Still a hidden file in Task Manager (ME)

Discussion in 'Trojan Defence Suite' started by frugalphone, Sep 3, 2003.

Thread Status:
Not open for further replies.
  1. frugalphone

    frugalphone Registered Member

    Joined:
    Sep 3, 2003
    Posts:
    4
    All tools loaded yesterday (TDS-3, Port Explorer, Worm Guard), full system scan run (I think), yet a "hidden" task still starts and runs, even when not connected to web.

    Checked TDS-3 processes, shows Norton Systemworks/antivirus/firewall processes, but these same processes do not show in Task Manager (ccEvtMgr and ccPxySvc don't show, but ccApp does show).

    NSW + virus + firewall 2003 loaded since last fall, stopped 2 buffer overrun attacks 2 and 4 days ago, so it's doing something.

    In Task Manager (Windows ME) sometimes a blank line shows at the bottom of the list of tasks, sometimes not.
    Yesterday, after installing each application (rebooting after each install) TDS-3 hung. I had Windows Explorer up, ADSL cable unplugged during whole install process and still unplugged, and Windows Explorer hung too. TDS-3 process showed as still running in Task Manager, but the icon disappeared, and couldn't get black console to show on display. :doubt:

    Rebooted, TDS-3 hanging hasn't hung again, yet.
    TDS-3 configured to run at startup with everything scanned except CRC32 System Files Test. Full system scan found 2 files: LeakTest Demo (file ok), and one file named as .com.pif (don't remember file name) but has been archived to D:\ drive already.

    If TDS-3 isn't catching this right now, what can I use?
    What can I look for?
    Just found beginners TDS-3 configuration, haven't done it yet, so my question may be premature?

    Norton might be compromised - Ccap didn't used to run, and started running yesterday. This is a standalone machine, I have 4 port router for ADSL connect, but to me.

    More TDS-3 Process details, Symantec says these should show on Task Manager with ccApp:

    ccEvtMgr.exe : Name: Event Manager Service,
    Window: Win95 RPC Wmsg Window
    ccPxySvc.exe : Name: Norton Internet Security Proxy Service,
    Window: Win95 RPC Wmsg Window
    DDHelp.exe : Name: Microsoft DirectX Helper,
    Window: DDHelpWndClass

    Other Norton files show on TDS-3 process but not Task Manager, is this normal? (I don't know anything, have just been poking around and observing.)

    Where do I start? :p
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hello Frugalphone,
    I assume you are a licensed TDS3 user; first make sure you have the latest radius file, then install execution protection.
    In scan control select everything except for "scan for clients/edit servers" & the two NTFS entries - In generic detection enable both tick boxes and move the sensitivity slider to the right.
    Do a full system scan.
    If you have already done this then start up PE and make sure you have no connections that you have not instigated.
    I have tried the TDS3 process list and it does show task manager as a service when it is running but this is an XP pc and ME may be different.

    BTW have you scanned for spyware using either AdAware or Spybot Search & destroy?
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi frugalphone, welcome to the DCS family!
    What do you notice exactly from the possible hidden process?
    Does it start immediately after reboot or after being connected to the web?
    Are there any unknown keys when you look in TDS > System analysis > autostart explorer?
    And if you look with Start > run > msconfig > autostart tab, are there any unknown or anonymous items?

    Could there be spyware involved? Did you try with spybotS&D for instance or Ad-aware?


    The *.com.pif is a double extension only, if you know the file there is no problem, that leaktest thing is also just a demo, nothing serious.

    I hope with installing your programs you had all other applications closed, especially anti-virus protection and the kind, and the norton parts when installing something else: you might need to uncheck them temporary in the msconfig, reboot, do your installs, if necessary reboot, re-enable your antivirus and norton parts and reboot again and see if everything runs fine as it should.

    I use the CRC32 scan all time, and as you can see in the sticky thread about that you can add your own files to be checked and change paths to where files are on your system, etc.


    Does WormGuard alarm on anything when you try to open any file? Did you for WG install the security and did you press the test button?

    Which processes in Port Explorer show as hidden or could be suspicious? Did you try to spy on their data packets?

    *Edited: we did it again! Pilli and I are such a team, huh? See the posting after I sent my posting away. Fortunately we did not tell all the same story (would be so boring) and no contradictions (of course not!), even the same spyware advice! wow!
    Waiting for your further scan results.
    Oh and Pilli said we think you're a licensed user with the updates etc, if so, also install the exec protection.*
     
  4. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    .com.pif :(
    I don't like the combination of those extensions. Do you have any 16 bit DOS programs running on your system?
    Dolf
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Dolf, wouldn't WormGuard usually alarm if a dual extension tries to run?

    Frugal phone, I forgot the link to the latest Radius.tds file: http://tds.diamondcs.com.au/radius.td3 Just drop it into your main TDS directory.
    Spybot can be found here: http://security.kolla.de/news.php?lang=en
    & AdAware here: www.lavasoft.de

    Jooske, I just saw your edit :D
     
  6. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    IF protection has been enabled.... yes
     
  7. frugalphone

    frugalphone Registered Member

    Joined:
    Sep 3, 2003
    Posts:
    4
    A WORM?? Re:Still a hidden file in Task Manager (ME)

    Update: Is this a worm?
    Is this A Worm / virus?

    Tried to run Norton Liveupdate, checked options...none were set for LiveUpdate to run automatically, yet LiveUpdate (or something with its name) has been running. LiveUpdate starting very frequently now, on auto should be once a week...suspicious perhaps? Updates good from 8/27, so problem is recent

    Tried manual run, failed, internal errors in . Filling in Symantec error form, needed AntiVirus version, tried AntiVirus -> "Help", and WormGuard kicked it out! Here's interesting bits, attached is full SafeText

    FILE: c:\windows\help\nav.chm
    SIZE: 217945 bytes
    ---------------------FILE BEGINS <Extracted Strings>---------------------
    231: /#IDXHDR
    247: /#ITBITS
    270: /#STRINGS
    287: /#SYSTEM
    300: /#TOCIDX
    315: /#TOPICS
    330: /#URLSTR
    345: /#URLTBL
    360: /#WINDOWS
    376: /$FIftiMain
    395: /$OBJINST
    412: /$WWAssociativeLinks/
    436: /$WWAssociativeLinks/Property
    472: /$WWKeywordLinks/
    492: /$WWKeywordLinks/BTree
    522: /$WWKeywordLinks/Data
    550: /$WWKeywordLinks/Map
    576: /$WWKeywordLinks/Property
    607: /document.css
    628: /images/
    639: /images/about.gif
    663: /images/abtnohow.gif
    690: /images/abtopengif.gif
    718: /images/clouds.gif
    743: /images/clsdtwst.gif
    769: /images/dot.gif
    791: /images/hotspot.gif
    816: /images/how.gif
    838: /images/note_icon.gif
    865: /images/opentwst.gif
    891: /images/Symc_logo.gif
    919: /LU_PC.html
    937: /LU_PC10.html
    957: /LU_PC11.html
    977: /LU_PC2.html

    and then

    3737: /NAV_virus_found6.html
    3766: /NAV_virus_found7.html
    3795: /NAV_virus_found8.html
    3824: /NAV_virus_found9.html
    3851: i"/NAVW_AutoProtect_enable_proc.html
    3894: /NAVW_inoculation_alerts.html
    3930: /NAVW_liveupdate_about.html
    3962: y+/NAVW_LiveUpdate_Automatic_enable_proc.html
    4012: | /NAVW_Log_Viewer_Monitoring.html
    4053: /NAVW_ManualScan.html
    4079: P&/NAVW_manualscan_bloodhound_about.html
    4124: l$/NAVW_options_autoprotect_about.html
    4167: M-/NAVW_options_autoprotect_advanced_about.html
    4321: //NAVW_options_autoprotect_bloodhound_about.html
    4374: m//NAVW_Options_AutoProtect_Exclusions_items.html
    4430: /NAVW_options_email_about.html
    4466: "/NAVW_options_email_advanced_.html
    4508: /NAVW_options_iml_about.html
    4541: `$/NAVW_options_inoculation_about.html
    4585: #/NAVW_options_liveupdate_about.html
    4626: ^#/NAVW_options_manualscan_about.html
    4668: :(/NAVW_Options_ManualScan_Exclusions.html
    4715: 9&/NAVW_options_miscellaneous_about.html
    4760: V$/NAVW_options_scriptblock_about.html
    4805: /NAVW_password_reset.html
    4837: /NAVW_Quarantine_About.html
    4870: $/NAVW_Quarantine_Options_Change.html
    4912: > /NAVW_scan_repairwizard_use.html
    4953: /NAVW_Subscription_about.html
    4989: /NAVW_virus_list.html
    5017: /Support_CPD.html
    5041: /whatisthis.txt
    5061: ::DataSpace/NameList
    5082: <:):DataSpace/Storage/MSCompressed/Content
    5130: D,::DataSpace/Storage/MSCompressed/ControlDataj
    5179: )::DataSpace/Storage/MSCompressed/SpanInfob
    5224: /::DataSpace/Storage/MSCompressed/Transform/List<&_::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/
    5373: i::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable
    5491: /NAV_about4.html
    5514: /NAV_about5.html
    5537: /NAV_about6.html
    5560: /NAV_about7.html
    5583: /NAV_about8.html
    24290: 0PAV6cy
    25025: @GJkx6
    25586: JYx&\j
    25593: e2GxZ5
    25901: -9]G:%
    26179: `Sy$.:
    26237: ?F6Q{m
    27943: QzVG|8YA
    28023: u2yB$+*
    28725: O:_?.^
    28875: $:"75*.2b
    29017: hFS*0_u
    29057: ?81TU
    29326: 9,aKU*
    29718: {p%D~l
    31358: $z#]Z#
    31652: ?9=C9S
    31968: o$fekx'
    32313: BP"!Kf}
    32375: vqVmmYo0
    32428: Zu"nZ_
    32504: a,n4KW`
    32821: K0+2 j
    33498: (LV^v;
    33977: *{%HR`
    35653: "yck]!
    35720: l$Yqc{
    36008: SS~l=!8o
    36042: G.$r%9
    36576: I ~*ho
    36688: Q ]VSj[/
    37469: 'QX{%z
    37628: U~nAcMM`l
    38199: A%GP8
    38251: l#TV(Y_
    38270: %JI~bu4
    38735: sljQKfU;
    39412: w*G5Jo
    39634: _mu{^#
    40278: +TTeip
    42145: K$Okmnc+u
    42251: (o3W/8
    43491: \d8Ql
    43777: wg+BKwu
    44570: GS2u[A
    44650: 2>|i8(
    45245: o"d~_Rn
    45273: OZc/,(Pb
    45435: @CZh-[
    46181: j?C+j@<+
    46817: Ys~_Z`
    47510: !wgII\Otgs8
    48645: :=W(+,^
    49060: nNosP*7
    52001: !2<$nvp
    52278: ?_\5Ju
    52314: jG#3Ns
    52811: ,j4i\d{\yptf
    54286: R|Yvf=%`kQ
    54481: 3%2*bThQ
    54561: EpIkEL
    54770: \Cu?#2
    54863: G"$3$~
    55308: NF%g`RB
    57319: Z?#rP%
    *****************
    Wow, lots to do and learn, some quick answers, then off to the toolbench:

    Pilli, yes licensed, already got Updates and latest Radius, execution protection is on.
    - Full system scan done with tick boxes as you recommended, but not with the Current Scan List filled in; will re-do full system scan.
    - Blank line in task manager shows up even when not connected to web, then goes away again. Cannot seem to correlate it to any activity, so unsure what PE could tell me (maybe my system is trying to send something....hmmmm...hadn't thought of that....)
    - Haven't scanned for spyware or adware yet - thanks for links.

    Jooske, blank line takes a while to show up after boot. I've tried to "catch" it doing intermittent Task Managers during boot process, have seen <unknown> in task list, once saw two <unknown>s, but ME is pretty thin for system management it seems. Caught it once, killed the task, then couldn't even shut down the system - had to power off.
    - Ran --> autostart explorer, no unknown keys, although 3 keys are <empty> Run, RunOnce, and RunOnceEx
    - Neither Port Explorer nor WormGuard has hollered - I keep hoping they will. The buffer overrun was stopped by Norton, I didn't have DCS tools loaded yet (talk about incentive), aggressor IP address showed as mine, but the port kept changing, and timing between attacks seemed steady.
    - Did not turn off Norton utilities when installing, will re-do everything.
    - Will look for CRC32 link.

    Dollefie, Don't know how to check for 16-bit process (?). File was from Panda Antivirus (downloaded, don't recall ever running it)
    pqremove.com.pif
    "Performs text-based (command-line) functions, Created Mar 20, 2002, Modified Dec 19, 2001.
    I think I'll quarantine it anyway.

    Dumb question, but does it matter that file names are all caps? Most Norton files have mixed font file names that match their File Properties, but some are all caps, and the version numbers displayed don't match the File Properties values either. Seems one way a hacker could tell what's his or not.... ?

    Thanks for great directions -- this'll keep me busy for the next 10 minutes .... ;)
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Wormguard will frequently alert you when it does a pre-launch analysis of a file that is found to have the string "virus" in it (Yes, many viruses do include such strings in their code) so it is likely a false alarm. You can scan it using other means (TDS, on-line scanner, etc) just to be certain.

    You might also want to pinpoint the location of the LiveUpdate that is running but not apparently doing anything, stop the process and use the "String Extractor" utility from TDS (in the Utilities menu) to look for suspicious strings, and scan it with TDS as well.

    HTH

    Dan
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The *.com.pif could be for instance clrav.com.pif, the shortcut on the desktop for a cleansing tool, in this case for sircam if I remember well. So I am not worried at all for such a tool which I know and it will not run unless I press that shortcut to start the cleaner.
    Various of my shortcuts have such double extensions and I know which files they are connected to, so no worries there yet.
    I would look deeper if they show up in other places.
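The double-extension question runs through Dolf's and Pilli's posts (is .com.pif something to worry about, and would WormGuard alarm on it?) and Jooske's answer here (a .pif is a shortcut, harmless if you know the file it points at). The following is an added example, not code from DiamondCS or any tool in the thread, that applies the same reasoning as a filename triage heuristic: it splits the trailing extensions, lower-cases them (so the all-caps names frugalphone asked about are handled the same as mixed case), and separates the genuinely misleading pattern, a document extension hiding an executable one, from a shortcut-to-executable pair like pqremove.com.pif that just needs a second look. The extension tables are an assumption for illustration; they are not exhaustive. It also models what a user sees when "Hide extensions for known file types" is on, assuming every extension in the tables counts as known.

```python
# Extensions Windows will launch directly (illustrative table, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Extensions a user reads as a harmless document or picture.
DOCUMENT_EXTS = {".txt", ".doc", ".jpg", ".gif", ".pdf", ".htm", ".html", ".mp3"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def split_extensions(name: str) -> list:
    """Return the lower-cased trailing extensions of a path, innermost first.

    'D:\\quarantine\\PQREMOVE.COM.PIF' -> ['.com', '.pif']; 'Makefile' -> [].
    Accepts both Windows and POSIX separators so it runs anywhere.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def displayed_name(name: str) -> str:
    """Name as shown with 'Hide extensions for known file types' enabled.

    Only the outermost extension is hidden, so photo.jpg.exe is displayed as photo.jpg,
    which is exactly why the double-extension trick works on users.
    """
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    exts = split_extensions(base)
    if exts and exts[-1] in KNOWN_EXTS:
        return base[: -len(exts[-1])]
    return base


def classify(name: str) -> str:
    """Triage a filename by its extension pattern.

    no-extension / not-executable / executable: nothing special about the name itself.
    disguised-executable: a document extension in front of an executable one (photo.jpg.exe).
    double-executable: two launchable extensions (pqremove.com.pif) - usually a .pif shortcut
        to a DOS program, as Jooske says, but worth confirming which file it points at.
    """
    exts = split_extensions(name)
    if not exts:
        return "no-extension"
    outer = exts[-1]
    if outer not in EXECUTABLE_EXTS:
        return "not-executable"
    if len(exts) == 1:
        return "executable"
    inner = exts[-2]
    if inner in DOCUMENT_EXTS:
        return "disguised-executable"
    if inner in EXECUTABLE_EXTS:
        return "double-executable"
    return "executable"


if __name__ == "__main__":
    # Constructed sample listing; only pqremove.com.pif is a name from the thread.
    for f in ["PQREMOVE.COM.PIF", "photo.jpg.exe", "LeakTest.exe", "readme.txt", "archive.tar.gz", "Makefile"]:
        print(f"{f:20} shown as {displayed_name(f):16} -> {classify(f)}")
```

A name-based check like this is only a prompt to verify the file (what a .pif shortcut targets, what a scanner says about the executable); it says nothing about the file's contents, so a clean-looking name must not be treated as a clean file.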
     