Found stuff on my computer

[dimab1]

I have found these files on my computer, I know they are bad, but can anyone tell me what they do? and can I just delete them? I found them by accident, is there another place to look? Thanx, Dima.

Directory of C:\WINNT\system32\Profiles

08/17/2004 10:52a <DIR> .
08/17/2004 10:52a <DIR> ..
09/22/2003 11:41p 39,424 bootdrv.dll
09/30/2003 04:29a 365,896 cygwin1.dll
10/22/2003 02:49p 899,439 ddt.exe
08/17/2004 10:54a 0 dir.txt
06/05/2004 03:02p <DIR> download
06/08/2004 01:41p 90 exe.exe
05/19/2004 08:48a 205 Explorer.bat
04/12/2004 01:03a 217 FireDaemon.bat
06/21/2003 05:41p 81,920 FireDaemon.exe
05/19/2004 08:40a 530 FireLSASS.bat
05/14/2004 02:58p 176,280 FixLGate.com
06/08/2004 01:41p 0 Fixlgate.log
05/28/2004 04:46p 31,534 ****.exe
08/26/2003 02:44p 29,696 HIDDEN32.EXE
08/26/2003 02:44p 1,790,464 iexplorer.exe
07/24/2002 12:51a 228,940 iroffer.exe
07/14/2003 02:21a 35,840 KILL.EXE
06/06/2004 09:58a 14 LG.txt
06/08/2004 01:42p 768 LGScans.log
06/05/2004 03:02p <DIR> logs
04/26/2004 12:13a 155,724 lsass.exe
08/17/2004 10:43a 3,039 mirc.ini
10/28/2003 10:32a 173,600 navdb.txt
09/20/2003 08:23p 59,392 nc.exe
06/08/2004 01:21p 807 RPCScans.log
05/01/2004 12:27a 2,392 sc.exe
05/19/2004 08:47a 4,583 secure.bat
09/06/2003 06:46p 5,632 SecureNetbios.exe
03/12/2004 02:12p 73 serv.dll
05/01/2004 12:43a 68,096 serv.exe
03/12/2004 02:27p 1,466 ServUDaemon.ini
06/05/2004 03:02p <DIR> sounds
05/27/2004 09:09a 19,968 svchost32.exe
10/05/2003 03:35p 286,166 unzip.exe
03/18/2003 02:12a 162,816 wget.exe
06/28/2003 05:45a 497,152 WINMGNT.EXE
33 File(s) 5,122,163 bytes
5 Dir(s) 4,443,504,640 bytes free

[Tiger Shark]

Well.... Where do I start.....

Imagine a mechanic's toolbox..... All those tools..... You have as many here... It's a complete toolkit....

It's impossible to say what they all do since all you can see there is the names and any file is easy to rename. nc.exe is there, that's NetCat probably - the self styled "Swiss Army Knife". There's a bunch of other stuff there too that may or may not be what they purport to be but whatever they are they aren't good.

To be honest this box is so owned that your only safe recourse is to reformat and reinstall from scratch after backing up _only_ data files. Everything else must come from a trusted source.

[Irongeek]

FireDaemon.exe lets you run programs as a service, NC.exe is NetCat and is useful for all sorts of stuff (like shoveling a shell) and there are quite a few other useful tools for a cracker there. Looks like someone has set up a backdoor and some tools on your box, maybe with a kit like Backdoor.IRC.Zcrew (http://securityresponse.symantec.com...c.zcrew.b.html ). I would recommend nuking and rebuilding your computer and changing all the passwords you normally use.

[jinxy]

Picking one off the entries at random. You seem to be infected with the Gaobot worm, for starters.

So as Tiger Shark has suggested re-format and re-install is the best advice. It also allows remote access so a chang of all your passwords and login details to everything you do on line would be wise.

[Ennis]

****.exe <--Dear lord.

[Tiger Shark]

****.exe <--Dear lord.

Yeah... Stuff like that has to be the skiddie idea of hiding something's true intent.....

"OK, if we call it ****.exe maybe they'll think it's some kind of virtual vibrator or something. They sure wouldn't think it was a backdoor or something......."

[dimab1]

The funny part is that I just typed it into a search as a fluke, I knew there was a problem with my computer and out of frastration thats what I typed inot the search f**k.exe and I guess it worked. Can anyone tell me how it could have gotten on my computer and how can I prevent this from happening again. Thanx.

[Irongeek]

Run an up-to-date AV package, run a firewall, keep up on your Windows patches and be careful what you install on your box.

[Tiger Shark]

Do you have a firewall?
Do you apply all the updates when they come out?
Do you have file and printer sharing enabled?
etc. etc. etc.

[Edit]

Old age is slowing me down I guess.....

[/Edit]

[jinxy]

Read all about it here:

http://securityresponse.symantec.com...gaobot.af.html