extreme-virgins.com writes in registry?

Hi,

We used Ad-Aware 6.0 but it did not found anything related to extreme-virgins.com.

We have several citrix servers which now have extreme-virgins.com/anyname.php as default search page. In the log you can clearly see a program has written to the HKEY_LOCAL_MACHINE, which I find very strange because only admin's and the system have write access to these keys. No admin of ours every went to the mention site or something, but on the other hand we can not imagine a user has done this (as he has no rights)

When a user now opens the default search page, a page with a random name (secure.php, main.php, etc) at extreme-virgins.com is opened with the same text (Detected SPYware! System error #384 bla bla bla) This search page also tries to copy/start load.exe to the c:\. This fails because the user has no write access in the root. If an admin does the same, the copy process of load.exe succeeds.

How do we get rid of this anoying sh#t? Delete/reset the registrykeys?

<start of log>
Logfile of HijackThis v1.97.7
Scan saved at 9:49:40, on 2-3-2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Trend\SProtect\SpntSvc.exe
C:\Program Files\Trend\SProtect\StWatchDog.exe
C:\Program Files\Trend\SProtect\StOPP.exe
C:\WINNT\System32\msdtc.exe
d:\dlc\dlc9.1d\bin\AdmSrvc.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
d:\dlc\dlc9.1d\jre\bin\java.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINNT\System32\ctxxmlss.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\mfcom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\compaq\survey\Surveyor.EXE
c:\progra~1\respow~1\cpushld.exe
C:\Program Files\uphclean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\System32\encsvc.exe
C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINNT\System32\sysdown.exe
C:\Program Files\Citrix\Installer\AgentSVC.exe
C:\WINNT\System32\cdmsvc.exe
C:\Program Files\Citrix\Installer\saginst.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\wfshell.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Citrix\system32\icabar.exe
\hk-bia-test-pc\d$\_tools\Anti SpyWare\Hijack This\1.9.7.7\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nt_intra/wbaintra/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/cgi-bin/warning.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/cgi-bin/warning.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/cgi-bin/warning.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/cgi-bin/warning.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/cgi-bin/warning.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'h:\windows\system32\rnr20.dll' missing
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
O17 - HKLM\System\CCS\Services\Tcpip\..\{653D9467-641C-4A41-8970-92E0FAFDDF43}: NameServer = 10.10.3.1,10.10.3.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
<eof>

 

Hi

Keep Hijackthis in a folder of its own.

then check the following entries and press FIX CHECKED

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/cgi-bin/warning.cgi

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/cgi-bin/warning.cgi

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/cgi-bin/warning.cgi

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/cgi-bin/warning.cgi

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/cgi-bin/warning.cgi

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

reboot and post a fresh Hijack log

 

Hi,

Thanks for the fast reply!

We also found another permanent solution!

It appears that extreme-virgins.com uses a flaw in the Microsoft VM succesfully compromise the system.
Ref: Flaw in the Microsoft VM Could Enable System Compromise

We removed/fixed the registry values and we have installed the patch and the flaw is succesfully removed. The site cannot write to/change the registry anymore.

One thing still bothers me though, the site is still able to download and save a file, loader.exe, to the root (c:\), if we are logged in as admin. Logged in as user this copy fails. Let's see if I can find a patch for this....

Thanks anyway!

 

Hi ThePrutser,

Its nice to see you registered

ok here what I found about loader

Process File: loader or loader.exe
Process Name: Loader
Description: Application that hijacks a user?s home page and redirects the browser to coolwwwsearch.com.
Company: N/A
System Process: No
Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
Common Errors: N/A

will you please download CWShredder and unzip it to a folder.
Run the program, close all other windows except it and Run FIX
reboot and post a fresh log
lets see if that works

 

Hi Subratam,

I ran scan and fix and posted both those logs and a fresh log of HijackThis. Just to be sure I post the right log

<Start Of Log>
Logfile of HijackThis v1.97.7
Scan saved at 11:13:03, on 2-3-2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
H:\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Trend\SProtect\SpntSvc.exe
C:\Program Files\Trend\SProtect\StWatchDog.exe
C:\Program Files\Trend\SProtect\StOPP.exe
C:\WINNT\System32\msdtc.exe
d:\dlc\dlc9.1d\bin\AdmSrvc.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
d:\dlc\dlc9.1d\jre\bin\java.exe
C:\WINNT\System32\CpqRcmc.exe
C:\Compaq\vcagent\vcagent.exe
C:\WINNT\System32\ctxxmlss.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\WINNT\System32\mfcom.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
c:\progra~1\respow~1\cpushld.exe
C:\compaq\survey\Surveyor.EXE
C:\Program Files\uphclean\uphclean.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
C:\WINNT\System32\encsvc.exe
C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\WINNT\System32\sysdown.exe
C:\Program Files\Citrix\Installer\AgentSVC.exe
C:\Program Files\Citrix\Installer\saginst.exe
C:\WINNT\System32\cdmsvc.exe
C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\System32\wfshell.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Citrix\system32\icabar.exe
C:\WINNT\System32\ctfmon.exe
\hk-bia-test-pc\d$\_tools\Anti SpyWare\Hijack This\1.9.7.7\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O10 - Broken Internet access because of LSP provider 'h:\windows\system32\rnr20.dll' missing
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
O17 - HKLM\System\CCS\Services\Tcpip\..\{82FA62F3-6880-4A2C-A764-6CA1796315A6}: NameServer = 10.10.3.1,10.10.3.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{DEB659B4-A578-43EE-8A9E-F59B80959967}: NameServer = 10.10.3.1,10.10.3.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
<EOF>

<CWShredder scan only log>
CWShredder v1.52.1 scan only report

Windows 2000 (5.00.2195 SP3)
Windows dir: H:\WINDOWS
Windows system dir: H:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Administrator.WBA\Application Data
Username: administrator
Found Java ByteVerifier patch (Q816093) installed! (Hotfix)

Hosts file not present
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,
Registry value: DefaultPrefix (should be http://) [] http://
Registry value: WWW Prefix (should be http://) [www] http://
Registry value: Mosaic Prefix (should be http://) [mosaic] http://
Registry value: Home Prefix (should be http://) [home] http://
Found Win.ini file: H:\WINDOWS\win.ini (450 bytes, -)
Found System.ini file: H:\WINDOWS\system.ini (439 bytes, -)
<EOF>

<CWShredder Fix Log>
Done!
Removed from your system:
- CWS.Msinfo

Windows 2000 (5.00.2195 SP3)
CWShredder v1.52.1
<EOF>

 

Hi ThePrutser,

I think you're settings for the internet zone are to low, or the site you are visiting should be in the restricted zone.
Read this on how to minimize the risk of infection: http://boards.cexx.org/viewtopic.php?t=957.

Your log looks OK now. I would advise to install SP4 for Win2k as well, and all subsequent updates.

Regards,

Pieter