Author Topic: Undetected infection?  (Read 8896 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89680
  • No support PMs thanks
Re: Undetected infection?
« Reply #15 on: April 10, 2009, 02:48:33 PM »
Would anything have to be done with the c:\winnt\system32\yayWQIaa folder and any contents found in it, as the folder name looks somewhat strange for a sub-folder of system32?

The reason I ask, is I have no sub-folder names so remotely obscure in the system32 folder.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Undetected infection?
« Reply #16 on: April 10, 2009, 05:23:12 PM »
Hi DavidR,

I don't see that folder or file in the DDS log. Maybe I misread the OP's comments about the .dll. I thought SAS removed it.

@noob123

Was yayWQIaa or yayWQIaa.dll removed by SAS?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89680
  • No support PMs thanks
Re: Undetected infection?
« Reply #17 on: April 10, 2009, 05:39:58 PM »
It was in the dds.txt but noob123 also mentioned it in the post (reply #11) that he attached the dds.txt file.

In the dds.txt, it was in the Pseudo HJT Report section, last line:
LSA: Authentication Packages = msv1_0 c:\winnt\system32\yayWQIaa

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Undetected infection?
« Reply #18 on: April 10, 2009, 06:03:04 PM »
Hi DavidR,

That's a registry entry. I didn't see any files/folders in the Created in last 30 days or the 3M section.

The SAS log would be nice to see to confirm that file/folder was removed.

Interesting enough, SAS does not look at that key.

edit:

Actually he did post the SAS log way back. I would say it's gone.

Quote
Trojan.Vundo-Variant/Small-GEN
   C:\WINNT\SYSTEM32\YAYWQIAA.DLL
   C:\WINNT\SYSTEM32\YAYWQIAA.DLL
« Last Edit: April 10, 2009, 06:07:34 PM by oldman »

noob123

  • Guest
Re: Undetected infection?
« Reply #19 on: April 13, 2009, 11:05:46 AM »
David, oldman,

Thanks again for following up with me!  :-)

There never was a yayWQIaa directory (it was a DLL). oldman is right, SAS did quarantine that file. It was the first thing I checked.

noob123

  • Guest
Re: Undetected infection?
« Reply #20 on: April 13, 2009, 11:25:09 AM »
oldman,

Your regedit script targets [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa].
However, in my registry, the infected entry is [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa].

The "Authentication Packages" entry has type REG_MULTI_SZ (every character is followed by a NUL character).
Do regedit scripts need to discriminate REG_MULTI_SZ vs REG_SZ ?

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Undetected infection?
« Reply #21 on: April 13, 2009, 06:39:29 PM »
Hi

Usually it's the current control set entry that is reported. Hex will be recognized as REG_MULTI_SZ, a text entry as REG_SZ.

ControlSet00x is like a backup copy of CurrentControlSet, though it may be different.

You lost me, which Authentication Packages has the null data?


Use this tool and post the results, then we will all be looking at the same thing.


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:reg
HKEY_LOCAL_MACHINE\system\ControlSet001\control\lsa

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
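Added example, not part of the thread or of any tool mentioned in it: noob123's question (reply #20) about REG_MULTI_SZ vs REG_SZ in a regedit script, and oldman's answer (reply #21) that a hex entry is what keeps the multi-string type, can be shown on a .reg export directly. In a "Windows Registry Editor Version 5.00" file a REG_MULTI_SZ value is written as hex(7): and the bytes are UTF-16LE, which is exactly why "every character is followed by a NUL". The script below parses such an export (a constructed sample resembling the infected LSA entry from the DDS log, not the OP's real export), decodes the package list, flags anything other than msv1_0 under ...\Control\Lsa, and emits a cleaned "Authentication Packages" line that still uses hex(7) rather than a quoted string (a quoted string would write REG_SZ, a different type from the REG_MULTI_SZ that LSA stores there). The expected-package set and the helper names are this example's own assumptions.

```python
"""Decode, triage and rebuild a REG_MULTI_SZ value in a Regedit 5.00 .reg export.

Added example for the thread above; not code from the forum, SystemLook or SAS.
The sample export is constructed to mirror the reported entry
  LSA: Authentication Packages = msv1_0 c:\\winnt\\system32\\yayWQIaa
"""
import re

REG_MULTI_SZ = 7                       # registry type id behind hex(7):
EXPECTED_AUTH_PACKAGES = {"msv1_0"}    # assumption: the only package expected on this box

# Constructed sample .reg text (UTF-16LE bytes, every character followed by 00).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,\
  63,00,3a,00,5c,00,77,00,69,00,6e,00,6e,00,74,00,5c,00,73,00,79,00,\
  73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,79,00,61,00,79,00,57,00,\
  51,00,49,00,61,00,61,00,00,00,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,00,00,00
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\((?P<type>[0-9a-fA-F]+)\):(?P<data>[0-9a-fA-F,]*)$')


def _join_continuations(text):
    """Rejoin regedit's backslash-wrapped hex lines into single logical lines."""
    out, buf = [], None
    for raw in text.splitlines():
        line = raw.rstrip() if buf is None else raw.strip()
        if line.endswith("\\"):
            buf = (buf or "") + line[:-1]
        else:
            out.append((buf or "") + line)
            buf = None
    if buf is not None:
        out.append(buf)
    return out


def parse_reg(text):
    """Return {key: {value_name: (type_id, raw_bytes)}} for hex-typed values."""
    result, key = {}, None
    for line in _join_continuations(text):
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            data = bytes(int(b, 16) for b in m.group("data").split(",") if b)
            result[key][m.group("name")] = (int(m.group("type"), 16), data)
    return result


def decode_multi_sz(data):
    """REG_MULTI_SZ bytes -> list of strings (UTF-16LE, NUL-separated, double-NUL end)."""
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


def encode_multi_sz(strings):
    """List of strings -> REG_MULTI_SZ bytes, including the final double NUL."""
    return ("".join(s + "\x00" for s in strings) + "\x00").encode("utf-16-le")


def format_hex_value(name, type_id, data, per_line=25):
    """Render a value the way regedit exports it: hex(N): with backslash continuations."""
    hexes = [f"{b:02x}" for b in data]
    chunks = [",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    first = f'"{name}"=hex({type_id:x}):'
    if len(chunks) <= 1:
        return first + (chunks[0] if chunks else "")
    lines = [first + chunks[0] + ",\\"]
    lines += ["  " + c + ",\\" for c in chunks[1:-1]]
    lines.append("  " + chunks[-1])
    return "\n".join(lines)


def find_unexpected_auth_packages(parsed):
    """Flag packages under ...\\Control\\Lsa that are not in EXPECTED_AUTH_PACKAGES."""
    findings = []
    for key, values in parsed.items():
        if not key.lower().endswith(r"\control\lsa"):
            continue
        entry = values.get("Authentication Packages")
        if entry is None:
            continue
        type_id, data = entry
        if type_id != REG_MULTI_SZ:           # a REG_SZ here is itself worth a look
            findings.append((key, f"<unexpected type hex({type_id:x})>"))
            continue
        for pkg in decode_multi_sz(data):
            if pkg.lower() not in EXPECTED_AUTH_PACKAGES:
                findings.append((key, pkg))
    return findings


def clean_auth_packages_line(parsed, key):
    """Build the replacement line, keeping only expected packages and the hex(7) type."""
    _, data = parsed[key]["Authentication Packages"]
    kept = [p for p in decode_multi_sz(data) if p.lower() in EXPECTED_AUTH_PACKAGES]
    return format_hex_value("Authentication Packages", REG_MULTI_SZ, encode_multi_sz(kept))


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for key, pkg in find_unexpected_auth_packages(parsed):
        print(f"suspicious package in [{key}]: {pkg}")
    lsa = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
    print(clean_auth_packages_line(parsed, lsa))
```

On the ControlSet001 vs CurrentControlSet point: CurrentControlSet is a link to whichever ControlSet00N the number in HKLM\SYSTEM\Select\Current names, so a fix written against CurrentControlSet lands in that numbered set; other ControlSet00x keys are separate copies and can still carry the old value, which is why comparing both in the SystemLook output is useful.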