
the last time i was trojanned

Discussion in 'BlackHat Lounge' started by proxygo, Nov 21, 2012.

  1. proxygo

    proxygo Jr. VIP Jr. VIP Premium Member

    Joined:
    Nov 2, 2008
    Messages:
    10,246
    Likes Received:
    8,704
    ahh the good old days 08-11-2008, 16:26

    some d1ck posted a file on my site yesterday,
    some proxy scanner.. i sent it to VirusTotal and
    it said clean, so i opened it and got this lol
    even altered my desktop pic too lol, nice touch
    i felt like i'd tripped acid for a month looking at this


    Malwarebytes' Anti-Malware 1.30
    Database version: 1341
    Windows 5.1.2600 Service Pack 1

    11/8/2008 2:47:29 AM
    mbam-log-2008-11-08 (02-47-29).txt

    Scan type: Quick Scan
    Objects scanned: 40882
    Time elapsed: 2 minute(s), 29 second(s)

    Memory Processes Infected: 7
    Memory Modules Infected: 1
    Registry Keys Infected: 1
    Registry Values Infected: 18
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 31

    Memory Processes Infected:
    C:\WINDOWS\runsql.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\WINDOWS\sv.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\WINDOWS\svzip.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\WINDOWS\vlc.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\WINDOWS\wdmon.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\WINDOWS\svx.exe (Trojan.Downloader) -> Unloaded process successfully.
    C:\WINDOWS\svw.exe (Trojan.Downloader) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\Documents and Settings\tony\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatewin (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\updatewin (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runsql (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netsv32 (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netzip (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vlc (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdmon (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netx (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\netw (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{020487cc-fc04-4b1e-863f-d9801796230b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net64 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\UpdateWin (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\OLE\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Lsa\UpdateWin (Worm.Sdbot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\system32\3076v.exe (Trojan.FakeAlert.H) -> Delete on reboot.
    C:\WINDOWS\runsql.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\sv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\svzip.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\vlc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\wdmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\svx.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\svw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\tony\Local Settings\Temp\wndutl32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc47.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc49.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc50.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc51.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc52.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc53.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc54.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc55.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc56.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc61.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc62.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc63.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc68.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\RECYCLER\S-1-5-21-1547161642-261478967-839522115-1003\Dc48.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\tony\Desktop\sv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\tony\Desktop\svw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\tony\Desktop\svx.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\tony\Desktop\svzip.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\tony\Desktop\vlc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\tony\Desktop\wdmon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\tony\Application Data\config.cfg (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\tony\Application Data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.


    NOW PLEASE IF YA GONNA POST CRAP FILES, THINK THAT
    SOME OF US HAVE THE BACKUP TOOLS TO REMOVE THEM
    5 HRS TO REMOVE, BUT REMOVED NEVERTHELESS...

    REMOVAL TOOLS USED
    mcafee / malwarebytes / smithfraud / nod / hijackthis /
    think u could own me > U WISH ..

    UPDATE
    fixed the final piece of the jigsaw: the desktop pic problem is
    now resolved.. desktop background is now unlocked and that
    **** is gone .. see fix below...

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies
    "NoChangingWallPaper": double-click the DWORD value and set it to "0". Otherwise, you need to create a new DWORD value named "NoChangingWallPaper" and set it to "0".
    my normal desktop is back..
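    An added example, not from the post or from Malwarebytes: a PowerShell audit script for the two policy hijacks the log reports (DisableTaskMgr and NoChangingWallpaper, both "Bad: (1) Good: (0)") and the Run/RunServices autostart keys the log cleaned. The registry paths are taken from the log and the post's fix; run it elevated, and with -WhatIf to only report.

```powershell
# Added example (not from the post): audit and undo the two policy hijacks the
# Malwarebytes log reports (DisableTaskMgr, NoChangingWallpaper) and list the
# Run/RunServices autostart entries so they can be compared with the log.
# Run from an elevated PowerShell prompt; -WhatIf shows what would change.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# Policy values the log flagged as "Bad: (1) Good: (0)". The HKLM path is the
# one the post's fix names; HKCU is where the scan actually found them.
$policyValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper' },
    @{ Path = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper' }
)

foreach ($p in $policyValues) {
    if (-not (Test-Path $p.Path)) { continue }
    $current = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
    if ($null -eq $current) { continue }
    $value = $current.($p.Name)
    Write-Host ("{0}\{1} = {2}" -f $p.Path, $p.Name, $value)
    if ($value -ne 0 -and $PSCmdlet.ShouldProcess("$($p.Path)\$($p.Name)", 'Set to 0')) {
        # Setting the DWORD to 0 is exactly the fix the post describes; the
        # "Good: (0)" column in the log is the same reference value.
        Set-ItemProperty -Path $p.Path -Name $p.Name -Value 0 -Type DWord
    }
}

# Autostart entries: the log removed names such as runsql, netsv32, vlc, wdmon
# and updatewin from these keys. Listing them shows whether anything came back.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object { Write-Host ("{0} : {1} = {2}" -f $key, $_.Name, $_.Value) }
}
```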
     
  2. the_demon

    the_demon Jr. Executive VIP

    Joined:
    Nov 23, 2008
    Messages:
    3,177
    Likes Received:
    1,563
    Occupation:
    Search Engine Marketing
    Location:
    The Internet
    well, that's awfully annoying, damn hackers!
     
  3. Rapper

    Rapper Junior Member

    Joined:
    Aug 12, 2009
    Messages:
    195
    Likes Received:
    62
    Windows 98 LOL
     
  4. proxygo

    proxygo Jr. VIP Jr. VIP Premium Member

    Joined:
    Nov 2, 2008
    Messages:
    10,246
    Likes Received:
    8,704
    win xp corporate actually rapper
     
  5. antsaoo

    antsaoo Supreme Member

    Joined:
    Oct 1, 2008
    Messages:
    1,291
    Likes Received:
    637
    You need to be really careful with those softwares. If the virus creator is good it won't be detected before infecting some people and someone reporting it, I think. Hope you ran it in a virtual machine.
     
  6. proxygo

    proxygo Jr. VIP Jr. VIP Premium Member

    Joined:
    Nov 2, 2008
    Messages:
    10,246
    Likes Received:
    8,704
    read the post it was 4 yrs ago lolz
     
  7. youngguy

    youngguy Senior Member

    Joined:
    Apr 11, 2009
    Messages:
    1,053
    Likes Received:
    1,560
    Location:
    Hell
    Looks like some dick just wants to show off his skills, because if I were him, I wouldn't make a single change to your desktop but would do much worse things to your credentials and private info.
     
  8. proxygo

    proxygo Jr. VIP Jr. VIP Premium Member

    Joined:
    Nov 2, 2008
    Messages:
    10,246
    Likes Received:
    8,704
    skill is a trojan that can't be removed - i removed it all
     
  9. youngguy

    youngguy Senior Member

    Joined:
    Apr 11, 2009
    Messages:
    1,053
    Likes Received:
    1,560
    Location:
    Hell
    Nah, everything can be removed no matter how good the coder is. Also, never trust these AVs, they can only remove some popular viruses :D I'm an expert on those things.
     
  10. proxygo

    proxygo Jr. VIP Jr. VIP Premium Member

    Joined:
    Nov 2, 2008
    Messages:
    10,246
    Likes Received:
    8,704
    everyone thinks that > I'm an expert on those things. <
     
  11. youngguy

    youngguy Senior Member

    Joined:
    Apr 11, 2009
    Messages:
    1,053
    Likes Received:
    1,560
    Location:
    Hell
    Oh sure! So on you, just stop acting like an expert when you're not. And how come you argue about some BS like this? LOL We're talking about kids (script kiddies) that spread their viruses to change your desktop background and disable some fucking functions on your desktop, aren't we?
     
  12. evilman11

    evilman11 Junior Member

    Joined:
    Apr 6, 2009
    Messages:
    149
    Likes Received:
    418
    Occupation:
    chillin at bhw and internet marketing
    Location:
    on the net making my pockets fatter
    It's never a good idea to run a shady-looking file on your main OS, even if it passed a virus scan. Viruses can be encrypted in a way that makes them undetectable to virus scanners, and it's not hard to get the tools to do it. That's why I always run shit that I get from here and other forums in a virtual machine.