Recognizing Some Current Infections
The purpose of this page is to help you recognize some infections that may be present on your machine.
To do this, you'll first need to properly download and run HijackThis! (see my homepage for links and instructions) and make a logfile to compare against.
You should always consult the experts about removing any infection from your system!!!
SpyAxe
SpyAxe (and "family") can be recognized by their "trademark" "O2" entry:
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpxxxx.tmp
The "bold" items are usually common to all infections.
The "xxxx" will be replaced with 3 or 4 random alphanumeric characters.
Titan Shield, a new "Spyaxe" variant can be recognized by this entry:
O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll
These may show in your list of "Running processes"
ismon.exe
issearch.exe
isnotify.exe
ishost.exe
These "O21" entries may show:
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINDOWS\System32\yephk.dll (file missing)
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file)
Several programs may show up running from this folder:
C:\Program Files\IntCodec\
For a comprehensive list of possible entries, visit this link:
SmitFraudFix
If you have been a victim of this infection...
FIGHT BACK!!!
Take action!!!
Read this.
Description added: 06/08/06
Updated: 08/12/06
Look2Me
"Look2Me" is recognized by its long, randomly named "O20" entry:
Examples:
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\s288lclu1fq8.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\r4p80e7ueh.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\ir22l5fo1.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\s4pule791h.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\l8l60i3se8.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\lv0809due.dll
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\fpj6031se.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\k862lijo18oc.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ktnml7511.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\ir24l5fq1.dll
There is nothing "common" you can really pin it down to, just a long, randomly named DLL.
Description added: 06/08/06
Updated:
Qoologic Trojan
"Qoologic" is recognized by the "F2" entry hijacks:
Examples:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=userinit.exe,oniqjxa.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kevun.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vadyxyr.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ndmlu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xxtpfck.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\nsbvb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xnhalct.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uhgvc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gcnanes.exe
There will usually be two (2) "F2" hijacks in the log. The first is usually a five letter random EXE. The second, a seven letter random EXE.
Description added: 06/08/06
Updated:
Wareout Trojan
"Wareout" is recognized by the "O17" entry hijacks:
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FEBF950-7A92-45EA-8796-9B122685000A}: NameServer = 85.255.116.46,85.255.112.187
Look at the IP address entries. If they are in this range:
85.255.112.0 - 85.255.127.255
It's a hijack.
Those IP addresses are registered to:
Inhoster hosting company
OOO Inhoster,
Poltavskij Shliax 24,
Kharkiv,
61000,
Ukraine, Russia
There are many other "O4" entries that may, or may not, accompany this infection as well.
Description added: 06/08/06
Updated:
Winfixer (A.K.A. "Vundo", "Winantivirus") Trojan
"Winfixer" (or "Vundo") is normally recognized by an "O2" entry and an "O20" entry with the same DLL name. There may even be more than one pair on an infected system.
They are normally five character, randomly named, DLL files.
The description in the "O2" entry is usually like one of the following examples:
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system\xmlcr.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\ssqpq.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\vtstu.dll
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\pmnli.dll
O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\ssqpn.dll
O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - D:\WINNT\system32\qomnk.dll
O2 - BHO: WTLHelper Object - {BD6CD737-34E1-4864-8697-83EC081F1989} - C:\WINDOWS\system32\qomki.dll
If some attempt has been made at removal, it may look like this:
O2 - BHO: (no name) - {A8536A74-C18A-44CE-945D-1F1BE7E2EDD2} - C:\WINDOWS\system32\vturs.dll
There's a new "Vundo" variant loose. This one "hides" itself from HijackThis! The "O2" and "O20" entries won't appear until you rename Hijackthis.exe to something else (like hjt.exe).
Description added: 06/08/06
Updated: 06/28/06
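The patterns described above for SpyAxe/Titan Shield (the "O2" and "O21" entries), Look2Me ("O20"), Qoologic ("F2"), Wareout ("O17" name servers in 85.255.112.0 - 85.255.127.255) and Winfixer/Vundo (an "O2" and an "O20" entry sharing one DLL) can be checked mechanically against a saved logfile. The Python script below is an added example written for this page; it is not code from the page, from TomCoyote or from HijackThis. The sample log lines embedded in it are constructed from the entries shown on this page (with made-up random names), and the "randomly named DLL" test is my own heuristic (a base name of 8 or more characters mixing letters and digits), not a rule the page states.

```python
"""Flag HijackThis log lines that match the infection patterns described above.

Added example (not from this page or from HijackThis). SAMPLE_LOG is
constructed from the entries shown on the page, with hypothetical random names.
"""
import ipaddress
import re
import sys

# Wareout: NameServer addresses inside 85.255.112.0 - 85.255.127.255 (= 85.255.112.0/20)
WAREOUT_RANGE = ipaddress.ip_network("85.255.112.0/20")

# SpyAxe: an O2 entry named "Nothing" pointing at system32\hpxxxx.tmp (3-4 random characters)
SPYAXE_O2 = re.compile(r"^O2 - BHO: Nothing - \{[0-9a-f-]{36}\} - .*\\hp[0-9a-z]{3,4}\.tmp$", re.I)
# Generic parsers for the HijackThis line types used below
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.+)$", re.I)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9.,]+)$")
O21_MISSING_RE = re.compile(r"^O21 - SSODL: .* - (?:\(no file\)|.*\(file missing\))$")


def looks_random(path):
    """Heuristic (my assumption, not a rule from the page): a DLL base name of 8 or more
    characters that mixes letters and digits, e.g. s288lclu1fq8.dll, is treated as random."""
    base = path.rsplit("\\", 1)[-1].lower()
    stem = base[:-4] if base.endswith(".dll") else base
    return len(stem) >= 8 and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)


def triage(log_text):
    """Return a list of (family, log line) findings for the patterns this page describes."""
    findings = []
    o2_paths, o20_paths = {}, {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if SPYAXE_O2.match(line):
            findings.append(("SpyAxe", line))
        if O21_MISSING_RE.match(line):
            findings.append(("SpyAxe/Titan Shield O21 (file missing)", line))
        m = O2_RE.match(line)
        if m:
            o2_paths[m.group("path").lower()] = line
        m = O20_RE.match(line)
        if m:
            o20_paths[m.group("path").lower()] = line
            if looks_random(m.group("path")):
                findings.append(("Look2Me", line))
        m = F2_RE.match(line)
        if m:
            # Clean values are "Explorer.exe" and "...userinit.exe,"; anything after the comma is the hijack
            extras = [p.strip() for p in m.group("value").split(",")[1:] if p.strip()]
            if extras:
                findings.append(("Qoologic F2 hijack: " + ", ".join(extras), line))
        m = O17_RE.match(line)
        if m:
            for ip in m.group("servers").split(","):
                try:
                    if ipaddress.ip_address(ip.strip()) in WAREOUT_RANGE:
                        findings.append(("Wareout", line))
                        break
                except ValueError:
                    continue  # not a valid address, skip it
    # Winfixer/Vundo: the same DLL appears in both an O2 and an O20 entry
    for path in sorted(set(o2_paths) & set(o20_paths)):
        findings.append(("Vundo/Winfixer", o2_paths[path] + " | " + o20_paths[path]))
    return findings


# Constructed sample log (hypothetical random names, modelled on the entries shown above)
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpa1b2.tmp
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\ssqpq.dll
O20 - Winlogon Notify: ssqpq - C:\WINDOWS\system32\ssqpq.dll
O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\s288lclu1fq8.dll
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINDOWS\System32\yephk.dll (file missing)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vadyxyr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FEBF950-7A92-45EA-8796-9B122685000A}: NameServer = 85.255.116.46,85.255.112.187
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

if __name__ == "__main__":
    # Usage: python hjt_triage.py hijackthis.log   (falls back to the sample log)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for family, line in triage(text):
        print(f"[{family}] {line}")
```

On the sample log the script reports the SpyAxe O2 line, the missing-file O21 line, the long random O20 DLL, both F2 hijacks (the clean UserInit line with only a trailing comma is not flagged), the O17 line whose name servers fall in the Wareout range, and the ssqpq.dll pair as Vundo/Winfixer. Treat its output as a list of lines worth posting for expert review, not as a removal list.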
Dollar Revenue
DollarRevenue is usually installed without the user's consent or notice via a security exploit and is accompanied by additional adware.
DollarRevenue files can access the internet and download so much adware that the computer may become unusable. DollarRevenue has been known to have been installed from the same site as a password stealing trojan.
Some of the files known to have been deposited by this "adware":
(Note: "%Windows%" is your "Windows" folder, typically "C:\Windows\"; "%profile%" would be "C:\Documents and Settings\<INSERT YOUR USER NAME HERE>"; "%DESKTOPDIRECTORY%" would typically be "C:\Documents and Settings\<INSERT YOUR USER NAME HERE>\Desktop")
%DESKTOPDIRECTORY%\harvesting\defender.exe
%profile%\local settings\temp\drsmartload183a.exe
%windows%\aqehgef.exe
%windows%\aqehgefa.exe
%windows%\banmanpro.exe
%windows%\defender1.exe
%windows%\dollar.exe
%windows%\drsmartload45a.exe
%windows%\drsmartload46a.exe
%windows%\drsmartload849a.exe
%Windows%\drsmartload95a.exe
%windows%\enewsletterpro.exe
%windows%\gimmygames.exe
%windows%\gimmygames10a.exe
%windows%\gimmygames9.exe
%windows%\keyboard10.exe
%windows%\keyboard11.exe
%windows%\keyboard12.exe
%windows%\keyboard13.exe
%windows%\keyboard14.exe
%windows%\keyboard15.exe
%windows%\keyboard18.exe
%windows%\keyboard4.exe
%windows%\keyboard5.exe
%windows%\keyboard6.exe
%windows%\keyboard8.exe
%windows%\keyboard9.exe
%windows%\money.exe
%windows%\mousepad11.exe
%windows%\mousepad12.exe
%windows%\mousepad13.exe
%windows%\mousepad14.exe
%windows%\mousepad15.exe
%windows%\mousepad4.exe
%windows%\mousepad5.exe
%windows%\mousepad6.exe
%windows%\mousepad8.exe
%windows%\mousepad9.exe
%windows%\myupdates.exe
%windows%\newname10.exe
%windows%\newname11.exe
%windows%\newname12.exe
%windows%\newname13.exe
%windows%\newname14.exe
%windows%\newname15.exe
%windows%\newname18.exe
%windows%\newname4.exe
%windows%\newname5.exe
%windows%\newname6.exe
%windows%\newname8.exe
%windows%\newname9.exe
%windows%\nxmuma.exe
%windows%\puygb.dll
%windows%\stup3.exe
%windows%\temp\drsmartload482a.exe
%windows%\toolbar.exe
%windows%\winsysban3.exe
3631382d2d2d.exe
c:\defender1.exe
c:\defender19a.exe
c:\defender20.exe
c:\defender24.exe
c:\docume~1\etgtest\locals~1\temp\drsmartload183a.exe
c:\dr140306.exe
c:\drsmartload1.exe
c:\drsmartload45a.exe
c:\drsmartload46a.exe
c:\drsmartload849a.exe
C:\drsmartloadb.exe
c:\gimmygames.exe
c:\gimmygames9.exe
c:\keyboard.exe
c:\keyboard1.exe
c:\keyboard18.exe
c:\keyboard19.exe
c:\keyboard20.exe
c:\keyboard24.exe
c:\keyboard25.exe
c:\keyboard3.exe
c:\mousepad1.exe
c:\mousepad2.exe
c:\mousepad3.exe
c:\newname18.exe
c:\newname19.exe
c:\newname2.exe
c:\newname20.exe
c:\newname24.exe
c:\newname25.exe
c:\newname3.exe
c:\t\ad318b.exe
c:\winsysupd12.exe
defender.exe
defender19.exe
defender20.exe
defender21.exe
defender22.exe
defender23.exe
defender25.exe
defender26.exe
drsmartload.exe
drsmartload1.exe
drsmartload185a.exe
drsmartload197a.exe
drsmartload45a.exe
drsmartload464a.exe
drsmartload95a.exe
gimmygames.exe
gimmysmileys.exe
keyboard14.exe
keyboard16.exe
keyboard17.exe
keyboard19.exe
keyboard21.exe
keyboard22.exe
keyboard23.exe
keyboard7.exe
mousepad10.exe
mousepad14.exe
mousepad16.exe
mousepad17.exe
mousepad18.exe
mousepad7.exe
newname14.exe
newname16.exe
newname17.exe
newname21.exe
newname22.exe
newname23.exe
newname3.exe
newname7.exe
toolbar.exe
Some new file names have started appearing, presumably because of this infection:
C:\kybrd_1.exe
C:\nwnm_1.exe
C:\dfndra_1.exe
C:\kybrdb_2.exe
C:\dfndrb_2.exe
C:\nwnmb_2.exe
TomCoyote (Slaying Spyware Since 2002)