Solved

ISP say my system is compromised

Posted on 2006-11-14
Last Modified: 2013-12-04
Hi All - As always, I get here when all else fails.

I have a client's system (Win2k) on a baby network (12 sta.) that is attracting attention by sending out thousands of packets continuously.  The ISP is about to turn off service if we don't 'clean' the system. I have performed the usual due diligence:
NAV
AVG
SpyBot
Windows Defender
Hijackthis   (log follows)

But I'm at a loss

Any ideas appreciated
Thanks,  Pat

Logfile of HijackThis v1.99.1
Scan saved at 8:55:12 PM, on 11/14/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.njo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


Question by:PFSullivan
 
LVL 32

Expert Comment

by:r-k
ID: 17944990
The HJT log doesn't show anything unusual, except perhaps too few entries. Are you sure the above is a complete list as produced by HJT? Also, try renaming HijackThis.exe to something else like temp.exe and run it again to see if something was hiding from it.

Is this Win2K workstation or Server?

Can you try the following:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and check "Hide Microsoft Entries".
    Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

(5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.

(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then cut and paste it here.
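The Autoruns procedure above ends with "examine that list and disable anything suspicious", which is done by eye. The following is an added example for this thread (not part of the original post and not Sysinternals code) that applies the same first-pass checks to the text file Autoruns writes from File -> Save as..: an entry with no publisher, an image that no longer exists on disk, an image outside the directories autostarts normally live in, or a system-process name (svchost.exe, lsass.exe, csrss.exe) launched from somewhere other than system32. The sample export is constructed and modelled on the layout of the Autoruns output posted later in this thread; its entry names and paths are illustrative, not findings about the poster's machine. The directory list, the temp-directory pattern and the system-process rule are this example's own heuristics, and a hit only means "look at this one", not "malware".

```python
"""Triage a saved Autoruns text export for entries that deserve a second look.

Added example for this thread, not Sysinternals code. The export format is
a location header line followed by one "+ Entry<TAB>Description<TAB>
Publisher<TAB>Image Path" line per autostart item.
"""
import re

# Constructed sample modelled on the Autoruns export layout in the thread.
# The entries are illustrative, not a verdict on the poster's machine.
SAMPLE_EXPORT = """\
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
+ AVG7_CC\tAVG Control Center\tGRISOFT, s.r.o.\tc:\\program files\\grisoft\\avg free\\avgcc.exe
+ Updater\t\t\tc:\\documents and settings\\administrator\\local settings\\temp\\svchost.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler
+ Network Neighborhood\t\t\tc:\\windows\\inf\\helper32.dll
Task Scheduler
+ Tune-up Application Start.job\t\t\tFile not found: walign
HKLM\\System\\CurrentControlSet\\Services
+ E100B\tNDIS 5 driver\tIntel Corporation\tc:\\windows\\system32\\drivers\\e100bnt5.sys
"""

# Assumed directories where autostart images are expected. Anything outside
# them is not malicious per se, just unusual enough to justify a look.
EXPECTED_DIRS = (r"c:\windows\system32", r"c:\program files")

# System-process names that have no business running from outside system32.
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "csrss.exe")


def parse_export(text):
    """Yield (location, entry, description, publisher, image) per autostart item."""
    location = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("+ "):
            cols = line[2:].split("\t")
            cols += [""] * (4 - len(cols))          # pad short rows
            entry, desc, pub, image = cols[:4]
            yield location, entry.strip(), desc.strip(), pub.strip(), image.strip()
        else:
            location = line.strip()                 # a new registry/folder location


def suspicious_reasons(publisher, image):
    """Return the heuristic reasons an entry deserves manual review ([] if none)."""
    img = image.lower()
    if img.startswith("file not found"):
        return ["image missing (orphaned autostart)"]
    reasons = []
    if not publisher:
        reasons.append("no publisher")
    if not any(img.startswith(d) for d in EXPECTED_DIRS):
        reasons.append("image outside expected directories")
    if re.search(r"\\(temp|tmp)\\", img):
        reasons.append("image in a temp directory")
    base = img.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and not img.startswith(r"c:\windows\system32"):
        reasons.append("system-process name outside system32")
    return reasons


def triage(text):
    """Return [(location, entry, image, reasons)] for entries that trip a heuristic."""
    flagged = []
    for location, entry, _desc, pub, image in parse_export(text):
        reasons = suspicious_reasons(pub, image)
        if reasons:
            flagged.append((location, entry, image, reasons))
    return flagged


if __name__ == "__main__":
    for location, entry, image, reasons in triage(SAMPLE_EXPORT):
        print(f"{location}\n  {entry} -> {image}\n  review: {'; '.join(reasons)}")
```

Run it against a real export saved from Autoruns (with "Hide Microsoft Entries" on, as r-k suggests, so the remaining Microsoft-published entries do not drown out the rest) and work through the flagged rows by hand; a flagged entry from a known vendor in an odd path is usually an installer quirk, while an unpublished binary in a profile's Temp directory is the kind of thing to pull apart on another machine before re-enabling it.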
 
LVL 1

Accepted Solution

by:
Selvarien earned 500 total points
ID: 17948964
First, pull the ethernet plug on the PC if permissible. Then clear all the temp/internet file folders from various profiles, check the registry (especially the Run reg and the FilesnamedMRU folder for IE in the registry), write down the things which don't look right. Check the Start menu for All Users, make sure something isn't there that shouldn't be. By the way, Nod32 is good at scanning/detecting viruses, etc., you can use that to bolster AVG's scans. (Use a disc or flash drive to copy over to the infected system.)

After all that, go ahead and put the system back on the network while Task Manager is up and running. See what processes jump to the fore. Obviously this isn't much help if a rootkit's to blame but it's a start.

 
LVL 1

Expert Comment

by:Selvarien
ID: 17951220
P.S. If you can find which port the additional packets are being sent through (aside from some obvious/essential ones) you can just close that particular one. There's a command/utility for doing so but the name escapes me at this moment.
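The utility Selvarien is reaching for is netstat (or Sysinternals TCPView for a live, per-process view). What a practitioner actually wants from it, though, is not the port but the owning process, because "thousands of packets continuously" from a workstation is almost always one process opening connections to many hosts. The following is an added example for this thread, not part of the original post: it parses the table that `netstat -ano` prints on Windows XP/2003 and later and summarises, per PID, how many outbound rows exist, how many are stuck in SYN_SENT, how many distinct remote hosts are involved and which remote port dominates. The sample netstat output is constructed, and the SYN_SENT cut-off of 50 is an assumption to be tuned to the host's normal workload. Caveat for this thread's Windows 2000 box: its netstat has no -o switch, so the PID column has to come from TCPView or fport instead, and the rest of the logic is unchanged.

```python
"""Attribute a burst of outbound connections to an owning PID from netstat output.

Added example for this thread, not part of the original post. Parses the
`netstat -ano` table (Windows XP/2003 and later; Windows 2000's netstat lacks
-o, so take the PID column from TCPView or fport there) and summarises per PID.
"""
from collections import Counter, defaultdict

# Constructed sample in netstat -ano layout: PID 1492 is sweeping TCP/445
# across 600 hosts while the remaining rows are ordinary workstation traffic.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       796
  TCP    192.168.1.20:1043      192.168.1.5:1433       ESTABLISHED     1316
  TCP    192.168.1.20:1051      66.102.7.99:80         ESTABLISHED     2208
  UDP    0.0.0.0:445            *:*                                    4
""" + "".join(
    f"  TCP    192.168.1.20:{1100 + i}      10.0.{i // 256}.{i % 256}:445        SYN_SENT        1492\n"
    for i in range(600)
)

SYN_THRESHOLD = 50   # assumed cut-off; tune to what the host normally does


def parse_netstat(text):
    """Yield (proto, local, remote, state, pid) for every connection row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                                # banner, header or blank line
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        else:                                       # UDP rows carry no State column
            proto, local, remote, pid = parts[0], parts[1], parts[2], parts[-1]
            state = ""
        yield proto, local, remote, state, int(pid)


def summarise(text):
    """Return {pid: {"total", "syn_sent", "hosts", "top_port"}} over outbound rows."""
    acc = defaultdict(lambda: {"total": 0, "syn_sent": 0, "hosts": set(), "ports": Counter()})
    for _proto, _local, remote, state, pid in parse_netstat(text):
        # Listeners and unbound UDP sockets are not traffic; skip them.
        if state == "LISTENING" or remote.startswith(("0.0.0.0", "*")):
            continue
        host, port = remote.rsplit(":", 1)
        s = acc[pid]
        s["total"] += 1
        if state == "SYN_SENT":                     # half-open: nobody answered yet
            s["syn_sent"] += 1
        s["hosts"].add(host)
        s["ports"][port] += 1
    return {
        pid: {
            "total": s["total"],
            "syn_sent": s["syn_sent"],
            "hosts": len(s["hosts"]),
            "top_port": s["ports"].most_common(1)[0][0],
        }
        for pid, s in acc.items()
    }


def suspects(text, syn_threshold=SYN_THRESHOLD):
    """PIDs whose half-open connection count reaches the threshold, worst first."""
    summary = summarise(text)
    hits = [pid for pid, s in summary.items() if s["syn_sent"] >= syn_threshold]
    return sorted(hits, key=lambda pid: summary[pid]["syn_sent"], reverse=True)


if __name__ == "__main__":
    summary = summarise(SAMPLE_NETSTAT)
    for pid in suspects(SAMPLE_NETSTAT):
        s = summary[pid]
        print(f"PID {pid}: {s['syn_sent']} SYN_SENT of {s['total']} rows, "
              f"{s['hosts']} hosts, mostly port {s['top_port']}")
        print('   next: tasklist /fi "PID eq %d"' % pid)
```

Take several snapshots a few seconds apart rather than one, since netstat is a point-in-time view and a connection sweep moves fast. Closing the port, as Selvarien suggests, stops the symptom but not the process, and netstat is only as honest as the kernel it asks: a rootkit that hides a process can hide its sockets too, so the ISP's flow data or a capture box between the machine and the switch remains the authoritative check that the traffic has really stopped.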
 

Author Comment

by:PFSullivan
ID: 17951723
Hi All - Thanks for the input

I renamed the HJT program and the following is an updated report:


Logfile of HijackThis v1.99.1
Scan saved at 6:47:03 PM, on 11/15/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\autoruns.exe
C:\WINDOWS\system32\msiexec.exe
C:\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

This is the result from Autoruns - I don't see any evil.  Am I missing something important?

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                  

+ AVG7_CC      AVG Control Center      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgcc.exe

+ QuickTime Task            Apple Computer, Inc.      c:\program files\quicktime\qttask.exe

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components                  

+ 0                  File not found: About:Home

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler                  

+ Network Neighborhood                  c:\windows\inf\d3ui32.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved                  

+ AVG7 Find Extension      AVG Shell Extension      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgse.dll

+ AVG7 Shell Extension      AVG Shell Extension      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgse.dll

+ HyperTerminal Icon Ext      HyperTerminal Applet Library      Hilgraeve, Inc.      c:\windows\system32\hticons.dll

+ LDVP Shell Extensions      Norton AntiVirus      Symantec Corporation      c:\program files\common files\symantec shared\ssc\vpshell2.dll

+ Shell Extensions for RealOne Player      RealPlayer Shell Extensions      RealNetworks, Inc.      c:\program files\real\realone player\rpshell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects                  

+ AcroIEHlprObj Class      Adobe Acrobat IE Helper Version 6.0 for ActivieX      Adobe Systems Incorporated      c:\program files\adobe\acrobat 6.0\reader\activex\acroiehelper.dll

+ {53707962-6F74-2D53-2644-206D7942484F}      Bad download blocker      Safer Networking Limited      c:\program files\spybot - search & destroy\sdhelper.dll

Task Scheduler                  

+ Symantec Drmc.job                  c:\program files\common files\symantec shared\symdrmc.exe

+ Tune-up Application Start.job                  File not found: walign

HKLM\System\CurrentControlSet\Services                  

+ Avg7Alrt      AVG Alert Manager      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgamsvr.exe

+ Avg7UpdSvc      AVG Update Service      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgupsvc.exe

+ AVGEMS      AVG E-Mail Scanner      GRISOFT, s.r.o.      c:\program files\grisoft\avg free\avgemc.exe

+ DefWatch      Virus Definition Daemon      Symantec Corporation      c:\program files\navnt\defwatch.exe

+ Norton AntiVirus Server      Norton AntiVirus      Symantec Corporation      c:\program files\navnt\rtvscan.exe

HKLM\System\CurrentControlSet\Services                  

+ Avg7Core      AVG Scanning Engine      GRISOFT, s.r.o.      c:\windows\system32\drivers\avg7core.sys

+ Avg7RsNT      AVG Resident Anti-Virus Shield      GRISOFT, s.r.o.      c:\windows\system32\drivers\avg7rsnt.sys

+ Avg7RsW      AVG Resident Shield Unload Helper      GRISOFT, s.r.o.      c:\windows\system32\drivers\avg7rsw.sys

+ AvgClean      AVG7 Clean Driver      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgclean.sys

+ AvgTdi      AVG Network connection watcher      GRISOFT, s.r.o.      c:\windows\system32\drivers\avgtdi.sys

+ dmio      NT Disk Manager I/O Driver      VERITAS Software Corp.      c:\windows\system32\drivers\dmio.sys

+ dmload      NT Disk Manager Startup Driver      VERITAS Software Corp.      c:\windows\system32\drivers\dmload.sys

+ E100B      NDIS 5 driver      Intel Corporation      c:\windows\system32\drivers\e100bnt5.sys

+ GEARAspiWDM      CDRom Class Filter Driver      GEAR Software Inc.      c:\windows\system32\drivers\gearaspiwdm.sys

+ NAVAP                  c:\program files\navnt\navap.sys

+ NAVAPEL                  c:\program files\navnt\navapel.sys

+ NAVENG      AV Engine      Symantec Corporation      c:\program files\common files\symantec shared\virusdefs\20061108.024\naveng.sys

+ NAVEX15      AV Engine      Symantec Corporation      c:\program files\common files\symantec shared\virusdefs\20061108.024\navex15.sys

+ Ptilink      Direct Parallel Link Driver      Parallel Technologies, Inc.      c:\windows\system32\drivers\ptilink.sys

+ SymEvent      Symantec Event Library      Symantec Corporation      c:\program files\symantec\symevent.sys

+ tmcomm      TrendMicro Common Module      Trend Micro Inc.      c:\windows\system32\drivers\tmcomm.sys

+ Winacpci      Modem      Conexant      c:\windows\system32\drivers\winacpci.sys

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify                  

+ NavLogon                  c:\windows\system32\navlogon.dll

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors                  

+ hpzlnt09            HP      c:\windows\system32\hpzlnt09.dll

+ PDF Port      Acrobat ® PDF Port      Adobe Systems Incorporated.      c:\windows\system32\pdfports.dll

Thanks for your time

Pat

Author Comment

by:PFSullivan
ID: 17951730
Almost forgot - I did pull the network cable
 

Author Comment

by:PFSullivan
ID: 17957625
Hi All - I ran the NOD32 package and while the other programs found nothing, this found:

W32/XScan

I deleted the file - Was this the culprit??
Thanks,  Pat
 
LVL 1

Expert Comment

by:Selvarien
ID: 17958782
At this point you can attach it to the network (with the Task Manager up to see if any programs start 'acting up', and probably the Local Area Connection Status window as well). See what happens. You may find everything's fine until you open up IE. In several cases of an infected PC I couldn't find anything until I rebooted the PC and opened up Task Manager asap---then I'd see one or two programs pop up and disappear (same with the Startup folder in Start\Programs). Run in Safe Mode while connected to the network as well, to further test this. With such a small list of programs running, anything else will stick out like a sore thumb.

And if you want to look for a rootkit, go read this:

http://www.wikistc.org/wiki/Detecting_rootkits

In particular:
http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx


If all's well the system should be running at a low hum with no unusual rev-ups.
 
LVL 1

Expert Comment

by:Selvarien
ID: 17958811
Hmm, X-Scan is a tool for checking out vulnerabilities on a PC. A keylogger, too, IIRC. Not sure it would be sending a ton of packets unless it's sending in real-time.
 

Author Comment

by:PFSullivan
ID: 17961493
Hi Selvarien -
I have been running this system on the net for about 4 hours - no problems and no internet activity that was uninvited. I believe it was your NOD32 suggestion that turned the table.

Thanks a million,  Pat

