MobSync is a Microsoft Mobile Synchronization Manager available in Win 2000 & Windows XP

Excerpt from Microsoft KB 314512 Articles (2002)

The Windows XP Synchronization Manager helps ensure that the files and folders on your mobile device and your desktop computer stay synchronized. With Synchronization Manager, you can be sure you are always working with the latest copy of your data, online or offline.

Technically MobSync is part of Windows Memory Management, its prefetch (type of cache) your External Device Contents (Mobile PC, Windows Embed XPE, PDA,database etc .. ) thus helps speed up the Windows booting process by shortening the time external device programs takes to start up.

MobSync Issue

MobSync is registered to run on logon but the process is hidden on others ‘Scans Tools’ like Autoruns.exe & Process.exe (SysInternal).

QuickFact:

• MobSync.exe can record inputs.
• Its hide itself from monitor applications.

Apparently because of its transparencies nature to hide behind windows systems some hackers decide to reverse engineer this programs as a Trojan Rootkit.

Should I disabled Mobsync?

If you used windows for surfing and office works you probably wont need this programs (crapware) most modern mobile device has a build in Synchronization Manager and doesnt relies on microsoft mobsync (dependencies issue). Its recommended to disabled this programs as it can hide itself from being monitored and doesnt showup on running process lists.

Step by step guide to disabled MobSync from your windows.

1. Disabled System Restore

   You will need to disabled Windows System Restore (Temporary).

2. View hidden system files

   Suspicious files is known to hide itself as Windows System files. The following settings will set all hidden files viewable so we could removed it.

   • Click on Windows Start → Control Panel → Folder Options → View Tab
   • Turn on the option to show hidden files

3. Clean Temporary Files and Windows Prefetch Files

   This wont harm your system. Removes all files inside the following directory. Remove the contents only not the folders.

   • C:\temp
   • C:\windows\temp
   • C:\Documents and Settings\<username>\Local Settings\Temp
   • C:\windows\prefetch

4. Boot in SafeMode

   Restart your PC in safe mode. Refer KB 31522 on How To Boot in Safe Mode.

5. Disabled MobSync Process

   1. Click on start → Run → mobsync
   2. Next, Click on Setup buttons
   3. On “Synchronizations Settings” Windows Logon/Logoff tab un-check all the following options:

      Automatically Synchronize the following items:

      • When I log on to my computer
      • When I log off to my computer
   4. While still in “Synchronizations Settings” Windows select the next tab label “on Idle” un-check the following items:
      • Synchronize the selected items while my computer is idle

6. Removed from system registry

   If you arent familiar with registry you may skip this part. Most normal startup programs can be found at the following registry path.

   • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

   In Windows XP all loaded “startup programs” (start menu/startup items) can be found at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

   Mobsync registry HKLM\Software\Microsoft\Windows\CurrentVersion\syncmgr

Note on using Rootkit Scanner.

• James A. Eshelman HijackThis
• SysInternal RootkitRevealer
• F-secure Blacklight

Most advance Rootkit has a self mechanism to shutdown the system if any of this programs is identify in the memory. If you had this programs installed its advice to rename the programs first.

• RootKitRevealer.exe → RKV.exe
• HijackThis → hjct.exe

How to validate if the running programs is Tempered

Get Certificate Verification Tool ( WM Software Corp) and verify the programs signature or you could also run Microsoft sigverif.exe (c:\windows\SIGVERIF.TXT) to verify digital signature.

Caveat: Most Rookit is “padded/mugged” with unix controls character so its not readable by Windows (ANSI).

Setupapi.log entries

Setupapi.log can be found inside c:\windows\setupapi.log You need to enabled logging in verbose mode to get proper setup log.
HKLM\Software\Microsoft\Windows\CurrentVersion\SetupLogLevel

Insert DWORD value 0000FFFF to enabled verbose mode logging

Insert DWORD value 0 to disabled it

Tempered MobSync.exe & similar windows networks files.

An unsigned or incorrectly signed file
(c:\windows\msdownld.tmp\as03b1e1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll to
C:\WINDOWS\SYSTEM\msidle.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe to
C:\WINDOWS\SYSTEM\mobsync.exe.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll to
C:\WINDOWS\SYSTEM\mobsync.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll to
C:\WINDOWS\SYSTEM\sens.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll to
C:\WINDOWS\SYSTEM\sensapi.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll to
C:\WINDOWS\SYSTEM\senscfg.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll to
C:\WINDOWS\SYSTEM\es.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll to
C:\WINDOWS\SYSTEM\esshared.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll to
C:\WINDOWS\SYSTEM\estier2.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd to
C:\WINDOWS\SYSTEM\sage.vxd.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll to
C:\WINDOWS\SYSTEM\esenu.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf to
C:\WINDOWS\INF\mobilepk.inf.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp to
C:\WINDOWS\help\chnscsvr.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat to
C:\WINDOWS\SYSTEM\sfp\ie\mobilepk.cat.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp to
C:\WINDOWS\help\mobsync.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp) was installed. Error
0xe000022f: The third-party INF does not contain digital signature information.

Summary

What really bother me, is Microsoft Windows Setup API. Any downloaded Microsoft system files has embed sign-in digital signature. Windows installation will validate all setup file and logs out error if the file has a bad signature (third party signature or file being tempered). The flaw is within the Windows Setup API itself. It doesn’t protect you from installing bad programs.

You should thanks Microsoft developer for making good Installation Programs and reporting tools. it remind you of error but installed it nonetheless.

External Links

• MSDN System Event Notification Service (SENS)

AcroRd32Info is a another creative pieces of crap from Adobe a package for Acrobat Reader. Embed in Windows Explorer Shell, its main role is to start an initial prefetching for PDF documents in the Memory.

To test this program behavior, you will need to open your windows task manager (ctrl+alt+del once) and browse to any folder that contained a PDF documents and stay idle. Within just few seconds AdobeRd32Info will be loaded in the background and stay in memory.That was just for browsing the folder without opening any PDF files yet.

Windows has a standard prefetch modes and its fairly stable for most of the applications out there. Having a another background prefetcher hook on explorer is plain abusive not to mention its running without the owner permissions.

Adobe Reader is cheating. Its understable that with this methods it will improve the Acrobat boot time log, but I dont see much differences when its running in the background preparing to load a single PDF documents, its a pollutions.

AcroRd32Info stay in your memory so consider it as a pestware.

Here’s how you can safely removed this programs.

The proper way

• open Adobe AcroRd32
• Edit » Preferences
• Select the internet categories in the menu list then disabled
  Allow fast web view & Allow speculative downloading in the background

If thats doesnt work, you try this unrecommended method to disabled it.

• Browse to Adobe Reader directory usually at “Program Files\Adobe\Reader\”
• Find AcroRd32Info.exe
• Rename it from AcroRd32Info.exe to Acro_Rd32Info.exe

Recent Exploit on Adobe Reader

Exploit:W32/AdobeReader.K

From FSECURE, Exploit:W32/AdobeReader.K is detection of a malicious PDF file that is being heavily spammed through e-mail and it appears as an attachment.
This malicious PDF file takes advantage of a vulnerability on the URI handling of PDF files. This vulnerability affects IE7, Adobe Acrobat, and Adobe Reader on some platforms.
Users should update their Adobe Reader installations.

Affected Software Versions

Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier. Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier.

More info on this exploits at National Vulnerability Database