Wilders Security Forums  

Archive of DiamondCS Support Forums > Trojan Defence Suite
#1  sci, April 28th, 2004, 02:46 PM
runtime.exe

Hi!
I hope I'm in the right forum, since I'm also using TDS. I recently scanned my ports and found runtime.exe listening on port 4666, identified as "Serv-U FTP Server" (I mean, woot), and after that I removed and killed the file and rebooted the system. When I logged in, Windows 2000 started crying that some file had been deleted and that I must reinstall Service Pack 4. So I reinstalled SP4, and there it was again: runtime.exe on port 4666, identified as a Serv-U FTP server. Any ideas?

regards!
#2  Pilli (Hampshire UK), April 28th, 2004, 03:05 PM
Re: runtime.exe

Hi, I think you have a problem.

Possibly Backdoor.ServU-based. It might be an idea to check whether you have the processes running and whether the files are there, as shown below.

Not sure if TDS3 with the latest updates removes it all, as there are many variants. Please run a full scan with all options in Configuration enabled. Right-click any findings and delete.

Try this to remove Serv-U FTP Server from your machine manually if TDS does not.
Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Stop Running Processes:
Kill these running processes with Task Manager:

servudaemon.exe
windll16.exe

Unregister DLLs:
Unregister these DLLs with Regsvr32, then reboot:

servuperfcount.dll

Remove Files:
Remove these files (if present) with Windows Explorer

my.asm
serv-u.hlp
servudaemon.exe
servudaemon.ini
servuperfcount.dll
servustartuplog.txt
windll16.exe

HTH Pilli
__________________
"Education is not the filling of a pail, but the lighting of a fire"
Pilli's website http://www.pilliwinks.net
#3  sci, April 28th, 2004, 03:30 PM
Re: runtime.exe

hi and thx for fast answering.
I have run a full 100% scan of my computer but nothing was found. I manually searched for servuperfcount.dll and the other files but found nothing, so now I don't know whether I should or shouldn't. I checked many search engines and found this: "The Trojan attempts to terminate and disable various anti-virus and security related programs and modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites". This is the problem I probably had a few months ago, and then I formatted. I will paste my HijackThis log to see if I'm missing something:

Logfile of HijackThis v1.97.7
Scan saved at 21:27:34, on 28.4.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINNT\System32\nvsvc32.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\runtime.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\WinRoute Pro\winroute.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\Eset\nod32kui.exe
D:\PROGRA~1\PESTPA~1\PPControl.exe
D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
D:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
D:\WINNT\system32\internat.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\WinRoute Pro\wrctrl.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINNT\system32\wuauclt.exe
D:\Program Files\BPFTP Server\G6FTPSrv.exe
D:\Program Files\defencez\tds-3.exe
D:\WINNT\msagent\AgentSvr.exe
D:\Documents and Settings\macura\Desktop\tools\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] D:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ServiceLayer] D:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] D:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [TDS3] D:\Program Files\defencez\TDS-3.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [WrCtrl] "D:\Program Files\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = D:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = D:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...082.5403703704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25290725-CD34-43E8-AFED-831099ED3163}: NameServer = 213.143.65.11,213.143.65.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{25290725-CD34-43E8-AFED-831099ED3163}: NameServer = 213.143.65.11,213.143.65.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{25290725-CD34-43E8-AFED-831099ED3163}: NameServer = 213.143.65.11,213.143.65.12
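The HOSTS-file symptom quoted in the post above (security-vendor sites mapped to some other address) is easy to check for mechanically. The script below is an added example, not code from the thread or from any of the tools mentioned in it; the HOSTS text and the list of watched vendor domains are constructed here so it runs offline, and the documentation address 192.0.2.10 stands in for an attacker-controlled host. It distinguishes entries that blackhole a vendor (pinned to loopback, which silently breaks updates) from entries that redirect it elsewhere (which can serve a fake download or update site).

```python
"""Check a Windows HOSTS file for entries that hijack security-vendor sites.
Added example, not code from the thread; HOSTS text and watched-domain list
are constructed so it runs offline.
"""
import ipaddress

# Constructed HOSTS content: the stock localhost line plus three hijacks.
# 192.0.2.0/24 is a documentation range, used here as the attacker's host.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.symantec.com liveupdate.symantec.com
192.0.2.10      update.nod32.com   # serve a fake update site instead
"""

# Domains whose presence in HOSTS is suspicious.  Assumed list for the
# example; extend it with the vendors you actually rely on.
WATCHED_SUFFIXES = ("symantec.com", "nod32.com", "eset.com", "diamondcs.com.au",
                    "windowsupdate.com", "microsoft.com")


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; a stricter audit would flag this too
        for host in parts[1:]:
            yield str(ip), host.lower()


def hijacked_entries(text, watched=WATCHED_SUFFIXES):
    """Return (host, ip, kind) for watched domains pinned in HOSTS.
    Pinning to loopback blackholes updates; pinning elsewhere can hand the
    victim a fake update or download site."""
    hits = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if any(host == s or host.endswith("." + s) for s in watched):
            kind = "blackholed" if ipaddress.ip_address(ip).is_loopback else "redirected"
            hits.append((host, ip, kind))
    return hits


if __name__ == "__main__":
    for host, ip, kind in hijacked_entries(HOSTS_SAMPLE):
        print("%-12s %-28s -> %s" % (kind, host, ip))
```

On a real machine, read %WINDOWS%\System32\Drivers\etc\HOSTS and pass its contents to hijacked_entries; anything it returns should be removed, and the "redirected" entries are worth preserving as evidence of where the attacker wanted traffic to go.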
#4  Pilli, April 28th, 2004, 03:47 PM
Re: runtime.exe

OK, I'll get an HJT expert to take a look.
#5  dvk01 (Global Moderator; Loughton, Essex, UK), April 28th, 2004, 03:59 PM
Re: runtime.exe

I can't see anything obvious.

The problem with runtime.exe is that files of that name are used by many legitimate programs as well as several viruses/trojans.

Can you right-click the runtime.exe file and see what it says in Properties?

As Windows screamed last time you deleted it, I assume it's an M$ file, but to be sure, copy it, zip it up and send it to support@diamondcs.com.au with a short note referring to this thread.
#6  sci, April 28th, 2004, 04:15 PM
Re: runtime.exe

OK, this is where things become very, very interesting. See the following screenshot: http://users.volja.net/drugklas/runtime.jpg ; defencez was a custom choice of directory name, for security purposes. Both files from both directories have been sent to your email: runtime.zip is the file from system32 and runtime2.zip is the other one.

regards
#7  Pilli, April 28th, 2004, 04:22 PM
Re: runtime.exe

Interesting indeed.
The one in the TDS3\xdynamic\TDS.unpk folder is where TDS3 unpacks them for checking.
#8  sci, April 28th, 2004, 04:24 PM
Re: runtime.exe

Another two screenshots to prove that Serv-U FTP is running:

http://users.volja.net/drugklas/port.jpg
http://users.volja.net/drugklas/port2.jpg
#9  Pilli, April 28th, 2004, 04:43 PM
Re: runtime.exe

Hmm, I do not have that file in my XP Pro or Server 2003 system32 folder.

Can you right-click it and show us its properties, please?
#10  dvk01, April 28th, 2004, 04:50 PM
Re: runtime.exe

Rather than waiting for Gavin to reply tomorrow with what he finds in the file, please send a copy of the runtime.exe to me as well (submit@thespykiller.co.uk) and I'll have a look inside it and see what I can find out about it tonight.
#11  sci, April 28th, 2004, 05:02 PM
Re: runtime.exe

OK, the mail has been sent and here are the requested properties:

http://users.volja.net/drugklas/properties.jpg

As can be seen, the file doesn't have any personal info, which bothers me because all Windows system files have it.
#12  Pilli, April 28th, 2004, 05:16 PM
Re: runtime.exe

Looks like you have a nasty there but let's see what dvk01 & or Gavin have to say.
#13  dvk01, April 28th, 2004, 05:27 PM
Re: runtime.exe

I have had a look inside it with a disassembler and it's definitely a baddie.

Several strings saying you have been hacked by god, and various XXXX words.

Why Windows screams when it's removed I don't know, but it's a Serv-U baddie.

Where did you get your Service Pack 4 from? Because if it's on a CD, and as you deleted runtime.exe and it was reinstalled with SP4, it's starting to look like the SP itself is a hacked copy, and I wouldn't like to say what else is on that SP that shouldn't be.

Due to the time zone problems you won't get a reply from Gavin for a few hours yet; it's about 5.30 am in Australia where he is.

Check the SP4 you have and let us know where that came from.
#14  sci, April 28th, 2004, 05:33 PM
Re: runtime.exe

The SP came from www.microsoft.com.
OK, I'll wait for the final opinion tomorrow, no problem, and thanks for the help (the file is blocked by the firewall for incoming and outgoing, so it isn't doing any harm atm).
#15  dvk01, April 28th, 2004, 05:36 PM
Re: runtime.exe

Well, runtime.exe is definitely not a legitimate Windows file, and why you can't delete it I don't know.

The best advice I can give is to wait till the morning and Gavin's reply and see what he says. He is the EXPERT at these.
#16  Gavin - DiamondCS (Former DCS Moderator; Perth, Western Australia), April 29th, 2004, 12:15 AM
Re: runtime.exe

Yep, definitely a SERVU server. The question is HOW it got there. Obviously not from the SP install. Do you have STRONG passwords on all user accounts? Check if any new accounts or shares have been put in place too.

You have a ZIP somewhere on your machine which contains runtime.exe, if it showed up in the UNPK folder. The next database will detect this ServU server, so you can remove the zip too. Something must be restoring the file. You may have an XDCC bot; TDS should reveal an IROFFER trojan if it's one of the hack kits, as I would presume it would be. Please submit an ASViewer log, since it could be using an exotic startup that HJT doesn't show:

http://www.diamondcs.com.au/index.php?page=asviewer

You will need to enable viewing of all autostarts; the quick way is to just press F2, F3, F4 once each, then choose SAVE.
#17  sci, April 29th, 2004, 07:02 AM
Re: runtime.exe

OK, it has been sent. From the log, very, very much can be seen, even the trojans I had removed a month ago. I have updated TDS with the latest database and started a 100% scan; I believe it's not going to find any XDCC or other process because, like I said, runtime.exe was blocked by the firewall from the beginning, when I first saw it.
OK, update: it has found runtime.exe and described it as a ServU trojan (yeah, cool).

regards

Last edited by sci : April 29th, 2004 at 07:53 AM.
#18  sci, April 29th, 2004, 10:33 AM
Re: runtime.exe

Good news for everyone who helped, and for others who might have the same problem in the future! I have deleted runtime.exe, with the help of that startup tool, and rebooted the system, and Windows isn't crying for that file anymore. I believe it was crying because of that registry entry, which hadn't been removed the first time I deleted the file, so I had to reinstall the service pack. The service pack remains a mystery; I have extracted all its files and couldn't find runtime.exe. So thanks again, administrators, for all the support and help.

regards
#19  Gavin - DiamondCS, April 30th, 2004, 12:20 AM
Re: runtime.exe

Hi,

Glad to see it. I pointed out a service entry for that nasty when I emailed you.

I saw a LOT of entries and am awaiting your email back. If those EXEs are gone, just remove the startups. I was wondering how you could have so many! It makes sense if they are just leftover startups and the file is gone.
#20  sci, April 30th, 2004, 09:04 AM
Re: runtime.exe

Yep, that's the whole point: the startups were "ready" for these files if they ever appeared again, since I removed them quite a long time ago.
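The thread's diagnosis came together from three separate observations: a process listening on a port nobody expected (runtime.exe on TCP 4666), an autostart or service entry that kept restoring the file after it was deleted, and a pile of leftover startup entries whose executables were long gone. The script below ties those checks together as one triage pass. It is an added example, not code from the thread, from DiamondCS/TDS or from ASViewer; the netstat output, the PID-to-image map, the autostart listing (its layout is an assumption, not ASViewer's real format), the set of files present on disk and the baseline of expected listening ports are all constructed so it runs offline. On a live host you would replace them with the real output of `netstat -ano` and `tasklist`, your autostart listing, and os.path.exists checks.

```python
"""Triage: unexpected listeners, the autostarts that restore them, and
orphaned autostarts.  Added example; all inputs are constructed.
"""
import re

# Constructed `netstat -ano` output.  The 4666 listener mirrors the report
# in this thread; PIDs and the other rows are made up.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       404
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       8
  TCP    0.0.0.0:4666           0.0.0.0:0              LISTENING       1240
  TCP    10.0.0.5:1055          192.0.2.20:80          ESTABLISHED     1604
  UDP    0.0.0.0:137            *:*                                    8
"""

# Constructed PID -> image map (assumed; take it from tasklist on a real box).
PID_TO_IMAGE = {
    8: r"D:\WINNT\system32\ntoskrnl.exe",   # 'System' on Windows 2000
    404: r"D:\WINNT\system32\svchost.exe",
    1240: r"D:\WINNT\system32\runtime.exe",
    1604: r"D:\WINNT\Explorer.EXE",
}

# Constructed autostarts as (location, value name, command line).  The
# service entry stands in for the "service entry for that nasty"; windll16
# is a Run value whose file was cleaned up earlier (the leftover case).
AUTOSTARTS = [
    ("HKLM\\...\\Run", "nod32kui", r"D:\Program Files\Eset\nod32kui.exe /WAITSERVICE"),
    ("Services\\Runtime", "ImagePath", r"D:\WINNT\system32\runtime.exe"),
    ("HKLM\\...\\Run", "windll16", r"D:\WINNT\system32\windll16.exe"),
]

# Constructed view of which files exist (assumed; use os.path.exists live).
PRESENT_FILES = {
    r"D:\Program Files\Eset\nod32kui.exe",
    r"D:\WINNT\system32\runtime.exe",
    r"D:\WINNT\system32\svchost.exe",
}

# Ports this box is expected to listen on.  Assumed baseline; tune it.
EXPECTED_LISTEN_PORTS = {135, 137, 138, 139, 445}


def parse_netstat(text):
    """Return (proto, local_port, state, pid) per row.  UDP rows have no
    State column, so fields are read from both ends of the line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header and blank lines
        port = int(parts[1].rsplit(":", 1)[1])
        state = parts[3] if parts[0] == "TCP" and len(parts) >= 5 else "-"
        rows.append((parts[0], port, state, int(parts[-1])))
    return rows


def executable_of(command):
    """Executable path from an autostart command line: handles quoted
    paths and trailing arguments such as /WAITSERVICE."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|cmd|bat|scr))(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command


def triage(netstat_text, pid_to_image, autostarts, present_files,
           expected_ports=EXPECTED_LISTEN_PORTS):
    """Return (finding, path, detail) tuples.  Findings:
    unexpected-listener, autostart-restores-listener, orphaned-autostart."""
    present = {p.lower() for p in present_files}
    listeners = {}  # lower-cased image path -> ports it listens on
    findings = []
    for proto, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound sockets are a separate question
        image = pid_to_image.get(pid, "<unknown pid %d>" % pid)
        listeners.setdefault(image.lower(), []).append(port)
        if port not in expected_ports:
            findings.append(("unexpected-listener", image,
                             "%s/%d pid %d" % (proto, port, pid)))
    for location, name, command in autostarts:
        exe = executable_of(command)
        where = "%s\\%s" % (location, name)
        if exe.lower() not in present:
            findings.append(("orphaned-autostart", exe, where))
        elif exe.lower() in listeners:
            findings.append(("autostart-restores-listener", exe,
                             "%s -> ports %s" % (where, listeners[exe.lower()])))
    return findings


if __name__ == "__main__":
    for finding, path, detail in triage(NETSTAT_SAMPLE, PID_TO_IMAGE,
                                        AUTOSTARTS, PRESENT_FILES):
        print("%-28s %-36s %s" % (finding, path, detail))
```

The ordering matters in practice: remove or disable the autostart that points at the listener before deleting the binary, otherwise the next reboot (or a watchdog service) puts it straight back, which is the loop the original poster hit. Orphaned entries are harmless on their own but are exactly where a re-dropped file would get picked up again, so they go too.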
Copyright ©2002 - 2013, Wilders Security Forums