Windows 2003 Server with Backdoor Trojan



#136 rahanna (Member, Topic Starter, 96 posts)
Ron,

Good morning ... Just logged in to the Server, and yes I use TeamViewer 3 for that. I got a message from Malwarebytes that it has blocked an outgoing connection to the IP [121.10.121.96] ...

2012/09/09 03:43:58 -0700 ST-SERVER st_admin IP-BLOCK 193.107.16.92 (Type: incoming)
2012/09/09 03:44:01 -0700 ST-SERVER st_admin IP-BLOCK 193.107.16.92 (Type: incoming)
2012/09/09 04:42:54 -0700 ST-SERVER st_admin IP-BLOCK 121.10.121.95 (Type: outgoing)
2012/09/09 04:42:57 -0700 ST-SERVER st_admin IP-BLOCK 121.10.121.96 (Type: outgoing)

As for your last post, here are my findings:

I don't see the User [ siweb$ ] under the list of users, although there is a folder C:\Documents and Settings\siweb$

When I googled [ siweb$ ] yesterday it came back with a number of Chinese hacking web pages ...

Under the bad Server there is a C:\Windows\System32\Sens32.dll with size 37Kb dated 2/17/2007 @ 7:03am

There is also a C:\Windows\System32\Sens.dll with size 37Kb dated 2/18/2007 @ 5:00am

But under the good server there is only a C:\Windows\System32\Sens.dll with size 37Kb dated 2/17/2007 @ 7:03am

As for C:\Windows\Offline Web Pages, I didn't find the file [Cache.txt] on either Server

For the Bad Services, I have attached a screenshot of the permissions for one of them ...

Which services should I permanently delete under HKLM\System\CurrentControlSet\Services, since I cannot do it using AutoRuns ???

I am now fully inclined to believe that the [Sens32.dll] is what is causing all of that ...

Let me know what's next ...

Thanks,

Attached Thumbnails

  • Sens-Sens32.JPG
  • BadServicePermissions.JPG

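The four Malwarebytes lines above are the kind of thing worth triaging before touching the box, because the direction of the block tells you who initiated the connection. Here is an added PowerShell example (not from this thread, not part of Malwarebytes) that parses lines in that format, groups them by IP and direction, and lists the outgoing ones first. The only assumption is the line layout "<date> <time> <tz> <host> <user> IP-BLOCK <ip> (Type: incoming|outgoing)" seen in the post; the sample input is the poster's own four lines.

```powershell
# Added example: triage Malwarebytes IP-BLOCK log lines.
# Assumed layout (taken from the lines pasted in the thread):
#   <date> <time> <tz> <host> <user> IP-BLOCK <ip> (Type: incoming|outgoing)
$sampleLog = @'
2012/09/09 03:43:58 -0700 ST-SERVER st_admin IP-BLOCK 193.107.16.92 (Type: incoming)
2012/09/09 03:44:01 -0700 ST-SERVER st_admin IP-BLOCK 193.107.16.92 (Type: incoming)
2012/09/09 04:42:54 -0700 ST-SERVER st_admin IP-BLOCK 121.10.121.95 (Type: outgoing)
2012/09/09 04:42:57 -0700 ST-SERVER st_admin IP-BLOCK 121.10.121.96 (Type: outgoing)
'@

function ConvertFrom-MbamIpBlock {
    param([string[]]$Lines)
    $pattern = '^(?<date>\S+) (?<time>\S+) (?<tz>\S+) (?<host>\S+) (?<user>\S+) ' +
               'IP-BLOCK (?<ip>\d{1,3}(?:\.\d{1,3}){3}) \(Type: (?<dir>incoming|outgoing)\)$'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time      = [datetime]::ParseExact("$($Matches.date) $($Matches.time)",
                                'yyyy/MM/dd HH:mm:ss', [cultureinfo]::InvariantCulture)
                Host      = $Matches.host
                User      = $Matches.user
                Ip        = $Matches.ip
                Direction = $Matches.dir
            }
        }
    }
}

# Split the here-string into lines and drop empties.
$events = ConvertFrom-MbamIpBlock ($sampleLog -split "`r?`n" | Where-Object { $_ })

# Outgoing blocks matter most on a server: a process on the box is the one
# dialling out. Group by IP and direction to see repeats and the time window.
$events | Group-Object Ip, Direction | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        Ip        = $sorted[0].Ip
        Direction = $sorted[0].Direction
        Count     = $_.Count
        FirstSeen = $sorted[0].Time
        LastSeen  = $sorted[-1].Time
    }
} | Sort-Object Direction -Descending | Format-Table -AutoSize
```

To run it over the real log, replace `$sampleLog` with `Get-Content` on the Malwarebytes protection log; the timestamps of the outgoing entries are what you then line up against which process held a socket at that moment (netstat -ano or Process Explorer).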

#137 rahanna (Member, Topic Starter, 96 posts)
Ron,

Just did a search on the IP address that has been blocked and it points to ChinaNet:

General IP Information

IP: 121.10.121.96
Decimal: 2030729568
Hostname: 121.10.121.96
ISP: ChinaNet Guangdong Province Network
Organization: ChinaNet Guangdong Province Network
Services: None detected
Type: Broadband
Assignment: Static IP
Blacklist:
Geolocation Information

Country: China
State/Region: Guangdong
City: Guangzhou
Latitude: 23.1167
Longitude: 113.25

#138 RKinner (Malware Expert, MVP, 24,624 posts)
Aha!

Close regedit if it is open.

In a command prompt:

net stop sens

Delete the sens32.dll. Then go back into a command prompt and:


mkdir  \windows\system32\sens32.dll

(This will keep it from coming back as windows won't allow a file and a folder of the same name in the same folder.)


Then go into regedit and see if you can delete the key (with the squiggles) that you are pointing at in the second picture.

Then close regedit. Run Autoruns and see if the squiggle service is still there. If not, run regedit again and see if the squiggle service comes back.

#139 rahanna (Member, Topic Starter, 96 posts)
Ron,

Need to go with my son to a soccer game so I will check back with you in a couple of hours ...

Thanks again for all your help ... I think we are very close ...

#140 rahanna (Member, Topic Starter, 96 posts)
Ron,

I am back and we won 5-3 in soccer ... Hope we do the same with that Trojan ...

Anyway, I did [ net stop sens ] which stopped successfully

Then went to delete [ Sens32.dll ] under C:\Windows\System32 and it gave me Access Denied (see attached)

I have a program on the Server called Unlocker that shows that Sens32.dll is running under the process svchost.exe

Should I [ Kill Process ] or [ Unlock ] or [ Delete ] ... See attached

Let me know ...

Attached Thumbnails

  • Sens32_CannotDelete.jpg


#141 rahanna (Member, Topic Starter, 96 posts)
Sorry ... Here is the screenshot for the unlocker

Attached Thumbnails

  • Sens32_unlocker.jpg


#142 RKinner (Malware Expert, MVP, 24,624 posts)
High scoring soccer game! Glad he won. Two of mine were big soccer players so I know the importance of going to their games.

svchost is a generic thing that MS uses. There are many of them. I would run Process Explorer and see which one is using sens32.dll: Hit Space and it will stop jumping around. Use the Find button at the top to look for sens32.dll and it should show you the correct svchost. Note the PID number. Click on the found svchost in the find window and it should select the correct one for you and in the bottom of the main window will appear a list of all dlls used by that svchost with sens32.dll highlighted. (Close the find window.) Check the Description of the dll. That will tell you what service is using it (look for the name in the parens). If you go up to the top half and hover over the associated svchost it will give you a list of all services involved so you will know what will stop if you just kill the process (like maybe you will lose your network). Double click on the svchost and a new window will open. Click on the service tab and find your service and click on it then click on Stop. OK. If it can stop the service then you should be able to delete the evil file.
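The Process Explorer walk-through above (find the DLL, note the PID, see which services that svchost hosts, read the ServiceDll registration) can be scripted. The following is an added PowerShell example, not from this thread and not part of Process Explorer or Windows: it lists every process that has a named DLL mapped, then enumerates the services running inside each such PID and shows which of them registers that DLL under Parameters\ServiceDll. It assumes a Windows host where you have administrator rights; the default DLL name is the one from the thread.

```powershell
# Added example: which process has a DLL loaded, and which services it hosts.
# Assumes Windows with admin rights. Run as a script file, e.g.
#   .\Find-DllHost.ps1 -DllName sens32.dll   (script name is a placeholder)
param([string]$DllName = 'sens32.dll')

# Every process whose module list contains the DLL. Reading .Modules can fail
# for protected or cross-bitness processes, so each one is wrapped in try/catch.
$holders = Get-Process | ForEach-Object {
    $p = $_
    $mod = $null
    try { $mod = $p.Modules | Where-Object { $_.ModuleName -ieq $DllName } } catch { }
    if ($mod) {
        [pscustomobject]@{ Pid = $p.Id; Name = $p.ProcessName; Path = @($mod)[0].FileName }
    }
}

if (-not $holders) { Write-Host "No running process has $DllName loaded."; return }

foreach ($h in $holders) {
    Write-Host "`n$DllName is loaded in $($h.Name) PID $($h.Pid) from $($h.Path)"

    # Services hosted by that PID. For svchost.exe there are usually several,
    # which is why the Services tab in Process Explorer looks crowded.
    $svcs = Get-CimInstance Win32_Service -Filter "ProcessId = $($h.Pid)"
    foreach ($s in $svcs) {
        # A service hosted in svchost registers its DLL under Parameters\ServiceDll;
        # the service's PathName only names svchost.exe and its -k group.
        $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)\Parameters"
        $svcDll  = (Get-ItemProperty -Path $regPath -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        $flag    = if ($svcDll -and ($svcDll -imatch [regex]::Escape($DllName))) { ' <== registers the DLL' } else { '' }
        '{0,-20} {1,-8} {2}{3}' -f $s.Name, $s.State, $svcDll, $flag
    }
}
```

If the DLL shows up in a PID but none of the services in that PID register it as their ServiceDll, the DLL was brought in some other way (loaded by another service's code, or registered under a different key), which is the situation the next post runs into; in that case the list of hosted services still tells you what would stop if you killed that svchost.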

#143 rahanna (Member, Topic Starter, 96 posts)
Ron ...

OK ... Ran Process Explorer and searched for [ Sens32.dll ]

Came to be links to svchost.exe with PID [1008] ... See attached

Then hovered over svchost.exe [1008] and checked the list of services, which didn't really include Sens32.dll (See attached)

Then double clicked on svchost.exe [1008] and check the Services tab ... Again no Sens32 ... See attached

Where is it ???

Attached Thumbnails

  • SVCHost_ServicesStop.jpg
  • SVCHost_1008.jpg


#144 RKinner (Malware Expert, MVP, 24,624 posts)
My bet is it is hiding as TrkWks. That was one of the bad services and last time I looked it was not supposed to be running. Certainly won't hurt to stop it and see.

If that doesn't work I think it would be better to use OTL to remove the service, though it will have to reboot. Otherwise I fear you will knock yourself off and not get back in.

It should be safe enough.



Copy the text in the code box by highlighting and Ctrl + c

:files
C:\windows\system32\sens32.dll

:Commands
[Reboot]

then run OTL and, under the Custom Scans/Fixes box at the bottom, paste (Ctrl + v) the text. Verify that you got it all and then click the Run Fix button at the top.
Let the program run unhindered; OTL will reboot the PC when it is done. Save the log and copy and paste it to a reply. Then check if it is still there.


I'm going to take a nap. We had visitors this weekend and haven't gotten as much sleep as I need. Probably back in an hour and a half or so.

#145 rahanna (Member, Topic Starter, 96 posts)
Ron,

Not sure if I want to take that risk, especially since I cannot go to the office this evening ...

Probably I will wait until tomorrow evening as I am worried about being kicked off ...

If there is anything else you might think of, please let me know ...

Thanks and I will keep you posted ...

#146 RKinner (Malware Expert, MVP, 24,624 posts)
Get RegSeeker.
http://www.hoverdesk.net/freeware.htm
The download is where it says:
DOWNLOAD RegSeeker 1.55 (>20 languages included !)
It's a zip file so you have to save it then right click on it and Extract All then run regseeker.exe.

Select Find in Registry then have it look for sens32.dll. You can then select all and then right click and Delete Selected. It puts a copy of the stuff it deletes as a .reg file in the backups folder which it creates below the folder it is in. I think it uses the date and time plus sens32.dll as the name. See if you can find the file, rename it from .reg to .txt and then attach it.

RegSeeker also has a registry cleaner but I don't really trust registry cleaners so I'd rather you didn't use it.
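What RegSeeker is being asked to do here (find every registry value that mentions sens32.dll and keep a .reg backup of whatever gets deleted) can be done with built-in tools, and doing the search yourself shows exactly which service keys point at the file. The script below is an added PowerShell example, not from this thread and not part of RegSeeker: it walks the Services hive, reports every value whose data contains the DLL name, and exports each matching key with reg.exe so the change can be reversed with reg import. It deletes nothing. It assumes a Windows host with administrator rights; the DLL name and the backup folder are placeholders chosen for the example.

```powershell
# Added example: find registry values under the Services hive that reference a
# DLL, and back up each matching key before any deletion. Assumes Windows with
# admin rights. Run as a script file, e.g.
#   .\Find-ServiceDllRefs.ps1 -DllName sens32.dll   (script name is a placeholder)
param(
    [string]$DllName   = 'sens32.dll',
    [string]$BackupDir = "$env:TEMP\reg-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
)

$root = 'HKLM:\SYSTEM\CurrentControlSet\Services'

$hits = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $key   = $_
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props) { return }
    # Check every value in the key (REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ all
    # render as text here). Properties starting with "PS" are PowerShell's own
    # provider metadata (PSPath, PSChildName, ...), not registry values.
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }
        $text = ($p.Value | Out-String).Trim()
        if ($text -imatch [regex]::Escape($DllName)) {
            [pscustomobject]@{ Key = $key.Name; Value = $p.Name; Data = $text }
        }
    }
}

if (-not $hits) { Write-Host "No value under $root references $DllName"; return }
$hits | Format-Table -AutoSize -Wrap

# Export each distinct key as a .reg file (the equivalent of RegSeeker's backups
# folder). reg.exe accepts the full HKEY_LOCAL_MACHINE\... name that $key.Name holds.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$hits | Select-Object -ExpandProperty Key -Unique | ForEach-Object {
    $safe = $_ -replace '[\\:]', '_'
    & reg.exe export $_ (Join-Path $BackupDir "$safe.reg") /y | Out-Null
}
Write-Host "Backups written to $BackupDir; review them before removing anything."
```

A ServiceDll value is typically REG_EXPAND_SZ (%SystemRoot%\system32\...), and Get-ItemProperty expands it, so the match works whether the data is stored expanded or not. The .reg files are what you would attach to the thread instead of RegSeeker's backup.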

#147 rahanna (Member, Topic Starter, 96 posts)
Ron,

I took a snapshot of what I found using RegSeeker ...

Also, the backup of deleted files is attached as txt file ...

Unfortunately, even after deleting it using RegSeeker, the file still exists at C:\Windows\System32\Sens32.dll

Let me know what's next ...

Good night !!!

Attached Thumbnails

  • RegSeeker_Sens32.JPG

Attached Files


Edited by rahanna, 09 September 2012 - 10:48 PM.


#148 RKinner (Malware Expert, MVP, 24,624 posts)
Apparently it's still in the sens service. Removing it from the registry won't remove the file as the service is still active. You would have to reboot the server and then if it doesn't rewrite the registry again then you could remove it.

#149 rahanna (Member, Topic Starter, 96 posts)
Ron,

If I reboot in Safe Mode, will that allow me to delete the Sens32.dll ???

What do you think ???

#150 RKinner (Malware Expert, MVP, 24,624 posts)
I think if you reboot into safe mode you had better be there on site, since your TeamViewer is not going to work.

Go into services.msc and right click on System Event Notification Service (SENS) and select Properties and change the Startup to Disabled and then Apply and then reboot. If the sens service does not start then you can delete the sens32.dll file.
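The plan at this point has two halves separated by a reboot: disable the service, reboot, confirm it really stayed down, and only then remove the file (and, per post #138, leave a same-named folder in its place so the file cannot simply be dropped again). The script below is an added PowerShell example, not from this thread, that carries out those steps with a -Phase switch so nothing is deleted while the service could still be holding the file. It assumes a Windows host with administrator rights; the service name, DLL path and quarantine folder are taken from the thread or are placeholders chosen for the example.

```powershell
# Added example: disable the service, then (after reboot) verify it is stopped
# and remove the DLL, leaving a placeholder folder at the same path.
# Assumes Windows with admin rights. Run as a script file, e.g.
#   .\Remove-SensDll.ps1 -Phase Disable     then reboot, then
#   .\Remove-SensDll.ps1 -Phase Cleanup     (script name is a placeholder)
param(
    [ValidateSet('Disable', 'Cleanup')][string]$Phase = 'Disable',
    [string]$ServiceName   = 'SENS',
    [string]$DllPath       = "$env:SystemRoot\System32\sens32.dll",
    [string]$QuarantineDir = "$env:SystemDrive\quarantine"   # placeholder location
)

switch ($Phase) {
    'Disable' {
        # Same as services.msc -> Properties -> Startup type: Disabled -> Apply.
        Set-Service -Name $ServiceName -StartupType Disabled
        # Stopping may be refused while the file is in use; the reboot handles that.
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        $wmi = Get-CimInstance Win32_Service -Filter "Name = '$ServiceName'"
        '{0}: state={1} startmode={2}' -f $wmi.Name, $wmi.State, $wmi.StartMode
        Write-Host 'Reboot now (be on site: remote access may not come back), then run -Phase Cleanup.'
    }
    'Cleanup' {
        $svc = Get-Service -Name $ServiceName
        if ($svc.Status -ne 'Stopped') {
            # Something re-enabled or restarted it; deleting now would fail or be undone.
            throw "$ServiceName is $($svc.Status) after reboot; do not delete $DllPath yet."
        }
        if (Test-Path -LiteralPath $DllPath -PathType Leaf) {
            # Move rather than delete so a sample is kept for analysis.
            New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null
            $dest = Join-Path $QuarantineDir ((Split-Path -Leaf $DllPath) + '.bin')
            Move-Item -LiteralPath $DllPath -Destination $dest -Force
            Write-Host "Moved $DllPath to $dest"
        }
        # Placeholder folder (post #138): a file and a folder cannot share a name,
        # so the DLL cannot be recreated at this path while the folder exists.
        if (-not (Test-Path -LiteralPath $DllPath)) {
            New-Item -ItemType Directory -Path $DllPath | Out-Null
        }
        Get-Item -LiteralPath $DllPath | Select-Object FullName, PSIsContainer
    }
}
```

If the Cleanup phase throws because the service is running again, that is the "rewrites the registry" case from post #148: check the service's Start value and ServiceDll in HKLM\SYSTEM\CurrentControlSet\Services\SENS before trying again rather than forcing the deletion.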