shanenin

I Need Malware

I have a clean XP computer, currently unused, that I would love to infect. I would like to fill it up with as much crap as possible, then practice cleaning it. Any suggestions as to where I can find some nasty stuff would be appreciated. I am too impatient to surf the web using bad practices; that is probably what I will end up having to do.


lol hi shanenin. This is something that lots of people (including myself) face. It's even harder when you are looking for a specific infection! :wacko: Anyway, there are people/places that have access to many malware files, but they only open their databases to people they know and trust. I don't even have access to most of them. Shoot me a PM and I can give you some sites to hit that should infect you right up. ;)

Matt


"I can give you some sites to hit that should infect you right up. "

:D LOL :D You guys are nuts.....But on behalf of the folks who need researchers like you, thank you!

Liz


I have been installing anything and everything like a crazed mad man. I am still not getting any popups. grrr.


I came up with a great plan. I am going to let my kids use this computer to do anything. I am going to keep IE on low security settings, and let them install whatever they like. They won't know what to do with themselves.

This will be a big treat for them. I currently do not let them use IE, Firefox only. They are running on limited accounts. I pretty much do not let them install anything, even with my approval.

My only thought about not doing this is, they might forget when they are on the "good" computer.

Edited by shanenin


:D Oh, yeah, Shanenin! Didn't know you had kids. :D That's the ticket!

And Limewire, too. But, MommaLiz says you have to tell the kids, no pron!

Sweepstakes.com comes up on a Google Search :D I've read that Poker Party is a nasty. Oh! Gator and Wild Tangent.

Liz


yup, 14 year old girl (she thinks she is an adult; this happened over the past few months)

10 year old girl

7 year old boy


I disabled all of Spy Sweeper's shields which prevent infections. I did let Spy Sweeper run, but this is what I have left over. This is kind of a "before" HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:23:21 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Owner\Desktop\hjt\HijackThis.exe

R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware316\bin\Starware316.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {87D01192-9ACB-AAAB-E6F6-CCEFCCC8DFE6} - C:\DOCUME~1\Owner\APPLIC~1\TICKWM~1\defaultname.exe (file missing)
O3 - Toolbar: Starware316 - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware316\bin\Starware316.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [itch jump] C:\DOCUME~1\Owner\APPLIC~1\4bait\Ford Grid.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm429YYUS
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


The log isn't too infected. Be careful with New.net though; if you remove it wrong, it can kill your internet connection. It appears the file I sent you isn't in there.. :huh: One of your scans must have killed it. <_<


Spy Sweeper needed to get rid of that one (the one you sent) at reboot. It seems to be a pretty good program.


When I try and clean a client's computer I usually run Spy Sweeper first. It normally is not able to remove a lot of stuff.

For testing on my home machine it has done well. The only thing it has not been able to remove is Starware, plus a few things it did not even detect.


I reinstalled the trojan, then just did a before and after of my HJT log. I noticed this new entry:

O4 - HKLM\..\Run: [oyspwe] C:\WINDOWS\system32\ziqfcw.exe r

This must be from the trojan. Would you say any O4 that is in the system32 directory would be suspicious?

Edited by shanenin

> Would you say any O4 that is in the system32 directory would be suspicious?

Suspicious? Yes. Definitely bad? NO. Any legit program could drop something there; however, they usually use their own folder.


I pretty much just used Add/Remove Programs to delete a bunch of stuff. Just curious, if epolvy always changes its name, how can you tell if you have it?

Would you watch for changed O4s at reboot?

Scan saved at 12:43:39 AM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\bcqzzkw.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\hjt\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {87D01192-9ACB-AAAB-E6F6-CCEFCCC8DFE6} - C:\DOCUME~1\Owner\APPLIC~1\TICKWM~1\defaultname.exe (file missing)
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Edited by shanenin


> O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r

This is the trojan. It is a random-named O4 with a random-named file attached. There will also be a random process (same name as the file) running in the process list. These all change on reboot. There is also a stray "r" that appears at the end of the line.
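Example added here (not code from the thread or from either poster): a small Python script that applies the two rules of thumb above to HijackThis logs. It diffs the O4 entries of a "before" and an "after" log, and scores each O4 entry for the traits just described (target sitting in system32 instead of its own program folder, random-looking value and file names, a process with the same name in the process list, and a stray single-letter argument). The two log excerpts are constructed, trimmed versions of the logs posted above; the "looks random" test and the flagging threshold are my own assumptions, not anything HijackThis itself computes.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: trimmed excerpts modelled on the two logs posted
# in this thread (before and after the trojan was reinstalled).
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\slserv.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\bcqzzkw.exe
C:\WINDOWS\system32\slserv.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

ENTRY_RE = re.compile(r"^[A-Z]\d+ - ")          # any R../O.. log line
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Plain "<path>.exe [args]" launches; rundll32 and quoted paths fall through
# to a first-token fallback (a simplification of this example).
CMD_RE = re.compile(r"^(?P<target>\S+\.exe)(?:\s+(?P<args>.*))?$", re.I)


def parse_log(text):
    """Return (set of running process basenames, list of O4 (hive, name, cmd))."""
    running, entries, in_procs = set(), [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue                      # the posted logs are double-spaced
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and ENTRY_RE.match(line):
            in_procs = False              # first R/O entry ends the process list
        if in_procs:
            running.add(PureWindowsPath(line).name.lower())
            continue
        m = O4_RE.match(line)
        if m:
            entries.append((m["hive"], m["name"], m["cmd"]))
    return running, entries


def looks_random(s):
    """Assumed heuristic: short, letters-only, almost vowel-free names."""
    s = s.lower()
    if not (5 <= len(s) <= 8) or not s.isalpha():
        return False
    return sum(c in "aeiou" for c in s) / len(s) < 0.3


def suspicious_o4(entry, running):
    """List the traits described in the thread that this O4 entry shows."""
    hive, name, cmd = entry
    m = CMD_RE.match(cmd)
    target, args = (m["target"], m["args"] or "") if m else (cmd.split()[0], "")
    path = PureWindowsPath(target)
    reasons = []
    if re.search(r"\\system32\\[^\\]+$", target, re.I):
        reasons.append("target lives in system32, not its own program folder")
    if looks_random(path.stem):
        reasons.append(f"file name {path.stem!r} looks random")
    if looks_random(name):
        reasons.append(f"run value name {name!r} looks random")
    if re.fullmatch(r"[a-z]", args):
        reasons.append(f"stray single-letter argument {args!r}")
    if path.name.lower() in running:
        reasons.append("a process with the same name is running")
    return reasons


def flagged_o4(log_text, threshold=2):
    """Map run-value name -> reasons for entries with at least `threshold` traits."""
    running, entries = parse_log(log_text)
    flagged = {}
    for entry in entries:
        reasons = suspicious_o4(entry, running)
        if len(reasons) >= threshold:
            flagged[entry[1]] = reasons
    return flagged


def new_o4_entries(before_text, after_text):
    """O4 entries present in the after-log but absent from the before-log."""
    before = set(parse_log(before_text)[1])
    return [e for e in parse_log(after_text)[1] if e not in before]


if __name__ == "__main__":
    for e in new_o4_entries(LOG_BEFORE, LOG_AFTER):
        print("new O4:", e)
    for name, reasons in flagged_o4(LOG_AFTER).items():
        print(f"[{name}] flagged:", "; ".join(reasons))
```

A single trait is not a verdict, as the reply above says: SOUNDMAN.EXE also has a matching running process, and plenty of legitimate software drops a file in system32, so the script only flags an entry when several traits line up. The diff half is the practical answer to "how do you tell if the name keeps changing": compare the O4 set across reboots rather than looking for a fixed name.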


As of now, is the preferred way to remove this trojan Ad-Aware with the VX2 plugin? Are you trying to make a simple tool that does not need Ad-Aware and the plugin to be installed?


Actually shane, this tool is more of a learning experience for myself. As you saw, this trojan can be easily removed with SpySweeper. Ewido will also get it, and yes, AdAware with the VX2 plugin also get it. I'm just doing this to understand how the infection works, and what methods are done (whether by scan or manually) to remove it.

> Actually shane, this tool is more of a learning experience for myself. As you saw, this trojan can be easily removed with SpySweeper. Ewido will also get it, and yes, AdAware with the VX2 plugin also get it. I'm just doing this to understand how the infection works, and what methods are done (whether by scan or manually) to remove it.

I also like a project to learn. cool :-)

by the way, what method do you use to suspend a process?


I include the file process.exe with the batch file. What this process.exe does is add the ability to the command prompt to execute process actions. For example,

process -s wordpad.exe

would suspend the wordpad process.

Matt

> I include the file process.exe with the batch file. What this process.exe does is add the ability to the command prompt to execute process actions. For example,
>
> process -s wordpad.exe
>
> would suspend the wordpad process.
>
> Matt

That sounds easy enough.


When I try and run that command using cmd.exe (the XP command line), it says the command "process" is not available. Are you sure that will work in a batch file?
