Gammapedia is archived. No new edits are allowed and no new accounts can be registered.
Ikepedia is the officially decreed successor to Gammapedia concerning Gammasphere canon.
Infinitypedia is another successor.
$revenue/log2: Difference between revisions
From Gammapedia
Jump to navigationJump to search
No edit summary |
No edit summary |
||
Line 1: | Line 1: | ||
A test was done on the Abwayaxian Malware Testing Platform, which runs Windows 98. This is the results of the test. | |||
'''URLs accessed''' | '''URLs accessed''' | ||
Revision as of 03:28, 8 August 2006
A test was done on the Abwayaxian Malware Testing Platform, which runs Windows 98. This is the results of the test.
URLs accessed
http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=1 http://194.187.45.55/MTE3NDI6ODoxNg.exe http://content.dollarrevenue.com/nwnmff_7.exe http://content.dollarrevenue.com/dfndrff_7.exe http://content.dollarrevenue.com/kybrdff_7.exe http://www.onli-ne.com/app/ADDR/Installer.exe http://promo.dollarrevenue.com/webmasterexe/drsmartload45a.exe http://promo.dollarrevenue.com/webmasterexe/drsmartload46a.exe http://promo.dollarrevenue.com/webmasterexe/drsmartload849a.exe http://194.187.45.55/MTE3NDI6ODoxNg.exe http://command.adservs.o http://command.adservs.com/binaries/installer_9x.php?a=MTE3NDI6ODoxNg http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2F194%2E187%2E45%2E55%2FMTE3NDI6ODoxNg%2Eexe&id=1 http://content.dollarrevenue.com/nwnmff_7.exe http://csx.adservs.com/checkin.php?affid=MTE3NDI6ODoxNg&msg=success http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fcontent%2Edollarrevenue%2Ecom%2Fnwnmff%5F7%2Eexe&id=1 http://content.dollarrevenue.com/dfndrff_7.exe http://80gw6ry3i3x3qbrkwhxhw.032439.com/client.php?str=/yfwar6fICKBx2qrDXg9BV/fv/jVhqN8gXXOzYkEdJLFuPkpSzPhh9Qx5B/5bH4b http://command.adservs.com/binaries/relevance.dat http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fcontent%2Edollarrevenue%2Ecom%2Fdfndrff%5F7%2Eexe&id=1 http://content.dollarrevenue.com/kybrdff_7.exe http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fcontent%2Edollarrevenue%2Ecom%2Fkybrdff%5F7%2Eexe&id=1 http://www.onli-ne.com/app/ADDR/Installer.exe www.onli-ne.com http://www.nonameforthisdomain.com/data.asp?rnd=0.3843958&antisp=1 www.nonameforthisdomain.com http://content.dollarrevenue.com/kybrdff_7.exe http://www.findthewebsiteyouneed.com http://searchbar.findthewebsiteyouneed.com http://content.dollarrevenue.com/dfndrff_7.exe http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fwww%2Eonli%2Dne%2Ecom%2Fapp%2FADDR%2FInstaller%2Eexe&id=1 http://promo.dollarrevenue.com/webmasterexe/drsmartload45a.exe http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fpromo%2Edollarrevenue%2Ecom%2Fwebmasterexe%2Fdrsmartload45a%2Eexe&id=1 http://promo.dollarrevenue.com/webmasterexe/drsmartload46a.exe http://promo.dollarrevenue.com/bundle/loader.exe http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fpromo%2Edollarrevenue%2Ecom%2Fwebmasterexe%2Fdrsmartload46a%2Eexe&id=1 http://promo.dollarrevenue.com/webmasterexe/drsmartload849a.exe http://promo.dollarrevenue.com/bundle/smartload_stats.asp?a=a_n_u&exe=http%3A%2F%2Fpromo%2Edollarrevenue%2Ecom%2Fwebmasterexe%2Fdrsmartload849a%2Eexe&id=1 http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=45&rnd=0.3896601 http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=46&rnd=0.6209986 http://promo.dollarrevenue.com/bundle/smartload.asp?a=a_n_u&id=849&rnd=0.4082605
HijackThis logs
Before
Logfile of HijackThis v1.99.1 Scan saved at 1:24:17 AM, on 8/6/06 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v5.00 (5.00.2614.3500) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\EXPLORER.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\BELKIN\BELKIN WIRELESS NETWORK UTILITY\WLANCFGG.EXE C:\WINDOWS\SYSTEM\VMSRVC.EXE C:\PROGRAM FILES\OPERA\OPERA.EXE C:\PROGRAM FILES\URLSNOOPER2\URLSNOOPER.EXE C:\PROGRAM FILES\FILEMAP BY BB V405\FILEMAP.EXE C:\REGSHOT\REGSHOT.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [InvokeSvc.exe] C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe O4 - HKLM\..\Run: [VMServices] C:\WINDOWS\SYSTEM\VMSrvc.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
After
Logfile of HijackThis v1.99.1 Scan saved at 1:39:08 AM, on 8/6/06 Platform: Windows 98 SE (Win9x 4.10.2222A) MSIE: Internet Explorer v5.00 (5.00.2614.3500) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.EXE C:\WINDOWS\SYSTEM\MPREXE.EXE C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\SYSTEM\MSTASK.EXE C:\WINDOWS\TASKMON.EXE C:\WINDOWS\SYSTEM\SYSTRAY.EXE C:\PROGRAM FILES\BELKIN\BELKIN WIRELESS NETWORK UTILITY\WLANCFGG.EXE C:\WINDOWS\SYSTEM\VMSRVC.EXE C:\PROGRAM FILES\OPERA\OPERA.EXE C:\PROGRAM FILES\URLSNOOPER2\URLSNOOPER.EXE C:\PROGRAM FILES\FILEMAP BY BB V405\FILEMAP.EXE C:\REGSHOT\REGSHOT.EXE C:\HIJACKTHIS\HIJACKTHIS.EXE C:\WINDOWS\QWJ3YXLHEAAA\COMMAND.EXE C:\DFNDRFF_7.EXE C:\KYBRDFF_7.EXE C:\WINDOWS\RUNDLL32.EXE O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe O4 - HKLM\..\Run: [SystemTray] SysTray.Exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [InvokeSvc.exe] C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe O4 - HKLM\..\Run: [VMServices] C:\WINDOWS\SYSTEM\VMSrvc.exe O4 - HKLM\..\Run: [Command] C:\WINDOWS\QWJ3YXlheAAA\command.exe O4 - HKLM\..\Run: [newname] C:\\NWNMFF_7.exe O4 - HKLM\..\Run: [defender] C:\\DFNDRFF_7.exe O4 - HKLM\..\Run: [keyboard] C:\\KYBRDFF_7.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
Changes to Windows Filesystem
***************************** COMPARING RECORDS FROM C:\ ROOT ***************************** ----------------------------- These files were present at: 06 Aug 06 at 01:37:02 but not on: 06 Aug 06 at 01:21:27 ----------------------------- dfndrff_7.exe drsmartload.exe drsmartload45a8a.exe drsmartload46a8a.exe drsmartload849a8a.exe installer3.exe kybrdff_7.exe mte3ndi6odoxng.exe nwnmff_7.exe ----------------------------- These files were present at: 06 Aug 06 at 01:21:27 but not on: 06 Aug 06 at 01:37:02 ----------------------------- ----------------------------- ***************************** ***************************** COMPARING RECORDS FROM WINDOWS ***************************** ----------------------------- These files were present at: 06 Aug 06 at 01:37:11 but not on: 06 Aug 06 at 01:21:27 ----------------------------- hosts keyboard1.dat ----------------------------- These files were present at: 06 Aug 06 at 01:21:27 but not on: 06 Aug 06 at 01:37:11 ----------------------------- ----------------------------- ***************************** ***************************** COMPARING RECORDS FROM SYSTEM ***************************** ----------------------------- These files were present at: 06 Aug 06 at 01:37:18 but not on: 06 Aug 06 at 01:21:27 ----------------------------- opgfs400.dll uldm16.dll ----------------------------- These files were present at: 06 Aug 06 at 01:21:27 but not on: 06 Aug 06 at 01:37:18 ----------------------------- ----------------------------- *****************************
Registry Changes
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\Contact: "Customer Support Department" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\DisplayName: "Command" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\DisplayVersion: "1.0.1" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\NoModify: 0x00000001 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\NoRemove: 0x00000000 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\NoRepair: 0x00000001 HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}\UninstallString: "wscript "C:\WINDOWS\QWJ3YXlheAAA\pge0.vbs"" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\{E5F6E74B-BE35-3B3D-54D4-00F0412DEABA}: "" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Command: "C:\WINDOWS\QWJ3YXlheAAA\command.exe" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\newname: "C:\\NWNMFF_7.exe" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\defender: "C:\\DFNDRFF_7.exe" HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\keyboard: "C:\\KYBRDFF_7.exe"