Sysinternals Forums

Sysinternals Forums http://forum.sysinternals.com/ This is an XML content feed of; Sysinternals Forums : Last 10 Posts Sat, 07 Nov 2009 12:19:28 +0000 Sat, 07 Nov 2009 11:00:27 +0000 http://blogs.law.harvard.edu/tech/rss Web Wiz Forums 9.54 30 forum.sysinternals.com/RSS_topic_feed.asp Sysinternals Forums http://forum.sysinternals.com/forum_images/images_hero_windows_sysinternals.jpg http://forum.sysinternals.com/ Internals : Device Driver Listing http://forum.sysinternals.com/forum_posts.asp?TID=21009&PID=111242#111242 Author: Meriadoc
Subject: Device Driver Listing
Posted: 07 November 2009 at 11:00am

MaybeDriverView

The only way to confirm it for yourself would be to run Windbg or something like blue screen view.

Edited by Meriadoc - Today at 11:35am]]> Sat, 07 Nov 2009 11:00:27 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21009&PID=111242#111242 Malware : Analyzing memory dump for malware http://forum.sysinternals.com/forum_posts.asp?TID=21013&PID=111241#111241 Author: PROROOTECT
Subject: Analyzing memory dump for malware
Posted: 07 November 2009 at 9:05am

Hi Bomb123,

Try free tool from Mandiant, called Memoryze: http://www.mandiant.com/software/freesoftware.htm

... also MBAM, a-squared ...

]]> Sat, 07 Nov 2009 09:05:43 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21013&PID=111241#111241 Malware : Analyzing memory dump for malware http://forum.sysinternals.com/forum_posts.asp?TID=21013&PID=111240#111240 Author: Bomb123
Subject: Analyzing memory dump for malware
Posted: 07 November 2009 at 8:15am

Hello. Is there any tool that would search some malicious code from a memory dump file. I have this memory dump of explorer.exe and it size is 61.6 mb, so how could i find some tool that would tell me if there something malicious in it. All av says that it's clean. Thanks.

Edited by Bomb123 - Today at 8:15am]]> Sat, 07 Nov 2009 08:15:22 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21013&PID=111240#111240 RootkitRevealer Logs : my Gmer log http://forum.sysinternals.com/forum_posts.asp?TID=21012&PID=111239#111239 Author: bug_hunt
Subject: my Gmer log
Posted: 07 November 2009 at 6:22am

Using Gmer, my RKR gives so much unwanted data like it filles pages,tht is even after
uninstalling most programs and doing a full disk cleanup.get lots of readings from
application data,i formated my system recently.

My details
asus eee
windows vista premium

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-04 12:06:02
Windows 6.0.6000
Running: boor187g.exe; Driver: C:\Users\droid\AppData\Local\Temp\pgroapod.sys

---- System - GMER 1.0.15 ----

INT 0x62 ?                                                                                                99FBE550
INT 0x71 ?                                                                                                99FC5A50
INT 0x72 ?                                                                                                99FBEA50
INT 0x81 ?                                                                                                99FC5CD0
INT 0xB2 ?                                                                                                99FBECD0

---- Devices - GMER 1.0.15 ----

Device    \Driver\BTHUSB \Device\0000005b                                                                  bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device    \Driver\BTHUSB \Device\0000005d                                                                  bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg       HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015aff97688
Reg       HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015aff97688 (not active ControlSet)

---- EOF - GMER 1.0.15 ----

]]> Sat, 07 Nov 2009 06:22:28 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21012&PID=111239#111239 Filemon : Security Event Logs being cleared by User=SYSTEM http://forum.sysinternals.com/forum_posts.asp?TID=21011&PID=111238#111238 Author: acuster
Subject: Security Event Logs being cleared by User=SYSTEM
Posted: 07 November 2009 at 2:35am

OK, I am dumbfounded on this one.  
Our Security event logs are being cleared.  This is a serious violation of out ITRM policy for obvious reasons.  The event log states USER=system.  Clearing always occurs  at the top of the hour.  This behavior is indicative of a script or EXE.  All the obvious have been checked; GPO and scheduled tasks.  We have checked the other logs, and nothing occurs around the same time. The SA team is thinking it is an application proc doing this, but I need definitive proof of the root cause.
Is there any other logs, or auditing that will show what proc, running under the system context, is clearing the security log?  Or does anyone know of a free app that has more granular auditing. 
I am hoping this community can help me before I open a case with MSThanks In AdvanceAaron
Aaron

]]> Sat, 07 Nov 2009 02:35:56 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21011&PID=111238#111238 Autoruns : no icons in list http://forum.sysinternals.com/forum_posts.asp?TID=21010&PID=111237#111237 Author: molotov
Subject: no icons in list
Posted: 07 November 2009 at 1:29am

Excellent - good to hear!]]> Sat, 07 Nov 2009 01:29:21 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21010&PID=111237#111237 Autoruns : no icons in list http://forum.sysinternals.com/forum_posts.asp?TID=21010&PID=111236#111236 Author: mcatis
Subject: no icons in list
Posted: 07 November 2009 at 1:26am

Oh my God!! Simply solution!! Thanks, It works!]]> Sat, 07 Nov 2009 01:26:24 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21010&PID=111236#111236 Autoruns : no icons in list http://forum.sysinternals.com/forum_posts.asp?TID=21010&PID=111235#111235 Author: molotov
Subject: no icons in list
Posted: 07 November 2009 at 1:24am

Hi mcatis,

Consider exiting Autoruns, renaming/removing [HKEY_CURRENT_USER\Software\Sysinternals\AutoRuns], and then starting Autoruns again. Does that help?

]]> Sat, 07 Nov 2009 01:24:19 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21010&PID=111235#111235 Autoruns : no icons in list http://forum.sysinternals.com/forum_posts.asp?TID=21010&PID=111234#111234 Author: mcatis
Subject: no icons in list
Posted: 07 November 2009 at 12:57am

I don't see the little icons in the left of the list in all sections of Autoruns.

The images are only an example to explain better my problem. Solutions? I have win7 64bit. Little problem but very strange.

Edited by mcatis - Today at 1:13am]]> Sat, 07 Nov 2009 00:57:19 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=21010&PID=111234#111234 Miscellaneous Utilities : Procdump Hung Window Functionality http://forum.sysinternals.com/forum_posts.asp?TID=20790&PID=111233#111233 Author: MrMoo
Subject: Procdump Hung Window Functionality
Posted: 07 November 2009 at 12:54am

Same here. I'm trying to use procdump, but it's a royal pain as hung window detection appears to be enabled all the time. I'm just trying a basic:

procdump -e 1234

This is on 32-bit XP SP3. I have to use an ugly workaround like:

procdump -e -n 100 1234

]]> Sat, 07 Nov 2009 00:54:23 +0000 http://forum.sysinternals.com/forum_posts.asp?TID=20790&PID=111233#111233