I have a clean XP computer, currently unused, that I would love to infect. I would like to fill it up with as much crap as possible, then practice cleaning it. Any suggestions as to where I can find some nasty stuff would be appreciated. I am too impatient to surf the web using bad practices, though that is probably what I will end up having to do.

lol hi shanenin. This is something that lots of people (including myself) face. It's even harder when you are looking for a specific infection! :wacko: Anyway, there are people/places that have access to many malware files, but they only open their databases to people they know and trust. I don't even have access to most of them. Shoot me a PM and I can give you some sites to hit that should infect you right up. ;)

Matt

I came up with a great plan. I am going to let my kids use this computer to do anything. I am going to keep IE on low security settings, and let them install whatever they like. They won't know what to do with themselves.

This will be a big treat for them. I currently do not let them use IE, Firefox only. They are running on limited accounts. I pretty much do not let them install anything, even with my approval.

My only thought about not doing this is, they might forget when they are on the "good" computer.

:D Oh, yeah, Shanenin! Didn't know you had kids. :D That's the ticket!

And Limewire, too. But, MommaLiz says you have to tell the kids, no pron!

Sweepstakes.com comes up on a Google Search :D I've read that Poker Party is a nasty. Oh! Gator and Wild Tangent.

Liz

I disabled all of the Spy Sweeper shields which prevent infections. I did let Spy Sweeper run, but this is what I have left over. This is kind of a "before" HJT log.

Logfile of HijackThis v1.99.1

Scan saved at 11:23:21 PM, on 6/22/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

c:\progra~1\intern~1\iexplore.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Documents and Settings\Owner\Desktop\hjt\HijackThis.exe

R3 - URLSearchHook: (no name) - - (no file)

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL

O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware316\bin\Starware316.dll

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll

O2 - BHO: (no name) - {87D01192-9ACB-AAAB-E6F6-CCEFCCC8DFE6} - C:\DOCUME~1\Owner\APPLIC~1\TICKWM~1\defaultname.exe (file missing)

O3 - Toolbar: Starware316 - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware316\bin\Starware316.dll

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O4 - HKCU\..\Run: [itch jump] C:\DOCUME~1\Owner\APPLIC~1\4bait\Ford Grid.exe

O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe

O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm429YYUS

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O10 - Hijacked Internet access by New.Net

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

When I try and clean a client's computer I usually run Spy Sweeper first. It normally is not able to remove a lot of stuff.

For testing on my home machine it has done well. It only has not been able to remove Starware, plus a few things it did not even detect.

I reinstalled the trojan, then just did a before and after of my HJT log. I noticed this new entry:

O4 - HKLM\..\Run: [oyspwe] C:\WINDOWS\system32\ziqfcw.exe r

This must be from the trojan. Would you say any O4 that is in the system32 directory would be suspicious?

I pretty much just used Add/Remove Programs to delete a bunch of stuff. Just curious, if epolvy always changes its name, how can you tell if you have it?

Would you watch for changed O4s at reboot?

Scan saved at 12:43:39 AM, on 6/23/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\bcqzzkw.exe

C:\WINDOWS\system32\slserv.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Owner\Desktop\hjt\HijackThis.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\explorer.exe

R3 - URLSearchHook: (no name) - - (no file)

O2 - BHO: (no name) - {87D01192-9ACB-AAAB-E6F6-CCEFCCC8DFE6} - C:\DOCUME~1\Owner\APPLIC~1\TICKWM~1\defaultname.exe (file missing)

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r

This is the trojan. It is a randomly named O4 with a randomly named file attached. There will also be a random process (same name as the file) running in the process list. These all change on reboot. There is also a stray "r" that appears at the end of the line.

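As an added example (not code from the thread), the Python script below does the before/after comparison shanenin ran by hand: it parses the O4 lines of two HijackThis logs, lists what was added and removed, and pairs up entries that match the shape described in the post above (random value name, random .exe in system32, stray " r" argument) as one trojan renamed across a reboot. The two log excerpts are copied from the logs posted in this thread.

```python
import re

# O4 line as HijackThis prints it: "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[LC][MU])\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# Shape described in the thread: 5-8 lowercase letters, .exe in system32, lone "r" argument.
TROJAN_RE = re.compile(r"^(?i:c:\\windows\\system32\\)[a-z]{5,8}\.exe r$")

# O4 excerpts taken from the before/after HJT logs posted above.
BEFORE = r"""O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [oyspwe] C:\WINDOWS\system32\ziqfcw.exe r
O4 - HKCU\..\Run: [itch jump] C:\DOCUME~1\Owner\APPLIC~1\4bait\Ford Grid.exe
"""
AFTER = r"""O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r
"""


def parse_o4(log_text):
    """Map (hive, value name) -> command line for every O4 line in an HJT log."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m["hive"], m["name"])] = m["cmd"]
    return entries


def looks_like_rename_trojan(cmd):
    """True if the command line has the random-name-in-system32 plus stray 'r' shape."""
    return TROJAN_RE.match(cmd) is not None


def diff_o4(before_log, after_log):
    """Return added and removed O4 entries, plus (old, new) pairs that look like the same trojan renamed."""
    before, after = parse_o4(before_log), parse_o4(after_log)
    added = {k: v for k, v in after.items() if k not in before}
    removed = {k: v for k, v in before.items() if k not in after}
    renamed = [(old, new) for old, v_old in removed.items() if looks_like_rename_trojan(v_old)
               for new, v_new in added.items() if looks_like_rename_trojan(v_new)]
    return {"added": added, "removed": removed, "renamed": renamed}


if __name__ == "__main__":
    result = diff_o4(BEFORE, AFTER)
    for old, new in result["renamed"]:
        print(f"likely renamed trojan: {old[1]} -> {new[1]}: {result['added'][new]}")
    for key, cmd in result["added"].items():
        print("new O4:", key, cmd)
```

Entries that are merely new (a freshly installed toolbar, for instance) show up under "added" without a "renamed" pairing, so the pairing is what separates the reboot-renaming trojan from ordinary churn.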

Actually shane, this tool is more of a learning experience for myself. As you saw, this trojan can be easily removed with SpySweeper. Ewido will also get it, and yes, AdAware with the VX2 plugin also gets it. I'm just doing this to understand how the infection works, and what methods are done (whether by scan or manually) to remove it.

I also like a project to learn from. Cool :-)

By the way, what method do you use to suspend a process?

I include the file process.exe with the batch file. What this process.exe does is add the ability to the command prompt to execute process actions. For example,

process -s wordpad.exe

would suspend the wordpad process.

Matt

That sounds easy enough.
