Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: HJT-log....rooted

  1. #1
    Senior Member
    Join Date
    Aug 2003


    This is what a log looks like that has been rooted. How many pieces of nastiness can you find in there?? And for the extra bonus, can you identify the rootkit involved?

    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [RevoTaskbarApp] C:\WINNT\system32\RevoTask.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Security Patches] WinLab32.exe
    O4 - HKLM\..\Run: [timesettings] C:\PROGRA~1\Meow obj eq\byte mess gpl.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [Application] C:\winnt\system32\dhcp\files\hiddenrun.exe mdll.exe
    O4 - HKLM\..\RunServices: [Security Patches] WinLab32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: ICQ 4.1 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...153.8308680556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab

    No really, if you have any idea what rootkit this is from, please let me know. meeeeeeeeee and I have been looking all afternoon and not having alot of luck

  2. #2
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    St. Petersburg, FL
    Actually everything in there is malware as far as I can see.

    This machine seems to be infected with adware, spyware, ZA, and Windows.
    Real security doesn't come with an installer.

  3. #3
    Senior Member
    Join Date
    Aug 2003

  4. #4
    Senior Member
    Join Date
    Jul 2003
    That makes Windows the rootkit right?

    Congrats, groovicus, that might be the first HJT log of the one machine that contains all the spyware in the internet... did it take long for that to happen?

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    C:\WINNT\system32\services.exe...........related to above
    Details Here: http://vil.nai.com/vil/content/v_99378.htm

    It's a remote access threat, maybe part of your rootkit.

    You also got a worm...WinLab32.exe
    Details Here: http://uk.trendmicro-europe.com/ente...=WORM_SDBOT.GD

    Details: xscan.exe
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    Hoopy Frood
    Join Date
    Jun 2004
    If this is a real machine and what people are saying is true, perhaps you may want to format? It may be quicker. BTW, it has Sasser, I believe. You can read the details at Symantec's site: http://securityresponse.symantec.com...oval.tool.html
    Symantec Security Response - W32.Sasser Removal Tool

    /edit - putting in all necessary words helps understanding.
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  7. #7
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Couple of things I noticed that don't look right. I'm on 2000 at work right now so I'm verifying what looks suspicious with my machine that's not infected with anything.

    C:\WINNT\system32\srvany.exe - what is that and why are there multiple instances?
    C:\WINNT\system32\firewall.exe - doesn't exist on my machine and I've never heard of that before so it sounds suspicious unless I'm completely wrong.
    C:\WINNT\system32\RevoTask.exe - what is that? It's all over your machine.
    C:\winnt\system32\dhcp\ - not sure, this exists on mine but mine is empty of anything. Might be legit but if so, that's the weirdest way I've ever seen DHCP being used...

    Now for the registry stuff...

    O4 - HKLM\..\Run: [RevoTaskbarApp] C:\WINNT\system32\RevoTask.exe - lose this
    O4 - HKLM\..\Run: [Security Patches] WinLab32.exe - and this...it's the WORM_SDBOT.GD variant as found here
    O4 - HKLM\..\Run: [timesettings] C:\PROGRA~1\Meow obj eq\byte mess gpl.exe - I have no idea what that could possibly mean/be/etc..lose it just in case unless you know what it is.

    O4 - HKLM\..\Run: [Application] C:\winnt\system32\dhcp\files\hiddenrun.exe mdll.exe - there's that weird DHCP thing again...I don't buy that it's really dhcp because I've never known anything to be named "hiddenrun" and calling another executable at that. I'd lose it just in case because chances are, you're not serving out DHCP leases.

    Lookup on 'hiddenrun.exe' revealed this thread here where it's shown as a method to hide execution of other scripts/etc. Bad news if you ask me...that's just like trojaning your ps/ls/find/top/etc programs in *nix to hide various bad things...

    Hope this helps some...I'm no expert on the veritable thousands of windows exploits but I do know suspicious stuff when I see it. I'd go to another machine, download the latest NAV updates, download Ad-Aware and the latest reference file, as well as Spybot's S&D, and the SwatIt trojan-scanner, burn them all to a CD, then boot the infected machine up (unplugged from the network), install all that, reboot into safe mode, then scan the living hell outta it!
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  8. #8
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Ok here goes..

    Pieces of Nasty!

    C:\WINNT\system32\tlntsvr.exe <-- May be part of the kit NASTY
    C:\winnt\system32\dhcp\files\xscan.exe <--Also part of kit
    O4 - HKLM\..\Run: [Security Patches] WinLab32.exe <-- more the IRC batch
    O4 - HKLM\..\Run: [timesettings] C:\PROGRA~1\Meow obj eq\byte mess gpl.exe <-- says it all
    O4 - HKLM\..\Run: [Application] C:\winnt\system32\dhcp\files\hiddenrun.exe mdll.exe <-- bye bye
    O4 - HKLM\..\RunServices: [Security Patches] WinLab32.exe <-- blah blah
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 <-- prolly get rid of this anyway

    things I thought at first
    C:\WINNT\system32\RevoTask.exe <--
    This is the Control Application for M-Audio Revolution 7.1 sound card. The sound card will function without it; but changes to speaker setup and sound modification (Bass/Treble etc) will not be available.

    C:\WINNT\system32\srvany.exe <--
    Application that is associated with Microsoft Windows NT 4, 2000, and XP Resource Kits and is used to run normal Windows applications as services.

    C:\Program Files\Java\jre1.5.0\bin\jusched.exe <--
    checks the Sun site to see if newer Java versions are available.
    Now while some of these look nasty there is a lot of things that are running because of programs you have chosen to run. Looks like the answer to your question is that IRC BOT bug that found its way in and propagated itself everywhere

    Edit: grammer and such
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click

  9. #9
    Senior Member
    Join Date
    Feb 2004
    Just FYI this line is LOP, a fairly common peice of malware, and nothing to be overly concerned with. It's the rest of the "ick" that's worrisome.

    O4 - HKLM\..\Run: [timesettings] C:\PROGRA~1\Meow obj eq\byte mess gpl.exe

  10. #10
    Regal Making Handler
    Join Date
    Jun 2002
    I'd be looking a bit futher than the hijackthis log to.

    I'd be looking for any of the pstools aps that may have been uploaded. Or similar.

    This is more a question than anything. Does hijackthis show hidden process and registry entries?? I ask because i came across the following:

    Luckily many crackers are careless and portions of their rootkit can be detected. The trojaned files above often have configuration files that list which programs to hide and which to display. Often they forget to hide the configuration files themselves. Since /dev is the default location for many of these configuration files, looking in there for anything that is a normal file is often a good idea.

    A rootkit, however, cannot affect processes that have _root_ in their names. In other words, when a system administrator, is analyzing the system log using Regedit.exe, he cannot see hidden entries, but just by changing its name to _root_regedit.exe, it will be enough for him to see all of them as well as hidden keys and registry entries. This is true for all programs – for example, Task Manager

    Full artice here: http://www.windowsecurity.com/articl...vironment.html
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts