  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1729

hacktool.dfind among others

Did the ultimate no-no and disabled the firewall to let the customer's software vendor get into the server to do some training and DB repair. Customer calls in and says they have no internet, router is flooded. Norton Corporate 10.0.02, latest stuff, finds hacktool.dfind as of right now. Initially upon visit I ran Norton in safe mode and found hacktool.hidewin, hacktool.dfind, hacktool, backdoor.hacktool and maybe a couple of others. It said it killed several and quarantined the rest. Server ran OK for about a day and a half, then the same thing: upon arrival Norton has found hacktool.dfind in subdirectory c:\recycler\many #s\me, which I cannot find anywhere; Norton says it partially repaired it. Norton is no help on killing a virus; none of the registry entries from the initial viruses that were supposed to be there were. This dude is bogging my server, messing with my SQL and obviously internet. Virus found a few minutes ago: hacktool.dfind, 2 files, both in the c:\recycler\many #s\me that I can't find anywhere. Assistance would be appreciated; supposed to go back at closing time so I can bring the server down and run a scan in safe mode. Ran HijackThis and do not find anything out of the norm, but I could be missing something. Kinda got me in a bind.
Thanks
0
Asked by: scoot63
2 Solutions
 
rpggamergirl commented:
In order to see that directory you need to show hidden files and folders and Uncheck “Hide protected operating system files” (Recommended)


reconfigure Windows to show hidden files:
Doubleclick My Computer | Tools | Folder Options | View tab
Select “Show Hidden Files and Folders”
Uncheck “Hide extensions for known file types”
Uncheck “Hide protected operating system files” (Recommended)
Select Apply to All Folders | Yes | Apply | OK

0
 
rpggamergirl commented:
Can we look at your hijackthis log please?
paste the log to either these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:

Or paste the log at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Post the link to the saved list here.


For the loss of internet connection, download WinsockFix:
http://www.majorgeeks.com/download4372.html



0
 
scoot63 (Author) commented:
I will have to get onsite this evening to get you that log file; I printed it and forgot to email it to myself. Maybe I can tell more after doing the suggestion above. Forgot to mention this is an SBS 2003 server, and to get internet back normally I run a Norton scan in safe mode, then bring the server back up and everything is OK for a day or two.
Appreciate the response, will get this done ASAP.
Thanks
0
 
scoot63 (Author) commented:
OK, here's my HijackThis log:
http://www.rafb.net/paste/results/hC8u2x91.html
I can now see those hidden files. Should I delete them?
0
 
r-k commented:
I posted your HJT log to http://www.hijackthis.de/ and the saved analysis is at:

 http://www.hijackthis.de/logfiles/d880dd381ffdf443f9c09f5265107384.html

The only thing that appears bad is this entry:

O23 - Service: MSIn Task Manager (MSItsk) - Unknown owner - C:\WINDOWS\system32\MSIntskmngr.exe

If you don't know what that service is, you should have HJT fix it.

Then reboot and run HJT again and check the entry is really gone.

Another thing I would recommend is the following:

Download and run RootkitRevealer from: http://www.sysinternals.com/Utilities/RootkitRevealer.html
Check the resulting log, and if unsure of the results, then paste it here (but if log is very long then post just the first 100 lines or so).

Re. the formerly hidden files (in the Recycler?) yes I would delete them unless you need them later to track the extent of the infiltration in which case I would leave them alone. In any case save a list of the files with dates and times before deleting them.

Good luck.

0
 
r-k commented:
Also locate the file C:\WINDOWS\system32\MSIntskmngr.exe, right-click on it, select Properties, and note the date/time created and also the Version tab. It will give you some idea of the time of the break-in and possibly more info.
0
 
scoot63 (Author) commented:
Removed the entry with HijackThis, rebooted, and the entry came back.
Ran an online scan with Kaspersky and it found that entry to be possible bad news; it also found a hacktool in c:\windows\system32\clearlog.exe.
Symantec doesn't find diddly in safe mode or normal mode on scan, but it will find it eventually. When I got here it had found trojan.dropper and hacktool, and said it deleted both, but Kaspersky found it again (online scan).
Very frustrating. Attempting to run RootkitRevealer; it has been running for a while and says "cleaning up" (what?).
0
 
scoot63 (Author) commented:
The msintskmngr.exe is also running as a process.
What else can we do?
0
 
r-k commented:
OK, some of these are persistent.

If RootkitRevealer has shown anything interesting so far please post a summary of the first few lines. It does take a while to finish, so if you don't think it'll find anything more of interest you can terminate it also. The more interesting stuff is usually in the first 15 minutes.

Here is what I suggest to neutralize the two known bad files (clearlog.exe and MSIntskmngr.exe)

(1) Right click on the file (e.g. MSIntskmngr.exe) in Windows Explorer or My Computer, select Properties

(2) Click on the Security tab.

(3) Click on the Advanced button.

(4) Uncheck the box labeled "Inherit from Parent...", then click "Remove"

(5) Repeat steps (1) to (4) for the other file

(6) Close all windows.

(7) Reboot.

This should disable all access to those files and prevent them from running. Run your AV programs and let them clean up the remainder.

0
 
r-k commented:
After you do the steps suggested in my last post, you should be able to remove that "O23 - Service: MSIn Task Manager (MSItsk..." entry with HJT and it should stay removed. Moreover, MSIntskmngr.exe will no longer be in the process list. Run scans with a couple of AV programs to be sure they show up as clean.

If RootkitRevealer showed anything of interest do save the log to a text file because you may need it later to clean up.

Post back if the above is successful, I have a couple of other suggestions at the end. Thanks.
0
 
scoot63 (Author) commented:
Working on it now, I will let you know.
Thanks
0
 
scoot63 (Author) commented:
OK, ran 2 AVs. Norton Corporate found nothing.
Panda ActiveScan found application servubased.a in windows\system32\jacheck.dll
and application killapp.b in system32\ktask.exe,
listed as being potentially unwanted.
Changing the files got rid of the process, but now I get the error on boot that the service failed to start the MSIn Task Manager service.
Also removed the entry with HijackThis and it came back.
Have not deleted the above files.
0
 
rpggamergirl commented:
To get rid of this entry:
O23 - Service: MSIn Task Manager (MSItsk) - Unknown owner - C:\WINDOWS\system32\MSIntskmngr.exe

You can go START > RUN > type in:
 
services.msc

In the next window, look on the right hand side for this service name:
MSIn Task Manager

Double click on it and STOP the service
In the drop down menu, change the startup type to "Disabled"

Open HijackThis > Open Misc Tools Section > Open "Delete an NT Service"
In the new window, type this --> MSItsk
into the Open field and hit OK

Maybe scan with Rootkit Revealer or Blacklight as already suggested.
You can also scan your system with Kaspersky's online scanner just to get all the infected files, Kaspersky won't delete them but at least you get to know where they are located.
0
 
r-k commented:
Sorry, I was offline for a while.

That is OK, so long as you are removing all permissions from those bad files, that is as good or better than deleting them.

Overall it looks encouraging.

"i get the error on boot that the service failed to start the msin task manager service"

This is that MSIntskmngr.exe file which you disabled, so this message is a good sign.

The thing to do is get rid of that service altogether.

I would start by disabling it as follows:

Control Panel -> Admin Tasks -> Services

Then find the service named "MSIn Task Manager (MSItsk)" in the list, right-click -> Properties
and change the "Startup Type" from "Automatic" to "Disabled".

Then you will no longer see that error message on startup.
0
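As an added example (not code from any poster in this thread), the following PowerShell script does in one pass what r-k's two posts and rpggamergirl's post describe by hand: it resolves which binary the suspect service launches, records the file's creation time, version info, hash and signature status before anything is touched, and then, only with -Apply, disables and stops the service and strips inheritance plus every permission from the file. The service name MSItsk and the image path come from the thread; the -Apply switch, the triage file in %TEMP%, and a PowerShell version with Get-FileHash (4 or later) are my assumptions, and the script must be run from an elevated prompt.

```powershell
# Added example (not from the thread). Triage and contain a suspicious service
# like the "MSIn Task Manager (MSItsk)" O23 entry discussed above.
# Assumptions: run elevated; service name as quoted in the thread;
# Get-FileHash needs PowerShell 4+ (older hosts: record the hash another way).
param(
    [string]$ServiceName = 'MSItsk',   # short service name from the O23 entry
    [switch]$Apply                     # report only unless -Apply is given
)

# 1. Resolve the binary the Service Control Manager actually launches.
$svc = Get-WmiObject Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }
if ($svc.PathName -notmatch '^"?(.+?\.exe)') { throw "Cannot parse path: $($svc.PathName)" }
$image = $Matches[1]
"{0} ({1}) state={2} start={3} image={4}" -f $svc.Name, $svc.DisplayName, $svc.State, $svc.StartMode, $image

# 2. Record what r-k asked for before anything is changed: timestamps, version,
#    hash and signature, so the break-in window can be reconstructed later.
$file = Get-Item -Path $image -Force          # -Force also returns hidden/system files
[pscustomobject]@{
    Path      = $file.FullName
    Created   = $file.CreationTime
    Modified  = $file.LastWriteTime
    Company   = $file.VersionInfo.CompanyName
    Version   = $file.VersionInfo.FileVersion
    SHA256    = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
    Signature = (Get-AuthenticodeSignature -FilePath $image).Status
} | Format-List | Out-String | Tee-Object -FilePath "$env:TEMP\$ServiceName-triage.txt"

if (-not $Apply) { return }

# 3. Contain: disable the service so nothing restarts it, stop it, then strip
#    inheritance and every ACE from the file (the Security tab steps above).
Set-Service -Name $ServiceName -StartupType Disabled
Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
$acl = Get-Acl -Path $image
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting; do not copy inherited ACEs
foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
Set-Acl -Path $image -AclObject $acl
"Disabled $ServiceName and removed all permissions from $image; reboot, then re-run HijackThis."
```

Run it once without -Apply to save the triage record, and keep that text file with the RootkitRevealer log as the "list of the files with dates and times" r-k recommends saving before any deletion.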
 
r-k commented:
Welcome back, rpgg :)
0
 
rpggamergirl commented:
Hi r-k!
I nearly sent you an email last night, it's about another thread! But I thought maybe never mind, lol.
0
 
scoot63 (Author) commented:
Sorry guys, I got run out of the customer's office. I will tackle it again tomorrow.
I will post and let you know.
One more question: why does Norton not pick up any of these errors that the online scan does?
Starting to wonder about it. Been selling this stuff for years, but a free online scan ends up telling me what I need to know.
Should I be pushing something else?
Anyway, I really appreciate the help!
0
 
r-k commented:
No problem with the delay. I feel like the system is basically clean, just some tidying up left.

Re. Norton, it's not a bad program, a bit obtrusive in the number of things it installs, and no program will spot every malware out there. People on this list have recommended almost as many as there are people posting. rpggamergirl has a good link to a site that recently compared the top 10 programs; I can't remember the link (though I mean to save it next time) so hopefully she'll post that again.

Also, keep in mind that traditional AV programs like Norton tend to ignore Adware/Spyware type programs, even though that is changing. I personally recommend one AV program plus Windows Defender (http://www.microsoft.com/athome/security/spyware/software/default.mspx) which is very decent for anti-spyware considering it's free.

rpggamergirl, I don't have an email address in my profile, but will get that rectified.
0
 
rpggamergirl commented:
>>need to know
should i be pushin something else<<
I certainly would get another antivirus if I were you. We got infected while we were using Norton with auto-protect and fully updated virus definitions, so now I don't like Norton anymore.

On r-k's suggestion, BitDefender is number one on the top ten antivirus list.
http://anti-virus-software-review.toptenreviews.com/


>>rpggamergirl, I don't have an email address in my profile, but will get that rectified.<<
oh I didn't check, but anyway it would've been a "ranting" email that you don't want, lol
0
