Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

hacktool.dfind - page file issue? 1

Status
Not open for further replies.
nickpin

nickpin

Technical User
Joined
Jun 11, 2002
Messages
26
Location
GB
Hi all,

Long description I'm afraid... please bear with me!

I have Windows 2003 Server running Symantec Antivirus. About a month ago we got a message saying it had quarantined dfind.exe (hacktool.dfind) - from what I gather this scans all ports on the server to look for security holes. At the same time the page file usage went up to 1.5gb (normally 500mb), and our internet connection pings to google went off the scale, with lots of time outs too. A third party checked our firewall and it had 2000+ connections on it - normally it should have about 100 I'm told, for 8 of us in the office.

So, I deleted the quarrantined dfind.exe files and rebooted - all hunky dory. But it has now happened again twice - same symptoms. The problem I have is that while Symantec is finding and quarrantining these files, something else must be going on to cause the page file usage and internet issue, I just can't find what, and virii really aren't my bag... I've obviously made sure I've updated Symantec and run a full scan, plus tried Spybot to no avail.

Anyone else had a similar issue? Reccomendations on next steps? Help!!!

Cheers,
Nick
 
Sort by date Sort by votes
I would possibly suspect that someone has used this tool to gain entry into the server. I would take a look at posting a hijack this log and we will see what is up here.

Download here:



Run and scan and post back here.

Also, some good tools in the future.

Webroot Spysweeper

Download it here:


Webroot Spysweeper 14 day Trial

Update the defs and do a sweep.

Also check this out:

Ewido download:


Update it and run a complete scan.


I would also check it with some other virus scanners just to make sure.



But, first, let's see what HJT looks like.

Erik
 
Upvote 0 Downvote
Hi both,

Thanks for the replies... I ran hijack this and the log is as follows:

**************************************
Logfile of HijackThis v1.99.1
Scan saved at 09:33:03, on 15/05/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe
C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe
C:\Program Files\SAV\DefWatch.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\dns.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\inetsrv\inetinfo.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$BKUPEXEC\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe
C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
C:\WINNT\system32\ntfrs.exe
C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
C:\WINNT\system32\MsgSys.EXE
C:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
C:\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe
C:\WINNT\System32\snmp.exe
C:\Program Files\SAV\Rtvscan.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
C:\WINNT\System32\wins.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\tcpsvcs.exe
C:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
C:\WINNT\system32\ams_ii\iao.exe
C:\WINNT\system32\cba\xfr.exe
C:\Program Files\Exchsrvr\bin\exmgmt.exe
C:\Program Files\Exchsrvr\bin\mad.exe
C:\Program Files\Common Files\System\MSSearch\Bin\mssearch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Exchsrvr\bin\store.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SAV\VPTray.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\SAV\VPC32.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\rdpclip.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\UltraVNC\WinVNC.exe
c:\winnt\system32\inetsrv\w3wp.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = O1 - Hosts: 69.93.97.2 ftp.mxdigital.co.uk
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [DWPersistentQueuedReporting] C:\PROGRA~1\COMMON~1\MICROS~1\DW\DWTRIG20.EXE -a
O4 - HKLM\..\Run: [VxTaskbarMgr] C:\Program Files\VERITAS\VxUpdate\VxTaskbarMgr.exe
O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SAV\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O4 - Global Startup: Ultr@VNC Server.lnk = C:\Program Files\UltraVNC\WinVNC.exe
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://companyweb
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MXD.local
O17 - HKLM\Software\..\Telephony: DomainName = MXD.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C07710D-EAB4-4831-90B8-2A74B36233BD}: NameServer = 192.168.15.10,62.105.161.10,62.105.165.10
O17 - HKLM\System\CCS\Services\Tcpip\..\{D70B020B-B2FD-44C0-B32C-9CDB21B0F15F}: NameServer = 193.84.87.10,62.105.161.10,216.218.195.243,62.105.165.10,192.168.15.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MXD.local
O20 - Winlogon Notify: dimsntfy - C:\WINNT\SYSTEM32\dimsntfy.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beremote.exe
O23 - Service: Backup Exec Agent Browser (BackupExecAgentBrowser) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benetns.exe
O23 - Service: Backup Exec Device & Media Service (BackupExecDeviceMediaService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\pvlsvr.exe
O23 - Service: Backup Exec Job Engine (BackupExecJobEngine) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\bengine.exe
O23 - Service: Backup Exec Naming Service (BackupExecNamingService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\benser.exe
O23 - Service: Backup Exec Server (BackupExecRPCService) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\beserver.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Systems Management Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcevt32.exe
O23 - Service: Systems Management Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\OpenManage\dataeng\bin\dcstor32.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\SAV\DefWatch.exe
O23 - Service: ExecView Communication Module (ECM) (ECM Service) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\NT\ECM\ECM.exe
O23 - Service: Symantec Quarantine Agent (IcePack) - IBM Corp. - C:\PROGRA~1\Symantec\QUARAN~1\Server\IcePack.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINNT\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINNT\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINNT\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINNT\system32\cba\pds.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: mr2kserv - Unknown owner - C:\Program Files\Dell\OpenManage\Array Manager\mr2kserv.exe
O23 - Service: MSSQL$SHAREPOINT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlservr.exe" -sSHAREPOINT (file missing)
O23 - Service: Symantec System Center Discovery Service (NSCTOP) - Symantec Corporation - C:\PROGRA~1\Symantec\SYMANT~1\NSCTOP.EXE
O23 - Service: OM Common Services (omsad) - Dell Inc. - C:\Program Files\Dell\OpenManage\oma\bin\omsad32.exe
O23 - Service: Symantec Central Quarantine (qserver) - Symantec Corporation - C:\PROGRA~1\Symantec\QUARAN~1\Server\qserver.exe
O23 - Service: Symantec Quarantine Scanner (ScanExplicit) - IBM Corp. - C:\PROGRA~1\Symantec\QUARAN~1\Server\ScanExplicit.exe
O23 - Service: Secure Port Server (Server Administrator) - Unknown owner - %SystemDrive%\Program Files\Dell\OpenManage\iws\bin\win32\omaws32.exe (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SQLAgent$SBSMONITORING - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$SBSMONITORING\Binn\sqlagent.EXE" -i SBSMONITORING (file missing)
O23 - Service: SQLAgent$SHAREPOINT - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL$SHAREPOINT\Binn\sqlagent.EXE" -i SHAREPOINT (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\SAV\Rtvscan.exe
O23 - Service: Disk Management Service (VxSvc) - VERITAS Software Corp. - C:\Program Files\Dell\OpenManage\Array Manager\VxSvc.exe
*************************************

