup and the Derbiz Hijacker I blogged about earlier: http://www.pieter-arntz.info/wordpressblog/?p=21
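One thing in the log that is worth using: the dialer keeps an undo record under HKLM\Software\IEACCESS\restore, one subkey per setting it changed, with the original in "value", the relative registry key in "key" and an "hkey" that is empty in this log. The script below, an added example and not anything from the original post or from the dialer's own uninstaller, walks that record to put the originals back and then drops the IEACCESS Run entry. Two assumptions are mine: an empty "hkey" is taken to mean HKCU (all three recorded keys live under HKCU on a normal system), and an empty stored "value" is taken to mean the value did not exist before, so it is removed rather than written.

```powershell
# Added example, not from the original post. Restores the settings the surfya
# dialer changed, using the dialer's own restore record, then removes its Run
# entry. Run from an elevated prompt.
$restoreRoot = 'HKLM:\Software\IEACCESS\restore'
$runKey      = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue    = 'IEACCESS'

function Resolve-Hive([string]$hkey) {
    # [string] coerces a missing value to '', which the last case handles.
    switch -Regex ($hkey) {
        '^(HKLM|HKEY_LOCAL_MACHINE)$' { return 'HKLM:' }
        '^(HKCU|HKEY_CURRENT_USER)$'  { return 'HKCU:' }
        '^$'                          { return 'HKCU:' }   # assumption: empty hkey = HKCU
        default { throw "Unknown hive '$hkey' in restore record" }
    }
}

if (Test-Path -LiteralPath $restoreRoot) {
    foreach ($rec in Get-ChildItem -LiteralPath $restoreRoot) {
        $p       = Get-ItemProperty -LiteralPath $rec.PSPath
        $setting = $rec.PSChildName          # "Start Page", "InternetProfile", ...
        if ([string]::IsNullOrEmpty($p.key)) {
            # e.g. the DefaultInternet record in the log, which has no key or value
            Write-Warning "$setting : no target key recorded, skipped"
            continue
        }
        $target = Join-Path (Resolve-Hive $p.hkey) $p.key
        if (-not (Test-Path -LiteralPath $target)) {
            Write-Warning "$setting : target key $target missing, skipped"
            continue
        }
        if ([string]::IsNullOrEmpty($p.value)) {
            # assumption: no original recorded means the value did not exist before
            Remove-ItemProperty -LiteralPath $target -Name $setting -ErrorAction SilentlyContinue
            Write-Host "$setting : removed from $target (no original recorded)"
        } else {
            Set-ItemProperty -LiteralPath $target -Name $setting -Value $p.value
            Write-Host "$setting : restored to '$($p.value)' in $target"
        }
    }
} else {
    Write-Warning "No restore record at $restoreRoot"
}

# The dialer's persistence: report the binary it pointed at, then drop the value.
$run = Get-ItemProperty -LiteralPath $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) {
    Write-Host "Run entry pointed at: $($run.$runValue)"
    Remove-ItemProperty -LiteralPath $runKey -Name $runValue
}
```

This does not touch the RAS phonebook entry that dials 08718731247, the dropped executable, or the IEACCESS key itself; remove those separately once the settings are back, and only delete the restore record after you no longer need it.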

Dialer hiding from HijackThis

November 11, 2006 on 4:32 pm | In Malware analysis | No Comments

Originally posted Aug 3 2005, 07:29 PM

EGDAccess aka InstantAccess (pusher of p0rn-dialers) has found a way to hide from HijackThis.

I am not yet exactly sure how they do it, but these lines in the log disappeared as soon as the scan was run with the HijackThis window open, but they do show up if you run HijackThis from the command line (or from a batch file):

O4 – HKLM\..\Run: [bvmgarjxy] c:\windows\system32\bvmgarjxy.exe -start

O4 – HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1061.dll,InstantAccess

O16 – DPF: {FA83E942-B796-46DE-9155-1632ECC5473B} – http://akamai.downloadv3.com/binaries/EGDA…ESS_1061_XP.cab

The filename for the Startup is random.

The easiest way of removal is to click Start > Run, type %Windir%\system32\<random name>.exe -uninstall (once you have found the name) and click OK.
In our example that command would be:

c:\windows\system32\bvmgarjxy.exe -uninstall


Tested the process and ran it from the system32 folder. The file copied itself and started its clone. I did not allow either of the two DLLs it created to do anything, and the process and startup remained visible to HijackThis.

You have to start the process from the command prompt with the -start switch to run the executable. Double-clicking it makes it vanish (except when it is running).
Mosaic1 wrote a script to find the name of the running executable and put that to use together with the -uninstall switch. We are testing a method of removal with this now. Hopefully this will work out.

The uninstall followed by running a BFU script I wrote seems to take care of the infection.
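Mosaic1's script is not reproduced in the post, so here is an added reconstruction of the idea, not the original script: rather than relying on a HijackThis scan, which the dialer blanks while the HijackThis window is open, read the process list and the HKLM Run key directly, match the pattern the post shows (a random-letters .exe in system32 started with -start), and invoke the -uninstall switch on whatever is found. The pattern and the -uninstall switch come from the example lines above, not from independent analysis of the binary; using CIM for process enumeration is my choice.

```powershell
# Added example, not Mosaic1's script. Finds the randomly named EGDACCESS dialer
# by its "-start" command line and its HKLM Run value, then runs "-uninstall".
# Run from an elevated prompt.
$sys32   = [regex]::Escape((Join-Path $env:windir 'system32'))
# assumption: random name is letters only, as in bvmgarjxy.exe in the log
$pattern = '^"?' + $sys32 + '\\([a-z]+\.exe)"?\s+-start\s*$'

function Find-DialerProcess {
    Get-CimInstance Win32_Process | ForEach-Object {
        if ($_.CommandLine -match $pattern) {
            [pscustomobject]@{ Pid = $_.ProcessId; Path = $_.ExecutablePath; Name = $Matches[1] }
        }
    }
}

function Find-DialerRunEntry {
    # Read the Run key ourselves: no HijackThis window involved, nothing to hide from.
    $key = Get-Item -LiteralPath 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($valueName in $key.GetValueNames()) {
        $cmd = [string]$key.GetValue($valueName)
        if ($cmd -match $pattern) {
            [pscustomobject]@{ ValueName = $valueName; Command = $cmd; Name = $Matches[1] }
        }
    }
}

$procs   = @(Find-DialerProcess)
$entries = @(Find-DialerRunEntry)
if (-not $procs -and -not $entries) {
    Write-Host 'No process or Run entry matching the dialer pattern.'
    return
}
$procs   | ForEach-Object { Write-Host "Running: PID $($_.Pid) $($_.Path)" }
$entries | ForEach-Object { Write-Host "Run value '$($_.ValueName)' = $($_.Command)" }

# Use the names found in either place; the post's removal is "<exe> -uninstall".
$names = (@($procs | ForEach-Object Name) + @($entries | ForEach-Object Name)) |
    Where-Object { $_ } | Sort-Object -Unique
foreach ($n in $names) {
    $exe = Join-Path $env:windir "system32\$n"
    if (Test-Path -LiteralPath $exe) {
        Write-Host "Uninstalling via: $exe -uninstall"
        Start-Process -FilePath $exe -ArgumentList '-uninstall' -Wait
    }
}
```

Check both lists against each other: a Run value with no matching process, or the other way round, is itself a sign the hiding has kicked in, and the HKCU "Instant Access" rundll32 entry and the DPF CAB still need to go by hand.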

We have reason to believe that a program called Mailskinner is bundling this dialer now.

Thanks to dvk01 for spotting the connection

Investigation reports to follow …

VX2 plugin.dll aka 2search

November 11, 2006 on 4:28 pm | In Malware analysis | 1 Comment

Originally posted May 21 2005, 02:45 PM

Found by flrman1 here: http://forums.techguy.org/security/362582-solved-loads-rubbish.html#post2613176

Shows in a HijackThis log as:
O1 – Hosts: 69.20.16.183 auto.search.msn.com
O1 – Hosts: 69.20.16.183 search.netscape.com
O1 – Hosts: 69.20.16.183 ieautosearch

O2 – BHO: GoogleCatch.clsIESpy – {4508E20C-ACAD-11D2-9FC0-00550076E06F} – C:\Program Files\2search\plugin.dll
or
O2 – BHO: IEsearch.clsIESpy – {4508E20C-ACAD-11D2-9FC0-00550076E06F} – C:\PROGRAM FILES\2SEARCH\PLUGIN.DLL

Related files:
date.dat = 13 bytes
getst.exe = 28672 bytes
main.exe = 32768 bytes
msnnames.cab = 21634 bytes
this cab holds msnnames.ocx = 43544 bytes
plugin.dll = 53248 bytes
uninstall.exe = 32768 bytes

Uninstall.exe works exceptionally well if you let it connect to the internet; it only leaves the hosts file hijack behind.
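Since the uninstaller leaves the hosts file alone, here is an added example (not code from the post or from 2search) that parses the hosts file, lists every entry mapping a name to a non-loopback address, and flags the IE auto-search names from the O1 lines above; with -Fix it comments those lines out after taking a backup. It assumes the standard hosts path and that the three names in the O1 lines are the ones to look for; extend $searchNames if a log shows others.

```powershell
# Added example, not from the original post. Reports hosts-file entries that
# redirect names away from loopback and cleans up the IE search-assist hijack.
param([switch]$Fix)

$hostsPath   = Join-Path $env:windir 'system32\drivers\etc\hosts'
# names from the O1 lines in the HijackThis log above
$searchNames = @('auto.search.msn.com', 'search.netscape.com', 'ieautosearch')

function Get-HostsHijack([string[]]$Lines) {
    $results = @()
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $line  = $Lines[$i] -replace '#.*$', ''       # strip comments
        $parts = $line.Trim() -split '\s+'
        if ($parts.Count -lt 2 -or $parts[0] -eq '') { continue }
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip)) { continue }
        # 127.x / ::1 and the 0.0.0.0 blackhole form are the only legitimate shapes
        if ([System.Net.IPAddress]::IsLoopback($ip) -or $ip.ToString() -eq '0.0.0.0') { continue }
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $results += [pscustomobject]@{
                LineNumber   = $i + 1
                Address      = $ip.ToString()
                Hostname     = $name
                SearchHijack = ($searchNames -contains $name.ToLower())
            }
        }
    }
    return $results
}

$lines = Get-Content -LiteralPath $hostsPath
$hits  = @(Get-HostsHijack $lines)
if (-not $hits) { Write-Host 'hosts file contains no non-loopback entries.'; return }

$hits | Format-Table LineNumber, Address, Hostname, SearchHijack -AutoSize

if ($Fix) {
    $bad = @($hits | Where-Object SearchHijack | Select-Object -ExpandProperty LineNumber -Unique)
    Copy-Item -LiteralPath $hostsPath -Destination "$hostsPath.bak" -Force
    $fixed = for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($bad -contains ($i + 1)) { "# removed by hosts cleanup: $($lines[$i])" } else { $lines[$i] }
    }
    Set-Content -LiteralPath $hostsPath -Value $fixed -Encoding ASCII
    Write-Host "Commented out $($bad.Count) line(s); backup at $hostsPath.bak"
}
```

Writing to hosts needs an elevated prompt. The check is on "not loopback" rather than on 69.20.16.183, so it also shows the entries a different variant would add; review the table before using -Fix, since some legitimate software adds non-loopback hosts entries too.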

Total Uninstall log

Files
===============
(+)(FOLDER) C:\Program Files\2search
(+)(FOLDER) C:\WINDOWS\system32\feeds
(FOLDER) C:\WINDOWS\system32\drivers\etc
(*)(FILE) hosts
21:17 28-11-04 27748 bytes ==> 14:26 21-05-05 27760 bytes

Registry
===============
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IEsearch.clsIESpy
(+)(REGISTRY VALUE) (Default) = ‘IEsearch.clsIESpy’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\IEsearch.clsIESpy\Clsid
(+)(REGISTRY VALUE) (Default) = ‘{4508E20C-ACAD-11D2-9FC0-00550076E06F}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{4508E20C-ACAD-11D2-9FC0-00550076E06F}
(+)(REGISTRY VALUE) (Default) = ‘IEsearch.clsIESpy’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{4508E20C-ACAD-11D2-9FC0-00550076E06F}\Implemented Categories
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{4508E20C-ACAD-11D2-9FC0-00550076E06F}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{4508E20C-ACAD-11D2-9FC0-00550076E06F}\InprocServer32
(+)(REGISTRY VALUE) (Default) = ‘c:\progra~1\2search\plugin.dll’
(+)(REGISTRY VALUE) ThreadingModel = ‘Apartment’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{4508E20C-ACAD-11D2-9FC0-00550076E06F}\ProgID
(+)(REGISTRY VALUE) (Default) = ‘IEsearch.clsIESpy’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{4508E20C-ACAD-11D2-9FC0-00550076E06F}\Programmable
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{4508E20C-ACAD-11D2-9FC0-00550076E06F}\TypeLib
(+)(REGISTRY VALUE) (Default) = ‘{68E774CB-72D1-4A52-B55B-C0B1011E013B}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\CLSID\{4508E20C-ACAD-11D2-9FC0-00550076E06F}\VERSION
(+)(REGISTRY VALUE) (Default) = ‘3.0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{0EB61AF8-0B15-48B6-A971-1F206F2E3D5E}
(+)(REGISTRY VALUE) (Default) = ‘clsIESpy’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{0EB61AF8-0B15-48B6-A971-1F206F2E3D5E}\ProxyStubClsid
(+)(REGISTRY VALUE) (Default) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{0EB61AF8-0B15-48B6-A971-1F206F2E3D5E}\ProxyStubClsid32
(+)(REGISTRY VALUE) (Default) = ‘{00020424-0000-0000-C000-000000000046}’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\Interface\{0EB61AF8-0B15-48B6-A971-1F206F2E3D5E}\TypeLib
(+)(REGISTRY VALUE) (Default) = ‘{68E774CB-72D1-4A52-B55B-C0B1011E013B}’
(+)(REGISTRY VALUE) Version = ‘3.0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{68E774CB-72D1-4A52-B55B-C0B1011E013B}
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{68E774CB-72D1-4A52-B55B-C0B1011E013B}\3.0
(+)(REGISTRY VALUE) (Default) = ‘IEsearch’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{68E774CB-72D1-4A52-B55B-C0B1011E013B}\3.0\0
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{68E774CB-72D1-4A52-B55B-C0B1011E013B}\3.0\0\win32
(+)(REGISTRY VALUE) (Default) = ‘c:\progra~1\2search\plugin.dll’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{68E774CB-72D1-4A52-B55B-C0B1011E013B}\3.0\FLAGS
(+)(REGISTRY VALUE) (Default) = ‘0’
(+)(REGISTRY KEY) HKEY_CLASSES_ROOT\TypeLib\{68E774CB-72D1-4A52-B55B-C0B1011E013B}\3.0\HELPDIR
(+)(REGISTRY VALUE) (Default) = ‘c:\progra~1\2search’
(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Assembly Developers\TaskGuardian
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4508E20C-ACAD-11D2-9FC0-00550076E06F}
(+)(REGISTRY VALUE) k = ‘k’
(+)(REGISTRY KEY) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2search
(+)(REGISTRY VALUE) DisplayName = ‘Uninstall 2search’
(+)(REGISTRY VALUE) UninstallString = ‘C:\Program Files\2search\uninstall.exe’
(+)(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
(+)(REGISTRY KEY) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4508E20C-ACAD-11D2-9FC0-00550076E06F}
(+)(REGISTRY VALUE) M:\Manege\2search\getst.exe = ‘GetWebFile’
(+)(REGISTRY VALUE) M:\Manege\2search\main.exe = ‘GetWebFile’
