HELP: Computer hacked... possibly to act as a xdcc bot

Let me first preface this with saying that i do understand alot about computers, and i'm the type of person in the family that people go to when they have computer problems. I've had extensive experience with spyware removal/trojen removal/ect. for a long time and I've always been good with computers.

That said... onto the problem.

I've been suspecting something has been wrong with my computer (specifically my laptop i've used at college) for quite some time. Everytime i've shutdown for the last couple of months i would have this program called sample which must be closed through clicking "end task" everytime i shut down. It never came up in a file search, and never was shown in task manager. So i always assumed it was part of a program i was running or something along those lines. I'm not even sure (at this time at least) if this file is related to the current situation that i have.

Well as it turns out i've apperently been hacked... not sure how recently this has occured but i realized it when NOD32 came up and mentioned that in C:\WINDOWS\system32\mui\721w\cache there was a file called lsass.exe (still not sure if its spelled with an l or an i but my guess is a capital I to make it seem like a system process in task manager). NOD 32 said it was quarantined and was to be deleted on the next restart. I did that and all seemed well. To make sure it was deleted i went to the directory it had listed as where it was found. However as it turns out when i browsed to that folder (in C:\WINDOWS\system32\mui\721w\) the folder cache didn't show up even though show hidden folders was turned on. So i manually typed in \cache hit enter and next thing i know i'm face to face with what looks like a bunch of files and a folder, one file looked like it had the Serv-U icon on it and it was listed as FTP Serv-U Daemon.

Heres a list of the files in the directory:

Directory of C:\WINDOWS\system32\mui\721w\cache

01/22/2005 02:25 PM 6,656 cygcrypt-0.dll
01/22/2005 02:25 PM 1,140,617 cygwin1.dll
10/27/2004 11:20 PM 213 d0
05/12/2005 03:01 PM 0 directory.txt
05/12/2005 03:01 PM 248 directorylist.txt
11/05/2004 09:25 AM 847,872 libeay32.dll
05/12/2005 02:24 PM 2,443 lsass.ocx
01/30/2005 12:06 AM 902 s0
05/12/2005 02:35 PM 1,416 ServUDaemon.ini
05/12/2005 02:35 PM 614 ServUStartUpLog.txt
07/08/2004 09:53 AM 1,043,968 spoolsv.exe
09/16/2000 01:30 PM 63,488 srunner.exe
05/12/2005 02:31 PM 3,559 system.lg
05/12/2005 02:33 PM 268 system.state
05/12/2005 02:30 PM 268 system.state~
05/12/2005 02:33 PM 214 system.xdcc
05/12/2005 02:30 PM 207 system.xdcc~
05/12/2005 02:24 PM <DIR> ul
dir ul has no files in it.

What surprises me is the creation date.. today... and very recently as well.

I highlighted and had nod 32 scan all the files at which point it detected now that:
C:\WINDOWS\system32\mui\721w\cache\spoolsv.exe - Win32/ServU-Daemon Application

and that it was in memory and nothing could be done to delete it.

What makes me believe that this infiltration might've been done before today is that i've been having some probably with what i think was spoolsv.exe taking up alot of memory a couple weeks back .
EDIT: i was wrong.. the file i was thinking of is svchost.exe and i noticed one of the many instances running was around 21mb... end tasking it works however as soon as i do i loose my windows xp theme and xp starts to look alot like win 2k. Not sure if this helps at all.

What it looks like (judgeing by whats in the serudaemon.ini file) is that i was hacked mostly due to the fact that i was on a .edu connection at the time (home from college now) and just looking over the .ini files in the directory that i was hacked to be a xdcc bot on an irc network... and also that the ftp program now allowed whoever has the login and password to the ftp to upload whatever they want to it.

Contents of ServUDaemon.ini:
[GLOBAL]
Version=5.1.0.0
ProcessID=1228

[DOMAINS]
Domain1=0.0.0.0||2004|r00t3d|1|0|0

[Domain1]
User1=nutz87|1|0
User2=upload|1|0
User3=leech|1|0
SignOn=c:\WINDOWS\system32\mui\721w\cache\s0
DirChangeMesFile=c:\WINDOWS\system32\mui\721w\cache\d0
DirChangeMesFile2=c:\WINDOWS\system32\mui\721w\cache\d0
SocketRcvBuffer=65534
SocketSndBuffer=65534


