Ok What have I found this time.. - Page 2
Page 2 of 2 FirstFirst 12
Results 11 to 19 of 19

Thread: Ok What have I found this time..

  1. #11
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    hmm interesting...

    While I have checked for the gaobot family, and the automated scan showed nothing and a visual check of the registry has drawn a blank.. I just had an interesting event..

    I had also run another check for CooWebSearch .. yep now i have found the mscconfig varient.. missed on HJT/ cwshredder, and visual scanns.. earlier..

    While switching users on the machine Regprot poped up telling me that a startup registry item was being added a program called "eamnfed.exe" Strange I had removed it from startup as well as from the windows folder , but it seems that I didn't clear the prefetch..
    /Note to self: Clear the prefetch folder on future virus removals

    Also interesting..
    Used Spybot s&d to clear out the trash.. a series of DSO exploites 5 in total.. the little buggers came back..just edited them manualy out of the registry and restarting the machine.... yep gone ..for now..

    Adaware is also comming up clean..

    Found a Reg key..
    HKLM\SOFTWARE\Microsoft\Shared Tools\ MSConfig\stsrtupreg\Microsoft Update ... and the Value "eamnfed.exe"
    While this key seems to be a listing for the disabled startup items. and would be mostly harmless . it is now a deleted entry..


    BTW no reply yet from any of the Av co's I submitted the sample file to...


    Cheers


    For those who wish to look and play.. the zipped file is the file in question.. The password is "und3rtak3r" with out the quotes.. ONLY D/L IF YOU ARE AWARE OF THE DANGERS. Do so at your own risk (pity I got rid of the original eamnfed.exe would have been interesting to look at)
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #12
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Und3ertak3r

    Thanks for the info... I always like to hear on how people clean machines...cause when I ask a user "you got backups"...they usually have that deer in the headlights look and I end up instead of formatting...trying to clean the machine


    although I have one question about the "prefetch" folder.

    I was wondering if you or someone could explain this folder to me, what it is, and where its located as I have never heard of it and lately I have alot of XP machines getting infected...I use tools to clean...but I like to confirm the infection is cleared as we all know those little buggers come back and they seem harder and harder to clean these days.

    TIA
    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #13
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Windows XP monitors the files that are used when the computer starts and when you start applications. By monitoring these files, Windows XP can prefetch them. Prefetching data is the process whereby data that is expected to be requested is read ahead into the cache. Prefetching boot files and applications decreases the time needed to start Windows XP and start applications.
    from google..

    99.99999999999999999% of the virus's that I remove are known.. someone else has encountered it.. and most likley has written something to a website somewhere.. or is listed on a AV co's website.. so when I see a file I am not so sure about..www.google.com and back come a series of hints..

    And why do I mention this...(again)

    When I am working on a job.. I need answers 10 minutes ago if not sooner.. posting a help request on any forum may bring an answer up quickly.. but then to do any good you will need to post on 20 or more forums.. not good.. A good Google will find the answers from 100+ forums sites and in just a few seconds..

    /end Rant


    Cheers

    Found this in a google for another problem.. Check out this guys HJT log and the O2 entries (theBHO's) now that it is a list and 3/4's..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  4. #14
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Got a possitive from Tds3, =Scan Control Dumped @ 15:27:56 05-06-04
    Positive identification: Worm.Welchia.b
    File: c:\documents and settings\anthony\desktop\sus-svchost\sus-svchost.exe

    Funny thing is norton didn't pick it up.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  5. #15
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hell jinxy, you don't take prisoners do you?

    TDS3...............Trojan Defence Suite...............DiamondCS................

    Norton is crap at trojans.......yes there are reviews........check them you non-believers, it is an AV product, basically.

    Anyways, they let us win the World Cup, so be gentle on Undies will you?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #16
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Hell jinxy, you don't take prisoners do you?
    TDS3...............Trojan Defence Suite...............DiamondCS
    Best 40 i spent .
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  7. #17
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,019
    Used Spybot s&d to clear out the trash.. a series of DSO exploites 5 in total.. the little buggers came back..just edited them manualy out of the registry and restarting the machine.... yep gone ..for now..
    That is a current known bug with Spybot....they are false positives, that's why they keep coming back Hope they weren't important

    Explained here

  8. #18
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    Ok Thanks for the info groovicus,

    A simple bug in Spybot 1.3 with it not corrrectly resetting the registry values in this case for how win deals with unsigned activeX controles... hmm not a good move my deleting those keys.. won't kill it but taken a little house door and changed it into a hanger door..


    cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  9. #19
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,024
    Undertaker, Please keep posting these odd ones! I am learning a lot from them. I usually get begged to help fix friends computers and always run into weird stuff.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides