Security/Hacking Mod | Join Date: Jan 2005 | Location: USA | Posts: 25,416
Recognizing Some Current Infections

The purpose of this page is to help you recognize some infections that may be present on your machine. To do this, you'll first need to properly download/run HijackThis! (see my homepage for links and instructions) and make a logfile for you to compare to. You should always consult the experts about removing any infection from your system!!!

SpyAxe

SpyAxe (and "family") can be recognized by their "trademark" "O2" entry:

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpxxxx.tmp

The "bold" items are usually common to all infections. The "xxxx" will be replaced with 3 or 4 random alphanumeric characters.

Titan Shield, a new "SpyAxe" variant, can be recognized by this entry:

O2 - BHO: adobepnl.ADOBE_PANEL - {5E8FA924-DEF0-4E71-8A82-A11CA0C1413B} - C:\WINDOWS\system32\adobepnl.dll

These may show in your list of "Running processes":

ismon.exe
issearch.exe
isnotify.exe
ishost.exe

These "O21"s may show:

O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINDOWS\System32\yephk.dll (file missing)
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
O21 - SSODL: cinnamomum - {93ac7c30-3878-4eaa-9420-7977285df5b1} - (no file)

Several programs may show up running from this folder:

C:\Program Files\IntCodec\

For a comprehensive list of possible entries, visit this link: SmitFraudFix

If you have been a victim of this infection... FIGHT BACK!!! Take action!!! Read this.

Description added: 06/08/06 Updated: 08/12/06

Look2Me

"Look2Me" is recognized by its long, randomly named "O20" entry. Examples:

O20 - Winlogon Notify: BITS - C:\WINDOWS\system32\s288lclu1fq8.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\r4p80e7ueh.dll
O20 - Winlogon Notify: Internet Settings - C:\WINDOWS\system32\ir22l5fo1.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\s4pule791h.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\l8l60i3se8.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\lv0809due.dll
O20 - Winlogon Notify: Extensions - C:\WINDOWS\system32\fpj6031se.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\k862lijo18oc.dll
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\ktnml7511.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\ir24l5fq1.dll

Nothing "common" you can really "pin it down" to. Just a long, randomly named DLL.

Description added: 06/08/06 Updated:

Qoologic Trojan

"Qoologic" is recognized by the "F2" entry hijacks. Examples:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=userinit.exe,oniqjxa.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\kevun.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vadyxyr.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ndmlu.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,xxtpfck.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\nsbvb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,xnhalct.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uhgvc.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gcnanes.exe

There will usually be two (2) "F2" hijacks in the log. The first is usually a five-letter random EXE. The second, a seven-letter random EXE.

Description added: 06/08/06 Updated:

Wareout Trojan

"Wareout" is recognized by the "O17" entry hijacks:

O17 - HKLM\System\CCS\Services\Tcpip\..\{3FEBF950-7A92-45EA-8796-9B122685000A}: NameServer = 85.255.116.46,85.255.112.187

Look at the IP address entries. If they are in this range:

85.255.112.0 - 85.255.127.255

it's a hijack. Those IP addresses are registered to:

Inhoster hosting company
OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine, Russia

There are many other "O4" entries that may, or may not, accompany this infection as well.

Description added: 06/08/06 Updated:

Winfixer (A.K.A. "Vundo", "Winantivirus") Trojan

"Winfixer" (or "Vundo") is normally recognized by an "O2" entry and an "O20" entry with the same DLL name. There may even be more than one on an infected system. They are normally five-character, randomly named DLL files. The description in the "O2" entry is usually like one of the following examples:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system\xmlcr.dll
O2 - BHO: DPCUpdater Object - {E291663A-2D6F-4B56-B9DF-AE239AEF6A5B} - C:\WINDOWS\system32\ssqpq.dll
O2 - BHO: ATLDistrib Object - {2353FCBC-012D-487B-8BF3-865C0929FBEB} - C:\WINDOWS\system32\vtstu.dll
O2 - BHO: RawExecAction Object - {18898424-E3AB-4BA9-8E8D-5434B1CECA75} - C:\WINDOWS\system32\pmnli.dll
O2 - BHO: DosSpecFolder Object - {1AE6D7D5-0C28-4DB6-9FD1-33B870A4C5F2} - C:\WINDOWS\system32\ssqpn.dll
O2 - BHO: InfoDocReader Object - {A5B00A5B-073E-4246-AFF0-CCAE0D5BF6D1} - D:\WINNT\system32\qomnk.dll
O2 - BHO: WTLHelper Object - {BD6CD737-34E1-4864-8697-83EC081F1989} - C:\WINDOWS\system32\qomki.dll

If some attempt has been made at removal, it may look like this:

O2 - BHO: (no name) - {A8536A74-C18A-44CE-945D-1F1BE7E2EDD2} - C:\WINDOWS\system32\vturs.dll

There's a new "Vundo" variant loose. This one "hides" itself from HijackThis! The "O2" and "O20" entries won't appear until you rename Hijackthis.exe to something else (like hjt.exe).

Description added: 06/08/06 Updated: 06/28/06

Dollar Revenue

DollarRevenue is usually installed without the user's consent or notice via a security exploit and is accompanied by additional adware. DollarRevenue files can access the internet and download so much adware that the computer may become unusable. DollarRevenue has been known to have been installed from the same site as a password-stealing trojan.

Some of the files known to have been deposited by this "adware":

(Note: "%Windows%" is your "Windows" folder, typically "C:\Windows\"; "%profile%" would be "C:\Documents and Settings\<INSERT YOUR USER NAME HERE>"; "%DESKTOPDIRECTORY%" would typically be "C:\Documents and Settings\<INSERT YOUR USER NAME HERE>\Desktop")

%DESKTOPDIRECTORY%\harvesting\defender.exe
%profile%\local settings\temp\drsmartload183a.exe
%windows%\aqehgef.exe
%windows%\aqehgefa.exe
%windows%\banmanpro.exe
%windows%\defender1.exe
%windows%\dollar.exe
%windows%\drsmartload45a.exe
%windows%\drsmartload46a.exe
%windows%\drsmartload849a.exe
%Windows%\drsmartload95a.exe
%windows%\enewsletterpro.exe
%windows%\gimmygames.exe
%windows%\gimmygames10a.exe
%windows%\gimmygames9.exe
%windows%\keyboard10.exe
%windows%\keyboard11.exe
%windows%\keyboard12.exe
%windows%\keyboard13.exe
%windows%\keyboard14.exe
%windows%\keyboard15.exe
%windows%\keyboard18.exe
%windows%\keyboard4.exe
%windows%\keyboard5.exe
%windows%\keyboard6.exe
%windows%\keyboard8.exe
%windows%\keyboard9.exe
%windows%\money.exe
%windows%\mousepad11.exe
%windows%\mousepad12.exe
%windows%\mousepad13.exe
%windows%\mousepad14.exe
%windows%\mousepad15.exe
%windows%\mousepad4.exe
%windows%\mousepad5.exe
%windows%\mousepad6.exe
%windows%\mousepad8.exe
%windows%\mousepad9.exe
%windows%\myupdates.exe
%windows%\newname10.exe
%windows%\newname11.exe
%windows%\newname12.exe
%windows%\newname13.exe
%windows%\newname14.exe
%windows%\newname15.exe
%windows%\newname18.exe
%windows%\newname4.exe
%windows%\newname5.exe
%windows%\newname6.exe
%windows%\newname8.exe
%windows%\newname9.exe
%windows%\nxmuma.exe
%windows%\puygb.dll
%windows%\stup3.exe
%windows%\temp\drsmartload482a.exe
%windows%\toolbar.exe
%windows%\winsysban3.exe
3631382d2d2d.exe
c:\defender1.exe
c:\defender19a.exe
c:\defender20.exe
c:\defender24.exe
c:\docume~1\etgtest\locals~1\temp\drsmartload183a.exe
c:\dr140306.exe
c:\drsmartload1.exe
c:\drsmartload45a.exe
c:\drsmartload46a.exe
c:\drsmartload849a.exe
C:\drsmartloadb.exe
c:\gimmygames.exe
c:\gimmygames9.exe
c:\keyboard.exe
c:\keyboard1.exe
c:\keyboard18.exe
c:\keyboard19.exe
c:\keyboard20.exe
c:\keyboard24.exe
c:\keyboard25.exe
c:\keyboard3.exe
c:\mousepad1.exe
c:\mousepad2.exe
c:\mousepad3.exe
c:\newname18.exe
c:\newname19.exe
c:\newname2.exe
c:\newname20.exe
c:\newname24.exe
c:\newname25.exe
c:\newname3.exe
c:\t\ad318b.exe
c:\winsysupd12.exe
defender.exe
defender19.exe
defender20.exe
defender21.exe
defender22.exe
defender23.exe
defender25.exe
defender26.exe
drsmartload.exe
drsmartload1.exe
drsmartload185a.exe
drsmartload197a.exe
drsmartload45a.exe
drsmartload464a.exe
drsmartload95a.exe
gimmygames.exe
gimmysmileys.exe
keyboard14.exe
keyboard16.exe
keyboard17.exe
keyboard19.exe
keyboard21.exe
keyboard22.exe
keyboard23.exe
keyboard7.exe
mousepad10.exe
mousepad14.exe
mousepad16.exe
mousepad17.exe
mousepad18.exe
mousepad7.exe
newname14.exe
newname16.exe
newname17.exe
newname21.exe
newname22.exe
newname23.exe
newname3.exe
newname7.exe
toolbar.exe

Some new file names have started appearing, presumably because of this infection:

C:\kybrd_1.exe
C:\nwnm_1.exe
C:\dfndra_1.exe
C:\kybrdb_2.exe
C:\dfndrb_2.exe
C:\nwnmb_2.exe

TomCoyote (Slaying Spyware Since 2002)
__________________ www.MasterB365.com www.Tech-Dump.com "On 10-3-08 Obama Supporters Vandalized-Tresspassed and STOLE My Palin-McCain Sign Violating My First Amendment Right To Free Speech. Do It Again And You Will Find Out What The 2nd Amendment Is All ABOUT!" |
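The recognition rules the post gives for SpyAxe, Look2Me, Qoologic, Wareout and Vundo/Winfixer are all pattern checks on HijackThis log lines, so they can be turned into a small triage script. The code below is an added example, not from the original post or from HijackThis itself. The sample log is constructed for this example and modelled on the entries quoted above; the CLSID for Titan Shield and the 85.255.112.0/20 range for Wareout are taken from the post; the "random-looking DLL name" test for Look2Me is this example's own heuristic (the post says there is nothing fixed to pin it to), and a real triage should still hand the log to a helper, as the post advises.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample HijackThis log (not a real machine's log); entries are modelled on
# the post's examples plus two legitimate lines so the negative cases are exercised.
SAMPLE_LOG = r"""
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\system32\hpab12.tmp
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\system32\xmlcr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O20 - Winlogon Notify: xmlcr - C:\WINDOWS\system32\xmlcr.dll
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\r4p80e7ueh.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\escny.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vadyxyr.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3FEBF950-7A92-45EA-8796-9B122685000A}: NameServer = 85.255.116.46,85.255.112.187
O17 - HKLM\System\CCS\Services\Tcpip\..\{11111111-2222-3333-4444-555555555555}: NameServer = 192.168.1.1
O21 - SSODL: coursings - {f8d02387-789a-4c0f-a1d8-8a93f33ee4df} - C:\WINDOWS\System32\yephk.dll (file missing)
""".strip()

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9a-fA-F-]{36})\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.*?) - (?P<path>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.+)$", re.I)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<ips>[0-9.,\s]+)$")
O21_RE = re.compile(r"^O21 - SSODL: .* - \{[0-9a-fA-F-]{36}\} - (?P<path>.+)$")

SPYAXE_TMP = re.compile(r"^hp[a-z0-9]{3,4}\.tmp$")          # hpxxxx.tmp, 3-4 random chars
TITAN_CLSID = "5E8FA924-DEF0-4E71-8A82-A11CA0C1413B"         # Titan Shield BHO from the post
WAREOUT_NET = ipaddress.ip_network("85.255.112.0/20")         # 85.255.112.0 - 85.255.127.255


def basename(path):
    """Last path component, lower-cased, with any trailing '(file missing)' kept as-is."""
    return path.replace("/", "\\").split("\\")[-1].strip().lower()


def looks_random(dll):
    """Heuristic (this example's own): Look2Me names are long letter/digit mixes."""
    stem = dll.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return len(stem) >= 8 and digits >= 2 and letters >= 3


def classify(log_text):
    """Map suspected-infection name -> list of log lines that triggered it."""
    hits = defaultdict(list)
    bho_dlls, notify_dlls = {}, {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            dll = basename(m["path"])
            bho_dlls[dll] = line
            if SPYAXE_TMP.match(dll):
                hits["SpyAxe"].append(line)
            if m["clsid"].upper() == TITAN_CLSID or dll == "adobepnl.dll":
                hits["SpyAxe (Titan Shield variant)"].append(line)
        elif m := O20_RE.match(line):
            dll = basename(m["path"])
            notify_dlls[dll] = line
            if looks_random(dll):
                hits["Look2Me (heuristic)"].append(line)
        elif m := F2_RE.match(line):
            # A second, non-empty value after Explorer.exe / userinit.exe is the hijack.
            parts = [p.strip() for p in m["value"].split(",") if p.strip()]
            if len(parts) > 1:
                hits["Qoologic"].append(line)
        elif m := O17_RE.match(line):
            ips = [ip.strip() for ip in m["ips"].split(",") if ip.strip()]
            if any(ipaddress.ip_address(ip) in WAREOUT_NET for ip in ips):
                hits["Wareout"].append(line)
        elif m := O21_RE.match(line):
            if "(file missing)" in m["path"] or "(no file)" in m["path"]:
                hits["SSODL pointing at missing file (SpyAxe family)"].append(line)
    # Vundo/Winfixer: the same five-letter random DLL appears as both an O2 BHO and an O20 notify.
    for dll in bho_dlls.keys() & notify_dlls.keys():
        stem = dll.rsplit(".", 1)[0]
        if len(stem) == 5 and stem.isalpha():
            hits["Vundo/Winfixer"].extend([bho_dlls[dll], notify_dlls[dll]])
    return dict(hits)


if __name__ == "__main__":
    for name, lines in classify(SAMPLE_LOG).items():
        print(name)
        for entry in lines:
            print("   ", entry)
```

Run it against a saved HijackThis log with `classify(open("hijackthis.log").read())`. The legitimate Google Toolbar BHO, the crypt32 Winlogon notify and the private-range DNS server produce no hits, which is the point of carrying negative cases in the sample: a rule that fires on every O2 or O17 line is not a detection.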