Password=uy52A999AA9936D3737AEC77C76900B43E
HomeDir=c:\
TimeOut=600
Maintenance=System
Access1=C:\|RWAMELCDP
Access2=D:\|RWAMELCDP
Access3=E:\|RWAMELCDP
Access4=F:\|RWAMELCDP
Access5=G:\|RWAMELCDP
Access6=H:\|RWAMELCDP
Access7=I:\|RWAMELCDP
Access8=J:\|RWAMELCDP
Access9=K:\|RWAMELCDP
Access10=L:\|RWAMELCDP
Access11=M:\|RWAMELCDP
Access12=N:\|RWAMELCDP
Access13=O:\|RWAMELCDP
Access14=P:\|RWAMELCDP
Access15=Q:\|RWAMELCDP
Access16=R:\|RWAMELCDP
Access17=S:\|RWAMELCDP
Access18=T:\|RWAMELCDP
Access19=U:\|RWAMELCDP
Access20=V:\|RWAMELCDP
Access21=W:\|RWAMELCDP
Access23=X:\|RWAMELCDP
Access24=Y:\|RWAMELCDP
Access25=Z:\|RWAMELCDP


Password=gd79FBB6854962875DA4562E35BD604856
HomeDir=c:\WINDOWS\system32\mui\721w\cache\ul
RelPaths=1
TimeOut=180
Access1=c:\WINDOWS\system32\mui\721w\cache\ul|WALCP


Password=zpB7067C16FF9AEFE4FA70A7F5C72C2254
HomeDir=c:\WINDOWS\system32\mui\721w\cache\ul
RelPaths=1
TimeOut=180
Access1=c:\WINDOWS\system32\mui\721w\cache\ul|RALP


Also other files i found that have intresting contents:
d0 (no extention):
====================================
Current Bandwidth............: %Serverkbps KB/s
Average Bandwidth............: %ServerAvg KB/s
Free Disk Space..............: %DFree KB
====================================

Apperently a script that tells you when you login to the ftp whoever hacked my system setup that tells you info one might use to determine how much they can upload on my computer.

Also, s0 (no extention) has some similar info on it, with more info on my ip ect all in script form.

Most intresting though is system.xdcc which has some damning evidence that shows who did this:

** 0 packs ** 2 of 2 slots open, Min: 10.0KB/s
** Bandwidth Usage ** Current: 0.0KB/s,
** To request a file, type "/msg [REMOVED SO I CAN FIGURE OUT WHAT IRC CHANNEL DID THIS] xdcc send #x" **
Total Offered: 0.0 MB Total Transferred: 0.00 MB


Anyway long story short I know what it is but i have no idea how to get rid of all of this and how (if i can) log some even more incriminateing evidence so i can inform authorities about it and hopefully something is done (doubtful).

My guess on removal is something along on the lines of how one would remove VX2 but i want some other opinions on it first.

I also want to make sure this isn't the only access they have to my system, and any advice on how to figure that out would be very helpful.

Currently the only protection i have is through nod32 which is my primary scanner and runs all the time, and norton corporate edition (i think) as my backup scanner(was provided by my university).

Thanks a ton for reading all that (if you got through it all) and any advice and help that you might have for me.

-matt

 

Hmm, I am not sure which infection this is, maybe the experts can but I will recommend that you follow the cleaning instructions here: https://www.wilderssecurity.com/showthread.php?t=50662

Please note that we do not do HiJackThis analysis but links to sites that do are in the cleaning thread.

Thanks & good luck. Pilli

 

thanks.. don't think i need to do a hijack this scan though... its definately not malware.

it seems to be a custom type of hack that is pretty common on irc networks so they can setup bots to put files on and then send those files out to other people... i actually do remember it happening to my friend once but thats because he was running an ftp server (g3 i think it was but since its been renamed to bulletproof ftp server) and it had some well known security hole that was often exploited. he reformated to fix his problem.... i'm hopeing to avoid that.

 

hi
marcuri, i've cleaned this kind of infection many times. it is malware, most antiviruses detect the files. this hack consists of several files. usually thers an app to kill security software, an app to hide files/windows, a backdoor server ( usually iroffer, sometimes radmin ) and the ftp server. often those are started as services via srvany.exe or firedaemon.exe. very often theres an sd/r/spy/my/poe/for/ago-bot worm too

try tds-3 follow these instructions:


Download the trial version of TDS-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
Install it, but do not launch it yet

Update it: right click the link below, select "save as"
http://www.diamondcs.com.au/tds/radius.td3

Save it to the directory where you installed TDS-3, overwriting the previous radius.td3 if prompted.

