
Thread: Ok What have I found this time..

  1. #11
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    hmm interesting...

    While I have checked for the gaobot family, and the automated scan showed nothing and a visual check of the registry has drawn a blank.. I just had an interesting event..

    I had also run another check for CoolWebSearch .. yep now I have found the mscconfig variant.. missed on HJT/ cwshredder, and visual scans.. earlier..

    While switching users on the machine Regprot popped up telling me that a startup registry item was being added, a program called "eamnfed.exe". Strange, I had removed it from startup as well as from the windows folder, but it seems that I didn't clear the prefetch..
    /Note to self: Clear the prefetch folder on future virus removals

    Also interesting..
    Used Spybot S&D to clear out the trash.. a series of DSO exploits, 5 in total.. the little buggers came back.. just edited them manually out of the registry and restarting the machine.... yep gone ..for now..

    Adaware is also coming up clean..

    Found a Reg key..
    HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update ... and the Value "eamnfed.exe"
    While this key seems to be a listing for the disabled startup items, and would be mostly harmless, it is now a deleted entry..


    BTW no reply yet from any of the Av co's I submitted the sample file to...


    Cheers


    For those who wish to look and play.. the zipped file is the file in question.. The password is "und3rtak3r" without the quotes.. ONLY D/L IF YOU ARE AWARE OF THE DANGERS. Do so at your own risk (pity I got rid of the original eamnfed.exe, would have been interesting to look at)
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #12
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Und3ertak3r

    Thanks for the info... I always like to hear on how people clean machines...cause when I ask a user "you got backups"...they usually have that deer in the headlights look and I end up instead of formatting...trying to clean the machine


    although I have one question about the "prefetch" folder.

    I was wondering if you or someone could explain this folder to me, what it is, and where it's located, as I have never heard of it and lately I have a lot of XP machines getting infected...I use tools to clean...but I like to confirm the infection is cleared as we all know those little buggers come back and they seem harder and harder to clean these days.

    TIA
    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #13
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Windows XP monitors the files that are used when the computer starts and when you start applications. By monitoring these files, Windows XP can prefetch them. Prefetching data is the process whereby data that is expected to be requested is read ahead into the cache. Prefetching boot files and applications decreases the time needed to start Windows XP and start applications.
    from google..

    99.99999999999999999% of the viruses that I remove are known.. someone else has encountered it.. and most likely has written something to a website somewhere.. or is listed on an AV co's website.. so when I see a file I am not so sure about.. www.google.com and back come a series of hints..

    And why do I mention this...(again)

    When I am working on a job.. I need answers 10 minutes ago if not sooner.. posting a help request on any forum may bring an answer up quickly.. but then to do any good you will need to post on 20 or more forums.. not good.. A good Google will find the answers from 100+ forums sites and in just a few seconds..

    /end Rant


    Cheers

    Found this in a google for another problem.. Check out this guy's HJT log and the O2 entries (the BHOs) now that it is a list and 3/4's..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
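Added example, not part of any post in this thread: a PowerShell check for leftover references to a removed startup program in the places the posts above mention, namely the Run keys, the MSConfig disabled-items key, and the Prefetch folder (`%SystemRoot%\Prefetch`). The function name `Find-StartupTrace` is hypothetical, and the script assumes a machine with PowerShell and an elevated prompt.

```powershell
# Added example (not from the thread): report leftover references to a removed
# startup program. Run elevated so the Prefetch folder is readable.
function Find-StartupTrace {
    param([Parameter(Mandatory)][string]$Name)

    $pattern = [regex]::Escape($Name)

    # Standard per-machine and per-user autostart keys that exist on this system.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    ) | Where-Object { Test-Path $_ } | ForEach-Object { Get-Item -Path $_ }

    # MSConfig keeps each disabled startup item as a subkey of startupreg.
    $msconfig = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
    if (Test-Path $msconfig) { $keys = @($keys) + @(Get-ChildItem -Path $msconfig) }

    foreach ($key in $keys) {
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string]$key.GetValue($valueName)
            # Match on the value name or its data (-match is case-insensitive).
            if ($valueName -match $pattern -or $data -match $pattern) {
                [pscustomobject]@{ Kind = 'Registry'; Location = $key.Name
                                   Item = $valueName; Detail = $data }
            }
        }
    }

    # Prefetch trace files are named <EXE NAME>-<8 hex digits>.pf
    $prefetch = Join-Path $env:SystemRoot 'Prefetch'
    Get-ChildItem -Path $prefetch -Filter "$Name-*.pf" -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Prefetch'; Location = $_.DirectoryName
                               Item = $_.Name; Detail = "last written $($_.LastWriteTime)" }
        }
}

# File name taken from the thread; substitute the one being checked.
Find-StartupTrace -Name 'eamnfed.exe' | Format-Table -AutoSize -Wrap
```

An empty result means none of these locations still references the name; other autostart locations (services, scheduled tasks, Winlogon values) are not covered.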

  4. #14
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Got a positive from Tds3, =Scan Control Dumped @ 15:27:56 05-06-04
    Positive identification: Worm.Welchia.b
    File: c:\documents and settings\anthony\desktop\sus-svchost\sus-svchost.exe

    Funny thing is norton didn't pick it up.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  5. #15
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hell jinxy, you don't take prisoners do you?

    TDS3...............Trojan Defence Suite...............DiamondCS................

    Norton is crap at trojans.......yes there are reviews........check them you non-believers, it is an AV product, basically.

    Anyways, they let us win the World Cup, so be gentle on Undies will you?


  6. #16
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Hell jinxy, you don't take prisoners do you?
    TDS3...............Trojan Defence Suite...............DiamondCS
    Best £40 I spent.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  7. #17
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Used Spybot S&D to clear out the trash.. a series of DSO exploits, 5 in total.. the little buggers came back.. just edited them manually out of the registry and restarting the machine.... yep gone ..for now..
    That is a current known bug with Spybot....they are false positives, that's why they keep coming back. Hope they weren't important

    Explained here

  8. #18
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Ok Thanks for the info groovicus,

    A simple bug in Spybot 1.3 with it not correctly resetting the registry values, in this case for how win deals with unsigned ActiveX controls... hmm not a good move by deleting those keys.. won't kill it but taken a little house door and changed it into a hangar door..


    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #19
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    Undertaker, Please keep posting these odd ones! I am learning a lot from them. I usually get begged to help fix friends computers and always run into weird stuff.
