Strange directories and hidden things

Discussion in 'malware problems & news' started by SystemJunkie, Jun 2, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Actually I reinstalled an old backup and found a new behaviour I hadn't seen before: many different directories are created through own files, program dir, windows and system32 dir. In Explorer it looks like usual directories, but rootkit detector 2 reveals folders with ? and a hidden thing called: HIDDEN: C:\WINDOWS\system32\OPVOC

    hxxp://i3.tinypic.com/11hcqip.png

    hxxp://i3.tinypic.com/11h8etf.png

    I have neither something like Oracle nor Symantec on my system. Crazy, isn't it?

    Maybe it is useful to mention that a temp file is always created; in nearly all cases it has the same md5 hash, only the name changes regularly. It is always recreated or persistent even if you try to delete everything in the temp folder. The file looks like this: ~DF7EAE.tmp and has 16 KB of size.

    Probably nothing special but better to mention.
     

    Last edited by a moderator: Jun 2, 2006
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi SJ i see you're back in town !

    Those ~DF7EAE.tmp etc. entries, I'm convinced anyway, are from ZoneAlarm. I also get sometimes several of them daily, depending how often I log on and off the internet. So in that case they are nothing to worry about. I've just checked my TMP files and I have one in there which right now is 2kb. At the end of the day I physically disconnect the modem plug from the wall socket, close down ZA and then I am able to delete those, and also fwpktlog.txt/fwdbglog.txt/tvDebug.log and the "your computer name".ldb file too. They get newly recreated after a reboot.

    Regarding the ? etc entries, can't help you there.


    StevieO
     
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Hi Stevie,

    I noticed too that one Temp file was generated by Zone Alarm, good info,
    but two Temps with 16 KB still remain and are unerasable.
     
  4. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    You could try the excellent FREE Unlocker to get rid of those "undeletable" files; it usually works for most people anyway!

    http://ccollomb.free.fr/unlocker/


    StevieO
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I will try it! Besides, is it usual that the following functions of svchost are hooked? It's a tool I really like to use, called spybro.

    11i32g4.png

    And something I am keen to know: does anyone have the following CLSIDs?

    HKCR\Interface
    {50EA08B0-DD1B-4664-9A50-C2F40F4BD79A}
    {50EA08B1-DD1B-4664-9A50-C2F40F4BD79A}
    {50EA08B2-DD1B-4664-9A50-C2F40F4BD79A}
    .. until .. {50EA08BE-DD1B-4664-9A50-C2F40F4BD79A}

    Symantec says that these are legitimate CLSIDs but also used by spyware.

    What about these CLSIDs, are they essential or only spyware?

    HKEY_CLASSES_ROOT\TypeLib\{00020430-0000-0000-C000-000000000046}

    HKEY_CLASSES_ROOT\CLSID\{00020420-0000-0000-C000-000000000046}
    {00020421-0000-0000-C000-000000000046}
    {00020422-0000-0000-C000-000000000046}
    {00020423-0000-0000-C000-000000000046}
    {00020424-0000-0000-C000-000000000046}
    {00020425-0000-0000-C000-000000000046}

    ??

    And are the following files in system32 really Aureate Spy
    or only Windows internal files? nscompat.tlb (23 KB), amcompat.tlb (17 KB)

    So many questions. Besides, I noticed in the user temp folder a file called mc21.tmp, 71 KB in size; spybro identified this one as a driver which temporarily appears.

    I ask this because regular antivirus and antispy don't alert, but the keys and files are there and some Google info indicates spyware.

    Does anyone know if it is usual that clbcatq.dll, comres.dll, oleaut32.dll have no Microsoft description?
     
    Last edited: Jun 2, 2006
  6. JRosenfeld

    JRosenfeld Registered Member

    Joined:
    Jul 26, 2004
    Posts:
    117
    XP SP2 all updates. Clean system.
    I have all the \Interface, \CLSID and \Typelib keys you mention.

    I also have both of the .tlb files you mention.

    The .dll files you mention all say Unknown application on the general tab, but mention Microsoft on the version tab of their properties.

    You can get info on Microsoft dll files at http://support.microsoft.com/dllhelp/
     
  7. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    The mc21.tmp file is indicative of an older rootkit type of driver (Vanquish) but you have to watch out for the fact that there are actually a few legitimate utilities using this technique as well.

    You will notice in your Windows Explorer list that you have two system32 folders listed.
    The one which sorts last alphabetically in the display will be the one with the foreign character.
    It's likely Cyrillic: http://www.fileformat.info/info/unicode/char/0455/index.htm
    Such characters aren't available in your particular ANSI code page and therefore appear as undecipherable with something using ANSI (i.e. as a question mark).

    This latter (foreign char thing) is 'almost' a sure sign of infection, though you have so many there that I wonder if it wasn't an effect of the way you mounted the image?

    ------------
    edit - there seem to be a lot of 'same-name' dirs. Is this a 64-bit system and the image is showing confusion between the 32-bit and 64-bit dirs?
     
    Last edited: Jun 11, 2006
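    Added example, not code from this thread or from any of its posters: a small Python script that does what IMM describes, finding directory names that an ANSI-only program would display with "?" and grouping names that differ only by a Cyrillic look-alike letter (the "two system32 folders" symptom). It assumes cp1252 as the ANSI code page (a guess for a German XP install), uses a constructed subset of Cyrillic/Latin look-alikes rather than a full confusables table, and runs on constructed sample names; scan_tree() is the helper to point at a real directory.

```python
import os
from collections import defaultdict

# Assumption: the Western European ANSI code page, which a German XP install uses.
ANSI_CODEPAGE = "cp1252"

# Constructed subset of Cyrillic letters that look like Latin ones (not a full
# Unicode confusables table); U+0455 is the character IMM's link points at.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}


def unencodable_chars(name, codepage=ANSI_CODEPAGE):
    """Characters of name that the code page cannot represent; these are the
    ones an ANSI-only tool such as cmd.exe shows as '?'."""
    bad = []
    for ch in name:
        try:
            ch.encode(codepage)
        except UnicodeEncodeError:
            bad.append(ch)
    return bad


def ansi_view(name, codepage=ANSI_CODEPAGE):
    """The name as an ANSI-only program would display it: '?' for each
    character outside the code page."""
    return name.encode(codepage, errors="replace").decode(codepage)


def fold(name):
    """Comparison key: map look-alike Cyrillic letters to Latin, then casefold,
    so 'system32' and its Cyrillic-spelled twin collide."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name).casefold()


def find_lookalikes(names):
    """Groups of distinct names that fold to the same key.
    Returns {folded key: sorted list of spellings} for every collision."""
    groups = defaultdict(set)
    for n in names:
        groups[fold(n)].add(n)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def suspicious_names(names):
    """Names containing characters outside the ANSI code page, each with its
    ANSI rendering and the code points involved."""
    out = []
    for n in names:
        bad = unencodable_chars(n)
        if bad:
            out.append((n, ansi_view(n), ["U+%04X" % ord(c) for c in bad]))
    return out


def scan_tree(root):
    """Walk a real directory tree and apply both checks to every directory path."""
    paths = []
    for dirpath, dirnames, _ in os.walk(root):
        paths.extend(os.path.join(dirpath, d) for d in dirnames)
    return find_lookalikes(paths), suspicious_names(paths)


# Constructed sample directory names modelled on the thread's screenshots.
SAMPLE_DIRS = [
    "C:\\WINDOWS\\system32",
    "C:\\WINDOWS\\\u0455ystem32",            # Cyrillic dze in place of Latin 's'
    "C:\\WINDOWS\\system32\\Oracle",
    "C:\\WINDOWS\\system32\\\u041eracle",    # Cyrillic capital O
    "C:\\Programme\\\u00dcbersicht",         # German umlaut: in cp1252, so legitimate
]

if __name__ == "__main__":
    for spellings in find_lookalikes(SAMPLE_DIRS).values():
        print("look-alike group:", spellings)
    for name, shown, points in suspicious_names(SAMPLE_DIRS):
        print("non-ANSI name:", shown, points)
```

    The umlaut entry is there on purpose: accented Western European letters are inside cp1252 and are not reported, so the check flags only names Explorer renders fine but cmd.exe shows with "?". For a real machine, call scan_tree(r"C:\WINDOWS") and review both lists.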
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Thanks for the reply, yeah the system is deeply infected, but with a very hidden thing. What about this? Normal or not?
    15x8s28.gif
     
    Last edited: Jun 27, 2006
  9. IMM

    IMM Spyware Fighter

    Joined:
    May 6, 2004
    Posts:
    351
    No, that doesn't look normal. It looks terminal :)
    That particular folder is one with a bogus view of the actual file structure (in Explorer) anyway.
    What does gmer.exe tell you about the system?
    Does chkdsk (full) on a reboot do anything for you?
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    It is a 64 bit CPU with 32 bit Win XP Pro.

    Look what RKRevealer tells me while surfing:
    HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Internet Explorer\Main\Window_Placement 10.07.2006 02:17 44 bytes Data mismatch between Windows API and raw hive data.
    HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Count 10.07.2006 02:05 4 bytes Data mismatch between Windows API and raw hive data.
    HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Time 10.07.2006 02:05 16 bytes Data mismatch between Windows API and raw hive data.
    HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore\Count 10.07.2006 02:05 4 bytes Data mismatch between Windows API and raw hive data.
    HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\iexplore\Time 10.07.2006 02:05 16 bytes Data mismatch between Windows API and raw hive data.
    HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\iexplore\Count 10.07.2006 02:05 4 bytes Data mismatch between Windows API and raw hive data.
    HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{92780B25-18CC-41C8-B9BE-3C9C571A8263}\iexplore\Time 10.07.2006 02:05 16 bytes Data mismatch between Windows API and raw hive data.
    HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\iexplore\Count 10.07.2006 02:05 4 bytes Data mismatch between Windows API and raw hive data.
    HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\iexplore\Time 10.07.2006 02:05 16 bytes Data mismatch between Windows API and raw hive data.
    HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BBE59AF5-EE22-4A3A-AB26-3F774D1B4216}\iexplore\Count 10.07.2006 02:05 4 bytes Data mismatch between Windows API and raw hive data.
    HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BBE59AF5-EE22-4A3A-AB26-3F774D1B4216}\iexplore\Time 10.07.2006 02:05 16 bytes Data mismatch between Windows API and raw hive data.
    S-1-5-21-1409082233-1425521274-682003330-1005 01.01.1601 02:00 0 bytes Error dumping hive: Internal error.
    HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10.07.2006 02:19 80 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\B6D4FBE3DS33AAE46B232812EC773FFA\Usage\Core 10.07.2006 02:19 4 bytes Data
    HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 10.07.2006 02:19 4 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Zone Labs\ZoneAlarm\IncomingCount 10.07.2006 02:19 4 bytes Data mismatch between Windows API and raw hive data.

    I get red alert attacks (Zone Alarm) every day from the same IP (82.113.20.xxx); they try to connect on port 1080.

    And I still noticed a lot of ? in folder names, e.g. System32\Oracle (Explorer view), but in reality at the DOS cmd level it looks like System32\?racle.

    Stealth by Design Virus or hidden file infector virus?

    1zg435s.png

    PS: The size of both exe files remained at 640 KB; only the hashes and content changed, as seen above.

    May this also be the result of a system instability or driver conflict after rebooting the computer?
    But normally Windows is not able to destroy exe files, especially as it is always the same: only the last part of the exe file gets corrupted with 0000s. The very, very strange thing is that this happens irregularly and not that often, but it has now happened for the 5th time within approx. 6 months. It's not a mass file destruction, only very specific and focussed on very few files.
     
    Last edited by a moderator: Jul 10, 2006
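    Added example, not from this thread or from any poster: a Python check for the pattern SystemJunkie describes above, an executable whose size and name stay the same while its hash changes and its tail has been overwritten with zeros. It keeps a (size, sha256) baseline per file and reports how many 0x00 bytes the file now ends with. The 640 KB image, the file name example.exe and the min_tail threshold are constructed for illustration; build_baseline() and check_files() are the helpers to run against real files.

```python
import hashlib


def sha256_bytes(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def trailing_zero_run(data):
    """Number of 0x00 bytes at the very end of data."""
    end = len(data)
    i = end
    while i > 0 and data[i - 1] == 0:
        i -= 1
    return end - i


def assess(name, data, baseline, min_tail=4096):
    """Compare a file image with its recorded (size, sha256) baseline.

    'tail-overwritten' means: size unchanged, hash changed, and the file now
    ends in at least min_tail zero bytes, the pattern described in the thread.
    min_tail (constructed default) keeps ordinary section padding of a few
    hundred bytes from triggering the verdict."""
    base_size, base_hash = baseline[name]
    size, digest = len(data), sha256_bytes(data)
    tail = trailing_zero_run(data)
    if digest == base_hash:
        verdict = "ok"
    elif size == base_size and tail >= min_tail:
        verdict = "tail-overwritten"
    else:
        verdict = "modified"
    return {"name": name, "size": size, "size_unchanged": size == base_size,
            "trailing_zero_bytes": tail, "verdict": verdict}


def build_baseline(paths):
    """Record (size, sha256) for real files on disk, to compare against later."""
    out = {}
    for p in paths:
        with open(p, "rb") as fh:
            data = fh.read()
        out[p] = (len(data), sha256_bytes(data))
    return out


def check_files(paths, baseline, min_tail=4096):
    """Re-read real files and assess each one against the baseline."""
    results = []
    for p in paths:
        with open(p, "rb") as fh:
            results.append(assess(p, fh.read(), baseline, min_tail))
    return results


# Constructed 640 KB stand-in for an executable (not a real PE image), plus a
# copy whose last 64 KB have been overwritten with zeros.
GOOD_IMAGE = bytes(range(256)) * 2560          # 655360 bytes = 640 KB
DAMAGED_IMAGE = GOOD_IMAGE[:-65536] + b"\x00" * 65536
BASELINE = {"example.exe": (len(GOOD_IMAGE), sha256_bytes(GOOD_IMAGE))}

if __name__ == "__main__":
    print(assess("example.exe", GOOD_IMAGE, BASELINE))
    print(assess("example.exe", DAMAGED_IMAGE, BASELINE))
```

    On a real machine, run build_baseline() once on the few executables that keep getting hit, store the result, and run check_files() after each reboot: a "tail-overwritten" verdict with the same size tells the two cases apart (a rewritten file versus a truncated one) before sending the sample to the online scanners mentioned later in the thread.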
  11. controler

    controler Guest

  12. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    SJ,

    You're supposed to run RKR with the minimal amount of background tasks and apps running, and not touch the PC at all until RKR has completely finished its scan. So that includes surfing etc., and that's why you see those IE entries!

    If you do a search on the Sysinternals forum for "Data mismatch between Windows API and raw hive data" you should find plenty of answers.

    Also, any files like the ones you often mention that you think might be suspicious can be uploaded to these free online sites for examination.

    http://www.virustotal.com/vt/

    http://virusscan.jotti.org/

    http://scanner.virus.org/

    What are the missing x's from this 82.113.20.xxx?

    Getting lots of incoming probes etc. is nothing unusual in itself, even to the same ports every day from the same IPs. I get plenty from all sorts of IPs, some you wouldn't believe!

    With regard to the 640 KB .exe file, please see my PM.

    controler

    If i'd remembered about Boot Deleter earlier i could have tried to use it to get rid of the file in this thread https://www.wilderssecurity.com/showthread.php?t=138403

    Saved it for a rainy day though, Thanks


    StevieO
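    Added example, not code from this thread or from Sysinternals: a Python triage script for RootkitRevealer output of the kind SystemJunkie pasted above, applying StevieO's point that "Data mismatch between Windows API and raw hive data" on values that change while you surf is scan noise. It re-joins lines that the forum wrapped after a backslash, then sorts each record into volatile (IE window state and add-on usage counters, the CSP random seed, ZoneAlarm's own counters), scan-error, hidden, or review. The volatile list is my assumption from the entries in the post, the "Hidden from Windows API." line and the Run value in the sample are constructed for illustration, and the sample report itself is constructed in the shape of the quoted output.

```python
import re
from collections import Counter

# One RootkitRevealer report line: <path> <dd.mm.yyyy> <hh:mm> <size> bytes <description>
RKR_LINE = re.compile(
    r"^(?P<path>.+?) (?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) bytes (?P<desc>.+)$"
)

# Registry locations whose values legitimately change while the machine is in use.
# Assumption based on the entries quoted in this thread, not an official RKR list.
VOLATILE_PATTERNS = [re.compile(p) for p in (
    r"\\Software\\Microsoft\\Internet Explorer\\",
    r"\\CurrentVersion\\Ext\\Stats\\",
    r"\\Microsoft\\Cryptography\\RNG\\Seed$",
    r"\\Zone Labs\\ZoneAlarm\\\w+Count$",
)]


def parse_rkr_line(line):
    """Split one report line into its fields, or return None if the line is
    incomplete (the forum post wrapped long paths after a backslash)."""
    m = RKR_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = int(rec["size"])
    return rec


def parse_report(text):
    """Parse a whole report, re-joining lines that were wrapped mid-path."""
    records, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Try the fragment carried over from the previous line first, then the line alone.
        rec = parse_rkr_line(pending + line) or parse_rkr_line(line)
        if rec:
            records.append(rec)
            pending = ""
        else:
            pending += line
    return records


def classify(rec):
    """Triage category for one record."""
    desc, path = rec["desc"], rec["path"]
    if desc.startswith("Hidden from Windows API"):
        return "hidden"        # object invisible to the Windows API: look at this first
    if desc.startswith("Error dumping hive"):
        return "scan-error"    # RKR could not read the hive: rerun, not a finding
    if any(p.search(path) for p in VOLATILE_PATTERNS):
        return "volatile"      # expected noise from activity during the scan
    return "review"


def triage(text):
    """(path, category) for every record in the report text."""
    return [(rec["path"], classify(rec)) for rec in parse_report(text)]


def summarize(text):
    """Count of records per category."""
    return dict(Counter(cat for _, cat in triage(text)))


# Constructed sample in the shape of the RKR output quoted in this thread; the
# hidden-object line and the Run value are made up for illustration.
SAMPLE_REPORT = r"""
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Internet Explorer\Main\Window_Placement 10.07.2006 02:17 44 bytes Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1409082233-1425521274-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\iexplore\Count 10.07.2006 02:05 4 bytes Data mismatch between Windows API and raw hive data.
S-1-5-21-1409082233-1425521274-682003330-1005 01.01.1601 02:00 0 bytes Error dumping hive: Internal error.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 10.07.2006 02:19 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Zone Labs\ZoneAlarm\BlockCount 10.07.2006 02:19 4 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\system32\OPVOC 02.06.2006 10:00 0 bytes Hidden from Windows API.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleValue 10.07.2006 02:19 60 bytes Data mismatch between Windows API and raw hive data.
"""

if __name__ == "__main__":
    for path, cat in triage(SAMPLE_REPORT):
        print("%-12s %s" % (cat, path))
    print(summarize(SAMPLE_REPORT))
```

    Anything that lands in "hidden" or "review" is what a rerun under the conditions StevieO describes (nothing else running, no surfing) should either reproduce or make disappear; the volatile entries are the ones the Sysinternals forum threads he mentions explain away.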
     
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Okay, so far everything is usual, except the exe file modifications and the directories starting with ?.

    Just for info, does anyone know what Akamai Tech is?
    I often noticed lots of connections I never could explain; I never surfed
    to such IPs. Only Yahoo, I noticed, often gets involved with Akamai Tech IPs,
    IPs like: 213.254.212.64, 194.25.136.0, 84.53.160.. - 84.53.163..,
    212.243.221.222, 213.200.97...; all these IPs come from Akamai Tech.
    (.. or xx means the IP range, or that it's not important to know the last few numbers, because the ISP is recognizable without the last numbers)

    I tried to block all of them with Zone Alarm; I made rules to stop connections on my http port, but once I saw that Akamai Tech still managed to connect to my system and Zone Alarm remained quiet.

    Some more suspicious shots here:
    http://tinypic.com/1zgz0i9.png
    Ipswitch browser reveals the ? that Explorer disguises as a normal letter.

    Besides, the mc..tmp file seems to be generated also by Spybro.exe or other anti-spyware tools. Just for info.

    That was the best answer so far. But what kind of infection? I guess a file infector.
     
    Last edited: Jul 10, 2006
  14. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    http://en.wikipedia.org/wiki/Akamai:

    www.akamai.com/

    Nothing to worry about.

    Gerard
     
  15. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Besides, chkdsk showed nothing special; oops, I tried Gmer but it resulted in a black screen and reboot. So here I am, back.

    Great to hear! Thanks.

    Then I'd like to know the thing about Inproc COM Servers. Everyone who
    uses Tiny Firewall or once used Tiny Firewall can monitor most things that happen in the system.

    What about this:
    http://i6.tinypic.com/1zgzukp.png

    This 0000.. COM server is generated with most exe files, but is temporary in nature; it can never get caught when I am trying to find it in the registry.

    http://i6.tinypic.com/1zgzvde.png

    Google finds 0 about this CUri.

    http://i6.tinypic.com/1zgzxwy.png

    This session information, I never understood its function. Maybe someone remembers when I said that this Windows image had a strange behaviour, e.g. when I used a new security tool with a trial of 30 days, it expired within 2 days, a kind of trial turbo killer that prevented me from testing the tools over the usual period, and I often noticed this session information thing.
     
    Last edited: Jul 10, 2006