File Infector or not?

Discussion in 'malware problems & news' started by SystemJunkie, Oct 11, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  2. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I researched a bit and found out that the combination hoqx means HOAX.

    Strange, what a mess in my bios.
     
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    A long time later... I answer myself: it seems to be a typical string in the Nvidia nForce BIOS; I found a similar thing on a Chinese website.

    Not the Kcmos file infector. [Add-on: but maybe a super-hidden kind of kernel rootkit.]
     
    Last edited: Dec 18, 2006
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Well, that's a relief, again!


    StevieO
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    yep, one relief and another mystery at the same time:

    http://i13.tinypic.com/4994235.png

    Gmer, IceSword and RkU seem to be bypassed... nothing useful by way of information; only this above is the real hit.

    And Filemon, if you know what you see:

    60 22:51:32 winlogon.exe:1200 DIRECTORY C:\WINDOWS SUCCESS Change Notify
    61 22:51:32 winlogon.exe:1200 DIRECTORY C:\WINDOWS SUCCESS Change Notify
    62 22:51:32 winlogon.exe:1200 DIRECTORY C:\WINDOWS SUCCESS Change Notify
    63 22:51:32 winlogon.exe:1200 DIRECTORY C:\WINDOWS SUCCESS Change Notify
    64 22:51:32 winlogon.exe:1200 DIRECTORY C:\WINDOWS SUCCESS Change Notify
    65 22:51:32 winlogon.exe:1200 DIRECTORY C:\WINDOWS SUCCESS Change Notify
    66 22:51:32 winlogon.exe:1200 DIRECTORY C:\WINDOWS Change Notify

    22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\driver\isdrv120 PATH NOT FOUND Attributes: Error
    22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\WINDOWS\system32\Unknown Kernel Module NOT FOUND Attributes: Error
    22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\Programme\GhostSecuritySuite\ghostsec.sys SUCCESS Attributes: A
    22:51:36 aaksrv.exe:1524 OPEN C:\ SUCCESS Options: Open Directory Access: All
    22:51:36 aaksrv.exe:1524 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: Programme
    22:51:36 aaksrv.exe:1524 CLOSE C:\ SUCCESS
    22:51:36 aaksrv.exe:1524 OPEN C:\Programme\ SUCCESS Options: Open Directory Access: All
    22:51:36 aaksrv.exe:1524 DIRECTORY C:\Programme\ SUCCESS FileBothDirectoryInformation: GhostSecuritySuite
    22:51:36 aaksrv.exe:1524 CLOSE C:\Programme\ SUCCESS
    22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\WINDOWS\system32\drivers\procguard.sys SUCCESS Attributes: A
    22:51:36 aaksrv.exe:1524 OPEN C:\WINDOWS\system32\drivers\ SUCCESS Options: Open Directory Access: All
    22:51:36 aaksrv.exe:1524 DIRECTORY C:\WINDOWS\system32\drivers\ SUCCESS FileBothDirectoryInformation: procguard.sys
    22:51:36 aaksrv.exe:1524 CLOSE C:\WINDOWS\system32\drivers\ SUCCESS
    22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\progra~1\proces~1\procgu~1.exe SUCCESS Attributes: A
    22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\windows\system32\shlwapi.dll SUCCESS Attributes: A
    22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\WINDOWS\system32\unknown screen capture program NOT FOUND Attributes: Error

    What the hell is this super-hidden monster? It bypasses anything except the two apps above.
    It surely acts on the lowest possible level.
     
    Last edited: Dec 18, 2006
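    Added example (not part of the thread, and not from any of the tools named in it): a small parser for Filemon-style lines in the layout quoted above, which groups the events per process and separates the lookups that failed. The sample log is a subset of the lines in the post; the two-class triage heuristic (a leaf name containing spaces and no file extension is treated as the querying tool's own display placeholder rather than a path that could ever exist on disk) is my assumption, not something Filemon or aaksrv documents.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the Filemon lines quoted in the post, in the
# layout Filemon exports (optional seq#, time, process:pid, request, path,
# result, other). Paths may contain spaces, so the parser anchors on the
# request and result columns rather than splitting on whitespace.
SAMPLE_LOG = r"""
60 22:51:32 winlogon.exe:1200 DIRECTORY C:\WINDOWS SUCCESS Change Notify
61 22:51:32 winlogon.exe:1200 DIRECTORY C:\WINDOWS SUCCESS Change Notify
22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\driver\isdrv120 PATH NOT FOUND Attributes: Error
22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\WINDOWS\system32\Unknown Kernel Module NOT FOUND Attributes: Error
22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\Programme\GhostSecuritySuite\ghostsec.sys SUCCESS Attributes: A
22:51:36 aaksrv.exe:1524 OPEN C:\ SUCCESS Options: Open Directory Access: All
22:51:36 aaksrv.exe:1524 DIRECTORY C:\ SUCCESS FileBothDirectoryInformation: Programme
22:51:36 aaksrv.exe:1524 CLOSE C:\ SUCCESS
22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\WINDOWS\system32\drivers\procguard.sys SUCCESS Attributes: A
22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\windows\system32\shlwapi.dll SUCCESS Attributes: A
22:51:36 aaksrv.exe:1524 QUERY INFORMATION C:\WINDOWS\system32\unknown screen capture program NOT FOUND Attributes: Error
"""

# Request and result vocab seen in Filemon output; extend as needed.
REQUESTS = r"QUERY INFORMATION|SET INFORMATION|DIRECTORY|OPEN|CLOSE|CREATE|READ|WRITE|DELETE"
RESULTS = r"SUCCESS|PATH NOT FOUND|NOT FOUND|ACCESS DENIED|NAME COLLISION|BUFFER OVERFLOW|END OF FILE"
LINE_RE = re.compile(
    rf"^(?:(?P<seq>\d+)\s+)?(?P<time>\d\d:\d\d:\d\d)\s+"
    rf"(?P<process>\S+?):(?P<pid>\d+)\s+"
    rf"(?P<request>{REQUESTS})\s+"
    rf"(?P<path>.+?)\s+"          # non-greedy: stops at the first result keyword
    rf"(?P<result>{RESULTS})"
    rf"(?:\s+(?P<other>.*))?$"
)


def parse_filemon(text):
    """Parse Filemon-style lines into dicts; lines that do not fit the layout are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            event = m.groupdict()
            event["pid"] = int(event["pid"])
            events.append(event)
    return events


def summarize(events):
    """Per process:pid, count (request, result) pairs and collect paths that failed to resolve."""
    summary = defaultdict(lambda: {"counts": Counter(), "missing": []})
    for e in events:
        entry = summary[f'{e["process"]}:{e["pid"]}']
        entry["counts"][(e["request"], e["result"])] += 1
        if e["result"] in ("NOT FOUND", "PATH NOT FOUND"):
            entry["missing"].append(e["path"])
    return dict(summary)


def classify_missing(path):
    """Triage hint for a failed lookup (heuristic, my assumption).

    A NOT FOUND on QUERY INFORMATION only says the querying process asked for a
    path that does not exist. For a security tool walking a list of known driver
    or tool names that is the expected negative result ("probe"). A leaf name with
    spaces and no extension looks like the tool's own display text rather than a
    real file name, so it cannot be correlated with anything on disk ("placeholder")."""
    leaf = path.rsplit("\\", 1)[-1]
    has_ext = leaf.lower().endswith((".sys", ".dll", ".exe"))
    if " " in leaf and not has_ext:
        return "placeholder"
    return "probe"


if __name__ == "__main__":
    for proc, entry in summarize(parse_filemon(SAMPLE_LOG)).items():
        print(proc, dict(entry["counts"]))
        for path in entry["missing"]:
            print("   missing:", path, "->", classify_missing(path))
```

    The point for the thread: every failed lookup here is issued by aaksrv.exe itself, and the names it could not find are either known-driver probes or its own placeholder text, which is why no other tool shows a file behind them.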
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Let's assume there is a monster. How did you get it?
    Mrk
     
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    This is a damn good question. I actually don't know the answer.
    Too many possibilities; probably I stayed too long on the internet in the last 8 years. :)
    You should consider the fact that I was not always as experienced
    with internet security as I am now. I did so much forensics because I am so curious by nature,
    and I saw the shadow. That highly upgraded my level of awareness.

    If it is a monster, then it could only be a shadow of past times or maybe the echo of darkness.
     
    Last edited: Dec 20, 2006
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,026
    Location:
    The Netherlands
    @ SystemJunkie

    I don't really get it, but is it true that you often think that your system might actually be infected by some kind of advanced malware, but so far they have always been false alarms, correct? :blink:
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    @Rasheed : hopefully :)

    Look at this: the yellow bars in the BSOD are a new kind of phenomenon, occurring only in the last 1-2 months.

    http://i10.tinypic.com/495rwnp.jpg

    If I let my paranoia flow, I would say a persistent (maybe from hardware?) tcpip.sys hook to bypass frws.
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Rasheed, would you assume that this is usual behaviour? ;-)
    Does not look like paranoia.

    http://i12.tinypic.com/315lb14.png

    1792: non-existent. Neither in Gmer, nor in Process Explorer, nor in IceSword, nor anywhere else.
    Maybe a kind of polymorphic process walker.

    I assume this (provided Outpost and AAK don't produce permanent false positives) because, e.g., AAK
    shows the picture below in totally different situations; it is totally independent of which exe I use right now.
    From time to time the mechanism you see below will appear, and you will find no process for it.

    http://i10.tinypic.com/44ly5vc.png
     
    Last edited: Jan 4, 2007
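    Added example (not from the thread and not the code of Gmer, IceSword or any other tool named here): the cross-view comparison that a "PID shows up in one listing but not in the others" finding rests on, written as a defender's check. Two enumeration sources are compared, and a PID only counts as a discrepancy when it is missing from the same sources in every sampling round, because a process that starts or exits between two snapshots also shows up in exactly one of them. The snapshots are constructed; PID 1792 is the one from the post, all other PIDs, names and the source labels are made up.

```python
# Constructed sample snapshots. Each "view" is one way of enumerating processes:
# a user-mode API listing (what Task Manager or tasklist show) and a lower-level
# walk that does not pass through the same API. PID 1792 is the one from the
# post; every other PID, name and source label is made up for illustration.
ROUND1 = {
    "usermode_list": {4: "System", 1200: "winlogon.exe", 1524: "aaksrv.exe", 1800: "explorer.exe"},
    "kernel_walk": {4: "System", 1200: "winlogon.exe", 1524: "aaksrv.exe", 1800: "explorer.exe",
                    1792: "<no image name>", 2200: "cmd.exe"},
}
# A second sample a few seconds later: cmd.exe (2200) was merely starting up
# during round 1 and is now in both views, while 1792 is still only in the walk.
ROUND2 = {
    "usermode_list": {4: "System", 1200: "winlogon.exe", 1524: "aaksrv.exe", 1800: "explorer.exe",
                      2200: "cmd.exe"},
    "kernel_walk": {4: "System", 1200: "winlogon.exe", 1524: "aaksrv.exe", 1800: "explorer.exe",
                    1792: "<no image name>", 2200: "cmd.exe"},
}


def cross_view(views):
    """views: {source_name: {pid: image_name}}.

    Returns {pid: frozenset(sources that did NOT report it)} for every PID that
    at least one source reported but not all of them."""
    sources = frozenset(views)
    all_pids = set().union(*views.values())
    discrepancies = {}
    for pid in all_pids:
        seen = frozenset(s for s in sources if pid in views[s])
        if seen != sources:
            discrepancies[pid] = sources - seen
    return discrepancies


def persistent_discrepancies(rounds):
    """Intersect several cross_view() results.

    Only PIDs missing from the same sources in every round survive; a PID that
    disagrees in a single round is most likely a snapshot race, not hiding."""
    result = None
    for r in rounds:
        if result is None:
            result = dict(r)
        else:
            result = {pid: miss for pid, miss in result.items() if r.get(pid) == miss}
    return result or {}


def report(persistent, views):
    """Human-readable lines, one per persistent discrepancy."""
    lines = []
    for pid, missing in sorted(persistent.items()):
        name = next((v[pid] for v in views.values() if pid in v), "?")
        lines.append(f"PID {pid} ({name}) not reported by: {', '.join(sorted(missing))}")
    return lines


if __name__ == "__main__":
    rounds = [cross_view(ROUND1), cross_view(ROUND2)]
    for line in report(persistent_discrepancies(rounds), ROUND2):
        print(line)
```

    Two caveats belong with any such finding. Agreement between views proves nothing if both are fed through the same hooked path, so the sources should be as independent as possible. And a persistent discrepancy is a lead to investigate offline (e.g. from boot media), not a verdict on its own.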
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    If you find anything alarming about screen capture, lots of legitimate software reads screens. And some also require keyboard hooks.
    Mrk
     
  13. yankinNcrankin

    yankinNcrankin Registered Member

    Joined:
    May 6, 2006
    Posts:
    406
    Hehe :D looks really .... :D Seen that before on my system; I remember exactly what I did for that to happen....:D
    I don't own that system anymore; in fact it's been obliterated :D
    Very interesting to find someone in here that's experiencing the déjà vu....:D
     
  14. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Sure, but usually AAK shows the path to this app you mentioned.
    Except in the case of low- or ultra-low-level kernel hooks like, e.g., pcacme 7.5.

    You make a confused impression; stop consuming drugs ;-) Or tell us what kind of problem you are talking about.
     