smss wink32.sys rootkit or not?

I stopped GhostSec, after a while I restarted it and it showed me this!

Rootkit or not? And if what kind of Rootkit?

Which function does wink32.sys have?

http://i1.tinypic.com/s2v9cx.png

 

Hi Systemjunkie.

Have a look here,i enquired about it a while ago. https://www.wilderssecurity.com/showthread.php?t=120812&highlight=smss.exe

 

first look at the file path:

\windows\system32\systemroot\system32\

normal path of the file is only
\windows\system32\

that part seam to be added to confuse victim
systemroot\system32\



Also note that the normal, micosoft approved way of installing driver is catched by regdefend not appdefend. Appdefend catch only *alternate* backdoor way of installing such a driver.


So i'd say rootkit or at least malware

 

Hi f3x.

Thanks for clearing that up,

I can't see Systemjunkie's image,so just pointed out my post in the hope that he might notice the path differences if there was one.

 

@fx3: so it´s definitely a rootkit?

If so, it´d be there for a long time and it would survive windows xp reinstallations, I disabled IOACPI in Bios last windows reinstallation, but ACPI.sys of Windows install itself, nevertheless if Bios ACPI is on or off. Without ACPI.sys windows doesn´t work.

This path doesn´t exist: \windows\system32\systemroot\system32\

Can someone explain this?http://i2.tinypic.com/s66ete.png

And another question, does anyone know this entry and what is it for?

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\MpShellExecuteHook\MpShellExecuteHook

Could someone test this antikeylogger too, to inform me if you get the same messages below, I think these are mostly false alarms:
http://i1.tinypic.com/s3elia.png

Maybe this will help, last logs of zone alarm:
(flags:S)
FWIN,2006/03/25,19:48:04 +1:00 GMT,60.11.125.44:45101,1xx.xxx.xx.xxx:1026,UDP
FWIN,2006/03/25,19:48:04 +1:00 GMT,60.11.125.44:45101,1xx.xxx.xx.xxx:1027,UDP
FWIN,2006/03/25,19:48:30 +1:00 GMT,204.16.208.61:32793,1xx.xxx.xx.xxx:1027,UDP
FWIN,2006/03/25,19:48:40 +1:00 GMT,196.9.177.211:29820,1xx.xxx.xx.xxx:1026,UDP
FWIN,2006/03/25,19:48:52 +1:00 GMT,221.208.208.87:36298,1xx.xxx.xx.xxx:1026,UDP
FWIN,2006/03/25,19:49:22 +1:00 GMT,212.176.49.56:14267,1xx.xxx.xx.xxx:1080,TCP (flags:S)
FWIN,2006/03/25,19:52:32 +1:00 GMT,221.203.189.44:48149,1xx.xxx.xx.xxx:1027,UDP

What are the UDP Ports 1027,1026 and TCP 1080?
I also noticed that it is impossible to block all udp ports and still get a working internet connectin.

 

Hi SystemJukie

Very few thing survive winxp reinstalation (if you mean system format+reinstall)
If you only did a repair install it'S another story
Maybe you have reinstalled windows on a C partition
But have an infected file on another partition ?

What is the link between ACPI and your "rootkit"?

It'S either good news (reinstall of windows killed the rootkit)
Or very bad news (rootkit hide it's files from operating system)
You should run rootkit revealer form sysinternals to check for hidden files.


**about the pic, i can't read german
May it be about the auto update check of ghost security ?

I'll try to gather more info on this one...
Why are you interested in that key ?


Finally about keylogger, i do not know.
I guess this kind of keylogger checker scan for what program monitor keyboard. If so .. yes it can produce many false positive as it don't know what the program will do with the keyboard information.

 

Could be possible in some cases, but not the last time, it must have to do something with the hardware.

I always have to format the partition that I reinstall, but I made another test and installed a brandnew harddisk, nevertheless this did not change anything.
Many symptoms remained, e.g. while the last installation was in progress windows xp skipped the network configuration and was only available in safe mode, it could not start(!!) after a brandnew reinstall, only in admin mode(safe mode).

Why windows xp pro skips the network configuration during installation?
Why windows does not start normally only in safe mode?
No matter how often I reinstall it, this concerns especially this computer.
Why VICE does not work on this computer?
Why is the bios no more able to recognize the floppy drive? Bootloader destruction??
Why I always get a strange purplebluegreen screen like that (while I install or reinstall windows xp):
(this screen always appeared since I bought the computer 12 months ago, the alterations like bios flash, harddisk change, winxp installations didn´t change this behaviour)http://i2.tinypic.com/s6jbpu.jpg

Questions over questions.

Because it is always reconstructed no matter how often I delete it from registry and I did not find anything in google about this mysterious key
the same with this key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\MpComExports\MpComExports

0 entries in google!?!

I even reflashed the bios (from CD to HD! normally not possible, but the floppy did not work)
with latest update, but the first area of bios remained.

Another thing, I block svchost always, I told App Defend to block svchost always, now the 4th times this pops up
http://i2.tinypic.com/s6k6k9.png

(rkrevealer found nothing special only: HKLM\SOFTWARE\Classes\webcal\URL Protocol 16.03.2006 10:55 13 bytes Data mismatch between Windows API and raw hive data.)
While scanning with rkrevealer nod32 found this on my restricted user account:
http://i2.tinypic.com/s6klmd.png
This is the temporary cache of firefox and the long exe is rkrevealer.

 

Hi systemJunky
This post is getting off topic regarding to appdefend, however i'll try to help my best.

First thing i have to question is the situation of your hardware.
Is it new hardware from a reconised compagny ?
Is is old or something you have put together yourself ?

Winxp skiping part could be that your hardware is so defective, it does not reconise any network card ? Or that the driver of your network card is not reconised by default.

If windows does not want to boot on somethihng else than safemode i'd really question your hardware. And i highly doubt any virus have yet the advanced capacity of doing all your symptoms + hide in the bios + resist bios flash.

The screen look like either a really crappy monitor or corrupted videocard / ram


I have yet not find something interesting about your key, however the second key you suggest contain
CurrentVersion\Tracing

I'd guess it's a sort of event-log or something like that. This would explain why the key keep being rebuild.

Svchost is a special case.... as it's mentioned it's a "host" process that can host many subprocess inside. If you blocked alwais svchost 4 time, it's really possible you have blocked 5 diferent svchost (see command line in appdefend tab)

Beware before making assumption too fast on rootkitrevealer.
Effectively .... rkrevealer is the program who triguer the nod32 alert.
Because rkrevealer will read *all* file on your HD. Nod32 realtime protetion will scan files that rkrevealer is reading .. and thus this is why nod foud a virus in / document and seting / yourname

The long exe there is really a virus not rkrevealer.
I'd recommand doing a full system scan.


You are saying tht you keep being infected each time you reinstall windows ?
DO you have a firewall / router that protect windows from being attack by a knwo vulnerability ? You should reinstall your windows with a winXP slipstreamed with SP2 and other recent hotpatches ... this will give you a solid ground to prevent infection. Are you sure you do not have another compuer on the network you send virus to uninfected comp ?


I am sorry for you but each time i see your photo of the blue-purple i think that well some part (if not the totality) of your hardware need a strong servicing if not a complete replacement. The other thing i have in my mind is that the industry of PC have *recently* be plagued by a crisis of bad capacitor that do weird thing in motherboard.. i wonder if this could be the case. Have you thought of selling the photo as modern art ?

Hope that the bad shape of the PC (hardware + virus) will be soon better.
I wish you good luck.

 

First thanks a lot for taking time to answer all these questions.

I own the original WinXP Pro SP2 CD and installed all hot fixes in safe mode after installing win xp to hd, I even close all ports and unnecessary services before going into the internet. (Dcom, netbios...)

As you see my monitor works very nice, otherwise I wouldn´t be here in this forum.

This is maybe the case, but in doubt, because when win xp is installed the video card works totally faultless. This crappy green color effect only appears on my screen before windows xp is installed and loaded and only while installing or loading winxp either from external cd rom or installation cd rom. It happens only from external devices in this case cd-rom which is in fact needed to install win xp.

No definitely not, AppDefend is not capable to memorize my task(Block Always), with every computer reboot it asks the same question(svchost trying access to udp) and even while I am surfing. (probably because it is in beta phase) But Antihooker 2.5 e.g. has similar problems, Antihook is even more vulnerable, it sometimes tells you to block Hooks but in reality the hook survives, especially if it is related to the csrss.exe.

Additionally concerning AppDefend: why is a betaphase product as expensive? Normally Betaphase products are for free, isn´t it strange? In a german forum they questioned me why am I using so much unstable beta stuff which isn´t proven yet.

I use no router, I use the MSI K8 Neo4 Platinum Board which has a hardware firewall based on software, but it is not good, in march 2005 I installed the apache firewall which immediately got a buffer overflow after the first boot and was open like a big hole. I never used this crappy firewall again and disabled it totally.

This seems to be the most plausibel reason.
But once I noticed that this screen was generated from the bios, look at this:
http://i2.tinypic.com/qnp57c.jpg

The foto is not that good, but on the left bottom you will see the bios date and signature, so it is probably a bios phenomenon which comes from the msi neo4 board. The extraordinary is that this greenpurple plate was there since I bought this computer. My first thought was, maybe a antivirus protection of my amd cpu, then I thought about a nvidia logo, but in reality this effect can only come from the board, bios or the vga card. Most plausible seems to be a crappy bios from the beginning. I reflashed the bios 4 times always updates, but the effect remained: A greenpurple plate which moves from the top of the screen down to the bottom then disappears and for some seconds nothing happens, then the windows installation goes on.

That´s it! It´s a yukon network card driver I have to install it after the installation has completed.

If someone knows or recognizes this green plate and know something about it please post your information in here.
I am extremely curious about to know if someone else in the world experienced this extraterrestrial green screen.

 

Now we are getting back on the topic
Yes, appdefend is in beta. However it's more or less what i call GUI-beta.
The backgroud is really stable but there are thing missing to be a complete product.

One of the bug i know that si fixed in the next comming beta is short filename.
Eg: if you have a program
C:/program files/blah.exe
C:/program~1/blah

It'l appear as two different program.

I'm curious to see a screenshot of your appdefend tab.
In that tab you'll see a list of all the application that have you have clicked allow alwais + those you have manually added to configure. I'm curious to see the section that have the svchost process.

If there is none i'll ask you if gss.exe have enougth permission to write it's config files

 

Something for your curiosity

http://i1.tinypic.com/scfhb7.png

 

Hmm this screenshot isn.t of great help isn't it

Ok i'll try to answear your question.

Hmm i've dig an interesting thread regarding appdefend + network access.
You should know that svchost will need some sort of access to make certain service (eg DNS) work.

https://www.wilderssecurity.com/showthread.php?t=107631

about your svchost...
You show me that one of them is set to alwais block.
What about the two others? are they configured the same ?
Appdefend consider the three svchost as complete diferent application as they do not have the same command line.

Anywais, you should not block svchost to have network access as it's needed for normal web browsing.

Ghost security have lifetime licence policy. When you pay the cost for appdefend you don't buy a betaproduct, you buy a lifetime licence for all future version also. This should explain the cost. It's like paying for all the future version, but in advance.

You cvan have 10 or 15% (don't remember) off if you register on the ghost security website.

Many of use use the product daily and it's anything but unstable.

 

Original post is COMPLETELY NORMAL activity. Auto allow this.

\system32\win32k.sys is the driver being installed, is always there. This is normal, it would happen if you created a new user.. or more precisely the first time you logged into that user. The user initialisation includes the creation of a new user and user space - a new SESSION, and lots of other interesting stuff.

Problems with a screen if you formatted ? it must be the hardware

 

Oh and the seemingly \windows\system32\systemroot\system32\ added to confuse victim, is added by a bug in the program IMHO

 

The Zone Alarm warning looks like it thinks gss.exe attacked by modifying that process memory space, it shows the full commandline of the process that was modified.

 

I can confirm this also - it is present on my (darn sure it's clean ) Win2K system. Interesting info on its purpose though.

 

Thanks Gavin, f3x and paranoid for the infos but what about this:

http://i1.tinypic.com/se0jnc.png

http://i1.tinypic.com/se0sw3.png

I tried opera because A2 IDS told me that firefox is probably modified with lanbypass spy, then Opera got a BO and look at the Stack: win32k.sys.

Looks scary.

 

Sorry for the many pictures, but I am digging deep into the system and there are lots of questions.

This procedure is necessary otherwise internet connection is not possible,
looks normal, isn´t it?

http://i1.tinypic.com/se16ad.png

Now PG 3.3 beta tries to block explorer from modifying opera but opera still doesn´t want to start: (I disallowed explorer to modify things)

http://i1.tinypic.com/se16rb.png

Now another prove for scary things on my system, there was a tool called switch sniffer on a computer cd, that should help analyzing the network, but there is a BO too in switchsniffer.exe and now look what happens if I list the directories with explorer.exe and cmd.exe:

http://i1.tinypic.com/se1s9j.png

 

Hello,

A simple question : have you scanned your computer for viruses ?
The best in your case is either to boot on a CD (BartPE) having an up to date AV, or to disconnect physically your HDD, to put it into an external USB HDD box, and to scan it with an up to date AV from another _clean_ computer.

I don't know if you are watching legitimate system activities or rogue stealth programs, but in any case a scan is always good.

Regards,
gkweb.

 

gkweb, naturally I always scan my computer with the best available scanner on the market: Nod32 and GData alias Kaspersky+BitDefender.
The idea with the usb hdd box ist good but a non compromised pc to find is harder, according to the announcements of microsoft in the press every fifth computer is infected with rootkits. Simple software rootkits like hxdef, fu and so on, are in my opinion not the danger, the danger comes from another side but actually I am not sure from which, as you see my screens above. (more hardware based or file infection via unknown or hidden partitions or flashed devices, who knows)

 

Hmm Gavin You are rigth...
Well partially. The file is normal... it's ok
The bad path is my fault not appdefend ones.


The first line is the path of the executable
C:/windows/system32/

The second line is the path + arguments
/systemroot/system32/smss.exe


What was confusing is that Systemroot was not transalted into C:/windows/

What can be a bug is that Jason told us the "rootkit" popup don't happen in normal situation ... while it look like this one is a legitimate case

 

f3x,
The way the smss.exe process is being reported is due to the way that it is started by Windows. If you look at it with Process Explorer you will see exactly the same thing in the "Command Line" and gss is just presenting the information without filtering it

In an alert dialog it is definitely confusing to report smss.exe with 2 different paths, especially since they resolve to the same place. It would probably be a good thing for this to receive a little special attention for the alert dialog to save confusion

 

Thank you for the information gottadoit.

It may be possible that smss start very soon in windows boot process and we don't really have partition mapped or something like that ... this would explain systemroot.

After thinking twice... i beleive the best way to handle the situation is to include the exe filename in the path.

C:/windows/system32/smss.exe
/systemroot/system32/smss.exe

This would have prevented me from missinterpreting the path as a single splited with a \n newline.

 

Why not allow explorer.exe to modify ? could be the root of all your problems. If you're that unsure about the system's state, format and be sure. Then you won't be likely to worry ?

http://www.osronline.com/DDKx/graphics/gdifncs_776v.htm

EngDeleteSurface is part of a graphics operation. If you do not allow the SHELL (explorer) modify access, it could be intefering with a drawing operation in Opera.

 

@Gavin: I am tired always reformatting in the end it will always be the same situation. Yep, the surface of Opera was deleted, but in filemon a BuffOvflw. was shown simultaneously with the deletesurface.

Beside actually Opera works finally, don´t know why. The a squared messages are nothing dangerous, the biggest problem of those anti protection tools is that it is sometimes very difficult to distinguish whether the message is true or not, in many cases the danger is not that high as showed, I experienced.

But something I really wonder, why in most threads one find the win32k.sys, is the process so important? Naturally Opera process was non-existent because the surface has been deleted.

PS: Someone should tell the appdefend inventor that it occurs a blue screen when trying to use IceSword and AppDefend, in my case I also use ZoneAlarm. Everytime I try starting IceSword the Computer makes a BSOD.