Then launch tds-3. In the top bar of TDS window click System Testing> Full System Scan.
Detections will appear in the lower pane of TDS window. right click the list> select delete! Delete everything labelled positive identification

i'd like to see your hijackthis log if its ok with Pilli ?

 

alright cool.. after looking over it all it seems more and more like a script kiddy over someone hacking me for possible personal info like i first thought (guess i was fearing the worst). i have seen this before but i think the virus scanner fixed it or i just reformated and i didn't have to deal with it.

i'll run a hijack this scan and get back to you on the results via a PM so that way it won't be an issue.... i doubt much will come up though because i run spy bot fairly frequently and have giant anti-spyware (the micrsoft anti-spyware beta) running all the time... plus i use firefox.

either way i appreciate your help

-matt

 

When the Announcement was written concerning Wilders no longer allowing unsolicited HJT logs from being posted....a note was added that allows You to request an HJT log

You....fit that description without a doubt

marcuri can post the HJT log in this thread....or PM you as was mentioned....ya'lls choice

 

my problem right now is not removing it (well not my main problem).. but its more finding out how i got it installed on my computer in the first place. i have this feeling its another deep underlying infection that i haven't found yet cause i couldn't imagine how i could've possible have gotten infected without the person having access to my system to begin with (yea and i ruled out anyone going on my computer in my dorm and installing it... thats very unlikely).

i could be wrong though.. we'll see as soon as i update to the latest version of nod32 (the beta) and do a full system scan with everything checked.

i'm going to include the hijack this log even though i already pmed it to illukka just so if anyone else wants to help out they can take a look. plus it might help someone doing a google search on file names (to remove a similar virus) to have some of the processes listed

Logfile of HijackThis v1.99.1
Scan saved at 7:06:25 PM, on 5/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
c:\windows\system32\srunner.exe
C:\WINDOWS\system32\mui\721w\cache\srunner.exe
C:\WINDOWS\System32\inetsvc.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\system32\mui\721w\cache\srunner.exe
C:\WINDOWS\System32\mui\721w\cache\spoolsv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Matt1\Desktop\ndntenst.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUMENTS AND SETTINGS\MATT1\DESKTOP\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
O4 - Startup: BJ Status Monitor Canon PIXMA iP1500.lnk = C:\Documents and Settings\Matt1\cnmss Canon PIXMA iP1500 (Local).exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Link Target in Firefox - file://C:\Documents and Settings\Matt1\Application Data\Mozilla\Firefox\Profiles\default.ci0\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewlink.html
O8 - Extra context menu item: View This Page in Firefox - file://C:\Documents and Settings\Matt1\Application Data\Mozilla\Firefox\Profiles\default.ci0\extensions\{5D558C43-550F-4b12-84AB-0D8ABDA9F975}\firefoxviewpage.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Inet Service (inetsvc) - Unknown owner - c:\windows\system32\srunner.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Local Security Authority Service (lsass) - Unknown owner - C:\WINDOWS\system32\mui\721w\cache\srunner.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Microsoft Printer Spooler Service (ssv) - Unknown owner - C:\WINDOWS\system32\mui\721w\cache\srunner.exe

 

it found some file that seems related to the infection but wasn't positively identified (in bold) so lettme know what you think so i can figure out weither or not to delete it:


Trojan Client\EditServer found: Netcat.a (Utility)
File: c:\windows\system32\inetsvc.exe

EDIT: This file turned out to be spyware which i think was unrelated to the infection.

Heres a full list of what TDS found, those marked "positive identification" were removed:

Scan Control Dumped @ 19:41:44 12-05-05
Positive identification: Riskware.Tool.SRunner
File: c:\windows\system32\srunner.exe

Positive identification: Riskware.Tool.SRunner
File: c:\windows\system32\mui\721w\cache\srunner.exe

Trojan Client\EditServer found: Netcat.a (Utility)
File: c:\windows\system32\inetsvc.exe

Positive identification: Riskware.Tool.SRunner
File: c:\windows\system32\mui\721w\cache\srunner.exe

Positive identification: Riskware.Tool.SRunner
File: c:\windows\system32\srunner.exe

Positive identification: Riskware.Tool.SRunner
File: c:\windows\system32\mui\721w\cache\srunner.exe

Positive identification: Riskware.Tool.SRunner
File: c:\windows\system32\mui\721w\cache\srunner.exe

Positive identification: Hidden32 Trojan Tool
File: c:\windows\system32\h.exe

Trojan Client\EditServer found: Netcat.a (Utility)
File: c:\windows\system32\inetsvc.exe

Positive identification: Riskware.Tool.SRunner
File: c:\windows\system32\srunner.exe

