Hi! I hope I'm in the right thread since I'm also using TDS. I have recently scanned ports and found runtime.exe on port 4666 identified as "Serv-U FTP server" (I mean, woot), and after that I removed and killed the file and rebooted the system. When I logged in, Windows 2000 started crying about some file being deleted and that I must reinstall Service Pack 4. And so I reinstalled SP4 and there it was again: runtime.exe on port 4666 identified as a Serv-U FTP server.. any ideas? Regards!
Hi, I think you have a problem. Possibly: Backdoor.ServU-based. It might be an idea to check whether you have the processes running and if the files are there as shown below. Not sure if TDS3 with the latest updates removes it all, as there are many variants. Please run a full scan with all options in Configuration enabled. Right-click any findings and delete. Try this to remove Serv-U FTP Server from your machine manually if TDS does not. Begin by backing up your registry and your system, and/or setting a Restore Point, to prevent trouble if you make a mistake.

Stop Running Processes: Kill these running processes with Task Manager: servudaemon.exe, windll16.exe

Unregister DLLs: Unregister these DLLs with Regsvr32, then reboot: servuperfcount.dll

Remove Files: Remove these files (if present) with Windows Explorer: my.asm, serv-u.hlp, servudaemon.exe, servudaemon.ini, servuperfcount.dll, servustartuplog.txt, windll16.exe

HTH, Pilli
Hi, and thanks for the fast answer. I have put the whole 100% scan through my computer but nothing has been found. I have manually searched for servuperfcount.dll and the other files but nothing has been found, so now I don't know whether I should or should not. I have checked many search engines and found this: "The Trojan attempts to terminate and disable various anti-virus and security related programs and modifies the HOSTS file located at %WINDOWS%\System32\Drivers\etc\HOSTS, mapping selected anti-virus websites". This is the problem that I had probably a few months ago and then I formatted. I will paste my HijackThis log to see if I'm missing something:

Logfile of HijackThis v1.97.7
Scan saved at 21:27:34, on 28.4.2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
D:\Program Files\Eset\nod32krn.exe
D:\WINNT\System32\nvsvc32.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\runtime.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\Program Files\WinRoute Pro\winroute.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
D:\Program Files\Eset\nod32kui.exe
D:\PROGRA~1\PESTPA~1\PPControl.exe
D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
D:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
D:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
D:\WINNT\system32\internat.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\WinRoute Pro\wrctrl.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\WinZip\WZQKPICK.EXE
D:\WINNT\system32\wuauclt.exe
D:\Program Files\BPFTP Server\G6FTPSrv.exe
D:\Program Files\defencez\tds-3.exe
D:\WINNT\msagent\AgentSvr.exe
D:\Documents and Settings\macura\Desktop\tools\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] D:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKLM\..\Run: [PestPatrol Control Center] D:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] D:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] D:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ServiceLayer] D:\Program Files\Common Files\Nokia\Services\ServiceLayer.exe
O4 - HKLM\..\Run: [Nokia Tray Application] D:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [TDS3] D:\Program Files\defencez\TDS-3.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [WrCtrl] "D:\Program Files\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PCSuiteForNokia3650 Detect.lnk = D:\Program Files\Nokia\PC Suite for Nokia 3650\connmngmntbox.exe
O4 - Global Startup: PCSuiteForNokia3650 TS.lnk = D:\Program Files\Nokia\PC Suite for Nokia 3650\ectaskscheduler.exe
O4 - Global Startup: WinZip Quick Pick.lnk = D:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38082.5403703704
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{25290725-CD34-43E8-AFED-831099ED3163}: NameServer = 213.143.65.11,213.143.65.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{25290725-CD34-43E8-AFED-831099ED3163}: NameServer = 213.143.65.11,213.143.65.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{25290725-CD34-43E8-AFED-831099ED3163}: NameServer = 213.143.65.11,213.143.65.12
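To show how a defender would triage a log like the one above, here is an added example (my code, not from this thread, DiamondCS or HijackThis) that parses the "Running processes" list and the O4 autostart lines of a HijackThis log and flags entries whose file name matches the Serv-U components Pilli listed plus runtime.exe; the indicator set and the sample log lines are constructed from this thread.

```python
# Added example, not from the thread: triage a HijackThis log against the Serv-U
# backdoor file names named above. Indicator set and sample log are constructed.
import re

SUSPECT_NAMES = {  # file names this thread associates with the Serv-U backdoor
    "runtime.exe", "servudaemon.exe", "windll16.exe", "servuperfcount.dll",
    "my.asm", "serv-u.hlp", "servudaemon.ini", "servustartuplog.txt",
}

SAMPLE_LOG = """Logfile of HijackThis v1.97.7
Running processes:
D:\\WINNT\\System32\\smss.exe
D:\\WINNT\\system32\\runtime.exe

O4 - HKLM\\..\\Run: [nod32kui] D:\\Program Files\\Eset\\nod32kui.exe /WAITSERVICE
O4 - HKLM\\..\\Run: [Runtime] D:\\WINNT\\system32\\runtime.exe
O4 - HKCU\\..\\Run: [WrCtrl] "D:\\Program Files\\WinRoute Pro\\wrctrl.exe"
"""

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# First executable on a command line; tolerates unquoted paths containing spaces.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat))"?(?:\s|,|$)', re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def exe_from_command(cmd: str) -> str:
    # Executable launched by an O4 command line, arguments dropped.
    m = EXE_RE.match(cmd.strip())
    return basename(m.group("path") if m else cmd)


def triage(log_text: str) -> dict:
    """Suspect entries from the 'Running processes' list and O4 autostarts."""
    hits = {"processes": [], "autostarts": []}
    in_procs = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs and (not line or re.match(r"^O\d+ - ", line)):
            in_procs = False  # list ends at a blank line or the first O-entry
        if in_procs:
            if basename(line) in SUSPECT_NAMES:
                hits["processes"].append(line)
            continue
        m = O4_RE.match(line)
        if m and exe_from_command(m.group("cmd")) in SUSPECT_NAMES:
            hits["autostarts"].append(f"{m.group('key')} [{m.group('name')}] {m.group('cmd')}")
    return hits
```

Run `triage(open("hijackthis.log").read())` on a real log; a name match is a lead to verify (runtime.exe is also used by legitimate programs, as noted below), not a verdict.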
I can't see anything obvious. The problem with runtime.exe is that files of that name are used by many legitimate programs as well as several viruses/trojans. Can you right-click the runtime.exe file and see what it says in Properties? As Windows screamed last time you deleted it, I assume it's an M$ file, but to be sure copy it & zip it up and send it to support@diamondcs.com.au with a short note referring to this thread.
OK, this is where things become very, very interesting. Following screenshot => http://users.volja.net/drugklas/runtime.jpg ; defencez was a custom choice of directory for security purposes. Both files from both directories were sent to your email. runtime.zip is the file from system32 and runtime2.zip is from the other one. Regards
Interesting indeed. The one in the TDS3\xdynamic\TDS.unpk folder is where TDS3 unpacks them for checking.
Another 2 screenshots to prove that Serv-U FTP is running: http://users.volja.net/drugklas/port.jpg http://users.volja.net/drugklas/port2.jpg
Hmm, I do not have that file in my XP Pro or Server 2003 system32 folder. Can you right-click it and show us its properties, please?
Rather than waiting for Gavin to reply tomorrow with what he finds in the file, please send a copy of the runtime.exe to me as well, submit@thespykiller.co.uk, and I'll have a look inside it and see what I can find out about it tonight.
OK, mail has been sent and here are the requested properties: http://users.volja.net/drugklas/properties.jpg As can be seen, the file doesn't have any personal info, which bothers me because all Windows system files have them.
I have had a look inside it with a disassembler and it's definitely a baddie: several strings saying you have been hacked by god & various XXXX words. Why Windows screams when it's removed I don't know, but it's a Serv-U baddie. Where did you get your Service Pack 4 from? Because if it's on a CD, as you deleted runtime.exe and it was reinstalled with SP4, it's starting to look like the SP itself is a hacked copy and I wouldn't like to say what else is on that SP that shouldn't be. Due to the time zone problems you won't get a reply from Gavin for a few hours yet; it's about 5.30 am in Australia where he is. Check the SP4 you have and let us know where that came from.
SP came from www.microsoft.com. OK, I'll wait until the final opinion tomorrow, no problem, and thanks for the help. (The file is blocked with the FW for incoming and outgoing so it isn't doing any harm atm.)
Well, runtime.exe is definitely not a legitimate Windows file, and why you can't delete it I don't know. Best advice I can give is wait till the morning and Gavin's reply and see what he says. He is the EXPERT at these.
Yep, definitely a SERVU server.. question is HOW did it get there. Obviously not from the SP install.. Do you have STRONG passwords on all user accounts? Check if any new accounts or shares have been put in place too. You have a ZIP somewhere on your machine which has runtime.exe if it showed up in the UNPK folder.. the next database will detect this ServU server so you can remove the zip too. Something must be restoring the file. You may have an XDCC bot; TDS should reveal an IROFFER trojan if it's one of the hack kits, which I would presume it would be. Please submit an ASViewer log since it could be using an exotic startup that HJT doesn't show: http://www.diamondcs.com.au/index.php?page=asviewer You will need to enable viewing of all autostarts; the quick way is to just press F2, F3, F4 once each, then choose SAVE.
OK, it has been sent. From the log very, very much can be seen, even the trojans I had removed a month ago. OK, I have updated the TDS protection with the latest database and started a 100% scan; I believe it's not going to find any XDCC or other process because, like I said, runtime.exe was blocked by the FW from the beginning when I saw it. OK, update.. it has found runtime.exe and described it as a Serv-U trojan (yeah, cool). Regards
Good news, everyone who helped and others who might have the same problem in the future! I have deleted runtime.exe as a filename and, with the help of that startup tool, rebooted the system, and Windows isn't crying for that file anymore. I believe that it was crying because of that registry entry which hadn't been removed the first time I deleted the file, and I had to reinstall the service pack. About the service pack, it still remains a mystery; I have extracted all the files and couldn't find runtime.exe. So thanks again, administrators, for all the support and help. Regards
Hi, glad to see. I pointed out a service entry for that nasty when I emailed you.. I saw a LOT of entries; am awaiting your email back. If those EXEs are gone, just remove the startups. I was wondering how you could have so many! It makes sense if they are just leftover startups and the file is gone.
Yep, that's the whole point: the startup was "ready" for these files if they appear any day, since I removed them quite a long time ago.