Cretemonster

Members
  • Content Count: 4
  • Joined
  • Last visited

About Cretemonster
  • Rank: Newbie
  • Birthday: 01/01/1970

Profile Information
  • Interests: SUPERANTISPYWARE
  1. Cretemonster

    SirJon??

    Jon asked for MBR craps back when grozzy showed up, so I thought I'd point to the right place.
  2. Cretemonster

    SirJon??

    You around here? Something you asked me for a while back: I've recently come into a fresh modded version. Check in at mwr.
  3. Cretemonster

    Greets

    Words from the southside, maybe old news here, but old news is sometimes new news too! For some this is old news, but for me it's very new, and having a go at it proved most interesting. This is gonna be short and sweet.

    What the infection does:

    It writes to 2 files found deep in the All Users folder, qmgr0.dat and qmgr1.dat. I haven't gone in far enough to see if qmgr.dll is being modified, but I did not see any obvious changes. I can actually describe everything that happens, but there is enough written to each file so that when Windows Automatic Updates kicks in and BITS is called, tada, the buggered dat files make internet connections to a predefined URL with a predefined set of commands, connecting to Russian Business Network domains to download or update malware.

    It usually drops 3 files in Windows/Temp, read the link below:
    http://forums.anandtech.com/messageview ... erthread=y

    BIT20DF.tmp, BIT20EF.tmp, BIT20??.tmp

    Only one had data stored in it, not sure what the others are for. At this time, you can disable BITS and disable crash control (recovery) and this stops the infection.

    Telltale signs:

    User complains the firewall keeps prompting for access from svchost. If the user had allowed svchost total access through the firewall, the user won't complain, they will just get reinfected over and over.

    Next one is:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    equal roughly 17 KB each, whereas they should be:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat 5 or 6 KB
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat 6 or 7 KB

    Fix....heh....you're on your own! I just grabbed my good copies from a clean box and replaced the files in safe mode and all is well again.
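The size check described in the post above, turned into a small triage script. This is an added example, not code from the original post or its author. It assumes the XP-era Downloader path and the file sizes the poster quotes (qmgr0.dat about 5 or 6 KB and qmgr1.dat about 6 or 7 KB on a clean box, roughly 17 KB each when infected) as an anecdotal baseline; the byte thresholds, the function names and the constructed sample folder are assumptions made here, not official Microsoft values.

```python
"""Triage check for the BITS downloader queue files (qmgr0.dat / qmgr1.dat).

Added example, not code from the original post. The clean-size ranges below
are assumptions derived from the sizes the poster quotes; real sizes vary by
Windows version and by what is currently queued in BITS, so treat an
'oversized' verdict as a reason to look closer, not as proof of infection.
"""
import tempfile
from pathlib import Path

# Path quoted in the post (Windows XP layout); assumed default for the check.
DEFAULT_DOWNLOADER_DIR = (
    r"C:\Documents and Settings\All Users\Application Data"
    r"\Microsoft\Network\Downloader"
)

# Expected clean size ranges in bytes (assumption: post's 5-6 KB / 6-7 KB
# widened slightly to allow for normal variation).
EXPECTED_SIZES = {
    "qmgr0.dat": (4 * 1024, 7 * 1024),
    "qmgr1.dat": (5 * 1024, 8 * 1024),
}


def check_bits_queue_files(downloader_dir=DEFAULT_DOWNLOADER_DIR):
    """Return a list of (filename, size_in_bytes, verdict) tuples.

    verdict is one of 'ok', 'oversized', 'undersized' or 'missing'.
    A missing file is reported too, since the check is only meaningful
    when both queue files can actually be inspected.
    """
    findings = []
    for name, (low, high) in EXPECTED_SIZES.items():
        path = Path(downloader_dir) / name
        if not path.is_file():
            findings.append((name, None, "missing"))
            continue
        size = path.stat().st_size
        if size > high:
            verdict = "oversized"
        elif size < low:
            verdict = "undersized"
        else:
            verdict = "ok"
        findings.append((name, size, verdict))
    return findings


def build_sample_dir():
    """Create a constructed Downloader folder so the check runs offline.

    qmgr0.dat is padded to ~17 KB (the infected size from the post) and
    qmgr1.dat to 6 KB (a clean-looking size). The contents are filler bytes,
    not real BITS queue data.
    """
    sample = tempfile.mkdtemp(prefix="bits_sample_")
    (Path(sample) / "qmgr0.dat").write_bytes(b"\x00" * (17 * 1024))
    (Path(sample) / "qmgr1.dat").write_bytes(b"\x00" * (6 * 1024))
    return sample


if __name__ == "__main__":
    # Run against the constructed folder; point it at DEFAULT_DOWNLOADER_DIR
    # (or the Downloader folder of a mounted image) for a real check.
    for name, size, verdict in check_bits_queue_files(build_sample_dir()):
        print(f"{name}: {size} bytes -> {verdict}")
```

On a live box the verdicts only say that the queue files are larger than the poster's baseline; pairing that with the other sign in the post (repeated firewall prompts for svchost, which hosts the BITS service) gives a stronger signal than the size alone.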
  4. Cretemonster

    Greets

    Greetings from the southside