how can i investigate this malware? processguard?

Discussion in 'other anti-malware software' started by jameshanley39, Jul 23, 2007.

Thread Status:
Not open for further replies.
  1. jameshanley39

    jameshanley39 Registered Member

    some malware is using Internet Explorer, going to sites, so things pop up.

    I tried processguard, but it doesn't stop it or tell me much, just that it's accessing some site like go.itemdb.com, it's prob a different site each time.

    I know I could try lots of malware scanners in safe mode.. (though I have an issue that what if some malware comes back when windows is shut down. It's a laptop, I can't pull the plug, and it's a strange one, I can't access the battery)

    I'm more interested in investigating it though. What file or thing is calling iexplore. I thought maybe processguard would tell me, but I don't see where.
  2. Jarmo P

    Jarmo P Registered Member

    Processguard does not prevent a program starting another program.
    You can delete IE rule, so you will get asked when it tries/is started by another prog.
    PG will ask what programs you allow to start and there is a list for you to see what runs/has run in your system.

    With SSM you get more information with parent/child rules.
    And also if you run a firewall like Comodo that has rules for what parent is allowed to start an application, it can be used instead to find out the parent.

    But just deleting IE rule in PG and monitoring your system with something like Process Explorer you could maybe find out the culprit when PG gives you a popup prompt for IE allowance.
  3. TopperID

    TopperID Registered Member

    Processguard is intended to be installed onto a clean machine and will prevent infection by blocking any program from running unless it has (or is given) permission to run. It offers very strong protection and could certainly have prevented your browser hijack. However it sounds like you are trying to shut the stable door after the horse has bolted!

    iexplore is I.E. and will appear in PG in both the 'Protection' and 'Security' tabs, you need to check the file path though, it should be C:\Program Files\Internet Explorer\iexplore.exe. Check its credentials by navigating to the file in Windows Explorer, right clicking and selecting Properties.

    You really need to go into 'safe' mode and scan with a suitable AS prog; a lot of users have had success cleaning with SuperAntispyware, so you may care to try that.

    Well it most certainly does on my system!

    Programs capable of running other progs (such as wscript.exe, cscript.exe, net.exe, net1.exe, javaw.exe, rundll32.exe, cmd.exe, ntvdm.exe, regsvr32.exe, etc, etc) need to be set to 'permit once'. The advantage of SSM is that you have the 'parameters' option which permits running for specific tasks. I think you are confusing Execution protection with running as a Child/Parent, which is a different approach.

    If malware cannot execute it cannot 'run' anything! The only way round that would be to 'exploit' a prog like cmd.exe or ntvdm.exe; however if these are set to permit once they cannot be exploited unless you allow it to happen.

    The current full release of SSM is started by Winlogon and so runs too late in the startup list to prevent malware starting up. PG runs as a service and hence could be helpful in blocking malware startups. (I don't know about the beta SSMs though - perhaps they do run as a service?).
    Last edited: Jul 23, 2007
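Both replies above come down to the same investigation: watch which process is the parent of iexplore.exe when it appears (Process Explorer shows the parent PID), and confirm that the iexplore.exe being started is the real one at C:\Program Files\Internet Explorer\iexplore.exe. The script below is an added example, not code from this thread or from ProcessGuard, SSM or Process Explorer. It works on a constructed process snapshot with the four fields Process Explorer (or WMI's Win32_Process) exposes: PID, parent PID, image name and image path; the Temp\svchost.exe entry in the snapshot is a hypothetical stand-in for the unknown launcher, not a file from the thread. The list of launcher-type programs is the one TopperID gives above.

```python
"""Resolve which process launched iexplore.exe from a process snapshot.

Added example for the thread above. The snapshot is constructed; on a live
machine the same four fields come from Process Explorer (PID, Parent PID,
image name, image path) or from `Get-CimInstance Win32_Process` (ProcessId,
ParentProcessId, Name, ExecutablePath).
"""
from dataclasses import dataclass
from typing import List

# Expected location of the real browser binary, as stated in the thread.
EXPECTED_IE_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Programs the thread names as capable of running other programs. If one of
# them sits between the browser and the shell, that part of the chain is what
# you want to look at.
LAUNCHERS = {"wscript.exe", "cscript.exe", "net.exe", "net1.exe", "javaw.exe",
             "rundll32.exe", "cmd.exe", "ntvdm.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Constructed snapshot: one browser started normally by explorer.exe, and one
# started by rundll32.exe, which was itself started by a hypothetical
# svchost-named file living in the user's Temp directory.
SNAPSHOT: List[Proc] = [
    Proc(4, 0, "System", ""),
    Proc(600, 4, "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    Proc(1200, 600, "explorer.exe", r"C:\WINDOWS\explorer.exe"),
    Proc(2000, 1200, "iexplore.exe", EXPECTED_IE_PATH),
    Proc(2300, 1200, "svchost.exe", r"C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe"),  # hypothetical
    Proc(2310, 2300, "rundll32.exe", r"C:\WINDOWS\system32\rundll32.exe"),
    Proc(2320, 2310, "iexplore.exe", EXPECTED_IE_PATH),
]


def index_by_pid(snapshot: List[Proc]) -> dict:
    return {p.pid: p for p in snapshot}


def ancestry(pid: int, by_pid: dict) -> List[Proc]:
    """Return [proc, parent, grandparent, ...], stopping at the root, at a
    parent that is no longer in the snapshot, or if a PID cycle is hit."""
    chain: List[Proc] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = by_pid.get(cur.ppid)
    return chain


def investigate(snapshot: List[Proc], target: str = "iexplore.exe") -> List[dict]:
    """For every process named `target`, report its parent chain, whether its
    image path is the expected one, and whether a launcher-type program
    appears among its ancestors."""
    by_pid = index_by_pid(snapshot)
    findings = []
    for p in snapshot:
        if p.name.lower() != target:
            continue
        chain = ancestry(p.pid, by_pid)
        parent = chain[1] if len(chain) > 1 else None
        findings.append({
            "pid": p.pid,
            "path_ok": p.path.lower() == EXPECTED_IE_PATH.lower(),
            "parent": parent.name if parent else None,
            "chain": [c.name for c in chain],
            "launcher_in_chain": any(c.name.lower() in LAUNCHERS for c in chain[1:]),
        })
    return findings


if __name__ == "__main__":
    for f in investigate(SNAPSHOT):
        flag = "REVIEW" if (f["launcher_in_chain"] or not f["path_ok"]) else "ok"
        print(f"[{flag}] iexplore.exe pid={f['pid']} parent={f['parent']} "
              f"chain={' <- '.join(f['chain'])}")
```

Two caveats when doing this on a real machine rather than a snapshot: a parent PID only tells you who called CreateProcess, so if the launcher exits immediately the PID may already be gone (or reused by an unrelated process), which is why the thread suggests catching the browser start at the moment PG prompts; and a matching image path only says the binary being launched is the genuine one, not that whatever launched it was legitimate.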
  4. Jarmo P

    Jarmo P Registered Member

    A browser hijack did not come to my mind since I have never experienced it.
    Normally allowed applications are allowed to start other allowed applications and my writing was about that only, but either you choose to read me wrong or wanted to add some more information and then it is ok by me.

    I have not gone as far in my protection to use that permit once feature and maybe I should.

    One interesting thing I have found using the last PG 3.410 free. It seems to block wgatray.exe from connecting to internet with system starting even with no rule made for it. It is perhaps a kind of a bug feature, but a welcome one. I mention this since you wrote about early starting apps.
    It is like this. With PG not installed either kerio 2.1.5 or Comodo 2.4 will give a firewall permission prompt for wgatray.exe. With PG installed, the currently installed software firewall will not get you prompted. I rather believe in PG blocking wgatray.exe than passing it to internet and bypassing a firewall. Hope someone can bring more light into this curious behaviour.
    Last edited: Jul 23, 2007