Full Version: I'm Infected
radien
My PC (WinXP) is infected by:
http://www.governmentsecurity.org/forum/in...?showtopic=6746

I need your suggestions to clean up.

I used eTrust antivirus; before running that file it was not enough.

I've checked startup processes in the registry; there is nothing strange there.

It still starts up a process named rundll16.exe and some other strange processes. It kills my antivirus immediately.

I don't know what it was, a worm or a virus, and which of them.

I don't know if it's bound to other usual services; SVCHOST may be a guess!!
So I need your help.

Send your suggestions. I need to clean up.
radien
I discovered this service: HXD Service

http://securityresponse.symantec.com/avcen...ckdefender.html

and this reg. keys:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HACKERDEFENDER021

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\HackerDefender021


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HACKERDEFENDER021

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\HackerDefender021


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HACKERDEFENDER021


I can't delete some of them (those with capital names): Can not delete 0000: error while deleting key
liquidSilver
We have taken care of the uploader. What an idiot! ...
D3ADLiN3
QUOTE (radien @ Feb 20 2004, 01:28 PM)
I used eTrust antivirus; before running that file it was not enough.

I think eTrust is useless; it doesn't pick anything up. We have it running on one of our servers at work, and it didn't even pick up msblaster (even after a full scan).
R0x0r
Yep.. Don't like eTrust either.. Had the same problem with msblaster. Got Norton AntiVirus 2004 now.. Works just fine:)
Black Flag
Heh, use Kaspersky's Anti-Virus Professional. You can't even kill it from the process list; it gives you an access warning.
ComSec
here is his IP to report him

62.166.76.24 ==== dslam24-76-166-62.adsl.zonnet.nl

and e-mail address

rundll32_8@hotmail.com
sylver
You could try: net stop hackerDefender100; maybe he was silly enough to use the same service name. Or you could try to start Windows with the last error-free configuration (press F8 to enter the Windows boot menu)... I had installed it myself and it succeeded... or you have to start Windows in safe mode.
I hope I could help you...
MpR
Ive got an idea ...
Back up And Format
Black Flag
QUOTE (ComSec @ Feb 20 2004, 11:44 PM)
here is his IP to report him

62.166.76.24 ==== dslam24-76-166-62.adsl.zonnet.nl

hehe, I say we (filtered) him up...
krackatoa
It has to restart on a bootup; look for the ways that it does it.

Grab Autostart Viewer at www.diamondcs.com.au. It will help you to pinpoint the method for restart.

From another post I think someone mentioned finding a service; kill it and set it to disabled, or locate it in the registry by searching for the service name. Delete all references.

You can also try the free virus scan at www.Trend.com
forza
try SpyBot..
there are some good tools in it...
radien
Thanks so much, guys,

I've found a good guide to cleanup on,

If anyone gets infected by HackerDefender, I recommend

http://securityresponse.symantec.com/avcen...ckdefender.html
woodpecker_sjtu
QUOTE (radien @ Feb 21 2004, 06:28 PM)
Thanks so much, guys,

I've found a good guide to cleanup on,

If anyone gets infected by HackerDefender, I recommend

http://securityresponse.symantec.com/avcen...ckdefender.html

cool
radien
After that tutorial from Symantec, I discovered some more.

My antivirus is killed every time I log on; I saw a rundll16.exe still in the running process list.

After all, the system auditing helped:

QUOTE

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date:  2/26/2004
Time:  3:48:23 PM
User:  [ censored ]
Computer: [ censored ]
Description:
Object Open:
  Object Server: Security
  Object Type: File
  Object Name: C:\WINDOWS\rundll16.exe
  Handle ID: -
  Operation ID: {0,759919}
  Process ID: 604
  Image File Name: C:\WINDOWS\msagent\msujxp.com
  Primary User Name: [ censored ]
  Primary Domain: [ censored ]
  Primary Logon ID: (0x0,0x9E0E7)
  Client User Name: -
  Client Domain: -
  Client Logon ID: -
  Accesses:  DELETE
  READ_CONTROL
  SYNCHRONIZE
  WriteData (or AddFile)
  AppendData (or AddSubdirectory or CreatePipeInstance)
  WriteEA
  ReadAttributes
  WriteAttributes
 
  Privileges:  -
  Restricted Sid Count: 0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


and searching in registry:

QUOTE

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
Class Name:        <NO CLASS>
Last Write Time:  12/31/2003 - 9:55 AM

Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Class Name:        <NO CLASS>
Last Write Time:  2/19/2004 - 10:17 PM
Value 0
  Name:            NoDriveTypeAutoRun
  Type:            REG_DWORD
  Data:            0x91


Key Name:          HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Class Name:        <NO CLASS>
Last Write Time:  2/19/2004 - 10:17 PM
Value 0
  Name:            COM Service
  Type:            REG_SZ
  Data:            C:\WINDOWS\msagent\msujxp.com




and at last the net:
-------------------------------------------------------------------------------------------
NoDriveTypeAutoRun
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

http://www.microsoft.com/windows2000/techi...entry/91525.asp
-------------------------------------------------------------------------------------------

Hope this will be helpful for infected guys on GSO sometime.
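The two artifacts in the post above (the event 560 Failure Audit and the regedit export) are the kind of thing you want to triage in bulk rather than by eye. The Python below is an added example for this thread, not code from any of the posters: it parses a 560 record in the format shown, flags a process asking for DELETE/write access to a file under the Windows directory from an unusual location, parses the "Key Name:" export to list autostart values (including the Policies\Explorer\Run key that hid "COM Service"), and decodes the NoDriveTypeAutoRun bitmask. The sample records are constructed from the posted text with user and computer fields omitted; the trusted-directory prefixes and the "unusual extension" list are assumptions, not anything the thread states.

```python
"""Offline triage of the two artifacts in the post above (Security event 560 and a
regedit text export).  Added example for this thread; sample input is constructed."""

EVENT_560 = """\
Event Type: Failure Audit
Event ID: 560
  Object Name: C:\\WINDOWS\\rundll16.exe
  Image File Name: C:\\WINDOWS\\msagent\\msujxp.com
  Accesses:  DELETE
  READ_CONTROL
  SYNCHRONIZE
  WriteData (or AddFile)
  AppendData (or AddSubdirectory or CreatePipeInstance)
  WriteEA
  ReadAttributes
  WriteAttributes
"""

REG_EXPORT = """\
Key Name:          HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
  Name:            NoDriveTypeAutoRun
  Type:            REG_DWORD
  Data:            0x91

Key Name:          HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
  Name:            COM Service
  Type:            REG_SZ
  Data:            C:\\WINDOWS\\msagent\\msujxp.com
"""

TRUSTED_IMAGE_PREFIXES = ("c:\\windows\\system32\\", "c:\\program files\\")  # assumed baseline
WRITE_LIKE = {"DELETE", "WriteData", "AppendData", "WriteEA", "WriteAttributes"}
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce",
                    "\\currentversion\\policies\\explorer\\run")
AUTORUN_BITS = {0x01: "DRIVE_UNKNOWN", 0x02: "DRIVE_NO_ROOT_DIR", 0x04: "DRIVE_REMOVABLE",
                0x08: "DRIVE_FIXED", 0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM",
                0x40: "DRIVE_RAMDISK", 0x80: "reserved (unspecified types)"}

def parse_event_560(text):
    """Fields of a 560 record plus 'accesses', the list 'Accesses:' opens and a blank line ends."""
    fields, accesses, in_acc = {}, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        key, sep, value = line.partition(":")          # first ':' only, so C:\ paths survive
        if sep and key.strip() == "Accesses":
            in_acc, line = True, value.strip()         # first right shares the label line
        elif sep and not in_acc:
            fields[key.strip()] = value.strip()
            continue
        if in_acc and line:
            accesses.append(line.split(" (")[0])       # 'WriteData (or AddFile)' -> 'WriteData'
        elif in_acc and not sep:                       # blank line closes the list
            in_acc = False
    fields["accesses"] = accesses
    return fields

def suspicious_open(ev):
    """Reasons to look closer.  A Failure Audit says the request was refused, not that nothing tried."""
    image = ev.get("Image File Name", "").lower()
    target = ev.get("Object Name", "").lower()
    reasons = []
    if image and not image.startswith(TRUSTED_IMAGE_PREFIXES):
        reasons.append("image outside trusted directories: " + image)
    if image.endswith((".com", ".scr", ".pif")):
        reasons.append("unusual extension for a resident binary: " + image)
    wants = WRITE_LIKE & set(ev["accesses"])
    if wants and target.startswith("c:\\windows\\"):
        reasons.append("%s requested on %s" % (sorted(wants), target))
    return reasons

def parse_reg_export(text):
    """regedit 'Key Name:' export -> {key: {value_name: (type, data)}}."""
    keys, key, name, typ = {}, None, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        label, _, rest = line.partition(":")
        rest = rest.strip()
        if label == "Key Name":
            key, keys[rest] = rest, {}
        elif label == "Name":
            name = rest
        elif label == "Type":
            typ = rest
        elif label == "Data" and key:
            keys[key][name] = (typ, rest)
    return keys

def find_run_entries(keys):
    """Autostart values under Run, RunOnce and the less-visited Policies\\Explorer\\Run."""
    return [(key, name, data) for key, values in keys.items()
            if key.lower().endswith(RUN_KEY_SUFFIXES)
            for name, (_, data) in values.items()]

def decode_nodrivetypeautorun(mask):
    """Drive types whose AutoRun a NoDriveTypeAutoRun bitmask disables."""
    return [label for bit, label in AUTORUN_BITS.items() if mask & bit]

if __name__ == "__main__":
    print(suspicious_open(parse_event_560(EVENT_560)))
    print(find_run_entries(parse_reg_export(REG_EXPORT)))
    print(decode_nodrivetypeautorun(0x91))             # the value seen in the export above
```

Run against the sample, the 560 record earns three flags (msujxp.com lives outside the assumed trusted prefixes, has a .com extension, and asked for DELETE and write rights on C:\WINDOWS\rundll16.exe), the export yields the single "COM Service" autostart entry, and 0x91 decodes to AutoRun disabled only for unknown, remote and reserved drive types, so CD-ROM and removable-media AutoRun are still on with that mask.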