-
April 15th, 2004, 12:08 AM
#21
Senior Member
this is the log from hijack this
-
April 15th, 2004, 02:59 AM
#22
thing is tiger.. it's not a hijacker.. and it's not CWS..
and undies log didn't even show that file as running..
now hijackthis can't see hidden files unless windows explorer is set to view them.. so i think that's why it wasn't visible..
same thing in your log, disturb.. I don't see the file (that undertaker said) running..
these lines show evidence of mutated names..
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\upnPtDFsHISV.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\igDwsThbSdrq.exe
you know what I would do ? in safe mode.. use your windows/ find files and folders
in the date tab, search for all files found created at.. and pick your time frame.
all the files will probably be small so you can use the advanced tab to limit size to
let's say.. less than 100k.. or even 50k
examine and write down all files that look suspicious.. google them on another box
if you have one.. rename them.. change the extension on them.. move them off
onto a floppy if you want to save and examine. record what you did and found.
a quick look at your log.. it pretty much looks clean.. you do have wildtangent
but that ain't too big a deal..
you certainly can delete these two files from the cleaner directory
upnPtDFsHISV.exe
igDwsThbSdrq.exe
make note of their size.. see if there are any other files like that in the cleaner directory.
do your work in safe mode.. if windows says they can't be deleted.. try changing the files' attributes if they are set to hidden or system files.
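The triage the post describes (files created in a chosen time frame, under 100k, with hidden/system files not hidden from view) as a script. This is an added example, not code from the thread or from any poster; it assumes that on Windows `st_ctime` is the creation time and falls back to modification time elsewhere.

```python
import os
import stat
import time
from datetime import datetime

# Added example (not the thread's code): the post's safe-mode triage, "files
# created in this time frame, under 100k", as a script that also flags files
# Explorer would hide. Assumption: on Windows st_ctime is creation time; on other
# platforms the script falls back to modification time.
HIDDEN_FLAGS = stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM

def file_record(path: str) -> dict:
    """One entry per file: size, timestamp and whether it is hidden/system."""
    st = os.stat(path)
    ts = st.st_ctime if os.name == "nt" else st.st_mtime
    attrs = getattr(st, "st_file_attributes", 0)        # Windows only
    hidden = bool(attrs & HIDDEN_FLAGS) or os.path.basename(path).startswith(".")
    return {"path": path, "size": st.st_size, "time": ts, "hidden": hidden}

def select_candidates(records, start: float, end: float, max_size: int = 100 * 1024):
    """Keep files inside the window and at most max_size bytes, newest first."""
    hits = [r for r in records if start <= r["time"] <= end and r["size"] <= max_size]
    return sorted(hits, key=lambda r: r["time"], reverse=True)

def scan(root: str, start: float, end: float, max_size: int = 100 * 1024):
    """Walk root (hidden files included, unlike Explorer's default) and filter."""
    records = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            try:
                records.append(file_record(os.path.join(dirpath, name)))
            except OSError:
                continue                       # locked or vanished file: skip it
    return select_candidates(records, start, end, max_size)

def fmt(r: dict) -> str:
    """One line per hit, ready to write down: time, size, flag, path."""
    flag = "HIDDEN/SYSTEM " if r["hidden"] else ""
    return f"{datetime.fromtimestamp(r['time']):%Y-%m-%d %H:%M}  {r['size']:>7}  {flag}{r['path']}"

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    now = time.time()
    for hit in scan(root, now - 48 * 3600, now):     # last two days, under 100k
        print(fmt(hit))
```

Run it from safe mode against the drive root with the time window adjusted to when the trouble started; the printed list is the "write down and google on another box" list from the post.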
-
April 15th, 2004, 03:07 AM
#23
Would someone like me to be brave and IDA Pro this sucker?
-Cheers-
-
April 15th, 2004, 04:07 AM
#24
Senior Member
Quote:
you certainly can delete these two files from the cleaner directory
upnPtDFsHISV.exe
igDwsThbSdrq.exe
make note of their size.. see if there are any other files like that in the cleaner directory.
do your work in safe mode.. if windows says they can't be deleted.. try changing the files' attributes if they are set to hidden or system files.
no, those aren't the bad guys; those are the two programs that let me know what that file did
it looks mutated because they're running in stealth mode (so no trojan can kill them). the name and size change every 5 minutes. those two programs are my body guards
-
April 15th, 2004, 04:29 AM
#25
oh yeah.. my bad.. I've never used the active stuff from thecleaner.. and didn't realize that the names change.. I guess you learn something new everyday.. hehe.. I googled them, found nothing and assumed they shouldn't be there..
so.. then hijackthis doesn't see anything in the startup/run area.. did you set windows explorer to show hidden files ? did you try searching around your drive for newly created/accessed files ?
-
April 15th, 2004, 09:06 AM
#26
Originally posted here by PM8228
Would someone like me to be brave and IDA Pro this sucker?
I'm already working on it. As far as I know right now the .text and .data segments are XOR'ed with different values, and then it jumps to an address inside the .text segment. Unfortunately I cannot seem to get the correct XOR values so I don't know what exactly it does after the decode.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
April 15th, 2004, 10:21 AM
#27
Member
If someone has a spare comp n hub, maybe you could try to see what it's spitting out to the net, to determine if it's a trojan or not
-
April 15th, 2004, 12:37 PM
#28
Well, I finally got my decoder working. It looks a lot like spyware to me. With the option of getting instructions from a website. Most of the registry strings I found referred to Internet Explorer regkeys. I didn't find anything relating to the Run keys.
URL for instructions/logging:
http://ussrforeva.com/wcmd.txt
http://ussrforeva.com/ppslog.php
http://ussrforeva.com/piplog.php?%s:...%02d:%02d:%02d
strings referring to the name of the probable coder:
TT coded by HT commercial version
_timofei_tokarev_rulez4ever
Some files that maybe interesting:
clctk.dat
tt32.dat
Rtdx1????.dat (???? probably a random number)
If anyone is interested I can create a .LST file containing a slightly sanitized disassembly.
Oliver's Law:
Experience is something you don't get until just after you need it.
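One way through the step that stalled in #26 (finding the XOR values) and on to the kind of strings listed in #28. This is an added example, not the poster's decoder or code from the thread; it assumes each section is encoded with its own single-byte XOR key (the thread does not say the key length), and the section bytes it works on are constructed.

```python
import re

# Added example (not the thread's code): brute-force a one-byte XOR key per PE
# section by scoring text-likeness, then list the strings. Single-byte keys and
# the sample section contents below are assumptions/constructed for the demo.
CRIBS = (b"http", b".php", b".txt", b".dat", b".exe", b"Software\\", b"%s", b"%d")
PUNCT = b".\\/:%_?-"

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def score(data: bytes) -> int:
    """Higher is more text-like; cribs are substrings a wrong key cannot yield."""
    s = 0
    for b in data:
        if 97 <= b <= 122:                    # lowercase letters: strongest signal
            s += 3
        elif 48 <= b <= 57 or 65 <= b <= 90:  # digits and uppercase
            s += 2
        elif b == 0x20 or b in PUNCT:         # space, path/URL/format punctuation
            s += 1
        elif b and (b < 0x20 or b > 0x7E):    # control/high bytes (NUL stays neutral)
            s -= 2
    return s + 20 * sum(data.count(c) for c in CRIBS)

def recover_key(section: bytes) -> int:
    """Try all 256 keys and keep the one whose output looks most like text."""
    return max(range(256), key=lambda k: score(xor_bytes(section, k)))

def extract_strings(data: bytes, min_len: int = 6):
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def decode_sections(sections):
    """.text and .data may use different keys, so recover one per section."""
    out = {}
    for name, blob in sections.items():
        key = recover_key(blob)
        out[name] = (key, extract_strings(xor_bytes(blob, key)))
    return out

# Constructed sample: a few x86 prologue bytes and NULs around strings like the
# ones the thread recovered, each section encoded with a different key.
PLAIN_TEXT = bytes.fromhex("558bec83ec10e800000000c3") + b"wcmd.txt\x00ppslog.php\x00piplog.php?%s\x00"
PLAIN_DATA = b"\x00" * 8 + b"Software\\Microsoft\\Internet Explorer\\Main\x00clctk.dat\x00tt32.dat\x00" + bytes(range(0xF0, 0x100))
SAMPLE = {".text": xor_bytes(PLAIN_TEXT, 0x5A), ".data": xor_bytes(PLAIN_DATA, 0xC3)}

if __name__ == "__main__":
    for name, (key, strs) in decode_sections(SAMPLE).items():
        print(f"{name}: key=0x{key:02X} strings={strs}")
```

On a real sample, feed each section's raw bytes (from the PE section table) into `decode_sections`; if no key scores well, the encoding is probably longer than one byte and the scorer needs a multi-byte variant.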
-
April 15th, 2004, 01:04 PM
#29
If anyone is interested I can create a .LST file containing a slightly sanitized disassembly.
*Raises hand.
-Cheers-
-
April 15th, 2004, 02:25 PM
#30
Hey got this back from Symantec:
We have analyzed your submission. The following is a report of our
findings for each file you have submitted:
filename: C:\Documents and Settings\Administrator\Desktop\Kcfepaic.exe
machine: XXXXXXXX
result: This file is infected with Backdoor.Berbew.C
Developer notes:
C:\Documents and Settings\Administrator\Desktop\Kcfepaic.exe is a non-repairable threat. NAV with the latest beta definition detects this. Please delete this file and replace it if necessary. Please follow the instruction at the end of this email message to install the latest beta definitions.
Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created beta definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest beta definitions.
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)