  1. #1
    Senior Member
    Join Date
    Jun 2000
    Location
    Hartford, CT, USA
    Posts
    163

    How to capture rogue codes

    This looks like digression from our Forum but pardon me as this is where I consider 'my forum':

    Last week, one of my machines started running slower for every small task.
    The CPU is 1.8mHz with 512 MB RAM, and it has enough hard disk space ...
    Two symptoms: a slower machine and disabled Norton AV auto-protect...
    It looks like someone has tried to hack the system and may have installed some kind of rogue code to run in the background.

    Any help...? One of my non-Silk-user friends suggested that I try capturing the thread and then investigate... Any idea how it could be done using Silk?


    ------------------
    Jaimini Bhatt
    jaiminita@hotmail.com
    jaiminita@yahoo.com

    [This message has been edited by jaiminita (edited 03-19-2003).]

  2. #2
    Senior Member
    Join Date
    Jul 1999
    Location
    Bellingham, WA USA
    Posts
    1,323

    Re: How to capture rogue codes

    What operating system? What processes are running? Can you positively identify all of them? Are any NT services running? What are they?

    Check out Gibson Research. You will need to do a search for that, but he has a web site. I recall several years ago getting a utility from him to identify malicious programs running like this in the background.

    ------------------

  3. #3
    Senior Member
    Join Date
    Jan 2001
    Posts
    750

    Re: How to capture rogue codes

    I have MSSQL 2k running at home and this week it took all my resources. It was the Slammer worm. Check your network traffic too.
    IIS and MSSQL 2k might give you trouble.
    Also, sometimes Windows File Explorer takes a lot of resources (100%). I usually just kill it, and everything goes back to normal.

    Use task manager to investigate the problem.
    I use winxp pro.

    ------------------

  4. #4
    Senior Member
    Join Date
    Dec 2001
    Location
    Bozeman, MT, USA
    Posts
    265

    Re: How to capture rogue codes

    If you have a strong suspicion you were hacked, you are better off formatting and rebuilding the machine. When you rebuild, be sure to run hfnetchk to get all the security patches you will be missing.

    ------------------
    Ryan McCullough
    Accelrys Inc.
    ryan@accelrys.com
    Ryan McCullough
    RightNow Tech. Inc.

  5. #5
    Senior Member
    Join Date
    Jun 2000
    Location
    Hartford, CT, USA
    Posts
    163

    Re: How to capture rogue codes

    1. Operating System is Win2000

    I ran Norton AV once and it showed me 8-10 programs that were suspicious... I quarantined them in a hurry as I was running late for a presentation.

    Subsequently this is what is happening:
    1. Norton Anti-Virus auto-protect is not enabling
    2. I am not allowed to kill most of the processes
    3. Any service I try to stop or disable... it simply takes a very long time; at the end, Windows tells me that the request timed out.
    4. Any attempt to download any program downloads just the stub and declares a complete download... which is not true... only 400-500 kb files show up...
    5. Slows all processes...

    This machine has a large collection of different utilities, freeware, etc. Plus, a library of my own work is maintained on it.

    Some time back I had a friend's copy of 'Windows Registry 2000 - BlackBox' which had a reference to how to identify code that could be controlling the vital functions of my machine. In this case it seems to be controlling services.exe. As I write this, the following programs/processes are shown running on my machine.
    atievxx.exe
    cidaemon.exe (2 processes)
    cisvc.exe
    csrss.exe
    dllhost.exe
    dmadmin.exe
    explorer.exe
    loadqm.exe
    lsass.exe
    mpservic.exe (no spelling mistake here)
    mqsvc.exe
    msdtc.exe
    mstask.exe
    navapsvc.exe
    ntvdm.exe
    wowexec.exe
    nvsvc32.exe
    pctspk.exe
    sbserv.exe
    services.exe
    services.exe
    smss.exe
    snmp.exe
    snmptrap.exe
    spoolsv.exe
    svchost.exe
    system
    system idle process
    taskmgr.exe
    tcpsvcs.exe
    wanmpsvc.exe
    waol.exe
    winlogon.exe
    winmgmt.exe



