
When starting Wireshark (v1.12.2, using runas /user:administrator) on an old Windows XP SP3 system, Privacyware Privatefirewall alerted me that Wireshark was trying to load c:\docume~1\admini~1\locals~1\temp\nsq18.tmp\system.dll

Is there any way this is not an exploited system? Is there any legitimate reason why a program would be loading a "system.dll" from such a path?

I've been having an increasing paranoia that this machine has been hacked, but haven't been able to pinpoint anything. I've tried to lock down the machine as well as I can, but it's an old system and I'm no expert. (I have only minimal services running, always run as an unprivileged user, all ports closed from the outside, etc., but I really feel that I am in over my head.)

2 Answers


Download the 32-bit Portable Apps version of Wireshark directly from Wireshark.org, not from some third-party site whose system could have been compromised. Verify the signature with the hash files if you are not sure.

If that DLL is still being called when you execute the portable app, then the DLL was hooked by something within explorer and there is a very high chance that your system has been compromised.

You can always upload any suspicious files to VirusTotal and they will throw it at several different AV vendor products to see what they catch.

You should strongly consider moving systems that are used in production environments off of Windows XP.
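A small triage helper in the spirit of this answer, added here as an example and not part of the original answer or of any vendor's tooling: it runs over a few constructed DLL-load events in an assumed `pid|image|loaded module` format, flags modules loaded from user-writable locations such as a profile's Temp folder (including the 8.3 short-name form `DOCUME~1` seen in the question), and produces the SHA-256 digest one would search for on VirusTotal before uploading anything. The event format, the sample paths and the marker list are assumptions made for the example.

```python
import hashlib
import re
from pathlib import PureWindowsPath

# Constructed DLL-load events in an assumed "pid|image|loaded module" format.
# Sample data for this example only, not the output of Privatefirewall or any
# other product.
SAMPLE_EVENTS = [
    r"1204|C:\Program Files\Wireshark\wireshark.exe|C:\WINDOWS\system32\ws2_32.dll",
    r"1204|C:\Program Files\Wireshark\wireshark.exe|C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq18.tmp\System.dll",
    r"1204|C:\Program Files\Wireshark\wireshark.exe|C:\Program Files\Wireshark\libwireshark.dll",
    r"0988|C:\WINDOWS\explorer.exe|C:\Documents and Settings\user\Local Settings\Temp\loader.dll",
]

# Path fragments that sit inside a user profile or a temp folder, i.e. places an
# unprivileged account can write to. A module loaded from there is worth a look,
# because a well-behaved program needs only its own directory and the Windows
# system directories. (Written as normal strings: a raw string cannot end in "\".)
USER_WRITABLE_MARKERS = (
    "\\temp\\",
    "\\local settings\\",
    "\\appdata\\",
    "\\documents and settings\\",
    "\\users\\",
)

# 8.3 short names such as DOCUME~1 hide the long folder name; flag them so a
# profile path written that way does not slip past the marker check.
SHORT_NAME_RE = re.compile(r"~\d+")


def is_user_writable_path(path: str) -> bool:
    """True when the module path points into a profile or temp location."""
    lowered = path.lower()
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        return True
    return SHORT_NAME_RE.search(lowered) is not None


def parse_event(line: str) -> dict:
    """Split one constructed event line into its three fields."""
    pid, image, module = line.split("|", 2)
    return {"pid": int(pid), "image": image, "module": module}


def flag_suspicious_loads(lines) -> list:
    """Return the events whose loaded module lives in a user-writable path."""
    return [ev for ev in map(parse_event, lines) if is_user_writable_path(ev["module"])]


def sha256_hex(data: bytes) -> str:
    """Hash bytes already read into memory (e.g. a copy of the flagged DLL)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file on disk in chunks; the digest is what VirusTotal's search takes."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    for ev in flag_suspicious_loads(SAMPLE_EVENTS):
        image = PureWindowsPath(ev["image"]).name
        print(f"pid {ev['pid']}: {image} loaded {PureWindowsPath(ev['module']).name} "
              f"from {ev['module']}")
    # Once a copy of the flagged file is available, hash it and look the digest up
    # before uploading. The empty-input digest below is a well-known constant.
    print(sha256_hex(b""))
```

Searching VirusTotal by hash first avoids uploading a file that may contain private data when the sample is already known; only an unknown digest needs the upload the answer suggests.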


Hmm, how did you install Wireshark on your system? IMHO, what is bad is the existence of a system.dll file in c:\Document and settings\administrator\locals...\temp (I cannot remember exactly how the local temp folder is named in XP).

That being said, Windows rules specify that a DLL file is first searched for in the folder that contains the executable. So what is to blame is not the fact that a running instance of Wireshark tries to load a DLL from a weird folder, but the fact that it could be installed in that folder and that its installation (or the installation of any other program) has put a system.dll there.

My advice when things go that way is to keep calm, save all the data, reinstall the system (including formatting the hard disk), install a good antivirus (Avira, Avast, or other decent free options), ask the antivirus to scan the saved data, and restore it. Then reinstall every piece of software properly from official or well-known sources in acceptable places (a temp folder is not one...). It may or may not be possible if this computer has programs that you are no longer able to reinstall and that you do not want to lose, but it is the most robust and simple way to recover a sane environment.

The alternatives are:

  • do nothing and pray hoping nothing worse happens
  • carefully examine all installed pieces of software to build a map of all used files and folders (good luck with that...)

Simply running an antivirus or any other automatic malware detection software without fully understanding what it can do and what its limits are is not very different from the first alternative (just pray)...

Serge Ballesta
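The search order this answer refers to, modelled in Python as an added example (not code from the answer, from Wireshark or from Windows): with SafeDllSearchMode enabled, which is the default since XP SP2, the loader tries the executable's own directory first, then the System32, System and Windows directories, then the current directory, then each directory on PATH. Everything below is constructed for the example: the file listing, the directories, and the DLL names. The `system.dll` under a `nsq18.tmp` folder mirrors the path from the question; `version.dll` is a placeholder for any library that also exists in System32, to show how a copy in the executable's folder shadows the system one.

```python
from pathlib import PureWindowsPath

WINDIR = r"C:\WINDOWS"
# Constructed locations for the example: the Temp folder from the question and
# Wireshark's normal installation directory.
TEMP_DIR = r"C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nsq18.tmp"
WIRESHARK_DIR = r"C:\Program Files\Wireshark"

# Constructed file listing. version.dll stands in for any library that exists in
# System32; the copy in the temp folder is what an installer might leave behind.
FILES = [
    WINDIR + r"\system32\version.dll",
    WINDIR + r"\system32\ws2_32.dll",
    TEMP_DIR + r"\system.dll",
    TEMP_DIR + r"\version.dll",
    WIRESHARK_DIR + r"\wireshark.exe",
]


def search_order(exe_dir: str, cwd: str, path_dirs, windir: str = WINDIR) -> list:
    """Standard DLL search order with SafeDllSearchMode enabled.

    1. the directory the executable was loaded from
    2. the system directory (System32)
    3. the 16-bit system directory (System)
    4. the Windows directory
    5. the current working directory
    6. each directory listed in PATH
    """
    return [exe_dir, windir + r"\system32", windir + r"\system", windir, cwd, *path_dirs]


def resolve_dll(name: str, files, exe_dir: str, cwd: str, path_dirs=(), windir: str = WINDIR):
    """Return the path the loader would pick for `name`, or None if not found.

    Only the bare-name lookup is modelled here; loads that give a full path and
    known-DLL redirection are out of scope for this example.
    """
    present = {f.lower() for f in files}
    for directory in search_order(exe_dir, cwd, path_dirs, windir):
        candidate = str(PureWindowsPath(directory) / name)
        if candidate.lower() in present:
            return candidate
    return None


def outside_expected_dirs(resolved: str, install_dir: str, windir: str = WINDIR) -> bool:
    """Defender's check: the module came neither from the program's expected
    install directory nor from under the Windows directory. This is exactly the
    situation in the question: a system.dll under a Temp folder."""
    parent = str(PureWindowsPath(resolved).parent).lower()
    return not (parent == install_dir.lower() or parent.startswith(windir.lower() + "\\"))


if __name__ == "__main__":
    # Wireshark installed properly: version.dll comes from System32.
    print(resolve_dll("version.dll", FILES, exe_dir=WIRESHARK_DIR, cwd=WIRESHARK_DIR))
    # An executable started out of the temp folder: its own directory is searched
    # first, so the local copies of system.dll and version.dll are the ones picked.
    for dll in ("system.dll", "version.dll"):
        picked = resolve_dll(dll, FILES, exe_dir=TEMP_DIR, cwd=TEMP_DIR)
        print(picked, "-> outside expected dirs:", outside_expected_dirs(picked, WIRESHARK_DIR))
```

The point the answer makes falls out of the model: the loader is doing nothing unusual when it takes a DLL from the folder the executable runs from, so the thing to explain is how an executable and a system.dll ended up in a Temp folder in the first place.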