Virus/trojan creating system32/.exe file on Win2K server

GriffMG · Jul 1, 2008

I have a win2k server which seems to have a virus or trojan on it.

I've scanned it with AVG, and PCTools Antispyware and AntiVirus, but they can't find anything.

The virus is manifesting itself by creating a file in c:\winnt\system32 called '.exe' this file is 0 bytes long and is being held open by a service (I think). Once in a while it creates an ftp script called 'i' in the same folder and tries to execute it - but I have removed ftp.exe so it does not seem to be able to.

Periodically the server is rebooting quietly, but that may be unrelated.

Any ideas anyone?

Regards

Griff
Keep [Smile]ing

GriffMG · Jul 1, 2008

this is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:14:50, on 01/07/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\WatchGuard\Mobile User VPN\IreIKE.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\msdtc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WatchGuard\Mobile User VPN\IPSecMon.exe
C:\WINNT\System32\llssrv.exe
C:\Program Files\Tiny Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\apache\ApacheOld\Aude.exe
D:\apache\ApacheOld\finedata.exe
D:\apache\ApacheOld\finedata.exe
D:\apache\ApacheOld\Aude.exe
C:\WINNT\System32\SCardSvr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\mdm.exe
C:\APPS\DocElite\docelite.exe
C:\APPS\WEBELITE-WEB01\WebElite.EXE
C:\APPS\DEPOTWATCH\DepotWatch.EXE
C:\APPS\WEBELITE-WEB04\WebElite.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Aude.lnk = D:\apache\ApacheOld\Aude.exe
O4 - Startup: depotwatch.lnk = C:\APPS\depotwatch\depotwatch.exe
O4 - Startup: docelite.exe.lnk = C:\APPS\DocElite\docelite.exe
O4 - Startup: finedata.lnk = D:\apache\ApacheOld\finedata.exe
O4 - Startup: web01.lnk = C:\APPS\WebElite-web01\webelite.exe
O4 - Startup: web04.lnk = C:\APPS\WebElite-web04\webelite.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{587F2C33-089B-41FA-AD18-1C3AD1434429}: NameServer = 80.84.160.226,80.84.160.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{587F2C33-089B-41FA-AD18-1C3AD1434429}: NameServer = 80.84.160.226,80.84.160.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Tiny Personal Firewall (PersFw) - Tiny Software - C:\Program Files\Tiny Personal Firewall\persfw.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe

--
End of file - 3117 bytes

Regards

Griff
Keep [Smile]ing

2ffat · Jul 1, 2008

Nothing sticks out. Look at these and if you don't know what they are or didn't set them up. Get rid of them. Make sure you have a good backup first.

C:\WINNT\system32\mdm.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{587F2C33-089B-41FA-AD18-1C3AD1434429}: NameServer = 80.84.160.226,80.84.160.1

O17 - HKLM\System\CS1\Services\Tcpip\..\{587F2C33-089B-41FA-AD18-1C3AD1434429}: NameServer = 80.84.160.226,80.84.160.1

James P. Cottingham
-----------------------------------------
^{I'm number 1,229!

I'm number 1,229!}

GriffMG · Jul 1, 2008

Hi

Thank you for looking at it for me.

I tried removing the two O17 ... NameServer entries, but then the machine couldn't resolve IPs for browsing, it removed the DNS entries from the network settings.

I will look at the mdm.exe though.

Martin

Regards

Griff
Keep [Smile]ing

GriffMG · Jul 1, 2008

Hi

MDM.exe is the Machine Debug Manager, which I need for debugging scripts in IIS/ASP.

I don't *think* I can remove it...

Regards

Griff
Keep [Smile]ing

2ffat · Jul 2, 2008

Look at some for some rootkits. Look at the FAQs in this forum for info on rootkits.

James P. Cottingham
-----------------------------------------
^{I'm number 1,229!

I'm number 1,229!}

GriffMG · Jul 2, 2008

I did look at all the rootkit stuff, but it didn't help. Then I did some googling for

hidden service creating "c:\winnt\system32\.exe"

And came across a reference to something similar where the advice was to use SDFix - which found the .exe and a trojan in router.exe and some stuff in the recycler...

I'm waiting to see what is broken!

B-)

Thanks for the help as usual.

Regards

Griff
Keep [Smile]ing

GriffMG · Jul 2, 2008

Darn, .exe is back!

Regards

Griff
Keep [Smile]ing

sggaunt · Jul 3, 2008

Griff. You probably need to do a deep clean up using sdfix and some other tools in safe mode and in sequence.
Look at some of pechnegs replies to other posts.

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

GriffMG · Jul 3, 2008

Steve

I think you are right, a reinstall might be easier!

Regards

Griff
Keep [Smile]ing

2ffat · Jul 3, 2008

Also make certain your system restore is off.

James P. Cottingham
-----------------------------------------
^{I'm number 1,229!

I'm number 1,229!}

GriffMG · Jul 3, 2008

Does win 2k have system restore, it doesn't have a tab for it in system properties?

Regards

Griff
Keep [Smile]ing

wahnula · Jul 5, 2008

Nope. No System Restore in Win2K. Hopefully the data backups will not be infected too. Do you have any idea how this creature got into your system?

Tony

Users helping Users...

GriffMG · Jul 6, 2008

Hi Tony,

I have no idea how it got in, but I'm struggling to get rid of it.

There is no email client on the machine, and it's not used for browsing. Perhaps the problem is a vunerability that I need to patch first, rather than something lurking?

Martin

Regards

Griff
Keep [Smile]ing

wahnula · Jul 6, 2008

Have you seen this solution???

Tony

Users helping Users...

GriffMG · Jul 7, 2008

I'm trying that now.

Regards

Griff
Keep [Smile]ing

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Virus/trojan creating system32/.exe file on Win2K server

GriffMG

Programmer

GriffMG

Programmer

2ffat

Programmer

GriffMG

Programmer

GriffMG

Programmer

2ffat

Programmer

GriffMG

Programmer

GriffMG

Programmer

sggaunt

Programmer

GriffMG

Programmer

2ffat

Programmer

GriffMG

Programmer

wahnula

Technical User

GriffMG

Programmer

wahnula

Technical User

GriffMG

Programmer

Similar threads

Part and Inventory Search

Sponsor