Malware Infects Baseline Analysis

Page 1 of 48

Name: Allen GalvanDue: 27 October 2005CSFI 214: Information Security Systems Analysis – Fall 2005Lab #1: Malware

Last printed 10/26/2005 1:43:00 AM Page 1

Page 2 of 48

Lab Report Instructions..........................................................................................................3Report Observations and Findings.........................................................................................4

Baseline..........................................................................................................................4Post-Baseline Firefox.....................................................................................................4Post-Baseline IE.............................................................................................................4Conclusions....................................................................................................................5

Appendix................................................................................................................................7Baseline..................................................................................................................................8

B01.AutoRuns Baseline (Startup Programs)..................................................................8B02.Current Installed Programs Baseline......................................................................9B03.Processes.Baseline................................................................................................10B04.Hijack This Baseline (Registry, for hacker activity)............................................11B05.TCPView.Baseline (Data Error Capturing Data).................................................12B06.TDIMon.Baseline.txt (Tcp/Udp activity).............................................................13B07.Rootkit Revealer Baseline (blank page, no rootkit found)...................................14B09.Process Explorer.Baseline.txt...............................................................................16B10.RegMon.Baseline.txt (Applications accessing Registry).....................................17B11.Add-Remove Programs Baseline.........................................................................18

Post-Baseline Firefox...........................................................................................................19C01.TCPView Firefox Google (Data Error Capturing Data)......................................19C02.TCPView Firefox Spyware Sites.txt....................................................................20C03.Autoruns.Firefox.post-Baseline.txt......................................................................21C04.Currently Installed Programs Firefox Post-Baseline............................................22C05.Processes Firefox Post-Baseline...........................................................................23C06.Hijack This Firefox Post-Baseline.txt..................................................................24C07.TCPView Firefox Post-Baseline.txt.....................................................................25C08.TDIMon.Firefox.Post-Baseline.txt.......................................................................26C09.Rootkit Revealer Firefox Post-Baseline.txt (blank page, no rootkit found).........27C10.Process.Explorer.Firefox.Post-line.txt..................................................................28

Post-Baseline IE...................................................................................................................29D01.TCPView.IE.Google.txt.......................................................................................29D02.TCPView.IE.Spyware.Sites.txt............................................................................30D03Autoruns.IE.Post-Baseline.txt (Startup Spyware).................................................31D04.Currently Installed Programs IE post-Baseline.bmp (Spyware)..........................32D05.Processes IE Post-Baseline.bmp..........................................................................34D06.Hijack This IE Post Baseline.txt..........................................................................35D07.TCPView IE Post Baseline.txt (missing screen shot)..........................................36D08.TDIMon IE Post Baseline.txt...............................................................................37D09.Rootkit Revealer IE Post-Baseline.txt (blank page, no rootkit found).................39D10.Process Explorer IE Post-Baseline.txt..................................................................40D12.Add-Remove Programs IE Post-Baseline.bmp (Malware)..................................44D13.Spybot IE Post-Baseline.bmp (unresolved Spyware)..........................................45


Page 3 of 48

Lab Report Instructions

This lab has a series of questions that you will answer to demonstrate that you have done the tutorial & understand the main concepts.

Each student will hand in a printed copy of the lab report next lab class with the answers to each question.

The lab report will also be submitted electronically (E-mailed to the instructor – due on the day of the next lab).

The main body of the lab report should be no more than 2 pages long (max).

What are your observations? What are your findings? How does Firefox compare to IE? How is the Baseline used? What are the differences? Why are there differences?

All of the supporting data & screen shots should be placed in the appendix. This appendix could be very long. Some output files could be very long. In the printed lab report, only include the first few pages.

Each output file should be clearly labeled to indicate what it is.

Part-II

Verify that the Anti-Virus software is working. Use the EICAR test file. Download the .TXT & .ZIP files.

Any differences in behavior between the 2 file types?

Turn off the Anti-Virus software. Download the .TXT & .ZIP files. What happened? Any differences in behavior between the 2 file types?

Turn on the Anti-Virus software. Try opening one of the test files. What happened?


Page 4 of 48

Report Observations and Findings

The purpose of this exercise was to find out what happens when one surfs the web in a secure manner, and compare that with surfing the web in an insecure manner.

