runtime.exe

Discussion in 'Trojan Defence Suite' started by sci, Apr 28, 2004.

Thread Status:
Not open for further replies.
  1. sci

    sci Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    10
    Hi!
    I hope I'm in the right thread since I'm also using TDS. I have recently scanned ports and found runtime.exe on port 4666 reported as "serv-u ftp server" (I mean, woot) and after that I removed and killed the file and rebooted the system. When I logged in, Win2000 started crying about some file being deleted and that I must reinstall Service Pack 4. And so I reinstalled SP4 and there it was again: runtime.exe on port 4666 reported as a Serv-U FTP server.. any ideas?

    regards!
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi, I think you have a problem.

    Possibly: Backdoor.ServU-based. Might be an idea to check to see whether you have the processes running and if the files are there, as shown below.

    Not sure if TDS3 with the latest updates removes it all as there are many variants. Please run a full scan with all options in Configuration enabled. Right click any findings and delete.

    Try this to remove Serv-U FTP Server from your machine manually if TDS does not.
    Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

    Stop Running Processes:
    Kill these running processes with Task Manager:

    servudaemon.exe
    windll16.exe

    Unregister DLLs:
    Unregister these DLLs with Regsvr32, then reboot:

    servuperfcount.dll

    Remove Files:
    Remove these files (if present) with Windows Explorer:

    my.asm
    serv-u.hlp
    servudaemon.exe
    servudaemon.ini
    servuperfcount.dll
    servustartuplog.txt
    windll16.exe

    HTH Pilli
     
  3. sci

    sci Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    10
    Hi and thanks for the fast answer.
    I have put the whole 100% scan through my computer but nothing has been found. I have manually searched for servuperfcount.dll and the other files but nothing has been found, so now I don't know whether I should or should not. I have checked many search engines and found this: "The Trojan attempts to terminate and disable various anti-virus and security related programs and modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites". This is the problem that I probably had a few months ago and then I formatted. I will paste my HijackThis log to see if I'm missing something:

    Logfile of HijackThis v1.97.7
    Scan saved at 21:27:34, on 28.4.2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINNT\System32\smss.exe
    D:\WINNT\system32\winlogon.exe
    D:\WINNT\system32\services.exe
    D:\WINNT\system32\lsass.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\System32\svchost.exe
    D:\WINNT\system32\spoolsv.exe
    D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    D:\Program Files\Eset\nod32krn.exe
    D:\WINNT\System32\nvsvc32.exe
    D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    D:\WINNT\system32\regsvc.exe
    D:\WINNT\system32\runtime.exe
    D:\WINNT\System32\WBEM\WinMgmt.exe
    D:\Program Files\WinRoute Pro\winroute.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\Explorer.EXE
    D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    D:\Program Files\Eset\nod32kui.exe
    D:\PROGRA~1\PESTPA~1\PPControl.exe
    D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    D:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    D:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    D:\WINNT\system32\internat.exe
    D:\WINNT\system32\RUNDLL32.EXE
    D:\Program Files\WinRoute Pro\wrctrl.exe
    D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    D:\Program Files\WinZip\WZQKPICK.EXE
    D:\WINNT\system32\wuauclt.exe
    D:\Program Files\BPFTP Server\G6FTPSrv.exe
    D:\Program Files\defencez\tds-3.exe
    D:\WINNT\msagent\AgentSvr.exe
    D:\Documents and Settings\macura\Desktop\tools\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [nod32kui] D:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKLM\..\Run: [PestPatrol Control Center] D:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [ServiceLayer] D:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
    O4 - HKLM\..\Run: [Nokia Tray Application] D:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
    O4 - HKLM\..\Run: [TDS3] D:\Program Files\defencez\TDS-3.exe
    O4 - HKCU\..\Run: [internat.exe] internat.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [WrCtrl] "D:\Program Files\WinRoute Pro\wrctrl.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = D:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
    O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = D:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38082.5403703704
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{25290725-CD34-43E8-AFED-831099ED3163}: NameServer = 213.143.65.11,213.143.65.12
    O17 - HKLM\System\CS1\Services\Tcpip\..\{25290725-CD34-43E8-AFED-831099ED3163}: NameServer = 213.143.65.11,213.143.65.12
    O17 - HKLM\System\CS2\Services\Tcpip\..\{25290725-CD34-43E8-AFED-831099ED3163}: NameServer = 213.143.65.11,213.143.65.12
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    OK, I'll get an HJT expert to take a look :)
     
  5. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I can't see anything obvious.

    The problem with runtime.exe is that files of that name are used by many legitimate programs as well as several viruses/trojans.

    Can you right click the runtime.exe file and see what it says in Properties?

    As Windows screamed last time you deleted it I assume it's an M$ file, but to be sure,
    copy it, zip it up and send it to support@diamondcs.com.au with a short note referring to this thread.
     
  6. sci

    sci Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    10
    OK, this is where things become very very interesting.
    See the following screenshot => http://users.volja.net/drugklas/runtime.jpg ; defencez was a custom choice of directory for security purposes. Both files from both directories were sent to your email. runtime.zip is the file from system32 and runtime2.zip is from the other one.

    regards
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Interesting indeed.
    The one in the TDS3\xdynamic\TDS.unpk folder is where TDS3 unpacks them for checking.
     
  8. sci

    sci Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    10
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hmm, I do not have that file in my XP pro or Server 2003 system32 folder.

    Can you right click it and show us its properties please?
     
  10. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Rather than waiting for Gavin to reply tomorrow with what he finds in the file, please send a copy of the runtime.exe to me as well (submit@thespykiller.co.uk) and I'll have a look inside it and see what I can find out about it tonight.
     
  11. sci

    sci Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    10
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Looks like you have a nasty there but let's see what dvk01 & or Gavin have to say.
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I have had a look inside it with a disassembler and it's definitely a baddie.

    Several strings saying you have been hacked by god & various XXXX words.

    Why Windows screams when it's removed I don't know, but it's a Serv-U baddie.

    Where did you get your Service Pack 4 from? Because if it's on a CD, as you deleted runtime.exe and it was reinstalled with SP4, it's starting to look like the SP itself is a hacked copy, and I wouldn't like to say what else is on that SP that shouldn't be.

    Due to the time zone problems you won't get a reply from Gavin for a few hours yet. It's about 5.30 am in Australia where he is.

    Check the SP4 you have and let us know where that came from.
     
  14. sci

    sci Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    10
    SP came from www.microsoft.com :)
    OK, I'll wait until the final opinion tomorrow, no problem, and thanks for the help (the file is blocked with the FW for incoming and outgoing so it isn't doing any harm atm).
     
  15. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Well, runtime.exe is definitely not a legitimate Windows file, and why you can't delete it I don't know.

    Best advice I can give is wait till the morning and Gavin's reply and see what he says. He is the EXPERT at these.
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yep, definitely a SERVU server.. question is HOW did it get there. Obviously not from the SP install.. Do you have STRONG passwords on all user accounts? Check if any new accounts or shares have been put in place too.

    You have a ZIP somewhere on your machine which has runtime.exe if it showed up in the UNPK folder.. the next database will detect this ServU server so you can remove the zip too. Something must be restoring the file. You may have an XDCC bot; TDS should reveal an IROFFER trojan if it's one of the hack kits, which I would presume it would be. Please submit an ASViewer log since it could be using an exotic startup that HJT doesn't show:

    http://www.diamondcs.com.au/index.php?page=asviewer

    You will need to enable viewing of all autostarts, the quick way is to just press F2 F3 F4 once each then choose SAVE :)
     
  17. sci

    sci Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    10
    OK, it has been sent. From the log a lot can be seen, even the trojans I had removed a month ago. OK, I have updated the TDS protection with the latest database and started a 100% scan; I believe it's not going to find any XDCC or other process because, like I said, runtime.exe was blocked by the FW from the beginning when I saw it.
    OK, update.. it has found runtime.exe and described it as a ServU trojan (yeah, cool).

    regards
     
    Last edited: Apr 29, 2004
  18. sci

    sci Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    10
    Good news, everyone who helped and others who might have the same problem in the future! I have deleted runtime.exe as a filename and, with the help of that startup tool, rebooted the system, and Windows isn't crying for that file anymore. I believe that it was crying because of that registry entry which hadn't been removed the first time I deleted the file, and I had to reinstall the service pack. About the service pack, it still remains a mystery; I have extracted all the files and couldn't find runtime.exe. So thanks again, administrators, for all the support and help.

    regards
     
  19. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi,

    Glad to see, I pointed out a service entry for that nasty when I emailed you..

    I saw a LOT of entries, am awaiting your email back :) If those EXE's are gone, just remove the startups. I was wondering how you could have so many ! It makes sense if they are just leftover startups and the file is gone :)
     
  20. sci

    sci Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    10
    Yep, that's the whole point: the startup was "ready" for these files if they appear any day, since I removed them quite a long time ago.
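The thread's closing point, stale autostart entries that keep pointing at a file after it has been removed, can be checked mechanically. The following script is an added example, not code from this thread or from TDS/HijackThis: it parses constructed HijackThis-style O4 lines modelled on the log above, flags targets that no longer exist on disk and targets whose file name appears in Pilli's removal list, and uses an inline set of "present" paths instead of the real file system so it runs anywhere.

```python
import os
import re
# Names this thread ties to the Serv-U backdoor (Pilli's list plus runtime.exe).
WATCHLIST = {"runtime.exe", "servudaemon.exe", "windll16.exe", "servuperfcount.dll"}
# "O4 - HKLM\..\Run: [Name] <cmd>"  or  "O4 - Global Startup: x.lnk = <path>"
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[[^\]]*\] |[^=]+= )(?P<cmd>.+)$")

def target_path(cmd):
    """Autostart target from a Run command: quoted path, rundll32 DLL, or path + args."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split()
    if tokens[0].lower() == "rundll32.exe" and len(tokens) > 1:
        return tokens[1].split(",")[0]  # the DLL is the real target, not rundll32
    for i in range(len(tokens)):  # rejoin a path containing spaces up to .exe/.dll
        candidate = " ".join(tokens[: i + 1])
        if candidate.lower().endswith((".exe", ".dll")):
            return candidate
    return tokens[0]  # bare name, resolved via PATH

def triage(log_lines, present_paths):
    """WATCHLIST: known-bad name; MISSING: target gone (leftover startup); ok otherwise.
    present_paths: lowercase full paths standing in for os.path.exists()."""
    findings = []
    for line in log_lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = target_path(m.group("cmd"))
        name = os.path.basename(path.replace("\\", "/")).lower()
        if name in WATCHLIST:
            status = "WATCHLIST"
        elif "\\" in path and path.lower() not in present_paths:
            status = "MISSING"
        else:
            status = "ok"  # present, or a bare name we cannot resolve offline
        findings.append((status, m.group("loc"), path))
    return findings

# Constructed sample lines modelled on the thread's log; the last two are made up.
SAMPLE_LOG = [
    "O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE D:\\WINNT\\System32\\NvCpl.dll,NvStartup",
    'O4 - HKCU\\..\\Run: [WrCtrl] "D:\\Program Files\\WinRoute Pro\\wrctrl.exe"',
    "O4 - Global Startup: WinZip Quick Pick.lnk = D:\\Program Files\\WinZip\\WZQKPICK.EXE",
    "O4 - HKLM\\..\\Run: [svc] D:\\WINNT\\system32\\runtime.exe",  # constructed
    "O4 - HKLM\\..\\Run: [Stale] D:\\Program Files\\Gone\\old.exe",  # constructed leftover
]
PRESENT = {p.lower() for p in ("D:\\WINNT\\System32\\NvCpl.dll", "D:\\Program Files\\WinRoute Pro\\wrctrl.exe",
                               "D:\\Program Files\\WinZip\\WZQKPICK.EXE", "D:\\WINNT\\system32\\runtime.exe")}
```

On a real machine, replace PRESENT with a check such as `os.path.exists(path)` and feed the O4 lines of an actual log; the MISSING entries are the leftover startups Gavin describes, and the WATCHLIST ones are the entries to remove after the file itself is gone.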
     