New Run w\SAS....Still not impressed much

This forum is for testing I do with various security settings and tools. Infection infiltration, security lock down among other things. Currently XP Home-w\SP 2 installed

Postby TICTestBox » Sun Sep 21, 2008 11:46 pm

Ran off and got a rogue installer, recently found and submitted, so not included here.

Files installed:

C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk   2KB   A   9/21/2008 11:45:26 AM
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008   1KB   D
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk   2KB   A   9/21/2008 11:45:26 AM
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk   2KB   A   9/21/2008 11:45:25 AM
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk   2KB   A   9/21/2008 11:45:26 AM
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk   2KB   A   9/21/2008 11:45:26 AM
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk   2KB   A   9/21/2008 11:45:26 AM
C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk   2KB   A   9/21/2008 11:45:25 AM
C:\Documents and Settings\Tom\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk   2KB   A   9/21/2008 11:45:26 AM
C:\Documents and Settings\Tom\Application Data\rhcl1sj0ee1l   1KB   D
C:\Documents and Settings\Tom\Application Data\rhcl1sj0ee1l\Quarantine   1KB   D
C:\Documents and Settings\Tom\Application Data\rhcl1sj0ee1l\Quarantine\Autorun   1KB   D
C:\Documents and Settings\Tom\Application Data\rhcl1sj0ee1l\Quarantine\Autorun\HKCU   1KB   D
C:\Documents and Settings\Tom\Application Data\rhcl1sj0ee1l\Quarantine\Autorun\HKCU\RunOnce   1KB   D
C:\Documents and Settings\Tom\Application Data\rhcl1sj0ee1l\Quarantine\Autorun\HKLM   1KB   D
C:\Documents and Settings\Tom\Application Data\rhcl1sj0ee1l\Quarantine\Autorun\HKLM\RunOnce   1KB   D
C:\Documents and Settings\Tom\Application Data\rhcl1sj0ee1l\Quarantine\Autorun\StartMenuAllUsers   1KB   D
C:\Documents and Settings\Tom\Application Data\rhcl1sj0ee1l\Quarantine\Autorun\StartMenuCurrentUser   1KB   D
C:\Documents and Settings\Tom\Application Data\rhcl1sj0ee1l\Quarantine\BrowserObjects   1KB   D
C:\Documents and Settings\Tom\Application Data\rhcl1sj0ee1l\Quarantine\Packages   1KB   D
C:\Documents and Settings\Tom\Local Settings\temp\.tt2.tmp.vbs   2KB   A   9/21/2008 11:44:59 AM
C:\Documents and Settings\Tom\Local Settings\temp\.tt5.tmp.exe   1,615KB   A   9/21/2008 11:45:14 AM
C:\Documents and Settings\Tom\Local Settings\temp\adgmwvu.exe   204KB   A   9/21/2008 11:44:45 AM
C:\Documents and Settings\Tom\Local Settings\temp\e29.exe   195KB   A   9/21/2008 11:47:59 AM

=============================

C:\Program Files\rhcl1sj0ee1l   1KB   D
C:\Program Files\rhcl1sj0ee1l\database.dat   2KB   A   6/29/2008 12:42:42 AM
C:\Program Files\rhcl1sj0ee1l\license.txt   20KB   A   9/19/2008 2:02:12 AM
C:\Program Files\rhcl1sj0ee1l\MFC71.dll   1,061KB   A   6/29/2008 12:42:34 AM
C:\Program Files\rhcl1sj0ee1l\MFC71ENU.DLL   58KB   A   6/29/2008 12:42:34 AM
C:\Program Files\rhcl1sj0ee1l\msvcp71.dll   500KB   A   6/29/2008 12:42:42 AM
C:\Program Files\rhcl1sj0ee1l\msvcr71.dll   349KB   A   6/29/2008 12:42:42 AM
C:\Program Files\rhcl1sj0ee1l\rhcl1sj0ee1l.exe   828KB   A   9/19/2008 2:02:20 AM
C:\Program Files\rhcl1sj0ee1l\rhcl1sj0ee1l.exe.local   1KB   A   6/29/2008 12:42:34 AM
C:\Program Files\rhcl1sj0ee1l\Uninstall.exe   113KB   A   9/21/2008 11:45:22 AM

============================================

C:\WINDOWS\system32\blphcg1sj0ee1l.scr   119KB   A   9/21/2008 11:45:01 AM
C:\WINDOWS\system32\Cpl32ver.exe   23KB   A   9/21/2008 12:08:56 AM
C:\WINDOWS\system32\lphcg1sj0ee1l.exe   195KB   A   9/21/2008 11:44:58 AM
C:\WINDOWS\system32\mifi.dat   4KB   A   8/23/2001 5:00:00 AM
C:\WINDOWS\system32\mifi.dll   178KB   A   8/23/2001 5:00:00 AM
C:\WINDOWS\system32\phcg1sj0ee1l.bmp   626KB   A   9/21/2008 11:45:01 AM
C:\WINDOWS\system32\pphcg1sj0ee1l.exe   107KB   A   9/21/2008 11:45:27 AM

Files found by SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/21/2008 at 12:21 PM

Application Version : 4.21.1004

Core Rules Database Version : 3575
Trace Rules Database Version: 1563

Scan type       : Quick Scan
Total Scan Time : 00:04:54

Memory items scanned      : 249
Memory threats detected   : 3
Registry items scanned    : 255
Registry threats detected : 16
File items scanned        : 3350
File threats detected     : 17

Trojan.Dropper/Gen-NV
   C:\WINDOWS\SYSTEM32\CPL32VER.EXE
   C:\WINDOWS\SYSTEM32\CPL32VER.EXE
   [Cpl32ver] C:\WINDOWS\SYSTEM32\CPL32VER.EXE
   C:\WINDOWS\Prefetch\CPL32VER.EXE-0DF2D69B.pf

NotHarmful.Sysinternals Bluescreen Screen Saver
   C:\WINDOWS\SYSTEM32\BLPHCG1SJ0EE1L.SCR
   C:\WINDOWS\SYSTEM32\BLPHCG1SJ0EE1L.SCR

Rogue.MalwareProtector/Variant
   C:\WINDOWS\SYSTEM32\PPHCG1SJ0EE1L.EXE
   C:\WINDOWS\SYSTEM32\PPHCG1SJ0EE1L.EXE

Rogue.Dropper/Gen
   [lphcg1sj0ee1l] C:\WINDOWS\SYSTEM32\LPHCG1SJ0EE1L.EXE
   C:\WINDOWS\SYSTEM32\LPHCG1SJ0EE1L.EXE

Rogue.AntiVirus XP 2008
   C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk
   C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP2008.lnk
   C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk
   C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk
   C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk
   C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008
   C:\Documents and Settings\All Users\Start Menu\Programs\Antivirus XP 2008.lnk
   C:\Documents and Settings\All Users\Desktop\Antivirus XP 2008.lnk

Trojan.FakeAlert/Desktop
   HKU\S-1-5-21-1960408961-1677128483-854245398-1004\CONTROL PANEL\DESKTOP#WALLPAPER
   HKU\S-1-5-21-1960408961-1677128483-854245398-1004\CONTROL PANEL\DESKTOP#ORIGINALWALLPAPER
   HKU\S-1-5-21-1960408961-1677128483-854245398-1004\CONTROL PANEL\DESKTOP#CONVERTEDWALLPAPER

Rogue.AntiVirus 2008
   C:\Documents and Settings\Tom\Application Data\RHCL1SJ0EE1L
   C:\WINDOWS\SYSTEM32\PHCG1SJ0EE1L.BMP
   C:\Program Files\RHCL1SJ0EE1L

Rogue.SecureExpertCleaner
   HKU\S-1-5-21-1960408961-1677128483-854245398-1004\Software\SEC
   HKU\S-1-5-21-1960408961-1677128483-854245398-1004\Software\SEC#ProductTid
   HKLM\Software\SEC
   HKLM\Software\SEC#ProductTid
   HKLM\Software\SEC#frun
   HKLM\Software\SEC#aid
   HKLM\Software\SEC#lid
   HKLM\Software\SEC#affid
   HKLM\Software\SEC#p
   HKLM\Software\SEC#addt
   HKLM\Software\SEC#up_t

Trojan.Unknown Origin
   C:\DOCUMENTS AND SETTINGS\TOM\LOCAL SETTINGS\TEMP\.TT5.TMP.EXE

Missed a couple:
    C:\WINDOWS\System32\mifi.dll
    C:\WINDOWS\System32\Cpl32ver.exe
    C:\Documents and Settings\Tom\Local Settings\temp\.ttB.tmp
    C:\Documents and Settings\Tom\Local Settings\temp\.tt15.tmp
    C:\Documents and Settings\Tom\Local Settings\temp\.tt2.tmp
    C:\Documents and Settings\Tom\Local Settings\temp\.tt2.tmp.vbs

Adding to that, upon a reboot, my display tabs were missing a couple, so I decided to run MBAM to see if it'd fix it, and it did.

But MBAM got 'em and then some:

Malwarebytes' Anti-Malware 1.28
Database version: 1184
Windows 5.1.2600

9/21/2008 12:39:48 PM
mbam-log-2008-09-21 (12-39-48).txt

Scan type: Quick Scan
Objects scanned: 34537
Time elapsed: 2 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\test_mime_filter.htmlmimefilter (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d52f9703-53ee-4794-af7b-1577257bb31b} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a8981db9-b2b3-47d7-a890-9c9d9f4c5552} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c9b1327a-4616-434c-af46-c2315539c19c} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\rhcl1sj0ee1l (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcl1sj0ee1l (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{422145bf-986b-4d14-bd6a-30a5babcac90} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{6f95c6a3-fbe0-4295-b0ab-771f9396d09f} (Trojan.Hijacker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\test_mime_filter.DLL (Trojan.Hijacker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\test_mime_filter.htmlmimefilter.1 (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhcl1sj0ee1l (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Tom\Local Settings\temp\.ttB.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mifi.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Local Settings\temp\.tt15.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Local Settings\temp\.tt2.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Local Settings\temp\.tt2.tmp.vbs (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Tom\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

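The "Registry Data Items" in the MBAM log above are the values the rogue flipped to hide the Display Properties tabs and Start menu items, and a partial clean often leaves them behind. The following read-only PowerShell audit is an added example, not code from the original post or from MBAM: it compares each of those values with the "Good" value the log lists and prints whatever still differs, then shows the HKLM Run key and the current screen saver, the two persistence points the log names. It assumes it is run in the affected user's session.

```powershell
# Added example, not part of the original post. Read-only: it reports and changes nothing.
# Expected values are the "Good:" values from the MBAM log above.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Path = $policies; Name = 'NoDispScrSavPage';     Good = 0 },  # 1 hides the Screen Saver tab
    @{ Path = $policies; Name = 'NoDispBackgroundPage'; Good = 0 },  # 1 hides the Desktop/Background tab
    @{ Path = $explorer; Name = 'Start_ShowHelp';       Good = 1 },
    @{ Path = $explorer; Name = 'Start_ShowSearch';     Good = 1 },
    @{ Path = $explorer; Name = 'Start_ShowMyDocs';     Good = 1 },
    @{ Path = $explorer; Name = 'Start_ShowRun';        Good = 1 },
    @{ Path = $explorer; Name = 'Start_ShowMyComputer'; Good = 1 }
)

$findings = foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows applies its default, which is the "Good" state for all of these.
        continue
    }
    $current = $item.($c.Name)
    if ($current -ne $c.Good) {
        [pscustomobject]@{ Value = "$($c.Path)\$($c.Name)"; Current = $current; Expected = $c.Good }
    }
}

if ($findings) {
    Write-Output 'Values still differing from the expected state:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'All audited Display Properties / Start menu values are at their expected state.'
}

# Persistence points named in the log: the HKLM Run key and the per-user screen saver setting.
Write-Output 'HKLM Run entries:'
Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object -Property * -ExcludeProperty PS* | Format-List
Write-Output ('Current screen saver: ' +
    (Get-ItemProperty 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue).'SCRNSAVE.EXE')
```

Any Run entry or screen saver path pointing into %TEMP%, the user's Application Data, or a random-looking System32 name like the ones in the file listing above is what to look at first.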

Next up AVG Anti-Malware.
