hidden files

Discussion in 'Computer Security' started by Jim Watt, Apr 17, 2006.

  1. Jim Watt

    Jim Watt Guest

    I have a machine running server/2000 which had/has some sort of
    malware on it. Running the usual programs does not remove it
    however inspecting the processes running with the excellent tool
    from Sysinternals shows a process called

    ntserv.exe

    Which is started by a registry key and hides in a directory
    under the system of

    controlp.{21EC2020-3AEA-1069-A2DD-08002B30309D}

    The program seems to want to set up a connection to an
    external IP on port 6667.

    Killing the process and removing the key disables it, however
    it raises the issue of the way it hides from the anti-malware
    software and me.

    It's not a recent thing, as it's been on the system for around six
    months and was only really a problem when it was re-booted,
    which is infrequent. However, time to get to the bottom of it ...

    In view of their excellent software being free, I bought the
    book.

    BUT WAIT ... there's more

    Immediately after receiving a confirmation email from
    Amazon, I got a phishing email claiming to be them.
    Is this magic or coincidence?

    It's a wicked world out there.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Apr 17, 2006
    #1
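    A defender-side check for the two indicators Jim describes: a directory whose name carries a CLSID suffix ({21EC2020-3AEA-1069-A2DD-08002B30309D} is the Control Panel CLSID, and Explorer treats a folder named `something.{CLSID}` as that shell object rather than listing its contents), and a process with an outbound connection to TCP 6667, the conventional IRC port. This is an added example, not code from the thread; the directory tree, the netstat-style lines and the PID-to-image map are constructed sample data.

```python
"""Two checks for the indicators in the thread: a '.{CLSID}'-suffixed directory
(browsing it in Explorer opens the shell object, not the folder) and a process
connected to an IRC port. All sample data is constructed for this example."""
import os
import re
import shutil
import tempfile

# Braced GUID, 8-4-4-4-12 hex digits, e.g. {21EC2020-3AEA-1069-A2DD-08002B30309D}.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
IRC_PORTS = set(range(6660, 6670))  # 6667 plus the neighbouring IRC ports


def find_clsid_dirs(root):
    """Walk the tree with os.walk (no shell namespace involved) and return
    every directory whose name ends in a CLSID suffix."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if CLSID_SUFFIX.search(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def parse_netstat(lines):
    """Parse 'netstat -ano'-style TCP rows (Proto, Local, Foreign, State, PID).
    Header rows and UDP rows (which have no State column) are skipped."""
    conns = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0].upper() != "TCP":
            continue
        _proto, local, foreign, state, pid = parts
        host, _, port = foreign.rpartition(":")  # also handles [ipv6]:port
        if not port.isdigit() or not pid.isdigit():
            continue
        conns.append({"local": local, "host": host, "port": int(port),
                      "state": state, "pid": int(pid)})
    return conns


def irc_connections(conns, pid_to_image):
    """Return (image, remote host, port, state) for connections to IRC ports."""
    return [(pid_to_image.get(c["pid"], "<unknown>"), c["host"], c["port"],
             c["state"]) for c in conns if c["port"] in IRC_PORTS]


def build_sample_tree():
    """Constructed sample: a temp 'system32' with a normal folder and one named
    like the thread's controlp.{...}. Returns (root, path of the suspect dir)."""
    root = tempfile.mkdtemp(prefix="clsid_demo_")
    os.makedirs(os.path.join(root, "system32", "drivers"))
    suspect = os.path.join(
        root, "system32", "controlp.{21EC2020-3AEA-1069-A2DD-08002B30309D}")
    os.makedirs(suspect)
    return root, suspect


# Constructed 'netstat -ano' output; the addresses are documentation ranges.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:1057        198.51.100.23:443      ESTABLISHED     912
  TCP    192.0.2.10:1062        203.0.113.45:6667      SYN_SENT        1388
  UDP    192.0.2.10:137         *:*                                    4
""".strip().splitlines()

# Constructed PID -> image name map, as tasklist or Process Explorer would show.
SAMPLE_PIDS = {4: "System", 912: "iexplore.exe", 1388: "ntserv.exe"}


if __name__ == "__main__":
    root, _ = build_sample_tree()
    try:
        for path in find_clsid_dirs(root):
            print("CLSID-suffixed directory:", path)
    finally:
        shutil.rmtree(root)
    for image, host, port, state in irc_connections(
            parse_netstat(SAMPLE_NETSTAT), SAMPLE_PIDS):
        print(f"IRC-port connection: {image} -> {host}:{port} ({state})")
```

    On a live Windows box the same walk would run over the real system directory from a command prompt, which, unlike Explorer, lists the folder normally.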

  2. From: "Jim Watt" <_way>

    | I have a machine running server/2000 which had/has some sort of
    | malware on it. Running the usual programs does not remove it
    | however inspecting the processes running with the excellent tool
    | from Sysinternals shows a process called
    |
    | ntserv.exe
    |
    | Which is started by a registry key and hides in a directory
    | under the system of
    |
    | controlp.{21EC2020-3AEA-1069-A2DD-08002B30309D}
    |
    | The program seems to want to set up a connection to an
    | external IP on port 6667.
    |
    | Killing the process and removing the key disables it, however
    | it raises the issue of the way it hides from the anti-malware
    | software and me.
    |
    | It's not a recent thing, as it's been on the system for around six
    | months and was only really a problem when it was re-booted,
    | which is infrequent. However, time to get to the bottom of it ...
    |
    | In view of their excellent software being free, I bought the
    | book.
    |
    | BUT WAIT ... there's more
    |
    | Immediately after receiving a confirmation email from
    | Amazon, I got a phishing email claiming to be them.
    | Is this magic or coincidence?
    |
    | It's a wicked world out there.

    Sounds like a W32/IRCBot. A multi-library search for "ntserv.exe" found nothing, but any
    infector can be called anything.


    Please submit a sample of "ntserv.exe" to Virus Total --
    http://www.virustotal.com/flash/index_en.html
    The submission will then be tested against many different AV vendor's scanners.
    That will give you an idea what it is and who recognizes it. In addition, unless told
    otherwise, Virus Total will provide the sample to all participating vendors.

    You can also submit a suspect, one at a time, via the following email URL...
    mailto:?subject=SCAN

    When you get the report, please post back the exact results.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Apr 17, 2006
    #2

  3. Jim Watt

    donnie Guest

    On Mon, 17 Apr 2006 16:09:15 +0200, Jim Watt <_way>
    wrote:

    >BUT WAIT ... there's more
    >
    >Immediately after receiving a confirmation email from
    >Amazon, I got a phishing email claiming to be them.
    >Is this magic or coincidence?
    >
    >It's a wicked world out there.
    >--

    #########################################
    That's funny and no, it's probably not a coincidence.
    donnie, Apr 17, 2006
    #3
  4. Jim Watt

    Jim Watt Guest

    On Mon, 17 Apr 2006 22:44:35 GMT, "David H. Lipman"
    <DLipman~nospam~@Verizon.Net> wrote:

    >Please submit a sample of "ntserv.exe" to Virus Total --


    Indeed there's the problem - I can't access the directory
    although I know it's there.

    It no longer runs because the registry key has been
    deleted, (after making a copy)
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Apr 18, 2006
    #4
  5. Jim Watt

    Jim Watt Guest

    On Mon, 17 Apr 2006 22:50:48 GMT, donnie <> wrote:

    >On Mon, 17 Apr 2006 16:09:15 +0200, Jim Watt <_way>
    >wrote:
    >
    >>BUT WAIT ... there's more
    >>
    >>Immediately after receiving a confirmation email from
    >>Amazon, I got a phishing email claiming to be them.
    >>Is this magic or coincidence?
    >>
    >>It's a wicked world out there.
    >>--

    >#########################################
    >That's funny and no, it's probably not a coincidence.


    That's what I think.

    There are three possibilities

    1. sheer co-incidence
    2. I have a problem
    3. They have a problem

    If one rules out 1 on the basis that it's the first Amazon phishing
    attempt I've seen, it raises the question of how an external
    process has knowledge that I have just placed an order.

    The response from them was prompt but the usual blurb one
    gets on reporting these things.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Apr 18, 2006
    #5
  6. Jim Watt wrote:

    > There are three possibilities
    >
    > 1. sheer co-incidence
    > 2. I have a problem
    > 3. They have a problem
    >
    > If one rules out 1 on the basis that it's the first Amazon phishing attempt
    > I've seen, it raises the question of how an external process has knowledge
    > that I have just placed an order.


    You're assuming too much I think.

    First, you can't discard the possibility of this being a coincidence. I've
    never seen an Amazon phishing attempt until recently myself, but received
    three this last week and a half or so. These things always seem to come in
    "waves".

    Second, it might be that you were discussing making a purchase or even the
    subject the purchase pertained to in a public place, and the phisher just
    took a wild stab in the dark. I've received phishing attempts that were
    forging as specialized, regional banks for instance, because my real email
    address has indications of my physical location.

    Third, it makes absolutely no sense at all that a phisher who had this
    sort of control over Amazon's shopping cart services would do this. The
    whole idea is to get usable credit card info, and they already have
    everything they need a LOT easier than trying to con you out of it. I
    could see checking the numbers on the card for a bank type and phishing
    THAT account, but phishing your Amazon info would out them big time and
    ruin everything they already have for little or no gain, and a huge risk.

    Nope, makes no sense. These crooks are crooked, not that stupid. ;)

    >
    > The response from them was prompt but the usual blurb one gets on
    > reporting these things.


    They probably get so many of them that's all they can do. :(
    George Orwell, Apr 18, 2006
    #6
  7. Jim Watt

    donnie Guest


    >
    >First, you can't discard the possibility of this being a coincidence.

    ################
    I don't think he has discarded it completely, although I have by 99%.
    ################

    >Third, it makes absolutely no sense at all that a phisher who had this
    >sort of control over Amazon's shopping cart services would do this. The
    >whole idea is to get usable credit card info, and they already have
    >everything they need a LOT easier than trying to con you out of it.

    ####################################
    True, but maybe they don't have control over the shopping cart
    services. Maybe it's just captured packets from a router. Isn't a man
    in the middle attack between 2 routers? That's the way I understand
    it.
    donnie, Apr 19, 2006
    #7
  8. donnie wrote:

    >>First, you can't discard the possibility of this being a coincidence.

    > ################
    > I don't think he has discarded it completely, although I have by 99%.


    I'd say the evidence points to the contrary conclusion, and you're
    "glamorizing" the problem because it's sexier than seeing it as a mere
    anomaly.

    There's really nothing wrong with that, it's human nature to want to be
    intrigued by a mystery. ;-) No offense intended.

    >>Third, it makes absolutely no sense at all that a phisher who had this
    >>sort of control over Amazon's shopping cart services would do this. The
    >>whole idea is to get usable credit card info, and they already have
    >>everything they need a LOT easier than trying to con you out of it.

    > ####################################
    > True, but maybe they don't have control over the shopping cart services.
    > Maybe it's just captured packets from a router. Isn't a man in the middle
    > attack between 2 routers? That's the way I understand it.


    A MITM attack means exactly that. It doesn't have anything to do with any
    type of equipment, and can be launched even from an "end" computer. IOW,
    the "middle" really means an attack against a connection or protocol
    anywhere between the starting point and ending point between which some
    data travels. It's not unusual for routers to be the attack vector, but
    there's scores of other possibilities.

    The biggest thing that suggests MITM isn't the case is the Amazon
    shopping cart connection being end to end SSL encrypted. There are no
    known attacks against (current version) SSL that don't include the user
    accepting invalid or unsigned certificates. So if this were the case it
    would be even easier to spot than a compromised machine. One or two people
    out of some large number might have their browsers set to automatically
    accept untrusted certs without warning, but the raw numbers of people
    shopping at Amazon would raise red flags all over the place in a VERY
    short period of time.

    Also, if someone had launched a successful MITM attack they'd again
    already have all the information they needed, and accomplish nothing at
    all but outing themselves by trying to phish for it.

    The odds are about a billion to one against any sort of en route attack
    IMO. It's either coincidental, or one of the two machines is owned. With
    those choices the one that's the most "rational" would be coincidence, odd
    as it seems.

    Second best bet would be the user's machine being compromised, but again,
    why would an attacker waste time phishing for information they already
    have? It just makes no sense at all.

    The only other possibility that makes any sense at all has nothing to do
    with computers..... some sort of "mole" somewhere at Amazon. A lesser
    customer service weenie type who has access to lists of email addresses
    but not much else. Entirely plausible, but even here phishing attempts
    made soon after customer activity raises bright red flags. A crook that
    attacked current customers in sync with their activities would be
    absolutely begging to be caught.

    Typically these sorts of things are done in "batches" and those email
    lists are collected and sold to "anonymous" parties who hit them all at
    once. It almost has to be this way because the accounts and machines
    phishers use are extremely transient. One or two emails at a time would be
    fruitless because there would be so few responses before the phishing site
    was taken down.

    No, even with the "mole" theory the time line of the OP's incident makes
    me gravitate toward coincidence. And it's almost a sure bet it has nothing
    at all to do with any compromised equipment or "hackers" poking into
    routers or anything as exciting as that. <grin>
    Borked Pseudo Mailed, Apr 19, 2006
    #8
  9. Jim Watt

    Guest

    I'd say that it looks like a rootkit variant....
    , Apr 19, 2006
    #9
  10. Jim Watt

    Jim Watt Guest

    On 19 Apr 2006 11:49:54 -0700, wrote:

    >I'd say that it looks like a rootkit variant....


    I ran rootkit revealer and it didn't
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Apr 19, 2006
    #10
  11. David H. Lipman, Apr 19, 2006
    #11
  12. Jim Watt

    donnie Guest

    On Wed, 19 Apr 2006 01:00:04 -0600 (MDT), Borked Pseudo Mailed
    <> wrote:

    >I'd say the evidence points to the contrary conclusion, and you're
    >"glamorizing" the problem because it's sexier than seeing it as a mere
    >anomaly.
    >
    >There's really nothing wrong with that, it's human nature to want to be
    >intrigued by a mystery. ;-) No offense intended.

    ########################################
    You must be joking. Glamorizing, sexier, intrigued by mystery, all
    because I didn't think it was a coincidence???????? How did you come
    to that conclusion? Are you a psychologist as well as a computer guy?
    Stick to computers, you're much better at it.
    donnie, Apr 21, 2006
    #12
  13. Jim Watt

    Jim Watt Guest

    On Thu, 20 Apr 2006 23:12:06 GMT, donnie <> wrote:

    >You must be joking.


    Methinks he is pulling your plonker. Anyhow no further emails -
    perhaps I should order another book as a test ...
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Apr 21, 2006
    #13
  14. donnie wrote:

    > On Wed, 19 Apr 2006 01:00:04 -0600 (MDT), Borked Pseudo Mailed
    > <> wrote:
    >
    >>I'd say the evidence points to the contrary conclusion, and you're
    >>"glamorizing" the problem because it's sexier than seeing it as a mere
    >>anomaly.
    >>
    >>There's really nothing wrong with that, it's human nature to want to be
    >>intrigued by a mystery. ;-) No offense intended.

    > ######################################## You must be joking. Glamorizing,
    > sexier, intrigued by mystery, all because I didn't think it was a
    > coincidence????????


    No, all because you still believe it's not a coincidence in spite of
    every bit of common sense and the evidence pointing to the contrary. The
    discussion of which you felt compelled to snip, in favor of throwing your
    little hissy fit.

    > How did you come to that conclusion? Are you a
    > psychologist as well as a computer guy? Stick to computers, you're much
    > better at it.


    Maybe, but I'm a pretty good psychologist too. For instance, I see you're
    an immature prat who can't take any amount of criticism, no matter what
    spirit it's offered in.

    Thanks for dropping your drawers and showing everyone EXACTLY what you're
    made of kid. Saves me any time I'd waste trying to be civil to you in the
    future, at least.
    George Orwell, Apr 21, 2006
    #14
  15. Jim Watt

    Jim Watt Guest

    On Fri, 21 Apr 2006 04:25:02 +0200 (CEST), George Orwell
    <> wrote:

    >No, all because you still believe it's not a coincidence in spite of
    >every bit of common sense and the evidence pointing to the contrary.


    I fail to see any 'evidence' that it was a coincidence. As that is
    the only bit of phishing email I have seen from Amazon it's hard to
    put numbers on its frequency. I regularly get similar emails in
    respect of banks which are not mine and receive around 300
    emails a day, many of which are concerned with products of no
    interest and are automatically trashed.

    If you want to do some calculations on the probability of adjacent
    emails occurring at random, please do. However the result will
    indicate it's low. I understand enough about probability theory and
    traffic analysis not to bother doing the calculation.

    19:38:20 Order placed and logged here
    19:42:00 Message1 origination Genuine
    20:03:41 Message2 origination Bogus

    All times UTC as given

    I respect Donnie's views because he has credibility.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Apr 21, 2006
    #15
  16. Jim Watt wrote:

    > On Fri, 21 Apr 2006 04:25:02 +0200 (CEST), George Orwell
    > <> wrote:
    >
    >>No, all because you still believe it's not a coincidence in spite of
    >>every bit of common sense and the evidence pointing to the contrary.

    >
    > I fail to see any 'evidence' that it was a co-incidence.


    Is that so? Then why don't you try going back and addressing the reasons
    no phisher would even HAVE to attack you, let alone want to, instead of
    skipping over it just so you can prop up your "believe what you want to
    believe" romanticism by claiming you're blind?

    > If you want to do some calculations on the probability of adjacent emails
    > occurring at random, please do. However the result will indicate it's low.


    Yeah, and you're the only one reporting it out of how many Amazon
    customers Jim? How many transactions every day?

    Think about what you're saying for God's sake. DO the math. If current
    Amazon customers were being targeted like this, even a percentage of them,
    don't you suppose we might have heard about it? CERT, Wired, or on CNN or
    something even?

    <googles> (again today)

    Nothing. Diddly squat. There's no evidence at all this was anything but a
    coincidence, not even a second corroborating report. And every shred of
    common sense says it's NOT an inside job.

    Ever hear of Occam's razor Jim?

    > I respect Donnie's views because he has credibility. -- Jim Watt


    The only thing he did was agree with you. If agreement is your yardstick
    for credibility your tool is broken, never mind your measurements. The
    simple fact of the matter is he AND you lose credibility when you discard
    every bit of rationality in favor of "conspiracy theory" capering.

    Sorry guy, as attractive as it might be to think you're the only one
    James Bond smart enough to ferret out an insidious criminal element in a
    multinational corporation, without some sort of evidence you're just that
    one in a million, OUT of a million, long shot who happened to get an
    Amazon phishing email a half hour or so after he bought a book. Get over
    it. You notified them, life is as good as it's going to get, now move on.
    George Orwell, Apr 21, 2006
    #16
  17. Jim Watt

    Jim Watt Guest

    On Fri, 21 Apr 2006 17:55:14 +0200 (CEST), George Orwell
    <> wrote:

    <snip>

    I don't recall asking for a long meaningless rant (like)

    >Then why don't you try going back and addressing the reasons
    >no phisher would even HAVE to attack you, let alone want to, instead of
    >skipping over it


    Nobody 'attacked' me, I got a phishing email, it's just the timing was
    a bit suspicious. You may have noticed the name of the group is
    alt.computer.security - I am sharing my experience with others to see
    if there is a pattern.

    Some of us do this stuff for a living and are naturally suspicious
    about anything strange that happens. That's how those stories
    on the Internet start. If we all kept quiet there would be none.

    >every shred of common sense says it's NOT an inside job.


    Yours seems shredded. As I say, there is no evidence apart from timing.


    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Apr 21, 2006
    #17
  18. Jim Watt

    donnie Guest

    On Fri, 21 Apr 2006 04:25:02 +0200 (CEST), George Orwell
    <> wrote:

    >No, all because you still believe it's not a coincidence in spite of
    >every bit of common sense and the evidence pointing to the contrary. The
    >discussion of which you felt compelled to snip, in favor of throwing your
    >little hissy fit.


    >Maybe, but I'm a pretty good psychologist too. For instance, I see you're
    >an immature prat who can't take any amount of criticism, no matter what
    >spirit it's offered in.
    >
    >Thanks for dropping your drawers and showing everyone EXACTLY what you're
    >made of kid. Saves me any time I'd waste trying to be civil to you in the
    >future, at least.

    #############################################
    First of all, I didn't throw any fit. I simply questioned your
    psychoanalysis of me which was way off the mark. Why that would make
    you decide that you are no longer going to be civil to me, I don't
    know. Either way, it doesn't matter. Many people are tough when they
    are hiding behind a keyboard.
    donnie, Apr 21, 2006
    #18
  19. Jim Watt wrote:

    > On Fri, 21 Apr 2006 17:55:14 +0200 (CEST), George Orwell
    > <> wrote:
    >
    > <snip>
    >
    > I don't recall asking...


    I'm sorry, did someone else post to a public discussion forum under your
    name? Maybe you have "issues" after all. <shrug>

    > ...for a long meaningless rant (like)


    Failed attempt to paint common sense and critical reasoning as a "rant"
    noted, and filed in the same folder with your blatant discarding of logic
    in favor of your OWN fevered ravings.

    Come on Jim..... answer the questions. Why would a phisher, who would
    obviously have to have access to your personal information to know you
    bought something, have to bother phishing you at all? If Amazon, or
    even you, were compromised, where's the benefit that justifies that
    blatant act? For that matter, why would even a "casual" data miner expose
    themselves by phishing you immediately after you made a purchase?

    If you HAVE any sort of intelligent rebuttal to this simple logic, by all
    means feel free to offer it up. If simple logic frightens you, just say
    so. If all you can do is wring your hands and yell "IS TOO", don't waste
    your time replying.

    >>Then why don't you try going back and addressing the reasons no phisher
    >>would even HAVE to attack you, let alone want to, instead of skipping
    >>over it

    >
    > Nobody 'attacked' me, I got a phishing email,


    Semantical quibbling noted, and filed as above. In fact, you disingenuous
    prat, the tone and nature of your original post insinuated you HAD been
    personally attacked.

    Just to be absolutely clear about it, you went out of your way to discard
    the possibility of a coincidence to PROP UP your unstudied assumption that
    someone had been compromised. Here's exactly what you said, quibble with
    your self about it if you want.....

    There are three possibilities

    1. sheer co-incidence
    2. I have a problem
    3. They have a problem

    If one rules out 1 on the basis that it's the first Amazon phishing
    attempt I've seen, it raises the question of how an external process has
    knowledge that I have just placed an order.

    > it's just the timing was a bit suspicious.


    Yeah, it was. And it does raise the questions I've already addressed. If
    you can't muster the ability to continue the conversation intelligently
    from that point you're just a nut who abandoned common sense for self
    delusion.

    > You may have noticed the name
    > of the group is alt.computer.security - I am sharing my experience with
    > others to see if there is a pattern.


    There isn't. One instance does not a pattern make.

    Anything else?

    > Some of us do this stuff for a living


    Yeah.... some of us DO.

    > and are naturally suspicious about
    > anything strange that happens. That's how those stories on the Internet
    > start. If we all kept quiet there would be none.


    I have no problem with that at all. It's why I'm here injecting a bit of
    sanity into mostly Donnie's dogged belief that Amazon has been owned, and
    your and his collective inability to address some really simple and
    straightforward concepts.

    >>every shred of common sense says it's NOT an inside job.

    >
    > Yours seems shredded.


    By what? You fleeing it and spitting invectives over your shoulder on the
    way? Not even close Jimbo.

    > As I say, there is no evidence apart from timing.


    When you stand up and actually defend that assertion rather than merely
    parroting it, I'll start to believe you're saying it with some conviction.
    Until then you're just yapping.
    George Orwell, Apr 21, 2006
    #19
  20. Jim Watt

    donnie Guest

    On Fri, 21 Apr 2006 23:18:57 +0200 (CEST), George Orwell
    <> wrote:

    >I have no problem with that at all. It's why I'm here injecting a bit of
    >sanity into mostly Donnie's dogged belief that Amazon has been owned, and
    >your and his collective inability to address some really simple and
    >straightforward concepts.
    >

    ##############################################
    I'm starting to think that you might own a good amount of shares in
    amazon.com and you are concerned that if anyone even thinks it's a
    possibility that information could be compromised, you might lose some
    money.
    donnie, Apr 21, 2006
    #20
