Security Basics mailing list archives
RE: Idiot_self+trojans+administrative privs = Disaster
From: "Wheeler, Eric" <EWheeler2 () zebra com>
Date: Tue, 5 Dec 2006 15:25:45 -0600
Use CACLS to get access to the system volume folder to delete the specific file. Syntax is as follows: Displays or modifies access control lists (ACLs) of files CACLS filename [/T] [/E] [/C] [/G user:perm] [/R user [...]] [/P user:perm [...]] [/D user [...]] filename Displays ACLs. /T Changes ACLs of specified files in the current directory and all subdirectories. /E Edit ACL instead of replacing it. /C Continue on access denied errors. /G user:perm Grant specified user access rights. Perm can be: R Read W Write C Change (write) F Full control /R user Revoke specified user's access rights (only valid with /E). /P user:perm Replace specified user's access rights. Perm can be: N None R Read W Write C Change (write) F Full control /D user Deny specified user access. Wildcards can be used to specify more that one file in a command. You can specify more than one user in a command. Use the the /G to grant and when finished remove the permissions with /R Example: Cacls /E /G username:F Delete the bad file Cacls /E /R username -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of wymerzp () sbu edu Sent: Friday, December 01, 2006 3:07 PM To: security-basics () securityfocus com Subject: Idiot_self+trojans+administrative privs = Disaster I noticed that my OS (WinXP Media Center Ed. SP2) was acting extrodinarily buggy and throwing several different errors. I had used bittorent and Limewire while running as Administrator (I know,I know, I don't need a lecture of how stupid this was... I was a moron). I wasn't being my usual careful self because I'm going to wipe my comp and install linux. And a new version of WinXP. Anyway, I have a Trojan that I can't seem to get rid of: Trojan.Popuper.Downloader. This is the result of a Scan by Spyware Doctor Scan Results: (edited to just show location) C:\Program Files\BitTorrent\uninstall.exe C:\Program Files\CCleaner\uninst.exe C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP233\A042765 4.exe I attempted to access the C:\System Volume Information... file but it would not allow me to access this; I attepted this because it seemed to continue to instantiate itself after removal and reboot. I was considering running as System permissions to manually uninstall the restore loction, but didn't want to give the Trojan any more power (Administrator is bad enough). On the third time of removing and rebooting the infection is no longer being picked up by Spyware Doctor... My question that I pose to the online community is this: Do you think the infection is actually gone? It seemed to continue to instantiate itself each time, and then suddenly dissapeared. Here is my HijackThis! scan: Logfile of HijackThis v1.99.1 Scan saved at 3:32:46 PM, on 12/1/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.5730.0011) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\ehome\ehtray.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\SPYWAR~1\swdoctor.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe C:\WINDOWS\ehome\RMSvc.exe C:\Program Files\Spyware Doctor\sdhelp.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\ehome\McrdSvc.exe C:\Program Files\Windows Media Connect 2\wmccds.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\System32\alg.exe C:\Program Files\CCleaner\ccleaner.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\AIM95\aim.exe C:\Documents and Settings\Owner.ZachW34EF3E735\Desktop\hijackthis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/mpfplus/en-us/mpfplus7/default.asp?affid=370-9 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll O2 - BHO: (no name) - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file) O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file) O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\RunOnce: [NoIE4StubProcessing] C:\WINDOWS\system32\reg.exe DELETE "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /v "NoIE4StubProcessing" /f O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe O4 - HKCU\..\Run: [Eraser] C:\Documents and Settings\Owner.ZachW34EF3E735\Desktop\Eraser\eraser.exe -hide O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O11 - Options group: [INTERNATIONAL] International* O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/ muweb_site.cab?1159142629587 O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MSHOME O17 - HKLM\Software\..\Telephony: DomainName = MSHOME O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MSHOME O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = MSHOME O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: Abel - oxid.it - C:\Program Files\Cain\Abel.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe O23 - Service: stunnel - Unknown owner - C:\Program Files\stunnel\stunnel.exe" -service -install (file missing) O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmware-authd.exe O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Program Files\VMware\VMware Server\vmserverdWin32.exe O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe Any help will be greatly appreciated. Thanks to all who will respond! Peace, Zach - CONFIDENTIAL- This email and any files transmitted with it are confidential, and may also be legally privileged. If you are not the intended recipient, you may not review, use, copy, or distribute this message. If you receive this email in error, please notify the sender immediately by reply email and then delete this email. --------------------------------------------------------------------------- This list is sponsored by: ByteCrusher Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer. http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect ---------------------------------------------------------------------------
Current thread:
- Idiot_self+trojans+administrative privs = Disaster wymerzp (Dec 04)
- RE: Idiot_self+trojans+administrative privs = Disaster Murda Mcloud (Dec 06)
- Re: Idiot_self+trojans+administrative privs = Disaster Ansgar -59cobalt- Wiechers (Dec 06)
- Re: Idiot_self+trojans+administrative privs = Disaster Bob Jones (Dec 06)
- RE: Idiot_self+trojans+administrative privs = Disaster Wheeler, Eric (Dec 06)
- RE: Idiot_self+trojans+administrative privs = Disaster Wheeler, Eric (Dec 06)
- <Possible follow-ups>
- Re: Idiot_self+trojans+administrative privs = Disaster mrigor (Dec 06)