Wilders Security Forums  

Other Security Topics > malware problems & news
#1
June 2nd, 2006, 12:17 PM
SystemJunkie (Resident Conspiracy Theorist, Join Date: Mar 2006, Location: Germany, Posts: 1,500)
Strange directories and hidden things

Actually I reinstalled an old backup and found a new behaviour I hadn't seen before: many different directories are created through own files, program dir, windows and system32 dir. In Explorer it looks like usual directories, but Rootkit Detector 2 reveals folders with ? and a hidden thing called: HIDDEN: C:\WINDOWS\system32\OPVOC

hxxp://i3.tinypic.com/11hcqip.png

hxxp://i3.tinypic.com/11h8etf.png

I have neither something like Oracle nor Symantec on my system. Crazy, isn't it?

Maybe it is useful to mention that a temp file is always created; in nearly all cases it has the same MD5 hash, only the name changes regularly. It is always recreated, or persists even if you try to delete everything in the temp folder. The file looks like this: ~DF7EAE.tmp and is 16 KB in size.

Probably nothing special but better to mention.
[Attached image: 11hcqip.png]


Last edited by Bubba : June 2nd, 2006 at 02:02 PM. Reason: uploaded locally due to extreme slowness of tinypic servers
#2
June 2nd, 2006, 01:49 PM
StevieO (Frequent Poster, Join Date: Feb 2006, Posts: 1,068)
Re: Strange directories and hidden things

Hi SJ, I see you're back in town!

Those ~DF7EAE.tmp etc. entries, I'm convinced anyway, are from ZoneAlarm. I also sometimes get several of them daily, depending how often I log on and off the internet. So in that case they are nothing to worry about. I've just checked my TMP files and I have one in there which right now is 2 KB. At the end of the day I physically disconnect the modem plug from the wall socket, close down ZA and then I am able to delete those, and also fwpktlog.txt/fwdbglog.txt/tvDebug.log and the "your computer name".ldb file too. They get newly recreated after a reboot.

Regarding the ? etc. entries, can't help you there.


StevieO
#3
June 2nd, 2006, 03:04 PM
SystemJunkie (Resident Conspiracy Theorist, Join Date: Mar 2006, Location: Germany, Posts: 1,500)
Re: Strange directories and hidden things

Hi Stevie,

I noticed too that one temp file was generated by Zone Alarm, good info,
but there still remain two temps with 16 KB which are unerasable.
#4
June 2nd, 2006, 04:34 PM
StevieO (Frequent Poster, Join Date: Feb 2006, Posts: 1,068)
Re: Strange directories and hidden things

You could try the excellent FREE Unlocker to get rid of those "undeletable" files; it usually works for most people anyway!

http://ccollomb.free.fr/unlocker/


StevieO
#5
June 2nd, 2006, 07:01 PM
SystemJunkie (Resident Conspiracy Theorist, Join Date: Mar 2006, Location: Germany, Posts: 1,500)
Re: Strange directories and hidden things

I will try it! Besides, is it usual that the following functions of svchost are hooked? It's a tool I really like to use, called Spybro.

[Attached image: 11i32g4.png]

And something I am keen to know: does anyone have the following CLSIDs?

HKCR\Interface
{50EA08B0-DD1B-4664-9A50-C2F40F4BD79A}
{50EA08B1-DD1B-4664-9A50-C2F40F4BD79A}
{50EA08B2-DD1B-4664-9A50-C2F40F4BD79A}
.. until .. {50EA08BE-DD1B-4664-9A50-C2F40F4BD79A}

Symantec says that these are legitimate CLSIDs but also used by spyware.

What about these CLSIDs, are they essential or only spyware?

HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}

HKEY_CLASSES_ROOT\CLSID\{00020420-0000-0000-C000-000000000046}
{00020421-0000-0000-C000-000000000046}
{00020422-0000-0000-C000-000000000046}
{00020423-0000-0000-C000-000000000046}
{00020424-0000-0000-C000-000000000046}
{00020425-0000-0000-C000-000000000046}

??

And are the following files in system32 really Aureate Spy
or only Windows internal files: nscompat.tlb (23 KB), amcompat.tlb (17 KB)?

So many questions.. besides, I noticed in the user temp a file called mc21.tmp, 71 KB in size; Spybro identified this one as a driver which temporarily appears.

I ask this because regular antivirus and antispyware don't alert, but the keys and files are there and some Google info indicates spyware.

Does anyone know if it is usual that clbcatq.dll, comres.dll, oleaut32.dll have no Microsoft description?

Last edited by SystemJunkie : June 2nd, 2006 at 07:24 PM.
#6
June 9th, 2006, 04:29 PM
JRosenfeld (Regular Poster, Join Date: Jul 2004, Posts: 117)
Re: Strange directories and hidden things

XP SP2 all updates. Clean system.
I have all the \Interface, \CLSID and \Typelib keys you mention.

I also have both of the .tlb files you mention.

The .dll files you mention all say "Unknown application" on the General tab, but mention Microsoft on the Version tab of their properties.

You can get info on Microsoft dll files at http://support.microsoft.com/dllhelp/
#7
June 10th, 2006, 02:51 AM
IMM (Spyware Fighter, Join Date: May 2004, Posts: 351)
Re: Strange directories and hidden things

The mc21.tmp file is indicative of an older rootkit type of driver (Vanquish), but you have to watch out for the fact that there are actually a few legitimate utilities using this technique as well.

You will notice in your Windows Explorer list that you have two system32 folders listed.
The one which sorts last alphabetically in the display will be the one with the foreign character.
It's likely cyrillic http://www.fileformat.info/info/unic...0455/index.htm.
Such characters aren't available in your particular ANSI codepage and therefore appear as undecipherable with something using ANSI (i.e. as a question mark).

This latter (foreign char thing) is 'almost' a sure sign of infection, though you have so many there that I wonder if it wasn't an effect of the way you mounted the image?

------------
edit - there seem to be a lot of 'same-name' dirs. Is this a 64-bit system and the image is showing confusion between the 32-bit and 64-bit dirs?

Last edited by IMM : June 11th, 2006 at 07:02 PM.
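An added illustration of the point IMM makes above (not code from any poster in this thread): a folder name containing a Cyrillic look-alike letter displays as an ordinary letter in a Unicode-aware view, but an ANSI-only tool has no encoding for it and prints '?'. The code page (cp1252), the small confusables table and the directory names are all constructed for this demo; the checks also find pairs of names that differ only by such look-alike characters.

```python
"""Constructed demo: a Cyrillic look-alike in a folder name displays normally
in a Unicode-aware view but becomes '?' under an ANSI code page."""
import unicodedata

# Assumption: the Windows ANSI code page of a Western-European XP install.
ANSI_CODEPAGE = "cp1252"

# Tiny, constructed subset of Unicode confusables: Cyrillic letter -> Latin look-alike.
CONFUSABLES = {"\u041e": "O", "\u0455": "s", "\u0441": "c", "\u0430": "a"}

# Constructed directory listing: genuine names beside look-alike spoofs.
SAMPLE_DIRS = [
    "Oracle",
    "\u041eracle",        # CYRILLIC CAPITAL LETTER O + "racle"
    "system32",
    "\u0455ystem32",      # CYRILLIC SMALL LETTER DZE + "ystem32"
    "Program Files",
]

def ansi_view(name: str, codepage: str = ANSI_CODEPAGE) -> str:
    """Render a name as an ANSI-only tool would: one '?' per unencodable character."""
    return name.encode(codepage, errors="replace").decode(codepage)

def suspicious_chars(name: str, codepage: str = ANSI_CODEPAGE) -> list:
    """List (index, 'U+XXXX', Unicode name) for every character not encodable in codepage."""
    hits = []
    for i, ch in enumerate(name):
        try:
            ch.encode(codepage)
        except UnicodeEncodeError:
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN")))
    return hits

def latin_skeleton(name: str) -> str:
    """Replace known confusables so a spoof collapses onto the name it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)

def lookalike_pairs(names) -> list:
    """Return (spoof, genuine) pairs: names that differ only by confusable characters."""
    by_skeleton = {}
    for n in names:
        by_skeleton.setdefault(latin_skeleton(n), []).append(n)
    pairs = []
    for skeleton, group in by_skeleton.items():
        genuine = [n for n in group if n == skeleton]
        spoofs = [n for n in group if n != skeleton]
        pairs.extend((s, genuine[0]) for s in spoofs if genuine)
    return pairs

if __name__ == "__main__":
    for n in SAMPLE_DIRS:
        if suspicious_chars(n):
            print(f"{n!r} -> ANSI view {ansi_view(n)!r}: {suspicious_chars(n)}")
    print("look-alike pairs:", lookalike_pairs(SAMPLE_DIRS))
```

On a real system the same checks can be run over `os.listdir()` of the Windows and system32 directories; a name that is flagged, or that collides with a genuine name, deserves a closer look.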
#8
June 27th, 2006, 07:25 AM
SystemJunkie (Resident Conspiracy Theorist, Join Date: Mar 2006, Location: Germany, Posts: 1,500)
Re: Strange directories and hidden things

Thanks for the reply, yeah the system is deeply infected, but it's a very hidden thing. What about this? Normal or not?
[Attached image: 15x8s28.gif]

Last edited by SystemJunkie : June 27th, 2006 at 08:18 AM.
#9
June 27th, 2006, 11:07 AM
IMM (Spyware Fighter, Join Date: May 2004, Posts: 351)
Re: Strange directories and hidden things

No, that doesn't look normal. It looks terminal.
That particular folder is one with a bogus view of the actual file structure (in Explorer) anyway.
What does gmer.exe tell you about the system?
Does chkdsk (full) on a reboot do anything for you?
#10
July 9th, 2006, 08:30 PM
SystemJunkie (Resident Conspiracy Theorist, Join Date: Mar 2006, Location: Germany, Posts: 1,500)
Re: Strange directories and hidden things

It is a 64-bit CPU with 32-bit Win XP Pro.

Look what RKRevealer tells me while surfing:
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Internet Explorer\Main\Window_Placement
10.07.2006 02:17 44 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Count 10.07.2006 02:05 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Time 10.07.2006 02:05 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore\Count 10.07.2006 02:05 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore\Time 10.07.2006 02:05 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\iexplore\Count 10.07.2006 02:05 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\iexplore\Time 10.07.2006 02:05 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\iexplore\Count 10.07.2006 02:05 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\iexplore\Time 10.07.2006 02:05 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{BBE59AF5-EE22-4A3A-AB26-3F774D1B4216}\iexplore\Count 10.07.2006 02:05 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{BBE59AF5-EE22-4A3A-AB26-3F774D1B4216}\iexplore\Time 10.07.2006 02:05 16 bytes Data mismatch between Windows API and raw hive data.
S-1-5-21-1409082233-1425521274-682003330-1005 01.01.1601 02:00 0 bytes Error dumping hive: Internal error.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10.07.2006 02:19 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B6D4FBE3DS33AAE46B232812EC773FFA\
Usage\Core 10.07.2006 02:19 4 bytes Data
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 10.07.2006 02:19 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 10.07.2006 02:19 4 bytes Data mismatch between Windows API and raw hive data.

I get red alert attacks (Zone Alarm) every day from the same IP (82.113.20.xxx); they try to connect on port 1080.

And I still noticed a lot of ? in folder names, e.g. System32\Oracle (Explorer view), but in reality on the DOS cmd level it looks like System32\?racle.

Stealth by Design Virus or hidden file infector virus?

[Attached image: 1zg435s.png]

PS: The size of both exe files remained at 640 KB; only the hashes and content changed, as seen above.

May this also be the result of a system instability or driver conflict after rebooting the computer?
But normally Windows is not able to destroy exe files, especially since it is always the same: only the last part of the exe file will be corrupted with 0000s. The very, very strange thing is that this happens irregularly and not that often, but it has happened now for already the 5th time within approx. 6 months. It's not a mass file destruction, only very specific and focussed on very few files.

Last edited by ronjor : July 10th, 2006 at 08:07 AM. Reason: Adjust width of post
#11
July 9th, 2006, 10:58 PM
controler (Massive Poster, Join Date: Jun 2002, Posts: 3,268)
Re: Strange directories and hidden things

SteveO, here is another one. Boot Deleter, bottom of page.

http://nod32sse.hotserv.dk/scanners.php
#12
July 10th, 2006, 02:45 AM
StevieO (Frequent Poster, Join Date: Feb 2006, Posts: 1,068)
Re: Strange directories and hidden things

SJ,

You're supposed to run RKR with the minimal amount of background tasks and apps running, and not touch the PC at all until RKR has completely finished its scan. So that includes surfing etc., and that's why you see those IE entries!

If you do a search on the Sysinternals forum for "Data mismatch between Windows API and raw hive data" you should find plenty of answers.

Also, any files like the ones you often mention that you think might be suspicious can be uploaded to these free online sites for examination.

http://www.virustotal.com/vt/

http://virusscan.jotti.org/

http://scanner.virus.org/

What are the missing x's from this 82.113.20.xxx ?

Getting lots of incoming probes etc. is nothing unusual in itself, even to the same ports every day from the same IPs. I get plenty from all sorts of IPs, some you wouldn't believe!

With regard to the 640 KB .exe file, please see my PM.

controler,

If I'd remembered about Boot Deleter earlier I could have tried to use it to get rid of the file in this thread: http://www.wilderssecurity.com/showthread.php?t=138403

Saved it for a rainy day though. Thanks.


StevieO
#13
July 10th, 2006, 07:35 AM
SystemJunkie (Resident Conspiracy Theorist, Join Date: Mar 2006, Location: Germany, Posts: 1,500)
Re: Strange directories and hidden things

Okay, so far everything is usual, except the exe file modifications and the directories starting with ?.

Just for info, does anyone know what Akamai Tech is? I often noticed lots of connections I never could explain; I never surfed to such IPs, only Yahoo I noticed often gets involved with Akamai Tech IPs. IPs like these: 213.254.212.64, 194.25.136.0, 84.53.160.. - 84.53.163.., 212.243.221.222, 213.200.97..., all these IPs come from Akamai Tech. (.. or xx means the IP range, or that it's not important to know the last few numbers, because the ISP is recognizable without the last numbers.)

I tried to block all of them with Zone Alarm; I made rules to stop connecting on my HTTP port, but once I saw that Akamai Tech still managed to connect to my system and Zone Alarm remained quiet.

Some more suspicious shots here:
http://tinypic.com/1zgz0i9.png
The Ipswitch browser reveals the ? that Explorer disguises as a normal letter.

Besides, the mc..tmp file seems to be generated also from Spybro.exe or other anti-spyware tools. Just for info.

Quote:
You will notice in your Windows Explorer list that you have two system32 folders listed.
The one which sorts last alphabetically in the display will be the one with the foreign character.
It's likely cyrillic http://www.fileformat.info/info/unic...0455/index.htm.
Such characters aren't available in your particular ANSI codepage and therefore appear as undecipherable with something using ANSI (i.e. as a question mark).

This latter (foreign char thing) is 'almost' a sure sign of infection

That was the best answer so far. But what kind of infection? I guess a file infector.

Last edited by SystemJunkie : July 10th, 2006 at 07:43 AM.
#14
July 10th, 2006, 07:42 AM
gerardwil (Massive Poster, Join Date: Jan 2004, Posts: 4,509)
Re: Strange directories and hidden things

http://en.wikipedia.org/wiki/Akamai:

Quote:
Akamai's customers include American Express, Yahoo!, AOL Radio, Symantec, Match.com, Google, Microsoft, FedEx, BBC News website, the Canadian Broadcasting Corporation, Xerox, iVillage, Apple Computer, Music Television (MTV), the United States Geological Survey, the White House, Reuters, Newegg.com, and XM Radio. A list of more customers can be found on [1] Akamai's Website

www.akamai.com/

Nothing to worry about.

Gerard
#15
July 10th, 2006, 08:02 AM
SystemJunkie (Resident Conspiracy Theorist, Join Date: Mar 2006, Location: Germany, Posts: 1,500)
Re: Strange directories and hidden things

Besides, chkdsk showed nothing special. Oops, I tried Gmer, but it resulted in a black screen and a reboot. So here I am back.

Great to hear! Thanks.

Then I'd like to know the thing about Inproc COM Servers. Everyone who
uses Tiny Firewall, or once used Tiny Firewall, can monitor most things that happen in the system.

What about this:
http://i6.tinypic.com/1zgzukp.png

This 0000.. COM server is generated with most exe files, but is temporary in nature; it can never get caught when I try to find it in the registry.

http://i6.tinypic.com/1zgzvde.png

Google finds 0 about this CUri.

http://i6.tinypic.com/1zgzxwy.png

This session information, I never understood its function. Maybe someone remembers when I said that this Windows image had a strange behaviour, e.g. when I used a new security tool with a 30-day trial, it expired within 2 days, a kind of trial turbo killer that prevented me from testing the tools over the usual period, and I often noticed this session information thing.

Last edited by SystemJunkie : July 10th, 2006 at 08:14 AM.
 

All times are GMT -4.