I found a few files on my C: drive that reek of hack activity. I have renamed the files that I could, but did not delete them, in order to find out more info.
The path for these files is C:\WINNT\system32\Microsoft\Crypto\RSA\S-1-18
The files are:
change.old
espace libre stro.old
go.bat
info.exe
jasfv.dll
KILL.exe
logout.old
msg.old
serv.bat
servudaemon.ini
ServUStartUpLog.txt
srvany.exe
svchost.exe
All the files with the .old extension were .txt files.
Here is a snippet from one of the files that proves it is hack activity.
----------==(¯`'·.¸(¯`'·.¸_______________=========_______________¸.·'´¯)¸.·'´¯)==----------
---------=(¯`'·.¸(¯`'·.¸___________________________________¸.·'´¯)¸.·'´¯)=---------
-------=(¯`'·.¸_ _¸.·'´¯)=-------
-------------------====== Coolbuz ======--------------------
-------------------====== PuBsTrO ======--------------------
-------=(_¸.·'´¯ ¯`'·.¸_)=-------
---------=(_¸.·'´(_¸.·'´¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯`'·.¸_)`'·.¸_)=---------
----------==(_¸.·'´(_¸.·'´¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯=========¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯`'·.¸_)`'·.¸_)==----------
¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø,¸
°¤ø,¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø,¸¸,ø¤°`°¤ø,¸¸¸,ø¤°`°¤ø,¸¸,ø¤°`
Disk Free : %DFree KB
Hard Disk : %Disk
Stro time : %time
Stro date : %date
User name : %Name
Number of users connected : %UNow of %MaxUsers
Number of people who have connected since the stro was started : %UAll
Number of people who have connected in the last 24 hours : %U24h
Your IP address, not logged of course : %IP
The server has been (back) up for :
%ServerDays days, %ServerHours hours, %ServerMins mins, %ServerSecs secs
Total upload / FXP : %ServerKbUp KB
Total download : %ServerKbDown KB
Stro speed : %ServerKBps KB/s
Average stro speed : %ServerAvg KB/s
Here is the HJ log file as well.
Logfile of HijackThis v1.97.7
Scan saved at 11:58:32 AM, on 4/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\netdde.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Storage Manager\dptcom.exe
C:\Program Files\Storage Manager\dptserv.exe
C:\Program Files\Storage Manager\DPTSCOM.EXE
C:\Program Files\Storage Manager\DPTELOG.EXE
c:\winnt\system32\microsoft\crypto\rsa\S-1-18\srvany.exe
C:\WINNT\System32\svchost.exe
c:\winnt\system32\microsoft\crypto\rsa\S-1-18\svchost.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\WINNT\System32\llssrv.exe
C:\PROGRA~1\NetIQ\Endpoint\endpoint.exe
C:\PROGRA~1\Navnt\npssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\PROGRA~1\Navnt\navapsvc.exe
C:\PROGRA~1\Navnt\alertsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\D4\D4.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\Program Files\Navnt\NAVAPW32.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\svchost.exe
c:\program files\bricksoftware\primatedistributor\primatedistributor.exe
C:\WINNT\system32\taskmgr.exe
C:\HijackThis\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\ORL\VNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
O4 - HKLM\..\Run: [Dimension4] C:\Program Files\D4\D4.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\NAVAPW32.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O15 - Trusted Zone: http://www.trojanscan.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37740.6295601852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CCS\Services\Tcpip\..\{4F85D44D-AB05-41B3-86D2-B2B0AC7A5A17}: NameServer =
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2D25098-9320-49A7-997E-BBA619BA323B}: NameServer =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
Thanks for any help in sorting this out.
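The telling lines in the HijackThis log above are the two processes running from c:\winnt\system32\microsoft\crypto\rsa\S-1-18: srvany.exe (the Resource Kit wrapper that runs an arbitrary program as a Windows service) and a second svchost.exe that is not the one in System32. The script below is an added example, not code from the post or from HijackThis: it parses the "Running processes:" block of a HijackThis log and flags system binary names that run from outside System32, service wrappers, and any file name that runs from more than one directory. The sample log is a constructed excerpt of the one in the post; the System32 location is assumed to be the default C:\WINNT\System32 or C:\Windows\System32 install path.

```python
"""Triage the 'Running processes:' block of a HijackThis log.

Three checks, all driven by the process list alone:
  1. a name that belongs only in %SystemRoot%\\System32 (svchost.exe, lsass.exe, ...)
     running from some other directory;
  2. a known service wrapper (srvany.exe) that can turn any program into a service;
  3. the same file name running from two different directories.
"""
import ntpath
import re

# Constructed sample: a few lines copied from the HijackThis log in the post.
SAMPLE_LOG = """Logfile of HijackThis v1.97.7
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\system32\\lsass.exe
C:\\WINNT\\system32\\svchost.exe
c:\\winnt\\system32\\microsoft\\crypto\\rsa\\S-1-18\\srvany.exe
C:\\WINNT\\System32\\svchost.exe
c:\\winnt\\system32\\microsoft\\crypto\\rsa\\S-1-18\\svchost.exe
C:\\WINNT\\Explorer.EXE
C:\\HijackThis\\HijackThis.exe
O4 - HKLM\\..\\Run: [WinVNC] "C:\\Program Files\\ORL\\VNC\\WinVNC.exe" -servicehelper
"""

# Binaries that legitimately run only from %SystemRoot%\System32 on Windows 2000.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
# Service wrappers: legitimate admin tools, but every instance deserves a look.
SERVICE_WRAPPERS = {"srvany.exe", "instsrv.exe"}
# Assumption: default install paths. Adjust if %SystemRoot% is elsewhere.
SYSTEM32_RE = re.compile(r"^[a-z]:\\(winnt|windows)\\system32$")


def parse_running_processes(log_text):
    """Return the full paths listed under 'Running processes:'."""
    paths, in_block = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_block = True
            continue
        if in_block:
            # The block ends at a blank line or the first O-entry such as 'O4 - ...'.
            if not line or re.match(r"^O\d+\s-", line):
                break
            paths.append(line)
    return paths


def triage(log_text):
    """Return (path, reason) pairs for processes worth investigating."""
    findings = []
    for path in parse_running_processes(log_text):
        directory, name = ntpath.split(path)
        name_l, dir_l = name.lower(), directory.lower()
        if name_l in SYSTEM32_ONLY and not SYSTEM32_RE.match(dir_l):
            findings.append((path, "system binary name running outside System32"))
        elif name_l in SERVICE_WRAPPERS:
            findings.append((path, "service wrapper: check which program it launches"))
    return findings


def conflicting_paths(paths):
    """Map each file name that runs from more than one directory to those directories."""
    by_name = {}
    for path in paths:
        directory, name = ntpath.split(path)
        by_name.setdefault(name.lower(), set()).add(directory.lower())
    return {name: dirs for name, dirs in by_name.items() if len(dirs) > 1}


if __name__ == "__main__":
    for path, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {path}")
    for name, dirs in conflicting_paths(parse_running_processes(SAMPLE_LOG)).items():
        print(f"{name} runs from {len(dirs)} directories: {sorted(dirs)}")
```

On the post's log this reports exactly the two S-1-18 processes, and the duplicate-name check shows svchost.exe running from both System32 and the Crypto\RSA\S-1-18 directory. The check is deliberately path-based rather than signature-based: a file named svchost.exe can be any program at all, and on this system the servudaemon.ini and ServUStartUpLog.txt beside it point to an FTP daemon rather than the Windows service host.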