Guest SANTANDER
Posted June 25, 2008

Win XP Home, NOD32 3.0.650.0 antivirus. I got infected with the Win32/Alman.NAB virus. My antivirus showed that some executable files were infected; also, when browsing the web with Internet Explorer, Windows periodically pops up an error message called RUNDLL:

"Error loading C:\Windows\AppPatch\Jview.dll
The specified module could not be found."

(I use Firefox by default.)

After running a whole computer scan, NOD32 isolated the infected files in a Quarantine folder. I removed the Jview.dll.

As far as I know, Win32/Alman.NAD is an infector and downloader and it has got its own driver. If it sits inside some legit process (IE), then it will add the new registry key again. Then removing will be harder.

Then I ran the HijackThis utility and got the following report. I looked through the logfile, but I'm not sure which processes and keys are legitimate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:03:59, on 2008.06.25.
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 89.251.147.134:6328
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NetMeter] C:\Program Files\HooTech\NetMeter\HooNetMeter.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O21 - SSODL: JavaView - {DA191DE0-AA86-D04E-4B87-2A3D4928BE99} - C:\WINDOWS\AppPatch\Jview.dll (file missing)
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 3672 bytes

------------------------------------

In addition, I ran a DOS utility showing the drivers in my system:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User> drivers

Drivers - DiamondCS Freeware Console Tools (www.diamondcs.com.au)
---
ADDRESS: IMAGE PATH:
< snip >
124 drivers detected.

C:\Documents and Settings\User>

What is strange is that there are 4 running svchost.exe processes.
Guest David H. Lipman
Posted June 25, 2008

From: "SANTANDER" <santander@microsoft.news>

| Win XP home, NOD32 3.0.650.0 antivirus. I got infected with Win32/Alman.NAB
| virus. My antivirus showed some executable files were infected, also when
| browsing the web with Internet Explorer, Windows periodically pops up error messages
| called RUNDLL:
| "Error loading C:\Windows\AppPatch\Jview.dll
| The specified module could not be found."
| (I use Firefox by default).
|
| After running a whole computer scan, NOD32 isolated the infected files in a
| Quarantine folder. I removed the Jview.dll
| As far as I know, Win32/Alman.NAD is an infector, downloader and it has got its
| own driver. If it sits inside some legit process (IE), then it will add a new
| registry key again. Then removing will be harder.
| Then I ran the HijackThis utility, and got the following report. I looked
| through the logfile, but I'm not sure which processes and keys are
| legitimate.

< snip >

| What is strange, there are 4 running svchost.exe processes..

First off, do NOT post HJT logs to Usenet in general or the Microsoft hierarchy in particular. If you had bothered to ask, you would have been told this and you would have been provided with a list of trusted expert forums where HJT logs are allowed and encouraged.

Secondly, it is NOT the number of running copies of SVCHOST.EXE that is important. Having 4 ~ 8 running copies of SVCHOST.EXE can be considered normal. What is important is the fully qualified path. SVCHOST.EXE running from %windir%\system32 is legitimate. SVCHOST.EXE running from a location such as %windir% or C:\Program Files\Common Files\System are illegitimate locations and are most likely malware.

1. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/th.../HJTInstall.exe

2. Disable Notepad's word wrap:
In Notepad.exe; Format --> uncheck; "Word wrap"

3. Download/run Deckard's System Scanner:
http://www.techsupportforum.com/sectools/Deckard/dss.exe

4. Save the scan results (Main.txt and Extra.txt)

5. And then post the contents of Main.txt and Extra.txt in your post in one of the below expert forums...

{ Please - Do NOT post the HJT and Deckard's System Scanner Logs here ! }

Forums where you can get expert advice for HiJack This! (HJT) and Deckard's System Scanner Logs.

NOTE: Registration is REQUIRED in any of the below before posting a log

Suggested primary:
http://www.thespykiller.co.uk/index.php?board=3.0

Suggested secondary:
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.malwarebytes.org/forums/index.php?showforum=7

Suggested tertiary:
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Rem...o_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://aumha.net/viewforum.php?f=30
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest SANTANDER
Posted June 25, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:O74iyxw1IHA.4492@TK2MSFTNGP02.phx.gbl...
> From: "SANTANDER" <santander@microsoft.news>
< snip >
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

--------
Well, thanks for the advice.

santander
Guest SANTANDER
Posted June 28, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:O74iyxw1IHA.4492@TK2MSFTNGP02.phx.gbl...
> From: "SANTANDER" <santander@microsoft.news>
< snip >
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

-----
These forums are absolutely useless, same as most of the mentioned tools like Deckard's System Scanner, etc., etc. These "tools" just litter registry settings and are ineffective and useless.

Windows has the "malicious software removal tool" but it's also an absolutely useless thing, and not working at all.
Guest David H. Lipman
Posted June 28, 2008

From: "SANTANDER" <santander@microsoft.news>

| These forums are absolutely useless, same as most of the mentioned tools like
| Deckard's System Scanner, etc., etc. These "tools" just litter registry
| settings and are ineffective and useless.
| Windows has the "malicious software removal tool" but it's also an absolutely
| useless thing, and not working at all..

The tools are NOT useless. Someone with skills or training can interpret if you are infected via the system load points. You don't have those skills, thus you came to a faux conclusion.

The forums are not useless as well. The forums have personnel who have the skills to interpret the logs of the tools. Again a faux conclusion.

The MRT is an "On Demand" anti-malware scanner and is geared to a limited list of malware. While not the best of anti-malware On Demand scanners, it does have a level of efficacy and capability and is far from useless. The fact that you don't have malware targeted by the MRT should not lead you to the faux conclusion "absolutely useless thing".

I'm sorry, but you asked for assistance and I gave you assistance. It was bad enough that you posted a HJT log without asking first, but the additional claims of "uselessness" based upon your limited skill sets mean you are unwilling to take appropriate action. This is unfortunate.

Please tear down that brick wall you have created in your mind!

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Geoff
Posted June 28, 2008

On Thu, 26 Jun 2008 00:09:16 +0300, "SANTANDER" <santander@microsoft.news> wrote:

>What is strange, there is 4 running svchost.exe processes..

Not strange at all. Svchost.exe is the service executive. It's the process that starts service processes (RPC, DNS, Auto update, Windows audio, etc.). There are several instances of it depending on the configuration of the machine and the kinds of services that are started.

As for validating executables, see www.sysinternals.com for process utilities like Process Explorer that can check for signed code from Microsoft and others.
http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Be aware, not all Microsoft code is signed, but they have been making great strides in signing their code. Just be careful and don't delete a suspect binary just because it's not signed.

Autoruns, another good tool from the same place, also verifies signed code and allows easy access to the registry keys and binary files.
http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx

Sysinternals was bought out and merged with Microsoft, but Mark and Bryce still develop the products.
Guest SANTANDER
Posted June 28, 2008

"Geoff" <geoff@invalid.invalid> wrote in message news:3rgc64h26o5p0c38o01ta9a88vhfh3v1h9@4ax.com...
> On Thu, 26 Jun 2008 00:09:16 +0300, "SANTANDER" <santander@microsoft.news>
> wrote:
>
> >What is strange, there is 4 running svchost.exe processes..
>
> Not strange at all. Svchost.exe is the service executive. It's the process
> that starts service processes. (RPC, DNS, Auto update, windows audio, etc.)
< snip >
> Sysinternals was bought out and merged with Microsoft but Mark and Bryce
> still develop the products.

------------
Very helpful utilities. I want to check drivers. I just ran a console tool that lists all drivers installed in my system; 124 drivers were detected. Is it possible to check whether all of the drivers are legitimate or not?

Thanks.
Guest Geoff
Posted June 29, 2008

On Sun, 29 Jun 2008 02:42:11 +0300, "SANTANDER" <santander@microsoft.news> wrote:

>"Geoff" <geoff@invalid.invalid> wrote in message
>news:3rgc64h26o5p0c38o01ta9a88vhfh3v1h9@4ax.com...
>> On Thu, 26 Jun 2008 00:09:16 +0300, "SANTANDER" <santander@microsoft.news>
>> wrote:
>< snip >
>------------
>
>Very helpful utilities. I want to check drivers. I just ran a console tool that
>lists all drivers installed in my system; 124 drivers were detected. Is it
>possible to check whether all of the drivers are legitimate or not?
>
>Thanks.

You're welcome.

It's very difficult to know for sure which drivers are legitimate. Autoruns will verify signatures, but if the publisher doesn't sign the code then this method fails and you have to look into each driver and evaluate it yourself. Many driver vendors don't sign their code. There is no sure tool that I am aware of that will validate a driver automatically without some kind of code signature. The Drivers tab of Autoruns will list all your drivers.

As far as malware or viruses are concerned, your principal indicators will be:

1. Strange behavior of computer.
2. Strange filename or location of executable.
3. Lack of publisher name.
4. Not signed.
5. Program or driver phones home or accesses TCP/IP.
6. Executable is compressed or obfuscated.
7. Multiple instances of the binary of the same length, same date/time under different names in the system32/ or system32/drivers file with very strange version information blocks.

You cannot effectively use the filename alone as an indicator. Using Autoruns or Process Explorer you can search online (Google) by selecting the item and hitting Ctrl-M. This presents a list of hits that you can research. Very handy. Of course, some of what is written about some of these files is written by non-experts or the occasional troll, so you must judge what is reasonable, valid information.
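The two checks the thread settles on, David's svchost path rule and Geoff's driver signature review, can be scripted; the block below is an added example, not code from this thread or from Sysinternals. It assumes Windows PowerShell with WMI access (Get-WmiObject, Get-AuthenticodeSignature) and administrator rights, and the function names Test-SvchostLocations and Test-DriverSignatures are the example's own.

```powershell
# Added example, not code from this thread. Assumes Windows PowerShell with
# WMI access (Get-WmiObject) and admin rights so every process path is readable.
$sys32 = ($env:windir + '\System32').ToLower()

# David's check: the count of svchost.exe instances means nothing, the
# fully qualified path does. Anything not under %windir%\System32 is flagged.
function Test-SvchostLocations {
    Get-WmiObject Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $path = $_.ExecutablePath
        $expected = ($path -ne $null) -and $path.ToLower().StartsWith($sys32 + '\')
        New-Object PSObject -Property @{
            PID          = $_.ProcessId
            ExpectedPath = $expected
            Path         = $path
            CommandLine  = $_.CommandLine   # the -k group names the services it hosts
        }
    }
}

# Geoff's check: list every driver with its Authenticode status and publisher.
# Unsigned is not proof of malware (many vendors never signed), and a Valid
# signature is not proof of innocence (David's signed-malware point), so the
# signer and its certification path are shown for a human to judge.
function Test-DriverSignatures {
    Get-WmiObject Win32_SystemDriver | Where-Object { $_.PathName } | ForEach-Object {
        # ImagePath values come in several shapes; normalise them to a file path.
        $file = $_.PathName -replace '^\\\?\?\\', ''
        $file = $file -replace '^\\SystemRoot', $env:windir
        $file = $file -replace '^System32\\', ($env:windir + '\System32\')
        $status    = 'FileMissing'   # same situation as the O21 Jview.dll "(file missing)" entry
        $signer    = ''
        $chainPath = ''
        if (Test-Path -LiteralPath $file) {
            $sig    = Get-AuthenticodeSignature -FilePath $file
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) {
                $signer = $sig.SignerCertificate.Subject
                $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                [void]$chain.Build($sig.SignerCertificate)
                $chainPath = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
            }
        }
        New-Object PSObject -Property @{
            Name = $_.Name; State = $_.State; File = $file
            Signature = $status; Signer = $signer; CertPath = $chainPath
        }
    }
}

Test-SvchostLocations | Format-Table PID, ExpectedPath, Path, CommandLine -AutoSize
# Unsigned, missing and oddly signed drivers sort to the top for review.
Test-DriverSignatures | Sort-Object Signature, Signer |
    Format-Table Name, State, Signature, Signer, File -AutoSize
# For one driver, show the full certification path (the tab Geoff wanted to see):
# Test-DriverSignatures | Where-Object { $_.Name -eq 'atapi' } | Select-Object -ExpandProperty CertPath
```

Microsoft's in-box drivers are mostly signed through catalog files rather than embedded signatures, so older PowerShell versions report them as NotSigned; treat that status as "check further", which is exactly Geoff's caveat, not as a verdict.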
Guest David H. Lipman
Posted June 29, 2008

From: "Geoff" <geoff@invalid.invalid>

| You're welcome.

| It's very difficult to know for sure which drivers are legitimate. Autoruns

< snip >

So VERY true. I have seen many instances of malware that have faked information in a DLL to make it look like it was created by Microsoft. In addition, malware authors are now digitally signing their malware to bypass the security of Vista.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Geoff
Posted June 29, 2008

On Sat, 28 Jun 2008 21:07:55 -0400, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "Geoff" <geoff@invalid.invalid>
>
>| You're welcome.
>
>| It's very difficult to know for sure which drivers are legitimate. Autoruns
>
>< snip >
>
>So VERY true. I have seen many instances of malware that have faked information in a DLL
>to make it look like it was created by Microsoft. In addition, malware authors are now
>digitally signing their malware to bypass the security of Vista.

Hi David,

I had heard of this but have not encountered it yet. I don't deal with it daily. If code can be signed and validated against the key then the key process is hopelessly broken. If malware can be signed and the perpetrators not identified then the certificate process is worthless.

P.S. Try dealing with Wanso, in Chinese, on your wife's notebook for a few days just for fun. I finally ended up pulling the HDD and scanning it from mine as a 3rd disk. Deep scanning and purging wasn't working when it was the boot partition in the notebook.
Guest David H. Lipman Posted June 29, 2008

From: "Geoff" <geoff@invalid.invalid>

| Hi David,
| I had heard of this but have not encountered it yet. I don't deal with it
| daily. If code can be signed and validated against the key then the key
| process is hopelessly broken. If malware can be signed and the perpetrators
| not identified then the certificate process is worthless.
| P.S. Try dealing with Wanso, in Chinese, on your wife's notebook for a few
| days just for fun. I finally ended up pulling the HDD and scanning it
| from mine as a 3rd disk. Deep scanning and purging wasn't working when it
| was the boot partition in the notebook.

Example of digitally signed malware:
http://sunbeltblog.blogspot.com/2008/02/da...-greetings.html

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Geoff Posted June 29, 2008

On Sun, 29 Jun 2008 07:12:29 -0400, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "Geoff" <geoff@invalid.invalid>
>
>| Hi David,
>| I had heard of this but have not encountered it yet. I don't deal with it
>| daily. If code can be signed and validated against the key then the key
>| process is hopelessly broken. If malware can be signed and the perpetrators
>| not identified then the certificate process is worthless.
>| P.S. Try dealing with Wanso, in Chinese, on your wife's notebook for a few
>| days just for fun. I finally ended up pulling the HDD and scanning it
>| from mine as a 3rd disk. Deep scanning and purging wasn't working when it
>| was the boot partition in the notebook.
>
>Example of digitally signed malware:
>http://sunbeltblog.blogspot.com/2008/02/da...-greetings.html

They stopped short of the certification path. One more pic of that tab would have helped. This looks like a simple individual code sign cert that you can generate as an individual on your PC. The fact it is individual and OK means either it was imported and trusted or the root cert. authority cross-signed it and it passed that check. The UTN (AddTrust) cross sig indicates the latter.

I'd say AddTrust's root certificate needs to be revoked by their cross signers. There are so many CA's now it's impossible to tell the good ones from the bad ones. I even have expired certs from Microsoft that expired in 2006 and Verisign certs that expired in 2002 and 2004. If UTN signed that cert without verifying identity and performing due diligence then they deserve to have their authority revoked, IMO. When CA's can't do business because they didn't have proper procedures in place, then reform will come. The examples of Verisign's incompetence when they were induced to sign keys from the fraudulent Microsoft account shows this.

Personally, I detest ActiveX, Java, JavaScript and the whole concept of client side BHO's published indiscriminately. The idea that one can't read a web document without them is abhorrent. Just visit any big commercial web domain without these devices and see what you don't see. The result of all this indiscriminate meta-data is universal trust or blissful ignorance of the implications of all of it running on your computer. Net result, malware or spyware at every mouse click or someone putting one more piece of trash on your system in the name of "content".
Guest David H. Lipman Posted June 29, 2008

From: "Geoff" <geoff@invalid.invalid>

>>| Hi David,
>>| I had heard of this but have not encountered it yet. I don't deal with it
>>| daily. If code can be signed and validated against the key then the key
>>| process is hopelessly broken. If malware can be signed and the perpetrators
>>| not identified then the certificate process is worthless.
>>| P.S. Try dealing with Wanso, in Chinese, on your wife's notebook for a few
>>| days just for fun. I finally ended up pulling the HDD and scanning it
>>| from mine as a 3rd disk. Deep scanning and purging wasn't working when it
>>| was the boot partition in the notebook.
>>
>>Example of digitally signed malware:
>>http://sunbeltblog.blogspot.com/2008/02/da...-greetings.html

| They stopped short of the certification path. One more pic of that tab
| would have helped. This looks like a simple individual code sign cert that
| you can generate as an individual on your PC. The fact it is individual and
| OK means either it was imported and trusted or the root cert. authority
| cross-signed it and it passed that check. The UTN (AddTrust) cross sig
| indicates the latter.
| I'd say AddTrust's root certificate needs to be revoked by their cross
| signers. There are so many CA's now it's impossible to tell the good ones
| from the bad ones. I even have expired certs from Microsoft that expired in
| 2006 and Verisign certs that expired in 2002 and 2004. If UTN signed that
| cert without verifying identity and performing due diligence then they
| deserve to have their authority revoked, IMO. When CA's can't do business
| because they didn't have proper procedures in place, then reform will come.
| The examples of Verisign's incompetence when they were induced to sign keys
| from the fraudulent Microsoft account shows this.
| Personally, I detest ActiveX, Java, JavaScript and the whole concept of
| client side BHO's published indiscriminately. The idea that one can't read
| a web document without them is abhorrent. Just visit any big commercial web
| domain without these devices and see what you don't see.
| The result of all this indiscriminate meta-data is universal trust or
| blissful ignorance of the implications of all of it running on your
| computer. Net result, malware or spyware at every mouse click or someone
| putting one more piece of trash on your system in the name of "content".

That was just a publicly available sample and the blog was geared toward the greeting card phishing end. I have seen numerous samples now. Some signed by Comodo. Albeit, Melih has had the certificate revoked upon identification.

The point is that it can be difficult to "trust" a given EXE/DLL and the information in a binary's information may be falsified. So far I have only seen falsifying a Microsoft origin but any "trusted" company could be impersonated.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest SANTANDER Posted June 30, 2008

"Geoff" <geoff@invalid.invalid> wrote in message news:6ukd649p53erjj0f4r4km9sn53mkb6njbt@4ax.com...

> On Sun, 29 Jun 2008 02:42:11 +0300, "SANTANDER" <santander@microsoft.news>
> wrote:
>
>>"Geoff" <geoff@invalid.invalid> wrote in message
>>news:3rgc64h26o5p0c38o01ta9a88vhfh3v1h9@4ax.com...
>>> On Thu, 26 Jun 2008 00:09:16 +0300, "SANTANDER"
>>> <santander@microsoft.news>
>>> wrote:
>>>
>>> >What is strange, there is 4 running svchost.exe processes..
>>>
>>> Not strange at all. Svchost.exe is the service executive. It's the process
>>> that starts service processes. (RPC, DNS, Auto update, windows audio, etc.)
>>> There are several instances of it depending on the configuration of the
>>> machine and the kinds of services that are started.
>>>
>>> As for validating executables, see www.sysinternals.com for process
>>> utilities like Process Explorer that can check for signed code from
>>> Microsoft and others.
>>> http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx
>>>
>>> Be aware, not all Microsoft code is signed but they have been making great
>>> strides in signing their code. Just be careful and don't delete a suspect
>>> binary just because it's not signed.
>>>
>>> Autoruns, another good tool from the same place also verifies signed code
>>> and allows easy access to the registry keys and binary files.
>>> http://technet.microsoft.com/en-us/sysinte...s/bb963902.aspx
>>>
>>> Sysinternals was bought out and merged with Microsoft but Mark and Bryce
>>> still develop the products.
>>------------
>>
>>Very helpful utilities. I want check drivers. I just run a console tool that
>>list all drivers installed in my system; 124 drivers where detected. Does it
>>possible check whether all of the drivers are legitimate or not?
>>
>>Thanks.
>
> You're welcome.
>
> It's very difficult to know for sure which drivers are legitimate. Autoruns
> will verify signatures but if the publisher doesn't sign the code then this
> method fails and you have to look into each driver and evaluate it
> yourself. Many driver vendors don't sign their code. There is no sure tool
> that I am aware of that will validate a driver automatically without some
> kind of code signature. The Drivers tab of Autoruns will list all your
> drivers.
>
> As far as malware or viruses are concerned, your principle indicators will
> be:
>
> 1. Strange behavior of computer.
> 2. Strange filename or location of executable.
> 3. Lack of publisher name.
> 4. Not signed.
> 5. Program or driver phones home or accesses TCP/IP.
> 6. Executable is compressed or obfuscated.
> 7. Multiple instances of the binary of the same length, same date/time
> under different names in the system32/ or system32/drivers file with very
> strange version information blocks.
>
> You cannot effectively use the filename alone as an indicator.
>
> Using Autoruns or Process Explorer you can search online (google) by
> selecting the item and hitting ctrl-M. This presents a list of hits that
> you can research. Very handy. Of course, some of what is written about some
> of these files is written by non-experts or the occasional troll, so you
> must judge what is reasonable, valid information.
----------------

Just tried Process Explorer, does it show hidden DLLs that could possibly be loaded inside the explorer.exe process?

Some processes displayed by Process Explorer are not fully clear:

process PID Description
System 4

What is the 'System' process with PID 4?

Process Explorer shows System Idle Process taking 98.46 percent. Why so much?

Are there similar security tools that can work on Win98?

Thanks.
Guest Geoff Posted June 30, 2008

On Mon, 30 Jun 2008 16:36:51 +0300, "SANTANDER" <santander@microsoft.news> wrote:

>Just tried Process Explorer, does it show hidden DLLs that possibly can
>loaded inside explorer.exe process?

It shows every process. AFAIK, nothing can hide from it.

>Some processes displayed by Process Explorer not fully clear:
>process PID Description
>
>System 4
>
>what is 'System' process with PID 4?

System is the Windows NT kernel. Don't poke at it. It is essential for proper operation of your system. System is the owner of all other processes and drivers in the computer.

>Process Explorer show System Idle Process take 98.46 percent. Why so many?

Every multitasking system has an Idle process. This is the task that is run when other tasks are not running. It is the lowest priority task. It gets all CPU time remaining that is not "other processes". Windows NT Idle process runs when all other scheduled processes have returned control to the OS. It does some very basic Windows housekeeping and then a halt instruction. The CPU wakes up and exits the idle process on the next kernel interrupt and proceeds to other tasks.

>Is there similar security tools that can work on win98?

Process Explorer works on Windows 98. I don't use 98 anymore so I don't know what is available.
Guest SANTANDER Posted June 30, 2008

"Geoff" <geoff@invalid.invalid> wrote in message news:24rh64ldt1kbleu6jmp4dgrkrse149pa3u@4ax.com...

> On Mon, 30 Jun 2008 16:36:51 +0300, "SANTANDER" <santander@microsoft.news>
> wrote:
>
>>Just tried Process Explorer, does it show hidden DLLs that possibly can
>>loaded inside explorer.exe process?
>
> It shows every process. AFAIK, nothing can hide from it.
>
>>Some processes displayed by Process Explorer not fully clear:
>>process PID Description
>>
>>System 4
>>
>>what is 'System' process with PID 4?
>
> System is the Windows NT kernel. Don't poke at it. It is essential for
> proper operation of your system. System is the owner of all other processes
> and drivers in the computer.
>
>>Process Explorer show System Idle Process take 98.46 percent. Why so many?
>
> Every multitasking system has an Idle process. This is the task that is run
> when other tasks are not running. It is the lowest priority task. It gets
> all CPU time remaining that is not "other processes". Windows NT Idle
> process runs when all other scheduled processes have returned control to
> the OS. It does some very basic Windows housekeeping and then a halt
> instruction. The CPU wakes up and exits the idle process on the next kernel
> interrupt and proceeds to other tasks.
>
>>Is there similar security tools that can work on win98?
>
> Process Explorer works on Windows 98. I don't use 98 anymore so I don't
> know what is available.
--------------

Just to clarify, when Task Manager shows CPU 98, it seems not to be percent; the CPU Usage shown below is 7-8%.

Process Explorer does NOT work on Windows 98, I tried (though I read somewhere that it works on Win98). When executed, it shows the timer for some time (that takes a pause longer than normal), but no GUI is shown. I just ended it via Task Manager.
Guest Geoff Posted June 30, 2008

On Mon, 30 Jun 2008 19:05:49 +0300, "SANTANDER" <santander@microsoft.news> wrote:

>just to clarify, when show Task Manager show CPU 98, it seems not the
>percents, CPU Usage shown below is 7-8%.

Utilization is measured as any process running that is not Idle time.

IdleTime + SumOfAllProcessTime = 100%

Percent of time spent in idle is non-utilized time but Taskman and PE will show the percentage of time spent in idle vs. other tasks.

>Process Explorer does NOT work on Windows 98, I tried (though I read
>somewhere that it works on Win98). When executed, it show the timer some
>time(that take some pause more than normally), but no GUI shown. I just end
>it via Task manager.

News to me. PE's help file says it supports all OS but maybe that only applied for older versions of PE and they never updated the help file or perhaps there is a different download version for 9x/Me.

From help: "Process Explorer does not require administrative privileges to run and works on Windows 9x/Me, Windows NT 4.0, Windows 2000, Windows XP, Server 2003, Windows Vista, Windows Server 2008 and on the x64 version of 64-bit Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008."
Guest David H. Lipman Posted June 30, 2008

From: "Geoff" <geoff@invalid.invalid>

| On Mon, 30 Jun 2008 16:36:51 +0300, "SANTANDER" <santander@microsoft.news>
| wrote:

>>Just tried Process Explorer, does it show hidden DLLs that possibly can
>>loaded inside explorer.exe process?

| It shows every process. AFAIK, nothing can hide from it.

That is NOT true. Many forms of malware can use low level Win32/Win64 programming constructs that can indeed hide the process from utilities like Process Explorer. This is where an anti-rootkit utility such as Gmer is useful. Additionally, Process Explorer will not identify files that are stored using the Alternate Data Streams (ADS) capabilities of NTFS.

< snip >

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Geoff Posted June 30, 2008

On Mon, 30 Jun 2008 16:54:08 -0400, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "Geoff" <geoff@invalid.invalid>
>
>| On Mon, 30 Jun 2008 16:36:51 +0300, "SANTANDER" <santander@microsoft.news>
>| wrote:
>
>>>Just tried Process Explorer, does it show hidden DLLs that possibly can
>>>loaded inside explorer.exe process?
>
>| It shows every process. AFAIK, nothing can hide from it.
>
>That is NOT true. Many forms of malware can use low level Win32/Win64 programming
>constructs that can indeed hide the process form usitlities like Process Explorer. This
>is where a anti RootKit utility such as Gmer is useful. Additionally, Process Explorer
>will not identify files that are stored using the Alternate Data Streams (ADS)
>capabailities of NTFS.

Well, if you have specific info I'd like to see it. If it has a PID, it can be seen. Rootkit Revealer found it. Not sure if Mark was using PE at the same time when he found the Sony rootkit.

As for ADS, a process is not a file, to which part of PE are you referring to about hiding a process in an ADS?
Guest David H. Lipman Posted July 1, 2008

From: "Geoff" <geoff@invalid.invalid>

| Well, if you have specific info I'd like to see it. If it has a PID, it can
| be seen. Rootkit Revealer found it. Not sure if Mark was using PE at the
| same time when he found the Sony rootkit.
| As for ADS, a process is not a file, to which part of PE are you referring
| to about hiding a process in an ADS?

This is an area where I fall off the ledge. I still have much to learn. However it is my understanding the following are used to hide processes...

ZwCreateThread
ZwOpenProcess
ZwOpenThread
ZwTerminateProcess
ZwWriteVirtualMemory

The PID would be hidden from normal scrutiny and thus NOT shown in Process Explorer.

You are correct in that ADS refers to how a file is stored and not a process. However, you can not tell from Process Explorer if a file is executed from an Alternate Data Stream. SVCHOST.EXE executed as an ADS is most certainly malware.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest Geoff Posted July 1, 2008

On Mon, 30 Jun 2008 20:11:32 -0400, "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote:

>From: "Geoff" <geoff@invalid.invalid>
>
>| Well, if you have specific info I'd like to see it. If it has a PID, it can
>| be seen. Rootkit Revealer found it. Not sure if Mark was using PE at the
>| same time when he found the Sony rootkit.
>
>| As for ADS, a process is not a file,to which part of PE are you referring
>| to about hiding a process in an ADS?
>
>This is an area where I fall off the ledge. I still have much to learn. However it is my
>understanding the following are used to hide processes...
>
>ZwCreateThread
>ZwOpenProcess
>ZwOpenThread
>ZwTerminateProcess
>ZwWriteVirtualMemory
>
>The PID would be hidden from normal scrutiny and thus NOT shown in Process Explorer.
>
>You are correct in that ADS refers to how a file is stored and not a process. However,
>you can not tell from Process Explorer if a file is executed from an Alternate Data
>Stream. SVCHOST.EXE executed as an ADS is most certainly malware.

Yes, kernel mode functions can get you places, but I am googling for how a PID can be hidden and have not found it yet. It was my understanding that PE used a KM technique to make it difficult for KM processes to hide from it but I could be wrong. One of the first examples I found in a google search for ZwOpenProcess had a sample that resisted process info probes from PE but was not invisible to it.

ADS had to be one of the worst ideas ever. I still encounter ADS stripping messages when I copy files from my company laptop to non-NTFS media. Corporate IT insisted on using CA Antivirus and it tagged every file with an ADS signature. What a waste.
Guest David H. Lipman Posted July 1, 2008

From: "Geoff" <geoff@invalid.invalid>

< snip >

| Yes, kernel mode functions can get you places, but I am googling for how a
| PID can be hidden and have not found it yet. It was my understanding that
| PE used a KM technique to make it difficult for KM processes to hide from
| it but I could be wrong. One of the first examples I found in a google
| search for ZwOpenProcess had a sample that resisted process info probes
| from PE but was not invisible to it.
| ADS had to be one of the worst ideas ever. I still encounter ADS stripping
| messages when I copy files from my company laptop to non-ntfs media.
| Corporate IT insisted on using CA Antivirus and it tagged every file with
| an ADS signature. What a waste.

I think ADS was added for Macintosh file support.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Guest jen Posted July 1, 2008

"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message news:Oo4XZAy2IHA.5024@TK2MSFTNGP03.phx.gbl...

> From: "Geoff" <geoff@invalid.invalid>
> < snip >
> | Yes, kernel mode functions can get you places, but I am googling for how a
> | PID can be hidden and have not found it yet. It was my understanding that
> | PE used a KM technique to make it difficult for KM processes to hide from
> | it but I could be wrong. One of the first examples I found in a google
> | search for ZwOpenProcess had a sample that resisted process info probes
> | from PE but was not invisible to it.
> | ADS had to be one of the worst ideas ever. I still encounter ADS stripping
> | messages when I copy files from my company laptop to non-ntfs media.
> | Corporate IT insisted on using CA Antivirus and it tagged every file with
> | an ADS signature. What a waste.
> I think ADS was added for Macintosh file support.

File system forks are traditionally associated with Apple's Hierarchical File System (HFS), but are also available in other file systems. In Microsoft's NTFS they are known as Alternate Data Streams (ADS). Other filesystems such as Novell's Novell Storage Services (NSS) and NetWare File System (NWFS), Solaris's UFS (in Solaris 9 and later) and ZFS, and Veritas Software's Veritas File System (VxFS) also support file system forks. In Solaris they are known as extended attributes, although they can be as large as a file and are accessed in the same way a file's data is and thus behave like a fork. UDF, being a universal file system for general data exchange, supports forks as well.

In 1993, Microsoft released the first version of the Windows NT operating system which introduced the NTFS filesystem. This filesystem includes support for multiple named forks as alternate data streams for compatibility with pre-existing operating systems that support forks.

With Windows 2000, Microsoft started using alternate data streams in NTFS to store things such as author or title file attributes and image thumbnails. With Service Pack 2 for Windows XP, Microsoft introduced the Attachment Execution Service that stores details on the origin of downloaded files in alternate data streams attached to files, in an effort to protect users from downloaded files that may present a risk.

http://en.wikipedia.org/wiki/Fork_(filesystem)

-jen
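The two ADS points raised in this thread, an executable stored in a stream (David's svchost.exe case) and the Zone.Identifier stream written by the Attachment Execution Service (the Wikipedia excerpt above), can both be checked from the file system side. The following is an added example, not code from the thread; it relies on the built-in -Stream support of Get-ChildItem, Get-Item and Get-Content, and the Downloads folder as the scan root is an assumption.

```powershell
# Added example (not from the thread): enumerate NTFS alternate data streams,
# decode Zone.Identifier, and flag streams that hold a PE image.
# Written for Windows PowerShell 3.0-5.1 (PowerShell 7 replaces
# "-Encoding Byte" with "-AsByteStream").

# Every stream on every file below $Root except the default ':$DATA' stream.
function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object @{n='File'; e={ $_.FileName }}, Stream, Length
}

# Zone.Identifier is a small INI-style text block, e.g.
#   [ZoneTransfer]
#   ZoneId=3
#   HostUrl=https://example.invalid/file.exe   (constructed sample values)
# ZoneId 3 is the Internet zone; HostUrl/ReferrerUrl record where it came from.
function Get-ZoneIdentifier {
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $text) { return $null }
    $zone = @{}
    foreach ($line in $text) {
        if ($line -match '^(\w+)=(.*)$') { $zone[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{ File = $Path; ZoneId = $zone['ZoneId']
                       ReferrerUrl = $zone['ReferrerUrl']; HostUrl = $zone['HostUrl'] }
}

# True when the stream starts with the 'MZ' signature of a Windows executable.
# A PE image parked in a stream is exactly what Process Explorer will not
# reveal from the process list, so it is worth surfacing from the file side.
function Test-StreamIsPE {
    param([string]$File, [string]$Stream)
    try {
        $bytes = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte `
                             -TotalCount 2 -ErrorAction Stop
        return ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    } catch { return $false }
}

# Report every non-default stream with a note: decoded zone information for
# Zone.Identifier, a loud marker for executable content, blank otherwise.
function Invoke-AdsReport {
    param([string]$Root = "$env:USERPROFILE\Downloads")   # assumed scan root
    foreach ($s in Get-AlternateStreams -Root $Root) {
        $note = ''
        if ($s.Stream -eq 'Zone.Identifier') {
            $z = Get-ZoneIdentifier -Path $s.File
            if ($z) { $note = "ZoneId=$($z.ZoneId) from $($z.HostUrl)" }
        } elseif (Test-StreamIsPE -File $s.File -Stream $s.Stream) {
            $note = 'EXECUTABLE IMAGE IN STREAM'
        }
        [pscustomobject]@{ File = $s.File; Stream = $s.Stream; Length = $s.Length; Note = $note }
    }
}

Invoke-AdsReport | Format-Table -AutoSize
```

Streams named by ordinary software (thumbnail caches, antivirus tags like the CA Antivirus one Geoff mentions) will show up too; the executable check is what separates benign metadata from something that needs a closer look.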