smss wink32.sys rootkit or not?

Discussion in 'Ghost Security Suite (GSS)' started by SystemJunkie, Mar 23, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I stopped GhostSec, after a while I restarted it and it showed me this!

    Rootkit or not? And if what kind of Rootkit?

    Which function does wink32.sys have?

    http://i1.tinypic.com/s2v9cx.png
     
  2. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
  3. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    first look at the file path:

    \windows\system32\systemroot\system32\

    normal path of the file is only
    \windows\system32\

    that part seam to be added to confuse victim
    systemroot\system32\



    Also note that the normal, micosoft approved way of installing driver is catched by regdefend not appdefend. Appdefend catch only *alternate* backdoor way of installing such a driver.


    So i'd say rootkit or at least malware
     
  4. tonyjl

    tonyjl Registered Member

    Joined:
    May 25, 2004
    Posts:
    287
    Hi f3x.

    Thanks for clearing that up, :)

    I can't see Systemjunkie's image,so just pointed out my post in the hope that he might notice the path differences if there was one.
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    @fx3: so it´s definitely a rootkit?

    If so, it´d be there for a long time and it would survive windows xp reinstallations, I disabled IOACPI in Bios last windows reinstallation, but ACPI.sys of Windows install itself, nevertheless if Bios ACPI is on or off. Without ACPI.sys windows doesn´t work.

    This path doesn´t exist: \windows\system32\systemroot\system32\

    Can someone explain this?http://i2.tinypic.com/s66ete.png

    And another question, does anyone know this entry and what is it for?

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\MpShellExecuteHook\MpShellExecuteHook

    Could someone test this antikeylogger too, to inform me if you get the same messages below, I think these are mostly false alarms:
    http://i1.tinypic.com/s3elia.png

    Maybe this will help, last logs of zone alarm:
    (flags:S)
    FWIN,2006/03/25,19:48:04 +1:00 GMT,60.11.125.44:45101,1xx.xxx.xx.xxx:1026,UDP
    FWIN,2006/03/25,19:48:04 +1:00 GMT,60.11.125.44:45101,1xx.xxx.xx.xxx:1027,UDP
    FWIN,2006/03/25,19:48:30 +1:00 GMT,204.16.208.61:32793,1xx.xxx.xx.xxx:1027,UDP
    FWIN,2006/03/25,19:48:40 +1:00 GMT,196.9.177.211:29820,1xx.xxx.xx.xxx:1026,UDP
    FWIN,2006/03/25,19:48:52 +1:00 GMT,221.208.208.87:36298,1xx.xxx.xx.xxx:1026,UDP
    FWIN,2006/03/25,19:49:22 +1:00 GMT,212.176.49.56:14267,1xx.xxx.xx.xxx:1080,TCP (flags:S)
    FWIN,2006/03/25,19:52:32 +1:00 GMT,221.203.189.44:48149,1xx.xxx.xx.xxx:1027,UDP

    What are the UDP Ports 1027,1026 and TCP 1080?
    I also noticed that it is impossible to block all udp ports and still get a working internet connectin.
     
    Last edited: Mar 25, 2006
  6. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi SystemJukie

    Very few thing survive winxp reinstalation (if you mean system format+reinstall)
    If you only did a repair install it'S another story
    Maybe you have reinstalled windows on a C partition
    But have an infected file on another partition ?


    What is the link between ACPI and your "rootkit"?


    It'S either good news (reinstall of windows killed the rootkit)
    Or very bad news (rootkit hide it's files from operating system)
    You should run rootkit revealer form sysinternals to check for hidden files.


    **about the pic, i can't read german
    May it be about the auto update check of ghost security ?

    I'll try to gather more info on this one...
    Why are you interested in that key ?


    Finally about keylogger, i do not know.
    I guess this kind of keylogger checker scan for what program monitor keyboard. If so .. yes it can produce many false positive as it don't know what the program will do with the keyboard information.
     
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Could be possible in some cases, but not the last time, it must have to do something with the hardware.

    I always have to format the partition that I reinstall, but I made another test and installed a brandnew harddisk, nevertheless this did not change anything.
    Many symptoms remained, e.g. while the last installation was in progress windows xp skipped the network configuration and was only available in safe mode, it could not start(!!) after a brandnew reinstall, only in admin mode(safe mode).