Baseline

The Baseline refers to the documentation of the original state of the system, as it was before the surfing tests began. If variants to the system Baseline occurred, the prior surfing behavior was noted, and likely conclusions were inferred.

The “B02.Current Installed Programs Baseline” Screen (p. 8), and the “B11.Add-Remove Programs Baseline” Screen (p. 20), both showed only 4 programs installed.

“B07.Rootkit.Revealer.Baseline” screen on page 15 indicated that no Rootkits were installed.

“B08.Spybot.Baseline” screen on page 16 indicated no Spyware was detected.

Post-Baseline Firefox

I surfed bad peer-to-peer web sites like www.Kazaa.com using Firefox off (means what?), and the system integrity was maintained. No rootkits were indicated by “C09.Rootkit Revealer Firefox Post-Baseline.txt” screen on page 31.

The “C04.Currently Installed Programs Firefox Post-Baseline” Screen (p. 23) showed only 4 programs installed. These results also did not differ from the Baseline observations. There were no changes.

Post-Baseline IE

I surfed bad peer-to-peer web sites like www.Kazaa.com using IE on (means what?), and the system got infected with Spyware as indicated on “D13.Spybot-IE Post-Baseline.bmp” (p. 30), “D03.Autoruns.IE.Post-Baseline.txt” (p. 35), “D04.Currently Installed Program IE post-Baseline.bmp” (p. 37), and “D12.Add-Remove Programs IE Post-Baseline.bmp” (p. 49)

Also, the computer started misbehaving in an unpredictable manner: Ads just popped up in the IE browser, without any user acitivity on the computer. When I tried to remove one of the programs that I did not install, the Add-Remove

screen froze, & I had to kill the process using Process Explorer to abnormally exit the process. When I brought the Add-Remove screen back up, the program was successfully removed.

When I tried to remove another program that I did not install, it prompted me for a code. This behavior was not normal. It never happened before.


http://www.Kazaa.com/

http://www.Kazaa.com/

Page 5 of 48

Spybot found numerous Spyware infection as indicated on “D13.Spybot-IE Post-Baseline.bmp” screen on page 30. When I tried to clean or remove the Spyware, some of the Spyware instances, persisted, and could not be removed.

No rootkits were indicated by “D09.Rootkit Revealer IE Post-Baseline.txt” on page 44.

Conclusions

The control state of the computer is the Baseline state. It is regarding this control state, from which the experiment compares changes and their impact on the integrity of the computer system.

The Baseline showed only 4 programs installed, as indicated by “B02.Current Installed Programs Baseline” Screen (p. 8), and the “B11.Add-Remove Programs Baseline” Screen (p. 20). When I surfed using Firefox, the same programs were shown to be installed, (the same as the Baseline), which was indicated by the “C04.Currently Installed Programs Firefox Post-Baseline” Screen (p. 23). This indicated that surfing the web using Firefox was secure.

However, other unauthorized programs were installed after using IE, as indicated by “D04.Currently Installed Program IE post-Baseline.bmp” (p. 37), and “D12.Add-Remove Programs IE Post-Baseline.bmp” (p. 49). This indicated that surfing with IE was insecure.

The evidence indicates that I was able to surf in a relatively secure manner using the Firefox browser. “B07.Rootkit.Revealer.Baseline” screen on page 15 indicated that no Rootkits were installed. “B08.Spybot.Baseline” screen on page 16 indicated no Spyware was detected.

All the unauthorized activity occurred Post-Baseline IE.

There was more unauthorized TCP/IP activity, indicated on D02.TCPView.IE.Spyware.Sites.txt.

There were more unauthorized processes and higher cpu activity indicated on D03.Autoruns.IE.Post-Baseline.txt, D04.Currently Installed Programs IE post-Baseline.bmp, D05.Processes IE post-Baseline.bmp, D10.Process Explorer IE Post-Baseline.txt

There were unauthorized programs that Spybot could not remove, as detailed on page D13.Spybot IE Post-Baseline.bmp.

Also the evidence indicates that I was not able to surf the web in a secure manner using Internet Explorer (IE), since Spybot found a number of installed Spyware programs. The computer also began to act erratically. “C09.Rootkit Revealer Firefox Post-Baseline.txt” screen on page 31 indicated no rootkits.


Page 6 of 48

Ultimately, in no case did Rootkit Revealer indicate the existence of any rootkits. It appears that this experiment did not install any rootkits. There is a possibility that there may exist a rootkit that was hidden from Rootkit Revealer.

Based on the findings of this experiment, I would prefer and recommend to surf the web using Firefox, as a more secure browser than Internet Explorer.

From personal experience, the McAfee Anti-virus software found the EICAR test virus to verify it was working. McAfee did not find the EICAR test virus when it was zipped. The McAfee anti-virus software scan did not find the Spyware that Spybot could not eliminate. Anti-malware programs do not provide adequate protection.


Page 7 of 48

Appendix


Page 8 of 48

Baseline

B01.AutoRuns Baseline (Startup Programs)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

+ VMware Tools VMwareTray(Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwaretray.exe

+ VMware User Process VMwareUser (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwareuser.exe

HKLM\System\CurrentControlSet\Services

+ VMTools Provides support for synchronizing objects between the host and guest operating systems. (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwareservice.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

+ Display Panning CPL Extension File not found: deskpan.dll

HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls

+ DllDirectory c:\winnt\system32

HKCU\Control Panel\Desktop\Scrnsave.exe

+ (NONE) File not found: (NONE)


Page 9 of 48

B02.Current Installed Programs Baseline

The above illustrates the programs that were initially installed, before any malicious activity ensued.


Page 10 of 48

B03.Processes.Baseline


Page 11 of 48

B04.Hijack This Baseline (Registry, for hacker activity)

Logfile of HijackThis v1.99.1Scan saved at 8:57:33 PM, on 9/6/2005Platform: Windows 2000 (WinNT 5.00.2195)MSIE: Internet Explorer v5.00 (5.00.2920.0000)

Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\WINNT\System32\svchost.exeC:\WINNT\system32\regsvc.exeC:\WINNT\system32\MSTask.exeC:\Program Files\VMware\VMware Tools\VMwareService.exeC:\WINNT\Explorer.exeC:\Program Files\VMware\VMware Tools\VMwareTray.exeC:\Program Files\VMware\VMware Tools\VMwareUser.exeE:\VMwareShared\autoruns.exeC:\WINNT\System32\taskmgr.exeE:\VMwareShared\HijackThis.exe

O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exeO4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exeO4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logonO23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe


Page 12 of 48

B05.TCPView.Baseline (Data Error Capturing Data)

ÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔ


Page 13 of 48

B06.TDIMon.Baseline.txt (Tcp/Udp activity)

1 0.00000000 VMwareService.e:8144AB28 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX

2 0.00031121 VMwareService.e:8144AB28 IRP_MJ_DEVICE_CONTROL TCP:<none>SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX

3 0.00038301 VMwareService.e:81375668 IRP_MJ_DEVICE_CONTROL TCP:<none>SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX




























Page 14 of 48

B07.Rootkit Revealer Baseline (blank page, no rootkit found)

The above illustrates that the tool Rootkit revealer, is blank, because no rootkits were found. Although there is a possibility that rootkits could still be installed, but Rootkit Reveler didn’t find them.


Page 15 of 48

B08.Spybot Baseline (Spyware Remover)


Page 16 of 48

B09.Process Explorer.Baseline.txt

Process PID CPU Description Company NameSystem Idle Process 0 100.00 Interrupts n/a Hardware Interrupts DPCs n/a Deferred Procedure Calls System 8 smss.exe 140 Windows NT Session Manager

Microsoft Corporation csrss.exe 164 Client Server Runtime Process

Microsoft Corporation winlogon.exe 184 Windows NT Logon Application

Microsoft Corporation services.exe 212 Services and Controller app

Microsoft Corporation svchost.exe 384 Generic Host Process for Win32 Services

Microsoft Corporation SPOOLSV.EXE 416 Spooler SubSystem App


Microsoft Corporation regsvc.exe 496 Remote Registry Service

Microsoft Corporation mstask.exe 520 Task Scheduler Engine

Microsoft Corporation VMwareService.e 580 VMware Tools Service

VMware, Inc. lsass.exe 224 LSA Executable and Server DLL (Export Version)

Microsoft Corporation taskmgr.exe 692 Windows TaskManager

Microsoft Corporationexplorer.exe704 Windows Explorer Microsoft Corporation VMwareTray.exe 760 VMwareTray VMware, Inc. VMwareUser.exe 780 VMwareUser VMware, Inc. autoruns.exe 844 Autostart program viewer

Sysinternals - www.sysinternals.com HijackThis.exe 852 HijackThis

Soeperman Enterprises Ltd. firefox.exe 672 Firefox Mozilla procexp.exe 840 Sysinternals Process Explorer

Sysinternals

Process: Procexp Pid: -2

Type Name


Page 17 of 48

B10.RegMon.Baseline.txt (Applications accessing Registry)

1 1.96351099 Regmon.exe:836 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes SUCCESS Access: 0x20019 2 1.96390235 Regmon.exe:836 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma NOT FOUND3 1.96415102 Regmon.exe:836 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes SUCCESS4 2.03640127 Regmon.exe:836 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND5 2.03652668 Regmon.exe:836 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1 6 2.03655314 Regmon.exe:836 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood NOT FOUND7 2.03659463 Regmon.exe:836 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS8 2.03663611 Regmon.exe:836 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND9 2.03666997 Regmon.exe:836 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1 10 2.03669119 Regmon.exe:836 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon NOT FOUND11 2.03671908 Regmon.exe:836 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS12 2.03681421 Regmon.exe:836 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Regmon.exe NOT FOUND13 2.03692174 Regmon.exe:836 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND14 2.03695560 Regmon.exe:836 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1 15 2.03697419 Regmon.exe:836 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups NOT FOUND16 2.03700423 Regmon.exe:836 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS17 2.03710175 Regmon.exe:836 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D} NOT FOUND18 2.03732586 Regmon.exe:836 QueryKey HKCU\CLSID SUCCESS Name: \REGISTRY\USER\S-1-5-21-484763869-1085031214-839522115-500_Classes\CLSID19 2.03746939 Regmon.exe:836 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 NOT FOUND20 2.03754115 Regmon.exe:836 OpenKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Access: 0x2000000 21 2.03766656 Regmon.exe:836 QueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer3222 2.03777146 Regmon.exe:836 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32 NOT FOUND23 2.03802896 Regmon.exe:836 QueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default) SUCCESS "%SystemRoot%\system32\shell32.dll"24 2.03806305 Regmon.exe:836 QueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer3225 2.03811383 Regmon.exe:836 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32 NOT FOUND26 2.03813267 Regmon.exe:836 QueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\LoadWithoutCOM NOT FOUND27 2.03817320 Regmon.exe:836 CloseKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS28 2.03824568 Regmon.exe:836 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND29 2.03828311 Regmon.exe:836 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1 30 2.03830242 Regmon.exe:836 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders NOT FOUND31 2.03833055 Regmon.exe:836 CloseKey HKCU\Software\Microsoft\Windows\

CurrentVersion\Policies\Explorer SUCCESS


Page 18 of 48

B11.Add-Remove Programs Baseline


Page 19 of 48

Post-Baseline Firefox

C01.TCPView Firefox Google (Data Error Capturing Data)

ÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔÈÐÔ


Page 20 of 48

C02.TCPView Firefox Spyware Sites.txt

svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENINGSystem:8 TCP vmware-afi1cid5:microsoft-ds vmware-afi1cid5:0 LISTENINGmstask.exe:520 TCP vmware-afi1cid5:1025 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1029 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1065 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1028 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1028 localhost:1029 ESTABLISHEDfirefox.exe:672 TCP vmware-afi1cid5:1029 localhost:1028 ESTABLISHEDSystem:8 TCP vmware-afi1cid5:netbios-ssn vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1065 66.70.68.147:http ESTABLISHEDSystem:8 TCP vmware-afi1cid5:1080 cdn.fastclick.net:http TIME_WAITSystem:8 TCP vmware-afi1cid5:1093 cdn.fastclick.net:http TIME_WAITSystem:8 TCP vmware-afi1cid5:1099 cdn.fastclick.net:http TIME_WAITSystem:8 TCP vmware-afi1cid5:1111 cdn.fastclick.net:http TIME_WAITfirefox.exe:672 TCP vmware-afi1cid5:1123 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1123 66.70.68.147:http ESTABLISHEDsvchost.exe:384 UDP vmware-afi1cid5:epmap *:*System:8 UDP vmware-afi1cid5:microsoft-ds *:*services.exe:212 UDP vmware-afi1cid5:1026 *:*System:8 UDP vmware-afi1cid5:netbios-ns *:*System:8 UDP vmware-afi1cid5:netbios-dgm *:*lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*


