Malware Infects Baseline Analysis
1. Page 1 of 46
Name: Allen Galvan
Due: 27 October 2005
CSFI 214: Information Security Systems Analysis – Fall 2005
Lab #1: Malware
Last printed 10/26/2005 1:43:00 a10/p10 Page 1
Lab Report Instructions
This lab has a series of questions that you will answer to demonstrate that you have done
the tutorial & understand the main concepts.
Each student will hand in a printed copy of the lab report next lab class with the answers to
each question.
The lab report will also be submitted electronically (E-mailed to the instructor – due on the
day of the next lab).
The main body of the lab report should be no more than 2 pages long (max).
• What are your observations?
• What are your findings?
• How does Firefox compare to IE?
• How is the Baseline used?
• What are the differences?
• Why are there differences?
All of the supporting data & screen shots should be placed in the appendix. This appendix
could be very long. Some output files could be very long. In the printed lab report, only
include the first few pages.
Each output file should be clearly labeled to indicate what it is.
Part-II
Verify that the Anti-Virus software is working. Use the EICAR test file. Download the
.TXT & .ZIP files.
• Any differences in behavior between the 2 file types?
Turn off the Anti-Virus software. Download the .TXT & .ZIP files.
• What happened?
• Any differences in behavior between the 2 file types?
Turn on the Anti-Virus software.
• Try opening one of the test files.
• What happened?
Report Observations and Findings
The purpose of this exercise was to find out what happens when one surfs the web in a
secure manner, and compare that with surfing the web in an insecure manner.
Baseline
The Baseline is the documented original state of the system, recorded before the surfing
tests began. Wherever a later state deviated from the Baseline, the surfing activity that
preceded the deviation was noted and the likely cause inferred.
• The “B02.Current Installed Programs Baseline” Screen (p. 8), and the “B11.Add-
Remove Programs Baseline” Screen (p. 20), both showed only 4 programs
installed.
• “B07.Rootkit.Revealer.Baseline” screen on page 15 indicated that no Rootkits were
installed.
• “B08.Spybot.Baseline” screen on page 16 indicated no Spyware was detected.
Post-Baseline Firefox
I surfed bad peer-to-peer web sites like www.Kazaa.com using Firefox off (means
what?), and the system integrity was maintained. No rootkits were indicated by
“C09.Rootkit Revealer Firefox Post-Baseline.txt” screen on page 31.
The “C04.Currently Installed Programs Firefox Post-Baseline” Screen (p. 23) showed only
4 programs installed. These results also did not differ from the Baseline observations.
There were no changes.
Post-Baseline IE
I surfed bad peer-to-peer web sites like www.Kazaa.com using IE on (means what?), and
the system got infected with Spyware as indicated on “D13.Spybot-IE Post-Baseline.bmp”
(p. 30), “D03.Autoruns.IE.Post-Baseline.txt” (p. 35), “D04.Currently Installed Program IE
post-Baseline.bmp” (p. 37), and “D12.Add-Remove Programs IE Post-Baseline.bmp” (p.
49).
Also, the computer started misbehaving in an unpredictable manner:
• Ads just popped up in the IE browser, without any user activity on the computer.
• When I tried to remove one of the programs that I did not install, the Add-Remove
screen froze, & I had to kill the process using Process Explorer to abnormally exit
the process. When I brought the Add-Remove screen back up, the program was
successfully removed.
• When I tried to remove another program that I did not install, it prompted me for a
code. This behavior was not normal. It never happened before.
Spybot found numerous Spyware infections, as indicated on the “D13.Spybot-IE Post-
Baseline.bmp” screen on page 30. When I tried to clean or remove the Spyware, some of
the Spyware instances persisted and could not be removed.
No rootkits were indicated by “D09.Rootkit Revealer IE Post-Baseline.txt” on page 44.
Conclusions
The Baseline is the control state of the computer. Every later state of the system is
compared against this control state to measure what changed and how the change affected
the integrity of the computer system.
The Baseline showed only 4 programs installed, as indicated by “B02.Current Installed
Programs Baseline” Screen (p. 8), and the “B11.Add-Remove Programs Baseline” Screen
(p. 20). When I surfed using Firefox, the same programs were shown to be installed, (the
same as the Baseline), which was indicated by the “C04.Currently Installed Programs
Firefox Post-Baseline” Screen (p. 23). This indicated that surfing the web using Firefox
was secure.
However, other unauthorized programs were installed after using IE, as indicated by
“D04.Currently Installed Program IE post-Baseline.bmp” (p. 37), and “D12.Add-Remove
Programs IE Post-Baseline.bmp” (p. 49). This indicated that surfing with IE was insecure.
The evidence indicates that I was able to surf in a relatively secure manner using the
Firefox browser. “B07.Rootkit.Revealer.Baseline” screen on page 15 indicated that no
Rootkits were installed. “B08.Spybot.Baseline” screen on page 16 indicated no Spyware
was detected.
All the unauthorized activity occurred Post-Baseline IE.
• There was more unauthorized TCP/IP activity, indicated on
D02.TCPView.IE.Spyware.Sites.txt.
• There were more unauthorized processes and higher cpu activity indicated on
D03.Autoruns.IE.Post-Baseline.txt, D04.Currently Installed Programs IE post-
Baseline.bmp, D05.Processes IE post-Baseline.bmp, D10.Process Explorer IE Post-
Baseline.txt
• There were unauthorized programs that Spybot could not remove, as detailed in
D13.Spybot IE Post-Baseline.bmp.
Also the evidence indicates that I was not able to surf the web in a secure manner using
Internet Explorer (IE), since Spybot found a number of installed Spyware programs. The
computer also began to act erratically. “C09.Rootkit Revealer Firefox Post-Baseline.txt”
screen on page 31 indicated no rootkits.
Ultimately, in no case did Rootkit Revealer indicate the existence of any rootkits. It
appears that this experiment did not install any rootkits. There is a possibility that there
may exist a rootkit that was hidden from Rootkit Revealer.
Based on the findings of this experiment, I would prefer and recommend surfing the web
with Firefox, as a more secure browser than Internet Explorer.
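The comparison the report performs by eye, Autoruns, Process Explorer and TCPView exports before and after the test, can be automated. The following is an added example and is not code from the lab or the course. The inputs it parses are constructed: trimmed copies of appendix items B01/D03, B09/D10 and D02 with the backslashes that were lost in extraction restored, so the same parsers can be pointed at real tool exports.

```python
# Added example (not part of the lab report): automate the baseline-versus-
# post-test comparison over the three text exports the report uses.  The
# sample exports are constructed: trimmed copies of B01/D03 (Autoruns),
# B09/D10 (Process Explorer) and D02 (TCPView) from the appendix.
import re
from typing import Dict, List, Set, Tuple

AUTORUNS_BASELINE = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ VMware Tools VMwareTray (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwaretray.exe
+ VMware User Process VMwareUser (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwareuser.exe
"""
AUTORUNS_POST = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ BullsEye Network c:\program files\bullseye network\bin\bargains.exe
+ Internet Optimizer c:\program files\internet optimizer\optimize.exe
+ IST Service c:\program files\istsvc\istsvc.exe
+ ugclljcm c:\winnt\system32\ugclljcm.exe
+ VMware Tools VMwareTray (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwaretray.exe
+ VMware User Process VMwareUser (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwareuser.exe
+ Z9GwE c:\winnt\flswcpje.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ ADP UrlCatcher Class ADP Module (Not verified) eXact Advertising c:\winnt\system32\msbe.dll
+ BHObj Class DyFuCA_BH Module c:\winnt\nem220.dll
"""
PROCEXP_BASELINE = """
smss.exe 140 Windows NT Session Manager Microsoft Corporation
explorer.exe 704 Windows Explorer Microsoft Corporation
firefox.exe 672 Firefox Mozilla
procexp.exe 840 Sysinternals Process Explorer Sysinternals
"""
PROCEXP_POST = """
smss.exe 140 Windows NT Session Manager Microsoft Corporation
explorer.exe 712 Windows Explorer Microsoft Corporation
procexp.exe 640 Sysinternals Process Explorer Sysinternals
istsvc.exe 892
flswcpje.exe 908
SAcc.exe 940
"""
TCPVIEW_POST = """
svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENING
istsvc.exe:892 TCP vmware-afi1cid5:1204 vmware-afi1cid5:0 LISTENING
istsvc.exe:892 TCP vmware-afi1cid5:1204 216.127.33.119:http CLOSE_WAIT
lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*
"""

KEY_LINE = re.compile(r"^HK(?:LM|CU|CR|U)\\", re.I)          # an autostart location
IMAGE_PATH = re.compile(r"([a-z]:\\.+\.(?:exe|dll|sys|cpl))\s*$", re.I)
PROCESS_LINE = re.compile(r"^(\S+\.exe)\s+(\d+)\b", re.I)    # "name PID ..."


def parse_autoruns(text: str) -> Dict[str, Set[str]]:
    """Autostart location -> set of image paths registered under it.
    Entries with no resolvable path ('File not found: x.dll') keep their text."""
    entries: Dict[str, Set[str]] = {}
    key = None
    for line in (raw.strip() for raw in text.splitlines()):
        if KEY_LINE.match(line):
            key = line
            entries.setdefault(key, set())
        elif line.startswith("+ ") and key is not None:
            m = IMAGE_PATH.search(line)
            entries[key].add((m.group(1) if m else line[2:]).lower())
    return entries


def diff_autoruns(baseline: str, post: str) -> List[Tuple[str, str]]:
    """Autostart images present after the test but absent at baseline."""
    before, after = parse_autoruns(baseline), parse_autoruns(post)
    return [(key, image) for key, images in after.items()
            for image in sorted(images - before.get(key, set()))]


def parse_processes(text: str) -> Set[str]:
    return {m.group(1).lower() for m in (PROCESS_LINE.match(raw.strip()) for raw in text.splitlines()) if m}


def diff_processes(baseline: str, post: str) -> List[str]:
    """Images running after the test but not at baseline.  Compare by name,
    not PID: PIDs are reassigned on every boot (explorer.exe 704 -> 712 above)."""
    return sorted(parse_processes(post) - parse_processes(baseline))


def remote_connections(tcpview: str, local_host: str) -> List[Tuple[str, int, str, str]]:
    """TCP rows whose remote side is another host: the 'who did it talk to'
    evidence.  LISTENING sockets and UDP wildcard rows are skipped."""
    found = []
    for parts in (raw.split() for raw in tcpview.splitlines()):
        if len(parts) != 5 or parts[1].upper() != "TCP":
            continue
        owner, _, _, remote, state = parts
        if state == "LISTENING" or remote.lower().startswith(local_host.lower() + ":"):
            continue
        name, pid = owner.rsplit(":", 1)
        found.append((name, int(pid), remote, state))
    return found


if __name__ == "__main__":
    for key, image in diff_autoruns(AUTORUNS_BASELINE, AUTORUNS_POST):
        print(f"new autostart  {key}  ->  {image}")
    print("new processes:", ", ".join(diff_processes(PROCEXP_BASELINE, PROCEXP_POST)))
    for name, pid, remote, state in remote_connections(TCPVIEW_POST, "vmware-afi1cid5"):
        print(f"remote connection  {name}:{pid} -> {remote} ({state})")
```

Run against the constructed samples it reports the five new Run-key images and two new Browser Helper Objects, the three new processes (flswcpje.exe, istsvc.exe, sacc.exe) and the one external connection (istsvc.exe to 216.127.33.119 on port 80). The process diff deliberately ignores PIDs and the autoruns diff is keyed by image path rather than entry name, because both the PID and the display name are the parts an installer or a reboot changes most easily.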
From personal experience, the McAfee Anti-virus software found the EICAR test virus to
verify it was working. McAfee did not find the EICAR test virus when it was zipped. The
McAfee anti-virus software scan did not find the Spyware that Spybot could not eliminate.
Anti-malware programs do not provide adequate protection.
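Part II of the instructions and the McAfee observation above turn on the same point: a scanner that matches signatures only against a file's raw bytes sees the EICAR string in eicar.com but not inside a deflated eicar.zip, because compression transforms the bytes. The following is an added example, not code from the report or from any anti-virus product. It builds the zip files in memory and uses a hypothetical one-signature scanner to show the difference, including the nested-archive and stored (uncompressed) cases.

```python
# Added example (not from the lab report): a minimal signature scanner that
# shows why a raw-bytes scanner catches eicar.com but misses a deflated
# eicar.zip.  Everything runs in memory; the zips are constructed here.
import io
import zipfile
from typing import List

# The public 68-byte EICAR test string, assembled at runtime so that this
# source file itself does not begin with the string and trip a real scanner.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
SIGNATURES = {"EICAR-Test-File": EICAR}   # hypothetical one-entry signature set
ZIP_MAGIC = b"PK\x03\x04"
MAX_MEMBER = 1_000_000   # refuse to inflate members larger than this (zip bombs)


def scan_bytes(data: bytes) -> List[str]:
    """Plain substring match against the raw bytes and nothing else."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def scan(data: bytes, inspect_archives: bool, depth: int = 0, max_depth: int = 3) -> List[str]:
    """Scan a blob; with inspect_archives=True also recurse into zip members.
    Deflate changes the byte stream, so without archive inspection the
    signature inside a compressed member is invisible to scan_bytes()."""
    hits = scan_bytes(data)
    if inspect_archives and depth < max_depth and data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER:
                    hits.append(f"oversized-member:{info.filename}")
                    continue
                hits += [f"{h} (in {info.filename})"
                         for h in scan(zf.read(info), True, depth + 1, max_depth)]
    return hits


def make_zip(name: str, payload: bytes, stored: bool = False) -> bytes:
    """One-member zip built in memory; stored=True leaves the member uncompressed."""
    buf = io.BytesIO()
    method = zipfile.ZIP_STORED if stored else zipfile.ZIP_DEFLATED
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    deflated = make_zip("eicar.com", EICAR)
    stored = make_zip("eicar.com", EICAR, stored=True)
    nested = make_zip("inner.zip", deflated)
    for label, blob in [("eicar.com", EICAR), ("eicar.zip (deflated)", deflated),
                        ("eicar.zip (stored)", stored), ("outer.zip", nested)]:
        print(f"{label:22} raw-only={scan(blob, False)}  archives={scan(blob, True)}")
```

The stored variant is the instructive edge case: a zip written without compression carries the member bytes verbatim, so even the raw-bytes scanner hits on it, while the deflated one is found only when the scanner opens the archive. Whether a product inspects archives, how deep, and with what size limits is exactly what the Part II exercise is probing.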
Appendix
Baseline
B01.AutoRuns Baseline (Startup Programs)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ VMware Tools VMwareTray (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwaretray.exe
+ VMware User Process VMwareUser (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwareuser.exe
HKLM\System\CurrentControlSet\Services
+ VMTools Provides support for synchronizing objects between the host and guest operating systems. (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwareservice.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Display Panning CPL Extension File not found: deskpan.dll
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
+ DllDirectory c:\winnt\system32
HKCU\Control Panel\Desktop\Scrnsave.exe
+ (NONE) File not found: (NONE)
B02.Current Installed Programs Baseline
The above illustrates the programs that were initially installed, before any malicious
activity ensued.
B03.Processes.Baseline
B04.Hijack This Baseline (Registry, for hacker activity)
Logfile of HijackThis v1.99.1
Scan saved at 8:57:33 PM, on 9/6/2005
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\WINNT\Explorer.exe
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
E:\VMwareShared\autoruns.exe
C:\WINNT\System32\taskmgr.exe
E:\VMwareShared\HijackThis.exe
O4 - HKLM\..\Run: [VMware Tools] C:\Program Files\VMware\VMware Tools\VMwareTray.exe
O4 - HKLM\..\Run: [VMware User Process] C:\Program Files\VMware\VMware Tools\VMwareUser.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
B05.TCPView.Baseline (Data Error Capturing Data)
B07.Rootkit Revealer Baseline (blank page, no rootkit found)
The Rootkit Revealer output above is blank because no rootkits were found. A rootkit
could still be present that Rootkit Revealer did not detect.
B08.Spybot Baseline (Spyware Remover)
B09.Process Explorer.Baseline.txt
Process PID CPU Description Company Name
System Idle Process 0 100.00
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 8
smss.exe 140 Windows NT Session Manager Microsoft Corporation
csrss.exe 164 Client Server Runtime Process Microsoft Corporation
winlogon.exe 184 Windows NT Logon Application Microsoft Corporation
services.exe 212 Services and Controller app Microsoft Corporation
svchost.exe 384 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 416 Spooler SubSystem App Microsoft Corporation
svchost.exe 460 Generic Host Process for Win32 Services Microsoft Corporation
regsvc.exe 496 Remote Registry Service Microsoft Corporation
mstask.exe 520 Task Scheduler Engine Microsoft Corporation
VMwareService.e 580 VMware Tools Service VMware, Inc.
lsass.exe 224 LSA Executable and Server DLL (Export Version) Microsoft Corporation
taskmgr.exe 692 Windows TaskManager Microsoft Corporation
explorer.exe 704 Windows Explorer Microsoft Corporation
VMwareTray.exe 760 VMwareTray VMware, Inc.
VMwareUser.exe 780 VMwareUser VMware, Inc.
autoruns.exe 844 Autostart program viewer Sysinternals - www.sysinternals.com
HijackThis.exe 852 HijackThis Soeperman Enterprises Ltd.
firefox.exe 672 Firefox Mozilla
procexp.exe 840 Sysinternals Process Explorer Sysinternals
B10.RegMon.Baseline.txt (Applications accessing Registry)
1 1.96351099 Regmon.exe:836 OpenKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes SUCCESS Access: 0x20019
2 1.96390235 Regmon.exe:836 QueryValue HKLM\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes\Tahoma NOT FOUND
3 1.96415102 Regmon.exe:836 CloseKey HKLM\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes SUCCESS
4 2.03640127 Regmon.exe:836 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
5 2.03652668 Regmon.exe:836 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
6 2.03655314 Regmon.exe:836 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood NOT FOUND
7 2.03659463 Regmon.exe:836 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
8 2.03663611 Regmon.exe:836 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
9 2.03666997 Regmon.exe:836 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
10 2.03669119 Regmon.exe:836 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon NOT FOUND
11 2.03671908 Regmon.exe:836 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
12 2.03681421 Regmon.exe:836 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Regmon.exe NOT FOUND
13 2.03692174 Regmon.exe:836 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
14 2.03695560 Regmon.exe:836 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
15 2.03697419 Regmon.exe:836 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups NOT FOUND
16 2.03700423 Regmon.exe:836 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
17 2.03710175 Regmon.exe:836 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D} NOT FOUND
18 2.03732586 Regmon.exe:836 QueryKey HKCU\CLSID SUCCESS Name: \REGISTRY\USER\S-1-5-21-484763869-1085031214-839522115-500_Classes\CLSID
19 2.03746939 Regmon.exe:836 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 NOT FOUND
20 2.03754115 Regmon.exe:836 OpenKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Access: 0x2000000
21 2.03766656 Regmon.exe:836 QueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32
22 2.03777146 Regmon.exe:836 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32 NOT FOUND
23 2.03802896 Regmon.exe:836 QueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default) SUCCESS "%SystemRoot%\system32\shell32.dll"
24 2.03806305 Regmon.exe:836 QueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32
25 2.03811383 Regmon.exe:836 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32 NOT FOUND
26 2.03813267 Regmon.exe:836 QueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\LoadWithoutCOM NOT FOUND
27 2.03817320 Regmon.exe:836 CloseKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS
28 2.03824568 Regmon.exe:836 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
29 2.03828311 Regmon.exe:836 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
30 2.03830242 Regmon.exe:836 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders NOT FOUND
31 2.03833055 Regmon.exe:836 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
B11.Add-Remove Programs Baseline
Post-Baseline Firefox
C01.TCPView Firefox Google (Data Error Capturing Data)
C09.Rootkit Revealer Firefox Post-Baseline.txt (blank page, no rootkit found)
-Intentionally left blank, because no rootkit was found-
C10.Process.Explorer.Firefox.Post-Baseline.txt
Process PID CPU Description Company Name
System Idle Process 0 96.88
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 8
smss.exe 140 Windows NT Session Manager Microsoft Corporation
csrss.exe 164 Client Server Runtime Process Microsoft Corporation
winlogon.exe 184 1.56 Windows NT Logon Application Microsoft Corporation
services.exe 212 Services and Controller app Microsoft Corporation
svchost.exe 384 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 416 Spooler SubSystem App Microsoft Corporation
svchost.exe 460 Generic Host Process for Win32 Services Microsoft Corporation
regsvc.exe 496 Remote Registry Service Microsoft Corporation
mstask.exe 520 Task Scheduler Engine Microsoft Corporation
VMwareService.e 580 VMware Tools Service VMware, Inc.
lsass.exe 224 LSA Executable and Server DLL (Export Version) Microsoft Corporation
explorer.exe 704 Windows Explorer Microsoft Corporation
VMwareTray.exe 760 VMwareTray VMware, Inc.
VMwareUser.exe 780 VMwareUser VMware, Inc.
Tcpview.exe 500 1.56 TCP/UDP endpoint viewer Sysinternals
firefox.exe 288 Firefox Mozilla
procexp.exe 572 Sysinternals Process Explorer Sysinternals
D02.TCPView.IE.Spyware.Sites.txt
svchost.exe:384 TCP vmware-afi1cid5:epmap vmware-afi1cid5:0 LISTENING
System:8 TCP vmware-afi1cid5:microsoft-ds vmware-afi1cid5:0 LISTENING
mstask.exe:504 TCP vmware-afi1cid5:1025 vmware-afi1cid5:0 LISTENING
istsvc.exe:892 TCP vmware-afi1cid5:1204 vmware-afi1cid5:0 LISTENING
System:8 TCP vmware-afi1cid5:netbios-ssn vmware-afi1cid5:0 LISTENING
istsvc.exe:892 TCP vmware-afi1cid5:1204 216.127.33.119:http CLOSE_WAIT
svchost.exe:384 UDP vmware-afi1cid5:epmap *:*
System:8 UDP vmware-afi1cid5:microsoft-ds *:*
services.exe:212 UDP vmware-afi1cid5:1026 *:*
System:8 UDP vmware-afi1cid5:netbios-ns *:*
System:8 UDP vmware-afi1cid5:netbios-dgm *:*
lsass.exe:224 UDP vmware-afi1cid5:isakmp *:*
The process istsvc.exe is new, and its CLOSE_WAIT connection to 216.127.33.119 on the
http port shows it has already exchanged traffic with an external host; this indicates
possible unauthorized activity.
D03.Autoruns.IE.Post-Baseline.txt (Startup Spyware)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ BullsEye Network c:\program files\bullseye network\bin\bargains.exe
+ Internet Optimizer c:\program files\internet optimizer\optimize.exe
+ IST Service c:\program files\istsvc\istsvc.exe
+ Power Scan PowerScan v1.1 c:\program files\power scan\powerscan.exe
+ SurfAccuracy c:\program files\surfaccuracy\sacc.exe
+ ugclljcm c:\winnt\system32\ugclljcm.exe
+ VMware Tools VMwareTray (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwaretray.exe
+ VMware User Process VMwareUser (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwareuser.exe
+ Z9GwE c:\winnt\flswcpje.exe
HKLM\System\CurrentControlSet\Services
+ VMTools Provides support for synchronizing objects between the host and guest operating systems. (Not verified) VMware, Inc. c:\program files\vmware\vmware tools\vmwareservice.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ Display Panning CPL Extension File not found: deskpan.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ ADP UrlCatcher Class ADP Module (Not verified) eXact Advertising c:\winnt\system32\msbe.dll
+ BAHelper Class BrowserHelperObject Module c:\program files\sidefind\sfbho.dll
+ BHObj Class DyFuCA_BH Module c:\winnt\nem220.dll
HKLM\Software\Microsoft\Internet Explorer\Toolbar
+ YourSiteBar c:\program files\yoursitebar\ysb.dll
HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
+ DllDirectory c:\winnt\system32
HKCU\Control Panel\Desktop\Scrnsave.exe
+ (NONE) File not found: (NONE)
The only authorized programs installed at the start of this test were Mozilla Firefox,
Spybot, and VMware Tools. All other activity is unauthorized: every other program shown
above was installed without the authorization of the user. Compared with the Baseline
(B01), the Run key has gained six entries, and three Browser Helper Objects and a toolbar
have been registered inside Internet Explorer.
D04.Currently Installed Programs IE post-Baseline.bmp (Spyware)
The programs shown above, ISTsvc among them, are new relative to the Baseline and
indicate possible malicious or unauthorized activity.
D05.Processes IE Post-Baseline.bmp
Istsvc.exe, flswcpje.exe and SAcc.exe are examples of processes shown above that were
installed without the user’s authorization.
D09.Rootkit Revealer IE Post-Baseline.txt (blank page, no rootkit found)
-Intentionally left blank. Missing screen shot-
D10.Process Explorer IE Post-Baseline.txt
Process PID CPU Description Company Name
System Idle Process 0 100.00
Interrupts n/a Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 8
smss.exe 140 Windows NT Session Manager Microsoft Corporation
csrss.exe 164 Client Server Runtime Process Microsoft Corporation
winlogon.exe 184 Windows NT Logon Application Microsoft Corporation
services.exe 212 Services and Controller app Microsoft Corporation
svchost.exe 384 Generic Host Process for Win32 Services Microsoft Corporation
SPOOLSV.EXE 412 Spooler SubSystem App Microsoft Corporation
svchost.exe 444 Generic Host Process for Win32 Services Microsoft Corporation
regsvc.exe 484 Remote Registry Service Microsoft Corporation
mstask.exe 504 Task Scheduler Engine Microsoft Corporation
VMwareService.e 572 VMware Tools Service VMware, Inc.
lsass.exe 224 LSA Executable and Server DLL (Export Version) Microsoft Corporation
explorer.exe 712 Windows Explorer Microsoft Corporation
VMwareTray.exe 760 VMwareTray VMware, Inc.
VMwareUser.exe 780 VMwareUser VMware, Inc.
procexp.exe 640 Sysinternals Process Explorer Sysinternals
istsvc.exe 892
flswcpje.exe 908
SAcc.exe 940
optimize.exe 1000
bargains.exe 1096
ugclljcm.exe 972
The listing above shows the unauthorized processes: istsvc.exe, flswcpje.exe, SAcc.exe,
optimize.exe, bargains.exe and ugclljcm.exe carry no description or company name and
were not present in the Baseline listing (B09).
D11.RegMon IE Post-Baseline.txt
1 0.97014344 istsvc.exe:892 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0x2
2 0.97070354 istsvc.exe:892 SetValue HKLM\Software\Microsoft\Windows\CurrentVersion\Run\IST Service SUCCESS "C:\Program Files\ISTsvc\istsvc.exe"
3 0.97090244 istsvc.exe:892 CloseKey HKLM\Software\Microsoft\Windows\CurrentVersion\Run SUCCESS
4 0.97159195 istsvc.exe:892 QueryValue HKCU\SOFTWARE\MICROSOFT\Windows\CURRENTVERSION\Internet Settings\EnableAutodial SUCCESS 0x0
5 1.00403678 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
6 1.00424612 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
7 1.00429749 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood NOT FOUND
8 1.00463104 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
9 1.00468636 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
10 1.00473380 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
11 1.00476038 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon NOT FOUND
12 1.00479865 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
13 1.00492191 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\Regmon.exe NOT FOUND
14 1.00502610 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
15 1.00507104 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
16 1.00509703 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups NOT FOUND
17 1.00513446 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
18 1.00523674 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D} NOT FOUND
19 1.00554395 Regmon.exe:1100 QueryKey HKCU\CLSID SUCCESS Name: \REGISTRY\USER\S-1-5-21-484763869-1085031214-839522115-500_Classes\CLSID
20 1.00571191 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 NOT FOUND
21 1.00576580 Regmon.exe:1100 OpenKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Access: 0x2000000
22 1.00579965 Regmon.exe:1100 QueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32
23 1.00587201 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32 NOT FOUND
24 1.00593376 Regmon.exe:1100 QueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\(Default) SUCCESS "%SystemRoot%\system32\shell32.dll"
25 1.00597394 Regmon.exe:1100 QueryKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS Name: \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32
26 1.00603235 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InprocServer32 NOT FOUND
27 1.00605774 Regmon.exe:1100 QueryValue HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32\LoadWithoutCOM NOT FOUND
28 1.00609851 Regmon.exe:1100 CloseKey HKCR\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 SUCCESS
29 1.00617003 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
30 1.00621557 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
31 1.00624526 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders NOT FOUND
32 1.00628102 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
33 1.00632870 Regmon.exe:1100 OpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer NOT FOUND
34 1.00637233 Regmon.exe:1100 OpenKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS Access: 0x1
35 1.00644696 Regmon.exe:1100 QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel NOT FOUND
36 1.00648320 Regmon.exe:1100 CloseKey HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer SUCCESS
37 1.00692403 Regmon.exe:1100 OpenKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x1
38 1.00698912 Regmon.exe:1100 QueryValue HKLM\System\CurrentControlSet\Control\Session Manager\AdditionalBaseNamedObjectsProtectionMode NOT FOUND
39 1.00702739 Regmon.exe:1100 CloseKey HKLM\System\CurrentControlSet\Control\Session Manager SUCCESS
40 1.00717628 Regmon.exe:1100 OpenKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS Access: 0x20019
41 1.00722098 Regmon.exe:1100 QueryValue HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\CriticalSectionTimeout SUCCESS 0x278D00
42 1.00725758 Regmon.exe:1100 CloseKey HKLM\SYSTEM\CurrentControlSet\Control\Session Manager SUCCESS
43 1.00805521 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT NOT FOUND
44 1.00809801 Regmon.exe:1100 OpenKey HKLM\SOFTWARE\Microsoft\OLEAUT\UserEra NOT FOUND
45 1.00841975 Regmon.exe:1100 QueryKey HKCU SUCCESS Name: \REGISTRY\USER\S-1-5-21-484763869-1085031214-839522115-500_Classes
46 1.00846565 Regmon.exe:1100 OpenKey HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 NOT FOUND
Records 1 through 3 are the persistence write: istsvc.exe opens the HKLM Run key for
writing (Access: 0x2, KEY_SET_VALUE) and sets the value “IST Service” to its own path,
which is the entry that appears under Run in D03. The remaining records are RegMon
itself starting up.
D12.Add-Remove Programs IE Post-Baseline.bmp (Malware)
D13.Spybot IE Post-Baseline.bmp (unresolved Spyware)
Spybot couldn’t eradicate the above unauthorized activity.