you can expect when you get infected with a specific type of malware? If I were to post the logs would you be able to tell me what infected files or keys were part of the same attack?
Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.
Is there some kind of database that can tell you what infections..
Started by
kurtgillis12
, Jul 07 2016 10:11 PM
6 replies to this topic
#1
kurtgillis12
-
- Members
- 116 posts
- OFFLINE
- Local time:12:53 AM
Back to top
#2
ScathEnfys
-
- Members
- 1,375 posts
- OFFLINE
Bleeping Butterfly
- Gender:Not Telling
- Location:Deep in the Surface Web
- Local time:08:53 PM
Posted 07 July 2016 - 10:23 PM
I doubt there is a database for this, but certain malware programs, called droppers, exist purely to install other pieces of malware on a system. If we notice a dropper program, we might be able to make connections between it and other pieces of malware.
#3
kurtgillis12
- Topic Starter
-
- Members
- 116 posts
- OFFLINE
- Local time:12:53 AM
Posted 07 July 2016 - 10:30 PM
I doubt there is a database for this, but certain malware programs, called droppers, exist purely to install other pieces of malware on a system. If we notice a dropper program, we might be able to make connections between it and other pieces of malware.
I have a malwarebytes anti-rootkit scan done on an old computer I have. I am dying to know if all these infections are part of the same attack or if they are multiple attacks. (It was infected years ago) If you could look at it and see if you could make any connections, I would really appreciate it.
(username1 is the admin account)
1. C:\WINDOWS|SYSTEM32\drives\psec.sys(Trojan.FakeAlert)
2. Physical Sector 312576705 on drive 0 (Rootkit.Alureon.E.VBR)
3. C:\Documents and Settings\username1\Local Settings\Application Data\App\vtolhexl.dll (Trojan.FakeMS.ED)
4. HKU\S-1-5-21-29283822-501481981-1191779827-1005\SOFTWARE\MIRCROSOFT\WINDOWS\CURRENTVERSION\RUN\vtolhexl (Trojan.FakeMS.ED)
5. C:\Documents and Settings\username1\Local Settings\Application Data\App\vtolhexl.dll (Trojan.FakeMS.ED)
6. HKU\S-1-5-21-2928383822-501481981-1191779827-501\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{A770354-581D-450C-9E44-A84C4115A6172} (Trojan.FakeAlert)
7. C:Documents and Settings\All Users\ Application Data\ 427B187A-EEDC-1C33-3F41-746881B4FC6D.avi (Trojan.FakeMS.ED)
8. C:\Documents and Settings\All Users\Application Data\BE6HKSxOYirlGO.exe (Rogue.FakeHDD)
9. C:\Documents and Settings\username1\Application Data\427B183A- EKDC-1C33-3F41-746881B4FC6D.avi (Trojan.FakeMS.ED)
10. C:\Program Files\Security Defender\Security Defender.dll(Trojan.FakeMS.ED)
11. C:\WINDOWS\system32\427B183A-EEDC-1C33-3F41-746881B4FC6D.avi(Trojan.FakeMS.ED)
12. C:\Documents and Settings\Guest\Local Settings\Temp\K1aKoDaH1wVy3d.exe.tmp(Rogue.FakeHDD)
13. C:Documents and Settings\username1\Local Settings\Application Data\427B183A-EEDC-1C33-3F41-746881B4FC6D.avi(Trojan.FakeMS.ED)
14. c:\windows\$ntuninstallkb1055$\3728945212\L\yoksnvpa(Backdoor.0Acceess)
15. c:\windows\$ntuninstallkb1055$\3728945212\u\00000001.@ (Backdoor.0Access)
16. c:\windows\$ntuninstallkb1055$\3728945212\u\00000002.@ (Backdoor.0Access)
17. c:\windows\$ntuninstallkb1055$\3728945212\u\00000004.@ (Backdoor.0Access)
18. c:\windows\$ntuninstallkb1055$\3728945212\u\80000000.@ (Backdoor.0Access)
19. c:\windows\$ntuninstallkb1055$\3728945212\u\80000004.@ (Backdoor.0Access)
20. c:\windows\$ntuninstallkb1055$\3728945212\u\80000032.@ (Backdoor.0Access)
21. C:\Documents and Settings\username1\Local Settings\Temporary Interent Files\Content.IE5\DJTKLB65\11[1].exe (Trojan.Dropper)
22. C:\Documents and Settings\username1\Local Settings\Temporary Interent Files\Content.IE5\ISOS46N9122[1].exe (Trojan.FakeMS.ED)
23. C:\Documents and Settings\username1\Application Data\ Security Defender\{5FE83920-7C88-4C45-6C9D-8FOEf7DD7EAA}.pst (Rogue.SecurityDefender)
24. C:\Documents and Settings\username1\Application Data\ Security Defender\(rogue.SecurityDefender)
25. C:\Documents and Settings\username1\Application Data\ Security Defender\{6B757E8f-ACAO-446C-7D8F-ODD8E3F949745}.pst(Rogue.SecurityDenfender)
26. C:\Documents and Settings\username1\Application Data\ Security Defender\{73A82D79--C142-4EC2-2884-9A7310C76AGB}.pst(Rogue.SecurityDefender)
27. C:\Documents and Settings\username1\Desktop\Security Defender.Ink(Rogue.Security Defender)
28. C:\Documents and Settings\username1\Application Data\Microsoft\Internet Explorer\Quick Launch\Security Defender.Ink (Rogue.SecurityDefender)
29. C:\Program Files\Security Defender\Security Defender.ico(Rogue.SecurityDefender)
30. C:\Program Files\Security Defender(Rogue.SecurityDefender)
31. HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\427B183A-EEDC-IC33-3F41-74688/B4FC6D(Trojan.FakeAlert)
32. HKU\S-1-5-21-2928383822-501481981-1191779827-1005\ENVIORNMENT\AVAPP(Rogue.PersonalAntivirus)
33. HKU\S-1-5-21-2928383822-501481981-1191779827-1005\ENVIORNMENT\AVUNINST(Rogue.PersonalAntivirus)
34. HKU\S-1-5-21-2928383822-501481981-1191779827-1005\ENVIORNMENT\Software\Microsoft\Internet Explorer\MenuEXT\& Search\ (Adware.Hotbar)
35. HKU\S-1-5-21-2928383822-501481981-1191779827-1005\ENVIORNMENT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\427B183A-EEDC-IC33-3F41-74688154FC66(Trojan.FakeAlert)
36. HKU\S-1-5-21-2928383822-501481981-1191779827-1005\ENVIORNMENT\SOFTWARE/MICROSOFT\INTERNETEXPLORER\MENUTEXT\&SEARCH\(Adware.Hotbar)
37. c:\windows\$ntuninstallkblo55$\3728945212\L (Backdoor.0Access)
38. c:\windows\$ntuninstallkblo55$\3728945212\U
39. c:\windows\$ntuninstallkblo55$\3728945212\12 (Backdoor.0Access)
40. c:\windows\$ntuninstallkblo55$\3728945212\@
41. c:\windows\$ntuninstallkblo55$\3728945212\bckfg.tmp
42. c:\windows\$ntuninstallkblo55$\3728945212\cfg.ini
43. c:\windows\$ntuninstallkblo55$\3728945212\desktop.ini (Backdoor.0Access)
44. c:\windows\$ntuninstallkblo55$\3728945212\keywords
45. c:\windows\$ntuninstallkblo55$\3728945212\Kwrd.dll
46. c:\windows\$ntuninstallkblo55$\13930054407(Backdoor.0Access)
#4
ScathEnfys
-
- Members
- 1,375 posts
- OFFLINE
Bleeping Butterfly
- Gender:Not Telling
- Location:Deep in the Surface Web
- Local time:08:53 PM
Posted 07 July 2016 - 10:45 PM
Keep in mind that a single infection can have several associated entries that appear in a log. For example, all lines ending in "(Backdoor.0Access)" are pieces of the same infection (ZeroAccess).
#5
quietman7
-
- Global Moderator
- 51,897 posts
- ONLINE
Bleepin' Janitor
- Gender:Male
- Location:Virginia, USA
- Local time:07:53 PM
Posted 08 July 2016 - 06:09 AM
You can always submit malicious files to one of the online services that analyzes suspicious files.
- Comprehensive List of Online File/URL analyzers & services
- Comprehensive list of Online Malware Scanners with maximum file size limit
- Online Malware Scanners Using Multiple Antivirus Engines with maximum file size limit
- Malware Sandbox Services and Software
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
If I have been helpful & you'd like to consider a donation, click
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
If I have been helpful & you'd like to consider a donation, click
#6
kurtgillis12
- Topic Starter
-
- Members
- 116 posts
- OFFLINE
- Local time:12:53 AM
Posted 08 July 2016 - 05:03 PM
Keep in mind that a single infection can have several associated entries that appear in a log. For example, all lines ending in "(Backdoor.0Access)" are pieces of the same infection (ZeroAccess).
Okay, could all those Zero Access's be part of the alureon rootkit as well? I've read that alureon also can be associated with rouge security defender as well. It would just be nice if I knew if all these were part of the same single infection.
#7
quietman7
-
- Global Moderator
- 51,897 posts
- ONLINE
Bleepin' Janitor
- Gender:Male
- Location:Virginia, USA
- Local time:07:53 PM
Posted 08 July 2016 - 05:08 PM
If you want a more comprehensive look at your system for possible malware by experts, there are advanced tools which can be used to investigate but they are not permitted in this forum. Please follow the instructions in the Malware Removal and Log Section Preparation Guide. When you have done that, post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team. If you choose to post a log, please reply back in this thread with a link to the new topic.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
If I have been helpful & you'd like to consider a donation, click
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
If I have been helpful & you'd like to consider a donation, click
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
