Anybody ran into a process which doesn't appear in task manager?
on 05.12.2006 21:15:58 by yamen.k
I got infected with a malicious executable, "GXHO.exe".
My anti virus didn't say anything about it, then this happened:
First my anti spyware warned me that it's being put with the start up,
so i rejected, and opened task manager to close it and didn't find it,
so i assumed it's not running. I went to its folder to delete it, but
it wouldn't delete because it's in use. A while passed and my firewall
asked me whether i allow SMTP access to GXHO.exe, of course i said no,
and checked the task manager again, found nothing!
I was wondering how can i close it, then i chose to restart the
computer hoping it won't start, but it did.
My only way to get rid of it was to activate the proactive defence of
kaspersky, which warned me when this process is trying to launch, and i
clicked terminate, and then could delete it.
So did anybody see anything like that before?
Re: Anybody ran into a process which doesn't appear in task manager?
on 05.12.2006 21:24:33 by unknown
Post removed (X-No-Archive: yes)
Re: Anybody ran into a process which doesn't appear in task manager?
on 05.12.2006 23:37:26 by yamen.k
Sebastian Gottschalk wrote:
> Nipi wrote:
>
> > I got infected with a malicious executable, "GXHO.exe".
> > My anti virus didn't say anything about it, then this happened:
> > First my anti spyware warned me that it's being put with the start up,
> > so i rejected, and opened task manager to close it and didn't find it,
> > so i assumed it's not running. I went to its folder to delete it, but
> > it wouldn't delete because it's in use. A while passed and my firewall
> > asked me whether i allow SMTP access to GXHO.exe, of course i said no,
> > and checked the task manager again, found nothing!
> > I was wondering how can i close it, then i chose to restart the
> > computer hoping it won't start, but it did.
> > My only way to get rid of it was to activate the proactive defence of
> > kaspersky, which warned me when this process is trying to launch, and i
> > clicked terminate, and then could delete it.
> > So did anybody see anything like that before?
>
> Yes, user stupidity like running with administrator rights and not
> understanding how to properly clean a compromised system is seen quite
> often.
Ok, running with administrator rights is stupid, but you know XP doesn't
offer much choice, you can't do anything as a Limited user, and anyway
this program was hidden in an installer, which means in all cases i
needed administrator rights to run an installer.
As to how to properly clean a compromised system, well instead of just
telling me that i'm wrong why don't you say why, and what's right?
Re: Anybody ran into a process which doesn't appear in task manager?
on 06.12.2006 01:06:52 by unknown
Post removed (X-No-Archive: yes)
Re: Anybody ran into a process which doesn't appear in task manager?
on 08.12.2006 00:01:00 by BY
Sebastian Gottschalk wrote:
> You should already know: flatten and rebuild. Or restore from a known-safe
> backup. Or compare against a trustworthy install base (f.e. checksums of
> all files after installation). Most likely the first one will apply.
>
> Is it really too hard to understand that a compromised system isn't
> trustworthy any more and therefore has to be brought back into a
> well-defined state?
Actually, by the looks of it this user has been targeted by something
that runs at a service/driver level (and won't show up in taskmanager)
-or- is actively hiding itself from taskman. A rebuild isn't needed, at
all, and will just cause a lot of lost time. He's already found the
location of the file, and it being "in use" is easily avoided by
restarting in safe mode, and then killing the .exe file (make sure you
get every occurrence of the file). Going into the registry in safe mode
and doing a search on the file name will most likely turn up some hits
where it's started from, too. You might want to kill those entries as well.
It doesn't look like his system was at all compromised, it just has a
program that is being stealthy, running in startup.
I'm curious to know: which installer was this file hidden in?
Re: Anybody ran into a process which doesn't appear in task manager?
on 08.12.2006 00:06:18 by unknown
Post removed (X-No-Archive: yes)
Re: Anybody ran into a process which doesn't appear in task manager?
on 08.12.2006 00:49:06 by yamen.k
MC wrote:
> Sebastian Gottschalk wrote:
> > You should already know: flatten and rebuild. Or restore from a known-safe
> > backup. Or compare against a trustworthy install base (f.e. checksums of
> > all files after installation). Most likely the first one will apply.
> >
> > Is it really too hard to understand that a compromised system isn't
> > trustworthy any more and therefore has to be brought back into a
> > well-defined state?
>
> Actually, by the looks of it this user has been targeted by something
> that runs at a service/driver level (and won't show up in taskmanager)
> -or- is actively hiding itself from taskman. A rebuild isn't needed, at
> all, and will just cause a lot of lost time. He's already found the
> location of the file, and it being "in use" is easily avoided by
> restarting in safe mode, and then killing the .exe file (make sure you
> get every occurrence of the file). Going into the registry in safe mode
> and doing a search on the file name will most likely turn up some hits
> where it's started from, too. You might want to kill those entries as well.
> It doesn't look like his system was at all compromised, it just has a
> program that is being stealthy, running in startup.
>
> I'm curious to know: which installer was this file hidden in?
The installer was an exe, which is supposed to extract kaspersky 6, and
in fact it did, but also installed the malware at the same time.
I honestly didn't trust it from the beginning because it wasn't a
normal self extractor (winrar didn't recognize it) not to mention that
i got it from file-sharing (yes illegal), but i took my chances because
there was no virus warning.
Re: Anybody ran into a process which doesn't appear in task manager?
on 08.12.2006 01:57:40 by BY
Sebastian Gottschalk wrote:
> So, and what about the rootkit hidden inside some modified system binaries?
> And the MBR and the bootloader? Dude, you really have no idea what "hiding"
> actually means.
I do. But you are jumping to conclusions you shouldn't draw. It was
already clear that this was a separate program, that it was extracted
from an installer and put in place to auto-load on windows startup.
Dude, don't talk about MBR/bootloader virii/malware when it obviously
isn't. Don't talk about embedded code in existing binaries when it's a
separate executable.
Re: Anybody ran into a process which doesn't appear in task manager?
on 08.12.2006 02:06:42 by BY
Nipi wrote:
> The installer was an exe, which is supposed to extract kaspersky 6, and
> in fact it did, but also installed the malware at the same time.
> I honestly didn't trust it from the beginning because it wasn't a
> normal self extractor (winrar didn't recognize it) not to mention that
> i got it from file-sharing (yes illegal), but i took my chances because
> there was no virus warning.
Well, that wasn't very smart... Why would you want to risk this kind of
problem when there are free AV-suites available that are just as good as
commercial ones?
Quite often you won't get a virus warning on installers that were built
with the purpose of dropping malware, especially not when a lot of
malware/adware isn't even classified as a virus in the first place (and
won't be part of the virus database). Why is that? Because those files
are normally compressed in the data part of the installer, don't give
the installer executable that is scanned a signature that they would
recognise as a virus, and won't get flagged by most AV suites when just
extracted to disk.
Of course, too, whoever made this installer made sure that the malware
supplied with it is one that the kaspersky suite doesn't recognise as
dangerous ;)
Re: Anybody ran into a process which doesn't appear in task manager?
on 08.12.2006 03:40:33 by unknown
Post removed (X-No-Archive: yes)
Re: Anybody ran into a process which doesn't appear in task manager?
on 08.12.2006 11:06:52 by yamen.k
MC wrote:
>
> Of course, too, whoever made this installer made sure that the malware
> supplied with it is one that the kaspersky suite doesn't recognise as
> dangerous ;)
But you can also think that a person would say, this guy wants to
install kaspersky, it means he doesn't have it :), and when he does, it
would be already too late, because the file was trying to SMTP one
server, so maybe he wanted to send every personal information that I
have once and for all, before kaspersky installs. But of course we all
know that this is not true now, because kaspersky didn't detect it.
Re: Anybody ran into a process which doesn't appear in task manager?
on 08.12.2006 19:57:05 by shaun91574
ok yes, this "gxho.exe" was in a torrent
Kaspersky FULL 6.0.1.411 Including Final keys [5-dec-2006]
don't want to hear anything about p2p -- ok, buying it is the best
just help on this app - people always have their options, not true tech
help
only 4 listings in Google, one is this one
my Zone alarm saw it accessing the net like nipi said
i did not check taskmgr before killing, took nipi's word for that -- just
wanted to kill
the process is running as a process
can be seen and killed with Process Explorer
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx
will report today on where it is found and where to del it all
brb shaun
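As an added illustration of the triage BY and shaun describe above (look for the file name in the process list, the registry autostart entries and the services, and cross-check more than one process view rather than trusting Task Manager alone), here is a PowerShell script that is not part of the thread and was not written by any poster. It assumes the standard Run/RunOnce keys, the Win32_Process and Win32_Service CIM classes and the per-user and all-users Startup folders; the image name GXHO.exe is taken from the thread as the default parameter, and everything else is the example's own choice.

```powershell
# Added example (not from the thread): cross-check one executable name against
# several process views and the common autostart locations. Triage only; it
# changes nothing on the system.
param(
    [string]$ImageName = "GXHO.exe"   # file name from the thread; change as needed
)

$hits = @()
$pattern = [regex]::Escape($ImageName)

# 1. Two independent user-mode process views. Task Manager, Get-Process and
#    WMI/CIM walk different paths to the same kernel data; a program that is
#    merely absent from one view often appears in another, while one hidden
#    from all of them points at the kernel-level case BY mentions.
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ((Split-Path $_.Path -Leaf) -ieq $ImageName) } |
    ForEach-Object {
        $hits += [pscustomobject]@{ Source = "Get-Process"; Detail = "PID $($_.Id) $($_.Path)" }
    }
Get-CimInstance Win32_Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ieq $ImageName } |
    ForEach-Object {
        $hits += [pscustomobject]@{ Source = "Win32_Process"; Detail = "PID $($_.ProcessId) $($_.ExecutablePath) cmd=$($_.CommandLine)" }
    }

# 2. Registry autostart keys: the "search the registry for the file name" step.
$runKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip the PSPath/PSParentPath/... bookkeeping properties the provider adds.
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
        if ("$($prop.Value)" -imatch $pattern) {
            $hits += [pscustomobject]@{ Source = $key; Detail = "$($prop.Name) = $($prop.Value)" }
        }
    }
}

# 3. Services whose image path references the file (the service/driver case).
Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
    Where-Object { $_.PathName -imatch $pattern } |
    ForEach-Object {
        $hits += [pscustomobject]@{ Source = "Win32_Service"; Detail = "$($_.Name) state=$($_.State) path=$($_.PathName)" }
    }

# 4. Startup folders (per-user and all-users).
foreach ($dir in @([Environment]::GetFolderPath("Startup"), [Environment]::GetFolderPath("CommonStartup"))) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | Where-Object { $_.Name -ieq $ImageName } | ForEach-Object {
        $hits += [pscustomobject]@{ Source = "StartupFolder"; Detail = $_.FullName }
    }
}

if ($hits.Count -eq 0) {
    "No reference to $ImageName in process views, Run keys, services or startup folders."
} else {
    $hits | Format-Table -AutoSize
}
```

Run it from an elevated prompt, ideally after booting to safe mode as BY suggests, so the autostart entries are visible but the program itself is less likely to be loaded. An empty result is evidence, not proof: a kernel-mode hook can filter every user-mode listing, including these, and that is exactly the boundary at which BY's "just a stealthy startup program" reading and Sebastian's "compromised, so rebuild" reading part ways. Comparing this output against Process Explorer's view, as shaun did, or against an offline scan of the disk, is how you decide which side of that boundary a given case is on.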
Re: Anybody ran into a process which doesn't appear in task manager?
on 08.12.2006 21:03:21 by unknown
Post removed (X-No-Archive: yes)
Re: Anybody ran into a process which doesn't appear in task manager?
on 09.12.2006 19:08:26 by BY
Sebastian Gottschalk wrote:
> Bullshit. The system was compromised, thus you have to flatten and rebuild.
I'd like to see you flatten and rebuild every time you find a program
that you don't know exactly what it does ;-)
It's an end-user system, not a mission critical server with highest
level confidential data on it. I think you're being too rigorous in your
advice. You want this level of security on your own system? well go
ahead, but that means you can't use it for relaxation purposes and have
to use it for work only, with authorized and verified applications only
(meaning also go through every open source program's source code to
check for anything you might not want and then build it)
Once again, there is _no need_ to rebuild or re-install if you can
confirm that whatever caused the problem has been removed, and don't run
the installer again *chuckles*
Re: Anybody ran into a process which doesn't appear in task manager?
on 09.12.2006 20:09:05 by unknown
Post removed (X-No-Archive: yes)