Whats Wrong here ?

  1. #1
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

    Whats Wrong here ?

    Greetings

    Pardon me for not saying much about this but I was unable to go through logs and other important stuff related to security for about 3 weeks now... I found this when going through some of the regulars "HOT SPOTS".

    Let me know if someone needs more information... Anyone heard or seen this before... or should I fear the worst?
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #2
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Nothing in the search engines on "gseopzohgghar", which is surprising. Can you disable the service? What's an AV scan telling you?
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  3. #3
    Probably wouldn't show up on a query if the service was randomly named by the infecting program. My guess is that it's some form of nasty malware...

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    Instead of showing us the service / dependency view, how about the application that it runs? I've seen random services appear before, sometimes during my own messing around from stuff that's my fault... Knowing what the service launches will give a better idea of what it does... and what it is.

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  5. #5
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Greetings

    I have one more picture of the same "THING"... Some more help guys ??? Nothing found in any scans till now.. I will keep you guys updated.

    Thank you to everyone.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Even the display name doesn't say anything. It's just a randomly created name...

    Fire up regedit. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
    Look for the random name. What does the ImagePath key tell you?

    An active piece of malware could prevent the detection when scanning.
    So also have a look at your running processes.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
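    An added example (not code posted by anyone in this thread) of doing what the post above describes with a script instead of clicking through regedit: it walks every key under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, reads DisplayName and ImagePath, and lists the entries that deserve a closer look, then cross-checks the flagged ones against the running process list. The flagging rules (binary missing, binary outside the Windows or Program Files trees, no valid Authenticode signature, display name empty or identical to the key name) are my own triage heuristics, not something the posters stated.

```powershell
# Added example, not code posted in this thread. Walks every key under
# HKLM\SYSTEM\CurrentControlSet\Services, reads DisplayName and ImagePath,
# and reports entries worth a second look: binary missing on disk, binary
# outside %SystemRoot% / Program Files, binary without a valid Authenticode
# signature, or a DisplayName that is empty or just repeats the key name.
# Read-only. Run from an elevated PowerShell prompt.

$servicesKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ImageFile {
    # Reduce an ImagePath value to a plain file path: expand %SystemRoot%-style
    # variables, map the \??\ and \SystemRoot\ kernel prefixes, strip quotes and
    # command-line arguments, and resolve driver paths given relative to %SystemRoot%.
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$findings = foreach ($key in Get-ChildItem -Path $servicesKey) {
    $props = Get-ItemProperty -Path $key.PSPath
    $name  = $key.PSChildName
    $file  = Get-ImageFile $props.ImagePath
    if (-not $file) { continue }   # keys with no ImagePath (filter/class entries) are skipped

    $reasons = @()
    if (-not $props.DisplayName -or $props.DisplayName -eq $name) {
        $reasons += 'display name empty or same as key name'
    }
    if (-not (Test-Path -LiteralPath $file)) {
        $reasons += 'binary not found on disk'
    } else {
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($file.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
        }
        if (-not $inTrusted) { $reasons += 'binary outside Windows / Program Files' }
        $sig = Get-AuthenticodeSignature -FilePath $file
        if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Service     = $name
            DisplayName = $props.DisplayName
            ImagePath   = $props.ImagePath
            Start       = $props.Start     # 0-1 boot/system, 2 auto, 3 manual, 4 disabled
            Reasons     = $reasons -join '; '
        }
    }
}
$findings | Format-Table -AutoSize -Wrap

# Cross-check against the live process list, as the post suggests: a flagged
# service that owns a PID tells you exactly which process to examine next.
$running = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.ProcessId -ne 0 }
foreach ($f in $findings) {
    $svc = $running | Where-Object { $_.Name -eq $f.Service }
    if ($svc) { '{0} is running as PID {1}: {2}' -f $f.Service, $svc.ProcessId, $svc.PathName }
}
```

    Expect some legitimate noise on the list (third-party drivers with odd names, catalog-signed files that report NotSigned on older systems); the useful signal is the combination, such as a random name plus an ImagePath under a user profile or a temp directory plus a live PID. Because the script only reads the registry and file metadata, a hooked process can still hide itself from the process list, which is the same caveat the post makes about active malware and scanners.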

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I find this a useful resource, but your beastie is not listed

    http://www.sysinfo.org/startuplist.php?filter=GSEOP

    Another approach, albeit crude, would be to search for executables loaded in the last 4 weeks... as this is a user machine (hopefully NOT a developer) there should not be that many?

    I was thinking of the multiple payload scenario where the Registry entry fires off one thing that triggers others?

    Just a thought?

  8. #8
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Whatever it is, it's new. I'd try an online scan, either Panda or TrendMicro.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    If you find any strange files, particularly executables then this might help:

    http://virusscan.jotti.org/

    http://www.virustotal.com/en/indexf.html

    They are a couple of online multiple AV scanning sites that I use, just submit the suspect item and they come back in a few minutes with the results of running it through most of the top AVs.
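    An added example (not code posted by anyone in this thread) that combines nihil's two suggestions from posts #7 and #9: list every executable, DLL, driver or screensaver created or written in the last four weeks, skipping the directories that legitimately churn on a user machine, then record each file's Authenticode status and SHA-256 so the hash or the file can be submitted to a multi-engine scanner such as the two sites linked above. The roots searched, the list of noisy directories and the script name are my assumptions.

```powershell
# Added example, not code posted in this thread. Lists executables, DLLs,
# drivers and screensavers created or written in the last $Days days under
# the usual roots, skips directories that legitimately receive new binaries
# (Windows Update, WinSxS, installers, temp) unless -IncludeSystem is given,
# checks each file's Authenticode status and computes its SHA-256 so the hash
# or the file can be submitted to a multi-engine scanner. Read-only; run
# elevated so ACLs do not hide files. Save as Find-RecentBinaries.ps1.

param(
    [int]$Days = 28,                       # four weeks, as in the post
    [string[]]$Roots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)},
                         $env:ProgramData, $env:USERPROFILE),
    [switch]$IncludeSystem
)

$cutoff     = (Get-Date).AddDays(-$Days)
$extensions = '.exe', '.dll', '.sys', '.scr', '.com'
$noisyDirs  = '\SoftwareDistribution\', '\WinSxS\', '\Installer\', '\Temp\', '\servicing\'

$hits = foreach ($root in ($Roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $extensions -contains $_.Extension.ToLower() -and
            ($_.LastWriteTime -ge $cutoff -or $_.CreationTime -ge $cutoff)
        } |
        Where-Object {
            $path = $_.FullName
            $IncludeSystem -or -not ($noisyDirs | Where-Object { $path -like "*$_*" })
        }
}

$report = foreach ($f in $hits) {
    $sig    = Get-AuthenticodeSignature -FilePath $f.FullName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        LastWrite = $f.LastWriteTime
        Created   = $f.CreationTime
        Bytes     = $f.Length
        Signature = $sig.Status            # NotSigned / UnknownError are the ones to look at first
        Signer    = $signer
        SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        Path      = $f.FullName
    }
}

$report | Sort-Object LastWrite -Descending |
    Format-Table LastWrite, Signature, SHA256, Path -AutoSize
# Keep the unsigned subset as CSV; these are the candidates to submit for scanning.
$report | Where-Object { $_.Signature -ne 'Valid' } |
    Export-Csv -NoTypeInformation -Path (Join-Path $env:USERPROFILE 'recent-binaries.csv')
```

    Two caveats worth keeping in mind. Both timestamps are trivially writable, so a file deliberately back-dated will not appear in this list; the creation-time check only catches files that were copied in recently with an old modification date preserved. And the hash is what you want to look up first: a multi-engine site will tell you whether a sample has already been seen without you having to upload anything, and it also lets you confirm that a file a scanner flagged on your box is the same file you sent.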


  10. #10
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Greetings

    Here I have got the pics of the same piece of "THING" in the registry... the next post will have the second picture file.

    Thanks for the help.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.
