Process masking detected, PID = 0 name " "

Printable View

05.02.2009, 01:52
peter.levy

Вложений: 1

Process masking detected, PID = 0 name " "

Hi
I use KIS 2009 on 3 PCs and have run AVZ which detects a rootkit WIN32.go or similar but after it is deleted further scans with AVZ show masking detected and that the PID has been changed to 0 with a name of " " (no name).

Is there a way to prevent or stop this process?

I have used auto AVP tool with no result. I would like to try the manual AVP tool with your help.

Attached is the AVPtool_syscheck.sys

Thanks for your help
Peter
05.02.2009, 10:18
drongo

Please download in my signature special avz, put it in new folder on desktop.
Please execute this script in avz:You will be asked to confirm from UAC, please confirm all requests from UAC.
(Do remember to exit kaspersky and disconnect from internet before that)
[code]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
QuarantineFile('C:\Windows\system32\b479F5.sys','');
SetAVZPMStatus(true);
BC_ImportAll;
BC_Activate;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
RebootWindows(true);
end.[/code]
Your computer will reboot, exit again kaspersky, exit any program in system tray that you can,lunch an internet explorer and another browser that you are might using, only than
Start AVZ*. Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box. Click on the "Execute selected scripts" button.
Automatic scanning, healing and system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as [B]virusinfo_syscure.zip[/B].

After reboot:
1.[B]virusinfo_syscure.zip[/B] please attach to your next post.
2. Read appendix#3 of the rules [url]http://virusinfo.info/showthread.php?t=9184[/url]
upload quarantine by [url]http://virusinfo.info/upload_virus_eng.php?tid=38984[/url]
06.02.2009, 00:47
peter.levy

Вложений: 1

Hi drongo
Well I hope this worked, I had a few false starts.
1) failed to stop apps and disconnect internet, restarted and did it correctly second time.
2) Failed to start IE browser before running std script, restarted and did it correctly second time (I did not connect the internet when running standard script, I hope this was correct).

I hope this did not affect the result. I have a second machine I can do this on if it did not work correctly.

Best regards
Peter
06.02.2009, 10:43
drongo

1.You did forget upload your quarantine from this computer, please execute this script in avz:

[code]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
SetAVZPMStatus(false);
QuarantineFile('C:\Windows\system32\rdpclip','');
QuarantineFile('C:\Windows\System32\acer.scr','');
QuarantineFile('C:\Windows\PLFSetI.exe','');
QuarantineFile('C:\Windows\system32\b479F5.sys','');
QuarantineFile('C:\Windows\system32\DRIVERS\PSDNServ.sys','');
QuarantineFile('C:\Windows\system32\DRIVERS\PSDVdisk.sys','');
QuarantineFile('C:\Windows\system32\drivers\int15.sys','');
BC_ImportAll;
BC_Activate;
RebootWindows(true);
end.[/code]
Read appendix#3 of the rules [url]http://virusinfo.info/showthread.php?t=9184[/url]
upload quarantine by [url]http://virusinfo.info/upload_virus_eng.php?tid=38984[/url]

2. Please download gmer,[url]http://www.gmer.net/gmer.zip[/url], disable/exit antivirus and disconnect from internet, unzip it to some new folder.
Run gmer.exe ( allow @ UAC for running), select Rootkit tab and click the "Scan" button.save log, and then restart, enable antivirus and attach this log in your next post.
06.02.2009, 14:28
peter.levy

Hi Drongo
Thank you for your patience.

I have tried to Upload the quarantine file but it stalls with warnings for example from Kaspersky;

bcqr00002.dat is password protected this happens for;

\??\C:\windows\system32\ (followed by)

rdpclip\bcqrooo2.dat

drivers\psdvdisk.sys \bcqr00011.dat
drivers\psdvdisk.sys \bcqr00010.dat
drivers\psdvdisk.sys \bcqr00009.dat
drivers\psdvdisk.sys \bcqr00012.dat

int15.sys\bcqr00013.dat

b479F5.sys\bcqr00008.dat

acer.scr\avz00001.dta

Some of these (kaspersky report) are from the RecycleBin. I will try again to send non password files after sending this reply in case it fails to upload again.

Best regards
Peter
06.02.2009, 15:30
drongo

No, absolutely not !!! avz protect zip automatically with password- it is ok :)

We did get the quarantine. -)

[size="1"][color="#666686"][B][I]Добавлено через 31 минуту[/I][/B][/color][/size]

archive is too big, i am unable download now, i think problems on our server. could you archive with avz only C:\Windows\system32\b479F5.sys and upload ? i think this driver cause these problems. all the rest seems ok.
where the gmer log ?

[size="1"][color="#666686"][B][I]Добавлено через 10 минут[/I][/B][/color][/size]

here script for deleting this thing :
(Remember to disable system restore and only after that execute the script)
[code]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
DeleteFile('C:\Windows\system32\b479F5.sys');
BC_ImportAll;
BC_DeleteSvc('b479F5');
ExecuteSysClean;
ExecuteRepair(6);
ExecuteRepair(8);
ExecuteRepair(9);
BC_Activate;
RebootWindows(true);
end.

[/code]
06.02.2009, 18:07
peter.levy

Вложений: 2

Follow up to B479F5

Hi Drongo
Thanks, I have sent the above file to the Upload and this reply has the attachments you requested, when the upload seemed to stall I must have cancelled the reply with the attachment.
Thanks again I will now use the delete script and report result.

Best regards
Peter
06.02.2009, 19:48
drongo

at least logs seems to be ok :) how is your system ?
07.02.2009, 15:41
peter.levy

Вложений: 2

Scan second time hidden process back

Hi Drongo
Thank you for the help with this.
I though we had cracked it, checking the scan after third custom scan stops the hidden processes, but restarting and scanning again it was back as hidden processes, I tried this several times and on 2 other machines with the same result, the hidden process re-appeared on scanning for second time after restart.
I have included uploaded quarantine and attached files. I guess it is hiding on another application.

Best regards
Peter
07.02.2009, 17:49
drongo

Now i don't see what is cause this, perhaps it is becuse acer utility.
I will ask my colleges, perhaps they will see, what i can't.
On all your computers you have utilities from acer ?
08.02.2009, 13:47
peter.levy

Hi Drongo
Thanks again for your help.
I have 2 off Acer laptops and 1 off Desktop with a ASRock 775i65GV and a 3GHz Dual Core CPU motherboard. Yesterday I repeated the process on the ASRock because it is much quicker. On auto restart from 3rd Script I scanned twice with pif.paf (after enabling AVZPM) and the Hidden Process did not appear. On restarting again and scanning with pif.paf the Hidden Process re-appeared. This is the same behaviour on all 3 machines. There are no Acer programmes or processes on the ASRock.

Best regards
Peter

p.s
If after delete process I install KVPM driver, restart showing Hidden Process, delete KVZPM driver, restart, install KVPM driver the Hidden Process is gone, restart again and it re-appears.

After some research it appears that Vista SP1 causes this 'hidden masking', pre SP1 - downloading dodgy files such as Nero key generators, Hirrens Boot Disk or Acronis apps also causes this effect.