Solved

Cannot see files netstat.exe, kill.exe, and probably others

Posted on 2004-09-21
22
2,762 Views
Last Modified: 2010-05-18
Hello,

I have run into a very strange issue here.  I have 10 servers running Windows 2000 Server with SP3.  I wanted to push SP4 onto them.  I ran the setup and I received an error that it could not find file netstat.exe.  I tried browsing and all that good stuff but it was persistent.

Here is what I discovered after all the troubleshooting.  There is one good machine out of those 10 that I was able to run the upgrade on.  From that machine, I browsed to \\badserver\C$\WINNT\System32\ and I could see netstat.exe.  From the bad server itself, I cannot see the file netstat.exe on C:\WINNT\System32.  I even copied that file and set permissions to Everyone F/C and attributes to nothing negative, and copied it to C:\Temp on the bad machine using explorer from the good machine.  I go back to the bad machine, and I cannot see a file with the name netstat.exe.  I even did a rename C:\temp.txt C:\netstat.exe and POOF, the file disappears.

I was unable to see the file called kill.exe either.  I had to rename it to kill1.exe to use it.

I discovered that there is a file in the running tasks on all the bad servers called rpcsvr.exe.  I couldn't end task it but I was able to kill it using command line.  I killed it but I still can't see those files.  I also deleted the file rpcsvr.exe from the file system to make sure it doesn't start up again.  It's not in the registery anywhere, and I'm not sure how it starts.  But that could be a different story.

I am running Symantec Corp Edition 8 with latest virus def and full scan did not discover any viruses.

I'd like to know if anyone has come across this issue where you could not see those files.  Please let me know if you were able to fix it and how.

Thank you,
JM
0
Comment
Question by:jmelika
  • 9
  • 8
  • 2
  • +2
22 Comments
 
LVL 24

Expert Comment

by:SunBow
Comment Utility
I dunno. But if you cannot see it, then how can you change attributes and know of its presence? If it is windows vs dos, possibly it is explorer being user friendly and hiding all executable files from you.  I assume you know that, but since you are probably a frequenter of other machines, perhaps it was less than expected. I vote for explorer hiding nothing, at least from admins.

For RPC stuff, it is something you may not use, which ought to be a services or two you can disable, and test, to see if anything in remote access fails. I don't think it relevant to hiding files though. I don't think it virus, or among the many Symantec problems, unless it came with increased capability to hide the important files, those not temporary or full of data. So I'd try explorer first, where it's views can change from one system to next, and it defaults to a hide mode.
0
 
LVL 9

Author Comment

by:jmelika
Comment Utility
Thanks Sunbow.  I am a command line fan and hardly go to explorer unless I'm going through a long list of files.  I can change attributes of files without seeing them by doing the attrib -r -h -s command from the machine that CAN see those files but pointing to \\otherserver\c$\whateverpath\netstat.exe.  I then go back to the other machine and cannot see them from DOS nor explorer.

The insteresting thing as I mentioned is the renaming of a text file from file.txt to netstat.exe and it immediately disappeared as if I just did a delete not a rename.  The name itself seems forbidden to this machine's Windows.  I am really thinking it has to be a clever virus that fools the OS into not seeing this filename, and kill.exe also.

I mentioned the RPCSVR.EXE file because it seemed to be a virus (LOVGATE).  If you search that file name on google, all links are about the virus.  The way they suggest you remove it though did not apply to me.  I couldn't find the registry key for it so I had to kill it using the kill.exe (after renaming it to kill1.exe so I can see the darn file) and then deleting the file from C:\WINNT\System32 folder.

Just wanted to mention the virus part to give as much information as possible.

JM
0
 
LVL 14

Expert Comment

by:spiderfix
Comment Utility
Panda has an online virii/Trojan scanner/killer and it's very good at dealing with running tasks.

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

You'll get the security warning popup to install the applet first, then it'll give you the option
after to scan "all disks".
0
 
LVL 9

Author Comment

by:jmelika
Comment Utility
spiderfix,

It did not find any viruses on my systems.  As I mentioned, I have Symantec Antivirus Corp 8 with the lates def that also could not find any viruses.

Any other ideas?

JM
0
 
LVL 14

Expert Comment

by:spiderfix
Comment Utility
>>I have Symantec Antivirus Corp 8<<

It would be a good idea to let Panda go over it anyway. It has found things other scanners
missed many times for me. The scan takes a bit of time but it's worth the second opinion.
0
 

Expert Comment

by:jon8034
Comment Utility
Sounds like you might have something like lb.exe running on your system if you do, removing this may take care of the problem - to see an interesting story on lb.exe you can read at

http://www.securityfocus.com/infocus/1618

This article mentions using linux/unix tools to tshoot windows problems and there is another interesting link on that you might like (excerpt below with link included)

As most readers know, a rootkit is generally a Unix concept that is spreading to other platforms in its increasingly sophisticated forms. This is a collection of tools used by an intruder to hide his presence in an attacked system. Typical goals include replacing or infecting binaries such as ps, find, ls, top, kill, passwd, netstat, hiding directories, files and even their portions  – for example, in  /etc/passwd. Moreover, catching passwords, deleting logins of attacker’s activity, placing backdoors in specific services (for example, Telnet), to get in without authorization at any time. There are plenty of rootkits in the Unix environment, and each new release is more “forward thinking” in terms of its functions. They are also available to attack Windows systems – less sophisticated but still powerful and also trendy. Some handy rootkit solutions deal with hiding or altering netstat commands, thereby making a previously planted backdoor invisible while listening in on any port.

from
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

may wish to read full link

Try to make sure that you have show operating system files enabled under view options

Check the ownership of the file using your command prompt - sounds as if you are very adept at that - before and after you rename it - best guess is you have malware that is changing ownership on it as soon as it is spotted
0
 
LVL 9

Author Comment

by:jmelika
Comment Utility
Thanks guys for all the clues.

jon8034 - you're definitely leading me on the right track.  I do understand the issue is that the Rootkit was used to alter the kernel.  Do you know how I could undo that, though?

Thanks!
JM
0
 

Expert Comment

by:jon8034
Comment Utility
Let's try easy first.  Using our beloved command prompt envnrionment (no HAL here) let's use dir /ah to see if you can see the netstat command after it "disappears".  If you can see it, see if you can change the attribute - if you do not have permission then someone is marking it as hidden and probably changing ownership.  This can be a very clever thing for malware to do.

I had an xp situation recently where the malware created alternate ownerships on folders and files in a directory chain (ie folder a owned by X contained folder b owned by Y contained folder c owned by X....contained file MALWARE owned by Y) so that neither owner could readily access the affected file.  Had to change permissions on a folder up the line, set to show superhidden files in registry, indicate inherited ownership and still had to delete the folder chain to get rid of the file at the end of the chain that contained the malware.

Anyway, try this and if you can see it and manipulate it, examine the folder chain to verify that ownership is consistent.

Also audit your user list to make sure you have no unknow users, that none !unexpectedly! have admin privleges and that you do not have two entries different only in that one has some uppercase and the other does not (a hacker trick sometimes).  Also, if you have not, change your admin password - make a recovery disk first :).
0
 
LVL 9

Author Comment

by:jmelika
Comment Utility
The dir /ah did not work.  I have my Explorer setup to view hidden and system files so I can see them when they're hidden.  They are not hidden, but the "kernel" cannot see them.

Here is one more thing to add.  I realized Active Ports was affected as well.  This infection is causing my server to not be able to see the directory Active Ports nor the file aports.exe.  It was weird, but I just renamed the folder remotely by accessing the C$ share to Active Ports1 and aports1.exe and sure enough, I can see and run it now.  Running it did not reveal any suspecious ports though.

Now to summorize this:
1) Some files (i.e. netstat.exe, kill.exe, Active Ports) cannot be seen by the operating system neither locally or on remote machines.  I CAN view the files and folders on the infected machine by accessing it remotely from another machine.

2) It is not an attribute issue

3) No suspecious programs or DLL's running in my processes.

4) No suspecious ports are listening.  Just what my server is serving.

Thanks,
JM
0
 

Expert Comment

by:jon8034
Comment Utility
Ok, never hurts to try easy first.  Here is a link that explains rootkits reasonably well and ways to detect ant treat them
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
This is a reasonably good article giving backround and approach - sometimes you have to stomp the grapes to get the wine :)
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 
LVL 9

Author Comment

by:jmelika
Comment Utility
OK, I think I got one step further using the article you sent (thanks!).  I ran the drivers.exe program on my infected server and compared it to the same on a non-infected server.  Those two servers are almost identical in everything they do and run, except for the virus of course.

The infected server had a driver called ntio424.sys while the good one did not.  Searching the entire hard drive (even remotely) looking for that file and also the registry did not show anything.  On the other hand, once the bad server was rebooted, Symantec AV reported a virus it discovered called Backdoor.HackDefender in the following two files:
C:\WINNT\System32\Drivers\service.exe
C:\WINNT\System32\Drivers\ntio424.sys

The action it took was "Left Alone" so they are still there.  But when I search for them, they are no where to be found.  Again, I did the search from a remote machine pointing to \\badserver\c$ and I CAN see hidden and system files.

Now the question is, how do I get rid of the driver that's running or uninstall it if I cannot find it in the registry nor anywhere on the HD?

Thanks,
JM
0
 

Expert Comment

by:jon8034
Comment Utility
Good progress!  Ok, first change ownership on Drivers to another admin account and then back to the original allow everyone complete control (do this while noone is on if possible) and answer yes to affect child objects, (it is possible you may have to drop back to the system32 folder for this but don't unless you absolutely are getting nowhere trying just the drivers folder).  Then share out the drivers folder and verify permissions - important do NOT reboot during this time or permissions may be changed back again.  Also, if possible, disconnect the internet while doing this to avoid malware from uploading it's payload if it detects the attack (if attack is from inside the network that may not help, but you do what you can).  Then first trying remote machine then local machine only if necessary, logon and use dir /ah in command prompt to find files and then delete them.  If this is successful, completely disconnect the machine from all networks and reboot.  If there is something in startup pointing at these and it cannot reload them from the network/internet it should pop a dialogue box.  Then while logged in as admin do a complete norton scan, then log onto the internet and do a remote scan from pandasoftware.com.  Hopefully you are fixed - if not or if you are not able to locate files in above first step let me know - good hunting |)---->
0
 
LVL 9

Author Comment

by:jmelika
Comment Utility
We're definitely moving forward here.  Here is what I did:
Changed permissions of C:\Winnt\System32\Drivers and its contents to a dummy user account.  I also removed the inherited permissions.  Gave ownership to that user as well.  Did the remote file explorer and I saw the file!!!

Here is the good part:
I selected the file, and BAAM, it disappeared.  I think it disappeared because explorer tried to call its properties.  The virus is probably set to hide itself once this happens.  I tried refreshing, restarting Explorer and back to the share, I don't see the file at all now.  Still disappeared.  I think I need to reboot this remote machine to be able to see it again, but I can't do that now cause the machine I'm using is a production box.

I skipped the first few steps and started from browsing to the share of the drivers folder (on another bad server now) and I see the ntio42.sys file.  I did not select it this time, I just went to DOS and tried to delete it, but it gave me access denied message.  I'm sure that's because the file is in use by Windows.

How do I unregister the virus or even find out the process that's running this sys file to kill it so I can delete the file?  We're defintely close, let's not give up now ;)

Thanks!
JM
0
 

Expert Comment

by:jon8034
Comment Utility
ok, try to do everything from the dos prompt if possible.  Two ways to go

1) If you can make a dos boot floppy do these things from there

2) do from dos command promt with system running but nothing critical happening after killing off every extraneous process

Copy the system32 folder to another folder making sure you retain long filenames and get everything.  If bad file copies delete it from the new folder (ie system32copy).

Make sure ownership of system32 is granted to your current user (ie administrator) and set child perms, etc
Delete the system32 folder - even though the bad file would not let you delete it specifically by changing permission and inheriting to child etc, system may let you delete the folder and contents - a bit dicey removing the system 32 folder but that is why you make a copy first and boot off of a floppy if you can.  Then move the system32copy folder to system32, then grant correct ownership and privelages, inspect for bad file to make sure it is not present and reboot.
0
 
LVL 9

Author Comment

by:jmelika
Comment Utility
No go.  My drive is formatted in NTFS and DOS boot will not work.

I tried to boot in Safe Mode and got the blue screen of death saying inaccessible boot device.  This happened twice.  I can't try it on one of my other infected servers because they're heavily used and I can't affording bringing them down to test the safe mode thing unless I'll be able to actually get something done then.

I did a search for the virus name and came across this article.
http://www.experts-exchange.com/Security/Q_20995600.html

Very interesting stuff there.  I wasn't able to get PatchFinder nor klister to work on the server, though.  PF could not even start the service and klister was saying something about cannot open \\.klister.  Not sure what that means.

Any more ideas from here?

Thanks,
JM
0
 

Expert Comment

by:jon8034
Comment Utility
If you have or can setup another box that can access the file system, pull the drive and mount it as secondary on the other server and go in from there as administrator.  
0
 
LVL 9

Author Comment

by:jmelika
Comment Utility
I'm afraid I cannot do that.  These servers are on RAID 5 drives.  Moving the drive as a slave is not an option.  Besides, they are co-located across the country and I have to walk the tech through what needs to be done over the phone every time.

