-
June 24th, 2006, 05:39 PM
#11
Junior Member
I used the AntiVir software scanner and here are some warnings it found. No viruses. Keep in mind this is after I did a clean install of Windows a few weeks ago. What do these warnings mean?
C:\WINDOWS\system32\CatRoot2\edb.log
[WARNING] The file could not be opened!
C:\WINDOWS\system32\CatRoot2\tmp.edb
[WARNING] The file could not be opened!
C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
[WARNING] The file could not be opened!
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\default.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SAM.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\SECURITY.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\software.LOG
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system
[WARNING] The file could not be opened!
C:\WINDOWS\system32\config\system.LOG
[WARNING] The file could not be opened!
-
June 24th, 2006, 05:53 PM
#12
Hi
These files are used by the system itself (they are actually in use), and thus cannot be opened by a simple scanner like AntiVir. I just went through the list and would say that all of these are legitimate. Furthermore, they are plain log/text/config files, thus not executed/loaded with a vulnerable engine (as was once the case with jpg files).

I don't think that scanning in safe mode would make any difference, but you could give it a try.

If you want to do some further investigation, I recommend this nifty tool filemon[1]: add a filter for, e.g., c:\windows\system32\config\software.log and try to open that file using notepad - you will see a sharing violation.
Cheers
[1] http://www.sysinternals.com/Utilities/Filemon.html
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
June 24th, 2006, 06:43 PM
#13
Yes, I agree with sec_ware's analysis.
The files are in use so AntiVir cannot scan them, that is why it is always better to run your scans in safe mode as much less is started automatically.
Please don't take this as a criticism of AntiVir, in fact you could argue it's a positive feature as you are warned what could not/has not been scanned, and you can make up your own mind and investigate further (as you have).
I have and have had a wide variety of AV products. Quite a few of them behave in the same way.
Others are programmed to ignore files that they cannot open, which is fine if they are meant to be running, but not so clever if they happen to be malware. That is a very good reason to run such AVs in safe mode!
Of course, you could always get a R/RW CD or DVD, make a boot disk and load your anti-malware products onto that. Then you would not be starting the PC's operating system and everything will get scanned.
Another point is that some AVs won't scan inside compressed files, or you need to alter their default settings to make them do it... it is worth checking that out. Also set the AV to do heuristic scanning and to scan all files.
-
June 28th, 2006, 02:55 AM
#14
Junior Member
Okay, thanks for the help. I still have some questions though. I reformatted my hard drive and reinstalled Windows. Will this get rid of any and all crap that is on my PC? If so, great. Too bad I deleted the infected file and will not be able to track it back! Oh well.
-
June 28th, 2006, 07:54 AM
#15
I reformatted my hard drive and reinstalled windows. will this get rid of any and all crap that is on my pc?
That should do it (given it was a full format, not a quick format).
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
June 28th, 2006, 08:45 AM
#16
Hi sherlock
I reformatted my hard drive and reinstalled windows. will this get rid of any and all crap that is on my pc?
As I am sure you are aware there are a variety of software products that will recover a system from a reformat, so the stuff is still there. Reinstalling Windows, your applications and data will probably overwrite this, even more so if you do a defragmentation afterwards.
You need to be a bit careful with your data files, as you might just reinstall the malware. I would be inclined to update all my scanners and scan the media you have saved it onto before reinstalling.
Otherwise, if you are talking about malicious files or infected files, you should be OK.
You might like to consider renaming the nasties, e.g. from XYZ.exe to XYZ.vir, and saving them on separate media... so long as you don't have an application that will execute a .vir extension, you will be free to torture the little beast at your leisure. Obviously you open it in a programmer's text editor or notepad/wordpad (not Word!!!!)
PS. Remember to defrag
-
July 22nd, 2006, 11:44 PM
#17
Junior Member
Sec-Ware,
I got filemon and followed your instructions. I tried opening c:\windows\system32\config\software.log in notepad and it said it was unable to because the file was being used elsewhere. Also, next to the file name, it said "sharing." So what does this mean?
-
July 23rd, 2006, 01:19 PM
#18
Hi
Glad that you want to understand the issue in more detail. I would like to cover two aspects: some information about the files in question, and NT file locking aspects.

Files in c:\windows\system32\config and Process Explorer

Mark R. from sysinternals has written a lot of interesting articles; one in particular describes the working of the registry[1]. There you see that most of the files mentioned in your post are registry hives and their supporting files. Those files are already opened by the system and "locked". By using sysinternals' Process Explorer[2], you can look for "software.log" (Find > Find Handle or DLL), and you will see that the System process with PID 4 has the only handle to this file. With Advapi32.dll[3], programmers are then able to edit the registry.

NT file locking ("sharing violation")

Therefore, the registry (and thus those files in question) can be modified programmatically, but still, the files themselves are not readable/editable by notepad, wordpad, word, ... Why is that? Actually, filemon tells you it is a sharing violation[4]. This is due to the Windows file system and the way I/O processes are handled[5]. When creating/opening files[6], a flag (a "lock") is set in a particular way - e.g. a program opens a file in an exclusive state, i.e. no other programs can open this file again. A useful overview of the allowed modes is given here[6]:

"File locking is an extremely important issue in any system with multiple processes. Windows can lock files, in whole or in part, so that no other process can access the locked file region. File locks can be read-only (shared) or read-write (exclusive)."[7]
Cheers
[1] http://www.microsoft.com/technet/arc....mspx?mfr=true
[2] http://www.sysinternals.com/Utilitie...sExplorer.html
[3] http://msdn.microsoft.com/library/de..._functions.asp
[4] http://www.techweb.com/encyclopedia/...ring+Violation
[5] http://support.microsoft.com/kb/316609/en-us
[6] http://windowssdk.msdn.microsoft.com.../ms685006.aspx
[7] Windows System Programming, Third Edition (ISBN: 0-321-25619-0)
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
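An added example, not code from the thread or its participants, that reproduces the sharing violation sec_ware describes and classifies what a scanner's "could not be opened" warning actually was. It uses the .NET FileShare flags from PowerShell (assumed available on the machine); they map onto CreateFile's dwShareMode, and the function names are my own.

```powershell
# Added example, not from the thread: reproduce the "sharing violation" a scanner hits on
# locked files, using .NET FileShare flags (they map onto CreateFile's dwShareMode).
# Win32 error 32 = ERROR_SHARING_VIOLATION, 5 = ERROR_ACCESS_DENIED (low 16 bits of HResult).

function Test-OpenShared {
    # Open read-only while tolerating other readers/writers, i.e. the politest request possible.
    param([string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
        $fs.Dispose()
        return 'opened'
    } catch [System.UnauthorizedAccessException] {
        return 'access denied'            # an ACL problem, not a lock: retry from an elevated shell
    } catch [System.IO.IOException] {
        $code = $_.Exception.HResult -band 0xFFFF
        if ($code -eq 32) { return 'sharing violation' }   # another handle holds ShareMode 0
        return "io error $code"
    }
}

function Show-ShareMode {
    # Both outcomes on a throwaway file (constructed input, not a registry hive).
    $tmp = Join-Path $env:TEMP 'sharemode-demo.txt'
    Set-Content -Path $tmp -Value 'demo'
    # 1. Exclusive open, like the hive files: FileShare.None == dwShareMode 0,
    #    so the read request in Test-OpenShared is refused by the kernel.
    $lock = [System.IO.File]::Open($tmp, 'Open', 'ReadWrite', 'None')
    $exclusive = Test-OpenShared $tmp
    $lock.Dispose()
    # 2. A writer that permits readers: a scanner can read alongside it.
    $lock = [System.IO.File]::Open($tmp, 'Open', 'ReadWrite', 'Read')
    $shared = Test-OpenShared $tmp
    $lock.Dispose()
    Remove-Item $tmp
    [pscustomobject]@{ Exclusive = $exclusive; SharedRead = $shared }
}

# Classify each path a scanner reported as "could not be opened".
function Get-LockReason {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        [pscustomobject]@{ Path = $p; Result = (Test-OpenShared $p) }
    }
}

Show-ShareMode
Get-LockReason 'C:\WINDOWS\system32\config\software.LOG', 'C:\WINDOWS\system32\config\SAM'
```

From a non-elevated prompt the config directory may come back as 'access denied' because of its ACL rather than a lock; an elevated prompt shows the sharing violation the thread discusses.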