
Process masking detected, PID = 0 name " "

  1. #1
    Junior Member (registered 04.02.2009, posts: 8, reputation weight: 33)

    Process masking detected, PID = 0 name " "

    Hi
    I use KIS 2009 on 3 PCs and have run AVZ, which detects a rootkit WIN32.go or similar, but after it is deleted further scans with AVZ show masking detected and that the PID has been changed to 0 with a name of " " (no name).

    Is there a way to prevent or stop this process?

    I have used the auto AVP tool with no result. I would like to try the manual AVP tool with your help.

    Attached is the AVPtool_syscheck.sys

    Thanks for your help
    Peter
    Attachments

  2. #2
    drongo, Senior Member (registered 17.09.2004, location: Israel, posts: 7,165, reputation weight: 971)
    Please download the special AVZ from my signature and put it in a new folder on the desktop.
    Please execute this script in AVZ. You will be asked to confirm from UAC; please confirm all requests from UAC.
    (Do remember to exit Kaspersky and disconnect from the internet before that)
    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    QuarantineFile('C:\Windows\system32\b479F5.sys','');
    SetAVZPMStatus(true);
    BC_ImportAll;
    BC_Activate;
    ExecuteRepair(6);
    ExecuteRepair(8);
    ExecuteRepair(9);
    RebootWindows(true);
    end.
    Your computer will reboot. Exit Kaspersky again, exit any program in the system tray that you can, launch Internet Explorer and any other browser that you might be using, and only then
    start AVZ. Choose from the menu "File" => "Standard scripts" and mark the "Healing/Quarantine and Advanced System Investigation" check box. Click on the "Execute selected scripts" button.
    Automatic scanning, healing and system check will be executed. A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.

    After reboot:
    1. Please attach virusinfo_syscure.zip to your next post.
    2. Read appendix #3 of the rules http://virusinfo.info/showthread.php?t=9184 and
    upload the quarantine via http://virusinfo.info/upload_virus_eng.php?tid=38984
    Last edited by drongo; 05.02.2009 at 10:39.

  3. #3
    Junior Member (registered 04.02.2009, posts: 8, reputation weight: 33)
    Hi drongo
    Well, I hope this worked; I had a few false starts.
    1) Failed to stop apps and disconnect the internet; restarted and did it correctly the second time.
    2) Failed to start the IE browser before running the standard script; restarted and did it correctly the second time (I did not connect to the internet when running the standard script; I hope this was correct).

    I hope this did not affect the result. I have a second machine I can do this on if it did not work correctly.

    Best regards
    Peter
    Attachments

  4. #4
    drongo, Senior Member (registered 17.09.2004, location: Israel, posts: 7,165, reputation weight: 971)
    1. You forgot to upload your quarantine from this computer; please execute this script in AVZ:

    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    SetAVZPMStatus(false);
    QuarantineFile('C:\Windows\system32\rdpclip','');
    QuarantineFile('C:\Windows\System32\acer.scr','');
    QuarantineFile('C:\Windows\PLFSetI.exe','');
    QuarantineFile('C:\Windows\system32\b479F5.sys','');
    QuarantineFile('C:\Windows\system32\DRIVERS\PSDNServ.sys','');
    QuarantineFile('C:\Windows\system32\DRIVERS\PSDVdisk.sys','');
    QuarantineFile('C:\Windows\system32\drivers\int15.sys','');
    BC_ImportAll;
    BC_Activate;
    RebootWindows(true);
    end.
    Read appendix #3 of the rules http://virusinfo.info/showthread.php?t=9184 and
    upload the quarantine via http://virusinfo.info/upload_virus_eng.php?tid=38984

    2. Please download GMER, http://www.gmer.net/gmer.zip, disable/exit the antivirus and disconnect from the internet, and unzip it to some new folder.
    Run gmer.exe (allow it at UAC when running), select the Rootkit tab and click the "Scan" button. Save the log, then restart, enable the antivirus and attach this log in your next post.
    Last edited by drongo; 06.02.2009 at 10:56.

  5. #5
    Junior Member (registered 04.02.2009, posts: 8, reputation weight: 33)
    Hi Drongo
    Thank you for your patience.

    I have tried to upload the quarantine file but it stalls with warnings, for example from Kaspersky:

    bcqr00002.dat is password protected; this happens for:

    \??\C:\windows\system32\ (followed by)

    rdpclip\bcqrooo2.dat

    drivers\psdvdisk.sys \bcqr00011.dat
    drivers\psdvdisk.sys \bcqr00010.dat
    drivers\psdvdisk.sys \bcqr00009.dat
    drivers\psdvdisk.sys \bcqr00012.dat

    int15.sys\bcqr00013.dat

    b479F5.sys\bcqr00008.dat

    acer.scr\avz00001.dta

    Some of these (Kaspersky report) are from the Recycle Bin. I will try again to send non-password files after sending this reply, in case it fails to upload again.

    Best regards
    Peter

  6. #6
    drongo, Senior Member (registered 17.09.2004, location: Israel, posts: 7,165, reputation weight: 971)
    No, absolutely not!!! AVZ protects the zip with a password automatically; it is OK.

    We did get the quarantine. -)

    Added 31 minutes later

    The archive is too big; I am unable to download it now, I think there are problems on our server. Could you archive only C:\Windows\system32\b479F5.sys with AVZ and upload it? I think this driver causes these problems. All the rest seems OK.
    Where is the GMER log?

    Added 10 minutes later

    Here is the script for deleting this thing:
    (Remember to disable System Restore and only after that execute the script)
    Code:
    begin
    SearchRootkit(true, true);
    SetAVZGuardStatus(True);
    DeleteFile('C:\Windows\system32\b479F5.sys');
    BC_ImportAll;
    BC_DeleteSvc('b479F5');
    ExecuteSysClean;
    ExecuteRepair(6);
    ExecuteRepair(8);
    ExecuteRepair(9);
    BC_Activate;
    RebootWindows(true);
    end.
    Last edited by drongo; 06.02.2009 at 15:30. Reason: Added

  7. #7
    Junior Member (registered 04.02.2009, posts: 8, reputation weight: 33)

    Follow up to B479F5

    Hi Drongo
    Thanks, I have sent the above file to the upload, and this reply has the attachments you requested; when the upload seemed to stall I must have cancelled the reply with the attachment.
    Thanks again; I will now use the delete script and report the result.

    Best regards
    Peter
    Attachments

  8. #8
    drongo, Senior Member (registered 17.09.2004, location: Israel, posts: 7,165, reputation weight: 971)
    At least the logs seem to be OK. How is your system?

  9. #9
    Junior Member (registered 04.02.2009, posts: 8, reputation weight: 33)

    Scan second time hidden process back

    Hi Drongo
    Thank you for the help with this.
    I thought we had cracked it: checking the scan after the third custom scan stops the hidden processes, but on restarting and scanning again it was back as hidden processes. I tried this several times and on 2 other machines with the same result: the hidden process re-appeared on scanning for the second time after restart.
    I have included the uploaded quarantine and attached files. I guess it is hiding in another application.

    Best regards
    Peter
    Attachments

  10. #10
    drongo, Senior Member (registered 17.09.2004, location: Israel, posts: 7,165, reputation weight: 971)
    Now I don't see what is causing this; perhaps it is because of the Acer utility.
    I will ask my colleagues; perhaps they will see what I can't.
    Do you have utilities from Acer on all your computers?
    Last edited by drongo; 07.02.2009 at 17:55.

  11. #11
    Junior Member (registered 04.02.2009, posts: 8, reputation weight: 33)
    Hi Drongo
    Thanks again for your help.
    I have 2 Acer laptops and 1 desktop with an ASRock 775i65GV motherboard and a 3GHz dual-core CPU. Yesterday I repeated the process on the ASRock because it is much quicker. On auto restart from the 3rd script I scanned twice with pif.paf (after enabling AVZPM) and the Hidden Process did not appear. On restarting again and scanning with pif.paf the Hidden Process re-appeared. This is the same behaviour on all 3 machines. There are no Acer programmes or processes on the ASRock.

    Best regards
    Peter

    P.S.
    If after the delete process I install the KVPM driver, restart showing the Hidden Process, delete the KVZPM driver, restart, and install the KVPM driver, the Hidden Process is gone; restart again and it re-appears.

    After some research it appears that Vista SP1 causes this 'hidden masking'; pre-SP1, downloading dodgy files such as Nero key generators, Hiren's Boot Disk or Acronis apps also causes this effect.
    Last edited by Rene-gad; 08.04.2009 at 16:53.
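The "Process masking detected" verdict that started this thread is the kind of cross-view check anti-rootkit tools use: one process list is compared against a list gathered by a different route, and an entry present in only one of them is reported as masked (that this is how AVZ arrives at its verdict is an assumption on my part). The following is an added example, not AVZ's code or anything posted in this thread, that runs the same check on Linux (the /proc listing against kill(pid, 0) probing of every PID) and drops the benign disagreements, such as threads, exit races and PID 0, that would otherwise look exactly like the nameless PID 0 hit reported above.

```python
import os

def procfs_view():
    # View A: numeric entries of /proc (thread group leaders only).
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}

def pid_exists(pid):
    # kill(pid, 0) delivers nothing: success or EPERM means live, ESRCH means gone.
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        pass
    return True

def probe_view(pid_max=1 << 16):
    # View B: every ID the kernel admits exists, found by probing the whole range
    # (capped at 65536 here; a real sweep reads /proc/sys/kernel/pid_max). PID 0 is
    # skipped: kill(0, sig) targets the caller's own process group, so it always
    # answers and would be a bogus nameless hit.
    return {pid for pid in range(1, pid_max) if pid_exists(pid)}

def is_thread(pid):
    # Threads answer kill() but only their group leader is listed in /proc.
    try:
        with open(f"/proc/{pid}/status") as fh:
            for line in fh:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) != pid
    except OSError:
        pass
    return False

def cross_view(listing, probed):
    # IDs the probe found but the listing omitted: masking candidates.
    return probed - listing

def hidden_pids():
    candidates = cross_view(procfs_view(), probe_view())
    candidates -= procfs_view()  # re-list: drops processes started between the views
    # Still unlisted, still alive and not a thread: report as masked. A PID that
    # exited after probing fails pid_exists() and is dropped.
    return {pid for pid in candidates if pid_exists(pid) and not is_thread(pid)}

def self_check():
    # This process is in both views and must never be reported as masked.
    me = os.getpid()
    return me in procfs_view() and me in probe_view(me + 1) and me not in hidden_pids()
```

A single scan, as the thread shows, is not conclusive: run it several times across a reboot and treat only a PID that is consistently alive, unlisted and not a thread as worth investigating.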
