Edited by Staind, 19 January 2012 - 02:09 PM.
Botnet Infection
Started by Staind, Jan 12 2012 09:10 AM
#16
Posted 19 January 2012 - 02:01 PM
#17
Posted 19 January 2012 - 02:03 PM
Here is the ComboFix log:
ComboFix 12-01-19.01 - Staind 01/19/2012 18:46:29.1.4 - x64 NETWORK
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.8189.6963 [GMT -1:00]
Running from: c:\users\Staind\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-12-19 to 2012-01-19 )))))))))))))))))))))))))))))))
.
.
2012-01-20 02:29 . 2012-01-19 19:37 -------- d-----w- c:\windows\Panther
2012-01-19 19:48 . 2012-01-19 19:48 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-01-19 19:37 . 2012-01-19 19:37 -------- d-----w- c:\users\Staind
2012-01-19 19:37 . 2012-01-19 19:37 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 24.220.0.10 24.220.0.11
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-01-19 18:52:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-19 19:52
The Floppy Drive is "fake".
There is no Floppy Drive on my PC.
This is the Trojan and it is hidden with built-in defenses to prevent it from being detected. It cannot be overwritten. It may very well represent a new Botnet version that has yet to be recognized, and as such no current detection/disinfection programs are as yet available. This is my fear. I am going to attempt to run Kaspersky Anti Hacker (provided it will run on 64-bit OSs) and see if I get any results worth reporting.
Also, I have reported this to Microsoft as they and the FBI took down a large Botnet operation not too long ago.
Edited by Staind, 19 January 2012 - 02:26 PM.
#18
Posted 19 January 2012 - 02:17 PM
I will try the 2 bootable cd programs you have listed.
"You are using another tool I am not familiar with to look at your partitions. This one seems a bit confused as it is talking about a floppy drive rather than your hard drive:"
ACTIVE KILL DISK is well known; here is the link:
http://download.cnet...4-10073508.html
It is not confused as its functionality provides for overwriting hard drives, recovering partitions, password retrieval, and image views of all drives; it is a bootable CD for a DOS environment.
What it revealed is real and 100% accurate.