[Dshield] Hidden Process
pmarsh at nmefdn.org
Fri Jan 19 13:18:49 GMT 2007
Just tossing out an update. I haven't had a chance to get into
the drive with another OS, hopefully I'll be able to over the weekend.
RootKitRevealer didn't find anything out of the norm. Matter of fact
RootKitRevealer did not pick up kdnjh.exe as did BlackLight. I loaded
ActivePort and monitored the box while surfing and launching searches,
again nothing out of the norm. Nmap against the box came back normal
both full T: and U:. I tossed on ProcessExplorer and did the same
steps, again nothing out of the norm.
I ran HiJackThis on the box and did find a reg key that none of
the others found.
HKLM\Sys\CCS\Services\Tcpip\Param: NameServer = 85 dot 255 dot
113 dot 147 85 dot 255 dot 112 dot 188
Other than that things look OK, BHO's look OK also.
While googling around I have found what might be a common
denominator regarding "wareout". I've also found a util called
fixwareout.exe that cleans wareout. If all else fails before I flatten
the drive I'll give fixwareout a shot.
I'll post an update once I get a copy of kdnjh.exe off the box.
Again and as always thanks to everyone on the list.
The information in this transmittal (including attachments, if any) is privileged and confidential and is intended only for the recipient(s) listed above. Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient. If you have received this transmittal in error, please notify me immediately by reply email and destroy all copies of the transmittal. Thank you.
More information about the list