Windows Server Losing Sql Connectivity, Possible Malware


5 replies to this topic

#1 jbatka01

Posted 12 August 2008 - 03:54 PM

I have a Windows Server 2003 box that currently hosts almost 100 of my clients' websites. The symptom of my problem is very frustrating: the server will periodically lose connectivity to the database, and any sites hosted on the machine will not be able to connect to the database, rendering them useless. The odd thing is that once this happens, the server can't connect to any database: local, over the network, MSSQL, SQLExpress, even MySql. The only way to rectify the problem is to reboot the server. My webhosting company noticed the following errors in the error log that they thought were suspicious:

**************************************************************************
Error:
The euqznfmeworks service terminated with the following error:
The system cannot find the file specified.

Service:
C:\WINDOWS\system32\svchost.exe -k euqznfmeworks

-----------------

Error:
The lzijem service terminated with the following error:
The system cannot find the file specified.

Service:
C:\WINDOWS\system32\svchost.exe -k lzijem

-----------------

Error:
The NET Framework TPM service terminated with the following error:
The system cannot find the file specified.

Service command:
C:\WINDOWS\system32\svchost.exe -k NETFramework

-----------------

Error:
The NET Frameworks TPM service terminated with the following error:
The system cannot find the file specified.

Service:
C:\WINDOWS\system32\svchost.exe -k NETFrameworks

-----------------

Error:
The NET Frameworkzs service terminated with the following error:
The system cannot find the file specified.

Service:
C:\WINDOWS\System32\svchost.exe -k krnlsrvc

**************************************************************************


I also found a service called copSSHD with the following as its run line: C:\Program Files\copSSH\bin\cygrunsrv.exe.

I noticed that sshd.exe is listening on a non-standard port:

C:\Documents and Settings\Administrator>netstat -anb

Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:65 0.0.0.0:0 LISTENING 1216
[sshd.exe]


Anyway, as per your forum guidelines I ran Deckard's Scan. Here are both sets of results. Any help is greatly appreciated!

Deckard's System Scanner v20071014.68
Run by ******* on 2008-08-12 16:22:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 3.28 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-12 16:23:14
Platform: Windows 2003 Service Pack 2 (5.02.3790)
MSIE: Internet Explorer (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Virtual Machine Additions\vmsrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\copSSH\bin\cygrunsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\copSSH\bin\sshd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\Program Files\copSSH\bin\sshd.exe
C:\Program Files\copSSH\bin\sftp-server.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Virtual Machine Additions\vmusrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\scrnsave.scr
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Virtual Machine Additions\vmusrvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\inetsrv\w3wp.exe
C:\Documents and Settings\dhunter\Desktop\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [VMUserServices] C:\Program Files\Virtual Machine Additions\vmusrvc.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177601467250
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{182AE0A3-724E-4685-B06B-EACE4443D35F}: NameServer = ***.***.**.*,***.***.*.*
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe
O23 - Service: Openssh SSHD (copSSHD) - Unknown owner - C:\Program Files\copSSH\bin\cygrunsrv.exe
O23 - Service: MySQL - Unknown owner - C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt


--
End of file - 4775 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 IpInIp (IP in IP Tunnel Driver) - c:\windows\system32\drivers\ipinip.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 copSSHD (Openssh SSHD) - c:\program files\copssh\bin\cygrunsrv.exe
R2 MySQL - "c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-12 16:22:00 272 --a------ C:\WINDOWS\Tasks\ProcessUploaded*********Lists.job
2008-08-12 05:00:01 380 --a------ C:\WINDOWS\Tasks\TUESDAY_MYSQL_DUMP.job
2008-08-12 04:41:00 206 --a------ C:\WINDOWS\Tasks\Reboot.job
2008-08-12 00:52:03 204 --a------ C:\WINDOWS\Tasks\Scheduled SQL 2005 Procs.job
2008-08-11 05:00:01 288 --a------ C:\WINDOWS\Tasks\MONDAY_MYSQL_DUMP.job
2008-03-02 21:14:36 250 --a------ C:\WINDOWS\Tasks\INETPUB_BACKUP.job


-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-07-31 12:18:05 226 --a------ c:\reboot.vbs
2008-07-18 16:59:24 0 d-------- c:\CompChecker
2008-07-12 16:25:02 1046 --a------ c:\procs.vbs


-- Find3M Report ---------------------------------------------------------------

2008-07-08 17:10:14 59 --a------ c:\tuesday_dump.bat
2008-07-08 15:53:50 0 d-------- C:\Program Files\MySQL


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMUserServices"="C:\Program Files\Virtual Machine Additions\vmusrvc.exe" [08/29/2006 11:40 PM]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Servers\avp.exe" [05/28/2008 09:10 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [02/17/2007 10:03 AM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ShowSuperHidden"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
dimsntfy.dll 02/17/2007 10:02 AM 19456 C:\WINDOWS\system32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= RASSFM KDCSVC WDIGEST scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
NetworkService 6to4 DHCP DnsCache
WinErr ERsvc
DcomLaunch DcomLaunch
tapisrv Tapisrv
regsvc RemoteRegistry
swprv swprv
iissvcs w3svc
lzijem lzijem
NETFramework NETFramework
NETFrameworks NETFrameworks
krnlsrvc NETFrameworkzs
euqznfmeworks euqznfmeworks

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
AeLookupSvc
AppMgmt
AudioSrv
Browser
CryptSvc
DMServer
HidServ
LanmanServer
LanmanWorkstation
Messenger
Nla
NWCWorkstation
Sacsvr
Schedule
Seclogon
Themes
TrkWks
TrkSvr
Wmi
WmdmPmSp
winmgmt
xmlprov
BITS
wuauserv
ShellHWDetection
helpsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
%SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
%SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

7902 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-12 16:29:16 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft® Windows® Server 2003, Enterprise Edition (build 3790) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Xeon® CPU E5320 @ 1.86GHz
Percentage of Memory in Use: 72%
Physical Memory (total/avail): 1023.48 MiB / 277.03 MiB
Pagefile Memory (total/avail): 2473.46 MiB / 1630.54 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1909.63 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 30 GiB total, 3.28 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - MS Virtual SCSI Disk Device - 30 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 30 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before install.
Windows Internal Firewall is enabled.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:Microsoft® Remote Desktop Help Session Manager"
"C:\\php\\php.exe"="C:\\php\\php.exe:*:Enabled:CLI"
"C:\\Program Files\\Microsoft SQL Server\\MSSQL.1\\MSSQL\\Binn\\sqlservr.exe"="C:\\Program Files\\Microsoft SQL Server\\MSSQL.1\\MSSQL\\Binn\\sqlservr.exe:*:Enabled:sqlservr.exe"
"C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe"="C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe:*:Enabled:sqlbrowser.exe"
"C:\\WINDOWS\\system32\\ftp.exe"="C:\\WINDOWS\\system32\\ftp.exe:*:Disabled:File Transfer Program"
"C:\\Program Files\\FileZilla\\FileZilla.exe"="C:\\Program Files\\FileZilla\\FileZilla.exe:*:Disabled:FileZilla"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\dhunter\Application Data
CLIENTNAME=*******
ClusterLog=C:\WINDOWS\Cluster\cluster.log
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=VPS***********C
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=c:
HOMEPATH=\inetpub
LOGONSERVER=\\VPS***********C
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\PHP;C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\MySQL\MySQL Server 5.0\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f07
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=RDP-Tcp#3
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\*******\LOCALS~1\Temp\3
TMP=C:\DOCUME~1\*******\LOCALS~1\Temp\3
USERDOMAIN=VPS***********C
USERNAME=*******
USERPROFILE=C:\Documents and Settings\*******
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

SvcCOPSSH (admin)
******* (admin)
******** (new local, admin)
************* (admin)
****************
PowerVPS (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
AspJpeg --> "C:\Program Files\Persits Software\AspJpeg\Uninstall.exe" "C:\Program Files\Persits Software\AspJpeg\install.log"
AspUpload --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Persits Software\AspUpload\Uninst.isu"
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
copSSH (remove only) --> "C:\Program Files\copSSH\uninstall.exe"
FileZilla (remove only) --> "C:\Program Files\FileZilla\uninstall.exe"
getPlus®_dll --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSd.INF, DefaultUninstall
IIS 6.0 Resource Kit Tools --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{F8FBDC28-C265-4F0D-8B91-6E92913E19F6}
JGsoft PowerGREP 3 v.3.4.1 --> C:\WINDOWS\UnDeploy.exe "C:\Program Files\JGsoft\PowerGREP3\Deploy.log"
Kaspersky Anti-Virus 6.0 for Windows Servers --> MsiExec.exe /I{6C8342CD-1489-4BF7-BB05-6CE70F2619DF}
Kaspersky Anti-Virus 6.0 for Windows Servers --> MsiExec.exe /I{6C8342CD-1489-4BF7-BB05-6CE70F2619DF}
Microsoft .NET Framework 2.0 Service Pack 1 --> MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1 --> MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5 --> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5 --> MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft SOAP Toolkit 3.0 --> MsiExec.exe /I{BCB4C18A-ACA6-4383-8688-E19933A705DD}
Microsoft SQL Server 2005 --> "c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server 2005 (TECHMETHODS) --> MsiExec.exe /I{B0F9497C-52B4-4686-8E73-74D866BBDF59}
Microsoft SQL Server 2005 Tools --> MsiExec.exe /I{58D379F7-62BC-4748-8237-FE071ECE797C}
Microsoft SQL Server Management Studio Express --> MsiExec.exe /I{20608BFA-6068-48FE-A410-400F2A124C27}
Microsoft SQL Server Native Client --> MsiExec.exe /I{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}
Microsoft SQL Server Setup Support Files (English) --> MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer --> MsiExec.exe /I{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MySQL Connector/ODBC 3.51 --> MsiExec.exe /I{9856CFCC-6805-4567-8142-A68CF5B25F4C}
MySQL Server 5.0 --> MsiExec.exe /I{E5AED31E-3474-4C85-B492-42149DE37891}
Notepad++ --> C:\Program Files\Notepad++\uninstall.exe
PayPal ASP.NET SDK --> MsiExec.exe /I{659211A9-C390-4EB6-8FA8-3F6485905302}
PayPal Classic ASP SDK --> MsiExec.exe /I{098DD354-A78D-4DA8-B011-483575C60E4C}
SimpleMail 3.1 --> MsiExec.exe /I{1E82E5C5-91D1-4D1F-A6C2-EBAFFDF9E7C1}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins001.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
Virtual Machine Additions --> MsiExec.exe /X{543595B5-51FE-4E1D-9281-51F01E05D10F}
Windows Grep 2.3 --> "C:\Program Files\Windows Grep\unins000.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Server 2003 Service Pack 2 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type8937 / Warning
Event Submitted/Written: 08/12/2008 03:33:40 PM
Event ID/Source: 9 / Active Server Pages
Event Description:
Warning: IIS log failed to write entry, File /LM/W3SVC/103297371/Root/global.asa Line 11 Object required: 'Request'. .

Event Record #/Type8913 / Warning
Event Submitted/Written: 08/12/2008 02:23:33 PM
Event ID/Source: 9 / Active Server Pages
Event Description:
Warning: IIS log failed to write entry, File /LM/W3SVC/103297371/Root/global.asa Line 11 Object required: 'Request'. .

Event Record #/Type8910 / Warning
Event Submitted/Written: 08/12/2008 01:32:14 PM
Event ID/Source: 9 / Active Server Pages
Event Description:
Warning: IIS log failed to write entry, File /LM/W3SVC/103297371/Root/global.asa Line 11 Object required: 'Request'. .

Event Record #/Type8905 / Warning
Event Submitted/Written: 08/12/2008 11:44:44 AM
Event ID/Source: 9 / Active Server Pages
Event Description:
Warning: IIS log failed to write entry, File /LM/W3SVC/103297371/Root/global.asa Line 11 Object required: 'Request'. .

Event Record #/Type8900 / Warning
Event Submitted/Written: 08/12/2008 11:16:03 AM
Event ID/Source: 9 / Active Server Pages
Event Description:
Warning: IIS log failed to write entry, File /LM/W3SVC/1037312254/Root/global.asa Line 35 Type mismatch: 'Session'. .



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2984 / Error
Event Submitted/Written: 08/12/2008 04:16:48 PM
Event ID/Source: 1111 / TermServDevices
Event Description:
Driver Lexmark T420 required for printer !!************!Lexmark T420 is unknown. Contact the administrator to install the driver before you log in again.

Event Record #/Type2980 / Error
Event Submitted/Written: 08/12/2008 03:43:38 PM
Event ID/Source: 1111 / TermServDevices
Event Description:
Driver Lexmark 7100 Series required for printer !!*****!Lexmark 7100 Series is unknown. Contact the administrator to install the driver before you log in again.

Event Record #/Type2979 / Error
Event Submitted/Written: 08/12/2008 03:43:38 PM
Event ID/Source: 1111 / TermServDevices
Event Description:
Driver Lexmark T420 required for printer Lexmark T420 is unknown. Contact the administrator to install the driver before you log in again.

Event Record #/Type2976 / Error
Event Submitted/Written: 08/12/2008 02:46:21 PM
Event ID/Source: 1111 / TermServDevices
Event Description:
Driver Lexmark 7100 Series required for printer !!*****!Lexmark 7100 Series is unknown. Contact the administrator to install the driver before you log in again.

Event Record #/Type2975 / Error
Event Submitted/Written: 08/12/2008 02:46:21 PM
Event ID/Source: 1111 / TermServDevices
Event Description:
Driver Lexmark T420 required for printer Lexmark T420 is unknown. Contact the administrator to install the driver before you log in again.



-- End of Deckard's System Scanner: finished at 2008-08-12 16:29:16 ------------


Thanks for any advice you guys may have for me!
-Rick Batka
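The netstat -anb output above names the image (sshd.exe) that owns the port-65 listener, but when the owner is svchost.exe that tells you nothing about which service is actually bound to the socket. The following PowerShell is an added example, not code from this thread or from BleepingComputer: it parses netstat -ano, resolves each listening socket to its process, and asks the Service Control Manager (via WMI Win32_Service) which services run inside that PID. It assumes an elevated prompt, PowerShell 2.0 or later and a working WMI service; the function name Get-ListeningSockets is my own.

```powershell
# Added example, not part of the thread: map every listening socket to its
# owning process and, when that process is svchost.exe, to the services the
# SCM says are hosted in it. "netstat -anb" names the image but not the
# service, which is the gap when a listener turns out to be svchost-hosted.
# Assumptions: elevated prompt, PowerShell 2.0 or later, WMI available.

function Get-ListeningSockets {
    param(
        # Lines of "netstat -ano" output. Defaults to a live capture; a saved
        # capture from the affected box can be passed in for offline review.
        [string[]]$NetstatLines = (netstat -ano)
    )

    # PID -> hosted service names, as the Service Control Manager reports them.
    # Keys are cast to [int] so they compare equal to the PIDs parsed below
    # (Win32_Service.ProcessId is a UInt32 and would not match otherwise).
    $svcByPid = @{}
    foreach ($svc in Get-WmiObject -Class Win32_Service) {
        if ($svc.ProcessId -eq 0) { continue }
        $id = [int]$svc.ProcessId
        if (-not $svcByPid.ContainsKey($id)) { $svcByPid[$id] = @() }
        $svcByPid[$id] += $svc.Name
    }

    foreach ($line in $NetstatLines) {
        # TCP listeners carry a LISTENING state column; UDP lines have no state.
        $isListener = ($line -match '^\s*(TCP)\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') -or
                      ($line -match '^\s*(UDP)\s+(\S+):(\d+)\s+\*:\*\s+(\d+)\s*$')
        if (-not $isListener) { continue }

        $proto = $Matches[1]; $addr = $Matches[2]; $port = [int]$Matches[3]; $owner = [int]$Matches[4]

        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $image = '(unknown)'
        if ($proc -and $proc.Path) { $image = $proc.Path }   # Path is empty for some system processes

        $services = ''
        if ($svcByPid.ContainsKey($owner)) { $services = $svcByPid[$owner] -join ',' }

        New-Object -TypeName PSObject -Property @{
            Proto = $proto; Address = $addr; Port = $port; PID = $owner
            Image = $image; Services = $services
        }
    }
}

# Usage: sort by port so an unexpected listener (an SSH daemon on 65, say)
# stands out next to its image and the services hosted in that process.
Get-ListeningSockets | Sort-Object Port | Format-Table Proto, Address, Port, PID, Image, Services -AutoSize
```

Read the Services column against the Image column: a svchost.exe PID whose hosted services you do not recognise, or a non-svchost image that the SCM says hosts a service you never installed, is what to chase next. Run it on the box while it is in the broken state as well as after a reboot and diff the two lists.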

#2 Grinler

    Lawrence Abrams

Posted 14 August 2008 - 09:11 AM

If you did not install CopSSH on your server, then you have been hacked and the suggested action would be to reinstall. A remote user having SSH access to your computer would make it possible for them to make any change they want and we would be unable to find them all. In these situations, a rebuild is the only safe option. Let's dig down a bit and see what they may have done.

First download the attached bc_reg.bat and save it to your desktop. Double-click on the bat file to run it and then paste the contents of the notepad that opens as a reply to this topic.

When done, please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

When following the instructions please install the Windows XP Recovery Console if you are using XP.

After running ComboFix, please post the ComboFix log as well as a brand new HijackThis as a reply to this topic.


#3 jbatka01
  • Topic Starter

Posted 14 August 2008 - 09:48 AM

Sorry about that, but I talked to my boss and he did indeed install CopSSH. He confirmed that it's not from a hacker and the SSH tunneling he's using is locked down tight.

I think you forgot to attach bc_reg.bat. Unless I'm just blind, I don't see the link.

He also vetoed my running of ComboFix, since it doesn't have a "just scan" mode. He doesn't want it changing anything automatically. It makes sense, this is a critical server hosting paying clients' dynamic websites, some with eCommerce. Downtime is not an option, even though it is happening periodically already - we just can't afford to "break it" any worse than it already is.

I appreciate your help so far, but if there's nothing else you can think of without running ComboFix I understand. We may have to somehow migrate the sites off the server and rebuild it, but that's also going to be a nightmare.

Thanks anyway guys!

-Rick

Edited by jbatka01, 14 August 2008 - 09:49 AM.


#4 Grinler

    Lawrence Abrams

Posted 14 August 2008 - 10:00 AM

No, we can dig down further without making changes. I attached the batch file to my original message, sorry about that.

#5 jbatka01
  • Topic Starter

Posted 14 August 2008 - 11:55 AM

Just thought I'd post the results of bc_reg.bat.

Let me know if there's anything helpful, otherwise thanks anyway!

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lzijem
Type REG_DWORD 0x110
Start REG_DWORD 0x2
ErrorControl REG_DWORD 0x1
ImagePath REG_SZ C:\WINDOWS\system32\svchost.exe -k lzijem
DisplayName REG_SZ lzijem
ObjectName REG_SZ LocalSystem
Description REG_SZ Microsoft .NET Framework TPM

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lzijem\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lzijem\Security
Security REG_BINARY 01001480B8000000C4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020088000600000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D010200010100000000000506000000000014000001000001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lzijem\Enum
0 REG_SZ Root\LEGACY_LZIJEM\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\euqznfmeworks
Type REG_DWORD 0x110
Start REG_DWORD 0x2
ErrorControl REG_DWORD 0x1
ImagePath REG_SZ C:\WINDOWS\system32\svchost.exe -k euqznfmeworks
DisplayName REG_SZ euqznfmeworks
ObjectName REG_SZ LocalSystem
Description REG_SZ Microsoft .NET Framework TPM

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\euqznfmeworks\Parameters

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\euqznfmeworks\Security
Security REG_BINARY 01001480B8000000C4000000140000003000000002001C000100000002801400FF010F00010100000000000100000000020088000600000000001400FD01020001010000000000051200000000001800FF010F0001020000000000052000000020020000000014008D010200010100000000000504000000000014008D010200010100000000000506000000000014000001000001010000000000050B00000000001800FD01020001020000000000052000000023020000010100000000000512000000010100000000000512000000

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\euqznfmeworks\Enum
0 REG_SZ Root\LEGACY_EUQZNFMEWORKS\0000
Count REG_DWORD 0x1
NextInstance REG_DWORD 0x1

#6 Grinler

    Lawrence Abrams

Posted 14 August 2008 - 12:20 PM

These appear to be a backdoor/rootkit, but appear to be inactive as there is no ServiceDll under their Parameters section. More info here:

http://www.threatexpert.com/report.aspx?ui...f8-8cf9da6ed8aa

Those services can be deleted by removing the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\euqznfmeworks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lzijem

Then you need to remove the keys that tell SVCHOST to start them:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST\lzijem
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST\NETFramework
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST\NETFrameworks
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST\krnlsrvc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST\euqznfmeworks

If you do not feel comfortable removing these keys manually in the registry, let me know and I will make a reg file.

Alternately, you can delete these two keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\euqznfmeworks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lzijem

by running the following commands from a command prompt:


sc delete euqznfmeworks
sc delete lzijem


You will still, though, need to remove the SVCHOST keys listed above in order to stop getting the event log errors.

Other than that, I am not seeing anything else. These are backdoor/rootkits, so you may want to consider reinstalling anyway if that is an option.
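The test Grinler applies in this post, a service whose ImagePath is "svchost.exe -k <group>" but which has no Parameters\ServiceDll for svchost to load, plus the matching entry under the Svchost key that tells svchost the group exists, can be run across every service on the box rather than only the two names pulled by bc_reg.bat. The script below is an added example, not code from this thread or from BleepingComputer. It is read-only: it reports services that fail any of three checks (no ServiceDll, a group name outside the standard set, or a group that does not list the service) and prints the sc delete / reg delete commands from the post for review instead of executing them, which fits the "scan but do not change anything" constraint from post #3. It assumes an elevated prompt and PowerShell 3.0 or later; the $knownGroups list is my own, built from the legitimate Svchost entries in the scan log above, and needs tuning for other builds.

```powershell
# Added example, not part of the thread: audit every svchost-hosted service
# for the pattern described in the post above. Read-only: prints findings
# and the removal commands, executes nothing.
# Assumptions: elevated prompt, PowerShell 3.0 or later ([pscustomobject]).

$svcRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$groupRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# Groups that are legitimate on the Windows Server 2003 host above (taken from
# the Svchost dump in the scan log). Assumption: tune this list to your build;
# a third-party group here is a false positive, a missing ServiceDll is not.
$knownGroups = @('LocalService', 'NetworkService', 'netsvcs', 'WinErr', 'DcomLaunch',
                 'tapisrv', 'regsvc', 'swprv', 'iissvcs', 'rpcss', 'HTTPFilter', 'imgsvc', 'termsvcs')

# Group name -> member service names (REG_MULTI_SZ values under the Svchost key)
$groupValues = Get-ItemProperty -Path $groupRoot

$findings = foreach ($key in Get-ChildItem -Path $svcRoot) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    $image = [string]$props.ImagePath

    # Only services hosted by svchost; capture the -k group name
    if ($image -match '(?i)svchost\.exe"?\s+-k\s+"?([^"\s]+)') { $group = $Matches[1] } else { continue }

    # svchost loads the service from Parameters\ServiceDll; without it there is
    # nothing to run, which is what the "cannot find the file" errors reflect
    $serviceDll = $null
    $paramsPath = "$($key.PSPath)\Parameters"
    if (Test-Path -Path $paramsPath) { $serviceDll = (Get-ItemProperty -Path $paramsPath).ServiceDll }
    if (-not $serviceDll) { $serviceDll = $props.ServiceDll }   # older layout: value on the service key

    $members = @()
    if ($groupValues.PSObject.Properties.Name -contains $group) { $members = @($groupValues.$group) }

    [pscustomobject]@{
        Service       = $key.PSChildName
        DisplayName   = $props.DisplayName
        Description   = $props.Description
        Group         = $group
        ServiceDll    = $serviceDll
        KnownGroup    = ($knownGroups -contains $group)
        ListedInGroup = ($members -contains $key.PSChildName)
        Account       = $props.ObjectName
    }
}

# Anything that fails one of the three checks gets a closer look
$suspect = $findings | Where-Object { -not $_.ServiceDll -or -not $_.KnownGroup -or -not $_.ListedInGroup }
$suspect | Format-Table Service, Group, KnownGroup, ListedInGroup, ServiceDll, Account -AutoSize

# Reverse check: Svchost groups whose listed members no longer exist as service
# keys. This catches group entries left behind after a service key was removed,
# which "sc delete" alone never cleans up.
$orphanGroups = foreach ($p in $groupValues.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }                     # skip PSPath, PSChildName, ...
    $missing = @($p.Value) | Where-Object { -not (Test-Path -Path "$svcRoot\$_") }
    if ($missing) { [pscustomobject]@{ Group = $p.Name; MissingServices = ($missing -join ',') } }
}
$orphanGroups | Format-Table -AutoSize

# Remediation from the post, emitted as text for review rather than executed.
# The group entries are registry values under the Svchost key, hence /v.
foreach ($s in $suspect) {
    "sc delete $($s.Service)"
    "reg delete `"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`" /v $($s.Group) /f"
}
foreach ($g in $orphanGroups) {
    "reg delete `"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost`" /v $($g.Group) /f"
}
```

Against the registry dump in post #5 this would report lzijem and euqznfmeworks with an empty ServiceDll column and KnownGroup false, and would list any Svchost group whose member service key no longer exists. Export the HKLM\SYSTEM\CurrentControlSet\Services and Svchost keys (reg export) before running any of the printed commands, since the removal is not reversible otherwise.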



