Thread: HJT-log....rooted

  1. #1
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018

    HJT-log....rooted

    This is what a log looks like that has been rooted. How many pieces of nastiness can you find in there?? And for the extra bonus, can you identify the rootkit involved?


    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\srvany.exe
    C:\WINNT\system32\srvany.exe
    C:\WINNT\System32\svchost.exe
    C:\winnt\system32\Shared\dllhost.exe
    C:\WINNT\system32\srvany.exe
    C:\winnt\system32\Shared\lsass.exe
    C:\winnt\system32\firewall.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\srvany.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\srvany.exe
    C:\WINNT\system32\Ati2evxx.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mobsync.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\WINNT\system32\RevoTask.exe
    C:\WINNT\system32\tlntsvr.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    C:\WINNT\system32\ctfmon.exe
    C:\winnt\system32\dhcp\files\mdll.exe
    C:\winnt\system32\dhcp\files\xscan.exe
    C:\WINNT\system32\ZoneLabs\vsmon.exe
    D:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
    O4 - HKLM\..\Run: [RevoTaskbarApp] C:\WINNT\system32\RevoTask.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Security Patches] WinLab32.exe
    O4 - HKLM\..\Run: [timesettings] C:\PROGRA~1\Meow obj eq\byte mess gpl.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
    O4 - HKLM\..\Run: [Application] C:\winnt\system32\dhcp\files\hiddenrun.exe mdll.exe
    O4 - HKLM\..\RunServices: [Security Patches] WinLab32.exe
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: ICQ 4.1 (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...153.8308680556
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab


    No really, if you have any idea what rootkit this is from, please let me know. meeeeeeeeee and I have been looking all afternoon and not having a lot of luck

  2. #2
    @ÞΜĮЙǐЅŦГǻţΩЯ D0pp139an93r
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,705
    Actually everything in there is malware as far as I can see.


    This machine seems to be infected with adware, spyware, ZA, and Windows.
    Real security doesn't come with an installer.

  4. #4
    Senior Member
    Join Date
    Jul 2003
    Posts
    813
    That makes Windows the rootkit right?

    Congrats, groovicus, that might be the first HJT log of the one machine that contains all the spyware in the internet... did it take long for that to happen?
    /\\

  5. #5
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    tlntsvr.exe..........Trojan
    C:\WINNT\system32\services.exe...........related to above
    Details Here: http://vil.nai.com/vil/content/v_99378.htm

    It's a remote access threat, maybe part of your rootkit.

    You also got a worm...WinLab32.exe
    Details Here: http://uk.trendmicro-europe.com/ente...=WORM_SDBOT.GD

    xscan.exe.......Hacktool
    Details: xscan.exe
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  6. #6
    Hoopy Frood
    Join Date
    Jun 2004
    Posts
    662
    If this is a real machine and what people are saying is true, perhaps you may want to format? It may be quicker. BTW, it has Sasser, I believe. You can read the details at Symantec's site: http://securityresponse.symantec.com...oval.tool.html
    Symantec Security Response - W32.Sasser Removal Tool

    /edit - putting in all necessary words helps understanding.
    "Personality is only ripe when a man has made the truth his own."

    -- Søren Kierkegaard

  7. #7
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Couple of things I noticed that don't look right. I'm on 2000 at work right now so I'm verifying what looks suspicious with my machine that's not infected with anything.

    C:\WINNT\system32\srvany.exe - what is that and why are there multiple instances?
    C:\WINNT\system32\firewall.exe - doesn't exist on my machine and I've never heard of that before so it sounds suspicious unless I'm completely wrong.
    C:\WINNT\system32\RevoTask.exe - what is that? It's all over your machine.
    C:\winnt\system32\dhcp\ - not sure, this exists on mine but mine is empty of anything. Might be legit but if so, that's the weirdest way I've ever seen DHCP being used...

    Now for the registry stuff...

    O4 - HKLM\..\Run: [RevoTaskbarApp] C:\WINNT\system32\RevoTask.exe - lose this
    O4 - HKLM\..\Run: [Security Patches] WinLab32.exe - and this...it's the WORM_SDBOT.GD variant as found here
    O4 - HKLM\..\Run: [timesettings] C:\PROGRA~1\Meow obj eq\byte mess gpl.exe - I have no idea what that could possibly mean/be/etc..lose it just in case unless you know what it is.

    O4 - HKLM\..\Run: [Application] C:\winnt\system32\dhcp\files\hiddenrun.exe mdll.exe - there's that weird DHCP thing again...I don't buy that it's really dhcp because I've never known anything to be named "hiddenrun" and calling another executable at that. I'd lose it just in case because chances are, you're not serving out DHCP leases.

    Lookup on 'hiddenrun.exe' revealed this thread here where it's shown as a method to hide execution of other scripts/etc. Bad news if you ask me...that's just like trojaning your ps/ls/find/top/etc programs in *nix to hide various bad things...

    Hope this helps some...I'm no expert on the veritable thousands of windows exploits but I do know suspicious stuff when I see it. I'd go to another machine, download the latest NAV updates, download Ad-Aware and the latest reference file, as well as Spybot's S&D, and the SwatIt trojan-scanner, burn them all to a CD, then boot the infected machine up (unplugged from the network), install all that, reboot into safe mode, then scan the living hell outta it!
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  8. #8
    Senior Member Spyrus
    Join Date
    Oct 2002
    Posts
    741
    Ok here goes..


    Pieces of Nasty!


    C:\winnt\system32\firewall.exe
    C:\WINNT\system32\tlntsvr.exe <-- May be part of the kit NASTY
    C:\winnt\system32\dhcp\files\mdll.exe
    C:\winnt\system32\dhcp\files\xscan.exe <--Also part of kit
    O4 - HKLM\..\Run: [Security Patches] WinLab32.exe <-- more the IRC batch
    O4 - HKLM\..\Run: [timesettings] C:\PROGRA~1\Meow obj eq\byte mess gpl.exe <-- says it all
    O4 - HKLM\..\Run: [Application] C:\winnt\system32\dhcp\files\hiddenrun.exe mdll.exe <-- bye bye
    O4 - HKLM\..\RunServices: [Security Patches] WinLab32.exe <-- blah blah
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 <-- prolly get rid of this anyway



    things I thought at first
    C:\WINNT\system32\RevoTask.exe <--
    This is the Control Application for M-Audio Revolution 7.1 sound card. The sound card will function without it; but changes to speaker setup and sound modification (Bass/Treble etc) will not be available.
    here

    C:\WINNT\system32\srvany.exe <--
    Application that is associated with Microsoft Windows NT 4, 2000, and XP Resource Kits and is used to run normal Windows applications as services.
    here

    C:\Program Files\Java\jre1.5.0\bin\jusched.exe <--
    checks the Sun site to see if newer Java versions are available.
    Now while some of these look nasty, there are a lot of things that are running because of programs you have chosen to run. Looks like the answer to your question is that IRC BOT bug that found its way in and propagated itself everywhere

    Edit: grammar and such
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click
    here
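Turning the checks in #7 and #8 into something repeatable: the Python below is an added example, not code from this thread or from HijackThis, that parses a log in the format posted above and flags the patterns those two replies point at. The SYSTEM_BINARIES list and the heuristics themselves are my assumptions, and the sample log lines are copied from the log in post #1. It marks candidates for a human to check; it does not decide what is malware.

```python
"""Triage heuristics for a HijackThis log of the kind posted above.

Added example, not part of the original thread or of HijackThis itself.
It surfaces the patterns the replies point at so a human can check each:

  * a core Windows binary name running from somewhere other than
    %SystemRoot%\\system32 (the posted log has lsass.exe and dllhost.exe
    under system32\\Shared);
  * the same executable name running from two different directories;
  * O4 Run/RunServices values that are a bare file name, which the OS
    resolves through the search path rather than a fixed location;
  * O4 values whose command line hands a second executable to a loader
    (hiddenrun.exe mdll.exe in the posted log).
"""
import re
from collections import defaultdict

# Assumption: core NT binaries that normally run only from %SystemRoot%\system32.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "dllhost.exe"}

O4_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# First token of a command line: a quoted path, or everything up to the
# first ".exe" (unquoted paths with spaces are common in these logs).
CMD_RE = re.compile(r'^"([^"]+)"\s*(.*)$|^(.+?\.exe)\s*(.*)$', re.IGNORECASE)


def parse_hjt(text):
    """Split a HijackThis log into (process paths, [(section, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = re.match(r"^(R\d|O\d+) - (.*)$", line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def split_command(cmd):
    """Return (executable, arguments) for an O4 command line."""
    m = CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    if m.group(1) is not None:
        return m.group(1), m.group(2)
    return m.group(3), m.group(4)


def triage_processes(processes):
    """Flag masquerading system binaries and same-name/different-dir pairs."""
    masquerade, dirs_by_name = [], defaultdict(set)
    for path in processes:
        directory, _, name = path.lower().rpartition("\\")
        dirs_by_name[name].add(directory)
        if name in SYSTEM_BINARIES and not directory.endswith("\\system32"):
            masquerade.append(path)
    duplicates = {n: sorted(d) for n, d in dirs_by_name.items() if len(d) > 1}
    return masquerade, duplicates


def triage_o4(entries):
    """Flag bare-name autostarts, RunServices entries and loader patterns."""
    bare, run_services, loaders = [], [], []
    for section, body in entries:
        if section != "O4":
            continue
        m = O4_RE.match(body)
        if not m:
            continue                  # "Global Startup" lines use another shape
        hive, key, label, cmd = m.groups()
        exe, args = split_command(cmd)
        if "\\" not in exe:           # resolved via the search path at logon
            bare.append((f"{hive}\\..\\{key}", label, exe))
        if key.lower() == "runservices":
            # Windows 9x/Me key; Windows 2000 does not execute it, so a value
            # here was written by something that targets every Windows version.
            run_services.append((label, cmd))
        if args.lower().endswith(".exe"):
            loaders.append((label, exe, args))
    return bare, run_services, loaders


def triage(text):
    """Run every heuristic over one log and return the findings by kind."""
    processes, entries = parse_hjt(text)
    masquerade, duplicates = triage_processes(processes)
    bare, run_services, loaders = triage_o4(entries)
    return {"masquerade": masquerade, "duplicates": duplicates,
            "bare": bare, "run_services": run_services, "loaders": loaders}


# Excerpt of the log posted at the top of the thread (lines copied from it).
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\svchost.exe
C:\winnt\system32\Shared\dllhost.exe
C:\winnt\system32\Shared\lsass.exe
C:\winnt\system32\firewall.exe
C:\winnt\system32\dhcp\files\mdll.exe
C:\winnt\system32\dhcp\files\xscan.exe

O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Security Patches] WinLab32.exe
O4 - HKLM\..\Run: [timesettings] C:\PROGRA~1\Meow obj eq\byte mess gpl.exe
O4 - HKLM\..\Run: [Application] C:\winnt\system32\dhcp\files\hiddenrun.exe mdll.exe
O4 - HKLM\..\RunServices: [Security Patches] WinLab32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind)
        for hit in (hits.items() if isinstance(hits, dict) else hits):
            print("   ", hit)
```

On the excerpt this reports the two binaries under system32\Shared as masquerades, lsass.exe as a name running from two directories, the WinLab32.exe values under both Run and RunServices, and hiddenrun.exe launching mdll.exe. mobsync.exe and ctfmon.exe also trip the bare-name check even though they are Microsoft's own; that is the point of the check, since a bare name is resolved through the search path at logon, so the label proves nothing and the file actually found on disk has to be looked at.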

  9. #9
    Senior Member
    Join Date
    Feb 2004
    Posts
    201
    Just FYI, this line is LOP, a fairly common piece of malware, and nothing to be overly concerned with. It's the rest of the "ick" that's worrisome.

    O4 - HKLM\..\Run: [timesettings] C:\PROGRA~1\Meow obj eq\byte mess gpl.exe

  10. #10
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    I'd be looking a bit further than the HijackThis log too.

    I'd be looking for any of the PsTools apps that may have been uploaded. Or similar.

    This is more a question than anything. Does HijackThis show hidden processes and registry entries?? I ask because I came across the following:

    Luckily many crackers are careless and portions of their rootkit can be detected. The trojaned files above often have configuration files that list which programs to hide and which to display. Often they forget to hide the configuration files themselves. Since /dev is the default location for many of these configuration files, looking in there for anything that is a normal file is often a good idea.

    A rootkit, however, cannot affect processes that have _root_ in their names. In other words, when a system administrator is analyzing the system log using Regedit.exe, he cannot see hidden entries, but just by changing its name to _root_regedit.exe, it will be enough for him to see all of them as well as hidden keys and registry entries. This is true for all programs – for example, Task Manager

    Full article here: http://www.windowsecurity.com/articl...vironment.html
