Geeks to Go

Botnet Infection


#16 Staind (Topic Starter, Member, 13 posts)
I will try the 2 bootable CD programs you have listed.

Edited by Staind, 19 January 2012 - 02:09 PM.


#17 Staind (Topic Starter, Member, 13 posts)
Here is the ComboFix log:

ComboFix 12-01-19.01 - Staind 01/19/2012 18:46:29.1.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8189.6963 [GMT -1:00]
Running from: c:\users\Staind\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))
.
.
2012-01-20 02:29 . 2012-01-19 19:37 -------- d-----w- c:\windows\Panther
2012-01-19 19:48 . 2012-01-19 19:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-19 19:37 . 2012-01-19 19:37 -------- d-----w- c:\users\Staind
2012-01-19 19:37 . 2012-01-19 19:37 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 24.220.0.10 24.220.0.11
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)

.
Completion time: 2012-01-19 18:52:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-19 19:52

The Floppy Drive is "fake".
There is no Floppy Drive on my PC.

This is the Trojan and it is hidden with built-in defenses to prevent it from being detected. It cannot be overwritten. It may very well represent a new Botnet version that has yet to be recognized, and as such no current detection/disinfection programs are as yet available. This is my fear. I am going to attempt to run Kaspersky Anti Hacker (provided it will run on 64-bit OSs) and see if I get any results worth reporting.
Also, I have reported this to Microsoft as they and the FBI took down a large Botnet operation not too long ago.

Edited by Staind, 19 January 2012 - 02:26 PM.


#18 Staind (Topic Starter, Member, 13 posts)
I will try the 2 bootable CD programs you have listed.


"You are using another tool I am not familiar with to look at your partitions. This one seems a bit confused as it is talking about a floppy drive rather than your hard drive:"

ACTIVE KILL DISK is well known; here is the link:

http://download.cnet...4-10073508.html

It is not confused, as its functionality provides for overwriting hard drives, recovering partitions, password retrieval, and image views of all drives; it is a bootable CD for a DOS environment.

What it revealed is real and 100% accurate.