Page 21 of 48

C03.Autoruns.Firefox.post-Baseline.txt


+ VMware Tools VMwareTray (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwaretray.exe











Page 22 of 48

C04.Currently Installed Programs Firefox Post-Baseline


Page 23 of 48

C05.Processes Firefox Post-Baseline


Page 24 of 48

C06.Hijack This Firefox Post-Baseline.txt


Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\WINNT\System32\svchost.exeC:\WINNT\system32\regsvc.exeC:\WINNT\system32\MSTask.exeC:\Program Files\VMware\VMware Tools\VMwareService.exeC:\WINNT\Explorer.exeC:\Program Files\VMware\VMware Tools\VMwareTray.exeC:\Program Files\VMware\VMware Tools\VMwareUser.exeC:\Program Files\Mozilla Firefox\firefox.exeE:\VMwareShared\Tcpview.exeE:\VMwareShared\autoruns.exeE:\VMwareShared\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.qsrch.com/O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exeO4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exeO4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logonO16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cabO23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe

The above illustrates a clean system.


Page 25 of 48

C07.TCPView Firefox Post-Baseline.txt

svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENINGSystem:8 TCP vmware-afi1cid5:microsoft-ds vmware-afi1cid5:0 LISTENINGmstask.exe:520 TCP vmware-afi1cid5:1025 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1029 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1065 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1123 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1133 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1148 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1028 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1028 localhost:1029 ESTABLISHEDfirefox.exe:672 TCP vmware-afi1cid5:1029 localhost:1028 ESTABLISHEDSystem:8 TCP vmware-afi1cid5:netbios-ssn vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1065 66.70.68.147:http ESTABLISHEDfirefox.exe:672 TCP vmware-afi1cid5:1123 66.70.68.147:http ESTABLISHEDfirefox.exe:672 TCP vmware-afi1cid5:1133 cdn.fastclick.net:http ESTABLISHEDfirefox.exe:672 TCP vmware-afi1cid5:1148 208.53.131.181:http ESTABLISHEDfirefox.exe:672 TCP vmware-afi1cid5:1169 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1169 208.53.131.181:http ESTABLISHEDfirefox.exe:672 TCP vmware-afi1cid5:1170 vmware-afi1cid5:0 LISTENINGfirefox.exe:672 TCP vmware-afi1cid5:1170 208.53.131.181:http ESTABLISHEDsvchost.exe:384 UDP vmware-afi1cid5:epmap *:*System:8 UDP vmware-afi1cid5:microsoft-ds *:*services.exe:212 UDP vmware-afi1cid5:1026 *:*System:8 UDP vmware-afi1cid5:netbios-ns *:*System:8 UDP vmware-afi1cid5:netbios-dgm *:*lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*


Page 26 of 48

C08.TDIMon.Firefox.Post-Baseline.txt

1 0.00000000 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX2 0.00031568 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX3 0.00036429 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX4 0.25002870 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX5 0.25010553 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX6 0.25028069 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX7 0.25033936 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX8 0.25038517 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX9 0.25045306 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX10 0.25049022 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX11 0.25052430 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX12 0.25055782 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX13 0.25061593 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX14 0.25064890 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX15 0.25068186 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX16 0.25072544 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX17 0.25118332 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX18 0.25123221 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX19 0.25129646 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX20 0.25134787 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX21 0.25139201 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX22 0.25145710 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX23 0.25149118 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX24 0.25152498 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX25 0.25155851 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX26 0.25159762 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX27 0.25163030 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX28 0.25166355 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX29 0.25170378 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROL

TCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX


Page 27 of 48


Page 28 of 48

C09.Rootkit Revealer Firefox Post-Baseline.txt (blank page, no rootkit found)

-Intentionally left blank, because no rootkit was found-


Page 29 of 48

C10.Process.Explorer.Firefox.Post-line.txt

Process PID CPU Description Company NameSystem Idle Process 0 96.88 Interrupts n/a Hardware Interrupts DPCs n/a Deferred Procedure Calls System 8 smss.exe 140 Windows NT Session Manager

Microsoft Corporation csrss.exe 164 Client Server Runtime Process

Microsoft Corporation winlogon.exe 184 1.56 Windows NT Logon Application

Microsoft Corporation services.exe 212 Services and Controller app


Microsoft Corporation SPOOLSV.EXE 416 Spooler SubSystem App


Microsoft Corporation regsvc.exe 496 Remote Registry Service

Microsoft Corporation mstask.exe 520 Task Scheduler Engine

Microsoft Corporation VMwareService.e 580 VMware Tools Service

VMware, Inc. lsass.exe 224 LSA Executable and Server DLL (Export Version)

Microsoft Corporationexplorer.exe704 Windows Explorer Microsoft Corporation VMwareTray.exe 760 VMwareTray VMware, Inc. VMwareUser.exe 780 VMwareUser VMware, Inc. Tcpview.exe 500 1.56 TCP/UDP endpoint viewer

Sysinternals firefox.exe 288 Firefox Mozilla procexp.exe 572 Sysinternals Process Explorer

Sysinternals


Type Name


Page 30 of 48

Post-Baseline IE

D01.TCPView.IE.Google.txt

svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENINGSystem:8 TCP vmware-afi1cid5:microsoft-ds vmware-afi1cid5:0 LISTENINGmstask.exe:520 TCP vmware-afi1cid5:1025 vmware-afi1cid5:0 LISTENINGSystem:8 TCP vmware-afi1cid5:1199 localhost:1198 TIME_WAITSystem:8 TCP vmware-afi1cid5:netbios-ssn vmware-afi1cid5:0 LISTENINGsvchost.exe:384 UDP vmware-afi1cid5:epmap *:*System:8 UDP vmware-afi1cid5:microsoft-ds *:*services.exe:212 UDP vmware-afi1cid5:1026 *:*System:8 UDP vmware-afi1cid5:netbios-ns *:*System:8 UDP vmware-afi1cid5:netbios-dgm *:*lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*IEXPLORE.EXE:836 UDP vmware-afi1cid5:1223 *:*


Page 31 of 48

D02.TCPView.IE.Spyware.Sites.txt

svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENINGSystem:8 TCP vmware-afi1cid5:microsoft-ds vmware-afi1cid5:0 LISTENINGmstask.exe:504 TCP vmware-afi1cid5:1025 vmware-afi1cid5:0 LISTENINGistsvc.exe:892 TCP vmware-afi1cid5:1204 vmware-afi1cid5:0 LISTENINGSystem:8 TCP vmware-afi1cid5:netbios-ssn vmware-afi1cid5:0 LISTENINGistsvc.exe:892 TCP vmware-afi1cid5:1204 216.127.33.119:http CLOSE_WAITsvchost.exe:384 UDP vmware-afi1cid5:epmap *:*System:8 UDP vmware-afi1cid5:microsoft-ds *:*services.exe:212 UDP vmware-afi1cid5:1026 *:*System:8 UDP vmware-afi1cid5:netbios-ns *:*System:8 UDP vmware-afi1cid5:netbios-dgm *:*lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*

The program istsvc.exe is a new program that indicates possible unauthorized acitivity.


Page 32 of 48

D03Autoruns.IE.Post-Baseline.txt (Startup Spyware)


+ BullsEye Network c:\program files\bullseye network\bin\bargains.exe+ Internet Optimizer c:\program files\internet optimizer\optimize.exe+ IST Service c:\program files\istsvc\istsvc.exe+ Power Scan PowerScan v1.1 c:\program files\power scan\powerscan.exe+ SurfAccuracy c:\program files\surfaccuracy\sacc.exe+ ugclljcm c:\winnt\system32\ugclljcm.exe+ VMware Tools VMwareTray (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwaretray.exe


+ Z9GwE c:\winnt\flswcpje.exe





HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

+ ADP UrlCatcher Class ADP Module (Not verified) eXact Advertising c:\winnt\system32\msbe.dll+ BAHelper Class BrowserHelperObject Module c:\program files\sidefind\sfbho.dll+ BHObj Class DyFuCA_BH Module c:\winnt\nem220.dll

HKLM\Software\Microsoft\Internet Explorer\Toolbar

+ È|Ûwÿÿÿÿåf ¤ƒÛw@ YourSiteBar c:\program files\yoursitebar\ysb.dll






Page 33 of 48

The initial conditions of this test regarding the only authorized installed programs were Mozilla Firefox, Sybot, and WMware Tools. All other activity is unauthorized. This means that all the other programs shown above were installed without the authorization of the user.


Page 34 of 48

D04.Currently Installed Programs IE post-Baseline.bmp (Spyware)

The initial conditions of this test regarding the only authorized installed programs were Mozilla Firefox, Sybot, and WMware Tools. All other activity is unauthorized. This means that all the other programs shown above were installed without the authorization of the user.For example, the above programs and program ISTsvc is a new program that indicates possible malicious or unauthorized activity.


Page 35 of 48


Page 36 of 48

D05.Processes IE Post-Baseline.bmp

The initial conditions of this test regarding the only authorized installed programs were Mozilla Firefox, Sybot, and WMware Tools. All other activity is unauthorized. This means that all the other programs shown above were installed without the authorization of the user.

Istsvc.exe, flswcpje.exe, SAcc.exe are all examples of process shown above that were installed without the user’s authorization.


Page 37 of 48

D06.Hijack This IE Post Baseline.txt


Running processes:C:\WINNT\System32\smss.exeC:\WINNT\system32\winlogon.exeC:\WINNT\system32\services.exeC:\WINNT\system32\lsass.exeC:\WINNT\system32\svchost.exeC:\WINNT\system32\spoolsv.exeC:\WINNT\System32\svchost.exeC:\WINNT\system32\regsvc.exeC:\WINNT\system32\MSTask.exeC:\Program Files\VMware\VMware Tools\VMwareService.exeC:\WINNT\Explorer.exeC:\Program Files\VMware\VMware Tools\VMwareTray.exeC:\Program Files\VMware\VMware Tools\VMwareUser.exeC:\Program Files\ISTsvc\istsvc.exeC:\WINNT\flswcpje.exeC:\Program Files\SurfAccuracy\SAcc.exeC:\Program Files\Internet Optimizer\optimize.exeC:\Program Files\BullsEye Network\bin\bargains.exeC:\WINNT\System32\ugclljcm.exeE:\VMwareShared\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.qsrch.com/R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem220.dllO2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dllO2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINNT\System32\msbe.dllO3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dllO4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exeO4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exeO4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logonO4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exeO4 - HKLM\..\Run: [Z9GwE] C:\WINNT\flswcpje.exeO4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exeO4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exeO4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exeO4 - HKLM\..\Run: [ugclljcm] C:\WINNT\System32\ugclljcm.exe


Page 38 of 48

O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dllO16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_1002245.cabO16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cabO23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe


Page 39 of 48

D07.TCPView IE Post Baseline.txt (missing screen shot)

-Intentionally left blank. Missing screen shot-


Page 40 of 48

D08.TDIMon IE Post Baseline.txt

1 0.00000000 VMwareService.e: 81481928 IRP_MJ_DEVICE_CONTROLTCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX





6 0.51692408 VMwareService.e: 814065E8 IRP_MJ_DEVICE_CONTROLTCP:<none> SUCCESS IOCTL_TCP_QUERY_INFORMATION_EX






















Page 41 of 48





Page 42 of 48

D09.Rootkit Revealer IE Post-Baseline.txt (blank page, no rootkit found)

-Intentionally left blank. Missing screen shot-


Page 43 of 48

D10.Process Explorer IE Post-Baseline.txt

Process PID CPU Description Company NameSystem Idle Process 0 100.00 Interrupts n/a Hardware Interrupts DPCs n/a Deferred Procedure Calls System 8 smss.exe 140 Windows NT Session Manager Microsoft Corporation csrss.exe 164 Client Server Runtime Process Microsoft Corporation winlogon.exe 184 Windows NT Logon Application Microsoft Corporation services.exe212 Services and Controller appMicrosoft Corporation svchost.exe 384 Generic Host Process for Win32 Services

