backdoor irc floodh?

Discussion in 'malware problems & news' started by mot, Feb 19, 2004.

Thread Status:
Not open for further replies.
  1. mot

    mot Guest

    Hoping someone can help me out here.

    I recently used TDS-3 and it found rat.mircbased
    c:\winnt\system32\dllcache\lmxstart.exe

    and also " " \msngr.exe

    The above is found only when scanning a power user profile.

When I scan in administrator, it does not detect anything. I have tried deleting, changing read-only attributes, cut and paste, and renaming the "dllcache" folder. I can't touch it. Can't find it in Task Manager\Processes either.

A search for this file under the administrator account does not find "dllcache".

Below is the HijackThis log, as run under administrator. I will post another after this from the power user profile.

    Logfile of HijackThis v1.97.7
    Scan saved at 2:13:00 PM, on 2/19/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\system32\SxgTkBar.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37881.4881018519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. MOT

    MOT Guest

Forgot to mention I used Spybot Search & Destroy and AVG anti-virus, as well as several Sobig removal tools, today.

Below is the log from the "poweruser" account. When I run HijackThis, it states "can't gain access to hosts file".

    Logfile of HijackThis v1.97.7
    Scan saved at 2:19:40 PM, on 2/19/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINNT\system32\SxgTkBar.exe
    C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINNT\system32\internat.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\GoZilla\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SxgTkBar] SxgTkBar.exe
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKCU\..\Run: [Internat.exe] internat.exe
    O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37881.4881018519
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi mot,

There is nothing I can find wrong in your logs, so I moved your thread to this forum, where it will get more attention from the specialists.

    Regards,

    Pieter
     
  4. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
To enable dllcache to be viewed, as it is a hidden protected system file:
Open Windows Explorer and go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files". Now click "Apply to all folders".
Click "Apply", then "OK".
     
  6. mot

    mot Guest

Thank you for the help.

All very good advice, but I had already found and tried all the tips. I will re-read the tips and double-check tomorrow to make sure I didn't overlook something or make a mistake.

    I am hoping I missed a step somewhere and can clean it up.
     
  7. MOT

    MOT Guest

Thank you for all the help.

It appears this is a false positive in TDS-3 when run under limited-privilege accounts like user or power user.
I am waiting for confirmation on this from DCS.

This morning I looked for all associated files in various locations and cannot find any evidence of this backdoor bug.
     
  8. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi MOT

    Great detective work ! Keep us informed :)
     
  9. MOT

    MOT Guest

Thanks,

but it was re-inventing the wheel: running TDS-3 as user or power user on Win2000 creates a false alarm; it must be run under admin or "Run as" admin.

It appears this error has been known for some time; I just couldn't find it posted in public, and/or I wasn't using the right search parameters.

It just annoys me to have wasted many hours and stress to find out it was known about last Oct. 2003 or before.

Thank you to everyone.
     
  10. JMK

    JMK Guest

I had the I-Worm.MTX identified by the virus scan, which kept reloading until I unchecked Point32.exe in the msconfig startup list. It kept creating directories and files that I could not delete. Now the virus scan is clean. John :D
     