-
July 31st, 2006, 10:54 PM
#1
What's Wrong here?
Greetings
Pardon me for not saying much about this but I was unable to go through logs and other important stuff related to security for about 3 weeks now... I found this when going through some of the regular "HOT SPOTS".
Let me know if someone needs more information... Anyone heard or seen this before... or should I fear the worst?
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
July 31st, 2006, 11:41 PM
#2
Nothing in the search engines on "gseopzohgghar", which is surprising. Can you disable the service? What's an AV scan telling you?
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
August 1st, 2006, 02:04 AM
#3
Probably wouldn't show up on a query if the service was randomly named by the infecting program. My guess is that it's some form of nasty malware...
-
August 1st, 2006, 03:54 AM
#4
Hey Hey,
Instead of showing us the service / dependency view, how about the application that it runs? I've seen random services appear before, sometimes during my own messing around from stuff that's my fault... Knowing what the service launches will give a better idea of what it does... and what it is.
Peace,
HT
-
August 1st, 2006, 07:51 AM
#5
Greetings
I have one more picture of the same "THING"... Some more help guys ??? Nothing found in any scans till now.. I will keep you guys updated.
Thank you to everyone.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
August 1st, 2006, 09:07 AM
#6
Even the displayname doesn't say anything. It's just a randomly created name..
Fire up regedit. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
Look for the random name. What does the ImagePath key tell you?
An active piece of malware could prevent the detection when scanning.
So also have a look at your running processes.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
August 1st, 2006, 11:53 AM
#7
I find this a useful resource, but your beastie is not listed
http://www.sysinfo.org/startuplist.php?filter=GSEOP
Another approach, albeit crude, would be to search for executables loaded in the last 4 weeks......as this is a user machine (hopefully NOT a developer) there should not be that many?
I was thinking of the multiple payload scenario where the Registry entry fires off one thing that triggers others?
Just a thought?
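
The registry check from post #6 (read each service's ImagePath) combined with the four-week window from post #7, as an added example that is not part of any post in this thread. The helper name `Resolve-ImagePath`, the 28-day cutoff and the Authenticode signature column are assumptions made for this illustration.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Lists services whose binary was created recently or is not validly signed.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$cutoff      = (Get-Date).AddDays(-28)    # the "last 4 weeks" window from post #7

# Hypothetical helper: turn a raw ImagePath value into a file system path.
function Resolve-ImagePath([string]$raw) {
    # ImagePath may be quoted, carry arguments, or use driver-style prefixes.
    $p = [Environment]::ExpandEnvironmentVariables($raw).Trim()
    if     ($p -match '^"([^"]+)"')                     { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)')    { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''                     # strip the \??\ prefix
    if     ($p -match '^\\SystemRoot\\(.+)$')           { $p = Join-Path $env:SystemRoot $Matches[1] }
    elseif ($p -match '^system32\\')                    { $p = Join-Path $env:SystemRoot $p }
    return $p
}

Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue | ForEach-Object {
    $svc = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $svc.ImagePath) { return }   # no binary behind this key, skip it

    $path = Resolve-ImagePath $svc.ImagePath
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    $sig  = if ($file) {
                [string](Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
            } else {
                'FileMissing'             # path in the registry does not resolve
            }

    [pscustomobject]@{
        Name        = $_.PSChildName
        DisplayName = $svc.DisplayName
        ImagePath   = $path
        Created     = if ($file) { $file.CreationTime }
        Signature   = $sig
        Recent      = [bool]($file -and $file.CreationTime -gt $cutoff)
    }
} |
    Where-Object { $_.Recent -or $_.Signature -ne 'Valid' } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize -Wrap
```

The output is a triage list rather than a verdict: each row is a service whose binary deserves a manual look. As post #6 points out, an active piece of malware could prevent detection on the live system, so an empty list does not prove the machine is clean.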
-
August 1st, 2006, 01:08 PM
#8
Whatever it is, it's new. I'd try an online scan, either Panda or TrendMicro.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
August 1st, 2006, 03:42 PM
#9
If you find any strange files, particularly executables then this might help:
http://virusscan.jotti.org/
http://www.virustotal.com/en/indexf.html
They are a couple of online multiple AV scanning sites that I use, just submit the suspect item and they come back in a few minutes with the results of running it through most of the top AVs.
-
August 1st, 2006, 06:31 PM
#10
Greetings
Here I have got the pics of the same piece of "THING" in the registry... the next post will have the second picture file.
Thanks for the help.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.