CmdLineExt03

kressens
2006-06-09, 20:09
Hi folks !

I found a DLL in system32 that looks suspicious, first because it doesn't contain any description, company name, date, etc.

Here is the filename with its path:
CmdLineExt03.dll \Windows\system32\

On some sites they say it's related to SecuROM protection, others say it's real spyware... I tried to check it with CompatAlyser; no suspicious functions were found.

Here is the problem: if this DLL comes with a SecuROM-protected game, then we've got a problem, because I NEVER installed a game on this computer... so?

Thanks for your help,
kressens.

tashi
2006-06-09, 20:24
Hello.

Please follow the instructions in this sticky topic:
BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

kressens
2006-06-09, 23:38
I'm not sure what you mean about the sticky topic.

If you said it because of the two posts, that's not my fault: I got an error "Wrong forum ID", then the page refreshed itself and there were two topics instead of one.

For the problem, of course I looked on Google; I have Spybot up to date and nothing is detected, I'm carefully looking after my computer's security, etc.

But I need some more information about it, information that only an expert can give me about this file and what it is used for.

So far I haven't had any problem with this file, but going thoroughly through a system scan I found this file, which looks suspicious to me.

tashi
2006-06-13, 19:44
We need to see the logs, hence the link I provided. ;)

BEFORE you post and who will advise you. Preliminary Steps (http://forums.spybot.info/showthread.php?t=288)

kressens
2006-06-13, 22:05
OK, here are some logs I made, but there is nothing to see:


Logfile of HijackThis v1.99.1
Scan saved at 18:48:04, on 13/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Documents and Settings\Admin\Menu Démarrer\Programmes\Utilitaires\Sécurité\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Applications\Spybot\SDHelper.dll
O4 - Startup: Foobar.lnk.disabled
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133439302781
O17 - HKLM\System\CCS\Services\Tcpip\..\{16172282-7A3C-4C05-B23B-0A1A866DB884}: NameServer = 194.49.160.1,193.55.10.101


CompatAlyser shows 9 known functions, none suspicious.

ResHacker shows two trees, Registry & TypeLib, with only one resource in each collapsed tree. Here's the registry-related one:


HKCR
{
    CmdLineExt.CmdLineContextMenu.1 = s 'CmdLineContextMenu Class'
    {
        CLSID = s '{9869EFB4-18E9-11D3-A837-00104B9E30B5}'
    }
    CmdLineExt.CmdLineContextMenu = s 'CmdLineContextMenu Class'
    {
        CLSID = s '{9869EFB4-18E9-11D3-A837-00104B9E30B5}'
        CurVer = s 'CmdLineExt.CmdLineContextMenu.1'
    }
    NoRemove CLSID
    {
        ForceRemove {9869EFB4-18E9-11D3-A837-00104B9E30B5} = s 'CmdLineContextMenu Class'
        {
            ProgID = s 'CmdLineExt.CmdLineContextMenu.1'
            VersionIndependentProgID = s 'CmdLineExt.CmdLineContextMenu'
            InprocServer32 = s '%MODULE%'
            {
                val ThreadingModel = s 'Apartment'
            }
            'TypeLib' = s '{9869EFA6-18E9-11D3-A837-00104B9E30B5}'
        }
    }
}


Looks really usual to me.

Spybot S&D scan shows no spyware found (for years on this machine).
ClamWin scan shows no virus found. Both have been updated to the latest software & signature versions.

Now here's: Removed, please do not link to infected files.

It has no company name or description.

If you need more information, just ask...

Thanks a lot. Regards,
Kr.
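
As an added example (mine, not from the thread or from the DLL's authors), a small Python parser for the subset of the ATL registrar script grammar that appears in the resource above (nested keys, `= s '...'` string data, `val` entries, NoRemove/ForceRemove modifiers). It flattens the script into the registry keys and values the registrar writes when DllRegisterServer runs, then pulls out, per CLSID, the implementing module, its threading model and ProgID, which is exactly what one wants to know about a shell extension of unknown origin. The sample is an excerpt of the posted script; `%MODULE%` is the registrar's placeholder for the DLL's own path and is left unresolved here.

```python
import re
# Excerpt of the registrar script posted above: the CLSID subtree, where the
# class is bound to the module that implements it (ProgID/TypeLib entries omitted).
RGS = r"""HKCR
{
  NoRemove CLSID
  {
    ForceRemove {9869EFB4-18E9-11D3-A837-00104B9E30B5} = s 'CmdLineContextMenu Class'
    {
      ProgID = s 'CmdLineExt.CmdLineContextMenu.1'
      InprocServer32 = s '%MODULE%'
      {
        val ThreadingModel = s 'Apartment'
      }
    }
  }
}"""

# One registrar statement: [NoRemove|ForceRemove] [val] name [= s 'string']
STMT = re.compile(r"^(?:(?:NoRemove|ForceRemove)\s+)?(val\s+)?'?([^'=\s]+)'?\s*(?:=\s*s\s+'([^']*)')?$")

def parse_rgs(text):
    """Flatten a registrar script into {(key path, value name): data}; "@" is the key's default value."""
    stack, last_key, reg = [], None, {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "{":                  # enter the subtree of the key just seen
            stack.append(last_key)
        elif line == "}":
            stack.pop()
        elif not (m := STMT.match(line)):
            raise ValueError(f"unrecognised registrar line: {line!r}")
        elif m.group(1):                 # 'val': a named value under the current key
            reg[("\\".join(stack), m.group(2))] = m.group(3)
        else:                            # a key, possibly with a default value (None if none)
            last_key = m.group(2)
            reg[("\\".join(stack + [last_key]), "@")] = m.group(3)
    return reg

def com_servers(reg):
    """Per registered CLSID under HKCR\\CLSID: ProgID, implementing module and threading model."""
    out = {}
    for path, value_name in reg:
        parts = path.split("\\")
        if value_name == "@" and len(parts) == 3 and parts[1] == "CLSID":
            out[parts[2]] = {
                "progid": reg.get((path + "\\ProgID", "@")),
                "server": reg.get((path + "\\InprocServer32", "@")),
                "threading": reg.get((path + "\\InprocServer32", "ThreadingModel")),
            }
    return out
```

Running `com_servers(parse_rgs(RGS))` on the excerpt yields the single class {9869EFB4-18E9-11D3-A837-00104B9E30B5}, served in-process by the module itself with an Apartment threading model, so the same paths can be checked in a live registry to see whether the DLL is actually registered on the machine.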

kressens
2006-06-14, 00:12
The file isn't infected by anything; it's just a file to study.

No executable spyware, nothing dangerous "as is" in it. It just comes as a system library layer through processes.

I don't know how you can investigate what the file is in reality without it.

And anyway, if what some forums say is true (that the file is a SecuROM library), it isn't dangerous at all...

LonnyRJones
2006-06-14, 06:41
If you suspect a file in the future, get it scanned at VirusTotal or Jotti's:
http://www.virustotal.com/flash/index_en.html
http://virusscan.jotti.org/
That's an alarming HijackThis log: NO antivirus, no firewall.

kressens
2006-06-14, 11:00
Not really, you know... Besides the fact that I'm a sysadmin, and I don't think an antivirus & firewall should be a normal part of any system (but that's a long troll which will come through software programming), I have an antivirus (ClamWin) but it's not resident, because a resident program, or daemon or whatever you call it, is the worst idea to me, etc., etc. And in fact I haven't had spyware or a virus in years on my machines ;).

But I've got ClamAV & PF working on my gateway (NetBSD), which check, control and analyse all the traffic of my network.

-- --

The Jotti scan is interesting:
"MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)"

But nothing known was found by any antivirus. It's just a heuristic-based method, which could be totally wrong.

-- --

VirusTotal shows one warning from Fortinet. All the others say nothing found. I guess it's just another heuristic scan, but they don't give more information, so...

-- --

You're going the wrong way by supposing the file is infected by something known or acts like a virus or spyware.

The file itself isn't injected into processes (verified myself), and over hours of logging no program or resident process/service (I disabled so many...) called its functions.

I can delete it manually without problem, the file doesn't reappear at reboot.

LonnyRJones
2006-06-14, 17:55
Well, good luck and safe surfing then.