svchost.exe in C:\windows\inf\5\nmc ?

Ok something is very wrong with this picture.

See attach IMG....

svchost.exe in C:\windows\inf\5\nmc\
TCP local 0.0.0.0 TCP remote 0.0.0.0 port 2121?

 

Here's a quick snapshot of what I got.....

remind you that del *.* returns not directory found and that a normal dir doesn list any files.

You need to type dir /ah to see a list of files
auth.bat
.psw files
rundll.32
svchost.exe

 

Good old bootdisk.

went in deleted the files
reboot

registry ( no entrys found )
still puzzled has to how the process was executed....
Possible DLL injection type of thing.... don't know problem seems to be fixed.

 

You will also have these hidden files

C:\windows\syscfg32.exe
C:\windows\svchost.exe
C:\windows\system32\wininet32.exe

Wich need to be deleted also

Start - Run - regedit

Search registry for these
C:\windows\inf\5\nmc
( delete de directory branch found in the search ) you should find 4 matchs

Also do a search on wininet32.exe and you should find 2entry ( delete the folder also )

Wich then you would reboot and be good has new

( darn freaking thing to get rid of ) the wininet32.exe will try to contact a server in japan unfortunately I don't have it on hand.

 

It will be one of those XDCC bots.. TDS probably detects some parts of it

First suggestion, zip the entire folder (the INF\5 folder) you found those files in FROM SAFE MODE. Then delete the whole folder since its not a Windows folder - and email us the zip submit@diamondcs.com.au

I'd stress that you should go to the INF folder and check what folders exist under it - since there could be something like \INF\6 as well with a backup copy of the bot. There are often LEGIT folders in \INF such as "other" so be careful..

 

I ran TDS it doesnt pick it up and sorry unfortunately the files are gone and they cannot be zipped, moved, rename, while in windows. You need to boot from an disk or cd and then the files attrib are UYMA ( wich makes no sens )

and even there the files can't be moved but they can be delete.

Sorry ( I have someone else with the same issue I'll ask him to zip the folder )

So I'll be sure to collect a sample for you PM me and I'll give you my email

 

Hey Gavin,


I found 3 more files ( I've safeguarded them )

cmcfg.exe
cmcfg.ini
cmcfg.dll
msconfig.exe ( found in c:\windows\system32\ +h attrib )
services.exe ( found in c:\windows\ +h attrib )

The INI file contains interesting information

Hid>den Tab<le]

cmcfg.exe

cmcfg.ini

cmcfg.sys

rcmd.exe

servu.exe

servudaemon.ini

msconfig.exe

services.exe

usbhost.exe

rundl32.exe

shell32.exe

5

nmc

bnc*

winbnc32.exe

[Ro<ot Proce>sses]

cmcfg.exe

rcmd.exe

servu.exe

msconfig.exe

services.exe

usbhost.exe

rundl32.exe

shell32.exe

winbnc32.exe

[Hid<den Servic>es]

cmCfg

Serv-U

usbhost

wincfg

instmgr

winimgs

windvc

winbnc

HDWCONF



[Hid<den Reg>Keys]

cmCfg

LEGACY_CMCFG

cmcfig

LEGACY_CMCFIG

Serv-U

LEGACY_SERV-U



[Hidden RegValues]



[Startup Run]

[Free Space]

C:5000000000

[Hidden Ports]

TCP:24000,34000,2121,2122,26000,31000,55555,55556,32000,7777,7778,7779,7780,7781,7782

UDP:24000,34000,2121,2122,26000,31000,55555,55556,32000,7777,7778,7779,7780,7781,7782

[Settings]

Password=letmeinnow

BackdoorShell=cmcfgß$.exe

FileMappingName=_.-=[CMCFG]=-._

ServiceName=cmCfg

ServiceDisplayName=Windows Config Driver

ServiceDescription=Manages Drivers and Adaptors

DriverName=cmcfig

DriverFileName=cmcfg.sys



[Comments]

 

System IS NOW PURGED and CLEANED

registry keys values have been eliminated