#1
Posted 02 March 2008 - 11:43 PM
http://www.search-and-destroy.com/
Chaslang at Major Geeks found this one and did the initial analysis.
Whois Information: http://whois.domaint...and-destroy.com
Domains by Proxy
HijackThis:
O4 - HKCU\..\Run: [SearchAndDestroyMFC] C:\Program Files\Search And Destroy\Search And Destroy.exe
Once I get my test box up and running, I'll post some forensics. Spyberus isn't working right suddenly for some reason.
"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
#2
Posted 03 March 2008 - 12:47 AM
File SearchAndDestroy.exe received on 03.03.2008 01:34:45 (CET)
Result: 1/32 (3.13%)
Antivirus Version Last Update Result
AhnLab-V3 2008.2.29.1 2008.02.29 -
AntiVir 7.6.0.73 2008.03.02 -
Authentium 4.93.8 2008.03.02 -
Avast 4.7.1098.0 2008.03.02 -
AVG 7.5.0.516 2008.03.02 -
BitDefender 7.2 2008.03.03 -
CAT-QuickHeal 9.50 2008.03.01 -
ClamAV 0.92.1 2008.03.02 -
DrWeb 4.44.0.09170 2008.03.02 -
eSafe 7.0.15.0 2008.02.28 -
eTrust-Vet 31.3.5574 2008.02.29 -
Ewido 4.0 2008.03.02 -
FileAdvisor 1 2008.03.03 -
Fortinet 3.14.0.0 2008.03.02 -
F-Prot 4.4.2.54 2008.03.02 -
F-Secure 6.70.13260.0 2008.03.01 -
Ikarus T3.1.1.20 2008.03.03 -
Kaspersky 7.0.0.125 2008.03.03 not-a-virus:FraudTool.Win32.MalwarePro.b
McAfee 5242 2008.02.29 -
Microsoft 1.3301 2008.03.03 -
NOD32v2 2914 2008.03.02 -
Norman 5.80.02 2008.02.29 -
Panda 9.0.0.4 2008.03.02 -
Prevx1 V2 2008.03.03 -
Rising 20.33.62.00 2008.03.02 -
Sophos 4.27.0 2008.03.03 -
Sunbelt 3.0.906.0 2008.02.28 -
Symantec 10 2008.03.02 -
TheHacker 6.2.92.231 2008.03.02 -
VBA32 3.12.6.2 2008.02.27 -
VirusBuster 4.3.26:9 2008.03.02 -
Webwasher-Gateway 6.6.2 2008.03.02 -
Additional information
File size: 3753322 bytes
MD5: 2fd5dd83086983559a444451cc06b255
SHA1: 34b1a884aedba8e01aa6716550084d4c94264ae1
PEiD: Armadillo v1.71
Forensics to follow. Got the problem with SpyBerus resolved.
#3
Posted 03 March 2008 - 01:27 AM
Registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2\\DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2\\NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2\\NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2\\UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2\\Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2\\URLInfoAbout
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2\\HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2\\Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2\\DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2\\DisplayIcon

C:\WINDOWS\Search And Destroy Setup Log.txt
C:\Program Files\Search And Destroy
C:\Program Files\Search And Destroy\Uninstall
C:\Program Files\Search And Destroy\Uninstall\uninstall.dat
C:\WINDOWS\Search And Destroy
C:\WINDOWS\Search And Destroy\uninstall.exe
C:\Program Files\Search And Destroy\Search And Destroy.exe

Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\SearchAndDestroyMFC
HKCU\Software\MPMFC1
HKCU\Software\MPMFC1\\NumBugs
HKCU\Software\MPMFC1\\StartAtWindowsStartup
HKCU\Software\MPMFC1\\Scanned

C:\Documents and Settings\%UserProfile%\Start Menu\Programs\Search And Destroy
C:\Documents and Settings\All Users\Start Menu\Programs\Search And Destroy
C:\Documents and Settings\%UserProfile%\Desktop\Search And Destroy.lnk
C:\Documents and Settings\All Users\Desktop\Search And Destroy.lnk
C:\Documents and Settings\%UserProfile%\Start Menu\Programs\Search And Destroy\Search And Destroy.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Search And Destroy\Search And Destroy.lnk
C:\Program Files\Search And Destroy\Uninstall\IRIMG1.JPG
C:\Program Files\Search And Destroy\Uninstall\IRIMG2.JPG
C:\Program Files\Search And Destroy\Uninstall\IRIMG3.JPG
C:\Documents and Settings\%UserProfile%\Start Menu\Programs\Search And Destroy\Uninstall Search And Destroy.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\Search And Destroy\Uninstall Search And Destroy.lnk
C:\Program Files\Search And Destroy\Uninstall\uninstall.xml

NOTES: Shortcuts are made available to either "Current User" or "All Users" based on user input during installation.
EDIT: Left a shortcut off. Corrected
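An added example, not code from anyone in this thread: a small Python matcher for the indicators posted above (the O4 autorun entry from #1, the MD5/SHA1 from the VirusTotal report in #2, and the registry keys and file paths from #3). It parses HijackThis O4 lines and .reg export key headers, normalises hive names and case so the two formats compare equal to the listed keys, and reports each hit. The HijackThis and .reg excerpts embedded in it are constructed sample input (the benign entries are filler), and the function names are my own.

```python
"""Offline matcher for the Search And Destroy indicators posted in this thread.

Added example, not code from any of the posters. The IOC sets are copied from
posts #1-#3; the HijackThis/.reg excerpts at the bottom are constructed.
"""
import hashlib
import re

# Indicators from the thread, lower-cased for comparison.
IOC_RUN_VALUES = {"searchanddestroymfc"}  # post #1, O4 line
IOC_REG_KEYS = {  # post #3
    r"hkcu\software\mpmfc1",
    r"hkcu\software\microsoft\windows\currentversion\run\searchanddestroymfc",
    r"hklm\software\microsoft\windows\currentversion\uninstall\search and destroy5.2",
}
IOC_FILES = {  # post #3
    r"c:\program files\search and destroy\search and destroy.exe",
    r"c:\windows\search and destroy\uninstall.exe",
    r"c:\windows\search and destroy setup log.txt",
}
IOC_MD5 = {"2fd5dd83086983559a444451cc06b255"}  # post #2, VirusTotal
IOC_SHA1 = {"34b1a884aedba8e01aa6716550084d4c94264ae1"}

# Hive names as written in .reg exports -> the short forms HijackThis uses.
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu",
         "hkey_users": "hku", "hkey_classes_root": "hkcr"}

# "O4 - HKCU\..\Run: [ValueName] C:\path\to\program.exe /args"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def normalize_key(key: str) -> str:
    """Lower-case a registry path and shorten its hive so a .reg header like
    [HKEY_CURRENT_USER\\Software\\MPMFC1] compares equal to the listed key."""
    key = key.strip().strip("[]").lower()
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive, hive) + sep + rest


def exe_from_command(cmd: str) -> str:
    """Pull the executable out of a Run value: quoted path, or (as in the O4
    line in post #1) an unquoted path with spaces, cut after the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[:m.end()] if m else cmd.split()[0]


def parse_o4(line: str):
    """(full value path, value name, exe path), lower-cased, for an O4 line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    # HijackThis abbreviates Software\Microsoft\Windows\CurrentVersion as "..".
    key = m["hive"] + r"\Software\Microsoft\Windows\CurrentVersion" + "\\" + m["key"]
    value = m["name"].strip()
    return (normalize_key(key + "\\" + value), value.lower(),
            exe_from_command(m["cmd"]).lower())


def scan_text(text: str) -> list:
    """Check O4 lines, .reg key headers and bare paths against the IOC sets."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        parsed = parse_o4(line)
        if parsed:
            key, value, exe = parsed
            if value in IOC_RUN_VALUES or key in IOC_REG_KEYS:
                findings.append("autorun value: " + line)
            if exe in IOC_FILES:
                findings.append("autorun target is a listed file: " + exe)
        elif line.startswith("[") and line.endswith("]"):
            key = normalize_key(line)
            if key in IOC_REG_KEYS or any(key.startswith(k + "\\") for k in IOC_REG_KEYS):
                findings.append("registry key: " + line)
        elif line.lower() in IOC_FILES:
            findings.append("file path: " + line)
    return findings


def digest_on_list(md5: str = "", sha1: str = "") -> bool:
    """True if either hex digest is one of the hashes from the VT report."""
    return md5.lower() in IOC_MD5 or sha1.lower() in IOC_SHA1


def hash_bytes(data: bytes) -> dict:
    """Hash file contents and say whether they match the reported sample."""
    md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
    return {"md5": md5, "sha1": sha1, "hit": digest_on_list(md5, sha1)}


# Constructed sample input (not a real capture); the other entries are filler.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [SearchAndDestroyMFC] C:\Program Files\Search And Destroy\Search And Destroy.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\MPMFC1]
"StartAtWindowsStartup"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Search And Destroy5.2]
"DisplayName"="Search And Destroy"
"""

if __name__ == "__main__":
    for hit in scan_text(SAMPLE_HJT) + scan_text(SAMPLE_REG):
        print(hit)
```

The hive-name normalisation is the part worth copying: a HijackThis log writes `HKCU\..\Run`, a .reg export writes `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run`, and a straight string compare between the two misses the entry.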
#4
Posted 03 March 2008 - 02:46 PM
These as well:
http://malwarepro.org/
http://antitrojan-pro.com/
http://www.adwarepro.org/
http://www.spyware-sweeper.com/
http://www.spywarepro.org/
http://www.antivirus-pro.org/
#5
Posted 08 March 2008 - 08:28 PM
http://www.virustotal.com/analisis/b6fa49c...245b2f50a60f8cd
Result: 4/31
Nice to see MBAM removes this trash completely.
#6
Posted 11 March 2008 - 03:15 AM