Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Windows 2003 Server with Backdoor Trojan


  • Please log in to reply

#76
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application.


If you know the name of the service that is not starting you can use regseeker to find it in the registry:

http://www.hoverdesk.net/freeware.htm
The download is where it says:
DOWNLOAD RegSeeker 1.55 (>20 languages included !)
It's a zip file so you have to save it then right click on it and Extract All then run regseeker.exe.

Select Find in Registry then have it look for "name of service that gives the error". You can then select all and then right click and Export. It puts a copy of the stuff it exports in the backups folder which it creates below the folder it is in. I think it uses the date and time plus search term as the name. See if you can find the file, rename it tfrom .reg to .txt and then attach it.

RegSeeker also has a registry cleaner but I don't really trust registry cleaners so I'd rather you didn't use it.
  • 0

Advertisements


#77
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron ... I need to pickup my son and will be back in 45 minutes ...

Please check your email as I will connect back with you as soon as I get home ...

Thanks,
  • 0

#78
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron,

This is what I got from Vino Event Viewer Tool


Vino's Event Viewer v01c run on Windows 2003 in English
Report run at 06/09/2012 7:15:39 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • 0

#79
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
No events? VEW seems to be win 2003 aware. Can you do a screen shot of the error?
  • 0

#80
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
I take there is currently no sign of the infection?

Could you explain how this server is used? I gather it acts as a terminal server but what else does it do? Is it a Domain Controller? File Server?

What authentication are you using for your remote users? Do they dial up or do they come in via VPN? Is there a separate firewall?

This is starting to smell like an infected user, reinfecting the server when he logs on.
  • 0

#81
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron,

I am helping a friend who works in that company and has limited IT experience ... So, my information is based on what I dig in and find as there is no records of what the network infrastructure looks like from the fired IT guy ...

This is a File Server and their is a Domain Controller that acts as an Exchange Server and handles DHCP, DNS, VPN ...

You might be right that a User is the cause of the infection, but I have noticed that that things get irritated when the Server restarts ...

Do you think the infection might be transferred from the Domain Controller or a Local or Remote User ??? ... How can we know ???

I have attached for you some screenshots for the Event Viewer as I restarted the Server yesterday around 11:45pm

While the Server was loading, several services crashed around 11:50pm ...

Take a look and tell me what you think ...

Attached Thumbnails

  • Error_01.JPG
  • Error_02.JPG
  • Error_03.JPG
  • Error_04.JPG

  • 0

#82
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Two of the services are those that were screwed up by the malware. TrkSvr and WMDM PMSP Service. They should have been disabled via Autoruns.

Ias File not found: C:\WINDOWS\Temp\ntshrui.dll.
Iprip File not found: C:\WINDOWS\Temp\ntshrui.dll.
Irmon File not found: C:\WINDOWS\Temp\ntshrui.dll.
NWCWorkstation File not found: C:\WINDOWS\Temp\ntshrui.dll.
Nwsapagent File not found: C:\WINDOWS\Temp\ntshrui.dll.
TrkSvr File not found: C:\WINDOWS\Temp\ntshrui.dll.
VPREMOTE File not found: C:\TEMP\Clt-Inst\vpremote.exe
WinHttpAutoProxySvc File not found: winhttp.dll
WmdmPmSp File not found: C:\WINDOWS\Temp\ntshrui.dll.
ºì³¾Íø°² File not found: C:\WINDOWS\Temp\ntshrui.dll.

If they keep coming back then we need to fix the registry entries so that they are correct. If you have another Win 2003 server or if nothing else an XP go into regedit and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

and then scroll down until you find TrkSvr. Right click on it and Export (to your desktop), call it TrkSvr, OK.
Repeat for WmdmPmSp but call it WmdmPmSp.

Copy both files to the sick server and then right click on them and Merge.

If neither is found on a good server then just delete them with

sc delete TrkSvr
sc delete WmdmPmSp

Not sure why it is trying to start the Computer Browser service. Does it show up in the Services menu (Start, Run, services.msc , OK) If so right click on it and change Startup Type to Disabled. Apply

While in Services, look for the System Event Notification Service and see if it is started and if not what error you get.
  • 0

#83
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron,

The Domain Controller is a Windows 2003 server ...

I did find on it TrkSvr and did export it to the Desktop as TrkSvr.reg (See attached screenshots)

As for the WmdmPmSp I found on the other server WmdmPmSN so it is not the same one ...

I have Disabled the [ Computer Browser ] service ... As for the System Event Notification service seems to be running fine ...

Should I delete it from the sick server using ...... sc delete WmdmPmSp ???

What do you think ???

Attached Thumbnails

  • Service_TrkSrv.JPG

  • 0

#84
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
It sounds like the same service but it's not something you really need anyway.

http://www.neuber.co...pmspsv.exe.html

Go ahead and sc delete it.
  • 0

#85
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Addition to last reply:

Since you have access to another server, see if any of these are in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services on it:

Ias File not found: C:\WINDOWS\Temp\ntshrui.dll.
Iprip File not found: C:\WINDOWS\Temp\ntshrui.dll.
Irmon File not found: C:\WINDOWS\Temp\ntshrui.dll.
NWCWorkstation File not found: C:\WINDOWS\Temp\ntshrui.dll.
Nwsapagent File not found: C:\WINDOWS\Temp\ntshrui.dll.


and Export them the same way.
  • 0

Advertisements


#86
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron,

Ias ............. Couldn't find it on the other Win 2003 Server

Iprip ........... Couldn't find it on the other Win 2003 Server

Irmon ........... Couldn't find it on the other Win 2003 Server

NWCWorkstation .. Couldn't find it on the other Win 2003 Server

Nwsapagent ...... Couldn't find it on the other Win 2003 Server

I have also checked on a Windows XP machine and they don't exist under

HHLM\System\CurrentControlSet\Services


Should I [ sc delete ] all the above services ???
  • 0

#87
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
Yes. SC delete them. If they are not on your good server then we don't need them.
  • 0

#88
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron,

Some of the deleted and others gave me an error 1060 (See attached)

Should I restart the Server now ???
  • 0

#89
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,788 posts
  • MVP
For IPRIP: Control Panel > Add or Remove Programs > Add/Remove Windows Components > Select “Networking Services” > Details button > UnCheck “RIP Listener “.

Also check in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\

They will have the word LEGACY_ in front of the servicename.
See if any of the ones that sc can't find are there.

Then reboot.
  • 0

#90
rahanna

rahanna

    Member

  • Topic Starter
  • Member
  • PipPip
  • 96 posts
Ron,

I cannot find RIP Listener under the Network Services (See attached)

Also, I have checked for the services that couldn't be deleted by [ sc delete ] under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\

and none exist ...

So, the only Registry update was the TrkSvr.reg that we got from the other Windows 2003

Should I restart now or wait until I am physically on site 4pm tomorrow ???

I am trying to play it safe since so far the server seems stable ...

Thanks,

Attached Thumbnails

  • NetworkServices.JPG

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP