Solved

I have a Trojan Horse -- CENF.EXE -help

Posted on 2003-11-27
17
447 Views
Last Modified: 2016-03-23
Apparently, my PC works fine.

I have detected a program called CENF.EXE, who was accesing to IP  81.176.66.26 port 119.  

When I cancel this program from the task manager, it reactivates automatically when I run any program.

Also, when I'm trying to access to REGEDIT, appears an error message "Memory access violation in module kernel 2 at 4849: ..." etc..etc

I think it's like a virus.. or a trojan horse.

I don't want to reinstall my Windows. Any help ?

Meanwhile I change the routing of that IP to anywhere.
0
Comment
Question by:carlosmolina100
  • 7
  • 4
  • 3
  • +1
17 Comments
 
LVL 6

Expert Comment

by:Sebo2000
ID: 9833693
Is it CENF.exe or CONF.EXE ???
0
 

Author Comment

by:carlosmolina100
ID: 9833718
C:\winnt\CENF.EXE

14/11/2003  05:08p             106,496 cenf.exe
0
 
LVL 6

Expert Comment

by:Sebo2000
ID: 9833734
it is something new, that I guess is pretending to be NetMeeting, and is connecting to some news server, you can run net monitor and see what data is beeing posted to that server. I was accually able to find the guy that usedthis IP to post to usenet, that was his last post:

Thank you Red. I locate the MGWIN.INI and edit it as listed here but no
luck. The program keeps on asking for UserName and Code. I think I may not
do it correctly since I am not a computer expert. Please give me further
guidiance.
"Red Rackham" <astaga@pirate.com> wrote in message
news:Xns942CC2C02290Fastagapiratecom@81.176.66.26...
> The correct registration code is stored in the MGWIN.INI
> as follows :
> [REG]
> UserName=PIRATES ORDER
> RegCode=VYHH7EUG
>
> MGUTIL_WIN.INI
> [REG]
> UserName=PIRATES ORDER
> RegCode=6D7X4CHA
>
> PRIVACY_WIN.INI
> [REG]
> Times=1
> 1=1049773538
> UserName=PIRATES ORDER
> RegCode=A6GJJEF9
>
>
>
>
>
> "Free Hui" <fhui01@oacbell.net> wrote in
> news:7vFqb.3313$7g2.2390@newssvr29.news.prodigy.com:
>
> > Andy, Thank you for your code. When I enter the User Name and code, I
> > have to restart the program to verify. When I restart the program, the
> > program requests to enter user name and code again. Any further help?
> > "Andy" <Andy@nomail.com> wrote in message
> > news:ejilqv8ih3d5fva5uiu68qiqm0ogadvqnt@4ax.com...
> >> On Thu, 06 Nov 2003 21:55:45 GMT, "Free Hui" <fhui01@oacbell.net>
> >> wrote:
> >>
> >> >Can any one post a register code for me? Thank you.
> >> >
> >> Free Hui
> >> F3DC3C3A

it's good that you redirected the traffic, so far no fix from the symantec for that.

Take Care
Sebo
0
 

Author Comment

by:carlosmolina100
ID: 9834026
Thanks for answer Sebo.  How do you obtained the information about the guy who posted to Usenet ?.

I found that IP with Nslookup --> news.rt.ru (from Russia ??)

C:\WINNT>nslookup
> 81.176.66.26
..
...

Name:  news.rt.ru
Address:  81.176.66.26

Nobody have the same problem ?
What I have to do ?
0
 
LVL 13

Expert Comment

by:Gnart
ID: 9834624
Try to use regedt32 instead of regedit to see if you can get to the registry to locate the launch for CENF.EXE.

Since it can put itself back, it's checking for its .EXE and rebuild as needed.  What you may want to try is to boot to recovery console and remove it from there.  Use your CD to do a repair install or to install the recovery console by running from your CD...i\386\winnt32.exe /cmdcons.....

Please send me the CENF.EXE for analysis and for my cybersecurity class....
Digitrash@hotmail.com or nguyentd@pgcc.edu.

cheers
0
 

Author Comment

by:carlosmolina100
ID: 9835008
When I run regedt32 appears a message box saying something like "Administrator has disabled the modification of the Registry"   :(

Using the console, when I rename cenf.exe to cenf.exxxx, and then cancel the process with the task manager, then I can't run any command or program (appears a message like: "can't find the program or some of the components")    :(

I'll wait some days before repair my Windows.  

I sent you the cenf.exe file.  Maybe you can find a clue to avoid repair the Windows.
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9835252
You have a client installed on your machine!


C entral  E urope  N ews  F lash     - cenf.exe

Whois results for: news.rt.ru (rt.ru)

news://news.rt.ru/ *****this is interesting*****

domain:     RT.RU
type:       CORPORATE
nserver:    ns.rt.ru. 195.161.0.135
nserver:    ns2.rt.ru. 195.161.3.22
nserver:    ns.rtcomm.ru.
nserver:    ns2.rtcomm.ru.
state:      REGISTERED, DELEGATED
org:        OJSC "Rostelecom"
phone:      +7 095 9732139
phone:      +7 095 7872849
fax-no:     +7 095 9733074
fax-no:     +7 095 7872850
e-mail:     uit@nmc.rospac.ru
e-mail:     ved@nmc.rospac.ru
e-mail:     registry@rt.ru
e-mail:     for@nmc.rospac.ru
registrar:  RUCENTER-REG-RIPN
created:    1997.01.14
paid-till:  2004.02.01
source:     RIPN


Last updated on 2003.11.28 08:35:46 MSK/MSD

I would email them and find out everything you can!

good luck
wtrmk74
0
 
LVL 6

Expert Comment

by:Sebo2000
ID: 9837703
I got that info from www.deja.com its web that holds all the recors of the messages that were posted in the news groups, I think some russian dude is testing new exploit, check your firewall , and try to think of the software that you installed lately.
Take Care
Sebo
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 

Author Comment

by:carlosmolina100
ID: 9838813
Thanks wtrmk74.. i'll be waiting.

Also, thanks Sebo for the info.  I have installed some software from unknown people... :S..
I know it.

Carlos Molina

0
 
LVL 13

Expert Comment

by:Gnart
ID: 9840363
>> "Administrator has disabled the modification of the Registry"

It sounds like you have been rooted.... Which account are you using?  Go into the User and group to see if there is any administrator account that should NOT be there.  The intruder may have created dummy account for you and took over the administrator's account.  The intruder may have set registry entry to relaunch or check for cenf.exe process, so he didn't want you to access the registry.  

Accessing and cleaning up the registry may be the key to solving the problem.  When did you run an ERD or SP?  If it's recent you can try the following:

1. You can mount the drive as slave to another system.
2. Make the backup of the current files c:/winnt/system32/config
3. Copy the registry files from c:/repair/regback
4. Reinstall drive and reboot your system

>> I sent you the cenf.exe file.
Which account did you send it to ?

cheers.....
0
 

Author Comment

by:carlosmolina100
ID: 9841375
I sent CENF.EXE  file to both addresses: Digitrash@hotmail.com <Digitrash@hotmail.com>
nguyentd@pgcc.edu <nguyentd@pgcc.edu>

There's no more account names.   I think he had the rights because my default account is administrator, and I ran many programs I downloaded from kazaa.

Sorry,  I don't understand how to "mount the drive as slave to ...".      Also, I can't find the c:/repair folder.   I found c:\winnt\repair, but not regback.

What means "reinstall drive"...   I believe that I need more details    :(    

Thank you.
0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9842886
did you get a chance to email the developers yet!

I think Gnart is talking about pulling your hard drive out of that computer and adding  it as a slave to another functioning computer.

This is done by changing the jumper settings on the back of the drive.

wtrmk74
0
 
LVL 13

Accepted Solution

by:
Gnart earned 20 total points
ID: 9843446
>> I sent CENF.EXE  file to both addresses: Digitrash@hotmail.com
>> nguyentd@pgcc.edu
Thanks, I checked digitrash and didn't see it.  I will check again.  I have not had the chance to check nguyentd because they are down for service.

>> I think he had the rights because my default account is administrator, and I ran many programs I downloaded from kazaa.
He sure did.  Did you have a password on it?  If you did, he probably installed a backdoor to your machine with a keystroke logger and emailed your password to himself.  After that you are done.

>> Also, I can't find the c:/repair folder.   I found c:\winnt\repair, but not regback.
Look like you never did a service pack or create a Emergency Repair Disk for your machine, else the \regback would be there.  The files in c:\winnt\repair are the registry files when you first installed your Windows.  You can take control of your system by restoring them, but the registry entries for your software would not be there.  Let's try something else "see below"

>> Sorry,  I don't understand how to "mount the drive as slave to ...".
If you are using two IDE drives whether they are zip, HD, or CD on the same IDE controller you will need to jumper one drive as master and the other as slave.  So if you are to put that drive in another computer you will need to jumpered it as slave.  

The options are:
1) put your current drive in another Win2K computer as slave.
2) put an old drive in your current system as master and jumpered your current drive as slave.  Install the OS on the newly inserted drive and create additional administrative accounts.  Rename the "SAM" file in your olddrive:\winnt\system32\config to SAM-BAD.  Copy the "SAM" in the newdrive:\winnt\repair into olddrive:\winnt\system32\config

Restore the old configuration - boot up and login as administrator and see if you can get your administrative control back.....after that you should be able to correct the problem.  It's just a matter of how much time do you want to spend verses the time to reinstall the OS.  Remember to disconnect the system from the Internet - he has keystroke logger in your machine.

Good luck - it can be done... just planned it out and take the correct steps.

cheers
0
 
LVL 13

Expert Comment

by:Gnart
ID: 9846833
Carlos,

Would you please send CENF.exe again?  It didn't get to either one of my addresses.  Send to the following, take out the "AT" and replace it with @:

digitrashAThotmail.com, nguyentdATpgcc.edu, tdn4itATyahoo.com, tdn4itAThotmail.com,
gnartAThotmail.com, INetmailerATgmx.net.

Hopefully one of them will get through.

TIA - cheers....
0
 

Author Comment

by:carlosmolina100
ID: 9855118

Sorry for the delay to response.  Searching the web, last Saturday I downloaded a demo version from http://www.innosetup.com of the "Trojan Remover". Then it found and removed the "Worm/Swen" virus or trojan.

Thanks to all for help me, specially to Gnart  
-- Someday, I will use your procedure :)) --
I sent the CENF.EXE file to the other address.

Regards,

Carlos


***** NORMAL SCAN FOR ACTIVE TROJANS *****
Trojan Remover Ver 6.1.3. For information, email simplysupsupport@aol.com
[Unregistered version]
Scan started at: 29/11/2003 12:53:33
Using Database v6056
Operating System: Microsoft Windows 2000 Version: 5.0 (Build: 2195 )
-----------------------------------
Checking Registry exefile command for modifications
The exefile\shell\open\command Registry Key loads the following program:
C:\WINNT\cenf.exe - this file appears to contain Worm/Swen.
Trojan Remover has restored the Registry exefile\shell\open key.
C:\WINNT\cenf.exe has been renamed to C:\WINNT\cenf.ex$.
--------------------
Checking for traces of the Internet Worm VBS/LifeStages
------------------------------
12:54:21 : Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINNT
------------------------------
12:54:21 : Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINNT
------------------------------
12:54:21 : Scanning -----WINDOWS REGISTRY-----
Checking HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Vxd ...
..
..


0
 
LVL 7

Expert Comment

by:wtrmk74
ID: 9864154
Glad everything worked out for you !

Remember to assign your points and close this thread !


Have a great holiday season
and New Year !

wtrmk74
0
 

Author Comment

by:carlosmolina100
ID: 9864387
I assigned the points to Gnart, because I can't assign to the Trojan Remover...ha..ha...

Thank you for your efforts Gnart (and for all). I learned a bit more.

I forgot to recommend Active Ports, a freeware software, because it helped me to know on-line (better to use netstat -a) about TCP and UDP connections, and the process related to each listen port and established connections.  If somebody knows something better (and freeware), pls tell me.

~~~~~~~~~~~~~~~~~~~~
Program information
~~~~~~~~~~~~~~~~~~~
Program Archive Name:
 aports.zip
Program Name:
 Active Ports
Target OS:
 Windows NT/2000/XP
Program Description:
 Shows all open TCP/IP and UDP ports
Software type:
 Freeware
Company Name:
  SmartLine Inc.
Contact WWW URL:
  http://www.ntutility.com

Regards,

Carlos
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

Suggested Solutions

Getting hacked is no longer a matter or "if you get hacked" — the 2016 cyber threat landscape is now titled "when you get hacked." When it happens — will you be proactive, or reactive?
So, a cyberiminal’s ultimate goal and motivation has to involve financial gain, right?—not necessarily. There are at least five other motivations behind cybercriminal activities.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now