[Dshield] Hidden Process

Deb Hale haled at pionet.net
Wed Jan 17 19:35:02 GMT 2007

Paul, What does the computers host file look like? Has it been changed?
What BHO's do you see in the registry?  Check for hidden/system files in the
Windows(Winnt)/system32 directory.  Best way I have found to really see the
files is to shell out to a command prompt, change to the directory and do
attrib *.* /p or |more.  I have seen this type of activity with a badboy
program called LOP.


-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Paul Marsh
Sent: Wednesday, January 17, 2007 12:43 PM
To: General DShield Discussion List
Subject: [Dshield] Hidden Process

Hi All:

	I've got a system that is on the fritz.  When ever a search is done
the resulting links redirect to random sites mostly porn sites.  No matter
what search engine is used, the links look fine when you roll over them but
once they're clicked the browser is redirected.  I've run Ad-Aware and
SpyBot on it and upgraded to IE7 which fires off Windows Defender but I've
got the same problem.  The system was running an up to date PC-Cillin 2006
which has now been upgraded to 2007.  PC-Cillin 2007 is capturing the
following malicious proxy http:// 85 dot 255 dot 114 dot 126/frame

	When I first took a look at the system in question I noticed that
it's DNS was changed to two servers in the same sub as above.

      FireFox runs without issues.

	I ran F-Secure's Black Light on the box and found the following.

01/17/07 08:59:59 [Info]: BlackLight Engine 1.0.55 initialized
01/17/07 08:59:59 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/17/07 09:00:00 [Note]: 7019 4
01/17/07 09:00:00 [Note]: 7005 0
01/17/07 09:01:02 [Note]: 7006 0
01/17/07 09:01:17 [Note]: 7011 3244
01/17/07 09:01:17 [Note]: 7026 0
01/17/07 09:01:18 [Note]: 7026 0
01/17/07 09:01:26 [Note]: FSRAW library version 1.7.1021
01/17/07 09:07:42 [Info]: Hidden file: c:\WINDOWS\system32\kdnjh.exe
01/17/07 09:07:42 [Note]: 7002 32
01/17/07 09:07:42 [Note]: 7003 1
01/17/07 09:07:42 [Note]: 10002 1
01/17/07 09:08:20 [Note]: 2000 1012
01/17/07 09:11:35 [Note]: 7007 0

	I know the ultimate fix is to nuke the drive but does anyone have
any other suggestions? Any tools I could use to find the nasty and kill it?
Any ideas where the IE hook might be hiding in the reg? 

Thanx, Paul

The information in this transmittal (including attachments, if any) is
privileged and confidential and is intended only for the recipient(s) listed
above. Any review, use, disclosure, distribution or copying of this
transmittal is prohibited except by or on behalf of the intended recipient.
If you have received this transmittal in error, please notify me immediately
by reply email and destroy all copies of the transmittal. Thank you.


SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses taught by
our top rated instructors plus a huge vendor tools expo.
Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)

More information about the list mailing list