Page 3 of 4 FirstFirst 1234 LastLast
Results 21 to 30 of 40

Thread: ** Ok What could this Be? **

  1. #21
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    this is the log from hijack this

  2. #22
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    thing is tiger.. it's not a hijacker.. and it's not CWS..
    and undies log didn't even show that file as running..
    now hijckthis can't see hidden files unless windows explorer is set to view them.. so i think that's why is wasn't visable..

    same thing in your log, disturb.. I don't see the file (that undertaker said) running..

    these lines show evidence of mutated names..

    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\upnPtDFsHISV.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\igDwsThbSdrq.exe

    you know what I would do ? in safe mode.. use your windows/ find files and folders
    in the date tab, search for all files found created at.. and pick your time frame.
    all the files will probably be small so you can use the advanced tab to limit size to
    let's say.. less than 100k.. or even 50k

    examine and write down all files that look suspicious.. google them on another box
    if you have one.. rename them.. change the extention on them.. move them off
    onto a floppy if you want to save and examine. record what you did and found.

    a quick look at your log.. it pretty much looks clean.. you do have wildtangent
    but that ain't too big a deal..

    you certainly can delete these two files from the cleaner directory
    upnPtDFsHISV.exe
    igDwsThbSdrq.exe

    make note of their size.. see if there are any other files like that in the cleaner directory.
    do your work in safe mode.. if windows says they can't be deleted.. try changing the files attributes if they are set to hidden or system files.

  3. #23
    Would someone like me to be brave and IDA Pro this sucker?

    -Cheers-

  4. #24
    Senior Member
    Join Date
    Feb 2004
    Posts
    197
    [i]
    you certainly can delete these two files from the cleaner directory
    upnPtDFsHISV.exe
    igDwsThbSdrq.exe

    make note of their size.. see if there are any other files like that in the cleaner directory.
    do your work in safe mode.. if windows says they can't be deleted.. try changing the files attributes if they are set to hidden or system files. [/B]
    no those arent the bad guys those are the two programs that let my know what that file did

    it looks mutated because there running in stealth mode (so no trojan can kill them) the name and size change every 5 minutes.those two programs are my body gaurds

  5. #25
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    oh yeah.. my bad.. I've never use the active stuff from thecleaner.. and didn't realize that the names change.. I guess you learn something new everyday.. hehe.. I googled them, found nothing and assumed they shouldn't be there..

    so.. then hijackthis doesn't see anything in the startup/run area.. did you set windows explorer to show hidden files ? did you try searching around your drive for newly created/accessed files ?

  6. #26
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by PM8228
    Would someone like me to be brave and IDA Pro this sucker?
    I'm already working on it. As far as I know right now the .text and .data segments are XOR'ed with different values then it jumps to an address inside the .text segment. Unfortunately I cannot seem to get the correct XOR values so I don't know what exactly is does after the decode.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #27
    If some one has a space comp n hub maybe you could try see what its spitting out to the net, to determin if its a trojan or not
    Signature image is too tall!

  8. #28
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Well, I finally got my decoder working It looks alot like spyware to me. With the option of getting instructions from a website. Most of the registry strings I found referred to Internet Explorer regkeys. I didn't find anything relating to the Run keys.

    URL for instructions/logging:

    http://ussrforeva.com/wcmd.txt
    http://ussrforeva.com/ppslog.php
    http://ussrforeva.com/piplog.php?%s:...%02d:%02d:%02d

    strings referring to the name of the probable coder:
    TT coded by HT commercial version
    _timofei_tokarev_rulez4ever

    Some files that maybe interesting:
    clctk.dat
    tt32.dat
    Rtdx1????.dat (???? probably a random number)

    If anyone is interested I can create a .LST file containing a slightly sanatized disassembly.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  9. #29
    If anyone is interested I can create a .LST file containing a slightly sanatized disassembly.
    *Raises hand.

    -Cheers-

  10. #30
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Hey got this back from Symantec:

    We have analyzed your submission. The following is a report of our
    findings for each file you have submitted:

    filename: C:\Documents and Settings\Administrator\Desktop\Kcfepaic.exe
    machine: XXXXXXXX
    result: This file is infected with Backdoor.Berbew.C

    Developer notes:
    C:\Documents and Settings\Administrator\Desktop\Kcfepaic.exe is non-repairable threat. NAV with the latest beta definition detects this. Please delete this file and replace it if neccessary. Please follow the instruction at the end of this email message to install the latest beta definitions.



    Symantec Security Response has determined that the sample(s) that you provided are infected with a virus, worm, or Trojan. We have created beta definitions that will detect this threat. Please follow the instruction at the end of this email message to download and install the latest beta definitions.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •