Unusual Service Running

Hi all

Looking through Services (Local) found the following:

XMALTMFOKBOECQEDY

What is it?

 

to me it looks randomly named
which wouldnt be a good sign

start > run > services.msc > DClick its entry > Dependencies

&

http://www.nirsoft.net/utils/serviwin.html

 

Ice: better than admin. tools in control panel? (services)

 

services.msc is the admin tool in the control panel

the other ap might provide a bit more info, (or more accurately all in one interface)
(color coding is nice, no need to double click to get more info, includes drivers, displays the originating filename)

but I wouldnt hope too much if its malicious

 

That's one of the reasons I was asking because it has no dependancies listed and zero info.

Tried running ServiWin and it didn't show anything more. - Thanks to Ice Czar for the tip.

 

hmmm...

http://www.nirsoft.net/utils/cprocess.html
same folks one of many process explorers but again I think a superior interface in that the selected process immediately shows the associated dlls
and once youve found those you can do a search for em to hopefully uncover more info (like if your lucky one might be in an application directory as opposed to system32)

but Im more suspicious than ever about that service
random naming is one of many tricks malware plays these days
to play hide and seek with detection or easy identification

was reading through TNT's dangerous trojans thread from last summer
https://www.wilderssecurity.com/showthread.php?t=136452 (Gromozon)
and doing a little further research on the always changing strategies these guys employ (very clever stuff)]
HTML google cache \ PDF
multiple exploits, custom response based on the detected browser, social engineering ploys, secondary payloads, encryption and obfuscation, rootkits and ADS, wont run in a virtual environment (a plus from some viewpoints, but keeps AV researchers from having a nice orderly zoo) a dropped randomly named service could easily fit the bill, if not specifically at least "in class" of infection

personally at this point Id likely image the drive for further investigation when I had a chance,
then wipe it and restore to a known secure state from an image or clone to get back online with a high level of confidence, seems premature Im sure but when youve got these options available its prudent to take advantage of them for even minor things

if it is a sophisticated subversion youd be hard pressed to fight it with a high level of confidence you got it all though you might break it, Id try to track the processes, disrupt it, scan the piss out of the system from outside if possible and rootkit detection, but even a hint its reasserting itself and Id jst wipe the whole thing from a time investment viewpoint.

course it could be a harmless driver for some bit o freeware you forgot too

 

Question, did you run RootKitRevealer? This tool does install randomly named services. And besides, if you use a good HIPS it should have notified you about this?

 

One by one (utility), we're changing OS without leaving Windows!

 

on the one hand I have the goal of virtualizing my W2K install into a Linux World
on the other I have the objective of hacking it past all recognition as a Windows install
(pretty much just GUI hacks)

my new bootscreen to be hacked into the ntoskrnl.exe

http://i7.tinypic.com/4fxx2iw.jpg

 

I'll get there some day, ntoskrnl.exe and his cousins.

 

Yeah, I also wanted to say/suggest that; in fact IIRC RootKitRevealer uses a randomly-named process (common process), and a randomly-named service. Although I am not so sure if these RootKitRevealer's services remain visible after the processing is done.


stalker

 

Well interestly, attempted to boot the machine up and blue screen message shows inaccessible device etc. Boot up last know good profile. Then wireless doesn't work, reinstalled driver, still no wireless. System log show renaming? of network adapter, to looks like hexadecimal. Rebooted and says Winnt system32 corrupt...you know the story.

Looks like a new computer.

Thanks for every one's help.

 

hmmmm....

we have heard this "upgrade" justification before
but we promise not to tell the wif

 

True ;-) What you do think of the Intel Core 2 Duo E6700 2.67Ghz?

 

a better value than the cloverleafs for the kind of stuff I do (CG)
however Im a AMD guy more often than not major purchases being in the Tbird era and the Opteron Era when they were knocking Intel into the dirt. (but I swing both ways )

Also a big believer in buying well back from the bleeding edge.

 

Right on