svchost.exe in C:\windows\inf\5\nmc ?

Discussion in 'adware, spyware & hijack cleaning' started by FluxGFX, May 6, 2004.

Thread Status:
Not open for further replies.
  1. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Ok something is very wrong with this picture.

    See attached IMG....

    svchost.exe in C:\windows\inf\5\nmc\
    TCP local 0.0.0.0 TCP remote 0.0.0.0 port 2121?

  2. FluxGFX

    Here's a quick snapshot of what I got.....

    Reminder that del *.* returns "not directory found" and that a normal dir doesn't list any files.

    You need to type dir /ah to see a list of files
    auth.bat
    .psw files
    rundll.32
    svchost.exe

  3. FluxGFX

    Good old bootdisk.

    Went in, deleted the files,
    reboot.

    Registry (no entries found).
    Still puzzled as to how the process was executed....
    Possible DLL injection type of thing.... don't know, problem seems to be fixed.
     
  4. FluxGFX

    You will also have these hidden files

    C:\windows\syscfg32.exe
    C:\windows\svchost.exe
    C:\windows\system32\wininet32.exe

    Which need to be deleted also.

    Start - Run - regedit

    Search registry for these
    C:\windows\inf\5\nmc
    (delete the directory branch found in the search); you should find 4 matches.

    Also do a search on wininet32.exe and you should find 2 entries (delete the folder also).

    Then reboot and you'll be good as new.

    (darn freaking thing to get rid of) the wininet32.exe will try to contact a server in Japan; unfortunately I don't have it on hand.
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    It will be one of those XDCC bots.. TDS probably detects some parts of it

    First suggestion, zip the entire folder (the INF\5 folder) you found those files in FROM SAFE MODE. Then delete the whole folder since it's not a Windows folder - and email us the zip :) submit@diamondcs.com.au

    I'd stress that you should go to the INF folder and check what folders exist under it - since there could be something like \INF\6 as well with a backup copy of the bot. There are often LEGIT folders in \INF such as "other" so be careful..
     
  6. FluxGFX

    I ran TDS, it doesn't pick it up, and sorry, unfortunately the files are gone and they cannot be zipped, moved, or renamed while in Windows. You need to boot from a disk or CD, and then the file attribs are UYMA (which makes no sense),

    and even there the files can't be moved but they can be deleted.

    Sorry (I have someone else with the same issue, I'll ask him to zip the folder).

    So I'll be sure to collect a sample for you :) PM me and I'll give you my email
     
  7. FluxGFX

    Hey Gavin,


    I found 3 more files (I've safeguarded them):

    cmcfg.exe
    cmcfg.ini
    cmcfg.dll
    msconfig.exe (found in c:\windows\system32\, +h attrib)
    services.exe (found in c:\windows\, +h attrib)

    The INI file contains interesting information:

    Hid>den Tab<le]
    cmcfg.exe
    cmcfg.ini
    cmcfg.sys
    rcmd.exe
    servu.exe
    servudaemon.ini
    msconfig.exe
    services.exe
    usbhost.exe
    rundl32.exe
    shell32.exe
    5
    nmc
    bnc*
    winbnc32.exe

    [Ro<ot Proce>sses]
    cmcfg.exe
    rcmd.exe
    servu.exe
    msconfig.exe
    services.exe
    usbhost.exe
    rundl32.exe
    shell32.exe
    winbnc32.exe

    [Hid<den Servic>es]
    cmCfg
    Serv-U
    usbhost
    wincfg
    instmgr
    winimgs
    windvc
    winbnc
    HDWCONF

    [Hid<den Reg>Keys]
    cmCfg
    LEGACY_CMCFG
    cmcfig
    LEGACY_CMCFIG
    Serv-U
    LEGACY_SERV-U

    [Hidden RegValues]

    [Startup Run]

    [Free Space]
    C:5000000000

    [Hidden Ports]
    TCP:24000,34000,2121,2122,26000,31000,55555,55556,32000,7777,7778,7779,7780,7781,7782
    UDP:24000,34000,2121,2122,26000,31000,55555,55556,32000,7777,7778,7779,7780,7781,7782

    [Settings]
    Password=letmeinnow
    BackdoorShell=cmcfgß$.exe
    FileMappingName=_.-=[CMCFG]=-._
    ServiceName=cmCfg
    ServiceDisplayName=Windows Config Driver
    ServiceDescription=Manages Drivers and Adaptors
    DriverName=cmcfig
    DriverFileName=cmcfg.sys

    [Comments]
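As an added defender-side illustration (not code from the thread or from any poster), here is a small Python parser for a config in the shape quoted above: it strips the '<' and '>' noise from the section headers, pulls out the hidden file names, services and ports, and flags listening ports that an outside scan saw but the live host's own netstat did not. The sample INI fragment is constructed from the listing above, and treating a trailing '*' as a prefix wildcard is an assumption.

```python
import re
# Constructed sample fragment of the rootkit INI quoted above, keeping its '<'/'>' header noise
SAMPLE_INI = """[Hid>den Tab<le]
cmcfg.exe
bnc*
[Hid<den Servic>es]
cmCfg
Serv-U
[Hidden Ports]
TCP:24000,34000,2121,2122
UDP:24000,2121
"""

_NOISE = re.compile(r"[<>\s]")  # characters inserted into headers to defeat byte-signature scanners


def normalize_section(name):
    """'Hid>den Tab<le' -> 'hiddentable': drop the noise characters and fold case."""
    return _NOISE.sub("", name).lower()


def parse_config(text):
    """Parse the INI into {normalized_section: [entries]}; entries are kept verbatim."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = normalize_section(line[1:-1])
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def hidden_ports(sections):
    """Return {'TCP': set(ports), 'UDP': set(ports)} from the [Hidden Ports] section."""
    ports = {"TCP": set(), "UDP": set()}
    for entry in sections.get("hiddenports", []):
        proto, _, nums = entry.partition(":")
        if proto.upper() in ports:
            ports[proto.upper()].update(int(n) for n in nums.split(",") if n.strip().isdigit())
    return ports


def is_hidden_name(sections, filename):
    """True if the hidden table covers this file/process name (assumption: trailing '*' = prefix)."""
    name = filename.lower()
    return any(name == p or (p.endswith("*") and name.startswith(p[:-1]))
               for p in (e.lower() for e in sections.get("hiddentable", [])))


def unexplained_listeners(sections, external, local):
    """(proto, port, hidden_by_config) for ports an outside scan saw but local netstat did not."""
    hidden = hidden_ports(sections)
    return sorted((proto, port, port in hidden.get(proto, set())) for proto, port in external - local)
```

Run the parser over a recovered cmcfg.ini from an offline image, then feed the port sets from an external scan and from the live host's netstat into unexplained_listeners to see which discrepancies the config itself accounts for.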

     
  8. FluxGFX

    System IS NOW PURGED and CLEANED

    Registry keys and values have been eliminated.
     