what in the hell is this????
ryko
new york
Ok, check out the little screen grabs below.....
Here's the deal, PC seems to be acting normal....except for the weird renaming of the Documents and Settings folder. I only noticed it when I went to install Spybot v1.3 over the old v1.2........I get an error message saying it can't be done b/c it can't find the Docs and Settings folder. The real folder is fine, and everything is where it is supposed to be. I can't delete the weird renamed folders, b/c it says they are required to run Windows! What a bunch of bs.....
Anyway, in an attempt to remedy this situation, I have updated my NAV definitions (they were only 3 days old before today) and did a full scan with nothing found. I updated definitions and ran all spyware apps, like Spybot S&D v1.2, SpywareBlaster v3.1, Ad-Aware 6.0. Also ran HJT and CWShredder. HJT is clean and CoolWWWSearch was not present. I have also run a couple of trojan/virus removers from majorgeeks.com. All with no success.
The bad thing is that I just did a restart, and the 2nd weird folder appeared. There was only one before.....and now there are 2. System seems normal, but I know this is a trojan of some sort....what can I do?
Please help. Thanks!
Comments
Microsoft (R) DrWtsn32
Copyright (C) 1985-2001 Microsoft Corp. All rights reserved.
Application exception occurred:
App: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe (pid=3172)
When: 5/16/2004 @ 15:20:00.712
Exception number: c0000005 (access violation)
*----> System Information <----*
Computer Name: P4-2800
User Name: rykouris
Terminal Session Id: 0
Number of Processors: 2
Processor Type: x86 Family 15 Model 2 Stepping 9
Windows Version: 5.1
Current Build: 2600
Service Pack: 1
Current Type: Multiprocessor Free
Registered Organization:
Registered Owner: ryan kouris
*----> Task List <----*
0 System Process
4 System
472 smss.exe
532 csrss.exe
564 winlogon.exe
608 services.exe
620 lsass.exe
836 svchost.exe
892 svchost.exe
996 svchost.exe
1024 svchost.exe
1208 spoolsv.exe
1568 Explorer.EXE
1968 navapsvc.exe
436 svchost.exe
492 ULCDRSvr.exe
3700 BT1.EXE
2304 AcroTray.exe
184 NMain.exe
1548 msiexec.exe
3236 LUCOMS~1.EXE
2116 firefox.exe
3356 devldr32.exe
3172 SpybotSD.exe
3124 drwtsn32.exe
*----> Module List <----*
(0000000000400000 - 00000000007ce000: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
(0000000001190000 - 0000000001200000: C:\Program Files\Spybot - Search & Destroy\Tools.dll
(000000005ad70000 - 000000005ada4000: C:\WINDOWS\System32\uxtheme.dll
(000000005c060000 - 000000005c072000: C:\WINDOWS\System32\SrClient.dll
(000000005d300000 - 000000005d380000: C:\WINDOWS\System32\hhctrl.ocx
(000000005edd0000 - 000000005edea000: C:\WINDOWS\System32\olepro32.dll
(0000000061e00000 - 0000000061e1f000: C:\WINDOWS\System32\mapi32.dll
(0000000063000000 - 0000000063096000: C:\WINDOWS\system32\wininet.dll
(00000000692c0000 - 00000000692ee000: C:\WINDOWS\system32\WBEM\framedyn.dll
(0000000070a70000 - 0000000070ad5000: C:\WINDOWS\system32\SHLWAPI.dll
(0000000071950000 - 0000000071a34000: C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
(0000000071aa0000 - 0000000071aa8000: C:\WINDOWS\System32\WS2HELP.dll
(0000000071ab0000 - 0000000071ac5000: C:\WINDOWS\System32\ws2_32.dll
(0000000071b20000 - 0000000071b31000: C:\WINDOWS\system32\mpr.dll
(0000000073000000 - 0000000073023000: C:\WINDOWS\System32\winspool.drv
(00000000732e0000 - 00000000732e5000: C:\WINDOWS\System32\RICHED32.DLL
(0000000074e30000 - 0000000074e9a000: C:\WINDOWS\System32\RICHED20.dll
(0000000075f40000 - 0000000075f5f000: C:\WINDOWS\system32\Apphelp.dll
(00000000762a0000 - 00000000762b0000: C:\WINDOWS\system32\MSASN1.dll
