shanenin Posted June 21, 2006
I have a clean XP computer, currently unused, that I would love to infect. I would like to fill it up with as much crap as possible, then practice cleaning it. Any suggestions as to where I can find some nasty stuff would be appreciated. I am too impatient to surf the web using bad practices; that is probably what I will end up having to do.
Matt Posted June 21, 2006
lol hi shanenin. This is something that lots of people (including myself) face. It's even harder when you are looking for a specific infection! Anyway, there are people/places that have access to many malware files, but they only open their databases to people they know and trust. I don't even have access to most of them. Shoot me a PM and I can give you some sites to hit that should infect you right up.
Matt
blim Posted June 21, 2006
"I can give you some sites to hit that should infect you right up."
LOL. You guys are nuts... But on behalf of the folks who need researchers like you, thank you!
Liz
shanenin Posted June 21, 2006
I have been installing anything and everything like a crazed madman. I am still not getting any popups. grrr.
shanenin Posted June 21, 2006 (edited June 22, 2006)
I came up with a great plan. I am going to let my kids use this computer to do anything. I am going to keep IE on low security settings and let them install whatever they like. They won't know what to do with themselves. This will be a big treat for them. I currently do not let them use IE, Firefox only. They are running on limited accounts. I pretty much do not let them install anything, even with my approval. My only thought about not doing this is, they might forget when they are on the "good" computer.
Pierce Posted June 21, 2006
p2p, that's all you need, or Kazaa. Not to forget SmileCentral, YIM, and any other fun-loving crap you can think of.
Pierce
blim Posted June 22, 2006
Oh, yeah, Shanenin! Didn't know you had kids. That's the ticket! And Limewire, too. But, MommaLiz says you have to tell the kids, no pron! Sweepstakes.com comes up on a Google search. I've read that Poker Party is a nasty. Oh! Gator and Wild Tangent.
Liz
shanenin Posted June 22, 2006
yup
14 year old girl (she thinks she is an adult, this happened over the past few months)
10 year old girl
7 year old boy
medab1 Posted June 22, 2006 (edited June 22, 2006)
See the picture -- http://i6.tinypic.com/1570qoo.jpg
Of course, remove all protection first. A Google search for warez would work.
shanenin Posted June 23, 2006
I disabled all of the Spy Sweeper shields which prevent infections. I did let Spy Sweeper run, but this is what I have left over. This is kind of a "before" HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:23:21 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Documents and Settings\Owner\Desktop\hjt\HijackThis.exe

R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: (no name) - {45A4902E-4479-4EAE-A186-8D0F7E4C78DE} - C:\Program Files\Starware316\bin\Starware316.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22.dll
O2 - BHO: (no name) - {87D01192-9ACB-AAAB-E6F6-CCEFCCC8DFE6} - C:\DOCUME~1\Owner\APPLIC~1\TICKWM~1\defaultname.exe (file missing)
O3 - Toolbar: Starware316 - {9FB3908C-6565-4CB0-95F8-E9F85258723C} - C:\Program Files\Starware316\bin\Starware316.dll
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\2.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [itch jump] C:\DOCUME~1\Owner\APPLIC~1\4bait\Ford Grid.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm429YYUS
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/f...tup1.0.0.15.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Matt Posted June 23, 2006
The log isn't too infected. Be careful with New.net though; if you remove it wrong, it can kill your internet connection. It appears the file I sent you isn't in there... One of your scans must have killed it.
shanenin Posted June 23, 2006
Spy Sweeper needed to rid that one (the one you sent) at reboot. It seems to be a pretty good program.
Matt Posted June 23, 2006
Yep, SpySweeper is great!
shanenin Posted June 23, 2006
When I try and clean a client's computer I usually run Spy Sweeper first. It normally is not able to remove a lot of stuff. For testing on my home machine it has done well. It only has not been able to remove Starware, plus a few things it did not even detect.
shanenin Posted June 23, 2006 (edited June 23, 2006)
I reinstalled the trojan then just did a before and after of my HJT log. I noticed this new entry:
O4 - HKLM\..\Run: [oyspwe] C:\WINDOWS\system32\ziqfcw.exe r
This must be from the trojan. Would you say any O4 that is in the system32 directory would be suspicious?
Matt Posted June 23, 2006
"Would you say any O4 that is in the system32 directory would be suspicious?"
Suspicious, yes. Definitely bad? NO. Any legit program could drop something there; however, they usually use their own folder.
shanenin Posted June 23, 2006 (edited June 23, 2006)
I pretty much just used Add/Remove Programs to delete a bunch of stuff. Just curious, if epolvy always changes its name, how can you tell if you have it? Would you watch for changed O4s at reboot?

Scan saved at 12:43:39 AM, on 6/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\bcqzzkw.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Owner\Desktop\hjt\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe

R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {87D01192-9ACB-AAAB-E6F6-CCEFCCC8DFE6} - C:\DOCUME~1\Owner\APPLIC~1\TICKWM~1\defaultname.exe (file missing)
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Matt Posted June 23, 2006
"O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r"
This is the trojan. It is a random-named O4 with a random-named file attached. There will also be a random process (same name as the file) running in the process list. These all change on reboot. There is also a stray r that appears at the end of the line.
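As an added example (not code posted by anyone in this thread), here is a small Python script that applies Matt's description to the two logs shanenin posted. It parses HijackThis O4 lines, flags entries that fit the pattern Matt describes (a file dropped straight into system32, a bare lowercase value name that has nothing to do with the file name, a lone trailing argument like the stray r), and pairs entries that vanished from the "before" log with entries that appeared in the "after" log in the same hive and directory with the same arguments but a new name, which is what watching for changed O4s at reboot amounts to. The sample O4 lines are constructed from the two logs above; the three heuristics are my own assumptions about what "random-named" looks like, not anything HijackThis computes, and an entry they do not flag is not thereby clean.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input: the O4 (Run-key) lines from the thread's two
# HijackThis logs, before and after a reboot. The benign soundMan line is
# kept so the diff has an unchanged entry to ignore.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [oyspwe] C:\WINDOWS\system32\ziqfcw.exe r
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [zdkyzf] C:\WINDOWS\system32\bcqzzkw.exe r
"""

# HijackThis prints Run-key entries as: O4 - <hive>\..\Run: [<value name>] <value data>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

RANDOM_NAME = re.compile(r"[a-z]{5,8}")   # assumption: bare lowercase token, no spaces/digits/caps
SINGLE_LETTER_ARG = re.compile(r"[a-z]")  # the lone trailing "r" Matt points out


@dataclass(frozen=True)
class RunEntry:
    hive: str   # HKLM or HKCU
    name: str   # registry value name, shown in [brackets] by HijackThis
    cmd: str    # value data: executable path plus any arguments

    def split_cmd(self) -> Tuple[str, str]:
        """Split value data into (path, args). Paths may contain spaces, so cut
        after the first '.exe' when there is one instead of on whitespace."""
        idx = self.cmd.lower().find(".exe")
        if idx >= 0:
            end = idx + 4
            return self.cmd[:end], self.cmd[end:].strip()
        head, _, tail = self.cmd.partition(" ")
        return head, tail.strip()

    @property
    def basename(self) -> str:
        path, _ = self.split_cmd()
        return path.replace("/", "\\").rsplit("\\", 1)[-1]

    @property
    def directory(self) -> str:
        path, _ = self.split_cmd()
        return path.replace("/", "\\").rsplit("\\", 1)[0].lower() if "\\" in path else ""


def parse_o4(log_text: str) -> List[RunEntry]:
    """Pull every O4 line out of a HijackThis log; other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["cmd"]))
    return entries


def suspicion(entry: RunEntry) -> List[str]:
    """Heuristic reasons this Run entry resembles the rotating-name pattern
    from the thread. An empty list means none of the three heuristics fired."""
    reasons = []
    path, args = entry.split_cmd()
    if "\\system32\\" in path.lower():
        reasons.append("system32")          # loader dropped straight into system32
    stem = entry.basename.rsplit(".", 1)[0].lower()
    if RANDOM_NAME.fullmatch(entry.name) and entry.name != stem:
        reasons.append("random-name")       # value name is noise unrelated to the file name
    if SINGLE_LETTER_ARG.fullmatch(args):
        reasons.append("stray-arg")         # single-letter trailing argument
    return reasons


def rotated(before: List[RunEntry], after: List[RunEntry]) -> List[Tuple[RunEntry, RunEntry]]:
    """Pair entries that disappeared with entries that appeared in the same hive
    and directory with the same arguments but under new names: the 'changes on
    reboot' behaviour Matt describes."""
    gone = [e for e in before if e not in after]
    new = [e for e in after if e not in before]
    pairs = []
    for old in gone:
        for cur in new:
            same_shape = (old.hive, old.directory, old.split_cmd()[1]) == (cur.hive, cur.directory, cur.split_cmd()[1])
            if same_shape and old.name != cur.name and old.basename != cur.basename:
                pairs.append((old, cur))
    return pairs


def report(before_text: str, after_text: str) -> List[str]:
    """Human-readable findings for the 'after' log, plus any reboot rotations."""
    before, after = parse_o4(before_text), parse_o4(after_text)
    lines = []
    for e in after:
        why = suspicion(e)
        if why:
            lines.append(f"suspicious: [{e.name}] {e.cmd}  ({', '.join(why)})")
    for old, cur in rotated(before, after):
        lines.append(f"rotated on reboot: [{old.name}] {old.basename} -> [{cur.name}] {cur.basename}")
    return lines


if __name__ == "__main__":
    for line in report(LOG_BEFORE, LOG_AFTER):
        print(line)
```

Run against the two constructed logs it prints one "suspicious" line for the zdkyzf entry (all three heuristics fire) and one "rotated on reboot" line pairing oyspwe/ziqfcw.exe with zdkyzf/bcqzzkw.exe, while the unchanged soundMan entry produces nothing. Matt's caveat still applies: a system32 path alone is a reason to look, not a verdict, which is why the script reports reasons rather than a yes/no.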
shanenin Posted June 23, 2006
As of now, is the preferred way to remove this trojan AdAware with the VX2 plugin? Are you trying to make a simple tool that does not have the need to install AdAware and the plugin?
Matt Posted June 23, 2006
Actually shane, this tool is more of a learning experience for myself. As you saw, this trojan can be easily removed with SpySweeper. Ewido will also get it, and yes, AdAware with the VX2 plugin also gets it. I'm just doing this to understand how the infection works, and what methods are done (whether by scan or manually) to remove it.
shanenin Posted June 23, 2006
"Actually shane, this tool is more of a learning experience for myself. As you saw, this trojan can be easily removed with SpySweeper. Ewido will also get it, and yes, AdAware with the VX2 plugin also gets it. I'm just doing this to understand how the infection works, and what methods are done (whether by scan or manually) to remove it."
I also like a project to learn. cool :-)
By the way, what method do you use to suspend a process?
Matt Posted June 23, 2006
I include the file process.exe with the batch file. What this process.exe does is add the ability to the command prompt to execute process actions. For example, process -s wordpad.exe would suspend the wordpad process.
Matt
shanenin Posted June 23, 2006
"I include the file process.exe with the batch file. What this process.exe does is add the ability to the command prompt to execute process actions. For example, process -s wordpad.exe would suspend the wordpad process."
That sounds easy enough.
shanenin Posted June 23, 2006
When I try and run that command using cmd.exe (XP command line), it says the command "process" is not available. Are you sure that will work in a batch file?
Matt Posted June 23, 2006
You need process.exe for it to work. I can send it to you if you'd like.