Wehnus - Pronounced We Nus


BrendanK.
March 16th, 2009, 03:30 AM
I found another new program called WehnTrust by Wehnus. It is a so-called HIPS; however, I do not see how it is a HIPS. It apparently prevents intrusions, but not in the way of a normal HIPS.

-{ Quote: "The technology that WehnTrust uses is referred to as Address Space Layout Randomization which is a term for the randomizing of the virtual address space layout of any given process. During the process of writing an exploit it is often a requirement that attacker know some memory address that will not vary from one execution of the process to the next. If the address were to vary between instances it would be harder and in some cases impossible to write a reliable exploit. This fact acts as a major deterrent for exploit writers and raises the bar on exploitation. " }-

Check it out:
http://www.wehnus.com/technology.pl

Kees1958
March 16th, 2009, 03:36 AM
Vista has this by default. It is more a hardening option for XP and lower. I am unsure whether it still works with XP SP3 though.

Regards Kees

BrendanK.
March 16th, 2009, 03:38 AM
-{ Quote: "Vista has this by default. It is more a hardening option for XP and lower. I am unsure whether it still works with XP SP3 though.

Regards Kees" }-

Oh ok cool. Thanks Kees :)

Arup
March 16th, 2009, 09:31 AM
Isn't this some sort of software DEP already there via your CPU in XP and Vista? Linux has had this for a while as well.

PROROOTECT
March 16th, 2009, 01:25 PM
ATTENTION, please.

DANGER: WehnTrust v1.2, Updated Aug 11, 2008 - is DANGEROUS for you!

After download and Restart of Windows:

IE Tools/Options: does not work (window: Restrictions...).

IE/Windows Update: does not work.

I look on RootRepeal/Stealth Objects: Found 750 stealth objects! ( Hidden Module: ... .dll). Another scan with RootRepeal after 1 minute: 774 stealth objects! Another scan: 828 stealth objects!!!

Indispensable & essential RootRepeal antirootkit!

My other Indispensable Antirootkit Tool (K. D.)/Processes: 'A:System'. Virtual Size: 1908 KB! State: INVISIBLE.
All my processes began with: A:C:/ ... !

Now : IE unbootable! (thanks, DEP! ).

In Safe Mode: I deleted all folders of WehnTrust, with HijackThis and in Program Files; I deleted 'WehnTrust Monitor Service' in the Services; in Prefetch: WEHNSERV.EXE and WEHNTRUST.EXE and others ...

Restart of Windows.

IE start and disappears!

Restore of Windows with my Restore Point ...

OK., but one folder is renamed: RandCache , for RandCache(2) !!!

Tiny Watcher: REMOVE RandCache(2) (104060 KB!). Excellent Tiny Watcher, INDISPENSABLE. But 'General warning' (was ist das?)- no possibility of remove in Tiny ...

Now: RootRepeal: 0 stealth objects. K. D. : no 'A:System'.

Now, I want to restart Windows, but first I want to send this Post ...:argh:

PROROOTECT:thumb:

jmonge
March 16th, 2009, 01:41 PM
hi and thanks for this info:thumb: let us know the results please

PROROOTECT
March 16th, 2009, 05:31 PM
Yes, WehnTrust v1.2 is EVIL!

... but now I'm clean! The results: all OK.! :thumb:RootRepeal/Stealth Objects: Found 0 stealth objects! And :thumb:K. D. - nothing wrong!:argh:

Still some small souvenirs from Event Viewer today:

14:33 - start of WehnTrust Monitor Service

14:42 - Error (Source: baserand; General Information: Process iexplore.exe; SEH Overwrite Information:
Frame handler: 0x792CEE18
Frame next: 0x3A35F96C
Short jump detected: No (... what is this?...)

15:05 - Warning: Windows cannot unload your classes registry file - it is in use by other applications or services [ or services ...:argh: ]

15:27 - Windows has downloaded the registry when it received a notification that no application or service using the profile.

15:29 - start in Safe Mode ...

16:39 - Restore ...

I'm very clean.:argh: :argh: :argh: Thanks for HijackThis, RootRepeal, K. Detective, Tiny Watcher !!!

Your Horror Series Tonight is finished.

Rest In Peace, Yours PROROOTECT:thumb:
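
The 14:42 Event Viewer entry in the post above has the shape of an SEH-overwrite report, so here is an added example (not part of the original thread and not WehnTrust's code) that parses those fields and re-derives a few sanity checks on the `Frame next` value. Reading `Short jump detected` as "the first stored byte of Next is the x86 short-jump opcode 0xEB" is an assumption, and `parse_event` and `triage` are hypothetical helper names.

```python
import re
import struct

# Fields copied from the 14:42 event quoted in the post above.
EVENT = """Error (Source: baserand; General Information: Process iexplore.exe; SEH Overwrite Information:
Frame handler: 0x792CEE18
Frame next: 0x3A35F96C
Short jump detected: No"""

END_OF_CHAIN = 0xFFFFFFFF  # value that terminates the x86 SEH list
SHORT_JMP = 0xEB           # x86 opcode for "jmp rel8"


def parse_event(text):
    """Pull the process name and the three SEH fields out of the event text."""
    def field(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.group(1)

    return {
        "process": field(r"Process\s+([^;\s]+)"),
        "handler": int(field(r"Frame handler:\s*(0x[0-9A-Fa-f]+)"), 16),
        "next": int(field(r"Frame next:\s*(0x[0-9A-Fa-f]+)"), 16),
        "reported_short_jump": field(r"Short jump detected:\s*(\w+)").lower() == "yes",
    }


def triage(ev):
    """Re-derive simple sanity checks on the reported Next field."""
    raw = struct.pack("<I", ev["next"])  # the 4 bytes as stored in memory
    short_jump = raw[0] == SHORT_JMP     # assumed meaning of the log field
    return {
        "next_bytes": raw.hex(" "),
        "short_jump": short_jump,
        "end_of_chain": ev["next"] == END_OF_CHAIN,
        "next_aligned": ev["next"] % 4 == 0,  # records are DWORD-aligned
        "agrees_with_log": short_jump == ev["reported_short_jump"],
    }


if __name__ == "__main__":
    print(triage(parse_event(EVENT)))
```

A valid Next field holds either a pointer to the next registration record or the end-of-chain marker, so bytes that decode as an instruction instead are a sign the record was overwritten.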

PROROOTECT
March 17th, 2009, 04:37 AM
Hello all,

What was that?
Perhaps the original Page WehnTrust was tainted by evil?
Or perhaps this page is original bomb?
And what was the nasty, how to call? A rootkit? A trojan? Something else?
And how to understand the error at 14:42 in Event Viewer, and others?

Your comments are welcome, thank you!:thumb:

PS.'Which nasty do you want to kill today?' ...:argh:

jmonge
March 17th, 2009, 11:36 AM
thanks man for your life saving info;) :thumb: :)

Meriadoc
March 19th, 2009, 06:37 PM
Wehnus=skape (http://forum.sysinternals.com/forum_posts.asp?TID=18323&PN=1)

BrendanK.
March 19th, 2009, 07:01 PM
So wait, this program is malware? I'm so lost now ???

Meriadoc
March 19th, 2009, 07:14 PM
No, Wehnus is not malware.

BrendanK.
March 19th, 2009, 07:18 PM
-{ Quote: "No, Wehnus is not malware." }-

Ok cool :thumb:

rodgerdodger
March 20th, 2009, 08:12 AM
@PROROOTECT

I submitted WehnTrust to Virus Total, and it came up clean with a score of 0/39.

On the other hand, your indispensable program "KD" came up with a bad score of 15/39. Apparently, 15 MAJOR AV engines said that it may contain a Trojan/PWS. Additionally, ThreatExpert did not have very good reviews in regard to this program either.

You can read up on your indispensable program here:

~Link to VT results removed per Policy. (http://www.wilderssecurity.com/showthread.php?t=180057)~

and here:

http://www.threatexpert.com/report.aspx?md5=24d1e2a73a679ad3377c82f801c63b4e

PROROOTECT
March 20th, 2009, 11:46 AM
Hi rodgerdodger Posts: 1,

Thank you very much for your very relevant reply.

I'm well on my previous reflected position.

Too bad that Virus Total does not clean up the RandCache from WehnTrust.

I have a very good - the BEST antivirus software, called AVIRA AntiVir 9; never problems, never false positives.

I also carry some very good antirootkits - with K. D. in BEST position. I love K. D. ! It is the story of love, NOTHING I can do ...

Thank you for your efforts anyway,

Yours PROROOTECT:thumb:

rodgerdodger
March 20th, 2009, 12:35 PM
@PROROOTECT

And what is your opinion of ThreatExpert's analysis?

PROROOTECT
March 20th, 2009, 12:55 PM
Hi rodgerdodger Posts: 2,

K. D. : Files MD5 & SHA-1.

Symantec: Spyware?

McAfee: PWS?

Ikarus: Trojan?

Kaspersky: UPX?


OK, OK ...:thumb:

PROROOTECT
March 21st, 2009, 06:25 PM
Well, seriously: the suggestions concerning the misconduct of K.D. were of course without real foundation and unprofessional. The Truth is this one:

The GOOD: K.D. by GamingMasteR is not the same as the NASTY: OnlineGames trojan & stealer.

Here is what happened:

1. An AV company marked K.D. as OnlineGames trojan (& stealer); this is a FALSE POSITIVE because another trojan has a signature similar to K.D.'s,

2. Other companies marked K.D. as OnlineGames trojan & stealer, imitating the 1st AV company ;D :argh: ;D ; pitiful experts, stupid AVs! :P - But not all: false positive numbers were greatly decreased as most top AVs ...

PS. I don't have OnlineGames files on my Windows. None.
I have NOTHING bad in Registry.
I'm 100 % clean. In my system32\drivers, I have KeDetective121.sys (152 Kb). And I'm very proud of it.

Many, many thanks to its developer.

And this again: To defend against buffer overflow attacks, use COMODO Memory Firewall: http://www.memoryfirewall.comodo.com/ Very LIGHT, SAFE & CLEAN: I tried & approved.

Yours nasty PROROOTECT:thumb:
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" :thumb:
'WHICH NASTY DO YOU WANT TO KILL TODAY?':thumb: