Re: Alternate data streams

From: eingram (eingram_at_discussions.microsoft.com)
Date: 10/16/05

  • Next message: Peter Foldes: "Re: W2K netstat detects port 1433 is listenning but fport does NOT..., can't start mission critical sql server !!!"
    Date: Sat, 15 Oct 2005 19:36:03 -0700
    
    

    OK! Finally someone with some practical advice! (Although I'm going to have
    to get a degree in Windows security before I'm done, that's ok.) Could you
    provide any links for this "BART" stuff? I can make a bootable cd. I made
    one with panda AV for my wife's computer. PS I forgot to mention that
    blacklight didn't show anything, but rootkit revealer from sysinternals
    showed two, one was what my Trend micro was using. The other was an obscure
    reference to a registry key that contained nulls. I didn't do anything with
    those. Adaware showed 745 ADS (all in docs and settings) I quarantined these
    and so far have seen no bad effects from quarantining but no improvement on
    the ram prob. I'm running out of uncommon things to search for. (If it's
    common stuff then no proof it's linked to my searches)

    "cquirke (MVP Windows shell/user)" wrote:

    > On Sat, 15 Oct 2005 05:47:03 -0700, "eingram"
    >
    > >I have two reasons to suspect something's wrong. First let me list what I've
    > >used, then my reasons for suspicion. I use Trend Micro AV. I regularly scan
    > >with AdAware Pro., Webroot SpySweeper, a-squared anti malware, MS
    > >antispyware, and Spybot S&D. In addition I have installed Spyware Blaster,
    > >which I keep updated.
    >
    > OK. I don't know a-squared, so I don't know that it's not one of the
    > 200+ rogue "antispyware scanners", but I don't recognise the name as
    > one of those (e.g. NoAdware, ZoftSpy) either.
    >
    > >Now my two reasons:
    >
    > >1. If I search on a topic that I don't normally search on, I will start
    > >receiving spam in my Outlook junk mail which directly relates to whatever I
    > >searched on.
    >
    > That certainly sounds like a commercial malware effect. Does your
    > mileage change if you use an alternate browser? If so, does IE behave
    > better if you disable all BHOs etc.?
    >
    > >2. If I leave my machine on for a significant length of time, my amount of
    > >free ram (I have 1 GB total) goes down, and all processes increase their ram
    > >footprints. Typically my free ram goes from about 500 MB just after boot up
    > >down to about 300 MB. That's why I suspect something is going on that is well
    > >hidden from normal anti spyware tools.
    >
    > That doesn't sound as clear-cut, because the system may well be
    > "consuming" more memory as a way of speeding up expected future
    > accesses. Is this behavior a departure from that which you observed
    > in this OS version before? Or is it something you noticed for the
    > first time after getting suspicious?
    >
    > If the latter, it may not be significant.
    >
    > >"Phil Weldon" wrote:
    > >> 'eingram' wrote:
    >
    > >> |I used Crucial Security's "CrucialADS" program and found over 550+ ADS's on
    > >> | my system.
    > >> | Now I know it won't be practical to check them one by one so does anyone
    > >> | know of a list (maybe by MS) that gives legitimate ones that I can compare to?
    >
    > ADS are used to hold thumbnails, document Properties, etc. by the OS.
    > I use ADS Spy, which can be run in different ways; either showing
    > everything, or it can screen out the ADSs that are likely to be
    > "normal". There is usually not a lot of bulk within ADSs.
    >
    > Also, some av may store integrity check info in ADS associated with
    > code files; that can look like a problem too.
    >
    > AFAIK as at October 2005, malware code within an ADS has to be
    > explicitly referenced from somewhere else, such as more exposed
    > malware code, or some integration point setting.
    >
    > I think you're standing too close to the tree bark here - I'd start
    > with a formal malware scan, using Bart PE bootable CDR. Yep, that
    > means quite a bit of research to figure out how to build a Bart
    > bootable CDR, integrate av into it, etc. plus the need for a
    > known-clean system to do all this on, but that's what I'd do.
    >
    > Free scanners that work well from a Bart PE boot include:
    > - Trend SysClean *
    > - McAfee Stinger
    > - McAfee ScanPM, as per SuperDats (command line scanner)
    > - F-Prot command line scanner, from the F-Prot for Windows demo
    > - AntiVir 6 *
    > - SpyBot 1.4
    > - AdAware (needs RunScanner to access host registry)
    >
    > * Must be run from writable disk, i.e. HD or RAM disk rather
    > than directly from CDR
    >
    > You can also use integration scanners from Bart, but you must use
    > these with the RunScanner plugin else they read the Bart rather than
    > HD registry (RunScanner redirects this):
    > - HiJackThis
    > - tools from www.nirsoft.net
    > - Faber Toys
    > - ...etc.
    >
    > The next best thing to do, if you "can't" do a Bart scan, is to scan
    > from Safe Mode Command Prompt Only. But then there's a real risk the
    > malware will be active, and rootkits in particular can hide
    > themselves. You get scanners dedicated to rootkits, such as F-Secure
    > BlackLight beta and RootKitRevealer, and because these look for "live"
    > runtime behavior, they paradoxically work best when run from the
    > infected environment rather than from a Bart boot!
    >
    > >> Did your up-to-date antivirus program with up-to-date virus definitions
    > >> report anything? Did your anti-spyware program report anything? Did your
    > >> anti-adware program report anything?
    >
    > If informal tools can't find anything, it either means there is
    > nothing to find, or there is malware that is successfully defending
    > itself. The original poster wants to tell the difference.
    >
    > >> If none of these up-to-date programs report any malware, and if you also run
    > >> such programs in the 'safe mode', there is not much more you should do.
    >
    > There may not be "easy" stuff you can do, but life is not constrained
    > only to what is "easy".
    >
    >
    >
    > >--------------- ---- --- -- - - - -
    > I'm baaaack!
    > >--------------- ---- --- -- - - - -
    >

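The thread above discusses screening hundreds of alternate data streams by hand. The following script is an added example (it is not from any poster in the thread, and it is not ADS Spy or CrucialADS): it enumerates every named stream under a directory tree, marks the stream names the OS itself is known to write, and flags streams with unfamiliar names or unusual bulk, which matches the "screen out the likely-normal ones" approach described. The list of benign stream names is an assumption for illustration, and the 64 KB threshold is arbitrary; both should be adjusted for the environment (for instance, adding the stream name your AV uses for integrity data).

```powershell
# Added example: enumerate NTFS alternate data streams under a directory and
# flag those whose name is not on a list of commonly benign streams, or that are
# unusually large. Requires PowerShell 3.0+ (the -Stream parameter).
# The benign list and the size threshold are assumptions; extend them locally.
param(
    [string]$Root = "$env:USERPROFILE",   # e.g. the "Documents and Settings" profile
    [int]$SizeThresholdBytes = 64KB
)

# Stream names the OS commonly writes (assumed list; verify on your own system).
$KnownBenign = @(
    'Zone.Identifier',                          # mark-of-the-web on downloaded files
    "$([char]5)SummaryInformation",             # Explorer document properties
    "$([char]5)DocumentSummaryInformation",
    '{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}'    # Explorer thumbnail stream
)

$results = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists every stream on the file; ':$DATA' is the ordinary content.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [PSCustomObject]@{
                    Path   = $file.FullName
                    Stream = $_.Stream
                    Length = $_.Length
                    Known  = ($KnownBenign -contains $_.Stream)
                    Large  = ($_.Length -gt $SizeThresholdBytes)
                }
            }
    }

# Anything with an unfamiliar name, or more bulk than ADS usually carry,
# is worth a closer look; everything else is reported only in the count.
$suspect = @($results | Where-Object { -not $_.Known -or $_.Large })
"Total ADS found: $(@($results).Count); unknown-name or large: $($suspect.Count)"
$suspect | Sort-Object Length -Descending |
    Format-Table Path, Stream, Length, Known, Large -AutoSize
```

Run it as `.\Find-Ads.ps1 -Root 'C:\Documents and Settings'` (or any path) from an administrative prompt so that other users' profiles are readable. A flagged stream is only a lead, not a verdict: as the thread notes, code in a stream still needs something else (a Run key, a scheduled task, another executable) to reference it, so the next step is to look for what, if anything, points at the flagged `file:stream` name.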
