Is there some kind of database that can tell you what infections..



#1 kurtgillis12

Posted 07 July 2016 - 10:11 PM

you can expect when you get infected with a specific type of malware? If I were to post the logs would you be able to tell me what infected files or keys were part of the same attack?




 


#2 ScathEnfys

Posted 07 July 2016 - 10:23 PM

I doubt there is a database for this, but certain malware programs, called droppers, exist purely to install other pieces of malware on a system. If we notice a dropper program, we might be able to make connections between it and other pieces of malware.
Proud system builder, modder, and watercooler.

GitHub | SoundCloud | Keybase

#3 kurtgillis12 (Topic Starter)

Posted 07 July 2016 - 10:30 PM

> I doubt there is a database for this, but certain malware programs, called droppers, exist purely to install other pieces of malware on a system. If we notice a dropper program, we might be able to make connections between it and other pieces of malware.

 

I have a Malwarebytes Anti-Rootkit scan done on an old computer I have. I am dying to know if all these infections are part of the same attack or if they are multiple attacks. (It was infected years ago.) If you could look at it and see if you could make any connections, I would really appreciate it.

 

 (username1 is the admin account)
 
1. C:\WINDOWS|SYSTEM32\drives\psec.sys(Trojan.FakeAlert)
 
2. Physical Sector 312576705 on drive 0 (Rootkit.Alureon.E.VBR)
 
3. C:\Documents and Settings\username1\Local Settings\Application Data\App\vtolhexl.dll (Trojan.FakeMS.ED)
 
4. HKU\S-1-5-21-29283822-501481981-1191779827-1005\SOFTWARE\MIRCROSOFT\WINDOWS\CURRENTVERSION\RUN\vtolhexl (Trojan.FakeMS.ED)
 
5. C:\Documents and Settings\username1\Local Settings\Application Data\App\vtolhexl.dll (Trojan.FakeMS.ED)
 
6. HKU\S-1-5-21-2928383822-501481981-1191779827-501\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{A770354-581D-450C-9E44-A84C4115A6172} (Trojan.FakeAlert)
 
7. C:Documents and Settings\All Users\ Application Data\ 427B187A-EEDC-1C33-3F41-746881B4FC6D.avi (Trojan.FakeMS.ED)
 
8. C:\Documents and Settings\All Users\Application Data\BE6HKSxOYirlGO.exe (Rogue.FakeHDD)
 
9. C:\Documents and Settings\username1\Application Data\427B183A- EKDC-1C33-3F41-746881B4FC6D.avi (Trojan.FakeMS.ED)
 
10. C:\Program Files\Security Defender\Security Defender.dll(Trojan.FakeMS.ED)
 
11. C:\WINDOWS\system32\427B183A-EEDC-1C33-3F41-746881B4FC6D.avi(Trojan.FakeMS.ED)
 
12. C:\Documents and Settings\Guest\Local Settings\Temp\K1aKoDaH1wVy3d.exe.tmp(Rogue.FakeHDD)
 
13. C:Documents and Settings\username1\Local Settings\Application Data\427B183A-EEDC-1C33-3F41-746881B4FC6D.avi(Trojan.FakeMS.ED)
 
14. c:\windows\$ntuninstallkb1055$\3728945212\L\yoksnvpa(Backdoor.0Acceess)
 
15. c:\windows\$ntuninstallkb1055$\3728945212\u\00000001.@ (Backdoor.0Access)
 
16. c:\windows\$ntuninstallkb1055$\3728945212\u\00000002.@ (Backdoor.0Access)
 
17. c:\windows\$ntuninstallkb1055$\3728945212\u\00000004.@ (Backdoor.0Access)
 
18. c:\windows\$ntuninstallkb1055$\3728945212\u\80000000.@ (Backdoor.0Access)
 
19. c:\windows\$ntuninstallkb1055$\3728945212\u\80000004.@ (Backdoor.0Access)
 
20. c:\windows\$ntuninstallkb1055$\3728945212\u\80000032.@ (Backdoor.0Access)
 
21. C:\Documents and Settings\username1\Local Settings\Temporary Interent Files\Content.IE5\DJTKLB65\11[1].exe (Trojan.Dropper)
 
22. C:\Documents and Settings\username1\Local Settings\Temporary Interent Files\Content.IE5\ISOS46N9122[1].exe (Trojan.FakeMS.ED)
 
23. C:\Documents and Settings\username1\Application Data\ Security Defender\{5FE83920-7C88-4C45-6C9D-8FOEf7DD7EAA}.pst (Rogue.SecurityDefender)
 
24. C:\Documents and Settings\username1\Application Data\ Security Defender\(rogue.SecurityDefender)
 
25. C:\Documents and Settings\username1\Application Data\ Security Defender\{6B757E8f-ACAO-446C-7D8F-ODD8E3F949745}.pst(Rogue.SecurityDenfender)
 
26. C:\Documents and Settings\username1\Application Data\ Security Defender\{73A82D79--C142-4EC2-2884-9A7310C76AGB}.pst(Rogue.SecurityDefender)
 
27. C:\Documents and Settings\username1\Desktop\Security Defender.Ink(Rogue.Security Defender)
 
28. C:\Documents and Settings\username1\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Defender.Ink (Rogue.SecurityDefender)
 
29. C:\Program Files\Security Defender\Security Defender.ico(Rogue.SecurityDefender)
 
30. C:\Program Files\Security Defender(Rogue.SecurityDefender)
 
31. HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\427B183A-EEDC-IC33-3F41-74688/B4FC6D(Trojan.FakeAlert)
 
32. HKU\S-1-5-21-2928383822-501481981-1191779827-1005\ENVIORNMENT\AVAPP(Rogue.PersonalAntivirus)
 
33. HKU\S-1-5-21-2928383822-501481981-1191779827-1005\ENVIORNMENT\AVUNINST(Rogue.PersonalAntivirus) 
 
34. HKU\S-1-5-21-2928383822-501481981-1191779827-1005\ENVIORNMENT\Software\Microsoft\Internet Explorer\MenuEXT\& Search\ (Adware.Hotbar)
 
35. HKU\S-1-5-21-2928383822-501481981-1191779827-1005\ENVIORNMENT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\427B183A-EEDC-IC33-3F41-74688154FC66(Trojan.FakeAlert)
 
36. HKU\S-1-5-21-2928383822-501481981-1191779827-1005\ENVIORNMENT\SOFTWARE/MICROSOFT\INTERNETEXPLORER\MENUTEXT\&SEARCH\(Adware.Hotbar)
 
37. c:\windows\$ntuninstallkblo55$\3728945212\L (Backdoor.0Access)
 
38. c:\windows\$ntuninstallkblo55$\3728945212\U
 
39. c:\windows\$ntuninstallkblo55$\3728945212\12 (Backdoor.0Access)
 
40. c:\windows\$ntuninstallkblo55$\3728945212\@
 
41. c:\windows\$ntuninstallkblo55$\3728945212\bckfg.tmp
 
42. c:\windows\$ntuninstallkblo55$\3728945212\cfg.ini
 
43. c:\windows\$ntuninstallkblo55$\3728945212\desktop.ini (Backdoor.0Access)
 
44. c:\windows\$ntuninstallkblo55$\3728945212\keywords
 
45. c:\windows\$ntuninstallkblo55$\3728945212\Kwrd.dll
 
46. c:\windows\$ntuninstallkblo55$\13930054407(Backdoor.0Access)


#4 ScathEnfys

Posted 07 July 2016 - 10:45 PM

Keep in mind that a single infection can have several associated entries that appear in a log. For example, all lines ending in "(Backdoor.0Access)" are pieces of the same infection (ZeroAccess).
Proud system builder, modder, and watercooler.

GitHub | SoundCloud | Keybase
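Grouping entries by the family name in parentheses, as described above, is something a defender can do mechanically before asking which detections belong together. The Python below is an added example, not code from this thread or from Malwarebytes: it parses lines in the shape the original poster typed (number, location, optional family label), classifies each location as a file, registry key or physical sector, and groups them by family. The sample lines are constructed in that shape, and the rule that lets an unlabelled file entry inherit the label of a labelled entry under the same parent directory is a heuristic of this example, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the thread's hand-typed MBAR log; some
# entries carry no "(Family)" label, exactly as in the original post.
SAMPLE_LOG = r"""
1. C:\WINDOWS\SYSTEM32\drivers\psec.sys (Trojan.FakeAlert)
2. Physical Sector 312576705 on drive 0 (Rootkit.Alureon.E.VBR)
4. HKU\S-1-5-21-2928383822-501481981-1191779827-1005\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\vtolhexl (Trojan.FakeMS.ED)
14. c:\windows\$ntuninstallkb1055$\3728945212\L\yoksnvpa (Backdoor.0Access)
15. c:\windows\$ntuninstallkb1055$\3728945212\u\00000001.@ (Backdoor.0Access)
41. c:\windows\$ntuninstallkb1055$\3728945212\bckfg.tmp
30. C:\Program Files\Security Defender (Rogue.SecurityDefender)
"""

# "<n>. <location> (<Family>)" with the label optional.
ENTRY_RE = re.compile(r"^\s*(\d+)\.\s*(.+?)\s*(?:\(([^()]+)\))?\s*$")
HIVES = ("HKLM\\", "HKU\\", "HKCU\\", "HKCR\\")

def parse_entry(line):
    """Return (number, location, family or None, kind) or None for a non-entry line."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    num, location, family = int(m.group(1)), m.group(2), m.group(3)
    up = location.upper()
    kind = "registry" if up.startswith(HIVES) else "sector" if up.startswith("PHYSICAL SECTOR") else "file"
    return num, location, family, kind

def group_by_family(text):
    """Map family -> [(number, kind, location, provenance)].
    An unlabelled file entry inherits the family of a labelled file entry found
    under its parent directory (case-insensitive prefix match, a heuristic that
    mirrors how the ZeroAccess folder is read in the thread); whatever is still
    unlabelled goes under "UNLABELLED" rather than being dropped.
    """
    entries = [e for e in map(parse_entry, text.splitlines()) if e]
    labelled = [(loc.lower(), fam) for _, loc, fam, kind in entries if fam and kind == "file"]
    groups = defaultdict(list)
    for num, location, family, kind in entries:
        provenance = "labelled"
        if family is None and kind == "file":
            parent = location.lower().rpartition("\\")[0] + "\\"
            family = next((fam for loc, fam in labelled if loc.startswith(parent)), None)
            provenance = "inherited"
        groups[family or "UNLABELLED"].append((num, kind, location, provenance))
    return dict(groups)
```

Calling `group_by_family(SAMPLE_LOG)` puts entries 14, 15 and 41 under Backdoor.0Access (41 marked as inherited from its directory), the registry entry under Trojan.FakeMS.ED and the physical-sector entry under Rootkit.Alureon.E.VBR; a grouping like this only says which entries share a detection label, not whether two families were installed by the same dropper.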

#5 quietman7 (Global Moderator)

Posted 08 July 2016 - 06:09 AM

You can always submit malicious files to one of the online services that analyzes suspicious files.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 kurtgillis12 (Topic Starter)

Posted 08 July 2016 - 05:03 PM

> Keep in mind that a single infection can have several associated entries that appear in a log. For example, all lines ending in "(Backdoor.0Access)" are pieces of the same infection (ZeroAccess).

Okay, could all those ZeroAccess entries be part of the Alureon rootkit as well? I've read that Alureon can also be associated with the rogue Security Defender. It would just be nice if I knew if all these were part of the same single infection.



#7 quietman7 (Global Moderator)

Posted 08 July 2016 - 05:08 PM

If you want a more comprehensive look at your system for possible malware by experts, there are advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If you choose to post a log, please reply back in this thread with a link to the new topic.



