KAVICHS streams attached to everything

Hello

After starting TDS this morning I got all kinds of hits on hidden streams.

The only thing I did was uninstall KAV personal pro trial last night.

I also moght have tried unhackme and secureworld and uninstalled them both.
I did notice Bo Clean sounding off when I tried to uninstall Secureworld by MT-Soft and I am still not sure why. After uninstalling Secureworl and getting the warning splash screen from BoClean, Bo Clean would not start up again for about three reboots.
The funny thing is the stream ads appear to look more like a KAV file to me
KAVICHS.

Please take a peek at my TDS log file and tell me what you think.

Bruce

 

Hi Controller, The AdStreams are from KAV 5. I have had them once and they are harmless. I believe that you can tell KAV not to ad them in the pro version but not in the home version.
No idea about the other problem with BoClean though.

HTH Pilli

 

Hi pilli

I sent you a PM but am still looking for the thread where I posted the first reference to the MZ stream. This DOES not look good to me.
When I right click and view properties I get MZ.EXE and that isn't a KAV file.

Bruce

 

I will try read it now that I have 4 days off for the holidays LOL

Here is the funny thing Paul.

In a thread about a week or two ago I posted that I downloaded a movie.
I just had not had stream detection enabled before in TDS.
After running a scan TDS found MZ.EXE attached to the movie and nothing else. I was running KAV and continued running it untill last night when the trial ran out. I don't think uninstalling KAV would have added that file to allmost everything. WHy would they add it on an uninstall?
EVen though the TXT file shows what appears to be a KAV file, a right click
properties with TDS shows MZ.EXE attached which is not a KAV file.

Am I missing something here?

Bruce

 

The thing is I don't think the original was attached by KAV.
I think it came attached to the movie I downloaded.
I will go look at DSL and see if anyone else had MZ.EXE
Like I said, WHy would KAV only attach them on uninstall. They sure weren't there before.

 

Ok I did read the DSL thread and have the impression KAV might be stuck in the middle of another problem. It appears some of the others had streams they thought were KAV's but the tags were not deleted and KAV's responce is that their program only removed KAV's tags and not others.
I did not see on mention of the actual EXE file.

My conclusion: TDS did nt detect the streams untill I uninstalled KAV which make me wonder. DOn't any of you think it funny KAV would add tags on uninstall? there would be no prupose in it.
I will send the file to TDS and then proceed to reformat.
I really think there is more here then just a simple KAV tag problem on my machine anyway.

Bruce

 

Thanks ronjor

Now I am starting to see some sense here.

I knew I was not drunk. It is too early to start drinking LOL

I guess I could check my look & stop logs also. I have it set to adanced but was just about to add Phantoms ruleset dangit.

So it does appear I have this rootkit
I don't blame pilli for not knowing it from my post a few weeks ago but I do think giving advice about streams smaller then 128 bytes might not be the best with this new rootkit

I know the first occurance of MZ a few weeks ago was less then 128.
Now it is growning in size, attaching to all my files and blaming KAV.
Just because TDS is showing it as KAVICh doesn't mean it IS KAV.
Like I sad properties shows MZ.EXE



Bruce

 

I see from the other thread DCS had not received the file yet.
Do you still need it before I reformat?

Bruce

 

Hi Controller, The advice about 128 byte files is from Gavin. I have pm'd you with some other ideas re. unhackme which might find any hidden rootkits.

Remember a rootkit would need to install a driver or service albeit these may be hidden.

Pilli

 

Just 2 ~little~ cents

Aren't MZ.EXE old DOS exe's ... Which maybe related to KAV's intergraty checker.

http://www.kaspersky.com/news?id=46

Why not inquire with KAV Support before proceding further.

Steve

One little side note concerning Merijn's ADS Spy remover/& or the Latest HJT(which includes ADS Spy in the tools section) it only scans the C volume for streams.

 

I just installed process explorer now and am not real sure it power yet.
Can it find hidden sevices and drivers?

Dog thanks but as I mentioned, Why was it attached to only one video file which I got from Suprnova, ( shut down now )
and no others files till last night?
Why did BoClean go off and was shut down for three reboots?

Bruce

 

I am not so sure that KAVs use of streams is so innocuous. Once this "door" is opened up, it can be used by other malicious programs to "hide in". I know that I was advised by the folks at Diamondcs to ignore streams less than 64 bytes (by using the TDS-3 setting) - but once I start ignoring streams, how do I know that I am not ignoring something malicious. ADS is the primary reason I did not purchase KAV 5.0 initially. Other instabilies eventually convinced me to purchase 4.5.

Rich

 

Bruce - Have you tried running rkdetector.exe? I'm just curious as to whether it'll show anything flaky.

It gives you a report that looks something like this:

. .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
Rootkit Detector Profesional 2004
Programmed by Andres Tarasco Acuna
Copyright (c) 2004 - 3wdesign Security
Url: http://www.3wdesign.es


-Gathering Service list Information... ( Found: 283 services )
-Gathering process List Information... ( Found: 57 process )
-Searching for Hidden process Handles. ( Found: 0 Hidden Process )
-Checking Visible Process.............
c:\program files\compaq\easy access button support\starteak.exe
c:\program files\spywareguard\sgbhp.exe
c:\windows\system32\svchost.exe
c:\windows\system32\locator.exe
c:\windows\system32\snoopfreesvc.exe
c:\windows\system32\smss.exe
c:\windows\system32\tlntsvr.exe
c:\windows\system32\csrss.exe
c:\windows\system32\ups.exe
c:\windows\system32\services.exe
c:\windows\system32\lsass.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe
c:\program files\compaq\easy access button support\cpqeadm.exe
c:\windows\system32\svchost.exe
c:\compaq\cpqinet\cpqinet.exe
c:\compaq\eakdrv\eausbkbd.exe
c:\windows\system32\spoolsv.exe
c:\windows\system32\alg.exe
c:\windows\explorer.exe
c:\program files\apc\apc powerchute personal edition\mainserv.exe
c:\program files\processguard\dcsuserprot.exe
c:\program files\ewido\security suite\ewidoctrl.exe
c:\program files\eset\nod32krn.exe
c:\program files\java\j2re1.5.0\bin\jusched.exe
c:\windows\system32\pctspk.exe
c:\program files\spyblocker software\spyblocker.exe
c:\windows\system32\pgpserv.exe
c:\program files\microsoft security\limewire\limewire.exe
c:\program files\tds3\tds-3.exe
c:\program files\eset\nod32kui.exe
c:\program files\internet explorer\iexplore.exe
c:\windows\msagent\agentsvr.exe
c:\progra~1\compaq\easyac~1\bttnserv.exe
c:\program files\sockscapv2\sc32lnch.exe
c:\windows\snoopfreeui.exe
c:\program files\processguard\pgaccount.exe
c:\program files\acesoft\tracks eraser pro\te.exe
c:\program files\processguard\procguard.exe
c:\program files\spybot - search & destroy\teatimer.exe
c:\program files\pgp corporation\pgp for windows xp\pgptray.exe
c:\program files\privoxy\privoxy.exe
c:\program files\shadowstor\shadowuser\shadowuser.exe
c:\program files\bhodemon 2\bhodemon.exe
c:\program files\mru-blaster\scheduler.exe
c:\program files\apc\apc powerchute personal edition\apcsystray.exe
c:\windows\system32\rkdetector.exe
c:\windows\system32\cmd.exe
c:\program files\cookiemuncher\cookiem.exe
c:\program files\opera\opera.exe
c:\program files\id-blaster plus\idblasterplus.exe
c:\program files\spywareguard\sgmain.exe
c:\program files\outlook express\msimn.exe
-Searching again for Hidden Services..
-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 5 wrong Services )
-------------------------------------------------------------------------------
*SV: EACMOS (EACMOS) PATH: c:\windows\system32\drivers\eacmos.sys
-------------------------------------------------------------------------------
*SV: EAWDMFD (EAWDMFD) PATH: c:\windows\system32\drivers\eawdmfd.sys
-------------------------------------------------------------------------------
*SV: procguard (procguard) PATH: c:\windows\system32\drivers\procguard.sys
-------------------------------------------------------------------------------
*SV: SnoopFree (SnoopFree Driver) PATH: c:\windows\system32\drivers\snopfree.sy
s
-------------------------------------------------------------------------------
*SV: VFILT (Outpost Firewall Kernel Driver) PATH: c:\progra~1\agnitum\outpos~1\
kernel\2000\filtnt.sys
-------------------------------------------------------------------------------
-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)

The point being, of course, to see if it does come up with anything besides 0's for suspicious running modules or rootkits. Pete

 

I think I tried an older version pete way back but yes I will get back on my other computer and give it a try. If I knew more about process explorer I might see something there.
Even though everybody seems to think this is not a problem for me I am feeling very uneasy about this one.
It makes no sense. I sure hate to stay online on what could be an infected computer. I also want to get to the bottom of it in case it is a liget problem.
for one it came attached to a movie and was not attached by KAV.
I took everyones word for files not being larger then 128 bytes were safe so I extracted the file and clicked on it anyways lol.
Doc said yesterday I have an ear infection, Upper Resp infection and diverticulitus ewwwww and never got any pain killers only antibiotics.
I am still kickin though....

I can't read the web page http://www.3wdesign.es/entrada.html



Bruce

 

Click on "SERVICIOS", then "3W Design & Security" - it'll be on the next page that comes up over on the right. Pete

 

Is this to be run from DOS prompt?
I clicked on it , it ran through a DOS window then closed lol

before it closed I could see some red text with Kaspersky in it.

Before it closes I see found suspicious files then genterates the MS send report

 

see attached DOC

 

Hmm..to my not-very-educated eyes, it looks NOT TOO GOOD! You might want to generate a HJT report and get someone to look at it, too.

Hopefully, I'm wrong. Pete

 

Just for the heck of it I tried running Rkdetector on my other machine and it kills My Anti-Keologger program. Now that is interesting

I will try shutting down spysweeper ect and see if I can see what is hooking

Bruce