Unusual Service Running

Discussion in 'other software & services' started by Airking, Jan 28, 2007.

Thread Status:
Not open for further replies.
  1. Airking

    Airking Registered Member

    Joined:
    Jun 22, 2005
    Posts:
    1,083
    Hi all

    Looking through Services (Local) found the following:

    XMALTMFOKBOECQEDY

    What is it?
     
  2. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
  3. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    Ice: better than admin. tools in control panel? (services)
     
  4. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    services.msc is the admin tool in the control panel ;)

    the other app might provide a bit more info (or, more accurately, all in one interface)
    (color coding is nice, no need to double click to get more info, includes drivers, displays the originating filename)

    but I wouldn't hope for too much if it's malicious
     
  5. Airking

    Airking Registered Member

    Joined:
    Jun 22, 2005
    Posts:
    1,083
    That's one of the reasons I was asking, because it has no dependencies listed and zero info.

    Tried running ServiWin and it didn't show anything more. - Thanks to Ice Czar for the tip.
     
    Last edited: Jan 29, 2007
  6. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    hmmm...

    http://www.nirsoft.net/utils/cprocess.html
    same folks, one of many process explorers, but again I think a superior interface in that the selected process immediately shows the associated DLLs
    and once you've found those you can do a search for them to hopefully uncover more info (like, if you're lucky, one might be in an application directory as opposed to system32)

    but I'm more suspicious than ever about that service
    random naming is one of many tricks malware plays these days
    to play hide and seek with detection or easy identification

    was reading through TNT's dangerous trojans thread from last summer
    https://www.wilderssecurity.com/showthread.php?t=136452 (Gromozon)
    and doing a little further research on the always changing strategies these guys employ (very clever stuff)
    HTML google cache \ PDF
    multiple exploits, custom response based on the detected browser, social engineering ploys, secondary payloads, encryption and obfuscation, rootkits and ADS, won't run in a virtual environment (a plus from some viewpoints, but keeps AV researchers from having a nice orderly zoo); a dropped randomly named service could easily fit the bill, if not specifically at least "in class" of infection

    personally at this point I'd likely image the drive for further investigation when I had a chance,
    then wipe it and restore to a known secure state from an image or clone to get back online with a high level of confidence; seems premature I'm sure, but when you've got these options available it's prudent to take advantage of them for even minor things

    if it is a sophisticated subversion you'd be hard pressed to fight it with a high level of confidence you got it all, though you might break it. I'd try to track the processes, disrupt it, scan the piss out of the system from outside if possible and do rootkit detection, but even a hint it's reasserting itself and I'd just wipe the whole thing from a time investment viewpoint.

    course it could be a harmless driver for some bit o freeware you forgot too :p
     
    Last edited: Jan 29, 2007
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,046
    Location:
    The Netherlands
    Question, did you run RootKitRevealer? This tool does install randomly named services. And besides, if you use a good HIPS it should have notified you about this? ;)
     
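    The two posts above make a pair of points worth turning into something runnable: a randomly named service with no description and no dependencies is a classic malware tell, but legitimate tools (RootKitRevealer is named in the thread) create services that look exactly the same. The script below is an added example by the editor, not code from anyone in this thread. It scores service names for "generated" rather than "chosen" lexical patterns, combines that with the metadata tells the thread mentions (empty description, display name identical to the service name, no dependencies), and only flags a service when both kinds of evidence line up. The service records are constructed inline and modelled on the fields Win32_Service exposes; on a live box you would build the same dictionaries from `Get-CimInstance Win32_Service` output (that cmdlet is real; the field names below are the ones it returns, except `Dependencies`, which is an assumed field you would fill from `Get-Service`). The thresholds are assumptions tuned for Latin-script names.

```python
import re
from typing import Dict, List

VOWELS = set("aeiouy")

# Constructed sample records, NOT a real capture. The first is the name from the
# thread; the rest are modelled loosely on ordinary Windows services and on the
# kind of temporary service a rootkit scanner drops.
SAMPLE_SERVICES: List[Dict] = [
    {"Name": "XMALTMFOKBOECQEDY", "DisplayName": "XMALTMFOKBOECQEDY", "Description": "",
     "PathName": r"C:\WINNT\system32\xmaltmfokboecqedy.exe", "Dependencies": []},
    {"Name": "Spooler", "DisplayName": "Print Spooler",
     "Description": "Loads files to memory for later printing.",
     "PathName": r"C:\WINNT\system32\spoolsv.exe", "Dependencies": ["RPCSS"]},
    {"Name": "RPCSS", "DisplayName": "Remote Procedure Call (RPC)",
     "Description": "Provides the endpoint mapper and other RPC services.",
     "PathName": r"C:\WINNT\system32\svchost.exe -k rpcss", "Dependencies": []},
    {"Name": "W32Time", "DisplayName": "Windows Time",
     "Description": "Sets the computer clock.",
     "PathName": r"C:\WINNT\system32\svchost.exe -k netsvcs", "Dependencies": []},
    # Constructed stand-in for a scanner's temporary service: looks just as bad.
    {"Name": "QTVKXPRLMNBS", "DisplayName": "QTVKXPRLMNBS", "Description": "",
     "PathName": r"C:\WINNT\system32\QTVKXPRLMNBS.sys", "Dependencies": []},
]


def longest_consonant_run(name: str) -> int:
    """Longest run of consecutive consonant letters; non-letters break the run."""
    best = run = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def name_randomness_reasons(name: str) -> List[str]:
    """Cheap lexical tells that a name was generated rather than chosen.
    Acronyms such as RPCSS trip the consonant-run test, so this alone is
    never a verdict; triage_services() requires metadata tells as well."""
    reasons: List[str] = []
    letters = [c for c in name.lower() if c.isalpha()]
    if not letters:
        return reasons
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    if len(letters) >= 8 and vowel_ratio < 0.25:
        reasons.append(f"low vowel ratio {vowel_ratio:.2f}")
    run = longest_consonant_run(name)
    if run >= 4:
        reasons.append(f"consonant run of {run}")
    if re.search(r"q(?!u)", name.lower()):
        reasons.append("'q' not followed by 'u'")
    if len(name) >= 12 and name.isupper() and name.isalpha():
        reasons.append("long all-caps letter-only name")
    return reasons


def metadata_reasons(svc: Dict) -> List[str]:
    """Tells from the service record itself (the 'zero info' the thread describes)."""
    reasons: List[str] = []
    if not svc.get("Description"):
        reasons.append("no description")
    if svc.get("DisplayName", "") == svc["Name"]:
        reasons.append("display name equals service name")
    if not svc.get("Dependencies"):
        reasons.append("no dependencies")
    return reasons


def triage_services(records: List[Dict]) -> Dict[str, List[str]]:
    """Return {service name: reasons} for services that look both randomly
    named AND carry at least two metadata tells. A hit is a triage lead, not
    a conviction: a scanner's temporary service scores the same, so check the
    binary at PathName (on-disk existence, signature, hash) before acting."""
    flagged: Dict[str, List[str]] = {}
    for svc in records:
        lexical = name_randomness_reasons(svc["Name"])
        meta = metadata_reasons(svc)
        if lexical and len(meta) >= 2:
            flagged[svc["Name"]] = lexical + meta + [f"binary: {svc.get('PathName', '?')}"]
    return flagged


if __name__ == "__main__":
    for name, why in triage_services(SAMPLE_SERVICES).items():
        print(name)
        for r in why:
            print("   -", r)
```

    Run against the constructed list, XMALTMFOKBOECQEDY and the scanner-style stand-in are flagged; Spooler, W32Time and RPCSS are not, even though RPCSS has a five-consonant name, because it carries a description and a human-readable display name. That is the point of requiring both kinds of evidence: the lexical test is noisy on acronyms and the metadata test is noisy on the many legitimate services with no dependencies.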
  8. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    One by one (utility), we're changing OS without leaving Windows!
     
  9. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    on the one hand I have the goal of virtualizing my W2K install into a Linux World
    on the other I have the objective of hacking it past all recognition as a Windows install :p
    (pretty much just GUI hacks)

    my new bootscreen to be hacked into the ntoskrnl.exe

    http://i7.tinypic.com/4fxx2iw.jpg
     
    Last edited by a moderator: Jan 30, 2007
  10. Pedro

    Pedro Registered Member

    Joined:
    Nov 2, 2006
    Posts:
    3,502
    :D :thumb: I'll get there some day, ntoskrnl.exe and his cousins.
     
  11. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    Yeah, I also wanted to say/suggest that; in fact IIRC RootKitRevealer uses a randomly-named process (common process), and a randomly-named service. Although I am not so sure if these RootKitRevealer's services remain visible after the processing is done.


    stalker
     
  12. Airking

    Airking Registered Member

    Joined:
    Jun 22, 2005
    Posts:
    1,083
    Well, interestingly, I attempted to boot the machine up and a blue screen message shows inaccessible device etc. Booted up with last known good configuration. Then wireless doesn't work; reinstalled driver, still no wireless. System log shows renaming? of network adapter, to what looks like hexadecimal. Rebooted and it says Winnt system32 corrupt...you know the story.

    Looks like a new computer.

    Thanks for every one's help.
     
  13. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    hmmmm....

    we have heard this "upgrade" justification before :p
    but we promise not to tell the wif ;)
     
  14. Airking

    Airking Registered Member

    Joined:
    Jun 22, 2005
    Posts:
    1,083
    True ;-) What do you think of the Intel Core 2 Duo E6700 2.67GHz?
     
  15. Ice_Czar

    Ice_Czar Registered Member

    Joined:
    May 21, 2002
    Posts:
    696
    Location:
    Boulder Colorado
    a better value than the cloverleafs for the kind of stuff I do (CG)
    however I'm an AMD guy more often than not, major purchases being in the Tbird era and the Opteron era when they were knocking Intel into the dirt (but I swing both ways :p)

    Also a big believer in buying well back from the bleeding edge. ;)
     
  16. Airking

    Airking Registered Member

    Joined:
    Jun 22, 2005
    Posts:
    1,083
    Right on :cool:
     