
INFECTED GrayPigeon_ Hacker.com.cn.


Name: hesaloser
Date: September 18, 2007 at 12:16:08 Pacific
OS: 2003 R2 Standard Edition
CPU/Ram: dual core Xeon 2.8/2.8 3
Manufacturer/Model: HP
Comment:

Hey all,
I am supporting a Microsoft 2003 server that I recently noticed had a fishy service running. The service shows up as Name: "GrayPigeon_Hacker.com.cn", Description: "灰鸽子服务端程序。远程监控管理" (GBK text that was mis-rendered on the page; in English: "Gray Pigeon server program. Remote monitoring and management"), Log On: Local System account. I disabled this process and looked around for more information on it via the web.
http://vil.nai.com/vil/content/v_13...
http://www.castlecops.com/o23-all.html
Found out it is a Backdoor Trojan…
Inside my C:\Windows a file named Hacker.com.cn.exe was created, I renamed the file with an unusable extension for the time being.

Upon doing a search in regedit for “gray” I found the following key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN
Inside this key is a directory named “0000” that holds 7 more entries:
(Default), REG_SZ ,(value not set)
Class, REG_SZ , LegacyDriver
ClassGUID, REG_SZ, {8ECC055D-047F-11D1-A537-0000F8753ED1}
ConfigFlags, REG_DWORD, 0x00000000 (0)
DeviceDesc, REG_SZ, GrayPigeon_Hacker.com.cn
Legacy, REG_DWORD, 0x00000000 (1)
Service, REG_SZ, GrayPigeon_Hacker.com.cn

Along with that registry key, I found all of the keys listed on the Norton site above (1st link). The only difference is that the last two keys listed on the site are not on my machine.
These two:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GrayPigeon_Hacker.com.cn\Enum "0" = "Root\LEGACY_GRAYPIGEON_HACKER.COM.CN\0000"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GrayPigeon_Hacker.com.cn\Enum "Count" = "01, 00, 00, 00"

I ran a full, up-to-date scan with Symantec AV version 10.0.2.2 and nothing gets found. I've scanned the C:\Windows\hacker.com.cn file directly with Symantec and nothing is found. I've run HijackThis, analyzed the log, and nothing stands out. I've run Microsoft's RootKit Revealer and nothing is found. I've run the latest and greatest Windows Malicious Tool; nothing is found. All Windows updates have been implemented. Looking at Add or Remove Programs with "Show updates" checked, nothing out of the norm appears; I have WebEx installed, but that was a legitimate installation from a legitimate source.
Can I go ahead and delete the registry keys? Do you think I'll run into adverse effects from deleting the keys? If this is a backdoor Trojan, couldn't there very likely be a "fake" legit-looking program lurking around my server?
Looking for some advice from some of you experts out there…




Response Number 1
Name: jabuck
Date: September 18, 2007 at 14:04:00 Pacific
Reply:

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... then extract the contents to your desktop.

!!!! Only run option #1, as running the other options on an uninfected computer will damage the desktop!!!!


Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



Response Number 2
Name: hesaloser
Date: September 18, 2007 at 15:36:00 Pacific
Reply:

Heres the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:09 PM, on 9/18/2007
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\Backup Exec\beremote.exe
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\system32\certsrv.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\WINDOWS\system32\inetsrv\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\WINDOWS\System32\ismserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\system32\wmiprvse.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.exe
D:\Exchsrvr\bin\exmgmt.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
D:\Exchsrvr\bin\mad.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\system32\sysdown.exe
C:\WINDOWS\System32\svchost.exe
D:\Exchsrvr\bin\store.exe
D:\Exchsrvr\bin\emsmta.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.exe
C:\WINDOWS\system32\oobechk.exe
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\system32\wuauclt.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\WINDOWS\regedit.exe
C:\SYS Utilities\Hijack this analyzer\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [DLPSP] "C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPSP.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O15 - ESC Trusted Zone: http://downloads.canon.com
O15 - ESC Trusted Zone: http://www.realvnc.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://symantec.webex.com/client/T23L/support/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mydomain.com
O17 - HKLM\Software\..\Telephony: DomainName = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{587698C9-EAE9-4866-A3EF-96F4BD052E20}: NameServer = na.me.server,na.me.server
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A3819B3-24B2-407F-933B-345C40841184}: NameServer = na.me.server
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mydomain.com
O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\beserver.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: CCProxy - Unknown owner - C:\WINDOWS\system32\svchost .exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Dell Printer Status Watcher (DLPWD) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLPWDNT.exe
O23 - Service: Dell Printer Status Database (DLSDB) - Dell Inc. - C:\Program Files\Dell Printers\Additional Color Laser Software\Status Monitor\DLSDBNT.exe
O23 - Service: Event Notification (ENS) - Unknown owner - C:\WINDOWS\netsvc.exe
O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINDOWS\system32\inetsrv\svchost.exe
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7367 bytes

Looks like some svchost.exe issues. Notice the "svchost .exe" (space after the file name). Looks like CCProxy may be a culprit; I did a quick search on the net and CCProxy may be tied in with Symantec... I'll have to verify.

Looks like we may be getting somewhere.

Also to note:
Found "svchost .exe" in C:\Windows\system32; size is 776 KB. When highlighted, the description shows as "CCProxy Microsoft MFC Application". Proxy? Huh? Could it be spamming with my IP / domain? Task Manager says it is currently using 6,600 K of memory.

The other svchost.exe in the system32 directory is 15 KB.

Task Manager shows 10 svchost.exe processes running on top of the 1 "svchost .exe".

I looked at the "date created" on the 15 KB svchost.exe and it was Feb 17, 2007.
"svchost .exe" was April 23, 2007. There is an svchost.exe in the directory C:\Windows\system32\inetsrv whose date created was April 22, 2007. I think we may be on to something.

I don't have the ability to modify system settings just quite yet. I want to make sure we get a full backup done before I start messing around; hopefully tonight that will go through without any problems.

Thanks again


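Triage of the log above in code, as an added example that is not part of the original post: it parses the running-process paths and the O23 service lines and flags the same signs the thread picks out by hand (a space before ".exe", a system binary name outside system32, a service binary sitting directly in C:\Windows, an unknown owner, a "cmd /c start" launcher, a missing file, and a display name that is a near-miss for a real Windows service). The sample lines are copied from the log posted above; the directory constants, the known-system-binary set and the short list of real service names are assumptions.

```python
"""Triage a HijackThis log for the signs picked out by hand in this thread.

Added example, not part of the original post. The directory constants, the
known-system-binary set and the list of real service names are assumptions.
"""
import difflib
import ntpath
import re

# Sample input: lines copied from the HijackThis log posted above (a subset).
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost .exe
C:\WINDOWS\system32\inetsrv\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: CCProxy - Unknown owner - C:\WINDOWS\system32\svchost .exe
O23 - Service: Event Notification (ENS) - Unknown owner - C:\WINDOWS\netsvc.exe
O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINDOWS\system32\inetsrv\svchost.exe
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

SYSTEM_DIR = r"c:\windows\system32"      # assumption: default %SystemRoot%\system32
WINDOWS_DIR = r"c:\windows"
# Binaries whose names malware likes to borrow; the legitimate copies live in SYSTEM_DIR.
SYSTEM_BINARIES = {"svchost.exe", "wmiprvse.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "csrss.exe", "spoolsv.exe"}
# Display names of real Windows services an impostor might imitate (assumption: short list).
REAL_SERVICE_NAMES = ["Shell Hardware Detection", "Protected Storage",
                      "System Event Notification", "Windows Management Instrumentation"]

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)


def image_path(cmd):
    """Executable path inside a service command line (skips quotes, 'cmd /c start', trailing notes)."""
    match = EXE_RE.search(cmd)
    return match.group(0) if match else None


def check_path(path):
    """Checks that apply to any executable path, whether a service image or a running process."""
    reasons = []
    directory = ntpath.dirname(path.lower())
    base = ntpath.basename(path.lower())
    if re.search(r"\s\.exe$", base):
        reasons.append("whitespace before .exe, impersonates " + base.replace(" ", ""))
    if base.replace(" ", "") in SYSTEM_BINARIES and directory != SYSTEM_DIR:
        reasons.append("system binary name outside " + SYSTEM_DIR)
    return reasons


def check_service(display, owner, cmd):
    """Checks that only make sense for an O23 service entry."""
    reasons = []
    path = image_path(cmd)
    if path:
        reasons += check_path(path)
        if ntpath.dirname(path.lower()) == WINDOWS_DIR:
            reasons.append("service binary sits directly in " + WINDOWS_DIR)
    if owner == "Unknown owner":
        reasons.append("no vendor in the file's version info")
    if cmd.lower().startswith("cmd"):
        reasons.append("service launched through cmd.exe")
    if "(file missing)" in cmd:
        reasons.append("binary missing on disk")
    # Near-miss names: drop the "(ShortName)" suffix and a trailing "Service", then fuzzy-match.
    bare = re.sub(r"\s*\([^)]*\)\s*$", "", display)
    bare = re.sub(r"\s+Service$", "", bare)
    for real in difflib.get_close_matches(bare, REAL_SERVICE_NAMES, n=1, cutoff=0.8):
        if real != bare:
            reasons.append("name resembles the real '%s' service but is not it" % real)
    return reasons


def analyze(log_text):
    """Return [(item, reason), ...] for every suspicious line in the log text."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        service = O23_RE.match(line)
        if service:
            for reason in check_service(service["display"], service["owner"], service["cmd"]):
                findings.append((service["display"], reason))
        elif EXE_RE.match(line):
            for reason in check_path(line):
                findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for item, reason in analyze(SAMPLE_LOG):
        print("%-55s %s" % (item, reason))
```

Run against a full log (paste it in place of SAMPLE_LOG) and every O23 entry with an unknown owner is listed, so the "no vendor" reason on its own is only a prompt to check the file, while a space before ".exe", a system-binary name in the wrong directory, a cmd.exe launcher or a near-miss display name is the kind of thing the thread treats as a fake service.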

Response Number 3
Name: jabuck
Date: September 18, 2007 at 19:47:42 Pacific
Reply:

There are not many auto cleaners for Windows 2003 so we will need to try to remove it manually.

This service is fraudulent:

O23 - Service: Shell Hardware Dectection Service (HWDect) - Unknown owner - C:\WINDOWS\system32\inetsrv\svchost.exe (the word detection is spelled wrong)

Go to Start > Control Panel > Administrative Tools > Services, scroll down to "Shell Hardware Dectection Service (HWDect)" and double-click on it, then click Stop > Apply > OK. Next, to the far right of "Startup type", click the blue drop-down arrow, click Disabled, then Apply > OK.

Exit Services

Do a search for these files and delete them if found, including the file you renamed.

windows.exe

windowsupdate.exe

abc.exe

winlogoin.exe

C:\WINDOWS\system32\inetsrv\svchost.exe

Navigate to and delete this folder if found:

C:\WINDOWS\system32\inetsrv

Open Notepad (Start Menu > Run > type notepad and press "OK").

Copy and paste everything between the X's into Notepad, making REGEDIT4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4

; removes the Plug and Play entry the fake service created
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GRAYPIGEON_HACKER.COM.CN]

; removes the service definition itself
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GrayPigeon_Hacker.com.cn]

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Go to File on the top bar and choose "Save As", change "Save as type" to All Files, name it Fix.reg, then save it to your desktop.

Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.

If you continue to have problems, this service may be a virus:

O23 - Service: Event Notification (ENS) - Unknown owner - C:\WINDOWS\netsvc.exe

You can disable it and run for a day or so, and if you have no problems, delete the file:

C:\WINDOWS\netsvc.exe

Please let us know how things turn out.


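The registry part of the cleanup above, as an added example that is not jabuck's code: the posted Fix.reg only names ControlSet001, but Windows keeps a Services key and a LEGACY_* Enum entry per ControlSetNNN, and the live one is whichever set HKLM\SYSTEM\Select\Current points to. If Current is 2 on this server the posted file removes nothing from the running configuration, and a copy left in the Last Known Good set is restored if anyone boots Last Known Good. This script writes a REGEDIT4 file that deletes both keys under every control set plus CurrentControlSet. The service name is the one from the thread; the two control-set names used when the script is run anywhere other than the infected box are an assumption.

```python
"""Generate a REGEDIT4 cleanup file for the Gray Pigeon service across all control sets.

Added example, not code from the original reply. The service name comes from the
thread; the control-set names used when this runs off the infected box are an
assumption (most hosts have ControlSet001 and ControlSet002).
"""
import sys

SERVICE_NAME = "GrayPigeon_Hacker.com.cn"   # from the thread


def registry_targets(service_name, control_sets):
    """Service key and LEGACY_* PnP entry for each ControlSetNNN, plus CurrentControlSet."""
    keys = []
    for control_set in list(control_sets) + ["CurrentControlSet"]:
        keys.append(r"HKEY_LOCAL_MACHINE\SYSTEM\%s\Services\%s" % (control_set, service_name))
        keys.append(r"HKEY_LOCAL_MACHINE\SYSTEM\%s\Enum\Root\LEGACY_%s"
                    % (control_set, service_name.upper()))
    return keys


def build_reg(keys):
    """REGEDIT4 text: a '-' right after '[' deletes the key and everything under it."""
    lines = ["REGEDIT4", "",
             "; Deleting a key that does not exist is ignored, so listing every control set",
             "; is safe. If regedit refuses to delete a LEGACY_* key, grant Administrators",
             "; Full Control on that key (Edit > Permissions) and merge the file again.",
             ""]
    for key in keys:
        lines += ["[-%s]" % key, ""]
    return "\r\n".join(lines)   # .reg files are CRLF text


def control_sets_on_this_host():
    """Enumerate the ControlSetNNN keys from the live registry (Windows only)."""
    import winreg   # standard library, present only on Windows
    names = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SYSTEM") as system_key:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(system_key, index)
            except OSError:          # raised when there are no more subkeys
                break
            if name.upper().startswith("CONTROLSET"):
                names.append(name)
            index += 1
    return names


if __name__ == "__main__":
    sets = (control_sets_on_this_host() if sys.platform == "win32"
            else ["ControlSet001", "ControlSet002"])   # assumption when run off-box
    sys.stdout.write(build_reg(registry_targets(SERVICE_NAME, sets)))
```

On the server, redirect the output to Fix.reg and merge it as described above; stop and disable the service first, because a running service re-creates its Enum entry when it starts.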
