Please help me with Backdoor.Beasty.Family

Discussion in 'malware problems & news' started by Dan1975, Feb 9, 2005.

Thread Status:
Not open for further replies.
  1. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Pieter, here is that right-click file:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    @=""

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu]
    @="{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802}"

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG Shell Extension]
    @="{1E2CDF40-419B-11D2-A5A1-002018648BA7}"

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
    @="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
    @="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
    @="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3]
    @="{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TrojanHunter]
    @="{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\UltraEdit-32]
    @="{b5eedee0-c06e-11cf-8c56-444553540000}"

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR]
    @="{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
    @="{E0D79304-84BE-11CE-9641-444553540000}"

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{27E11846-A7C7-4DF8-8680-63653355A754}]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}]
    @=""

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}]
    @="Start Menu Pin"
     
  2. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    If the AV companies can find this thing on my computer, they are more than welcome to a sample of it if it will help other people from getting infected, but no one as yet seems to be able to find where this thing is hiding. I probably won't be doing the reformat until Saturday, so if anyone can find this thing before then they are more than welcome to a sample of it.
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I thoroughly recommend Acronis True Image. Take a look at the links I gave you regarding security setups.

    First, can you please follow Pieter's instructions to see if we can find this thing.

    Cheers :D

    EDIT: have seen you have done what Pieter asked already ;) :D
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Acronis is a good all-round BU program, but I also use First Defence from www.raxco.com, which allows snapshots and is very easy to use when correcting **** ups when beta testing :)

    Pilli
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I had to look up these two and arrived at:

    "{27E11846-A7C7-4DF8-8680-63653355A754}"="Microsoft Security Extensibility Snap-in"

    "{48F45200-91E6-11CE-8A4F-0080C81A28D4}"="TMD Shell Extension"

    So to the best of my knowledge all of those are accounted for.

    I don't have the part in red of the first one (Win 2k):
    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    @=""

    I think you stated somewhere this happens for some filetypes. Can you tell us if it happens under every user account?

    Regards,

    Pieter
     
  6. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Thanks for the advice, I'll definitely be investing in one of those backup tools when I reinstall. It would have saved me a week of grief trying to get rid of this thing. Anyone have any luck with that right-click file?

    OK, just got that response for the right clicks.

    Ummm, I think I only have one user account on this computer. When I turn it on, it just goes straight into the desktop. I have no option of using a different account. I think it is called Dan and has administrator access.

    Is that what you meant?
     
  7. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    Sorry, missed your other question. It pretty much happens when I right-click any file. The only time it doesn't happen is when I right-click in IE to open links in new windows etc. or when I right-click something down in the taskbar.

    It also doesn't happen when I right-click in Notepad to copy/paste etc.
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    OK. So only the standard Windows accounts + your own. Then there is one more registry export I'd like to see:

    Click Start > Run > type or copy&paste the part in bold:
    regedit /e c:\explorun.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run" > OK

    This time the file will be called (you guessed it ;) ) c:\explorun.txt

    Regards,

    Pieter
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Oh, don't worry if you can't find the explorun.txt
    If the registry key is empty, no file will be created.

    Regards,

    Pieter
     
  10. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    I was just about to say that I can't find it! Hehe. Thanks for that. Any more ideas or is it time to give up and wipe the slate clean?
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    One more idea:

    • Download finditnt2000xp.zip.
    • Unzip the contents of finditnt2000xp.zip to a convenient location on your active drive (usually C).
    • Navigate to the Find It NT-2K-XP folder and double-click on find.bat.
    • A command prompt will open and it will search your computer for malicious files.
    • Once it has finished (this can take a looooooooong time) a Notepad window will pop up with output.txt.
    • Copy the entire contents of output.txt into your next post.

    Regards,

    Pieter
     
  12. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    OK, I'm off to bed so I might try that one and keep it running while I sleep if it takes a while. I'll let you know how I go and post that log.
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    No problem. I'll have a look tomorrow.

    ~enables email notification~

    REgardS,

    pieTer
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I found another key in the registry where the rightclick-association could be hiding:

    Click Start > Run > type or copy&paste the part in bold:
    regedit /e c:\rightclick2.txt "HKEY_CLASSES_ROOT\AllFileSystemObjects\shellex\contextmenuhandlers" > OK

    Post the content of c:\rightclick2.txt

    Regards,

    Pieter
     
  15. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    OK, here is the first one:

    Warning! This utility will find legitimate files in addition to malware.
    Do not remove anything unless you are sure you know what you're doing.

    Find.bat is running from: C:\WINDOWS\system32

    ------- System Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 0CC0-2E2E

    Directory of C:\WINDOWS\System32

    02/09/2005 10:24 PM 103,574 mslg.blf
    02/09/2005 09:50 PM <DIR> dllcache
    10/07/2004 05:09 PM <DIR> Microsoft
    1 File(s) 103,574 bytes
    2 Dir(s) 69,232,111,616 bytes free

    ------- Hidden Files in System32 Directory -------

    Volume in drive C has no label.
    Volume Serial Number is 0CC0-2E2E

    Directory of C:\WINDOWS\System32

    02/09/2005 09:50 PM <DIR> dllcache
    02/06/2005 05:11 PM 4,212 zllictbl.dat
    10/07/2004 04:59 PM 488 WindowsLogon.manifest
    10/07/2004 04:59 PM 488 logonui.exe.manifest
    10/07/2004 04:59 PM 749 sapi.cpl.manifest
    10/07/2004 04:59 PM 749 nwc.cpl.manifest
    10/07/2004 04:59 PM 749 ncpa.cpl.manifest
    10/07/2004 04:59 PM 749 wuaucpl.cpl.manifest
    10/07/2004 04:59 PM 749 cdplayer.exe.manifest
    8 File(s) 8,933 bytes
    1 Dir(s) 69,232,107,520 bytes free

    ------------ Files Named "Guard" ---------------

    Volume in drive C has no label.
    Volume Serial Number is 0CC0-2E2E

    Directory of C:\WINDOWS\System32


    ------ Temp Files in System32 Directory ------

    Volume in drive C has no label.
    Volume Serial Number is 0CC0-2E2E

    Directory of C:\WINDOWS\System32

    08/23/2001 11:00 PM 2,577 CONFIG.TMP
    01/18/2000 08:04 AM 11 tscrip22.tmp
    2 File(s) 2,588 bytes
    0 Dir(s) 69,232,107,520 bytes free

    ------------------ User Agent ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    "SV1"=""


    ------------- Keys Under Notify -------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
    "Logoff"="ChainWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
    "Asynchronous"=dword:00000000
    "Impersonate"=dword:00000000
    "DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
    "Logoff"="CryptnetWlxLogoffEvent"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
    "DLLName"="cscdll.dll"
    "Logon"="WinlogonLogonEvent"
    "Logoff"="WinlogonLogoffEvent"
    "ScreenSaver"="WinlogonScreenSaverEvent"
    "Startup"="WinlogonStartupEvent"
    "Shutdown"="WinlogonShutdownEvent"
    "StartShell"="WinlogonStartShellEvent"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
    "DLLName"="wlnotify.dll"
    "Logon"="SCardStartCertProp"
    "Logoff"="SCardStopCertProp"
    "Lock"="SCardSuspendCertProp"
    "Unlock"="SCardResumeCertProp"
    "Enabled"=dword:00000001
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "StartShell"="SchedStartShell"
    "Logoff"="SchedEventLogOff"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
    "Logoff"="WLEventLogoff"
    "Impersonate"=dword:00000000
    "Asynchronous"=dword:00000001
    "DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
    "DLLName"="WlNotify.dll"
    "Lock"="SensLockEvent"
    "Logon"="SensLogonEvent"
    "Logoff"="SensLogoffEvent"
    "Safe"=dword:00000001
    "MaxWait"=dword:00000258
    "StartScreenSaver"="SensStartScreenSaverEvent"
    "StopScreenSaver"="SensStopScreenSaverEvent"
    "Startup"="SensStartupEvent"
    "Shutdown"="SensShutdownEvent"
    "StartShell"="SensStartShellEvent"
    "PostShell"="SensPostShellEvent"
    "Disconnect"="SensDisconnectEvent"
    "Reconnect"="SensReconnectEvent"
    "Unlock"="SensUnlockEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
    "Asynchronous"=dword:00000000
    "DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
    "Impersonate"=dword:00000000
    "Logoff"="TSEventLogoff"
    "Logon"="TSEventLogon"
    "PostShell"="TSEventPostShell"
    "Shutdown"="TSEventShutdown"
    "StartShell"="TSEventStartShell"
    "Startup"="TSEventStartup"
    "MaxWait"=dword:00000258
    "Reconnect"="TSEventReconnect"
    "Disconnect"="TSEventDisconnect"

