Got an odd one (posted something on it yesterday). Did RAV's online scan, which turned up Netsky.C buried in a mail file and a "Tool: HideWindows" infecting svchost32.exe and a file in the Temp folder in the WINNT directory. Symptoms were mass mailing coming from the affected computer. Ran Symantec's FxNetsky tool (v1.0.3) and it found no Netsky, which I attributed to a new variant of the virus. Went back in this a.m. after seeing Symantec had a new FxNetsky tool (v1.0.4), ran it, AND it found nothing. In the meantime, I did some homework last night on the "Tool: HideWindows" and it turns out that it may be an IRC/trojan that's very well hidden on the computer. Norton's AV, which I updated and ran, had quarantined just such a trojan last summer from the very same temp folder (it's turning up nada now). I also ran CWShredder and Stinger, which turned up nothing. We finally unhooked the computer from the network and had the email service disable this particular account. Panda's online scan has this thing as clean, but they're not as good as RAV, and I suspect the svchost32.exe file may have been rewritten somehow.
Here's the HJT log file:
Logfile of HijackThis v1.97.7
Scan saved at 10:39:44 AM, on 3/9/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\LightningFAX\LFapifbk\LFapifbk.exe
C:\Program Files\LightningFAX\LFserver\LFprint.exe
C:\Program Files\LightningFAX\LFrcp\LFrcp.exe
C:\Program Files\LightningFAX\LFserver\LFserver.exe
C:\Program Files\LightningFAX\LFserver\LFslave.exe
C:\Program Files\LightningFAX\LFsmtp\lfsmtp.exe
C:\Program Files\Microsoft SQL Server\MSSQL$EMMSDE\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\WINNT\Fonts\explorer.exe
C:\Program Files\LightningFAX\LFclient\lfsndmng.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\Program Files\E-Color\Common\IconMgr.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Aegon\Updater\Updater.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.exe
C:\Program Files\Microsoft Office\Office\OSA.exe
C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
C:\HijackThis.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msilending.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [explore] C:\WINNT\System32\explore.exe
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe
O4 - HKLM\..\Run: [lfsndmng] "C:\Program Files\LightningFAX\LFclient\lfsndmng.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Launcher] E:\setup.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {05842B0C-271B-412F-958F-D1A8F6CAD937} (ClickLoan Control) - https://www.clickloan.com/CAB/GenClickLoan/1,0,0,9/GenClickLoan.cab
O16 - DPF: {21F49842-BFA9-11D2-A89C-00104B62BDDA} (ChartFX IE 2000 Control) - http://www.wfg-online.com/Chart/Download/CfxIE.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://www.installshield.com/client/iftwclix.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF05D910-DC8E-403A-93B0-5C866F3200D1} (PtClickLoan Control) - http://www.clickloan.com/CAB/PtClickLoan.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://elliemae.webex.com/client/latest/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DBF731C8-391F-4FCC-B878-B292BD04E702}: NameServer = 192.168.0.1

Is there something here I'm missing? Thanks!

Seems a funny place to find explorer..
O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe
I'd at least be checking this out.
D4

Hi,
Put a check next to these, click "fix checked" and reboot.
O4 - HKLM\..\Run: [explore] C:\WINNT\System32\explore.exe
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe

Restart the computer.
Go into C:\WINNT\system32
and delete explore.exe

Just the one spelled exactly like this. Do not confuse this with the legitimate iexplore.exe, which is in the Program Files\Internet Explorer folder, or explorer.exe, which is in the Windows folder.
Good luck
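The two replies above catch the entries by location and by name: explorer.exe and rundll32.exe launching from the Fonts folder, and explore.exe being one letter off from explorer.exe and iexplore.exe. The Python below is an added example (not from the thread, HijackThis or Symantec) that applies exactly those two checks to O4 lines; the expected-directory table and the sample lines are constructed from the log above, and WINDIR is assumed to be C:\WINNT.

```python
import re

# Constructed sample in the shape of the log's O4 lines: the three entries
# the replies single out, plus two benign ones for contrast.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [explore] C:\WINNT\System32\explore.exe
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Assumed Windows directory (matches the log) and where the genuine copies
# of a few well-known binaries live, lower-cased for comparison.
WINDIR = r"c:\winnt"
EXPECTED = {
    "explorer.exe": {WINDIR},
    "rundll32.exe": {WINDIR + r"\system32"},
    "svchost.exe": {WINDIR + r"\system32"},
    "iexplore.exe": {r"c:\program files\internet explorer"},
}

O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def exe_path(cmd):
    """Pull the program path out of a Run value, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def one_deletion_apart(short, long):
    """True if deleting one character from `long` yields `short`."""
    return len(long) == len(short) + 1 and any(
        long[:i] + long[i + 1:] == short for i in range(len(long)))

def triage(log_text):
    """Return (path, reason) for every O4 entry that deserves a look."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        path = exe_path(m.group("cmd"))
        parent, _, name = path.lower().rpartition("\\")
        if name in EXPECTED:
            # Known system binary: the directory must be the real one.
            if parent and parent not in EXPECTED[name]:
                findings.append((path, f"{name} outside its normal directory"))
        else:
            # Unknown name: flag near-misses of a known binary's name.
            for legit in EXPECTED:
                if one_deletion_apart(name, legit):
                    findings.append((path, f"lookalike of {legit}"))
    return findings

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_O4):
        print(f"{reason}: {path}")
```

Bare names such as mobsync.exe carry no directory and are left alone here; resolving them through the search path is a separate check.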


Thanks, seems to me to be a pretty serious hack. How about formatting the hdd and reinstalling Windows?

More info for you.
Found a name to go with:
O4 - HKLM\..\Run: [TaskMan] C:\WINNT\Fonts\rundll32.exe
O4 - HKLM\..\Run: [Explorer] C:\WINNT\Fonts\explorer.exe

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.dvldr.html
O4 - HKLM\..\Run: [explore] C:\WINNT\System32\explore.exe
Info on above, #4 on this page.
http://www.sysinfo.org/startuplist.php?filter=explore.exe&count=&type=

"How about formatting the hdd and reinstalling Windows?"

Whatever you do, Windows updates are important.

Good luck
