
Thread: FProps.vbs.vir

  1. #21
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi


    Save the text below as fix.reg in Notepad (save it as all files (*.*)) on the Desktop.

    Code:
    REGEDIT4
    
    [HKEY_USERS\S-1-5-21-1060284298-1336601894-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
    "001"=-
    
    [HKEY_USERS\S-1-5-21-1060284298-1336601894-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
    "000"=-
    It should look like this ->

    Double-click fix.reg, press Yes and OK.

    (In case you are unsure how to create a reg file, take a look here with screenshots.)




    • Download Registrar Lite from here and install it.
    • Start Registrar Lite.
    • Type this into the Address field and click OK: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL\0000
    • Right-click that key and choose Properties. Click "Take ownership".
    • Right-click that key again and choose Delete.
    • Repeat the process for these key(s):
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TFKNYKL
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL\0000
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_TFKNYKL
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL\0000
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TFKNYKL
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW\0000
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PEXWYXYBWW
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW\0000
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PEXWYXYBWW
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW\0000
      HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_PEXWYXYBWW



    After that, run the registry search tool in the same way as the two previous times. Post back the results.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
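A .reg file is merged with a double-click and there is no preview of what it will change, so it pays to read it before applying it. The following parser is an added example for this thread, not code from the post or from any tool the helper used: it reads the REGEDIT4 / "Windows Registry Editor Version 5.00" text format and lists, per key, which values would be set or deleted and which keys would be removed. FIX_REG reproduces the fix.reg from the post as a constructed string; the summary confirms the file only deletes the two ACMru search-history values and touches nothing else.

```python
"""Summarize what a .reg file would do before merging it.

Added example for this thread (not part of the original post). Parses the
REGEDIT4 / "Windows Registry Editor Version 5.00" text format and reports,
per key, which values would be set or deleted and which keys removed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                      # [path] or [-path]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data


@dataclass
class KeyAction:
    path: str
    delete_key: bool = False
    set_values: dict[str, str] = field(default_factory=dict)   # name -> raw data text
    delete_values: list[str] = field(default_factory=list)     # names whose data is "-"


def parse_reg(text: str) -> list[KeyAction]:
    """Parse .reg text into key actions in file order.

    Handles the header check, ';' comments, blank lines, [-key] deletions,
    "name"=- value deletions, @ for the default value, and the backslash
    line continuation used by hex(...) data. Anything else raises.
    """
    lines = text.splitlines()
    header = lines[0].strip() if lines else ""
    if header not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("not a .reg file: missing REGEDIT4 / Registry Editor header")
    actions: list[KeyAction] = []
    current: KeyAction | None = None
    pending = ""  # accumulates a backslash-continued value line
    for raw in lines[1:]:
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\"):          # hex data continues on the next line
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            current = KeyAction(path=m.group(2), delete_key=(m.group(1) == "-"))
            actions.append(current)
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {line!r}")
        name = "(Default)" if m.group(1) is None else m.group(1)
        data = m.group(2).strip()
        if data == "-":
            current.delete_values.append(name)
        else:
            current.set_values[name] = data
    if pending:
        raise ValueError("file ends inside a continued line")
    return actions


def summarize(actions: list[KeyAction]) -> list[str]:
    """One human-readable line per effect, in file order."""
    out: list[str] = []
    for a in actions:
        if a.delete_key:
            out.append(f"DELETE KEY   {a.path}")
        for name in a.delete_values:
            out.append(f"DELETE VALUE {a.path}\\{name}")
        for name, data in a.set_values.items():
            out.append(f"SET VALUE    {a.path}\\{name} = {data}")
    return out


# The fix.reg from the post, reproduced here as a constructed string.
FIX_REG = r"""REGEDIT4

[HKEY_USERS\S-1-5-21-1060284298-1336601894-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"001"=-

[HKEY_USERS\S-1-5-21-1060284298-1336601894-839522115-1003\Software\Microsoft\Search Assistant\ACMru\5603]
"000"=-
"""

if __name__ == "__main__":
    for line in summarize(parse_reg(FIX_REG)):
        print(line)
```

Run it on any .reg file you are about to merge; a `DELETE KEY` line or a `SET VALUE` under a Run, Services or Winlogon key in a file that was supposed to only clear search history is the kind of thing this check is meant to surface.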

  2. #22
    Junior Member (Join Date: Sep 2007; Posts: 17)

    I installed and ran the registry program you told me to. Just looking around my HKLM I saw the security section in red.... it's locked. I can't export it, or change it, or view permissions.

    I decided to right-click on properties of HKLM and this is where the first insight into my problem is. The computer has been programmed to enumerate the HKLM/security when anyone tries to alter it.

    When I pressed the 'contents' tab, my computer started enumerating the content amounts, and wouldn't stop. Then I closed the tab, and reopened it again, and it started from low number again, enumerating how many contents were in HKLM.

    Here is a list of services that are on my computer.

    lol.

    WZCSVC
    Workstation
    WindowsMedia
    Windows Update Agent
    Windows Script Host
    Windows Installer 3.1
    Windows File Protection
    Win32k
    W32Time
    viaide
    VgaSave
    USER32
    ultra
    udfs
    toside
    TermServSessDir
    TermService
    TermServDevices
    TermDD
    tdi
    TCPMon
    Tcpip
    System Error
    sym_u3
    sym_hi
    symc8xx
    symc810
    StillImage
    SSDPSRV
    Srv
    srservice
    sr
    sparrow
    sndblst
    Simbad
    SideBySide
    sfloppy
    Setup
    Service Control Manager
    Server
    serial
    scsiport
    Schedule
    Schannel
    SCardSvr
    Save Dump
    SAM
    RSVP
    Removable Storage Service
    RemoteAccess
    redbook
    Rdbss
    RasMan
    RasAuto
    ql1280
    ql1240
    ql12160
    ql10wnt
    ql1080
    PSched
    Processor
    Print
    PptpMiniport
    PolicyAgent
    PlugPlayManager
    perc2
    pcmcia
    pciide
    pci
    parvdm
    partmgr
    parport
    OSPFMib
    OSPF
    NVENETFD
    nvata
    nv
    null
    NtServicePack
    ntfs
    npfs
    Nla
    Netlogon
    NetDDE
    NetBT
    NetBIOS
    NdisWan
    ndis
    Mup
    msfs
    msadlib
    MrxSmb
    MRxDAV
    mraid35x
    mouhid
    mouclass
    Modem
    LsaSrv
    LmHosts
    LDMS
    LDM
    lbrtfdc
    Kerberos
    kbdclass
    isapnp
    IPXSAP
    IPXRouterManager
    IPXRIP
    IPXCP
    IPSec
    IPRouterManager
    IPRIP2
    IPNATHLP
    IPMGM
    IPBOOTP
    intelide
    ini910u
    IGMPv2
    i8042prt
    i2omp
    i2omgmt
    Http
    hpn
    ftdisk
    fs_rec
    flpydisk
    Fips
    fdc
    fastfat
    eventlog
    efs
    dpti2o
    Dnscache
    Dnsapi
    dmio
    dmboot
    Distributed Link Tracking Client
    disk
    Dhcp
    DfsSvc
    DfsDriver
    DCOM
    dac960nt
    dac2w2k
    cpqarray
    cmdide
    changer
    cdrom
    Cdm
    cdfs
    cdaudio
    cd20xrnt
    cbidf2k
    Browser
    BITS
    avgntflt
    Atmarpc
    atdisk
    atapi
    AsyncMac
    asc3550
    asc3350p
    asc
    Application Popup
    apphelp
    amsint
    ami0nt
    AmdK8
    aliide
    aic78xx
    aic78u2
    aha154x
    adpu160m
    acpiec
    acpi
    abp480n5
    abiosdsk
    System

    a lot of bad ones......

    I think that you are right. There is no rootkit on this computer. I believe that all that I have now is a script that is constantly running (doesn't accept shutdowns) and this script does a checks-and-balances system by putting a little piece of itself in lots of places on the hard drive so it doesn't get taken down.

    I was reading about such Kernel attacks on Nvidia motherboard systems. That is where I got the idea above.

  3. #23
    Junior Member (Join Date: Sep 2007; Posts: 17)

    That registry program had the "Take ownership" button grayed out. So, I used regedit to take ownership and then delete the keys manually.
    _________________________________________


    Registry search results for string "TFKNYKL" 10/1/2007 5:53:08 PM

    "HKU\\S-1-5-18"="address=HKU\\S-1-5-18[::]category=SIDS[::]description=User profile for NT AUTHORITY\\SYSTEM[::]color=1"
    @="description=HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_TFKNYKL"

    And

    0 PEXWYXYBWW found

  4. #24
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi

    Could you run Registry search tool again?

  5. #25
    Junior Member (Join Date: Sep 2007; Posts: 17)

    ; Registry search results for string "TFKNYKL" 10/2/2007 12:49:51 PM

    "HKU\\S-1-5-18"="address=HKU\\S-1-5-18[::]category=SIDS[::]description=User profile for NT AUTHORITY\\SYSTEM[::]color=1"
    @="description=HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\Root\\LEGACY_TFKNYKL"
    ______________________________________

    No instances of PEXWYXYBWW found.

  6. #26
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi

    That's ok now. To comment on that service list you posted earlier: those are legal.

  7. #27
    Junior Member (Join Date: Sep 2007; Posts: 17)

    Hey Blade.

    I restarted my computer yesterday, and it wouldn't startup.

    I re-installed windows, and I think I am glad I did so.

    I decided to use the following programs for protection this time around:

    Spybot
    F-Secure Internet Security 2008
    AdawareSE Personal

    _______________________________________

    Right at the windows installation blue screen, my computer started auditing again, just like it had never blinked.

    I do have something on my computer.

    I found a program called Flister from

    http://www.invisiblethings.org/tools.html

    I had run a gmer scan while I was in the middle of an F-Secure scan, and I found something very hidden.

    (This is from the gmer log)

    HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
    dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
    its@CLSID = C:\WINDOWS\System32\itss.dll
    lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
    livecall@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
    mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
    ms-its@CLSID = C:\WINDOWS\System32\itss.dll
    msnim@CLSID = C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
    tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
    wia@CLSID = C:\WINDOWS\System32\wiascr.dll

    The Flister program allowed me to navigate in dos to:

    C:\Program Files\Windows NT>flister c:\progra~1\window~4
    ZwQueryDirFile at addr 0x7c90df5e
    directory dump:
    ---------------------
    .
    ..
    installer
    Messenger

    Those 2 directories are hidden, and I have all hidden files showing.

    So, here are the 2 directories, and their contents:

    C:\Program Files\Windows NT>flister c:\progra~1\window~4\messen~1\
    ZwQueryDirFile at addr 0x7c90df5e
    directory dump:
    ---------------------
    .
    ..
    abssm.dll
    contact.dll
    contactsUX.dll
    custsat.dll
    Device Manager
    dfsr.dll
    ErrorResponse.xml
    fsshext.8.5.1288.0816.dll
    highcont.thm
    htc.dll
    lcapi.dll
    lcres.dll
    license.rtf
    livecall.exe
    lmcdata.dll
    MessengerClient.dll
    msgrapp.8.5.1288.0816.dll
    msgrvsta.thm
    msgsc.8.5.1288.0816.dll
    msgslang.8.5.1288.0816.dll
    msgsres.dll
    msgswcam.dll
    msidcrl40.dll
    msncore.dll
    msnmsgr.exe
    msvs.exe
    msvsConfig2.xml
    msvsui.dll
    newalert.wma
    newemail.wma
    nudge.wma
    online.wma
    outgoing.wma
    pcsexeps.dll
    phone.wma
    psmsong.8.5.1288.0816.dll
    RTMPLTFM.dll
    softphone.dll
    softphoneps.dll
    softphoneres.dll
    type.wma
    usnsvc.exe
    usnsvcps.dll
    vimdone.wma
    wmaecdmort.dll
    wmp8stub.dll
    wmv9vcm.dll

    C:\Program Files\Windows NT>flister c:\progra~1\window~4\instal~1\
    ZwQueryDirFile at addr 0x7c90df5e
    directory dump:
    ---------------------
    .
    ..
    Dashboard.exe
    DashboardLoc.dll
    DashboardRes.dll
    Dashboard_en.cat
    hc.thm
    Microsoft.VC80.CRT.manifest
    msvcr80.dll
    SqmApi.dll
    UXCore.dll
    WLSetupSvc.exe

    Some of those files have come up as bad in google search.

    What do you think?
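The flister output in the post is a low-level directory view: the tool prints the address of the directory call it goes through (ZwQueryDirFile) and dumps what that call returns. A file-hiding rootkit works by filtering the ordinary, higher-level view, so the indicator is an entry that appears in the low-level dump but is missing from a normal listing of the same folder; an entry that shows up in both views, like the `installer` and `Messenger` directories here, is just an ordinary directory. The following is an added example for this thread, not code from the post or from the Flister tool: it parses a flister dump and reports only the entries a normal listing lacks. FLISTER_DUMP reproduces the post's output; the two "normal" listings are constructed for the demonstration.

```python
"""Cross-view check of a flister directory dump.

Added example for this thread; not part of the original post and not code
from the Flister tool. Reports entries present in the low-level dump but
absent from a normal directory listing, which is the actual hiding signal.
"""

# flister output reproduced from the post.
FLISTER_DUMP = r"""C:\Program Files\Windows NT>flister c:\progra~1\window~4
ZwQueryDirFile at addr 0x7c90df5e
directory dump:
---------------------
.
..
installer
Messenger
"""

# Constructed: what a normal (dir / Explorer) listing of the same folder shows.
NORMAL_LISTING = ["Installer", "Messenger"]
# Constructed: a normal listing from which one entry has been filtered out.
FILTERED_LISTING = ["Messenger"]


def parse_flister_dump(text: str) -> list[str]:
    """Return entry names from the 'directory dump:' section, without '.' and '..'."""
    lines = [l.strip() for l in text.splitlines()]
    if "directory dump:" not in lines:
        raise ValueError("no 'directory dump:' section in flister output")
    names = []
    for s in lines[lines.index("directory dump:") + 1:]:
        if not s or set(s) == {"-"} or s in (".", ".."):
            continue  # blank line, the dashed rule, or the self/parent entries
        names.append(s)
    return names


def hidden_entries(low_level: list[str], normal: list[str]) -> list[str]:
    """Entries the low-level view reports that the normal view lacks.

    Windows file names are case-insensitive, so compare case-folded;
    otherwise 'installer' vs 'Installer' would be a false positive.
    """
    visible = {n.casefold() for n in normal}
    return sorted(n for n in low_level if n.casefold() not in visible)


if __name__ == "__main__":
    low = parse_flister_dump(FLISTER_DUMP)
    print("low-level view:", low)
    print("hidden vs normal listing:", hidden_entries(low, NORMAL_LISTING))      # []
    print("hidden vs filtered listing:", hidden_entries(low, FILTERED_LISTING))  # ['installer']
```

In practice the "normal" list would come from a plain `dir` of the same folder run at the same time; an empty result, as with the post's two directories, means nothing is being hidden from that view.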

  8. #28
    Blade81, Security Expert: Emeritus (Join Date: Oct 2006; Location: Finland; Posts: 25,288)

    Hi

    As I've tried to tell you, there isn't any malware in your system. Of course I can't say if there are some other problems, but anyway it's out of our scope. We concentrate only on malware removal here. You could ask at PCPitstop.

  9. #29
    Junior Member (Join Date: Sep 2007; Posts: 17)

    Ok, thanks blade.

    I'll come back and give you an update when I find this rootkit/virus/whatever.

  10. #30
    tashi, Member of Team Spybot (Join Date: Oct 2005; Location: USA; Posts: 30,965)

    This topic has been moved to archives.

    Regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
