KAVICHS streams attached to everything

Discussion in 'Trojan Defence Suite' started by controler, Dec 24, 2004.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    Hello

    After starting TDS this morning I got all kinds of hits on hidden streams.

    The only thing I did was uninstall KAV personal pro trial last night.

    I also might have tried unhackme and secureworld and uninstalled them both.
    I did notice Bo Clean sounding off when I tried to uninstall Secureworld by MT-Soft and I am still not sure why. After uninstalling Secureworld and getting the warning splash screen from BoClean, Bo Clean would not start up again for about three reboots.
    The funny thing is the stream ADS appear to look more like a KAV file to me:
    KAVICHS.

    Please take a peek at my TDS log file and tell me what you think.

    Bruce
     

    Attached Files:

  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Controller, The AdStreams are from KAV 5. I have had them once and they are harmless. I believe that you can tell KAV not to add them in the pro version but not in the home version.
    No idea about the other problem with BoClean though.

    HTH Pilli
     
  3. controler

    controler Guest

    Hi pilli

    I sent you a PM but am still looking for the thread where I posted the first reference to the MZ stream. This DOES not look good to me.
    When I right click and view properties I get MZ.EXE and that isn't a KAV file.

    Bruce
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    controler,

    Have fun reading this long thread. Kaspersky's Stream Remover can be grabbed over there as well.

    regards,

    paul
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
  6. controler

    controler Guest

    I will try to read it now that I have 4 days off for the holidays LOL

    Here is the funny thing Paul.

    In a thread about a week or two ago I posted that I downloaded a movie.
    I just had not had stream detection enabled before in TDS.
    After running a scan TDS found MZ.EXE attached to the movie and nothing else. I was running KAV and continued running it until last night when the trial ran out. I don't think uninstalling KAV would have added that file to almost everything. Why would they add it on an uninstall?
    Even though the TXT file shows what appears to be a KAV file, a right click
    properties with TDS shows MZ.EXE attached which is not a KAV file.

    Am I missing something here?

    Bruce
     
  7. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    With all the alleged problems with the KAV streams remover why not use the one from Hijackthis

    It is now built into HJT 1.99

    open HJT/config/misctools/, open ADS Spy, untick quickscan and safe streams, then when it finishes scanning (it will take a while) select all the unwanted streams and delete them
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Controler,

    In your case, I would focus on getting rid of them in case you want to.

    Derek suggested the obvious solution of course :cool:
     
  9. controler

    controler Guest

    The thing is I don't think the original was attached by KAV.
    I think it came attached to the movie I downloaded.
    I will go look at DSL and see if anyone else had MZ.EXE
    Like I said, why would KAV only attach them on uninstall. They sure weren't there before.
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
  11. controler

    controler Guest

    Ok I did read the DSL thread and have the impression KAV might be stuck in the middle of another problem. It appears some of the others had streams they thought were KAV's but the tags were not deleted and KAV's response is that their program only removed KAV's tags and not others.
    I did not see any mention of the actual EXE file.

    My conclusion: TDS did not detect the streams until I uninstalled KAV which makes me wonder. Don't any of you think it funny KAV would add tags on uninstall? There would be no purpose in it.
    I will send the file to TDS and then proceed to reformat.
    I really think there is more here than just a simple KAV tag problem on my machine anyway.

    Bruce
     
  12. controler

    controler Guest

    Thanks ronjor

    Now I am starting to see some sense here.

    I knew I was not drunk. It is too early to start drinking LOL

    I guess I could check my look & stop logs also. I have it set to advanced but was just about to add Phantom's ruleset dangit.

    So it does appear I have this rootkit
    I don't blame pilli for not knowing it from my post a few weeks ago but I do think giving advice about streams smaller than 128 bytes might not be the best with this new rootkit

    I know the first occurrence of MZ a few weeks ago was less than 128.
    Now it is growing in size, attaching to all my files and blaming KAV.
    Just because TDS is showing it as KAVICHS doesn't mean it IS KAV.
    Like I said properties shows MZ.EXE



    Bruce
     
  13. controler

    controler Guest

    I see from the other thread DCS had not received the file yet.
    Do you still need it before I reformat?

    Bruce
     
  14. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Controller, The advice about 128 byte files is from Gavin. I have pm'd you with some other ideas re. unhackme which might find any hidden rootkits.

    Remember a rootkit would need to install a driver or service albeit these may be hidden.

    Pilli
     
  15. dog

    dog Guest

    Just 2 ~little~ cents

    Aren't MZ.EXE old DOS exe's ... o_O Which may be related to KAV's integrity checker.

    http://www.kaspersky.com/news?id=46

    Why not inquire with KAV Support before proceeding further. ;)

    Steve

    One little side note concerning Merijn's ADS Spy remover/& or the Latest HJT(which includes ADS Spy in the tools section) it only scans the C volume for streams.
     
    Last edited by a moderator: Dec 24, 2004
  16. controler

    controler Guest

    I just installed process explorer now and am not real sure of its power yet.
    Can it find hidden services and drivers?

    Dog thanks but as I mentioned, why was it attached to only one video file which I got from Suprnova, (shut down now)
    and no other files till last night?
    Why did BoClean go off and was shut down for three reboots?

    Bruce
     
  17. richrf

    richrf Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    1,907
    I am not so sure that KAV's use of streams is so innocuous. Once this "door" is opened up, it can be used by other malicious programs to "hide in". I know that I was advised by the folks at Diamondcs to ignore streams less than 64 bytes (by using the TDS-3 setting) - but once I start ignoring streams, how do I know that I am not ignoring something malicious. ADS is the primary reason I did not purchase KAV 5.0 initially. Other instabilities eventually convinced me to purchase 4.5.

    Rich
     
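The two posts above disagree about whether streams under a size threshold (64 or 128 bytes) can be ignored, and dvk01's earlier post describes deleting streams by hand from ADS Spy. As an added example that is not from the thread or from any of the tools named in it, here is a Python checker that classifies a stream by its content instead of its size: a stream starting with an MZ/PE header is executable no matter how small it is. The stream names KAVICHS and MZ.EXE come from the thread; the sample bytes, the tiny PE stub and the helper names are constructed for this example. Stream enumeration uses the Win32 FindFirstStreamW call and so only works on Windows/NTFS; the classification logic itself is portable.

```python
"""Added example: classify NTFS alternate data streams by content, not size."""
import ctypes
import struct
import sys
from dataclasses import dataclass

# Stream name the thread reports KAV 5 attaching to scanned files (assumption:
# taken from the thread, not from vendor documentation).
KNOWN_CHECKSUM_STREAMS = {"KAVICHS"}


@dataclass
class Verdict:
    stream: str       # stream name without the ':' and ':$DATA' decoration
    size: int
    executable: bool
    reason: str


def short_stream_name(stream_name: str) -> str:
    """':MZ.EXE:$DATA' -> 'MZ.EXE' (FindFirstStreamW reports names in that form)."""
    return stream_name.lstrip(":").split(":")[0]


def looks_like_pe(data: bytes) -> bool:
    """True when data carries an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(stream_name: str, data: bytes) -> Verdict:
    """Decide whether a stream's leading bytes are executable content."""
    name = short_stream_name(stream_name)
    if looks_like_pe(data):
        return Verdict(name, len(data), True, "MZ/PE header: executable stored in a stream")
    if data[:2] == b"MZ":
        return Verdict(name, len(data), True, "MZ header without PE signature: treat as suspicious")
    if name in KNOWN_CHECKSUM_STREAMS:
        return Verdict(name, len(data), False, "known AV checksum stream, non-executable content")
    return Verdict(name, len(data), False, "non-executable content")


def enumerate_streams(path: str):
    """Yield (stream_name, size) for each named stream on path (Windows only)."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs Windows (FindFirstStreamW)")

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]

    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.POINTER(WIN32_FIND_STREAM_DATA), ctypes.c_uint]
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.POINTER(WIN32_FIND_STREAM_DATA)]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    info = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(info), 0)
    if handle is None or handle == ctypes.c_void_p(-1).value:
        return  # no named streams, not NTFS, or access denied
    try:
        while True:
            if info.cStreamName != "::$DATA":      # skip the file's main data stream
                yield info.cStreamName, info.StreamSize
            if not k32.FindNextStreamW(handle, ctypes.byref(info)):
                break
    finally:
        k32.FindClose(handle)


def scan_file(path: str, head_bytes: int = 4096) -> "list[Verdict]":
    """Classify every named stream on one file by its leading bytes (Windows only)."""
    verdicts = []
    for stream_name, size in enumerate_streams(path):
        with open(f"{path}:{short_stream_name(stream_name)}", "rb") as fh:
            verdict = classify(stream_name, fh.read(head_bytes))
        verdict.size = size  # report the real stream size, not just the bytes read
        verdicts.append(verdict)
    return verdicts


def tiny_pe_stub() -> bytes:
    """Constructed 88-byte blob with a valid MZ header and PE signature (no code)."""
    header = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    return header + b"PE\x00\x00" + b"\x00" * 20            # COFF header placeholder


if __name__ == "__main__":
    # Constructed samples standing in for streams found on one file.
    samples = [(":KAVICHS:$DATA", bytes(range(32))), (":MZ.EXE:$DATA", tiny_pe_stub())]
    for name, data in samples:
        v = classify(name, data)
        print(f"{v.stream:10} {v.size:5d} bytes  executable={v.executable}  {v.reason}")
```

The 88-byte stub is below both thresholds mentioned in the thread yet is reported as executable, which is the point: a size cut-off is a convenience filter, not a safety check. On a Windows box, `scan_file(r"C:\path\to\movie.avi")` runs the same classification over the file's real streams.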
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Bruce - Have you tried running rkdetector.exe? I'm just curious as to whether it'll show anything flaky.

    It gives you a report that looks something like this:

    . .. ...: Rootkit Detector Profesional 2004 v0.62 :... .. .
    Rootkit Detector Profesional 2004
    Programmed by Andres Tarasco Acuna
    Copyright (c) 2004 - 3wdesign Security
    Url: http://www.3wdesign.es


    -Gathering Service list Information... ( Found: 283 services )
    -Gathering process List Information... ( Found: 57 process )
    -Searching for Hidden process Handles. ( Found: 0 Hidden Process )
    -Checking Visible Process.............
    c:\program files\compaq\easy access button support\starteak.exe
    c:\program files\spywareguard\sgbhp.exe
    c:\windows\system32\svchost.exe
    c:\windows\system32\locator.exe
    c:\windows\system32\snoopfreesvc.exe
    c:\windows\system32\smss.exe
    c:\windows\system32\tlntsvr.exe
    c:\windows\system32\csrss.exe
    c:\windows\system32\ups.exe
    c:\windows\system32\services.exe
    c:\windows\system32\lsass.exe
    c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe
    c:\program files\compaq\easy access button support\cpqeadm.exe
    c:\windows\system32\svchost.exe
    c:\compaq\cpqinet\cpqinet.exe
    c:\compaq\eakdrv\eausbkbd.exe
    c:\windows\system32\spoolsv.exe
    c:\windows\system32\alg.exe
    c:\windows\explorer.exe
    c:\program files\apc\apc powerchute personal edition\mainserv.exe
    c:\program files\processguard\dcsuserprot.exe
    c:\program files\ewido\security suite\ewidoctrl.exe
    c:\program files\eset\nod32krn.exe
    c:\program files\java\j2re1.5.0\bin\jusched.exe
    c:\windows\system32\pctspk.exe
    c:\program files\spyblocker software\spyblocker.exe
    c:\windows\system32\pgpserv.exe
    c:\program files\microsoft security\limewire\limewire.exe
    c:\program files\tds3\tds-3.exe
    c:\program files\eset\nod32kui.exe
    c:\program files\internet explorer\iexplore.exe
    c:\windows\msagent\agentsvr.exe
    c:\progra~1\compaq\easyac~1\bttnserv.exe
    c:\program files\sockscapv2\sc32lnch.exe
    c:\windows\snoopfreeui.exe
    c:\program files\processguard\pgaccount.exe
    c:\program files\acesoft\tracks eraser pro\te.exe
    c:\program files\processguard\procguard.exe
    c:\program files\spybot - search & destroy\teatimer.exe
    c:\program files\pgp corporation\pgp for windows xp\pgptray.exe
    c:\program files\privoxy\privoxy.exe
    c:\program files\shadowstor\shadowuser\shadowuser.exe
    c:\program files\bhodemon 2\bhodemon.exe
    c:\program files\mru-blaster\scheduler.exe
    c:\program files\apc\apc powerchute personal edition\apcsystray.exe
    c:\windows\system32\rkdetector.exe
    c:\windows\system32\cmd.exe
    c:\program files\cookiemuncher\cookiem.exe
    c:\program files\opera\opera.exe
    c:\program files\id-blaster plus\idblasterplus.exe
    c:\program files\spywareguard\sgmain.exe
    c:\program files\outlook express\msimn.exe
    -Searching again for Hidden Services..
    -Gathering Service list Information... ( Found: 0 Hidden Services)
    -Searching for wrong Service Paths.... ( Found: 5 wrong Services )
    -------------------------------------------------------------------------------
    *SV: EACMOS (EACMOS) PATH: c:\windows\system32\drivers\eacmos.sys
    -------------------------------------------------------------------------------
    *SV: EAWDMFD (EAWDMFD) PATH: c:\windows\system32\drivers\eawdmfd.sys
    -------------------------------------------------------------------------------
    *SV: procguard (procguard) PATH: c:\windows\system32\drivers\procguard.sys
    -------------------------------------------------------------------------------
    *SV: SnoopFree (SnoopFree Driver) PATH: c:\windows\system32\drivers\snopfree.sys
    -------------------------------------------------------------------------------
    *SV: VFILT (Outpost Firewall Kernel Driver) PATH: c:\progra~1\agnitum\outpos~1\kernel\2000\filtnt.sys
    -------------------------------------------------------------------------------
    -Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
    -Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
    -Searching for hxdef hooks............ ( Found: 0 running rootkits)
    -Searching for other rootkits......... ( Found: 0 running rootkits)

    The point being, of course, to see if it does come up with anything besides 0's for suspicious running modules or rootkits. Pete
     
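Pete's post says the thing to look for in that report is any count other than 0 for hidden processes, suspicious modules or running rootkits. As an added example, not from the thread or from the Rootkit Detector tool, here is a small Python parser for that report format (the format is inferred from the sample pasted above; the embedded report is a constructed, shortened version of it) that pulls out the counts, raises an alert on any non-zero rootkit-related count, and lists the "wrong service path" entries separately so they can be reviewed rather than treated as detections.

```python
"""Added example: parse a Rootkit Detector text report and flag non-zero counts."""
import re

# '-Searching for Hidden process Handles. ( Found: 0 Hidden Process )'
FOUND_RE = re.compile(r"^-(?P<label>.+?)\.*\s*\(\s*Found:\s*(?P<n>\d+)\s+(?P<what>[^)]*?)\s*\)")
# '*SV: VFILT (Outpost Firewall Kernel Driver) PATH: c:\...\filtnt.sys'
SERVICE_RE = re.compile(r"^\*SV:\s+(?P<name>\S+)\s+\((?P<display>[^)]*)\)\s+PATH:\s+(?P<path>.+)$")

# Categories that should be zero on a clean system; plain service/process totals are not.
ALERT_WORDS = ("hidden", "rootkit", "suspicious")


def parse_report(text: str) -> dict:
    counts, services = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        m = FOUND_RE.match(line)
        if m:
            what, n = m.group("what"), int(m.group("n"))
            counts[what] = max(counts.get(what, 0), n)  # same label can repeat
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append({"name": m.group("name"), "display": m.group("display"),
                             "path": m.group("path").strip()})
    alerts = [f"{what}: {n}" for what, n in counts.items()
              if n and any(w in what.lower() for w in ALERT_WORDS)]
    # 'wrong service paths' are worth a look but in the thread's sample they are
    # vendor drivers; 8.3 short names (progra~1) are a common benign cause.
    short_name_paths = [s for s in services if "~" in s["path"]]
    return {"counts": counts, "wrong_services": services,
            "alerts": alerts, "short_name_paths": short_name_paths}


# Constructed, shortened report in the format shown in the thread.
SAMPLE_CLEAN = r"""
-Gathering Service list Information... ( Found: 283 services )
-Gathering process List Information... ( Found: 57 process )
-Searching for Hidden process Handles. ( Found: 0 Hidden Process )
-Checking Visible Process.............
-Searching again for Hidden Services..
-Gathering Service list Information... ( Found: 0 Hidden Services)
-Searching for wrong Service Paths.... ( Found: 2 wrong Services )
-------------------------------------------------------------------------------
*SV: procguard (procguard) PATH: c:\windows\system32\drivers\procguard.sys
-------------------------------------------------------------------------------
*SV: VFILT (Outpost Firewall Kernel Driver) PATH: c:\progra~1\agnitum\outpos~1\kernel\2000\filtnt.sys
-------------------------------------------------------------------------------
-Searching for Rootkit Modules........ ( Found: 0 Suspicious modules )
-Trying to detect hxdef with TCP data..( Found: 0 running rootkits)
-Searching for hxdef hooks............ ( Found: 0 running rootkits)
-Searching for other rootkits......... ( Found: 0 running rootkits)
"""

# Same report with one count altered (constructed) to show what an alert looks like.
SAMPLE_SUSPECT = SAMPLE_CLEAN.replace("Found: 0 Hidden Process", "Found: 1 Hidden Process")


if __name__ == "__main__":
    for label, report in (("clean", SAMPLE_CLEAN), ("suspect", SAMPLE_SUSPECT)):
        result = parse_report(report)
        print(label, "alerts:", result["alerts"] or "none")
        for svc in result["wrong_services"]:
            print("  review service:", svc["name"], "->", svc["path"])
```

Reading the counts programmatically matters mostly when the report scrolls past, as happened in the thread when the tool's window closed before it could be read; saving the output to a file and feeding it to `parse_report` keeps the numbers.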
  19. controler

    controler Guest

    I think I tried an older version Pete way back but yes I will get back on my other computer and give it a try. If I knew more about process explorer I might see something there.
    Even though everybody seems to think this is not a problem for me I am feeling very uneasy about this one.
    It makes no sense. I sure hate to stay online on what could be an infected computer. I also want to get to the bottom of it in case it is a legit problem.
    For one it came attached to a movie and was not attached by KAV.
    I took everyone's word for files not being larger than 128 bytes were safe so I extracted the file and clicked on it anyways lol.
    Doc said yesterday I have an ear infection, Upper Resp infection and diverticulitis ewwwww and never got any pain killers only antibiotics.
    I am still kickin though....

    I can't read the web page http://www.3wdesign.es/entrada.html



    Bruce
     
  20. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Click on "SERVICIOS", then "3W Design & Security" - it'll be on the next page that comes up over on the right. Pete
     
  21. controler

    controler Guest

    Is this to be run from DOS prompt?
    I clicked on it, it ran through a DOS window then closed lol

    before it closed I could see some red text with Kaspersky in it.

    Before it closes I see found suspicious files then generates the MS send report
     
  22. controler

    controler Guest

    see attached DOC
     

    Attached Files:

  23. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hmm..to my not-very-educated eyes, it looks NOT TOO GOOD! You might want to generate a HJT report and get someone to look at it, too.

    Hopefully, I'm wrong. Pete
     
  24. controler

    controler Guest

    Just for the heck of it I tried running Rkdetector on my other machine and it kills My Anti-Keylogger program. Now that is interesting

    I will try shutting down spysweeper etc. and see if I can see what is hooking

    Bruce
     
  25. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    controler,

    For the sake of it, give Dmitry Sokolov's Unhackme a try as well. Not convinced at first glance there's something fishy going on without any doubt.
     