    Why windows xp pro skips the network configuration during installation?
    Why windows does not start normally only in safe mode?
    No matter how often I reinstall it, this concerns especially this computer.
    Why VICE does not work on this computer?
    Why is the bios no more able to recognize the floppy drive? Bootloader destruction??
    Why I always get a strange purplebluegreen screen like that (while I install or reinstall windows xp):
    (this screen always appeared since I bought the computer 12 months ago, the alterations like bios flash, harddisk change, winxp installations didn´t change this behaviour)http://i2.tinypic.com/s6jbpu.jpg

    Questions over questions.

    Because it is always reconstructed no matter how often I delete it from registry and I did not find anything in google about this mysterious key
    the same with this key

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\MpComExports\MpComExports

    0 entries in google!?!

    I even reflashed the bios (from CD to HD! normally not possible, but the floppy did not work)
    with latest update, but the first area of bios remained.

    Another thing, I block svchost always, I told App Defend to block svchost always, now the 4th times this pops up
    http://i2.tinypic.com/s6k6k9.png

    (rkrevealer found nothing special only: HKLM\SOFTWARE\Classes\webcal\URL Protocol 16.03.2006 10:55 13 bytes Data mismatch between Windows API and raw hive data.)
    While scanning with rkrevealer nod32 found this on my restricted user account:
    http://i2.tinypic.com/s6klmd.png
    This is the temporary cache of firefox and the long exe is rkrevealer.
     
    Last edited: Mar 25, 2006
  8. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hi systemJunky
    This post is getting off topic regarding to appdefend, however i'll try to help my best.

    First thing i have to question is the situation of your hardware.
    Is it new hardware from a reconised compagny ?
    Is is old or something you have put together yourself ?

    Winxp skiping part could be that your hardware is so defective, it does not reconise any network card ? Or that the driver of your network card is not reconised by default.

    If windows does not want to boot on somethihng else than safemode i'd really question your hardware. And i highly doubt any virus have yet the advanced capacity of doing all your symptoms + hide in the bios + resist bios flash.

    The screen look like either a really crappy monitor or corrupted videocard / ram


    I have yet not find something interesting about your key, however the second key you suggest contain
    CurrentVersion\Tracing

    I'd guess it's a sort of event-log or something like that. This would explain why the key keep being rebuild.

    Svchost is a special case.... as it's mentioned it's a "host" process that can host many subprocess inside. If you blocked alwais svchost 4 time, it's really possible you have blocked 5 diferent svchost (see command line in appdefend tab)

    Beware before making assumption too fast on rootkitrevealer.
    Effectively .... rkrevealer is the program who triguer the nod32 alert.
    Because rkrevealer will read *all* file on your HD. Nod32 realtime protetion will scan files that rkrevealer is reading .. and thus this is why nod foud a virus in / document and seting / yourname

    The long exe there is really a virus not rkrevealer.
    I'd recommand doing a full system scan.


    You are saying tht you keep being infected each time you reinstall windows ?
    DO you have a firewall / router that protect windows from being attack by a knwo vulnerability ? You should reinstall your windows with a winXP slipstreamed with SP2 and other recent hotpatches ... this will give you a solid ground to prevent infection. Are you sure you do not have another compuer on the network you send virus to uninfected comp ?


    I am sorry for you but each time i see your photo of the blue-purple i think that well some part (if not the totality) of your hardware need a strong servicing if not a complete replacement. The other thing i have in my mind is that the industry of PC have *recently* be plagued by a crisis of bad capacitor that do weird thing in motherboard.. i wonder if this could be the case. Have you thought of selling the photo as modern art ?

    Hope that the bad shape of the PC (hardware + virus) will be soon better.
    I wish you good luck.
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    First thanks a lot for taking time to answer all these questions.

    I own the original WinXP Pro SP2 CD and installed all hot fixes in safe mode after installing win xp to hd, I even close all ports and unnecessary services before going into the internet. (Dcom, netbios...)

    As you see my monitor works very nice, otherwise I wouldn´t be here in this forum.

    This is maybe the case, but in doubt, because when win xp is installed the video card works totally faultless. This crappy green color effect only appears on my screen before windows xp is installed and loaded and only while installing or loading winxp either from external cd rom or installation cd rom. It happens only from external devices in this case cd-rom which is in fact needed to install win xp.

