Re: What are these??


From: Jim Carlock (anonymous_at_127.0.0.1)
Date: 04/08/04


Date: Wed, 7 Apr 2004 23:52:09 -0400

http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=c8ll0e8rg1ch%24.7hvnpc2royyu.dlg%4040tude.net&rnum=1&prev=/groups%3Fq%3Daltsvc.exe%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26sa%3DN%26tab%3Dwg

Eww, that's a long post. There's information there about a
SetupHlp.cmd that copies altsvc to the Windows\System32
folder. The article seems to indicate that people are connected/
connecting to the host with such a file and are setting up the
Serv-U FTP file-sharing software. Read the article and look at
the contents of that .cmd file.

I ran into this last year, around the month of March, and they
start pulling all kinds of tricks on your system. Look at your
ntdll.dll file, which should be in the Windows\System32 folder;
they might have put a modified file there that may or may not be
detected by antivirus. Serv-U FTP is a valid program that
is not a virus; it just opens up your system to the whole world,
and the whole world can connect to you.

They'll put modified ntdll.dll files on your system, so check the
dates and such against "valid" files, because you may have a bogus
one that works in every manner like the real one but is NOT
a virus; instead it is something that opens your system up by
setting up some extra functions that other software can call...
whew, the thoughts are getting messy... There are some clever
folks out there. I happened to run across this because I opened
an .html file that was included in an email, and that file in turn
executed the Nimda virus, which in turn opened up the system
for hackers, and then Serv-U popped up.

I can't be 100% certain that's what's happened to you, but
I know what it did to my system, and the people using those
hacks are quite clever.

So with that, I'll add the following facts:

Only open HTML documents with Notepad. I put a shortcut
to Notepad in my SendTo list and open almost all files in this
manner to get a glimpse of what's in them. It doesn't matter
that you got an HTML file from a friend; be very wary about
opening such documents.

The same applies to any .EML files. And I'm sure you are aware
that it applies to .CHM, .HLP and many other files, including
.CMD, .EXE, .JS, .VBS and another 20 or so file types.

HTML is the primary source of viral transmission and system
exploitation. .CHM files are HTML. I think the HLP files work
in the same manner, but without the HTML stuff... I'm only
including those because I know code can be placed inside of
them, but I just don't know the full extent to which they are
capable of throwing your system into the hands of those that
want to take control of it.

I hope this information helps and makes you 500% aware of
the potential abuse that can be had. I'm not pulling things out
of thin air. It happened to me; it can happen to you. <g> Not
that I'm anything special. ;-) Good luck!

-- 
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.
"Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
message news:%23aVP7zOHEHA.1528@TK2MSFTNGP09.phx.gbl...
Do you have anything in your Network Protocol that might be starting this
service?
-- 
Michael Solomon MS-MVP
Windows Shell/User
Backup is a PC User's Best Friend
DTS-L.Org: http://www.dts-l.org/
"Ratan Maitra" <ratanmaitra@stopspam.hotmail.com> wrote in message
news:eDzpS2NHEHA.1944@TK2MSFTNGP11.phx.gbl...
> There has been no apparent effect of shifting both msthost and altsvc out
> of system32 directory. Mike.
> However, on doing some detective work of my own, I found that Netbios
> Helper Service (listed under Services) was automatically starting altsvc.exe
> and there are no Dependencies !!!
> Does it make any sense to anyone??
>
> "Ratan Maitra" <ratanmaitra@stopspam.hotmail.com> wrote in message
> news:%23MOlKdGHEHA.700@TK2MSFTNGP09.phx.gbl...
>> Thanks a lot Mike, for your painstaking detective work :-))
>>
>> As these haven't caused any 'significant' problems yet, I'm presently
>> killing these two processes and manually preventing msthost from
>> connecting to the net, after each booting. You have rightly observed, it
>> is this suspicious behaviour of ZoneAlarm setting for msthost.exe that
>> drew my attention to the processes running in the background. Moreover,
>> neither msthost nor altsvc appear in any start-up programs !!!
>>
>> I'll delete these files and let you know the results.
>> Thanks again
>>
>> "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote in
>> message news:OdEfauBHEHA.700@TK2MSFTNGP09.phx.gbl...
>> > I was doing some work in my Registry when I came upon a reference for
>> > msthost.exe and altsvc.exe in a sub-key of Search Assistant.  However, I
>> > don't show them on my system as being located on my hard drive.
>> >
>> > Why they are in your system32 folder I don't know unless there's
>> > something on your system that has placed them there.  The interaction
>> > you describe with Zone Alarm raises a red flag with me and it would seem
>> > to indicate malware, possibly taking advantage of a registry pointer but
>> > you say Ad Aware and Spybot came up clean as did AV scan.
>> >
>> > I'm sorry, I can't give you much beyond this.
>> >
>> > -- 
>> > Michael Solomon MS-MVP
>> > Windows Shell/User
>> > Backup is a PC User's Best Friend
>> > DTS-L.Org: http://www.dts-l.org/
>> >
>> > "Ratan Maitra" <ratanmaitra@stopspam.hotmail.com> wrote in message
>> > news:OW3dh8%23GEHA.2576@TK2MSFTNGP11.phx.gbl...
>> > > There are absolutely no details except the file size, which I have
>> > > already mentioned...
>> > > I have noticed one feature though, after each reboot, msthost manages
>> > > to erase the "block" settings of ZoneAlarm and I have to block it
>> > > afresh...
>> > >
>> > > Any other suggestions, please??
>> > >
>> > > "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com> wrote
>> > > in message news:eErvYz6GEHA.2408@TK2MSFTNGP12.phx.gbl...
>> > >> These are not Windows files.  You can try right clicking and
>> > >> selecting properties to see if you can figure out to what they
>> > >> belong.  If you have no viruses or malware installed, they may belong
>> > >> to other applications installed on your system.
>> > >>
>> > >> -- 
>> > >> Michael Solomon MS-MVP
>> > >> Windows Shell/User
>> > >> Backup is a PC User's Best Friend
>> > >> DTS-L.Org: http://www.dts-l.org/
>> > >>
>> > >> "Ratan Maitra" <ratanmaitra@stopspam.hotmail.com> wrote in message
>> > >> news:%23R7rV34GEHA.3164@TK2MSFTNGP11.phx.gbl...
>> > >> > Thanks Mike, but I do mean msthost.exe (817kb) and altsvc.exe (13kb)
>> > >> > ...both located in system32 directory..as correctly mentioned
>> > >> > earlier.
>> > >> > I have the latest 4 April NAV update and run the scan regularly...I
>> > >> > have also undergone free online scans of Panda and Trend....but
>> > >> > nothing was detected.
>> > >> > I couldn't get any information about these two processes running in
>> > >> > the background...
>> > >> >
>> > >> > "Michael Solomon (MS-MVP Windows Shell/User)" <user@#notme.com>
>> > >> > wrote in message news:e$FX1E3GEHA.2840@TK2MSFTNGP10.phx.gbl...
>> > >> >> If you mean alertsvc.exe and mshost.exe, the first thing you need
>> > >> >> to do is make sure your antivirus software is up to date and run a
>> > >> >> scan.
>> > >> >>
>> > >> >> -- 
>> > >> >> Michael Solomon MS-MVP
>> > >> >> Windows Shell/User
>> > >> >> Backup is a PC User's Best Friend
>> > >> >> DTS-L.Org: http://www.dts-l.org/
>> > >> >>
>> > >> >> "Ratan Maitra" <ratanmaitra@stopspam.hotmail.com> wrote in message
>> > >> >> news:OGCEdu2GEHA.2844@tk2msftngp13.phx.gbl...
>> > >> >> > Of late I have noticed msthost.exe and altsvc.exe (both located
>> > >> >> > in Windows/system32) are running in the background. .....and
>> > >> >> > msthost tries to connect to the internet immediately after
>> > >> >> > logging on..
>> > >> >> > What are these, any ideas??
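Editor's added example, not code from any poster in this thread: a PowerShell triage script that does the checks the participants were doing by hand. It verifies ntdll.dll by its Authenticode/catalog signature and hash rather than by file date (a dropper can set any timestamp it likes), finds services that launch or host the named binaries either through their ImagePath or through a svchost ServiceDll value (which is how an unrelated-looking service such as the NetBIOS helper can start an unknown executable while showing no dependencies), searches the common autorun registry keys that a "startup programs" list misses, and maps listening TCP ports to their owning process, which is where a Serv-U style FTP daemon shows up even when no scanner objects to the binary. The file names msthost.exe and altsvc.exe are the thread's; the function and variable names are mine. It assumes Windows 8 / Server 2012 or later with PowerShell 5.1+ (Get-NetTCPConnection does not exist on Windows XP) and an elevated prompt.

```powershell
# Added triage example (editor's code, not from the thread). Assumes an elevated
# PowerShell 5.1+ session on Windows 8/Server 2012 or later.
$System32     = Join-Path $env:SystemRoot 'System32'
$SuspectNames = @('msthost.exe', 'altsvc.exe')   # names taken from the thread

# Trust the signature and hash, not the timestamp: LastWriteTime is trivially
# forged, a Microsoft Authenticode/catalog signature is not.
function Get-SystemFileTrust {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        SigStatus = $sig.Status   # expect 'Valid' for a genuine ntdll.dll
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        SHA256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        LastWrite = (Get-Item -Path $Path).LastWriteTime
    }
}

# Services that reference a suspect file either in their image path or, for
# svchost-hosted services, in HKLM\SYSTEM\...\Services\<name>\Parameters\ServiceDll.
function Find-ServiceReferencing {
    param([Parameter(Mandatory)][string[]]$FileName)
    $pattern = ($FileName | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $dll = $null
        $paramsKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($svc.Name)\Parameters"
        if (Test-Path -Path $paramsKey) {
            $dll = (Get-ItemProperty -Path $paramsKey -ErrorAction SilentlyContinue).ServiceDll
        }
        if ($svc.PathName -match $pattern -or ($dll -and $dll -match $pattern)) {
            [pscustomobject]@{
                Service    = $svc.Name
                Display    = $svc.DisplayName
                StartMode  = $svc.StartMode
                State      = $svc.State
                PathName   = $svc.PathName
                ServiceDll = $dll
            }
        }
    }
}

# Autostart locations that the Startup folder / msconfig view does not cover.
function Find-AutorunReferencing {
    param([Parameter(Mandatory)][string[]]$FileName)
    $pattern = ($FileName | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match $pattern) {
                [pscustomobject]@{ Key = $key; Value = $p.Name; Data = $p.Value }
            }
        }
    }
}

# Listening sockets mapped to their owning process; an FTP daemon that a
# scanner considers legitimate still has to listen somewhere (21 by default).
function Get-ListenerOwners {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            PID       = $_.OwningProcess
            Process   = if ($proc) { $proc.ProcessName } else { '<exited>' }
            Path      = if ($proc) { $proc.Path } else { $null }
        }
    } | Sort-Object -Property LocalPort -Unique
}

Get-SystemFileTrust -Path (Join-Path $System32 'ntdll.dll') | Format-List
Find-ServiceReferencing -FileName $SuspectNames | Format-List
Find-AutorunReferencing -FileName $SuspectNames | Format-Table -AutoSize
Get-ListenerOwners | Format-Table -AutoSize
```

A SigStatus other than Valid on ntdll.dll, a service whose ServiceDll points outside the expected Microsoft binaries, or a listener owned by a process in System32 that is not a known Windows image is the concrete evidence the thread was missing; note that a listener on 21 owned by a legitimately signed FTP server is still a finding if nobody installed it.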

