hacktool.dfind overloading ports on the firewall

Status
Not open for further replies.

Archiee3

IS-IT--Management
Dec 12, 2008
6
GB
Hi,

We've been having a recurring problem here with a particular machine behind a firewall running a dfind.exe process which overloads the firewall by maxing out the connections (at 4096). The problem has been identified and deleted time and time again but keeps coming back, so it seems there is another process that is causing the malware to come back.

The machine is a Windows Server 2003 machine with Symantec Endpoint Protection 11 installed. SEP has only come up with identifying the virus (hacktool.dfind) once, and each time the virus comes back and our firewall goes down the process is called something else (e.g. it was called rtvscan.exe last time).

We've run SEP, Malwarebytes, spybot, hijack this (log file available at: ), trend micro housecall and rootkit revealer to no avail.

I have trawled the web for people who've had similar problems, and can currently only find the following posts which are similar, but none of them seem to have solutions!



Any help would be very much appreciated! It's an important server, and an even more important firewall it's overloading, so if there is any way at all to stop this malware before having to rebuild the machine that would be brilliant!!
 
According to the author of the program (see Sysinternals Forums) this is a replacement for NMap. A hacker has taken a copy of the program, found a hole in your system, and installed a virus. (Not that that helps much.) As you suspect, it is another process that is re-installing it.

Are you fully patched?


James P. Cottingham
I'm number 1,229!
 
Yes the system is fully patched and up to date
 
Here are some anomalies I found in the HJT log:

C:\WINDOWS\system32\dllcache\csrss.exe
Should be : C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\dllcache\ServiceDaemon.exe
needs to be quarantined or deleted! This is a service spoofer, e.g. it will allow any program to be run as a service under any name... unless you have installed this yourself, I definitely would delete it...

read about it: and



Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."
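One way to turn the path anomalies Ben points out into a repeatable check is to compare each running image path against the canonical location for that executable name and flag anything executing from a staging directory such as dllcache. The script below is an added example, not from this thread, from HijackThis, or from Symantec; the process list it scans is constructed to mirror the anomalies discussed above (the real HJT log is not reproduced here), the canonical-path table assumes a default Windows Server 2003 layout, and the Symantec install path used for Rtvscan.exe is a sample value.

```python
"""Flag processes whose image path does not match the canonical location for that
executable name, or that run from directories no normal process should run from.
The sample process list is constructed for this example and is not the poster's log."""
import ntpath

# Canonical locations of a few core Windows executables (assumed Server 2003 layout).
CANONICAL_PATHS = {
    "csrss.exe": r"C:\WINDOWS\system32\csrss.exe",
    "winlogon.exe": r"C:\WINDOWS\system32\winlogon.exe",
    "services.exe": r"C:\WINDOWS\system32\services.exe",
    "lsass.exe": r"C:\WINDOWS\system32\lsass.exe",
    "svchost.exe": r"C:\WINDOWS\system32\svchost.exe",
}

# Directories from which no legitimate process should normally be executing
# (dllcache is a backup store for system files, not a launch location).
SUSPICIOUS_DIRS = (r"c:\windows\system32\dllcache", r"c:\windows\temp")

# Executable names the thread identifies as indicators (dfind.exe, ServiceDaemon.exe).
KNOWN_BAD_NAMES = {"dfind.exe", "servicedaemon.exe"}

# Constructed sample process list mirroring the anomalies in the thread.
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\system32\dllcache\csrss.exe",
    r"C:\WINDOWS\system32\dllcache\ServiceDaemon.exe",
    r"C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe",  # sample path
    r"C:\WINDOWS\system32\svchost.exe",
]


def classify(image_path):
    """Return a list of findings for one image path (empty list means nothing suspicious)."""
    name = ntpath.basename(image_path).lower()
    directory = ntpath.dirname(image_path).lower()
    findings = []

    if name in KNOWN_BAD_NAMES:
        findings.append("known-bad name")

    # A core system binary running from anywhere but its canonical path is a
    # masquerade candidate (the dllcache\csrss.exe case from the HJT log).
    canonical = CANONICAL_PATHS.get(name)
    if canonical and canonical.lower() != image_path.lower():
        findings.append("system binary outside canonical path (expected %s)" % canonical)

    # Any process launched from a staging/backup directory is worth a look.
    if any(directory == d or directory.startswith(d + "\\") for d in SUSPICIOUS_DIRS):
        findings.append("running from %s" % directory)

    return findings


def scan(paths):
    """Map each suspicious image path to its findings; clean paths are omitted."""
    report = {}
    for path in paths:
        findings = classify(path)
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in scan(SAMPLE_PROCESSES).items():
        print(path)
        for finding in findings:
            print("    -", finding)
```

In practice the path list would come from the HijackThis process section or from a `tasklist`-style export, and the canonical table would be extended from a known-good build of the same OS; the point is that a name alone (rtvscan.exe, csrss.exe) says nothing, while name plus location does.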
 