Microsoft Corporation SPOOLSV.EXE 412 Spooler SubSystem App Microsoft Corporation svchost.exe 444 Generic Host Process for Win32 Services

Microsoft Corporation regsvc.exe 484 Remote Registry Service Microsoft Corporation mstask.exe504 Task Scheduler Engine Microsoft Corporation VMwareService.e 572 VMware Tools Service VMware, Inc. lsass.exe 224 LSA Executable and Server DLL (Export Version)

Microsoft Corporationexplorer.exe 712 Windows Explorer Microsoft Corporation VMwareTray.exe 760 VMwareTrayVMware, Inc. VMwareUser.exe 780 VMwareUser VMware, Inc. procexp.exe 640 Sysinternals Process Explorer Sysinternalsistsvc.exe 892flswcpje.exe 908SAcc.exe 940optimize.exe 1000bargains.exe 1096ugclljcm.exe 972


Type Name

The initial conditions of this test regarding the only authorized installed programs were Mozilla Firefox, Sybot, and WMware Tools. All other activity is unauthorized. This means that all the other programs shown above were installed without the authorization of the user.Above shows unauthorized processes.


Page 44 of 48

D11.RegMon IE Post-Baseline.txt1 0.97014344 istsvc.exe:892 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0x2 2 0.97070354 istsvc.exe:892 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IST Service SUCCESS "C:\Program Files\ISTsvc\istsvc.exe"3 0.97090244 istsvc.exe:892 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS4 0.97159195 istsvc.exe:892 QueryValue HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\EnableAutodial

SUCCESS 0x05 1.00403678 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND6 1.00424612 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1 7 1.00429749 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood NOT FOUND8 1.00463104 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS9 1.00468636 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND10 1.00473380 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1 11 1.00476038 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon NOT FOUND12 1.00479865 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS13 1.00492191 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Regmon.exe

NOT FOUND14 1.00502610 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND15 1.00507104 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1 16 1.00509703 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups NOT FOUND17 1.00513446 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS18 1.00523674 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}NOT FOUND19 1.00554395 Regmon.exe:1100 QueryKey HKCU\CLSID

SUCCESS Name: \REGISTRY\USER\S-1-5-21-484763869-1085031214-839522115-500_Classes\CLSID20 1.00571191 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 NOT FOUND


Page 45 of 48

21 1.00576580 Regmon.exe:1100 OpenKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Access: 0x2000000 22 1.00579965 Regmon.exe:1100 QueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer3223 1.00587201 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32 NOT FOUND24 1.00593376 Regmon.exe:1100 QueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default) SUCCESS

"%SystemRoot%\system32\shell32.dll"25 1.00597394 Regmon.exe:1100 QueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer3226 1.00603235 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32 NOT FOUND27 1.00605774 Regmon.exe:1100 QueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\LoadWithoutCOM NOT FOUND28 1.00609851 Regmon.exe:1100 CloseKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS29 1.00617003 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND30 1.00621557 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1 31 1.00624526 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders NOT FOUND32 1.00628102 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS33 1.00632870 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND34 1.00637233 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1 35 1.00644696 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel NOT FOUND36 1.00648320 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS37 1.00692403 Regmon.exe:1100 OpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x1 38 1.00698912 Regmon.exe:1100 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\AdditionalBaseNamedObjectsProtectionMode NOT FOUND39 1.00702739 Regmon.exe:1100 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS


Page 46 of 48

40 1.00717628 Regmon.exe:1100 OpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x20019 41 1.00722098 Regmon.exe:1100 QueryValue HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout SUCCESS

0x278D0042 1.00725758 Regmon.exe:1100 CloseKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS43 1.00805521 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOT FOUND44 1.00809801 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT\UserEra NOT FOUND45 1.00841975 Regmon.exe:1100 QueryKey HKCU SUCCESS

Name: \REGISTRY\USER\S-1-5-21-484763869-1085031214-839522115-500_Classes46 1.00846565 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 NOT FOUND


Page 47 of 48

D12.Add-Remove Programs IE Post-Baseline.bmp (Malware)


Page 48 of 48

D13.Spybot IE Post-Baseline.bmp (unresolved Spyware)

Spybot couldn’t eradicate the above unauthorized activity.


Technology

Malware Infects Baseline Analysis