
Winlogon.exe Leaking Handles


3 replies to this topic

#1 Kevin Sproule

  • Members
  • 4 posts

Posted 23 October 2007 - 05:09 PM

Windows 2000 Server with terminal services was broken into and Administrator was compromised. Now WINLOGON.EXE processes are leaking handles and using CPU in bursts. Server must be rebooted every few hours due to exhausted memory. Does anyone have any suggestions to fix this? Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:27 PM, on 10/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\termsrv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\CA\Alert\ALERT.EXE
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\WINNT\system32\CpqRcmc.exe
C:\WINNT\system32\Dfssvc.exe
E:\eagle\EagleWebPoller\EagleWebOrderPoller.exe
E:\eagle\EagleWebUsagePoller\EagleWebUsagePoller.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\WINNT\system32\ntfrs.exe
E:\eagle\RavenOrderPoller\RavenOrderPoller.exe
E:\eagle\RavenUsagePoller\RavenUasgePoller.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\System32\locator.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Synergex\SynergyDE\dbl\bin\synd.exe
C:\hp\hpsmh\bin\smhstart.exe
e:\eagle\watcher\dmssky.exe
C:\WINNT\System32\lserver.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\yahoo.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\ismserv.exe
C:\WINNT\System32\msdtc.exe
C:\WINNT\system32\sysdown.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\hpsmhd.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\hp\hpsmh\bin\rotatelogs.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINNT\system32\Atiptaxx.exe
e:\eagle\watcher\eagleflight.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\PlanetPress Suite 3\PlanetPress Watch\Ppwcfg.exe
C:\Program Files\PlanetPress Suite 3\PlanetPress Watch\Ppwatch3.exe
C:\Program Files\PlanetPress Suite 3\PlanetPress\ppress3.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\PlanetPress Suite 3\PlanetPress Image\PPIMAGE3.EXE
C:\PROGRA~1\Adobe\ACROBA~1.0\Distillr\acrodist.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\mdm.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\cmd.exe
C:\temp\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKUS\S-1-5-21-2025429265-606747145-1801674531-1121\..\Run: [] (User 'John')
O4 - HKUS\S-1-5-21-2025429265-606747145-1801674531-1122\..\Run: [] (User 'pete f')
O4 - HKUS\S-1-5-21-2025429265-606747145-1801674531-1130\..\Run: [] (User 'Spare1')
O4 - HKUS\S-1-5-21-2025429265-606747145-1801674531-1131\..\Run: [] (User 'Spare2')
O4 - HKUS\S-1-5-21-2025429265-606747145-1801674531-1138\..\Run: [] (User 'Dan')
O4 - HKUS\S-1-5-21-2025429265-606747145-1801674531-1139\..\Run: [] (User 'Cindy')
O4 - HKUS\.DEFAULT\..\Run: [] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator\windows\system32\rnr20.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kareagle.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{B850F91E-1A2B-44E1-8ED0-103CB20BD9E2}: NameServer = 10.220.1.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kareagle.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kareagle.local
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = kareagle.local
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: helpsvr - C:\WINNT\System32\Sysem.dll
O23 - Service: Alert Notification Server - Computer Associates International, Inc. - C:\Program Files\Common Files\CA\Alert\ALERT.EXE
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - Symantec Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\CA_LIC\lic98rmt.exe (file missing)
O23 - Service: CA License Server (CA_LIC_SRVR) - Unknown owner - C:\CA_LIC\lic98rmtd.exe (file missing)
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINNT\system32\CpqRcmc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Synergy/DE License Manager (SynLM) - Synergex - C:\Program Files\Synergex\SynergyDE\dbl\bin\synd.exe
O23 - Service: Synergy/DE xfServer (SynSrv) - Synergex - C:\Program Files\Synergex\SynergyDE\dbl\bin\rsynd.exe
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINNT\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: Yahoo Services (YS) - Unknown owner - C:\WINNT\system32\yahoo.exe

--
End of file - 9159 bytes
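A small triage pass over the log above, added here as an example (it is not from the thread and not part of HijackThis): it pulls out the entries an analyst would verify first, namely a core NT binary running from under a user profile, the O20 Winlogon Notify DLL (Notify packages are loaded into every winlogon.exe, which is worth knowing when winlogon itself is the process misbehaving), and O23 services with no publisher. The set of "core system binaries" and the flagging rules are my own assumptions; the sample lines are copied from the posted log.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis v2.0.2 log posted above.
SAMPLE_LOG = r"""Running processes:
C:\Documents and Settings\Administrator\WINDOWS\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\yahoo.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O20 - Winlogon Notify: helpsvr - C:\WINNT\System32\Sysem.dll
O23 - Service: HP System Management Homepage (SysMgmtHp) - Hewlett-Packard Company - C:\hp\hpsmh\bin\smhstart.exe
O23 - Service: Yahoo Services (YS) - Unknown owner - C:\WINNT\system32\yahoo.exe
O23 - Service: CA License Client (CA_LIC_CLNT) - Unknown owner - C:\CA_LIC\lic98rmt.exe (file missing)
"""

# Assumed list of core NT binaries that only ever load from the real system directory (C:\WINNT here).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for the entries an analyst should verify first."""
    findings: List[Tuple[str, str]] = []
    in_processes = False
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:  # a blank line ends the process list
                in_processes = False
                continue
            exe = line.rsplit("\\", 1)[-1].lower()
            if exe in SYSTEM_BINARIES and "\\documents and settings\\" in line.lower():
                findings.append(("core system binary running from a user profile", line))
        elif m := NOTIFY_RE.match(line):
            # Notify packages run inside every winlogon.exe, so they matter when winlogon misbehaves.
            findings.append((f"DLL loaded into winlogon.exe via Notify key '{m.group(1)}'", line))
        elif m := SERVICE_RE.match(line):
            _name, owner, path = m.groups()
            if owner == "Unknown owner" and path.endswith("(file missing)"):
                findings.append(("orphaned service entry: binary missing", line))
            elif owner == "Unknown owner":
                findings.append(("service with no publisher and binary present", line))
    return findings
```

Run `triage(SAMPLE_LOG)` to get the four flagged entries in log order; every other line (the HP service, the ATI Run key, winlogon.exe from C:\WINNT) passes through unflagged.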


#2 Grinler

    Lawrence Abrams

  • Admin
  • 43,389 posts

Posted 24 October 2007 - 04:53 PM

Hi Kevin,

Looks like a mess. My suggestion: reinstall. I know that is a major pita when it comes to Terminal Services and setting up all the apps again, but with a hack you never know what they did. Can we clean up all the running malware? Yes, but we will not be able to tell if any policy changes have been made, registry settings that lower your SAM account enumeration, etc. So with all of that said, I seriously suggest you reinstall.

If on the other hand, you want me to move forward and help you clean up the machine, I will be more than happy to.

Regardless of what you do, do me a favor and submit a file for me.

This file:

C:\WINNT\system32\yahoo.exe

Please submit it at http://www.bleepingcomputer.com/submit-malware.php?channel=3

Just a note, if you want to do this right, you will have to disable terminal services while we fix it as the users logged on will make it difficult to properly clean. Also it is going to be nigh impossible to make sure that you do not get reinfected from programs running on other users profiles. I am willing to give it a try though. Up to you.

#3 Kevin Sproule

  • Topic Starter
  • Members
  • 4 posts

Posted 26 October 2007 - 10:18 AM

Grinler,

Thanks for the reply. We are planning to scratch the C: drive and do a basic install and then restore the C: drive from a backup before the attack. Does this seem reasonable? I will upload the C:\WINNT\system32\yahoo.exe per your request.

Kevin

#4 Grinler

    Lawrence Abrams

  • Admin
  • 43,389 posts

Posted 26 October 2007 - 12:00 PM

Thanks... the yahoo.exe is a trojan. It connects to a hostname that no longer resolves.

I think that a reformat and restore should work, but be sure to have all the users change their passwords. It is possible they were sniffed out.



