What is Normal?
We received an email today from Dan Messmer asking about what were the "good services and processes for WinXP and Win2K". It is an excellent question and got me to thinking about how many times we all look for the "abnormal" things without even being sure of what is normal for a system to begin with. How many times have we all sat down to look at a system and what processes and services were running and wondered what something was? This led to some good suggestions that I would like to share with everyone.
It is important to realize that malware can hide itself and not show up as a running process if you are using Task Manager. If you suspect something is going on, make sure and pay close attention to the spelling since many times malware can use services and processes that are spelled almost identical to the valid ones. My tool of choice for looking at processes is using Process Explorer from Sysinternals. It will show you everything and gives you much more information about every process. Fellow handler Patrick Nolan had this recommendation: "In addition to Process Explorer, using the latest version of Autoruns from SysInternals allows you to show Services, select Views - enable Show Services and then enable Hide Microsoft Signed Entries. For the remaining
entries you can now highlight one and right click to Google it."
Another good approach was given by Handler Marc Sachs: "If you routinely check for suspicious computers and have a fairly baselined set of systems here's another approach. Set up a "control" computer that is configured like all of the other ones on your network but don't let anybody use it as a workstation. This computer has the same OS, same patches, same software, etc. Take a look at the running processes, memory allocations, and other metrics on your control computer when examining a suspected computer. The control machine could also be a virtual machine running in VMWare or VirtualPC, it doesn't have to be a separate box."
In addition to the above recommendations, here are some sites that will help you go through your services for what are valid Microsoft services.
Here is another site that folks have written in recommending in response to this diary entry and is a good site to have bookmarked:
If you know of other techniques or tools for recognizing what is normal for any operating system, please let us know.
Fake RedHat Advisory
We have reports of a fake RedHat advisory from Craig Small that is being circulated. One of our handlers also received one of these. The site was taken down on 23 October, however it is a good reminder that even though most of these are aimed at Windows users, always be suspect when receiving an email asking you to download something.
JPEG Repair Utility
Another user passed along a good tool for finding and repairing JPEG files that have been modified using the MS04-028 exploit. The link to this tool is
Lorna J. Hutcheson
Handler on Duty
Oct 25th 2004
1 decade ago