Should I be alarmed?

koperton

Primus registratum
Should I be alarmed?

Every time I open IE, this process: C:\WINNT\system32\svchost -k rpcss "Generic Host Process for Win32 Services" starts C:\WINNT\system32\mdm.exe -Embedding "Machine Debug Manager".

If I kill mdm.exe, IE still runs fine. When I scan it, it is not a virus.
Is this an anomaly???


COM3 = free

Code:
Process: svchost.exe Pid: 372
 
Handle Type             Access       Name
0x40   Directory        0x0002000F   \BaseNamedObjects
0x250  Section          0x00000004   \BaseNamedObjects\__R_0000000000d9_SMem__
0x2E0  Event            0x001F0003   \BaseNamedObjects\crypt32LogoffEvent
0x124  Mutant           0x001F0001   \BaseNamedObjects\RasPbFile
0x1B0  Section          0x000F0007   \BaseNamedObjects\RotHintTable
0x1B8  Event            0x001F0003   \BaseNamedObjects\ScmCreatedEvent
0x74   Event            0x001F0003   \BaseNamedObjects\userenv:  User Profile setup event
0x38   Desktop          0x000F00CF   Default
0xCC   File             0x001F01FF   \Device\Afd\Endpoint
0xD4   File             0x001F01FF   \Device\Afd\Endpoint
0x190  File             0x001F01FF   \Device\Afd\Endpoint
0x198  File             0x001F01FF   \Device\Afd\Endpoint
0x148  File             0x001200A0   \Device\Ip
0x14C  File             0x00100003   \Device\Ip
0x150  File             0x00100081   \Device\Ip
0x164  File             0x00100001   \Device\KsecDD
0x44   File             0x0012019F   \Device\NamedPipe\net\NtControlPipe2
0x68   File             0x0012019F   \Device\NamedPipe\svcctl
0x180  File             0x00160089   \Device\NamedPipe\Winsock2\CatalogChangeListener-174-0
0xD0   File             0x001F01FF   \Device\Tcp
0x140  File             0x001F01FF   \Device\Tcp
0x144  File             0x001F01FF   \Device\Tcp
0x2E4  File             0x001F01FF   \Device\Tcp
0x1B4  File             0x00100000   \Dfs
0x14   Directory        0x00000003   \KnownDlls
0xA0   Port             0x001F0001   \RPC Control\epmapper
0x20   Directory        0x000F000F   \Windows
0x34   WindowStation    0x000F016E   \Windows\WindowStations\Service-0x0-3e7$
0x3C   WindowStation    0x000F016E   \Windows\WindowStations\Service-0x0-3e7$
0x1D0  Token            0x0000000C   VARLEY\Administrator
0x294  Token            0x000F01FF   VARLEY\Administrator
0x2A0  Token            0x0000000C   VARLEY\Administrator
0x3B4  Token            0x0000000C   VARLEY\Administrator
0x18   File             0x00100020   C:\WINNT\system32
0x70   Key              0x000F003F   HKCR
0x1DC  Key              0x000F003F   HKCR
0x1E0  Key              0x000F003F   HKCR
0x1F8  Key              0x000F003F   HKCR
0x220  Key              0x000F003F   HKCR
0x394  Key              0x00020019   HKCR
0x3A8  Key              0x00020019   HKCR
0x3D4  Key              0x00020019   HKCR
0x1A0  Key              0x000F003F   HKCR\AppID
0x19C  Key              0x00020019   HKCR\CLSID
0x218  Key              0x000F003F   HKCR\CLSID
0x248  Key              0x000F003F   HKCR\CLSID
0x28   Key              0x000F003F   HKLM
0x1E8  Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0x200  Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0x210  Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0x228  Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0x238  Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0x240  Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0x9C   Key              0x00020019   HKLM\SOFTWARE\MICROSOFT\OLE
0x184  Key              0x00020019   HKLM\SOFTWARE\MICROSOFT\Rpc\NetBIOS
0x170  Key              0x00020019   HKLM\SOFTWARE\MICROSOFT\Tracing\RASADHLP
0x11C  Key              0x00020019   HKLM\SOFTWARE\MICROSOFT\Tracing\RASAPI32
0xB4   Key              0x00000001   HKLM\SYSTEM\ControlSet001\Services\DnsCache\Parameters
0x160  Key              0x00020019   HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters
0x15C  Key              0x00020019   HKLM\SYSTEM\ControlSet001\Services\NetBT\Parameters\Interfaces
0x154  Key              0x00020019   HKLM\SYSTEM\ControlSet001\Services\Tcpip\Linkage
0x158  Key              0x00020019   HKLM\SYSTEM\ControlSet001\Services\Tcpip\Parameters
0xC4   Key              0x000F003F   HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
0xBC   Key              0x000F003F   HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
0x1F0  Key              0x00000010   HKU
0x208  Key              0x00000010   HKU
0x230  Key              0x00000010   HKU
0x39C  Key              0x000F003F   HKU
0xF8   Key              0x000F003F   HKU\.DEFAULT
0x3A0  Process          0x001F0FFF   MDM.EXE(536)
0x1D4  Token            0x000F01FF   NT AUTHORITY\SYSTEM
0x298  Thread           0x001F03FF   svchost.exe(372): 328
0x370  Thread           0x001F03FF   svchost.exe(372): 328
0x60   Thread           0x001F03FF   svchost.exe(372): 360
0x7C   Thread           0x001F03FF   svchost.exe(372): 376
0xB0   Thread           0x001F03FF   svchost.exe(372): 376
0x17C  Thread           0x001F03FF   svchost.exe(372): 392
0x188  Thread           0x001F03FF   svchost.exe(372): 392
0x1D8  Thread           0x001F03FF   svchost.exe(372): 624
0x358  Thread           0x001F03FF   svchost.exe(372): 624
0x274  Thread           0x001F03FF   svchost.exe(372): 828
0x29C  Thread           0x001F03FF   svchost.exe(372): 832
0x340  Thread           0x001F03FF   svchost.exe(372): 832
0x3C8  Thread           0x001F03FF   svchost.exe(372): 836
0x2C8  Thread           0x001F03FF   svchost.exe(372): 996
and
Code:
Process: MDM.EXE Pid: 536
 
Handle Type             Access       Name
0x14   Directory        0x00000003   \KnownDlls
0x18   File             0x00100020   C:\WINNT\system32
0x20   Directory        0x000F000F   \Windows
0x30   WindowStation    0x000F037F   \Windows\WindowStations\WinSta0
0x34   Desktop          0x000F01FF   Default
0x38   WindowStation    0x000F037F   \Windows\WindowStations\WinSta0
0x3C   Key              0x000F003F   HKLM
0x40   Directory        0x0002000F   \BaseNamedObjects
0x54   Key              0x00000001   HKLM\SYSTEM\ControlSet001\Services\DnsCache\Parameters
0x58   Key              0x000F003F   HKCR\AppID
0x5C   Key              0x000F003F   HKCU
0x60   File             0x00100001   \Device\KsecDD
0x74   Thread           0x001F03FF   MDM.EXE(536): 1000
0x80   Port             0x001F0001   \RPC Control\OLE10
0x8C   Thread           0x001F03FF   MDM.EXE(536): 884
0x9C   Key              0x000F003F   HKCU
0xA0   Key              0x000F003F   HKCR
0xA8   Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0xB0   Key              0x00000010   HKU
0xB8   Key              0x000F003F   HKCR
0xC0   Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0xC8   Key              0x00000010   HKU
0xD0   Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0xD8   Key              0x000F003F   HKCR\CLSID
0xE0   Key              0x000F003F   HKCR
0xE8   Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0xF0   Key              0x00000010   HKU
0xF8   Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0x100  Key              0x000F003F   HKLM\SOFTWARE\MICROSOFT\COM3
0x108  Key              0x000F003F   HKCR\CLSID
0x110  Section          0x00000004   \BaseNamedObjects\__R_0000000000d9_SMem__
0x118  Key              0x00020019   HKCU
0x11C  Key              0x00020019   HKCU
0x120  Thread           0x001F03FF   MDM.EXE(536): 768
0x12C  Key              0x00020019   HKCU
0x134  Key              0x000F003F   HKCU
0x138  Key              0x00020019   HKCU
0x13C  Thread           0x001F03FF   MDM.EXE(536): 792
0x144  Event            0x001F0003   \BaseNamedObjects\DeathDetectorSync
0x14C  Key              0x00020019   HKCU
0x154  Token            0x0000000C   VARLEY\Administrator
0x174  Process          0x00100000   IEXPLORE.EXE(900)
0x178  Key              0x000F003F   HKU
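
The two dumps above are the kind of output the Sysinternals Handle tool produces, and the interesting lines in them are the cross-process ones: the rpcss svchost.exe(372) holds a Process handle with access 0x001F0FFF (PROCESS_ALL_ACCESS) on MDM.EXE(536), the process it started with -Embedding, and MDM.EXE(536) holds a Process handle with only SYNCHRONIZE (0x00100000) on IEXPLORE.EXE(900). The script below is an added example, not code from the thread: it parses a dump in this layout and pulls those relationships out, decoding the PROCESS_* rights from the access mask. The sample dump embedded in it is a constructed excerpt of the two listings (with the backslashes the forum stripped put back), not the full dump; the column layout and the `Process: <name> Pid: <n>` header are assumptions about the tool's format taken from the post.

```python
"""Added example: parse a Sysinternals Handle-style dump and flag the
cross-process handles that show who launched whom and with what rights.

Assumes the four-column layout seen in the post (Handle, Type, Access,
Name) and a 'Process: <name> Pid: <n>' header before each process."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the two dumps in the post; not the
# complete listing.  Backslashes are doubled because this is a Python string.
SAMPLE = """\
Process: svchost.exe Pid: 372

Handle Type             Access       Name
0x1D0  Token            0x0000000C   VARLEY\\Administrator
0x3A0  Process          0x001F0FFF   MDM.EXE(536)
0x1D4  Token            0x000F01FF   NT AUTHORITY\\SYSTEM
0x298  Thread           0x001F03FF   svchost.exe(372): 328
0xA0   Port             0x001F0001   \\RPC Control\\epmapper

Process: MDM.EXE Pid: 536

Handle Type             Access       Name
0x154  Token            0x0000000C   VARLEY\\Administrator
0x174  Process          0x00100000   IEXPLORE.EXE(900)
0x74   Thread           0x001F03FF   MDM.EXE(536): 1000
"""

# PROCESS_* access rights as defined in winnt.h.
PROCESS_RIGHTS = {
    0x0001: "TERMINATE",
    0x0002: "CREATE_THREAD",
    0x0008: "VM_OPERATION",
    0x0010: "VM_READ",
    0x0020: "VM_WRITE",
    0x0040: "DUP_HANDLE",
    0x0080: "CREATE_PROCESS",
    0x0100: "SET_QUOTA",
    0x0200: "SET_INFORMATION",
    0x0400: "QUERY_INFORMATION",
    0x0800: "SUSPEND_RESUME",
    0x00100000: "SYNCHRONIZE",
}
# STANDARD_RIGHTS_REQUIRED (0xF0000) | SYNCHRONIZE | 0xFFF, the Windows 2000 value.
PROCESS_ALL_ACCESS = 0x001F0FFF

HEADER_RE = re.compile(r"^Process:\s+(\S+)\s+Pid:\s+(\d+)")
HANDLE_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\S+)\s+(0x[0-9A-Fa-f]+)\s+(.*?)\s*$")
TARGET_RE = re.compile(r"^(.+?)\((\d+)\)$")  # e.g. MDM.EXE(536)


def parse_handle_dump(text):
    """Return {(process_name, pid): [(handle, type, access_mask, name), ...]}."""
    procs = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m.group(1), int(m.group(2)))
            continue
        m = HANDLE_RE.match(line)  # the column header has no 0x prefix, so it is skipped
        if m and current is not None:
            handle, htype, access, name = m.groups()
            procs[current].append((int(handle, 16), htype, int(access, 16), name))
    return dict(procs)


def decode_process_rights(mask):
    """Names of the PROCESS_* rights set in an access mask, in header order."""
    return [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]


def cross_process_handles(procs):
    """Process handles one process holds on another, with the rights decoded.

    Full access from a launcher to the server it started is what a DCOM
    -Embedding activation looks like; full access from an unrelated process
    is what injection looks like.  The list lets you tell the two apart."""
    findings = []
    for (pname, pid), handles in procs.items():
        for _handle, htype, access, name in handles:
            if htype != "Process":
                continue
            m = TARGET_RE.match(name)
            if not m or int(m.group(2)) == pid:
                continue  # handles to itself are not interesting
            findings.append({
                "holder": f"{pname}({pid})",
                "target": name,
                "all_access": access == PROCESS_ALL_ACCESS,
                "rights": decode_process_rights(access),
            })
    return findings


def token_principals(procs):
    """Processes holding Token handles for more than one principal.

    A service holding an interactive user's token can be normal (a server
    launched on that user's behalf), but it is also what token theft looks
    like, so it is worth listing whenever a dump looks odd."""
    out = {}
    for (pname, pid), handles in procs.items():
        principals = sorted({name for _, t, _, name in handles if t == "Token"})
        if len(principals) > 1:
            out[f"{pname}({pid})"] = principals
    return out


if __name__ == "__main__":
    parsed = parse_handle_dump(SAMPLE)
    for f in cross_process_handles(parsed):
        print(f["holder"], "->", f["target"], ",".join(f["rights"]))
    print(token_principals(parsed))
```

Run against the full dumps in the post, the script reports the svchost.exe(372) -> MDM.EXE(536) handle with every PROCESS_* right set and the MDM.EXE(536) -> IEXPLORE.EXE(900) handle with SYNCHRONIZE only, which is consistent with the Machine Debug Manager being launched for IE and waiting on it rather than tampering with it.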
 

Admirali

Primus registratum
Re: Should I be alarmed?

MDM.exe shows up as active for me too, but I haven't had any problem; what I do know is that when I enable the firewall I have, svchost.exe asks to transmit to the internet, whereas MDM.exe shows no sign of any illegal transmission.

And another thing: see this link, it helps you block messenger.exe (don't confuse it with IM Messenger): http://grc.com/stm/ShootTheMessenger.htm
 

koperton

Primus registratum
Re: Should I be alarmed?

Messenger Service has been disabled since the day I installed Windows. I don't use IM Messenger, AOL Messenger or MSN Messenger.
I will try to rename mdm.exe and trace tonight what causes it. I have been without sleep the whole night and am not willing to take the risk of standing in front of a screen today.
 

ludwig

Primus registratum
Re: Should I be alarmed?

kopperton, I had a question.
How did you get the code of svchost.exe?
 

koperton

Primus registratum
Re: Should I be alarmed?

Thank you for the links. As it turns out, in my IE -> Tools -> Internet Options -> Advanced tab, <<Disable Script Debugging>> was not checked.

That was bringing the mdm.exe process up. I checked it and mdm.exe was no longer running for every instance of IE. Finally I removed the check-mark. It is only a few megs occupied by mdm.exe.

Again thanks for links.
 

koperton

Primus registratum
Re: Should I be alarmed?

Originally posted by ludwig:
[qb] kopperton, I had a question.
How did you get the code of svchost.exe? [/qb]
It is not code for svchost.exe. If you want the code, the only feasible way I know is to disassemble it using debug.exe or some other tool. C/C++, I believe, does not exist; Microsoft built it in assembly.

What you see is the process tree for svchost.exe.
What it uses as winsock, how, the registry keys in use by the process, <<et cetera>>.

That is not code at all.
 

ludwig

Primus registratum
Re: Should I be alarmed?

I didn't mean the source code; there are plenty of programs that give you that in asm.

What I wanted to know is exactly how you got that 'process tree'?
 