
Got hacked (need a svchost expert!)


11 replies to this topic

#1 Stranger2k


Posted 23 December 2013 - 06:47 PM

Hi all, to make a long story short, we definitely had an intruder in our system.  Currently, I have two server machines running a continuous scan of random IP addresses all over, trying to find IPs with TCP port 3389 open.

 

The curious thing is that the scan is coming from a "svchost.exe -k netsvcs" process in both cases.  Looking at Process Explorer for that particular instance of svchost, I stopped every service it was hosting that could be stopped (which included server, workstation, task scheduler, and a big bunch of others), leaving me with the following services which I could not stop:

 

AeLookupSvc (aelupsvc.dll)
EventSystem (es.dll)
RasMan (rasmans.dll)
RemoteAccess (mprdim.dll)
wuauserv (wuauserv.dll)

 

All of the above are located in c:\windows\system32, and looking at their file properties, they look like legit Microsoft Corp files.  The svchost.exe file itself also verifies successfully using Process Explorer's verification tool.

 

My question is: where is the port scan coming from, given that I've verified all the services running under this PID?  I don't think he ever got administrator access.  Could he have used task scheduler to launch a task - if so, wouldn't it show up as a separate process rather than as svchost itself? 

 

Any help would be GREATLY appreciated!


Edited by hamluis, 23 December 2013 - 07:03 PM.
Moved from MRL to AII - Hamluis.




#2 noknojon


Posted 23 December 2013 - 08:48 PM

Hello -

Please follow all directions from cryptodan - see below.

Thank You -

EDITED -


Edited by noknojon, 23 December 2013 - 08:57 PM.


#3 cryptodan


Posted 23 December 2013 - 08:52 PM

Noknojon,
 
I had requested this thread moved to AII so some preliminary scans can be done to determine if this is just the case of paranoia or otherwise.

The scans were done to remove suspected malware.

Please perform the following, so that we can get the exact specs of your computer. This will better assist us in helping you more.

Publish a Snapshot using Speccy

The below is for those who cannot get online

Please take caution when attaching a text file to your post if you cannot copy/paste the link to your post, you will need to edit it to make sure that your Windows Key is not present.

Please download MiniToolBox, and save it to your desktop and run it, and checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Reset IE Proxy Settings
  • Report FF Proxy Settings
  • Reset FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List Winsock Entries
  • List last 10 Event Viewer log
  • List Installed Programs
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using "Reset FF Proxy Settings" option Firefox should be closed.

Edited by cryptodan, 23 December 2013 - 08:56 PM.


#4 Stranger2k


Posted 23 December 2013 - 09:43 PM

To provide additional detail relevant to the paranoia question:

- We had a RDP port open to the internet ( yes, I know :( ).  This morning, a user reported that his PC said it was "locked and in use" with a test account which no one uses; no one had access to the PC overnight.

- Looking at the Security event log on his PC and two other servers, I found hundreds of failed login attempts, a constant barrage that had lasted 3 days, with usernames that were obviously guesses.  They were coming from the PC that had RDP exposure to the internet.

- I have disabled the test account, but the attempts to guess passwords are continuing, and this PC and two servers are making thousands of outgoing RDP connection attempts all over the world.  

- I shut down every device on the network simultaneously, but the port scans resumed immediately after everything was powered back on, so they must have some sort of backdoor.

- I do have complete firewall syslogs, which grew from 300MB per day normally to between 2 and 3 GB per day in the last three days.  

I hope this will clarify the paranoia issue.

 

 

MiniToolBox results.txt:

MiniToolBox by Farbar  Version: 18-12-2013
Ran by administrator (administrator) on 23-12-2013 at 21:40:55
Running from "C:\Documents and Settings\Administrator.XYZ\Local Settings\Temporary Internet Files\Content.IE5\JX5JC23H"
Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86)
Boot Mode: Normal
***************************************************************************
 
========================= Flush DNS: ===================================
 
 
Windows IP Configuration
 
 
 
Successfully flushed the DNS Resolver Cache.
 
 
========================= IE Proxy Settings: ============================== 
 
Proxy is not enabled.
No Proxy Server is set.
 
"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
 
 
127.0.0.1       localhost
 
========================= IP Configuration: ================================
 
Broadcom NetXtreme Gigabit Ethernet = Local Area Connection (Connected)
 
 
# ---------------------------------- 
# Interface IP Configuration         
# ---------------------------------- 
pushd interface ip
 
 
# Interface IP Configuration for "Local Area Connection"
 
set address name="Local Area Connection" source=static addr=192.168.0.9 mask=255.255.255.0
set address name="Local Area Connection" gateway=192.168.0.1 gwmetric=0
set dns name="Local Area Connection" source=static addr=192.168.0.17 register=PRIMARY
add dns name="Local Area Connection" addr=192.168.0.15 index=2
set wins name="Local Area Connection" source=static addr=192.168.0.8
 
 
popd
# End of interface IP configuration
 
 
 
 
Windows IP Configuration
 
 
 
   Host Name . . . . . . . . . . . . : XYZ04
 
   Primary Dns Suffix  . . . . . . . : XYZs.int
 
   Node Type . . . . . . . . . . . . : Hybrid
 
   IP Routing Enabled. . . . . . . . : Yes
 
   WINS Proxy Enabled. . . . . . . . : No
 
   DNS Suffix Search List. . . . . . : XYZs.int
 
 
 
Ethernet adapter Local Area Connection:
 
 
 
   Connection-specific DNS Suffix  . : 
 
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
 
   Physical Address. . . . . . . . . : 00-18-8B-FD-89-0A
 
   DHCP Enabled. . . . . . . . . . . : No
 
   IP Address. . . . . . . . . . . . : 192.168.0.9
 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
 
   Default Gateway . . . . . . . . . : 192.168.0.1
 
   DNS Servers . . . . . . . . . . . : 192.168.0.17
 
                                       192.168.0.15
 
   Primary WINS Server . . . . . . . : 192.168.0.8
 
Server:  XYZ24.XYZs.int
Address:  192.168.0.17
 
Name:    google.com
Addresses:  74.125.226.233, 74.125.226.232, 74.125.226.238, 74.125.226.228
 74.125.226.226, 74.125.226.229, 74.125.226.224, 74.125.226.225, 74.125.226.227
 74.125.226.231, 74.125.226.230
 
 
 
Pinging google.com [173.194.43.40] with 32 bytes of data:
 
 
 
Reply from 173.194.43.40: bytes=32 time=10ms TTL=58
 
Reply from 173.194.43.40: bytes=32 time=15ms TTL=58
 
 
 
Ping statistics for 173.194.43.40:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 10ms, Maximum = 15ms, Average = 12ms
 
Server:  XYZ24.XYZs.int
Address:  192.168.0.17
 
Name:    yahoo.com
Addresses:  98.139.183.24, 206.190.36.45, 98.138.253.109
 
 
 
Pinging yahoo.com [98.139.183.24] with 32 bytes of data:
 
 
 
Reply from 98.139.183.24: bytes=32 time=23ms TTL=55
 
Reply from 98.139.183.24: bytes=32 time=24ms TTL=55
 
 
 
Ping statistics for 98.139.183.24:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 23ms, Maximum = 24ms, Average = 23ms
 
 
 
Pinging 127.0.0.1 with 32 bytes of data:
 
 
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
 
 
 
Ping statistics for 127.0.0.1:
 
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
 
Approximate round trip times in milli-seconds:
 
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
 
 
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 18 8b fd 89 0a ...... Broadcom NetXtreme Gigabit Ethernet - Teefer2 Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.9     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.0.0    255.255.255.0      192.168.0.9      192.168.0.9     10
      192.168.0.9  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.0.255  255.255.255.255      192.168.0.9      192.168.0.9     10
        224.0.0.0        240.0.0.0      192.168.0.9      192.168.0.9     10
  255.255.255.255  255.255.255.255      192.168.0.9      192.168.0.9      1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
========================= Winsock entries =====================================
 
Catalog5 01 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog5 02 C:\WINDOWS\system32\winrnr.dll [17408] (Microsoft Corporation)
Catalog5 03 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
ATTENTION: The LibraryPath should be "%SystemRoot%\system32\NLAapi.dll"
 
Catalog9 01 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 02 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 03 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 04 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 05 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 06 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 07 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 08 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 09 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 10 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
Catalog9 11 C:\WINDOWS\system32\mswsock.dll [256000] (Microsoft Corporation)
 
========================= Event log errors: ===============================
 
Application errors:
==================
Error: (12/23/2013 09:29:22 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Attempt to determine whether user and machine accounts are in the same forest failed (The interface is unknown. ).
 
Error: (12/23/2013 09:24:15 PM) (Source: Userenv) (User: NT AUTHORITY)
Description: Attempt to determine whether user and machine accounts are in the same forest failed (The interface is unknown. ).
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32) (User: )
Description: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
 
 
System errors:
=============
Error: (12/23/2013 09:35:22 PM) (Source: DCOM) (User: )
Description: The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.
 
Error: (12/23/2013 09:29:41 PM) (Source: TermServDevices) (User: )
Description: Driver Brother QL-1060N required for printer !!XYZ24!LABEL (Brother QL-1060N) is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (12/23/2013 09:29:41 PM) (Source: TermServDevices) (User: )
Description: Driver Gestetner MPC2500/DSc525 PCL 6 required for printer !!XYZ03!Color Copier 1 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (12/23/2013 09:29:41 PM) (Source: TermServDevices) (User: )
Description: Driver Brother QL-1060N required for printer !!192.168.0.8!LABEL (Brother QL-1060N) is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (12/23/2013 09:29:40 PM) (Source: TermServDevices) (User: )
Description: Driver Brother HL-6050D/DN series required for printer !!XYZ03!Brother HL6050DN (MC) is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (12/23/2013 09:29:40 PM) (Source: TermServDevices) (User: )
Description: Driver EPSON Stylus Pro 9900 required for printer !!XYZ03!EPSON Stylus Pro 9900 Direct is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (12/23/2013 09:29:38 PM) (Source: TermServDevices) (User: )
Description: Driver Graphtec FC7000 required for printer !!XYZ24!Graphtec FC7000 Vinyl Cutter is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (12/23/2013 09:29:25 PM) (Source: TermServDevices) (User: )
Description: Driver Graphtec FC7000 required for printer !!XYZ03!Graphtec FC7000 Vinyl Cutter is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (12/23/2013 09:29:25 PM) (Source: TermServDevices) (User: )
Description: Driver Gestetner MP C3001 PCL 6 required for printer !!XYZ24!Color Copier 2 PCL6 is unknown. Contact the administrator to install the driver before you log in again.
 
Error: (12/23/2013 06:37:35 PM) (Source: Service Control Manager) (User: )
Description: The Workstation service terminated with the following error: 
%%1794
 
 
Microsoft Office Sessions:
=========================
Error: (12/23/2013 09:29:22 PM) (Source: Userenv)(User: NT AUTHORITY)
Description: The interface is unknown.
 
Error: (12/23/2013 09:24:15 PM) (Source: Userenv)(User: NT AUTHORITY)
Description: The interface is unknown.
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32)(User: )
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32)(User: )
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32)(User: )
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32)(User: )
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32)(User: )
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32)(User: )
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32)(User: )
 
Error: (12/23/2013 07:55:17 PM) (Source: crypt32)(User: )
 
 
=========================== Installed Programs ============================
 
Adobe Reader 8.1.2 (Version: 8.1.2)
ATI Display Driver (Version: 8.24.3-060405a-041210C-Dell)
Dell Online Diagnostics 2.15.0 (Version: 2.15.0)
Dell OpenManage Management Station (Version: 5.4.0)
Dell OpenManage Server Administrator (Version: 5.4.0)
Emsisoft Anti-Malware (Version: 8.1)
EZ GPO Power Management Config Tool (Version: 2.0.14)
FileZilla Client 3.5.3 (Version: 3.5.3)
getPlus®_ocx
Java™ 6 Update 17 (Version: 6.0.170)
LiveUpdate 3.0 (Symantec Corporation) (Version: 3.0.0.160)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Extended (Version: 4.0.30319)
Microsoft SQL Server 2008 R2 Native Client (Version: 10.50.1600.1)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.59193)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Module SDK (Version: 1.0.1)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB2758696) (Version: 6.20.2016.0)
Shadow Copy Client (Version: 5.2.01)
Speccy (Version: 1.24)
Symantec Backup Exec Remote Agent for Windows Systems (Version: 13.0.5204)
Symantec Endpoint Protection (Version: 12.1.1000.157)
UltraVNC v1.0.2 (Version: 1.1.0.2)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Server 2003 (KB2345886) (Version: 1)
Update for Windows Server 2003 (KB2661254) (Version: 1)
Update for Windows Server 2003 (KB2736233) (Version: 1)
Update for Windows Server 2003 (KB2748349) (Version: 1)
Update for Windows Server 2003 (KB2749655) (Version: 1)
Update for Windows Server 2003 (KB927891) (Version: 5)
Update for Windows Server 2003 (KB936357) (Version: 1)
Update for Windows Server 2003 (KB948496) (Version: 1)
Update for Windows Server 2003 (KB955759) (Version: 1)
Update for Windows Server 2003 (KB968389) (Version: 1)
Update for Windows Server 2003 (KB971029) (Version: 1)
Update for Windows Server 2003 (KB973815) (Version: 1)
Update for Windows Server 2003 (KB973825) (Version: 1)
Windows Imaging Component (Version: 3.0.0.0)
Windows Management Framework Core
Windows Server 2003 Service Pack 2 Administration Tools Pack (Version: 5.2.3790.3959)
Windows Support Tools (Version: 5.2.3790.3959)
 
**** End of log ****
 
Speccy has been stuck on "analyzing network" for the past 15 minutes or so, I will publish as soon as it's done.
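The failed-logon barrage described at the top of this post (hundreds of guessed user names, all from the one PC with RDP exposed) can be summarised mechanically instead of by eye: an added PowerShell example, not code from the thread or from any tool it mentions, that groups Windows Server 2003 / XP logon-failure events (ID 529; 4625 is the Vista and later equivalent) by the workstation and source address named in the event text. It assumes PowerShell 2.0 or later, rights to read the Security log, and that failure auditing of logon events is enabled.

```powershell
# Added example, not from the thread. Summarises Security-log logon failures (event 529
# on Windows Server 2003 / XP) by the source that generated them, so one noisy host
# stands out. Assumes PS 2.0+, read access to the Security log and failure auditing on.

function Get-EventField([string]$Text, [string]$Label) {
    # Fields appear as "Label:<tab>value" on their own line; anchoring at line start keeps
    # "User Name:" from matching inside "Caller User Name:".
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':[ \t]*([^\r\n]*)'
    if ($Text -match $pattern) { $matches[1].Trim() } else { '' }
}

function Get-LogonFailureSources {
    param(
        [int]$Hours     = 72,   # the OP's barrage ran for three days
        [int]$Threshold = 50    # failures from one source before it is flagged
    )
    $since   = (Get-Date).AddHours(-$Hours)
    $events  = Get-EventLog -LogName Security -InstanceId 529 -After $since -ErrorAction SilentlyContinue
    $sources = @{}

    foreach ($e in $events) {
        $ws   = Get-EventField $e.Message 'Workstation Name'
        $addr = Get-EventField $e.Message 'Source Network Address'   # present on 2003 SP1+ for RDP
        $user = Get-EventField $e.Message 'User Name'
        if (-not $ws)   { $ws   = '?' }
        if (-not $addr) { $addr = '-' }

        $key = "$ws|$addr"
        if (-not $sources.ContainsKey($key)) {
            $sources[$key] = @{ Workstation = $ws; Address = $addr; Count = 0
                                Users = @{}; First = $e.TimeGenerated; Last = $e.TimeGenerated }
        }
        $s = $sources[$key]
        $s.Count++
        $s.Users[$user] = $true
        if ($e.TimeGenerated -lt $s.First) { $s.First = $e.TimeGenerated }
        if ($e.TimeGenerated -gt $s.Last)  { $s.Last  = $e.TimeGenerated }
    }

    foreach ($s in $sources.Values) {
        # Many distinct account names from one source is the signature of guessing,
        # not of a user mistyping a password.
        $verdict = if ($s.Count -ge $Threshold -and $s.Users.Count -gt 1) { 'BRUTE-FORCE' } else { '' }
        New-Object PSObject -Property @{
            Workstation = $s.Workstation
            Address     = $s.Address
            Failures    = $s.Count
            Accounts    = $s.Users.Count
            First       = $s.First
            Last        = $s.Last
            Verdict     = $verdict
        }
    }
}

Get-LogonFailureSources -Hours 72 -Threshold 50 |
    Sort-Object Failures -Descending |
    Format-Table Workstation, Address, Failures, Accounts, First, Last, Verdict -AutoSize
```

Run it on each machine whose Security log showed the attempts; the Workstation and Address columns identify the source the OP traced by hand.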


#5 cryptodan


Posted 23 December 2013 - 09:51 PM

Please download TDSSKiller exe version to your desktop. Double-click on TDSSKiller.exe to run the tool for known TDSS variants. Vista/Windows 7 users right-click and select Run As Administrator.

  • Click on Change Parameters and click Detect TDLFS File System.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A TDSSKiller text file would be saved in Local Disk C.
  • Copy and paste the contents of that file in your next reply.
ADW Cleaner


Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Clean.
  • Confirm each time with Ok.
  • You will be prompted to restart your computer. A text file will open after the restart.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[S1].txt as well.
Please download Junkware Removal Tool to your desktop.
  • Shut down your protection software now to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.
Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#6 Stranger2k


Posted 23 December 2013 - 10:23 PM

Speccy is still stuck on "Network - Analyzing". 

 

No threats found by TDSSKiller.

 

After running ADWCleaner, it rebooted to a dark gray screen with a movable mouse cursor but no logon prompt.  Ctrl-alt-del does nothing.



#7 cryptodan


Posted 23 December 2013 - 10:27 PM

Can you reboot again and see if you can get to safe mode with network to post the log?

#8 Stranger2k


Posted 23 December 2013 - 10:28 PM

After a few minutes, the system rebooted (back to BIOS test and everything).  I hit F8 and selected Last Known Good Config.  The ADWCleaner log displayed, here it is:

# AdwCleaner v3.016 - Report created 23/12/2013 at 22:14:33
# Updated 23/12/2013 by Xplode
# Operating System : Microsoft Windows Server 2003 Service Pack 2 (32 bits)
# Username : administrator - XYZ04
# Running from : C:\Documents and Settings\Administrator.XYZ\Local Settings\Temporary Internet Files\Content.IE5\HADOCV3P\AdwCleaner[1].exe
# Option : Clean
 
***** [ Services ] *****
 
 
***** [ Files / Folders ] *****
 
 
***** [ Shortcuts ] *****
 
 
***** [ Registry ] *****
 
Key Deleted : HKLM\SOFTWARE\Classes\S
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
 
***** [ Browsers ] *****
 
-\\ Internet Explorer v6.0.3790.3959
 
 
*************************
 
AdwCleaner[R0].txt - [1084 octets] - [23/12/2013 22:11:58]
AdwCleaner[S0].txt - [1014 octets] - [23/12/2013 22:14:33]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [1074 octets] ##########
 
Going to run the rest now.

Edited by Stranger2k, 23 December 2013 - 10:33 PM.


#9 Stranger2k


Posted 23 December 2013 - 11:00 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Microsoft Windows Server 2003 x86
Ran by administrator on Mon 12/23/2013 at 22:36:20.85
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
FSS:
Farbar Service Scanner Version: 05-12-2013
Ran by administrator (administrator) on 23-12-2013 at 23:03:49
Running from "C:\Documents and Settings\Administrator.XYZ\My Documents\Downloads"
Microsoft® Windows® Server 2003, Standard Edition Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
Nsi Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open Nsi registry key. The service key does not exist.
 
nsiproxy Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open nsiproxy registry key. The service key does not exist.
Checking LEGACY_nsiproxy: ATTENTION!=====> Unable to open LEGACY_nsiproxy\0000 registry key. The key does not exist.
 
tdx Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open tdx registry key. The service key does not exist.
Checking LEGACY_tdx: ATTENTION!=====> Unable to open LEGACY_tdx\0000 registry key. The key does not exist.
 
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
mpsdrv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open mpsdrv registry key. The service key does not exist.
Checking LEGACY_mpsdrv: ATTENTION!=====> Unable to open LEGACY_mpsdrv\0000 registry key. The key does not exist.
 
MpsSvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open MpsSvc registry key. The service key does not exist.
 
bfe Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open bfe registry key. The service key does not exist.
 
 
Firewall Disabled Policy: 
==================
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=DWORD:0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=DWORD:0
 
 
System Restore:
============
SDRSVC Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open SDRSVC registry key. The service key does not exist.
 
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
 
 
Windows Update:
============
 
Windows Autoupdate Disabled Policy: 
============================
 
 
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open WinDefend registry key. The service key does not exist.
 
 
Windows Defender Disabled Policy: 
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
 
 
Other Services:
==============
Checking Start type of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ImagePath of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
Checking ServiceDll of iphlpsvc: ATTENTION!=====> Unable to open iphlpsvc registry key. The service key does not exist.
 
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Defaults\FirewallPolicy\FirewallRules" registry key. The key does not exist.
Checking FirewallRules of SharedAccess: ATTENTION!=====> Unable to open "SharedAccess\Parameters\FirewallPolicy\FirewallRules" registry key. The key does not exist.
 
Checking ServiceDll of PolicyAgent: ATTENTION!=====> Unable to open PolicyAgent registry key. The service key does not exist.
 
 
 
File Check:
========
 
ATTENTION!=====> C:\WINDOWS\system32\nsisvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
 
 
ATTENTION!=====> C:\WINDOWS\system32\Drivers\nsiproxy.sys FILE IS MISSING AND SHOULD BE RESTORED.
 
C:\WINDOWS\system32\Drivers\afd.sys
[2007-02-18 07:00] - [2011-12-27 09:13] - 0150528 ____A (Microsoft Corporation) 317E75D96065AC6AF5EF8857CE2E399B
 
 
ATTENTION!=====> C:\WINDOWS\system32\Drivers\tdx.sys FILE IS MISSING AND SHOULD BE RESTORED.
 
C:\WINDOWS\system32\Drivers\tcpip.sys
[2007-02-18 07:00] - [2009-08-15 04:57] - 0393216 ____A (Microsoft Corporation) 238DC2B879D1B37B91F8D5D44F3815D3
 
C:\WINDOWS\system32\dnsrslvr.dll
[2009-04-20 13:38] - [2009-04-20 13:38] - 0045568 ____A (Microsoft Corporation) E927F3B46F85D934C8F420FE08593D1B
 
 
ATTENTION!=====> C:\WINDOWS\system32\mpssvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
 
 
ATTENTION!=====> C:\WINDOWS\system32\bfe.dll FILE IS MISSING AND SHOULD BE RESTORED.
 
 
ATTENTION!=====> C:\WINDOWS\system32\Drivers\mpsdrv.sys FILE IS MISSING AND SHOULD BE RESTORED.
 
 
ATTENTION!=====> C:\WINDOWS\system32\SDRSVC.dll FILE IS MISSING AND SHOULD BE RESTORED.
 
C:\WINDOWS\system32\vssvc.exe
[2007-02-18 07:00] - [2007-02-18 07:00] - 0836096 ____A (Microsoft Corporation) 74A6820792E5BCA5EE4D0CC4595C6916
 
 
ATTENTION!=====> C:\WINDOWS\system32\wscsvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
 
C:\WINDOWS\system32\wbem\WMIsvc.dll
[2008-05-14 10:44] - [2007-02-18 03:00] - 0143360 ____A (Microsoft Corporation) F8D5B9C1A26C933B9EA7740BAB35BCF5
 
C:\WINDOWS\system32\wuaueng.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll
[2008-05-14 10:45] - [2007-02-18 03:00] - 0380928 ____A (Microsoft Corporation) 9D7A318B2C7AE51E9D5374F8EEDE856C
 
C:\WINDOWS\system32\es.dll
[2008-04-29 16:33] - [2008-04-29 16:33] - 0247296 ____A (Microsoft Corporation) C17C56E91045E14DF45D62DD89AED50C
 
C:\WINDOWS\system32\cryptsvc.dll
[2007-02-18 07:00] - [2007-02-18 07:00] - 0056320 ____A (Microsoft Corporation) FEB85DA744DD3F41A427CF6D2BC04FE4
 
 
ATTENTION!=====> C:\Program Files\Windows Defender\MpSvc.dll FILE IS MISSING AND SHOULD BE RESTORED.
 
C:\WINDOWS\system32\ipnathlp.dll
[2007-02-18 07:00] - [2007-02-18 07:00] - 0343552 ____A (Microsoft Corporation) 27C6B8C2AFED21C10429A56DB95735F6
 
 
ATTENTION!=====> C:\WINDOWS\system32\iphlpsvc.dll FILE IS MISSING.
 
C:\WINDOWS\system32\svchost.exe
[2007-02-18 07:00] - [2007-02-18 07:00] - 0014848 ____A (Microsoft Corporation) C09CCFE81DEC9B162533D7184D705682
 
C:\WINDOWS\system32\rpcss.dll
[2012-03-23 13:58] - [2009-02-09 06:02] - 0486912 ____A (Microsoft Corporation) 305A8757D66B5D416B47C497C27A01FE
 
 
 
**** End of log ****


#10 Stranger2k


Posted 24 December 2013 - 06:49 AM

Update - I did some Googling, and this thread appears to describe exactly what I'm seeing:

http://social.technet.microsoft.com/Forums/windowsserver/en-US/31cf740c-818c-4863-8df9-0d9a1d6de6fc/ton-of-outgoing-tcp-3389-from-svchostexe?forum=winserversecurity

 

Another part of the lesson: can't trust the DLL "properties" to validate the file's origin - they (company, copyright, etc.) apparently can be easily faked.
 


Edited by Stranger2k, 24 December 2013 - 07:55 AM.
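A defender's check that follows from the two findings in this thread, the list of services hosted under "svchost.exe -k netsvcs" in the opening post and the lesson above that version-resource strings prove nothing: an added PowerShell example, not code from the thread or from any tool it mentions. It assumes PowerShell 2.0 or later (Windows Management Framework Core appears in the installed-programs list) run from an elevated prompt, and that the netsvcs membership list lives in the usual Svchost registry key.

```powershell
# Added example, not from the thread. Audits every service that svchost.exe -k netsvcs is
# configured to host: resolves the ServiceDll, checks where it lives, and reports the
# Authenticode status next to the (freely editable) version-resource strings.
# Assumes PowerShell 2.0+ and an elevated session.

function Get-SvchostGroupAudit {
    param([string]$Group = 'netsvcs')

    $svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $system32    = [Environment]::ExpandEnvironmentVariables('%SystemRoot%\system32')

    # The group value is a REG_MULTI_SZ listing the member service names.
    $members = (Get-ItemProperty -Path $svchostKey).$Group
    if (-not $members) { throw "No svchost group named '$Group'" }

    foreach ($name in $members) {
        $svcKey = Join-Path $servicesKey $name
        if (-not (Test-Path $svcKey)) { continue }   # listed in the group, not installed here

        # ServiceDll normally sits under Parameters; a few services keep it on the key itself.
        $dll = $null
        foreach ($k in @((Join-Path $svcKey 'Parameters'), $svcKey)) {
            if (Test-Path $k) {
                $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).ServiceDll
                if ($v) { $dll = [Environment]::ExpandEnvironmentVariables($v); break }
            }
        }
        if (-not $dll) { continue }

        $flags   = @()
        $status  = 'n/a'
        $company = ''
        if (-not (Test-Path $dll)) {
            $flags += 'DLL MISSING'
        } else {
            # A netsvcs member loaded from anywhere but System32 deserves a close look.
            if ($dll -notlike "$system32\*") { $flags += 'OUTSIDE SYSTEM32' }

            # Shown for contrast only: anyone can put "Microsoft Corporation" in a resource.
            $company = (Get-Item $dll).VersionInfo.CompanyName

            # The signature is what a file-properties look-over cannot give. HashMismatch or
            # NotTrusted is a hard finding. NotSigned on a 2003-era system file often only
            # means it is catalog-signed, which this cmdlet does not consult; confirm those
            # with Process Explorer's Verify (as the OP did for svchost.exe) or sigcheck.
            $status = (Get-AuthenticodeSignature -FilePath $dll).Status
            switch ("$status") {
                'Valid'     { }
                'NotSigned' { $flags += 'NOT EMBEDDED-SIGNED (check catalog)' }
                default     { $flags += "SIGNATURE $status" }
            }
        }

        New-Object PSObject -Property @{
            Service    = $name
            ServiceDll = $dll
            Company    = $company
            Signature  = "$status"
            Flags      = ($flags -join '; ')
        }
    }
}

# Flagged entries first; anything Valid and inside System32 has an empty Flags column.
Get-SvchostGroupAudit -Group 'netsvcs' |
    Sort-Object @{ Expression = { $_.Flags -eq '' } }, Service |
    Format-Table Service, Signature, Flags, Company, ServiceDll -AutoSize
```

A service whose DLL is outside System32, missing, or fails signature verification is the one to pull out of the group and examine, regardless of what its Company string says.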


#11 Stranger2k


Posted 24 December 2013 - 12:11 PM

Issue has been resolved.



#12 cryptodan


Posted 24 December 2013 - 05:23 PM

Glad you found the resolution and posted it.


You now have to find out who is responsible for infecting the machine.



