Here's a preview...

[cateyed]

Hi again,

Just a little post. The file that I couldn't find to delete? I found it... sort of...

Turns out, its being loaded as a hidden device driver. I found it in Device Manager under Hidden Devices. Very tricky, cause that means it was getting loaded under all circumstances, and wasn't a running process, and wasn't starting with "startup processes" under Windows XP.

I've disabled it tonight. I'll attempt to delete it tomorrow with Recovery Console.

BUT: Word of warning to those out there: This process was running as a spamming generator! Its just spamming and spamming. The only reason I knew it was even there was because my client got listed on about 6 spam blockers, and all their emails were getting rejected.

I haven't found this mal-ware with any tool around. Spybot, Adaware, HiJack This, CWShredder, SmitFraudFix. Nothing.

We're running Trend Micro Client Server Messaging Suite. That didn't find it.

I have scanned this machine about 30 times. I've done a System Restore. I've deleted all files that came onto the machine the day it got infected.

I ran WireShark and that didn't see any SMTP requests. The firewall didn't block it, even though I explicity blocked port 25, and it was blocking my attempts to telnet into mail servers. Then I blocked all network activity, and it was still occuring.

Netstat -oa didn't show any open or listening SMTP ports.

Its a really tricky one. I've been pulling my hair out for weeks! (I know most of you are wondering why I haven't reinstalled Windows yet... my client just doesn't want me to do that right now... And I really wanted to find it!!!)

So, in closing! Thanks to RootAlyzer. Its the only clue I had.

Cateyed

[PepiMK]

Do you know Total Commander? TC is "just" a standard (good) file manager, but it has quite a simple plugin structure. I created two plugins for TC, found here. These will allow you to browse the harddisk, and the registry, using the same native methods that RootAlyzer uses. You might be able to see the file and its registry entries there, in case you need additional tools

[Becky]

Ah yes, compatibility, should've mentioned that somewhere

The whole file/registry stuff is NT/2000/XP/2k3/Vista only, since it compars NT native mode function results against Win32 subsystem results (no NT would mean nothing to compare against). Process stuff could work on 9x as well.

The screenshots show XP, admitted Wouldn't see why it wouldn't work on Vista, though I didn't test it a lot there.

I have W98, what are the "Process stuff"? Are there any features that could be dangerous to execute under W98?

Thanks

[Becky]

I have W98, what are the "Process stuff"? Are there any features that could be dangerous to execute under W98?

Thanks

Just starting it and... Access Violation....
Any ideas to use it on W98?

I'll copy here the bug report

date/time : 2008-04-17, 22:44:53, 740ms
computer name : AST COMPUTER
user name : user2
registered owner : My Self
operating system : Windows 98 SE build 2222
system language : English
system up time : 1 hour 19 minutes
program up time : 10 seconds
physical memory : 348/510 MB (free/total)
system resources : 80/71 (gdi/user)
free disk space : (C 3.36 GB
display mode : 800x600, 24 bit
process id : $ffe50f69
allocated memory : 22.89 MB
executable : ROOTALYZER.EXE
exec. date/time : 2008-03-31 12:16
version : 0.1.3.26
compiled with : BCB 2006
madExcept version : 3.0e
callstack crc : $00000000, $17bcefc0, $17bcefc0
count : 2
exception number : 1
exception class : EAccessViolation
exception message : Access violation at address 00000000. Read of address FFFFFFFF.

main thread ($ffe50ee9):
00000000 +000 ???
304f3a41 +0ed ROOTALYZER.EXE snlFilesListWinNative 92 +8 TNTFileEnumerator.EnumNTPathFileNames
30532f97 +073 ROOTALYZER.EXE snlRootKitsNTFiles 49 +8 TRootKitIndicatorNTFiles.ExecuteTests
3053354f +023 ROOTALYZER.EXE snlRootKitsList 75 +3 TRootKitIndicatorList.Process
30536752 +03a ROOTALYZER.EXE FrameUnitRKScanSimple 135 +5 TframeRKScanSimpleBase.Process
3053e069 +019 ROOTALYZER.EXE FormUnitRKIndicators 235 +3 TformRKIndicators.FormPaint
304ad6d9 +015 ROOTALYZER.EXE Forms 4471 +1 TCustomForm.Paint
304ad768 +068 ROOTALYZER.EXE Forms 4486 +5 TCustomForm.PaintWindow
30499b71 +055 ROOTALYZER.EXE Controls 7306 +4 TWinControl.PaintHandler
3049a153 +03f ROOTALYZER.EXE Controls 7462 +6 TWinControl.WMPaint
304ad88d +02d ROOTALYZER.EXE Forms 4523 +4 TCustomForm.WMPaint
30495c8f +2bb ROOTALYZER.EXE Controls 5143 +83 TControl.WndProc
304999d5 +499 ROOTALYZER.EXE Controls 7246 +105 TWinControl.WndProc
304ab1f5 +4c1 ROOTALYZER.EXE Forms 3284 +125 TCustomForm.WndProc
30499160 +02c ROOTALYZER.EXE Controls 7021 +3 TWinControl.MainWndProc
3046bb88 +014 ROOTALYZER.EXE Classes 11572 +8 StdWndProc
304b2834 +0fc ROOTALYZER.EXE Forms 7670 +23 TApplication.ProcessMessage
304b286e +00a ROOTALYZER.EXE Forms 7689 +1 TApplication.HandleMessage
304b2a8e +096 ROOTALYZER.EXE Forms 7773 +16 TApplication.Run
30540c70 +064 ROOTALYZER.EXE RootAlyzer 29 +5 initialization

thread $ffe7eccd:
bff99b32 KERNEL32.DLL

[PepiMK]

Hmm, I thought I had written it somewhere, but I can't find it right now :D

Most rootkit methods are targeted at NT-based systems, since the dual layer structure allows for hiding things on the upper, regularly used one while being to access the hidden things through the lower one. These kinds of trouble you won't have on 9x. I've added a todo entry for myself to make sure that nt-specific tests won't be executed on 9x though, to make it run for those few left at least.

[Becky]

Hmm, I thought I had written it somewhere, but I can't find it right now :D

Most rootkit methods are targeted at NT-based systems, since the dual layer structure allows for hiding things on the upper, regularly used one while being to access the hidden things through the lower one. These kinds of trouble you won't have on 9x. I've added a todo entry for myself to make sure that nt-specific tests won't be executed on 9x though, to make it run for those few left at least.

Thanks a lot
Now, How can I know when it is modifyed?

Thanks again

[PepiMK]

See this entry: 9x compatibility

Next version will have a "check for updates" option integrated, until then, you'll have to check the forum. Subscribe to this thread, for example (available in the Thread Tools menu above this thread).

Detect removed admin privileges is what I want to finish first before uploading the next version.

[pacificmorrowind]

Found some false Positives:
:: RootAlyzer Results
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c8a97cf1e451.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
File:"Unknown ADS","C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c8b15d5c3d38.tif:Xj1phwzh5qcwungrN45kt3kiCe:$DATA"
Those are some faxes from the Microsoft Fax program. They are not infected or dangerous.
PacificMorrowind.

[PepiMK]

Uh... "funny" name for a stream ("Xj1phwzh5qcwungrN45kt3kiCe")
Added a feature request here, just need to find out what exactly that first special character is. Thanks for the information

[Becky]

Just a suggestion: Could you please update the link on the 1st. note of this thread to point to the new version?
Thanks, Becky