    No definitely not, AppDefend is not capable to memorize my task(Block Always), with every computer reboot it asks the same question(svchost trying access to udp) and even while I am surfing. (probably because it is in beta phase) But Antihooker 2.5 e.g. has similar problems, Antihook is even more vulnerable, it sometimes tells you to block Hooks but in reality the hook survives, especially if it is related to the csrss.exe.

    Additionally concerning AppDefend: why is a betaphase product as expensive? Normally Betaphase products are for free, isn´t it strange? In a german forum they questioned me why am I using so much unstable beta stuff which isn´t proven yet.

    I use no router, I use the MSI K8 Neo4 Platinum Board which has a hardware firewall based on software, but it is not good, in march 2005 I installed the apache firewall which immediately got a buffer overflow after the first boot and was open like a big hole. I never used this crappy firewall again and disabled it totally.

    This seems to be the most plausibel reason.
    But once I noticed that this screen was generated from the bios, look at this:
    http://i2.tinypic.com/qnp57c.jpg

    The foto is not that good, but on the left bottom you will see the bios date and signature, so it is probably a bios phenomenon which comes from the msi neo4 board. The extraordinary is that this greenpurple plate was there since I bought this computer. My first thought was, maybe a antivirus protection of my amd cpu, then I thought about a nvidia logo, but in reality this effect can only come from the board, bios or the vga card. Most plausible seems to be a crappy bios from the beginning. I reflashed the bios 4 times always updates, but the effect remained: A greenpurple plate which moves from the top of the screen down to the bottom then disappears and for some seconds nothing happens, then the windows installation goes on.

    That´s it! It´s a yukon network card driver I have to install it after the installation has completed.

    If someone knows or recognizes this green plate and know something about it please post your information in here.
    I am extremely curious about to know if someone else in the world experienced this extraterrestrial green screen.
     
    Last edited: Mar 26, 2006
  10. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Now we are getting back on the topic ;)
    Yes, appdefend is in beta. However it's more or less what i call GUI-beta.
    The backgroud is really stable but there are thing missing to be a complete product.

    One of the bug i know that si fixed in the next comming beta is short filename.
    Eg: if you have a program
    C:/program files/blah.exe
    C:/program~1/blah

    It'l appear as two different program.

    I'm curious to see a screenshot of your appdefend tab.
    In that tab you'll see a list of all the application that have you have clicked allow alwais + those you have manually added to configure. I'm curious to see the section that have the svchost process.

    If there is none i'll ask you if gss.exe have enougth permission to write it's config files
     
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  12. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hmm this screenshot isn.t of great help isn't it ;)

    Ok i'll try to answear your question.


    Hmm i've dig an interesting thread regarding appdefend + network access.
    You should know that svchost will need some sort of access to make certain service (eg DNS) work.

    https://www.wilderssecurity.com/showthread.php?t=107631

    about your svchost...
    You show me that one of them is set to alwais block.
    What about the two others? are they configured the same ?
    Appdefend consider the three svchost as complete diferent application as they do not have the same command line.

    Anywais, you should not block svchost to have network access as it's needed for normal web browsing.

    Ghost security have lifetime licence policy. When you pay the cost for appdefend you don't buy a betaproduct, you buy a lifetime licence for all future version also. This should explain the cost. It's like paying for all the future version, but in advance.

    You cvan have 10 or 15% (don't remember) off if you register on the ghost security website.

    Many of use use the product daily and it's anything but unstable.
     
  13. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Original post is COMPLETELY NORMAL activity. Auto allow this.

    \system32\win32k.sys is the driver being installed, is always there. This is normal, it would happen if you created a new user.. or more precisely the first time you logged into that user. The user initialisation includes the creation of a new user and user space - a new SESSION, and lots of other interesting stuff.

    Problems with a screen if you formatted ? it must be the hardware
     
  14. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Oh and the seemingly \windows\system32\systemroot\system32\ added to confuse victim, is added by a bug in the program IMHO
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    The Zone Alarm warning looks like it thinks gss.exe attacked by modifying that process memory space, it shows the full commandline of the process that was modified.
     
  16. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I can confirm this also - it is present on my (darn sure it's clean :D) Win2K system. Interesting info on its purpose though.
     
  17. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
  18. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Sorry for the many pictures, but I am digging deep into the system and there are lots of questions.

    This procedure is necessary otherwise internet connection is not possible,
    looks normal, isn´t it?

    http://i1.tinypic.com/se16ad.png

    Now PG 3.3 beta tries to block explorer from modifying opera but opera still doesn´t want to start: (I disallowed explorer to modify things)

    http://i1.tinypic.com/se16rb.png

    Now another prove for scary things on my system, there was a tool called switch sniffer on a computer cd, that should help analyzing the network, but there is a BO too in switchsniffer.exe and now look what happens if I list the directories with explorer.exe and cmd.exe:

    http://i1.tinypic.com/se1s9j.png
     
  19. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    A simple question : have you scanned your computer for viruses ?
    The best in your case is either to boot on a CD (BartPE) having an up to date AV, or to disconnect physically your HDD, to put it into an external USB HDD box, and to scan it with an up to date AV from another _clean_ computer.

    I don't know if you are watching legitimate system activities or rogue stealth programs, but in any case a scan is always good.

    Regards,
    gkweb.
     
  20. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    gkweb, naturally I always scan my computer with the best available scanner on the market: Nod32 and GData alias Kaspersky+BitDefender.
    The idea with the usb hdd box ist good but a non compromised pc to find is harder, according to the announcements of microsoft in the press every fifth computer is infected with rootkits. Simple software rootkits like hxdef, fu and so on, are in my opinion not the danger, the danger comes from another side but actually I am not sure from which, as you see my screens above. (more hardware based or file infection via unknown or hidden partitions or flashed devices, who knows)
     
  21. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Hmm Gavin You are rigth...
    Well partially. The file is normal... it's ok
    The bad path is my fault not appdefend ones.


    The first line is the path of the executable
    C:/windows/system32/

    The second line is the path + arguments
    /systemroot/system32/smss.exe


    What was confusing is that Systemroot was not transalted into C:/windows/

    What can be a bug is that Jason told us the "rootkit" popup don't happen in normal situation ... while it look like this one is a legitimate case
     
  22. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    f3x,
    The way the smss.exe process is being reported is due to the way that it is started by Windows. If you look at it with Process Explorer you will see exactly the same thing in the "Command Line" and gss is just presenting the information without filtering it

    In an alert dialog it is definitely confusing to report smss.exe with 2 different paths, especially since they resolve to the same place. It would probably be a good thing for this to receive a little special attention for the alert dialog to save confusion
     
  23. f3x

    f3x Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    311
    Location:
    Montreal, Quebec
    Thank you for the information gottadoit.

    It may be possible that smss start very soon in windows boot process and we don't really have partition mapped or something like that ... this would explain systemroot.

    After thinking twice... i beleive the best way to handle the situation is to include the exe filename in the path.

    C:/windows/system32/smss.exe
    /systemroot/system32/smss.exe

    This would have prevented me from missinterpreting the path as a single splited with a \n newline.
     
  24. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Why not allow explorer.exe to modify ? could be the root of all your problems. If you're that unsure about the system's state, format and be sure. Then you won't be likely to worry ? ;)

    http://www.osronline.com/DDKx/graphics/gdifncs_776v.htm

    EngDeleteSurface is part of a graphics operation. If you do not allow the SHELL (explorer) modify access, it could be intefering with a drawing operation in Opera.
     
  25. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    @Gavin: I am tired always reformatting in the end it will always be the same situation. Yep, the surface of Opera was deleted, but in filemon a BuffOvflw. was shown simultaneously with the deletesurface.

    Beside actually Opera works finally, don´t know why. The a squared messages are nothing dangerous, the biggest problem of those anti protection tools is that it is sometimes very difficult to distinguish whether the message is true or not, in many cases the danger is not that high as showed, I experienced.

    But something I really wonder, why in most threads one find the win32k.sys, is the process so important? Naturally Opera process was non-existent because the surface has been deleted.

    PS: Someone should tell the appdefend inventor that it occurs a blue screen when trying to use IceSword and AppDefend, in my case I also use ZoneAlarm. Everytime I try starting IceSword the Computer makes a BSOD.
     
Thread Status:
Not open for further replies.