    ------------------
    Jaimini Bhatt
    jaiminita@hotmail.com
    jaiminita@yahoo.com

  6. #6
    Senior Member
    Join Date
    Oct 2001
    Location
    NC, United States
    Posts
    148

    Re: How to capture rogue codes

    There is a worm floating around which does these things (the symptoms look so). Norton released a patch in Jan which takes care of this. You may want to take a shot at that.

    ------------------
    -gram

  7. #7
    Senior Member
    Join Date
    Jun 2000
    Location
    Hartford, CT, USA
    Posts
    163

    Re: How to capture rogue codes

    This is the latest:
    1. It hangs services.exe
    I downloaded a patch from Microsoft as this is one of their bugs
    2. defragged the drives
    3. Installed RegVac--- cleaned up the registry
    4. UnInstalled some drivers that were memory hoggers
    5. Installed a freeware SpyBot

    The machine is running fine, but it is still not enabling Norton... Tonight I will work on making Norton work... Any further tips?



    ------------------
    Jaimini Bhatt
    jaiminita@hotmail.com
    jaiminita@yahoo.com

  8. #8
    Senior Member
    Join Date
    Jul 2000
    Posts
    117

    Re: How to capture rogue codes

    Been here ... done this ... <grin>

    The problem is that one of the blasted viruses (would that be virie?) installs a little gadget that prevents you from running or even installing NAV (it looks at the executables and blocks 'em)!

    Try http://housecall.trendmicro.com -- this is a web-based virus scanner that downloads a Java applet to your box to do the job. It will find (I predict) several copies of the offending virus -- and let you delete them. Once deleted, you should be able to re-enable (or re-install) NAV.

    Good Luck!

    DISCLAIMER: I don't work for Trend Micro, nor do I have any financial interest in same. Just used the product to get myself out of a similar dilemma.

    ------------------

  9. #9
    Senior Member
    Join Date
    Jun 2000
    Location
    Hartford, CT, USA
    Posts
    163

    Re: How to capture rogue codes

    Thanks Brent.... it seems my services, which I had tried to stop are still showing in process of 'Stopping'... (sic!)

    I am determined now to solve this without erasing the h/d....

    Trend Micro it will be... this time ( still smiling nervously ~

    ------------------
    Jaimini Bhatt
    jaiminita@hotmail.com
    jaiminita@yahoo.com

  10. #10
    Senior Member
    Join Date
    Jun 2000
    Location
    Hartford, CT, USA
    Posts
    163

    Re: How to capture rogue codes

    Gurria, I am documenting my struggle with this issue nowadays... Surely I will put it up in this forum...

    Meanwhile,
    No luck with Trend Micro and Norton websites... They found no viruses... But
    1. Norton Auto-protect gets disabled
    2. Services refuse to change their state

    Upon studying the registry I find no entry for:
    HKEY_LOCAL_MACHINE/Softwares/Microsoft/Windows/Current_Version/RunServices

    In other machine's registry (it has '98 though) this entry is there...
    Could it be connected?

    Any more catalysts for serendipity?

    -Jaimini


    --- Gurria <mgz001@hotmail.com> wrote:
    > Jaimini,
    >
    > Hello! I have the same problem that you have!! Did
    > you find an answer to it?
    >
    > My Norton keeps turning off...and things are rather
    > slow. I feel as if I am being watched...
    >
    > I would appreciate any help.
    >
    > Thank you, have a good night,
    >
    > Martin Gurria
    >
    > PSLL NMaim.exe
    > atievxx.exe


    ------------------
    Jaimini Bhatt
    jaiminita@hotmail.com
    jaiminita@yahoo.com

 

 