Here is what I did since my last post:
Reboot in Safe Mode (just plain ol' safe mode), I got the blue screen of death.
Reboot to the Recovery Console, same BSOD.  This recovery console is on the hard drive, so I am asking the tech right now to locate a bootable W2k AS CD to try and boot from that.

Is there any hope here or am I just wasting my time and should just format and start fresh?

JM
0
 

Expert Comment

by:jon8034
Comment Utility
Try to see if you can determine ownership of the files you are trying to delete either with dir command or through explorer.  If the system32 folder is shared out with full permisssions that user should be able to go to the system32 folder and delete it.  If that does not work, you could try and insert a startup command that deletes that file before windows actually loads.
0
 
LVL 9

Author Comment

by:jmelika
Comment Utility
I GOT IT!!!!!!

Here is a trail of what I did:
From a good machine, I browsed \\badmachine\c$\winnt\system32\drivers and found service.exe and service.ini.  I opened the service.ini file and I found the following:
====================================
[Hidden Table]
rpcsvc.exe
kbdsr.*
winman.dll
ntio424.sys
cnd.exe
.ja*
kill.exe
fport.exe
remboot.exe
uptime.exe
pulist.exe
ddhel*
services_.exe
service.*
MS0000031988865TMP
S-1-5-21-47866669-1409439266-720635935-7452
dxdiag.dll
wmvidsk*
xkey.dll
rstlman*
KB824015.log
Active Ports
aports.exe
netstat.exe
star.dll
cygwin1.dll
navap32.dll
navapi32.dll
scan.dat
clean.dat
names.dat
psexesvc.exe

[Root Processes]
rcmd.exe
kill.exe
rpcsvc.exe
rpcsvr.exe
ntio424.sys
ddhelp*
service.exe
fport.exe
services_.exe
pulist.exe
cnd.exe

[Hidden Services]
Alerter
RpcSvc
Help
       
[Hidden RegKeys]
Alerter
LEGACY_Alerter
TDXRV
LEGACY_TDXRV
RpcSvc
LEGACY_RpcSvc
Help
LEGACY_HELP
           
[Hidden RegValues]
           
[Startup Run]

[Free Space]

[Hidden Ports]
TCP:8001,20000,20001,20002,20003,20004,20005,20006,20007,20008,20009,20010,20011,20012,20013,20014,20015,20016,20017,20018,20019,20020,20021,20022,20023,20024,20025,20026,20027,20028,20029,20030,20031,20032,20033,20034,20035,20036,20037,20038,20039,20040,20041,20042,20043,20044,20045,20046,20047,20048,20049,20050,20051,20052,20053,20054,20055,20056,20057,20058,20059,20060

[Settings]  
Password=\/ictory!
BackdoorShell=cnd.exe
FileMappingName=RTYWHNOWAALZ
ServiceName=Alerter
ServiceDisplayName=Alerter
ServiceDescription=Notifies selected users and computers of administrative alerts.
DriverName=TDXRV
DriverFileName=ntio424.sys
           
[Comments]
====================================================

I cleared everything under the tags and rebooted.  I ran a full scan and I was able to quarantine the files this time.  I was now able to view the services that were executing this program that used to be hidden.  The only one I found was Alerter.  I removed it frmo the registry and also removed RPCSVC.  The file had already been quarantined a while ago I guess.

I am able to delete all the suspecious files and also able to see the files I need (netstat.exe, kill.exe, etc).  I am off on cleaning up the rest of the infected servers now.

Thanks so much for your efforts though.  I hope someone out there will benefit from my post and successfully remove the rootkit from his computer the way I did.

Best Regards,
JM
0
 

Expert Comment

by:jon8034
Comment Utility
NICE!! Glad you got it fixed - have a good day :)
0
 

Accepted Solution

by:
modulo earned 0 total points
Comment Utility
PAQed with points refunded (500)

modulo
Community Support Moderator
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Hello I read in a discussion about a person who configured a very simple mirror RAID with two hard drives; the system and data were on the same partition. He asked how to repair the system as it was not booting up anymore. In his case running …
Just about everyone has an old PC laying around.  Ask anyone in the IT industry, whether they are a professional or play in it as a hobby.  From outdated Desktops to cheap "throwaway" laptops, they are all around and not as hard to "fix up" as you m…
This video discusses moving either the default database or any database to a new volume.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now