(00000000762c0000 - 0000000076348000: C:\WINDOWS\system32\CRYPT32.dll
(00000000763b0000 - 00000000763f5000: C:\WINDOWS\system32\comdlg32.dll
(0000000076670000 - 0000000076757000: C:\WINDOWS\System32\SETUPAPI.dll
(0000000076b40000 - 0000000076b6c000: C:\WINDOWS\System32\winmm.dll
(0000000076bf0000 - 0000000076bfb000: C:\WINDOWS\System32\PSAPI.dll
(0000000076f90000 - 0000000076fa0000: C:\WINDOWS\System32\Secur32.dll
(0000000077120000 - 00000000771ab000: C:\WINDOWS\system32\oleaut32.dll
(00000000771b0000 - 00000000772d4000: C:\WINDOWS\system32\OLE32.DLL
(00000000773d0000 - 0000000077bc2000: C:\WINDOWS\system32\shell32.dll
(0000000077c00000 - 0000000077c07000: C:\WINDOWS\system32\version.dll
(0000000077c10000 - 0000000077c63000: C:\WINDOWS\system32\MSVCRT.DLL
(0000000077d40000 - 0000000077dcc000: C:\WINDOWS\system32\user32.dll
(0000000077dd0000 - 0000000077e5d000: C:\WINDOWS\system32\ADVAPI32.dll
(0000000077e60000 - 0000000077f46000: C:\WINDOWS\system32\kernel32.dll
(0000000077f50000 - 0000000077ff7000: C:\WINDOWS\System32\ntdll.dll
(0000000078000000 - 0000000078087000: C:\WINDOWS\system32\RPCRT4.dll
(000000007e090000 - 000000007e0d1000: C:\WINDOWS\system32\GDI32.dll
*----> State Dump for Thread Id 0xc48 <----*
eax=00000000 ebx=01c0bbbc ecx=01c53b90 edx=01c53bbb esi=01c0bbbc edi=01034db4
eip=005f47db esp=00bcf80c ebp=00bcf834 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** WARNING: Unable to verify checksum for C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
function: SpybotSD
005f47ba 45 inc ebp
005f47bb f4 hlt
005f47bc 8d55f8 lea edx,[ebp-0x8]
005f47bf e8d46ce1ff call SpybotSD+0xb498 (0040b498)
005f47c4 8d45f8 lea eax,[ebp-0x8]
005f47c7 ba70485f00 mov edx,0x5f4870
005f47cc e82f0ce1ff call SpybotSD+0x5400 (00405400)
005f47d1 8b4df8 mov ecx,[ebp-0x8]
005f47d4 a158116300 mov eax,[SpybotSD+0x231158 (00631158)]
005f47d9 8b00 mov eax,[eax]
FAULT ->005f47db 8b5054 mov edx,[eax+0x54] ds:0023:00000054=????????
005f47de 8b4304 mov eax,[ebx+0x4]
005f47e1 e8da04f8ff call SpybotSD+0x174cc0 (00574cc0)
005f47e6 8b45fc mov eax,[ebp-0x4]
005f47e9 e80a0ce1ff call SpybotSD+0x53f8 (004053f8)
005f47ee 85c0 test eax,eax
005f47f0 753b jnz SpybotSD+0x1f482d (005f482d)
005f47f2 8d45fc lea eax,[ebp-0x4]
005f47f5 50 push eax
005f47f6 8d55ec lea edx,[ebp-0x14]
005f47f9 a1b8176300 mov eax,[SpybotSD+0x2317b8 (006317b8)]
*----> Stack Back Trace <----*
WARNING: Stack unwind information not available. Following frames may be wrong.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
ChildEBP RetAddr Args to Child
00bcf834 004adf53 00bcfe20 01034db4 00000000 SpybotSD+0x1f47db
00bcf86c 004a147f 0049e45c 00499df2 0049e468 SpybotSD+0xadf53
00bcfe3c 00499ac3 01031808 01034db4 00404692 SpybotSD+0xa147f
00bcff80 004a12cc 00bcffb4 00404b0b 00bcffa4 SpybotSD+0x99ac3
00bcffa4 0060d29b 7ffdf000 77f5c294 00bcffe0 SpybotSD+0xa12cc
00bcffc0 77e814c7 70a9f1ab 80000002 7ffdf000 SpybotSD+0x20d29b
00bcfff0 00000000 0060d214 00000000 00000000 kernel32!GetCurrentDirectoryW+0x44
*----> Raw Stack Dump <----*
Application exception occurred:
App: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe (pid=2824)
When: 5/16/2004 @ 15:20:13.619
Exception number: c0000005 (access violation)
*----> Task List <----*
0 System Process
4 System
472 smss.exe
532 csrss.exe
564 winlogon.exe
608 services.exe
620 lsass.exe
836 svchost.exe
892 svchost.exe
996 svchost.exe
1024 svchost.exe
1208 spoolsv.exe
1568 Explorer.EXE
1968 navapsvc.exe
436 svchost.exe
492 ULCDRSvr.exe
3700 BT1.EXE
2304 AcroTray.exe
184 NMain.exe
1548 msiexec.exe
3236 LUCOMS~1.EXE
2116 firefox.exe
3356 devldr32.exe
2824 SpybotSD.exe
3116 drwtsn32.exe
Sorry about the multiple posts, but this is a lot of info....