Trojan.Agent :(



#1 gRoberts84

Posted 10 July 2012 - 12:00 AM

Hi there,

It seems somehow someone has uploaded and executed an application onto our web server that has resulted in it going ape.

1. Symptoms

  • DLL files reporting errors (in ASP.Net websites)
  • Internet Explorer fails to open
  • Firefox opens but fails to load any pages
  • Antivirus has been disabled

2. What I've tried

  • Attempted to install AVG, Malwarebytes and ClamAV. Issues either loading the application or updating. (MBAM worked after changing the name, as Chameleon failed.)
  • Installed Spybot S&D but found nothing of interest.

3. Logs

a) HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 05:36:20, on 10/07/2012
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\VMware\VMware Tools\vmacthlp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\VMware\VMware Tools\VMwareService.exe
C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\logon.scr
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\VMware\VMware Tools\VMwareTray.exe
C:\Program Files\FileZilla Server\FileZilla Server Interface.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe
C:\Program Files\VMware\VMware Tools\VMwareUser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\MySQL\MySQL Tools for 5.0\MySQLSystemTrayMonitor.exe
c:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\PHP\php-cgi.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\PHP\php-cgi.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Administrator\Local Settings\Application Data\nbjchubu\shxrrukm.exe,
O1 - Hosts: 213.171.216.50 smtp.fasthosts.co.uk
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [VMware Tools] "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
O4 - HKLM\..\Run: [FileZilla Server Interface] "C:\Program Files\FileZilla Server\FileZilla Server Interface.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec Backup Exec System Recovery 8.0] "C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProTray.exe"
O4 - HKLM\..\Run: [VMware User Process] "C:\Program Files\VMware\VMware Tools\VMwareUser.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [ShxRrukm] C:\Documents and Settings\Administrator\Local Settings\Application Data\nbjchubu\shxrrukm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Set The Wallpaper.lnk = C:\Utils\Bginfo.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware tools\vsock sdk\bin\win32\vsocklib.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{03BB5E99-A709-48D0-A650-0D963E9B6955}: NameServer = 194.168.4.123,194.168.8.123
O17 - HKLM\System\CS1\Services\Tcpip\..\{03BB5E99-A709-48D0-A650-0D963E9B6955}: NameServer = 194.168.4.123,194.168.8.123
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Backup Exec System Recovery - Symantec Corporation - C:\Program Files\Symantec\Backup Exec System Recovery\Agent\VProSvc.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: SQL Server FullText Search (MSSQLSERVER) (msftesql) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe" -s:MSSQL.1 -f:MSSQLSERVER (file missing)
O23 - Service: SQL Server (MSSQLSERVER) (MSSQLSERVER) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER (file missing)
O23 - Service: MySQL - Unknown owner - c:\Program.exe (file missing)
O23 - Service: MySQL1 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NetVault Process Manager - Unknown owner - C:/Program Files/BakBone Software/NetVault/bin/nvpmgr.exe" service (file missing)
O23 - Service: SQL Server Agent (MSSQLSERVER) (SQLSERVERAGENT) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE" -i MSSQLSERVER (file missing)
O23 - Service: SymSnapService - Symantec - C:\Program Files\Symantec\Backup Exec System Recovery\Shared\Drivers\SymSnapService.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
O23 - Service: VMware Upgrade Helper (VMUpgradeHelper) - Unknown owner - C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe" /service (file missing)
O23 - Service: VMware Physical Disk Helper Service - VMware, Inc. - C:\Program Files\VMware\VMware Tools\vmacthlp.exe
O23 - Service: WhosOn Gateway Server (WhosOnGateway) - Parker Software - C:\Program Files\WhosOnV5\WOGateway.exe
O23 - Service: WhosOn Query Server (WhosOnQuery) - Parker Software - C:\Program Files\WhosOnV5\WOQueryService.exe
O23 - Service: WhosOn Scheduled Reports (WhosOnReports) - Parker Software - C:\Program Files\WhosOnV5\WOScheduledReports.exe

b) Malwarebytes

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.04.08

Windows Server 2003 Service Pack 2 x86 NTFS
Internet Explorer 7.0.5730.13
Administrator :: MEDIALOUNGE2K3 [administrator]

Protection: Disabled

09/07/2012 11:56:00
mbam-log-2012-07-09 (11-56-00).txt

Scan type: Flash scan
Scan options enabled: Memory | Startup | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: Registry | File System | P2P
Objects scanned: 233072
Time elapsed: 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 2
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MICORSOFT_WINDOWS_SERVICE (Trojan.Agent) -> Quarantined and deleted successfully.
HKLM\SYSTEM\CurrentControlSet\Services\Micorsoft Windows Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\Mozilla Firefox\0.7956427416797901.exe (Exploit.Dropper) -> Quarantined and deleted successfully.

(end)
I have noticed that when killing any svchost.exe processes created by my user, "C:\Documents and Settings\Administrator\Local Settings\Application Data\nbjchubu\shxrrukm.exe" runs and recreates them.

FYI, this is a remote web server, I am unable to reboot into safe mode reliably.

I'd appreciate your help ;)

Thanks
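Added example, not part of the original post: a small Python triage script that reads HijackThis lines like the ones posted above and flags the two persistence mechanisms visible in this log, the extra executable appended to the Winlogon UserInit value (the F2 line) and the HKCU Run entry pointing into a per-user writable directory (the O4 line). The sample input is constructed from the posted log, with the legitimate neighbouring entries left in for contrast. The third check interprets HijackThis 1.99.1's `c:\Program.exe (file missing)` display, which is how that version renders a service whose unquoted ImagePath contains a space; that is a misconfiguration worth fixing but is not evidence of infection on its own. The function names, regexes and directory heuristics are my own choices, not anything from the post, from HijackThis or from Malwarebytes.

```python
import re

# Constructed sample input: the persistence-related lines from the HijackThis
# log posted above, plus the legitimate entries next to them for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\Administrator\Local Settings\Application Data\nbjchubu\shxrrukm.exe,
O4 - HKLM\..\Run: [VMware Tools] "C:\Program Files\VMware\VMware Tools\VMwareTray.exe"
O4 - HKCU\..\Run: [ShxRrukm] C:\Documents and Settings\Administrator\Local Settings\Application Data\nbjchubu\shxrrukm.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: MySQL - Unknown owner - c:\Program.exe (file missing)
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\Program Files\VMware\VMware Tools\VMwareService.exe
"""

# The only executable that belongs in the Winlogon UserInit value; every extra
# comma-separated entry is started by winlogon at each interactive logon.
EXPECTED_USERINIT = "c:/windows/system32/userinit.exe"

# Per-user writable directories that legitimate autostarts rarely live in
# (heuristic, my own choice; compared against a normalised path).
SUSPICIOUS_DIRS = ("/application data/", "/appdata/", "/temp/")

USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^O4 - (\S+?)\\\.\.\\Run: \[(.*?)\] (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


def normalise(path):
    """Lower-case a Windows path, drop surrounding quotes and use '/' separators."""
    return path.strip().strip('"').lower().replace("\\", "/")


def extra_userinit_entries(value):
    """Return every UserInit entry other than the real userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if normalise(e) != EXPECTED_USERINIT]


def in_user_writable_dir(command):
    """True if the autostart command lives under a per-user writable directory."""
    path = normalise(command)
    return any(d in path for d in SUSPICIOUS_DIRS)


def triage(log_text):
    """Scan HijackThis log lines and return a list of (category, detail) findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := USERINIT_RE.match(line):
            for exe in extra_userinit_entries(m.group(1)):
                findings.append(("userinit_hijack", exe))
        elif m := RUN_RE.match(line):
            hive, name, command = m.groups()
            if in_user_writable_dir(command):
                findings.append(("run_key_in_user_dir", f"{hive} [{name}] {command}"))
        elif m := SERVICE_RE.match(line):
            name, _owner, image = m.groups()
            # HijackThis 1.99.1 prints an unquoted ImagePath containing a space
            # as "<drive>:\Program.exe (file missing)": an unquoted service path
            # misconfiguration, not by itself a sign of infection.
            if re.search(r"^[a-z]:/program\.exe \(file missing\)$", normalise(image)):
                findings.append(("unquoted_service_path", name))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```

The F2 line reflects the `Userinit` value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, and the O4 line the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` key, so the same check on the live server is a matter of reading those two values. Because winlogon launches every UserInit entry at each interactive logon, quarantining the .exe alone is not a complete fix: the `Userinit` value needs to be restored to `C:\WINDOWS\system32\userinit.exe,` on its own and the `ShxRrukm` Run entry removed, otherwise the same autostart is attempted again at the next logon.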