Positive identification: Riskware.Tool.SRunner
File: c:\windows\system32\mui\721w\cache\srunner.exe

 

figured it all out (ie how to clean it all) and also found out how i had all that stuff installed in the first place. i guess i've gotten too reliant on virus scanners to pick up everything and i didn't even look at the extention of the file.... turned out to be a .exe instead of what it was suppose to be.

what i found surprising though is that the old version of nod32 (not beta) only picked up 1 file... and that was after it was extracted and already running in my memory. in the compressed file there were about 3 other files that weren't even detected(they were however by TDS-3). submitted some files to nod32 cause the beta version wanted me to... hopefully it'll pick them up alot better now once they add them to the definitions and maybe some good will come out of all this.

thanks for your help.

-matt

 

Hey matt,

Would you mind sharing with us more of what you found Please. We do not take lightly the posting of HJT logs when one has been requested by a specially titled forum expert....if for no other reason than it allows us to find items that may be new in regards to badware.

Regards,
Bubba

 

i'll copy here the fix instructions:

open a command prompt( click start> run >type in cmd and hit enter)
into the command prompt window type sc stop ssv
and hit enter

then type sc delete ssv
and hit enter

reboot

i want you to go to this forum:
http://www.thespykiller.co.uk/forum/index.php?board=1.0
no need to register.
start a new topic called for illukka from wilders
upload these files (attach):
C:\WINDOWS\System32\mui\721w\cache\spoolsv.exe
C:\WINDOWS\system32\mui\721w\cache\srunner.exe

then you can delete the files

reboot and post a new log

 

files were posted so you could look over them

what i ended up doing after i deleted all files that were positively identified by TDS-3 was deleteing the entire directory C:\WINDOWS\System32\mui\721w\ through a cmd prompt, as follows:

start > run > type: cmd > hit enter

type cd C:\WINDOWS\System32\mui\ (or folder containing infected files here)

type del 721w

before you do that make sure there aren't any other files that might be important(more than likely there won't be)... i choose a directory up from the \cache\ folder just to make sure that any files hidden within the cache folder would be removed.

and that seemed to get rid of most everything else left over...

[if you have a similar infection don't follow these insuctions, instead see 3 paragraphs down in red]
There were some left over services entries for the files once i deleted them, i simply followed the instuctions found here:
http://www.tech-recipes.com/windows_installation_tips504.html

looked for the names of the services in device manager, made sure they weren't legit services (unknown authors seem to give this away), and deleted them. specifically in my case they were:

O23 - Service: Microsoft Printer Spooler Service (ssv) - Unknown owner - C:\WINDOWS\system32\mui\721w\cache\srunner.exe
O23 - Service: Inet Service (inetsvc) - Unknown owner - c:\windows\system32\srunner.exe
O23 - Service: Local Security Authority Service (lsass) - Unknown owner - C:\WINDOWS\system32\mui\721w\cache\srunner.exe

If you have a similar infection follow a different method, such as illukka's method posted above. but just needs to repeated 2 more times with lsass and inetsvc everywhere it says "ssv" (or substitute the names of the services involved in your perticular infection), for example:
open a command promptclick start> run >type in cmd and hit enter)
into the command prompt window type sc stop lsass
and hit enter

then type sc delete lsass
then repeat with inetsvc in place of lsass...

my method is ok (i think) but i had already deleted and stopped the services through TDS's trojen scanner.

AGAIN: If anyone else has this infection follow illukka's method.

I'll post the clean hijack this log as soon as i run a rootkit scanner to make sure i don't have any "residual" files left over... the computer seems like its clean though.

 

It looks like its not a trojan but a badly behaved Intel wireless app:

http://www.helpforums.co.uk/forum/viewtopic.php?t=20423

Drove me mad too.

 

Just to clarify, the "Ending Program - SAMPLE" hang that occurs on Laptops, primarilly Dells with Intel wireless etc, and usually occurs twice when shutting down, is the behaviour of a badly coded ProSet program.

To stop it happening I did:

1. If that still does not solve the problem and you have Windows XP/2003, try setting the “Wireless Zero Configuration” service to Disabled.

and

2. If that still does not solve the problem, then try renaming the C:WindowsSystem32ZCfgSvc.exe file to ZCfgSvc.exe.old as ZCFGSVC is seemingly not necessary for the part of the ProSET utilities which enable you to connect to your wireless network.

 

thanks for the advice on how to get rid of it.

i did have a trojen though, but that sample program made me believe i had it for longer than i really did.... damn that thing is a POS program.