NegativeSpace posted February 20, 2010:

A few minutes ago I was shutting down one of my XP desktops when I got a dialogue (I have seen them 100 times), the one that tells you that there's a program that isn't responding and has to be closed to shut down Windows. This particular one was very strange, because the name of the program that the dialogue reported to be hanging Windows up from shutting down was named as simply the letter "H". I've never seen this one before. Does anyone know what this is? Where is it located, what does it do?
digip posted February 20, 2010:

> A few minutes ago I was shutting down one of my XP desktops when I got a dialogue (I have seen them 100 times), the one that tells you that there's a program that isn't responding and has to be closed to shut down Windows. This particular one was very strange, because the name of the program that the dialogue reported to be hanging Windows up from shutting down was named as simply the letter "H". I've never seen this one before. Does anyone know what this is? Where is it located, what does it do?

Sounds like rogue software. I wouldn't be surprised if it's malware of some sort, but to be safe, check all the usual suspects:

- all registry startup locations
- msconfig
- Windows Start Menu Startup folder

Also, get a good virus and malware scanner, then scan your memory and running EXEs/DLLs. If something was inserted via DLL injection or is running in memory alone, that's the only place you will find it, and you won't see it on the HDD anywhere when scanning normal files, so be sure your scanner can do memory scans as well.

Last thing, or first thing you should check, is the event logs. Right-click My Computer and then select Manage. Open the Event Viewer. Any program that hangs on reboot should generate a system message (and/or an application error).
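To make the checklist above concrete, here is an added PowerShell script (not from the thread or from any poster) that walks the Run/RunOnce keys and the Startup folders, lists every process with its full image path, and pulls recent hang/crash records from the Application event log. It flags processes that run from the Temp folder, have a one-character image name like "H", or lack a valid Authenticode signature. The key list and the event-source names are assumptions, and the script assumes Windows PowerShell with WMI available (the XP-era Get-WmiObject rather than the newer CIM cmdlets).

```powershell
# Added example, not from the thread: enumerate autostart locations, running
# processes with their on-disk path, and recent hang/crash events.
# Assumes Windows PowerShell with Get-WmiObject; run from an elevated prompt.

# 1. Registry autostart locations (common Run/RunOnce keys; assumed list).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
"== Registry autostart entries =="
foreach ($keyPath in $runKeys) {
    if (-not (Test-Path $keyPath)) { continue }
    $key = Get-Item -Path $keyPath
    foreach ($name in $key.GetValueNames()) {
        "{0}  [{1}] = {2}" -f $keyPath, $name, $key.GetValue($name)
    }
}

# 2. Startup folders for the current user and for all users.
"== Startup folder contents =="
foreach ($folder in @('Startup', 'CommonStartup')) {
    $path = [Environment]::GetFolderPath($folder)
    if ($path -and (Test-Path $path)) {
        Get-ChildItem -Path $path -Force | ForEach-Object { $_.FullName }
    }
}

# 3. Running processes with full image path. Win32_Process also exposes the
#    command line, which the XP Task Manager does not show at all.
"== Suspicious-looking processes =="
$tempDir = [IO.Path]::GetTempPath()   # e.g. ...\Local Settings\Temp\ on XP
Get-WmiObject -Class Win32_Process | ForEach-Object {
    $exe = $_.ExecutablePath
    if (-not $exe) { return }        # System/Idle and protected processes have no path
    $reasons = @()
    if ($exe.ToLower().StartsWith($tempDir.ToLower())) { $reasons += 'runs from Temp' }
    if ([IO.Path]::GetFileNameWithoutExtension($exe).Length -le 1) { $reasons += 'one-character image name' }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    if ($reasons.Count -gt 0) {
        "PID {0,-6} {1}`n    path: {2}`n    cmd : {3}`n    why : {4}" -f `
            $_.ProcessId, $_.Name, $exe, $_.CommandLine, ($reasons -join ', ')
    }
}

# 4. Hang/crash records from the Application log. 'Application Hang' and
#    'Application Error' are the Windows Error Reporting sources (assumed names).
"== Recent Application Hang / Application Error events =="
Get-EventLog -LogName Application -Newest 200 |
    Where-Object { $_.Source -eq 'Application Hang' -or $_.Source -eq 'Application Error' } |
    Select-Object -First 10 TimeGenerated, Source, Message
```

Plenty of legitimate software ships unsigned, so the "signature" reason alone is a prompt to look at the file, not a verdict; the combination of a Temp-folder path, a trivial name and no signature is what should get attention. If a flagged path no longer exists on disk by the time you look, that is itself worth noting, since a process whose image was deleted after launch is a common loader pattern.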
NegativeSpace (thread author) posted February 20, 2010:

This is good advice. Some things there that I hadn't thought of. When I was changing services, I got another dialogue that I've never seen before: "An error was returned while attempting to change a service". Any idea what that could be? Can you recommend a malware scanner? I've not had much luck with them in the recent past. I fear that I have been relying on less than 'perfect' methods for network and internet security, and now I might be paying for it.
antihacker101 posted February 24, 2010:

> A few minutes ago I was shutting down one of my XP desktops when I got a dialogue (I have seen them 100 times), the one that tells you that there's a program that isn't responding and has to be closed to shut down Windows. This particular one was very strange, because the name of the program that the dialogue reported to be hanging Windows up from shutting down was named as simply the letter "H". I've never seen this one before. Does anyone know what this is? Where is it located, what does it do?

I may be the only one that can answer your question. First, a lot of you may start noticing a lot of stuff happening starting this month, after a change in the worm on Feb 13. What was never told yet, and I can now tell only because the worm changed where a lot of the interceptions are unblocked: the main botnet and intent of the hacker is actually above boot, in your motherboard, that is an undetectable backdoor. The Confickers were made detectable on purpose to take blame. The popups you're getting are actually the hacker sending commands using cookies to get in your system. He goes down a list of exploits. The letter H shows the worm that it has a solid exploit that it thinks you can't remove. The hanging windows happen when the thread freezes and the hacker gets in. You can read about it if you do a search on Microsoft for Adobe exploits and hanging threads. This is how he gets in. And to my notice, he first goes directly to your graphics driver. I bet you cannot update or replace any part of your graphics/audio or Ethernet drivers. It will say FAILED... Another thing not mentioned anywhere, and you may notice it in this response, is that letters and words get altered or twisted. Another part of the worm takes any focused box and inserts memory pointer strings having nulls that create tiny little black holes in a sense. Anyways, I hope this gets you started.

This botnet is possible only because a hacker got a job resulting in some FBI gone bad. Most are in jail now, and it is linked to the darkmarket.org situation. The link, if I get it right, about the chip flaw that makes the main botnet possible may be at this link: http://www.technewsworld.com/story/69335.html?wlc=1266287381
antihacker101 posted February 24, 2010:

> This is good advice. Some things there that I hadn't thought of. When I was changing services, I got another dialogue that I've never seen before: "An error was returned while attempting to change a service". Any idea what that could be? Can you recommend a malware scanner? I've not had much luck with them in the recent past. I fear that I have been relying on less than 'perfect' methods for network and internet security, and now I might be paying for it.

When it comes to a good antivirus, none really work on this backdoor, aka undetectable, but so far eset.com is the first ever (actually 2nd) to detect over 16 trojans which are part of the worm. The first was Kaspersky 2010, but the hacker shortly after intercepted the detection and it was never detected again. It detected over 60 generic keyloggers, resulting in my graphics/audio/LAN drivers being updatable for the first time in a year. But it came back shortly after. But try eset.com.
Sparda posted February 24, 2010:

> When it comes to a good antivirus, none really work on this backdoor, aka undetectable, but so far eset.com is the first ever (actually 2nd) to detect over 16 trojans which are part of the worm. The first was Kaspersky 2010, but the hacker shortly after intercepted the detection and it was never detected again. It detected over 60 generic keyloggers, resulting in my graphics/audio/LAN drivers being updatable for the first time in a year. But it came back shortly after. But try eset.com.

You forgot to add that the Windows install disk fixes it too.
NegativeSpace (thread author) posted March 1, 2010:

> You forgot to add that the Windows install disk fixes it too.

What should I do about this? If it's undetectable, then why did Windows tell me that there was some process running called H? If Windows detects it, how is it even a far possibility that there is no software that can detect it? I'm not disputing what is being said, I'm really asking.
NegativeSpace (thread author) posted March 1, 2010:

I don't have one of these chips that the linked article talks about being vulnerable, and no hacker has had physical access to my computer, so I don't think my machine would have this infection. Regardless of which infection it is or might be (if in fact there is an infection), I need to figure it out and get rid of it, and maybe do a little testing to see if I can't find a way to fight whatever it is, just in case future events bring it back around.
digip posted March 1, 2010:

BFIR - Backup, Format, Install, Restore
NegativeSpace (thread author) posted March 4, 2010:

> BFIR - Backup, Format, Install, Restore

Honestly, I'm not completely convinced that my machine is infected with this strange worm. Before I choose to format and reinstall, I am going to have to make sure that it's warranted.
Sudo posted March 4, 2010:

So it's just listed in your "Processes" tab as "H"? "H.exe" perhaps? Chances are, when you're shutting down and it hangs, you could cancel and open your Ctrl+Alt+Del menu and click Processes. If it's listed as something like "H.exe" you could try a search for the specified process. It might even show where it's coming from. I'd hate to see you back up and reformat your PC if it's not necessary.
Ogma posted March 12, 2010:

Anti-virus is an important extra layer of security, but it is not very hard for an attacker to beat your AV. If it is obvious that you are infected but your virus scanner is not picking anything up, back up and wipe the machine. If you have reason to suspect infection but you aren't sure and your virus scanner isn't picking anything up, hubbing out and sniffing your traffic with Wireshark is a good way to detect malware. Also, it's a good idea to check your traffic after a successful virus scan to make sure there aren't other undetected backdoors or anything. Just make sure you stop any services or programs that would be generating network traffic, to get rid of the extra noise on the network.
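The traffic check Ogma describes is easiest to reason about once the capture is reduced to flows. Here is an added PowerShell script (not from the thread or from any poster) that takes a capture exported from Wireshark or tshark as "time,src,dst,dstport" lines (that field layout is an assumption; below, constructed sample data stands in for a real export), groups outbound flows from the suspect machine by destination and port, and flags any destination contacted at a steady interval, which is the check-in pattern a backdoor produces once the normal browsing noise has been stopped. The local address and the 10% regularity threshold are assumptions.

```powershell
# Added example, not from the thread: find periodic outbound connections
# ("beacons") in a flow list exported from a packet capture.
# Input format (assumed): time_seconds,src_ip,dst_ip,dst_port per line.

$localHost = '192.168.1.10'   # assumed address of the suspect XP box

# Constructed sample capture: some ordinary web traffic, plus one host that
# the XP box contacts on port 443 every 60 seconds.
$capture = @'
1.00,192.168.1.10,93.184.216.34,80
3.20,192.168.1.10,172.217.0.46,443
60.95,192.168.1.10,198.51.100.7,443
72.40,192.168.1.10,93.184.216.34,80
121.02,192.168.1.10,198.51.100.7,443
150.11,192.168.1.10,172.217.0.46,443
181.00,192.168.1.10,198.51.100.7,443
240.98,192.168.1.10,198.51.100.7,443
301.01,192.168.1.10,198.51.100.7,443
'@

# Parse each line into a flow record.
$flows = $capture -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
    $t, $src, $dst, $port = $_.Split(',')
    New-Object PSObject -Property @{ Time = [double]$t; Src = $src; Dst = $dst; Port = [int]$port }
}

"== Outbound destinations from $localHost =="
$flows | Where-Object { $_.Src -eq $localHost } | Group-Object Dst, Port | ForEach-Object {
    $times = $_.Group | Sort-Object Time | ForEach-Object { $_.Time }
    $verdict = 'too few samples'
    if ($times.Count -ge 4) {
        # Inter-arrival gaps between successive contacts; a beacon keeps the
        # spread of those gaps small relative to their mean.
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) { $times[$i] - $times[$i - 1] }
        $stats = $gaps | Measure-Object -Average -Maximum -Minimum
        $spread = ($stats.Maximum - $stats.Minimum) / $stats.Average
        if ($spread -lt 0.1) {
            $verdict = 'PERIODIC (~{0:N0}s interval) - beacon?' -f $stats.Average
        } else {
            $verdict = 'irregular'
        }
    }
    "{0,-22} hits={1,-3} {2}" -f $_.Name, $_.Count, $verdict
}
```

With the sample data, 198.51.100.7:443 is reported as periodic at about 60 s, while the two web hosts are either irregular or have too few hits to judge. On a real export, anything reported as periodic deserves a look at which process owns the connection (netstat -ano on XP shows the PID) and whether the destination is something the machine has a reason to talk to, such as an AV or update server.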
Thanish posted March 12, 2010:

Try using Process Hacker (http://processhacker.sourceforge.net/); it's way better than the default Task Manager and it shows some hidden processes. And if it doesn't show, chances are you may have got rooted by some malware. I found this with a quick Google search (unknown process h -process.h -windows.h): http://spyware.scanspyware.net/spyware-rem...wn+process.html, which has C:\Documents and Settings\user-account-name\Local Settings\Temp\H.exe in its unknown processes list. If I were you, I'd BFIR for sure. (It's easier for me as I also have Linux on my HDD and also on my USB.)
VaKo posted March 12, 2010:

It could be a watchdog process; for example, Trend Micro OfficeScan runs a randomly named process which automatically restarts the AV services if they are killed. If it's not this, then I'd archive the machine, then reinstall. Once it has been archived you can play with it some more.
pizzaguy posted March 13, 2010:

You may also want to take a look at this program: http://www.prnwatch.com/prio.html. It adds a new tab or two to the Windows Task Manager, but more importantly for you, on the Processes tab it adds a mouse-over tooltip which includes the full path to any of the processes.
NegativeSpace (thread author) posted March 21, 2010:

> You may also want to take a look at this program: http://www.prnwatch.com/prio.html. It adds a new tab or two to the Windows Task Manager, but more importantly for you, on the Processes tab it adds a mouse-over tooltip which includes the full path to any of the processes.

That's pretty sweet! Thanks.
digip posted March 21, 2010:

Sysinternals Process Explorer will do all the Prio stuff and a whole lot more, like tell you what DLLs it's using for each process and show you what it has in memory, a minimal debugger to trace the executable's connections, and so on. It's also free from Microsoft.
Infiltrator posted April 2, 2010:

If all else fails, try using HijackThis, or simply format your system. http://free.antivirus.com/hijackthis/