
Thread: Here's a preview...

  1. #31
    Junior Member
    Join Date
    Apr 2008
    Posts
    2

    Found the hidden file!

    Hi again,

    Just a little post. The file that I couldn't find to delete? I found it... sort of...

    Turns out, it's being loaded as a hidden device driver. I found it in Device Manager under Hidden Devices. Very tricky, cause that means it was getting loaded under all circumstances, and wasn't a running process, and wasn't starting with "startup processes" under Windows XP.

    I've disabled it tonight. I'll attempt to delete it tomorrow with Recovery Console.

    BUT: Word of warning to those out there: This process was running as a spamming generator! It's just spamming and spamming. The only reason I knew it was even there was because my client got listed on about 6 spam blockers, and all their emails were getting rejected.

    I haven't found this malware with any tool around. Spybot, Adaware, HiJack This, CWShredder, SmitFraudFix. Nothing.

    We're running Trend Micro Client Server Messaging Suite. That didn't find it.

    I have scanned this machine about 30 times. I've done a System Restore. I've deleted all files that came onto the machine the day it got infected.

    I ran WireShark and that didn't see any SMTP requests. The firewall didn't block it, even though I explicitly blocked port 25, and it was blocking my attempts to telnet into mail servers. Then I blocked all network activity, and it was still occurring.

    Netstat -oa didn't show any open or listening SMTP ports.

    It's a really tricky one. I've been pulling my hair out for weeks! (I know most of you are wondering why I haven't reinstalled Windows yet... my client just doesn't want me to do that right now... And I really wanted to find it!!!)

    So, in closing! Thanks to RootAlyzer. It's the only clue I had.

    Cateyed

  2. #32
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,579


    Do you know Total Commander? TC is "just" a standard (good) file manager, but it has quite a simple plugin structure. I created two plugins for TC, found here. These will allow you to browse the harddisk, and the registry, using the same native methods that RootAlyzer uses. You might be able to see the file and its registry entries there, in case you need additional tools.
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  3. #33
    Member Becky's Avatar
    Join Date
    Mar 2008
    Posts
    37

    With W98, what are the features I shouldn't use?

    Quote Originally Posted by PepiMK View Post
    Ah yes, compatibility, should've mentioned that somewhere

    The whole file/registry stuff is NT/2000/XP/2k3/Vista only, since it compares NT native mode function results against Win32 subsystem results (no NT would mean nothing to compare against). Process stuff could work on 9x as well.

    The screenshots show XP, admitted. Wouldn't see why it wouldn't work on Vista, though I didn't test it a lot there.
    I have W98, what are the "Process stuff"? Are there any features that could be dangerous to execute under W98?

    Thanks

  4. #34
    Member Becky's Avatar
    Join Date
    Mar 2008
    Posts
    37


    Quote Originally Posted by Becky View Post
    I have W98, what are the "Process stuff"? Are there any features that could be dangerous to execute under W98?

    Thanks
    Just starting it and... Access Violation....
    Any ideas to use it on W98?

    I'll copy here the bug report

    date/time : 2008-04-17, 22:44:53, 740ms
    computer name : AST COMPUTER
    user name : user2
    registered owner : My Self
    operating system : Windows 98 SE build 2222
    system language : English
    system up time : 1 hour 19 minutes
    program up time : 10 seconds
    physical memory : 348/510 MB (free/total)
    system resources : 80/71 (gdi/user)
    free disk space : (C:) 3.36 GB
    display mode : 800x600, 24 bit
    process id : $ffe50f69
    allocated memory : 22.89 MB
    executable : ROOTALYZER.EXE
    exec. date/time : 2008-03-31 12:16
    version : 0.1.3.26
    compiled with : BCB 2006
    madExcept version : 3.0e
    callstack crc : $00000000, $17bcefc0, $17bcefc0
    count : 2
    exception number : 1
    exception class : EAccessViolation
    exception message : Access violation at address 00000000. Read of address FFFFFFFF.

    main thread ($ffe50ee9):
    00000000 +000 ???
    304f3a41 +0ed ROOTALYZER.EXE snlFilesListWinNative 92 +8 TNTFileEnumerator.EnumNTPathFileNames
    30532f97 +073 ROOTALYZER.EXE snlRootKitsNTFiles 49 +8 TRootKitIndicatorNTFiles.ExecuteTests
    3053354f +023 ROOTALYZER.EXE snlRootKitsList 75 +3 TRootKitIndicatorList.Process
    30536752 +03a ROOTALYZER.EXE FrameUnitRKScanSimple 135 +5 TframeRKScanSimpleBase.Process
    3053e069 +019 ROOTALYZER.EXE FormUnitRKIndicators 235 +3 TformRKIndicators.FormPaint
    304ad6d9 +015 ROOTALYZER.EXE Forms 4471 +1 TCustomForm.Paint
    304ad768 +068 ROOTALYZER.EXE Forms 4486 +5 TCustomForm.PaintWindow
    30499b71 +055 ROOTALYZER.EXE Controls 7306 +4 TWinControl.PaintHandler
    3049a153 +03f ROOTALYZER.EXE Controls 7462 +6 TWinControl.WMPaint
    304ad88d +02d ROOTALYZER.EXE Forms 4523 +4 TCustomForm.WMPaint
    30495c8f +2bb ROOTALYZER.EXE Controls 5143 +83 TControl.WndProc
    304999d5 +499 ROOTALYZER.EXE Controls 7246 +105 TWinControl.WndProc
    304ab1f5 +4c1 ROOTALYZER.EXE Forms 3284 +125 TCustomForm.WndProc
    30499160 +02c ROOTALYZER.EXE Controls 7021 +3 TWinControl.MainWndProc
    3046bb88 +014 ROOTALYZER.EXE Classes 11572 +8 StdWndProc
    304b2834 +0fc ROOTALYZER.EXE Forms 7670 +23 TApplication.ProcessMessage
    304b286e +00a ROOTALYZER.EXE Forms 7689 +1 TApplication.HandleMessage
    304b2a8e +096 ROOTALYZER.EXE Forms 7773 +16 TApplication.Run
    30540c70 +064 ROOTALYZER.EXE RootAlyzer 29 +5 initialization

    thread $ffe7eccd:
    bff99b32 KERNEL32.DLL

  5. #35
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,579


    Hmm, I thought I had written it somewhere, but I can't find it right now :D

    Most rootkit methods are targeted at NT-based systems, since the dual layer structure allows for hiding things on the upper, regularly used one while being able to access the hidden things through the lower one. These kinds of trouble you won't have on 9x. I've added a todo entry for myself to make sure that NT-specific tests won't be executed on 9x though, to make it run for those few left at least.

  6. #36
    Member Becky's Avatar
    Join Date
    Mar 2008
    Posts
    37


    Quote Originally Posted by PepiMK View Post
    Hmm, I thought I had written it somewhere, but I can't find it right now :D

    Most rootkit methods are targeted at NT-based systems, since the dual layer structure allows for hiding things on the upper, regularly used one while being able to access the hidden things through the lower one. These kinds of trouble you won't have on 9x. I've added a todo entry for myself to make sure that NT-specific tests won't be executed on 9x though, to make it run for those few left at least.
    Thanks a lot
    Now, how can I know when it is modified?

    Thanks again

  7. #37
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,579


    See this entry: 9x compatibility

    Next version will have a "check for updates" option integrated, until then, you'll have to check the forum. Subscribe to this thread, for example (available in the Thread Tools menu above this thread).

    Detect removed admin privileges is what I want to finish first before uploading the next version.

  8. #38
    Junior Member
    Join Date
    May 2008
    Posts
    1


    Found some false positives:
    :: RootAlyzer Results
    File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c8a97cf1e451.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
    File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c8b15d5c3d38.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
    Those are some faxes from the Microsoft Fax program. They are not infected or dangerous.
    PacificMorrowind.
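
A triage sketch for result lines like the two quoted in the post above, added here as an example; it is not part of the original posts and not RootAlyzer's own logic. It parses the `File:"Unknown ADS","path:stream:$DATA"` format shown on the page and groups findings by directory and stream name. The function names, the grouping heuristic and the third sample line are assumptions made for illustration.

```python
import csv
import ntpath
from collections import defaultdict

# First two result lines are the ones quoted in the post; the last is constructed.
SAMPLE = r'''
:: RootAlyzer Results
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c8a97cf1e451.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c8b15d5c3d38.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Temp\notes.txt:extra:$DATA"
'''

def parse_line(line):
    """Return a dict for a 'File:"Unknown ADS",...' line, else None."""
    kind, sep, rest = line.strip().partition(":")
    if not sep or kind != "File":
        return None
    fields = next(csv.reader([rest]), [])
    if len(fields) != 2 or fields[0] != "Unknown ADS":
        return None
    # NTFS stream syntax is path:stream:type. Split from the right so the
    # drive-letter colon in "C:\..." stays part of the path.
    parts = fields[1].rsplit(":", 2)
    if len(parts) != 3 or len(parts[0]) < 3:
        return None
    path, stream, stype = parts
    return {"path": path, "dir": ntpath.dirname(path).lower(),
            "stream": stream, "type": stype}

def triage(text, min_files=2):
    """Group findings by (directory, stream name) and label each group."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["dir"], rec["stream"])].add(rec["path"].lower())
    report = []
    for (directory, stream), files in sorted(groups.items()):
        # Assumed heuristic: the same stream name on several files in one
        # folder fits an application tagging its own data; a one-off does not.
        recurring = len(files) >= min_files
        report.append({
            "dir": directory, "stream": stream, "files": len(files),
            # Stream names may begin with a non-printable character.
            "control_prefix": bool(stream) and ord(stream[0]) < 32,
            "verdict": "recurring: review for allowlist" if recurring
                       else "single: inspect first",
        })
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A "recurring" verdict only marks a group as a candidate for an allowlist rule; the stream contents still need to be checked before the rule is added.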

  9. #39
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,579


    Uh... "funny" name for a stream ("Xj1phwzh5qcwungrN45kt3kiCe")
    Added a feature request here, just need to find out what exactly that first special character is. Thanks for the information.

  10. #40
    Member Becky's Avatar
    Join Date
    Mar 2008
    Posts
    37

    Update new version link

    Just a suggestion: Could you please update the link on the 1st note of this thread to point to the new version?
    Thanks, Becky
