
hacktool.dfind - page file issue?


nickpin, Technical User, Jun 11, 2002
Hi all,

Long description I'm afraid... please bear with me!

I have Windows 2003 Server running Symantec Antivirus. About a month ago we got a message saying it had quarantined dfind.exe (hacktool.dfind) - from what I gather this scans all ports on the server to look for security holes. At the same time the page file usage went up to 1.5GB (normally 500MB), and our internet connection pings to Google went off the scale, with lots of timeouts too. A third party checked our firewall and it had 2000+ connections on it - normally it should have about 100 I'm told, for 8 of us in the office.

So, I deleted the quarantined dfind.exe files and rebooted - all hunky dory. But it has now happened again twice - same symptoms. The problem I have is that while Symantec is finding and quarantining these files, something else must be going on to cause the page file usage and internet issue; I just can't find what, and virii really aren't my bag... I've obviously made sure I've updated Symantec and run a full scan, plus tried Spybot to no avail.

Anyone else had a similar issue? Recommendations on next steps? Help!!!

Cheers,
Nick
 
I would possibly suspect that someone has used this tool to gain entry into the server. I would take a look at posting a hijack this log and we will see what is up here.

Download here:



Run a scan and post back here.

Also, some good tools for the future.

Webroot Spysweeper

Download it here:


Webroot Spysweeper 14 day Trial

Update the defs and do a sweep.

Also check this out:

Ewido download:


Update it and run a complete scan.


I would also check it with some other virus scanners just to make sure.



But, first, let's see what HJT looks like.

Erik
 
Hi both,

Thanks for the replies... I ran hijack this and the log is as follows:

**************************************
Logfile of HijackThis v1.99.1
Scan saved at 09:33:03, on 15/05/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe
C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
C:\WINNT\system32\MsgSys.EXE
C:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\tcpsvcs.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\SAV\VPC32.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\UltraVNC\WinVNC.exe
c:\winnt\system32\inetsrv\w3wp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
O1 - Hosts: 69.93.97.2 ftp.mxdigital.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Ultr@VNC Server.lnk = C:\Program Files\UltraVNC\WinVNC.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MXD.local
O17 - HKLM\Software\..\Telephony: DomainName = MXD.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C07710D-EAB4-4831-90B8-2A74B36233BD}: NameServer = 192.168.15.10,62.105.161.10,62.105.165.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{D70B020B-B2FD-44C0-B32C-9CDB21B0F15F}: NameServer = 193.84.87.10,62.105.161.10,216.218.195.243,62.105.165.10,192.168.15.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MXD.local
O20 - Winlogon Notify: dimsntfy - C:\WINNT\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: Symantec Quarantine Agent (IcePack) - IBM Corp. - C:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: MSSQL$SHAREPOINT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe" -sSHAREPOINT (file missing)
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe
O23 - Service: Symantec Central Quarantine (qserver) - Symantec Corporation - C:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
O23 - Service: Symantec Quarantine Scanner (ScanExplicit) - IBM Corp. - C:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
O23 - Service: Secure Port Server (Server Administrator) - Unknown owner - %SystemDrive%\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SQLAgent$SBSMONITORING - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE" -i SBSMONITORING (file missing)
O23 - Service: SQLAgent$SHAREPOINT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlagent.EXE" -i SHAREPOINT (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
*************************************

This morning Symantec has again found items. Both were in a sub directory of c:\system volume information. The first was hacktool.dfind (with a file name of svchost.exe), the second hacktool.hidewindow (file name hidden32.exe). Both had multiple instances, which Symantec managed to delete.

So it definitely looks like there is a backdoor or something installed on the box.

Thanks for your time with this,
Nick
 
This one I would look into:

c:\winnt\system32\inetsrv\w3wp.exe

O1 - Hosts: 69.93.97.2 ftp.mxdigital.co.uk (do you know what this is?)

O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)

O20 - Winlogon Notify: dimsntfy - C:\WINNT\SYSTEM32\dimsntfy.dll (possibly bad, not sure look into it)

 
Those files are in system restore so they won't be going anywhere!


Turn off spybot's teatimer!


Download the Hoster from:


Unzip the file, press "Restore Original Hosts" and press "OK". Exit the
program.

Download Cleanup:




* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices; keep all the defaults as set when the Slide Bar to the left is set to Standard Cleanup.
* Click OK
* Run cleanup






Have HijackThis fix these entries. Close all browsers and programmes before
clicking FIX.


O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 



Run an online antivirus check from


Choose extended database for the scan!


Run ActiveScan online virus scan here


When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



Post another HijackThis log, plus the Kaspersky and ActiveScan logs.



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 

You should also post the Ewido and Spysweeper logs!

Erik, missing files in the O9, O20 and O23 entries are a flaw in HijackThis. If the file is legit, leave them alone!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
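A small triage script for the HijackThis log format posted above, added here as an example (it is not from Tek-Tips, HijackThis or anyone in this thread). It buckets entries by the review points raised in the replies: the O1 hosts override, the blank AuFlag run value, the O20 Winlogon Notify DLLs, and khazars' point that "(file missing)" in O9/O20/O23 is a HJT display quirk rather than evidence of a pest. The sample input is constructed from entries in the posted log; the bucket names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99 format: a handful of entries from the
# log posted in this thread, plus one process-list line to show that
# non-entry lines are skipped.
SAMPLE_LOG = r"""C:\WINNT\system32\inetsrv\w3wp.exe
O1 - Hosts: 69.93.97.2 ftp.mxdigital.co.uk
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [AuFlag]
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O20 - Winlogon Notify: dimsntfy - C:\WINNT\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: SQLAgent$SHAREPOINT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlagent.EXE" -i SHAREPOINT (file missing)
"""

# Every HJT finding line starts with a section code (R0, F1, N1, O1..O23).
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

def parse_entries(log_text):
    # Return (section_code, body) pairs; headers and process paths are skipped.
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.rstrip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(log_text):
    # Bucket entries by the review points raised in this thread.
    findings = defaultdict(list)
    for code, body in parse_entries(log_text):
        if code == "O1":
            # A hosts-file line pins a name to a fixed IP; confirm the owner knows it.
            findings["hosts_override"].append(body)
        elif code == "O4" and body.endswith("]"):
            # A Run value with no command is clutter at best; HJT can remove it.
            findings["empty_run_value"].append(body)
        elif code == "O20":
            # Winlogon Notify DLLs load into winlogon.exe, so each needs a known owner.
            findings["winlogon_notify"].append(body)
        if body.endswith("(file missing)"):
            # In O9/O20/O23 this is a known HJT display quirk; elsewhere (the O2
            # BHO here) it is an orphaned entry that can safely be fixed.
            key = "file_missing_quirk" if code in ("O9", "O20", "O23") else "file_missing_orphan"
            findings[key].append(body)
    return dict(findings)  # e.g. triage(SAMPLE_LOG)["hosts_override"]
```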
 
pechenegs,

The O20 I was unsure of; that is what I said. They are not always legit, and I just said look into it. That's all. Thanks for the clarification.
 
Yes, no problem! I am just informing you and others of this glitch in HijackThis! Obviously some of the O20s are pests, with Vundo, haxdoor and l2me among the main culprits!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 