extreme-virgins.com writes in registry?

Discussion in 'adware, spyware & hijack cleaning' started by Erik Nettekoven, Mar 2, 2004.

Thread Status:
Not open for further replies.
  1. Hi,

    We used Ad-Aware 6.0 but it did not find anything related to extreme-virgins.com.

    We have several Citrix servers which now have extreme-virgins.com/anyname.php as default search page. In the log you can clearly see a program has written to HKEY_LOCAL_MACHINE, which I find very strange because only admins and the system have write access to these keys. No admin of ours ever went to the mentioned site or something, but on the other hand we cannot imagine a user has done this (as he has no rights).

    When a user now opens the default search page, a page with a random name (secure.php, main.php, etc.) at extreme-virgins.com is opened with the same text (Detected SPYware! System error #384 bla bla bla). This search page also tries to copy/start load.exe to c:\. This fails because the user has no write access in the root. If an admin does the same, the copy process of load.exe succeeds.

    How do we get rid of this annoying sh#t? Delete/reset the registry keys?

    <start of log>
    Logfile of HijackThis v1.97.7
    Scan saved at 9:49:40, on 2-3-2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    H:\WINDOWS\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Trend\SProtect\SpntSvc.exe
    C:\Program Files\Trend\SProtect\StWatchDog.exe
    C:\Program Files\Trend\SProtect\StOPP.exe
    C:\WINNT\System32\msdtc.exe
    d:\dlc\dlc9.1d\bin\AdmSrvc.exe
    C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
    d:\dlc\dlc9.1d\jre\bin\java.exe
    C:\WINNT\System32\CpqRcmc.exe
    C:\Compaq\vcagent\vcagent.exe
    C:\WINNT\System32\ctxxmlss.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\mfcom.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    C:\compaq\survey\Surveyor.EXE
    c:\progra~1\respow~1\cpushld.exe
    C:\Program Files\uphclean\uphclean.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
    C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
    C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
    C:\WINNT\System32\encsvc.exe
    C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
    C:\Program Files\Exchsrvr\bin\exmgmt.exe
    C:\WINNT\System32\sysdown.exe
    C:\Program Files\Citrix\Installer\AgentSVC.exe
    C:\WINNT\System32\cdmsvc.exe
    C:\Program Files\Citrix\Installer\saginst.exe
    C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
    C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\System32\wfshell.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Citrix\system32\icabar.exe
    \hk-bia-test-pc\d$\_tools\Anti SpyWare\Hijack This\1.9.7.7\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nt_intra/wbaintra/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/cgi-bin/warning.cgi
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/cgi-bin/warning.cgi
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/cgi-bin/warning.cgi
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/cgi-bin/warning.cgi
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/cgi-bin/warning.cgi
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Broken Internet access because of LSP provider 'h:\windows\system32\rnr20.dll' missing
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
    O17 - HKLM\System\CCS\Services\Tcpip\..\{653D9467-641C-4A41-8970-92E0FAFDDF43}: NameServer = 10.10.3.1,10.10.3.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
    <eof>
     
  2. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi

    Keep Hijackthis in a folder of its own.

    Then check the following entries and press FIX CHECKED:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/cgi-bin/warning.cgi

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/cgi-bin/warning.cgi

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/cgi-bin/warning.cgi

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/cgi-bin/warning.cgi

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/cgi-bin/warning.cgi

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Reboot and post a fresh HijackThis log.
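The entries subratam lists above are the ones a HijackThis user ticks by hand. The following script is an added example, not code from the thread or from HijackThis: it parses the R0/R1/O6 lines of a HijackThis 1.97-style log and flags every start/search-page value whose host is not on an allowlist, plus any O6 restriction policy, so the same check can be run over logs collected from many Citrix servers. The two log excerpts are constructed, modelled on the logs posted in this thread, and the allowlist host `nt_intra` (the intranet start page in the first log) is an assumption.

```python
"""Audit HijackThis R0/R1/O6 entries against an allowlist of trusted start/search hosts."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed excerpt in HijackThis log format, modelled on the thread's first (infected) log.
INFECTED_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://nt_intra/wbaintra/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://images.only-virgins.com/cgi-bin/warning.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://images.only-virgins.com/cgi-bin/warning.cgi
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://images.only-virgins.com/cgi-bin/warning.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://images.only-virgins.com/cgi-bin/warning.cgi
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://images.only-virgins.com/cgi-bin/warning.cgi
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
"""

# Constructed excerpt modelled on the "fresh log" posted after the fix: values emptied, O6 still present.
CLEANED_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

# Value names under Internet Explorer\Main and \Search that decide where the browser
# goes for its start and search pages; these are exactly what the hijacker rewrote.
BROWSER_TARGET_VALUES = {
    "Start Page", "Search Page", "Default_Search_URL",
    "CustomizeSearch", "SearchAssistant", "Local Page",
}

# Assumed allowlist: the intranet host seen as the HKCU start page in the thread's log.
ALLOWED_HOSTS = {"nt_intra"}


@dataclass
class Finding:
    kind: str     # "hijack" (untrusted start/search host) or "policy" (O6 restriction present)
    line: str     # the raw log line, in the form a user ticks for "Fix checked"
    reason: str


def host_allowed(url, allowed_hosts):
    """True if the URL's host is an allowed host or a subdomain of one."""
    host = urlsplit(url).hostname or ""
    return any(host == h or host.endswith("." + h) for h in allowed_hosts)


def audit_hijackthis_log(text, allowed_hosts=ALLOWED_HOSTS):
    """Return a Finding for each R0/R1 browser target on an untrusted host and each O6 policy."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^(R[01]|O6) - (.*)$", line)
        if not m:
            continue  # process list and other sections are out of scope for this check
        section, rest = m.groups()
        if section == "O6":
            findings.append(Finding("policy", line,
                                    "IE restriction policy present; confirm it is your own (GPO) or fix it"))
            continue
        # "HKLM\...\Main,Start Page = http://..."; the key part never contains "=",
        # so split on the first "=" (a URL in the value may contain more of them).
        key, _, value = rest.partition("=")
        key, value = key.strip(), value.strip()
        if "," not in key:
            continue
        _hive_path, value_name = key.split(",", 1)
        if value_name not in BROWSER_TARGET_VALUES:
            continue  # e.g. ProxyServer is not a browser destination
        if value and not host_allowed(value, allowed_hosts):
            findings.append(Finding("hijack", line,
                                    f"{value_name} points at untrusted host {urlsplit(value).hostname}"))
    return findings


if __name__ == "__main__":
    for name, log in (("infected", INFECTED_LOG), ("cleaned", CLEANED_LOG)):
        print(f"== {name} ==")
        for f in audit_hijackthis_log(log):
            print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

On the infected excerpt the five HKLM start/search values are reported as hijacks while the HKCU intranet start page passes; on the cleaned excerpt only the two O6 policy entries remain, which matches the thread, where the fresh log still shows them after the fix. An empty value is treated as Internet Explorer's default and is not reported.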
     
  3. enettekoven

    enettekoven Registered Member

    Joined:
    Mar 2, 2004
    Posts:
    3
    Location:
    Amsterdam
    Hi,

    Thanks for the fast reply!

    We also found another permanent solution! :D

    It appears that extreme-virgins.com uses a flaw in the Microsoft VM to successfully compromise the system.
    Ref: Flaw in the Microsoft VM Could Enable System Compromise

    We removed/fixed the registry values and we have installed the patch, and the flaw is successfully removed. The site cannot write to/change the registry anymore.

    One thing still bothers :doubt: me though: the site is still able to download and save a file, loader.exe, to the root (c:\) if we are logged in as admin. Logged in as a user this copy fails. Let's see if I can find a patch for this....

    Thanks anyway!
     
  4. subratam

    subratam Registered Member

    Joined:
    Nov 14, 2003
    Posts:
    1,310
    Location:
    Issaquah, WA
    Hi ThePrutser,

    It's nice to see you registered :)

    OK, here is what I found about loader:

    Process File: loader or loader.exe
    Process Name: Loader
    Description: Application that hijacks a user's home page and redirects the browser to coolwwwsearch.com.
    Company: N/A
    System Process: No
    Security Risk ( Virus/Trojan/Worm/Adware/Spyware ): Yes
    Common Errors: N/A

    Will you please download CWShredder and unzip it to a folder.
    Run the program, close all other windows except it, and run FIX.
    Reboot and post a fresh log.
    Let's see if that works.
     
  5. enettekoven

    enettekoven Registered Member

    Joined:
    Mar 2, 2004
    Posts:
    3
    Location:
    Amsterdam
    Hi Subratam,

    I ran scan and fix :eek: and posted both those logs and a fresh log of HijackThis, just to be sure I post the right log :D

    <Start Of Log>
    Logfile of HijackThis v1.97.7
    Scan saved at 11:13:03, on 2-3-2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    H:\WINDOWS\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\System32\termsrv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Trend\SProtect\SpntSvc.exe
    C:\Program Files\Trend\SProtect\StWatchDog.exe
    C:\Program Files\Trend\SProtect\StOPP.exe
    C:\WINNT\System32\msdtc.exe
    d:\dlc\dlc9.1d\bin\AdmSrvc.exe
    C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
    d:\dlc\dlc9.1d\jre\bin\java.exe
    C:\WINNT\System32\CpqRcmc.exe
    C:\Compaq\vcagent\vcagent.exe
    C:\WINNT\System32\ctxxmlss.exe
    C:\WINNT\system32\Dfssvc.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\llssrv.exe
    C:\WINNT\System32\mfcom.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\snmp.exe
    c:\progra~1\respow~1\cpushld.exe
    C:\compaq\survey\Surveyor.EXE
    C:\Program Files\uphclean\uphclean.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\CPQNiMgt\CPQNIMGT.EXE
    C:\WINNT\system32\cpqmgmt\CqMgServ\CqMgServ.EXE
    C:\WINNT\system32\cpqmgmt\cqmgstor\cqmgstor.exe
    C:\WINNT\System32\encsvc.exe
    C:\Program Files\Citrix\System32\Citrix\Ima\ImaSrv.exe
    C:\Program Files\Exchsrvr\bin\exmgmt.exe
    C:\WINNT\System32\sysdown.exe
    C:\Program Files\Citrix\Installer\AgentSVC.exe
    C:\Program Files\Citrix\Installer\saginst.exe
    C:\WINNT\System32\cdmsvc.exe
    C:\WINNT\system32\cpqmgmt\CqMgHost\CQMGHOST.EXE
    C:\WINNT\System32\CPQMGMT\CPQWMGMT.EXE
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\System32\wfshell.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Citrix\system32\icabar.exe
    C:\WINNT\System32\ctfmon.exe
    \hk-bia-test-pc\d$\_tools\Anti SpyWare\Hijack This\1.9.7.7\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:80
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IcaBar] icabar.exe /adminonly
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O10 - Broken Internet access because of LSP provider 'h:\windows\system32\rnr20.dll' missing
    O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
    O17 - HKLM\System\CCS\Services\Tcpip\..\{82FA62F3-6880-4A2C-A764-6CA1796315A6}: NameServer = 10.10.3.1,10.10.3.2
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DEB659B4-A578-43EE-8A9E-F59B80959967}: NameServer = 10.10.3.1,10.10.3.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Woningbedrijf-Amsterdam.nl
    <EOF>

    <CWShredder scan only log>
    CWShredder v1.52.1 scan only report

    Windows 2000 (5.00.2195 SP3)
    Windows dir: H:\WINDOWS
    Windows system dir: H:\WINDOWS\system32
    AppData folder: C:\Documents and Settings\Administrator.WBA\Application Data
    Username: administrator
    Found Java ByteVerifier patch (Q816093) installed! (Hotfix)

    Hosts file not present
    Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
    UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,
    Registry value: DefaultPrefix (should be http://) [] http://
    Registry value: WWW Prefix (should be http://) [www] http://
    Registry value: Mosaic Prefix (should be http://) [mosaic] http://
    Registry value: Home Prefix (should be http://) [home] http://
    Found Win.ini file: H:\WINDOWS\win.ini (450 bytes, -)
    Found System.ini file: H:\WINDOWS\system.ini (439 bytes, -)
    <EOF>

    <CWShredder Fix Log>
    Done!
    Removed from your system:
    - CWS.Msinfo

    Windows 2000 (5.00.2195 SP3)
    CWShredder v1.52.1
    <EOF>
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Hi ThePrutser,

    I think your settings for the Internet zone are too low, or the site you are visiting should be in the Restricted zone.
    Read this on how to minimize the risk of infection: http://boards.cexx.org/viewtopic.php?t=957.

    Your log looks OK now. I would advise installing SP4 for Win2k as well, and all subsequent updates.

    Regards,

    Pieter
     