This morning Symantec has again found items. Both were in a sub directory of c:\system volume information. The first was hacktool.dfind (with a file name of svchost.exe), the second hacktool.hidewindow (file name hidden32.exe). Both had multiple instances, which Symantec managed to delete.

So it definitely looks like there is a backdoor or something installed on the box.

Thanks for your time with this,
Nick
 
Upvote 0 Downvote
This one I would look into:

c:\winnt\system32\inetsrv\w3wp.exe

O1 - Hosts: 69.93.97.2 ftp.mxdigital.co.uk (do you know what this is?)

O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)

O20 - Winlogon Notify: dimsntfy - C:\WINNT\SYSTEM32\dimsntfy.dll (possibly bad, not sure look into it)

 
Upvote 0 Downvote
Those files are in system restore so they won't be going anywhere!


Turn off spybot's teatimer!


Download the Hoster from:


UnZip the file and press "Restore Original Hosts" and press "OK". Exit
Program.

download cleanup:




* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set
when the Slide Bar to the left is set to Standard Cleanup.
* Click OK
* Run cleanup






have hijack this fix these entries. close all browsers and programmes before
clicking FIX.


O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 



Run an online antivirus check from


choose extended database for the scan!


Run ActiveScan online virus scan here


When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!



post another hijack this log, the kaspersky and active scan logs



Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote

you should also post the ewido and spysweeper logs!

Erik, missing files in the 09, 20s and 023 is a flaw in hijack this. If the file is legit leave them alone!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
pechenegs,

The 020 I was unsure of, that is what I said. They are not always legit and I just said look into it. That's all. Thanks for the clarification.
 
Upvote 0 Downvote
Yes,no problem! I am just informing you and others of this glitch in hijack this! Obviously some of the 020s are pests with Vundo, haxdoor and l2me among the main culprits!

Member of ASAP Alliance of Security Analysis Professionals

under the name khazars
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

mscallisto
  • Locked
  • Question Question
Can I get a virus in a picture file (like .jpg etc.)?
Replies
5
Views
499
mscallisto
mscallisto
OsakaWebbie
  • Locked
  • Question Question
PHP file found on flash drive - how could it have been used?
Replies
12
Views
905
OsakaWebbie
OsakaWebbie
stduc
  • Locked
  • Helpful tip Helpful tip
Avast v6.0.1000 causes networked files issue
Replies
1
Views
231
stduc
stduc
jlockley
  • Locked
  • Helpful tip Helpful tip
The Crawler/Spyware terminator issue
Replies
5
Views
418
jlockley
jlockley
amanua
  • Locked
  • Question Question
vpn7x32.exe in program files folder
Replies
5
Views
528
goombawaho
goombawaho

Part and Inventory Search

Sponsor

Back
Top