Cleaning Alcan and some of its friends

November 11, 2006 on 9:37 pm | In Malware analysis | 3 Comments

Originally posted Mar 19 2006, 03:02 PM

This is how the HijackThis log looked before I started:

Logfile of HijackThis v1.99.1
Scan saved at 13:57:23, on 19-3-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\system32\winlog.exe
C:\Program Files\wmplayer\wmplayer.exe
C:\WINDOWS\system32\p2pnetworking.exe
c:\mousepad3.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\UGlldGVy\command.exe
C:\WINDOWS\newfrn.exe
C:\Documents and Settings\Pieter\Bureaublad\HijackThis1991.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Metallicas Window
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 – BHO: (no name) – {6001CDF7-6F45-471b-A203-0225615E35A7} – C:\WINDOWS\DH.dll
O4 – HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 – HKLM\..\Run: [winlog] winlog.exe
O4 – HKLM\..\Run: [newname] c:\\newname3.exe
O4 – HKLM\..\Run: [mousepad] c:\\mousepad3.exe
O4 – HKLM\..\Run: [keyboard] c:\\keyboard3.exe
O4 – HKLM\..\Run: [NewFrn] C:\WINDOWS\newfrn.exe
O4 – HKLM\..\Run: [wmplayer] C:\Program Files\wmplayer\wmplayer.exe /auto
O4 – HKLM\..\Run: [xp] p2pnetworking.exe
O4 – HKLM\..\RunServices: [xp] p2pnetworking.exe
O4 – HKLM\..\RunServices: [winlog] winlog.exe
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 – DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) –
http://update.microsoft.com/windowsupdate/…b?1141475166942
O23 – Service: Command Service (cmdService) – Unknown owner – C:\WINDOWS\UGlldGVy\command.exe
O23 – Service: Network Monitor – Unknown owner – C:\Program Files\Network Monitor\netmon.exe

The next shows how it looked after following the instructions here:
http://www.geekstogo.com/forum/index.php?showtopic=98929

Logfile of HijackThis v1.99.1
Scan saved at 13:59:30, on 19-3-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\UGlldGVy\command.exe
C:\Documents and Settings\Pieter\Bureaublad\HijackThis1991.exe

R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Metallicas Window
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 – HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 – DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) –
http://update.microsoft.com/windowsupdate/…b?1141475166942
O23 – Service: Command Service (cmdService) – Unknown owner – C:\WINDOWS\UGlldGVy\command.exe

Then fixed with HijackThis:
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 – HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 – HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

Then click Start > Run type services.msc > OK
In the list of services find:
Command Service (cmdService)
Rightclick that line and choose Properties.
On the General tab Stop and set the service to disabled.
In HijackThis click Config > Misc Tools > Delete an NT service
In the dialog box paste: cmdService

Installed Ewido and rebooted the computer to do a full scan with Ewido in safe mode

Report:
———————————————————
ewido anti-malware – Scan rapport
———————————————————

+ Gemaakt op: 14:26:34, 19-3-2006
+ Rapport samenvatting: 7DFEA1B3

+ Scan resultaten:

C:\WINDOWS\UGlldGVy\asappsrv.dll -> Adware.CommAd : Schoongemaakt met een backup
C:\WINDOWS\UGlldGVy\command.exe -> Adware.CommAd : Schoongemaakt met een backup
C:\Documents and Settings\Pieter\Cookies\pieter@media.top-banners[1].txt -> TrackingCookie.Top-banners : Schoongemaakt met een backup
C:\Documents and Settings\Pieter\Cookies\pieter@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Schoongemaakt met een backup
C:\Documents and Settings\Pieter\Cookies\pieter@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Schoongemaakt met een backup
HKU\S-1-5-21-1060284298-152049171-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6001CDF7-6F45-471B-A203-0225615E35A7} -> Adware.Generic : Schoongemaakt met een backup
::Einde rapport

Boot back to normal mode and made the final HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 14:57:45, on 19-3-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Documents and Settings\Pieter\Bureaublad\HijackThis1991.exe

R0 – HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 – HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Metallicas Window
R0 – HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 – HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 – DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) –
http://update.microsoft.com/windowsupdate/…b?1141475166942
O23 – Service: ewido security suite control – ewido networks – C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 – Service: ewido security suite guard – ewido networks – C:\Program Files\ewido anti-malware\ewidoguard.exe

All that was left to do was look in the folder C:\bintheredunthat
I found DR140306.exe which is an installer for Adware.DH
So it was safe to delete the entire folder.

3 Comments »

RSS feed for comments on this post. TrackBack URI

  1. Originally posted Mar 19 2006, 06:16 PM

    The bfu-script has been adapted to do this part for you:
    QUOTE

    Then click Start > Run type services.msc > OK
    In the list of services find:
    Command Service (cmdService)
    Rightclick that line and choose Properties.
    On the General tab Stop and set the service to disabled.
    In HijackThis click Config > Misc Tools > Delete an NT service
    In the dialog box paste: cmdService

    Comment by metallica — November 11, 2006 #

  2. Originally posted Apr 17 2006, 12:40 PM

    cd\
    cd bintheredunthat
    dir /x > directory.txt
    start notepad directory.txt

    Copy the code above into notepad and save it as dirlong.bat
    Set Filetype to “All files”
    Start the file by doubleclicking dirlong.bat
    That will open a file called directory.txt
    Post the content of that file.

    Comment by metallica — November 11, 2006 #

  3. cake chocolate

    Trackback by cake chocolate — April 22, 2007 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

Powered by WordPress with Pool theme design by Borja Fernandez.
Entries and comments feeds. Valid XHTML and CSS. ^Top^