CISVC.EXE Question

Mark Levy

Hi all,

I've got a client who is using Windows2000, and they are worried that they
might have gotten hit with a keystroke logger program.

CISVC.EXE is a process that is running on the user's Win2KPro workstation,
and she has seen that this file may be linked to a keyboard capture utility
from spyarsenal.com. While the file that is on her computer appears to be
the Windows 2000 distribution of the program used in file indexing by
Windows, there are a few issues that are causing alarm.

Regedit shows that in two keys under Internet Explorer, the values
"spyarsenal" and "cisvc.txr" are found. However, as I am NOT a Windows
specialist, and the key included the term "MRU," this may be from searching
for information on the Internet, rather than from an installation of the
software.

When I tried killing the process in Task Manager, I was unable to do so.
This may or may not be an issue, as Windows will not allow you to terminate a
dependent process, and this might be the case.

An error message for CISVC.EXE comes up with "There is no disk in the drive.
Please insert a disk into drive \device\harddisk\dr1" when the system boots.

When I deleted the file from the C:\WINNT\SYSTEM32 directory, within just a
few seconds, the file was back again. As this is an EXE, rather than a DLL
file, I don't believe that this would be coming from the DLL Cache, but of
course, I could be wrong. I simply don't know enough about Windows to know
if this is proper behavior for this file.


I ran the web based Pest Patrol scan ( http://www.pestpatrol.com ) on the
computer to try to establish if the file was really the keystroke logger
from spyarsenal. While it did find a few issues, none were serious threats.
I started by checking the task manager to see if it was running and tried to
kill the process, but I was unable to do so. I tried copying the file to a
backup in the C:\WINNT\SYSTEM32 directory (cisvc.bad) and then deleted the
file. When I did a directory, the file no longer appeared in the directory,
but within a few minutes, it was back again. I checked in the I386 directory
on the workstation, and found that there was a cisvc.ex_ file, and I used
expand to move the file and check the file size and date of the extracted
and expanded file. It was the same as the file originally in the SYSTEM32
directory. I also checked on Shahara's other workstation, and the file was
in the same location, with the same file size, version, date and time. Just
to be sure, I called a coworker, and asked him to check the information on
the file on one of his Win2K systems, and got the same results.

The error message "There is no disk in the drive. Please insert a disk into
drive \device\harddisk\dr1" seems to be a common error in Windows systems,
and it's common with many different programs. Searching on this error
message on Google gave many hundreds of hits, for programs ranging from
Quicktime to Lotus Notes, to Microsoft Office. From what I was able to piece
together, it seems that this message is caused by a hiccup in the
installation program. It seems to occur most often when someone installs
software, but removes the installation media too early. It does not appear
that this is caused by a logger, but it is somewhat possible that the hiccup
occurred while installing the CISVC program. And it's possible that the
installation might have been installing the logger file.

The process starts up through a normal registry entry. In order to be sure
that the process does not begin, I shut down the computer and restarted it
in safe mode. From there, I deleted the file (
C:\WINNT\SYSTEM32\CISVC.EXE ), leaving the copied CISVC.BAD file in the
directory. I then restarted the computer, and the error message to insert
the disk has disappeared. The process is no longer running as well, and as
of last night (4/21/2004) the file had not been recreated.

Again, I do not believe that the CISVC.EXE is a malicious file, but the
simple fact is that it was exhibiting some suspicious behavior. I'm just
wondering if someone can tell me if this is the normal way that the program
works? This user is going nuts, and believes that her computer has been
compromised.

Thanks in advance,

Mark
 
The file cisvc.exe is indeed a legitimate file and also does live in the dllcache
folder. You can use System File Checker - sfc /scannow if you want to check for
correct versions of your WFP system files. The link below explains more on that.

http://support.microsoft.com/default.aspx?scid=kb;en-us;222471 -- probably will
require access to install cdrom

You also may want to scan using SpyBot Search and Destroy being sure to download
their latest definitions which are over 12,400 I believe. If the program itself
stalls at getting updates [frequently it does] you can download the latest package at
their website. It scans for a lot of keyboard loggers. You may also want to use
Control Panel/add remove programs/add remove Windows Components and disable the
indexing service to see if it stops that process.

It sounds to me, though, as if the best approach for your client may be to back up her data and
format the hard drive and reinstall. Yes it is extra work but that may be the only
thing that will convince her that her computer is clean - at least for a day or so.
See the links below for more info and encourage her to use the minimum security
settings prescribed in the second link for Internet Explorer. --- Steve

http://www.microsoft.com/security/protect/ --- absolute minimum security
requirements. Antivirus must scan all email also.
http://mvps.org/winhelp2002/unwanted.htm -- Securing Internet Explorer is more
important than ever. Info about SpyBot here also including link.
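The check Steve describes (the live SYSTEM32 copy should match the Windows File Protection copy in dllcache, and the binary should carry a Microsoft signature) can be scripted; this is an added example, not part of the thread, and it assumes a Windows host with PowerShell 3.0 or later. On current Windows the dllcache folder may be absent (WFP was replaced by Windows Resource Protection), in which case only the live copy is reported.

```powershell
# Added example: compare a protected system binary with its WFP cache copy,
# check its Authenticode signature, and show which service launches it.
# $env:SystemRoot is C:\WINNT on the Windows 2000 machine in the thread.
param(
    [string]$Name = 'cisvc.exe'   # binary under suspicion
)

$live  = Join-Path $env:SystemRoot "System32\$Name"
$cache = Join-Path $env:SystemRoot "System32\dllcache\$Name"

function Get-FileFacts {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Size      = $item.Length
        Modified  = $item.LastWriteTime
        Version   = $item.VersionInfo.FileVersion
        Company   = $item.VersionInfo.CompanyName
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = $sig.SignerCertificate.Subject
    }
}

# Collect facts for whichever of the two copies exist.
$facts = @(@($live, $cache) | ForEach-Object { Get-FileFacts $_ } | Where-Object { $_ })
$facts | Format-List

if ($facts.Count -eq 2) {
    if ($facts[0].SHA256 -eq $facts[1].SHA256) {
        Write-Host "Live copy matches the dllcache copy; a file that reappears after deletion is being restored by WFP."
    } else {
        Write-Warning "Live copy differs from the dllcache copy; run 'sfc /scannow' and investigate further."
    }
}

# A signature status other than Valid, or a signer that is not Microsoft, is the
# real red flag; size and date alone can be matched by a renamed file.
$facts | Where-Object { $_.SigStatus -ne 'Valid' } |
    ForEach-Object { Write-Warning "$($_.Path): signature status $($_.SigStatus)" }

# Show the service that starts the binary (for cisvc.exe this is the Indexing Service),
# which also explains why Task Manager refuses to kill it.
Get-CimInstance Win32_Service -Filter "PathName LIKE '%$Name%'" |
    Select-Object Name, State, StartMode, PathName
```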
 
I just wanted to thank you for your answer. Interestingly enough, I never
did get a response here in my news reader, however, I did read your response
to my post in a Google Groups search.

I just wanted to thank you for your help.

Mark
 
Thanks Mark! I appreciate the reply. Sometimes the newsgroups seem to work a bit
strangely. I guess not too surprising with all the chaos on the internet these days.
Sometimes I post replies and don't see them show up until days later. Anyhow,
thanks. --- Steve
 