Phantom Windows Programs


NegativeSpace

A few minutes ago I was shutting down one of my XP desktops, when I got a dialogue, have seen them 100 times, the one that tells you that there's a program that isn't responding and has to be closed to shut down Windows. This particular one was very strange, because the name of the program that the dialogue reported to be hanging Windows up from shutting down was named as simply the letter "H". I've never seen this one before. Does anyone know what this is? Where is it located, what does it do?


A few minutes ago I was shutting down one of my XP desktops, when I got a dialogue, have seen them 100 times, the one that tells you that there's a program that isn't responding and has to be closed to shut down Windows. This particular one was very strange, because the name of the program that the dialogue reported to be hanging Windows up from shutting down was named as simply the letter "H". I've never seen this one before. Does anyone know what this is? Where is it located, what does it do?

Sounds like rogue software. I wouldn't be surprised if it's malware of some sort, but to be safe, check all the usual suspects:

- all registry startup locations
- msconfig
- Windows Start Menu startup folder

Also, get a good virus and malware scanner, then scan your memory and running exe's/dll's. If something was inserted via DLL injection or is running in memory alone, that's the only place you will find it, and you won't see it on the HDD anywhere when scanning normal files, so be sure your scanner can do memory scans as well.

Last thing, or first thing you should check, is event logs. Right click My Computer and then select Manage. Open the Event Viewer. Any program that hangs on reboot should generate a system message (and/or an application error).
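The checklist in the reply above (Run/RunOnce keys, Winlogon, the Startup folders, and the hang events in the Application log) can be walked in one pass from a console. The script below is an added example and is not code from the thread or from any of the tools it mentions; it assumes Windows PowerShell 2.0 or later with read access to HKLM and the event log, and it flags any autostart entry whose command points at a missing file or at a Temp folder, since that is where the later reply in this thread reports an `H.exe`:

```powershell
# Added example, not from the thread: enumerate the autostart locations and the
# hang events the reply lists, so an entry named "H" can be traced to a file.
# Assumes Windows PowerShell 2.0+ with read access to HKLM and the Application log.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Winlogon values that name programs started at logon. Shell should be explorer.exe and
# Userinit should be userinit.exe; anything appended after a comma is an extra program.
$winlogonKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogonValues = 'Shell', 'Userinit'

# Pull the executable out of a command line such as "C:\dir\prog.exe" /flag
function Get-ExecutableFromCommand([string]$command) {
    $c = $command.Trim()
    $exe = $null
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { $exe = $c.Substring(1, $end - 1) }
    }
    if (-not $exe) { $exe = ($c -split ' ')[0] }
    # Expand %SystemRoot%-style variables so Test-Path can resolve the file
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -notmatch '\\') {
        # Bare names (e.g. Winlogon's "Explorer.exe") resolve from the Windows directory
        foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'system32'))) {
            $candidate = Join-Path $dir $exe
            if (Test-Path -LiteralPath $candidate) { return $candidate }
        }
    }
    return $exe
}

function New-AutostartEntry($location, $name, $command) {
    $exe    = Get-ExecutableFromCommand $command
    $exists = $false
    if ($exe) { $exists = Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue }
    # Flag anything that runs from a Temp folder or points at a file that is no longer there
    $suspicious = (-not $exists) -or ($exe -match '\\Temp\\')
    New-Object PSObject -Property @{
        Location   = $location
        Name       = $name
        Command    = $command
        FileExists = $exists
        Suspicious = $suspicious
    }
}

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath etc.
            New-AutostartEntry $key $p.Name ([string]$p.Value)
        }
    }
    if (Test-Path $winlogonKey) {
        $wl = Get-ItemProperty -Path $winlogonKey
        foreach ($v in $winlogonValues) {
            # Winlogon values are comma-separated lists; each item is its own program
            foreach ($item in ([string]$wl.$v -split ',')) {
                if ($item.Trim()) { New-AutostartEntry $winlogonKey $v $item.Trim() }
            }
        }
    }
    # Start Menu startup folders, per-user and all-users, resolved from the Shell Folders keys
    $folders = @(
        (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').Startup,
        (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').'Common Startup'
    )
    foreach ($f in $folders) {
        if ($f -and (Test-Path $f)) {
            Get-ChildItem -Path $f -Force | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
                New-AutostartEntry $f $_.Name $_.FullName
            }
        }
    }
}

# "Application Hang" (event ID 1002) is what Windows writes when a program will not exit,
# including the one the shutdown dialogue complains about
function Get-RecentHangEvents([int]$count = 20) {
    Get-EventLog -LogName Application -Source 'Application Hang' -Newest $count -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EventID, Message
}

Get-AutostartEntries | Sort-Object Suspicious -Descending |
    Format-Table Suspicious, Name, Command, Location -AutoSize
Get-RecentHangEvents | Format-List
```

The hang events are the quickest lead: the 1002 message names the hanging image, and that name can then be matched against the autostart list. A `Suspicious` hit is a prompt to look, not a verdict, since installers that leave stale Run entries behind trigger the missing-file check too.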


This is good advice. Some things there that I hadn't thought of. When I was changing services, I got another dialogue that I've never seen before: "An error was returned while attempting to change a service". Any idea what that could be? Can you recommend a malware scanner? I've not had much luck with them in the recent past. I fear that I have been relying on less than 'perfect' methods for network and internet security, and now I might be paying for it.


A few minutes ago I was shutting down one of my XP desktops, when I got a dialogue, have seen them 100 times, the one that tells you that there's a program that isn't responding and has to be closed to shut down Windows. This particular one was very strange, because the name of the program that the dialogue reported to be hanging Windows up from shutting down was named as simply the letter "H". I've never seen this one before. Does anyone know what this is? Where is it located, what does it do?

I may be the only one that can answer your question. First, a lot of you may start noticing a lot of stuff happening starting this month after a change in the worm on Feb 13. What was never told yet, and I can now tell only because the worm changed where a lot of the interceptions are unblocked: the main botnet and intent of the hacker is actually above boot in your motherboard, an undetectable backdoor. The Confickers were made detectable on purpose to take blame. The popups you're getting are actually the hacker sending commands using cookies to get in your system. He goes down a list of exploits. The letter H shows the worm that it has a solid exploit that it thinks you can't remove. The hanging Windows happen when the thread freezes and the hacker gets in. You can read about it if you do a search on Microsoft for Adobe exploits and hanging threads. This is how he gets in. And to my notice, he first goes directly to your graphics driver. I bet you cannot update or replace any part of your graphics/audio or ethernet drivers. It will say FAILED...

Another thing not mentioned anywhere, and you may notice in this response, is that letters and words get altered or twisted. Another part of the worm takes any focused box and inserts memory pointer strings having nulls that create tiny little black holes, in a sense.

Anyways, I hope this gets you started. This botnet is possible only because a hacker got a job resulting in some FBI gone bad. Most are in jail now and it is linked to the darkmarket.org situation.

The link, if I get it right, about the chip flaw that makes the main botnet possible may be this one:

http://www.technewsworld.com/story/69335.html?wlc=1266287381


This is good advice. Some things there that I hadn't thought of. When I was changing services, I got another dialogue that I've never seen before: "An error was returned while attempting to change a service". Any idea what that could be? Can you recommend a malware scanner? I've not had much luck with them in the recent past. I fear that I have been relying on less than 'perfect' methods for network and internet security, and now I might be paying for it.

When it comes to a good antivirus, none really work on this backdoor, aka undetectable, but so far eset.com is the first ever (actually 2nd) to detect over 16 trojans which are part of the worm. The first was Kaspersky 2010, but the hacker shortly after intercepted the detection and it was never detected again. It detected over 60 generic keyloggers, resulting in my graphics/audio/LAN drivers being updatable for the first time in a year.

But it came back shortly after. But try eset.com.


When it comes to a good antivirus, none really work on this backdoor, aka undetectable, but so far eset.com is the first ever (actually 2nd) to detect over 16 trojans which are part of the worm. The first was Kaspersky 2010, but the hacker shortly after intercepted the detection and it was never detected again. It detected over 60 generic keyloggers, resulting in my graphics/audio/LAN drivers being updatable for the first time in a year.

But it came back shortly after. But try eset.com.

You forgot to add that the Windows install disk fixes it too.


You forgot to add that the Windows install disk fixes it too.

What should I do about this? If it's undetectable, then why did Windows tell me that there was some process running called H? If Windows detects it, how is it even a far possibility that there is no software that can detect it? I'm not disputing what is being said, I'm really asking.


I don't have one of these chips that the link article talks about being vulnerable, and no hacker has had physical access to my computer, so I don't think my machine would have this infection. Regardless of which infection it is or might be (if in fact there is an infection), I need to figure it out and get rid of it, and maybe do a little testing to see if I can't find a way to fight whatever it is just in case future events bring it back around.


BFIR - Backup, Format, Install, Restore

Honestly, I'm not completely convinced that my machine is infected with this strange worm. Before I choose to format and reinstall, I am going to have to make sure that it's warranted.


So it's just listed in your "Processes" tab as "H"? "H.exe" perhaps?

Chances are when you're shutting down and it hangs, that you could cancel and open your "Ctrl+Alt+Del" menu and click processes. If it's listed as something like "H.exe" you could try a search for the specified process. It might even show where it's coming from.

I'd hate to see you back up and reformat your PC if not necessary.


  • 2 weeks later...

Anti-virus is an important extra layer of security, but it is not very hard for an attacker to beat your AV. If it is obvious that you are infected but your virus scanner is not picking anything up, back up and wipe the machine. If you have reason to suspect infection but you aren't sure and your virus scanner isn't picking anything up, hubbing out and sniffing your traffic with Wireshark is a good way to detect malware. Also, it's a good idea to check your traffic after a successful virus scan to make sure there aren't other undetected backdoors or anything. Just make sure you stop any services or programs that would be generating network traffic to get rid of the extra noise on the network.


Try using Process Hacker (http://processhacker.sourceforge.net/); it's way better than the default Task Manager and it shows some hidden processes. And if it doesn't show up there, chances are you may have got rooted by some malware.

I found this with a quick Google search (unknown process h -process.h -windows.h)

http://spyware.scanspyware.net/spyware-rem...wn+process.html

Which has C:\Documents and Settings\user-account-name\Local Settings\Temp\H.exe in its unknown Processes List

If I were you, I'd BFIR for sure. (It's easier for me as I also have Linux on my HDD and also on my USB.)


It could be a watchdog process; for example, Trend Micro OfficeScan runs a randomly named process which automatically restarts the AV services if they are killed. If it's not this, then I'd archive the machine, then reinstall. Once it has been archived you can play with it some more.


You may also want to take a look at this program: http://www.prnwatch.com/prio.html. It adds a new tab or two to the Windows Task Manager, but more importantly for you, on the Processes tab it adds a mouse-over tooltip which includes the full path to any of the processes.

That's pretty sweet! Thanks.


Sysinternals Process Explorer will do all the Prio stuff and a whole lot more, like tell you what DLLs each process is using and show you what it has in memory, plus a minimal debugger to trace the executable's connections and so on. It's also free from Microsoft.
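The information the last few replies want from Prio and Process Explorer (full image path, command line, parent process, loaded DLLs) can also be pulled from a console, which helps when a GUI tool cannot be installed on a suspect machine. The script below is an added example, not code from the thread or from Sysinternals; it assumes Windows PowerShell 2.0 or later with the WMI `Win32_Process` class available, and it should be run elevated to see other users' processes. It flags processes with no visible path or with an image under a Temp or `Local Settings` folder, the location the earlier reply reports for `H.exe`:

```powershell
# Added example, not from the thread: inventory running processes with image path,
# command line, parent and Authenticode status, then list a given process's DLLs.
# Assumes Windows PowerShell 2.0+ and WMI; run elevated for a complete view.

function Get-ProcessInventory {
    $all = Get-WmiObject -Class Win32_Process
    # Index by PID so each process can name its parent
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $all) {
        $parent = $byId[[int]$p.ParentProcessId]
        $path   = $p.ExecutablePath
        # No path usually means a protected system process or one we lack rights to inspect;
        # a path under Temp or Local Settings is where dropped malware commonly lives
        $flag = ($null -eq $path) -or ($path -match '\\Temp\\') -or ($path -match '\\Local Settings\\')
        # Catalog-signed Windows files report NotSigned on older systems, so treat this as a hint only
        $sig = 'n/a'
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        New-Object PSObject -Property @{
            PID         = $p.ProcessId
            Name        = $p.Name
            Path        = $path
            CommandLine = $p.CommandLine
            ParentPID   = $p.ParentProcessId
            ParentName  = $(if ($parent) { $parent.Name } else { '<exited>' })
            Signature   = $sig
            Flagged     = $flag
        }
    }
}

# Get-Process exposes the loaded modules of a process; access is denied for some
# system processes, so one failure must not stop the listing
function Get-ProcessModules([string]$name) {
    Get-Process -Name $name -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            $proc.Modules | ForEach-Object {
                New-Object PSObject -Property @{
                    PID     = $proc.Id
                    Module  = $_.ModuleName
                    Path    = $_.FileName
                    Company = $_.FileVersionInfo.CompanyName
                }
            }
        } catch {
            Write-Warning ("Cannot read modules of PID {0}: {1}" -f $proc.Id, $_.Exception.Message)
        }
    }
}

Get-ProcessInventory | Sort-Object Flagged -Descending |
    Format-Table PID, Name, ParentName, Flagged, Signature, Path -AutoSize

# Drill into one image by name, e.g. the process the shutdown dialogue called "H"
Get-ProcessModules -name 'H' | Format-Table PID, Module, Company, Path -AutoSize
```

The parent column is worth reading alongside the path: a process launched from a user's Temp folder whose parent is a browser or a document viewer tells a different story from one started by a service, and a DLL from an unexpected location inside an otherwise legitimate process is the injection case the earlier reply warned a file scan would miss.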


  • 2 weeks later...

If all else fails, try using HijackThis, or simply format your system.

http://free.antivirus.com/hijackthis/