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
    "DLLName"="wlnotify.dll"
    "Logon"="RegisterTicketExpiredNotificationEvent"
    "Logoff"="UnregisterTicketExpiredNotificationEvent"
    "Impersonate"=dword:00000001
    "Asynchronous"=dword:00000001


    ------------- Locate.com Results -------------

    -------- Strings.exe Qoologic Results --------


    --------- Strings.exe Aspack Results ---------

    C:\WINDOWS\system32\ntdll.dll: .aspack

    -------------- HKLM Run Key ----------------

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
    "SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "VOBRegCheck"="C:\\WINDOWS\\System32\\VOBREGCheck.exe -CheckReg"
    "LaunchList"="C:\\Program Files\\Pinnacle\\Studio 9\\LaunchList.exe"
    "gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
    "pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2005\\pccguide.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"


    I'll just run that second one Now.
     
  16. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    And here is right click 2:

    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\AllFileSystemObjects\shellex\contextmenuhandlers]

    [HKEY_CLASSES_ROOT\AllFileSystemObjects\shellex\contextmenuhandlers\Send To]
    @="{7BA4C740-9E81-11CF-99D3-00AA004AE837}"
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    This is the file you will want to use Killbox on:

    C:\WINDOWS\System32\mslg.blf

    Make sure to check the "End Explorer Shell While Killing File" option.

    Keep us posted on your progress.

    Regards,

    Pieter
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    And two more registry exports I'd like you to do:

    Click Start > Run > type or copy&paste the part in bold:
    regedit /e c:\beast.txt "HKEY_CLASSES_ROOT\BeastFile" > OK

    Click Start > Run > type or copy&paste the part in bold:
    regedit /e c:\beast1.txt "HKEY_CLASSES_ROOT\BeastFile1" > OK

    Regards,

    Pieter
     
    Last edited: Feb 11, 2005
  19. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    OK,

    Deleted that file using Killbox. Still have same problem. No effect.

    I have tried running those registries also. No file was saved to the C drive where all the other ones went so I am assuming they don't exist. Is this correct? Or would they have saved somewhere else?

    I hate to admit it but it seems like the virus has won. I wish we could have beaten this thing if not to help myself but to help others who may get this version of the virus. I also just wish AV programs did what they purport to be able to do. Oh well, looking like reformat time soon unless anyone has any fresh ideas??
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Did you check if mslg.blf is really gone?

    Also check if the folder C:\!Submit was created by Killbox.
    I would very much like to get my hands on what it contains and have it compared to earlier/other versions of Backdoor.Beasty.

    Let us know,

    Pieter
     
  21. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    I checked and it looks as though that file was deleted by Killbox. It did actually create that !Submit folder as you thought.
     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    One more idea.

    Can you check if you have a C:\Windows\Command folder?

    If so, list the files that are in it. In case there are a lot, limit it to the executable files and filenames that start with ms.

    Regards,

    Pieter
     
  23. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    I don't have that folder but you are more than welcome to the !submit folder if you want it!
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Great. Zip it up if you know how and send it to pieterATwilderssecurity.org (replace AT with @)

    If I find something that might help remove this pest, I'll let you know asap.

    Regards,

    Pieter
     
  25. Dan1975

    Dan1975 Registered Member

    Joined:
    Feb 9, 2005
    Posts:
    30
    Location:
    Sydney, Australia
    OK,

    I have mailed that folder to you. I think I have done it right. Hope it comes through OK. Hopefully you won't infect your own system!!

    Dan.
     