Security Basics mailing list archives

Re: 答复: Hacked again???

From: Vijay Vikram <karpagamekapali () gmail com>
Date: Mon, 27 Jun 2005 12:36:38 +0530

More information on the "good" processess running in the computer -
DLLs and EXEs can be seen in

http://www.processlibrary.com/

If the process is not listed in here , we can also run the 

http://www.sysinternals.com/Utilities/ProcessExplorer.html

to find the veracity of the same. 

Finally as  Yu Haitao David pointed , a HijackFix scan will yeild
results to remove the "bad" stuff


regards
KKDU

On 6/16/05, Yu Haitao David <davidyu () tencent com> wrote:

check via googling...

winproc.exe   ---- from http://www.trojaner-board.de/showthread.php?t=2153,
it must be a  brwoser hijacker, use spyware tools to remove it

Rpcservice.exe    ------ no useful information, but from its name, must be
a
RPC server/client. mostly used in many trojans

msnmsgr.exe  ------- if you are soure of that it is NOT from microsoft,
then
it IS the malicious process.

what these three combination could do? hm, if they are really worked
together, your PC might be trojaned or zombied, maybe totally controlled by
someone else.

you may solve this in the following steps:

1. using spyware removing tools, such as HijackThis, to check registry,
delete obvious suspecious entry. especially in RUN;
2. reboot to Safe Mode, delete those files listed;
3. using some browser fixing tools, such as TweakUI, to restore your
browser
settings.

hope it helped.

-----邮件原件-----
发件人: Mauricio Fernandez [mailto:mfernandez () fdta-valles org] 
发送时间: 2005年6月15日 6:20
收件人: security-basics () securityfocus com
主题: Hacked again???

Hi…

I am not sure, but I think that I was hacked again.

I have a w2k SP4 full patched box with KerioFirewall, and this morning I
found three running process on it:
Winproc.exe
Rpcservice.exe
Msnmsgr.exe

The last one it is not the Messenger from Microsoft…

I google those file names, but all I found was in Japanese/Hebrew or
something...
 
Does anyone know some attack with this three files combination?

TIA



Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia

Current thread:

Hacked again??? Mauricio Fernandez (Jun 15)
- 答复: Hacked again??? Yu Haitao David (Jun 16)
  - Re: 答复: Hacked again??? Vijay Vikram (Jun 27)
- Re: Hacked again??? Mark Bassett (Jun 16)
  - Re: Hacked again??? zilb (Jun 20)
    - Re: Hacked again??? Valentin Höbel (Jun 20)
    - Re: Hacked again??? Christoph 'knurd' Jeschke (Jun 21)
    - Re: Hacked again??? Ansgar -59cobalt- Wiechers (Jun 27)
- Re: Hacked again??? Christoph 'knurd' Jeschke (Jun 17)
- <Possible follow-ups>
- Re: Hacked again??? mod . sparda (Jun 16)
- Re: Re: Hacked again??? s . omahony (Jun 17)
- Re: Re: Hacked again??? Phil Cryer (Jun 20)