[Dshield] Hidden Process

Dave Garn dgarn at crucialsecurity.com
Wed Jan 17 19:36:27 GMT 2007


Perhaps use a bootable linux CD to access your Windows drive.  I'd think
you'd be able to see the file then, and delete it.

Of course, that may not fix all of the problems you were seeing, but it
would let you delete that file.

______________________
Dave Garn
Security Engineer
Crucial Security, Inc.


Paul Marsh wrote:
> 
> Hi All:
> 
> I've got a system that is on the fritz.  Whenever a search is
> done the resulting links redirect to random sites, mostly porn sites.  No
> matter what search engine is used, the links look fine when you roll
> over them but once they're clicked the browser is redirected.  I've run
> Ad-Aware and SpyBot on it and upgraded to IE7, which fires off Windows
> Defender, but I've got the same problem.  The system was running an up to
> date PC-Cillin 2006 which has now been upgraded to 2007.  PC-Cillin 2007
> is capturing the following malicious proxy: http:// 85 dot 255 dot 114
> dot 126/frame
> 
> When I first took a look at the system in question I noticed
> that its DNS was changed to two servers in the same sub as above.
> 
> Firefox runs without issues.
> 
> I ran F-Secure's BlackLight on the box and found the following.
> 
> 01/17/07 08:59:59 [Info]: BlackLight Engine 1.0.55 initialized
> 01/17/07 08:59:59 [Info]: OS: 5.1 build 2600 (Service Pack 2)
> 01/17/07 09:00:00 [Note]: 7019 4
> 01/17/07 09:00:00 [Note]: 7005 0
> 01/17/07 09:01:02 [Note]: 7006 0
> 01/17/07 09:01:17 [Note]: 7011 3244
> 01/17/07 09:01:17 [Note]: 7026 0
> 01/17/07 09:01:18 [Note]: 7026 0
> 01/17/07 09:01:26 [Note]: FSRAW library version 1.7.1021
> 01/17/07 09:07:42 [Info]: Hidden file: c:\WINDOWS\system32\kdnjh.exe
> 01/17/07 09:07:42 [Note]: 7002 32
> 01/17/07 09:07:42 [Note]: 7003 1
> 01/17/07 09:07:42 [Note]: 10002 1
> 01/17/07 09:08:20 [Note]: 2000 1012
> 01/17/07 09:11:35 [Note]: 7007 0
> 
> I know the ultimate fix is to nuke the drive but does anyone
> have any other suggestions? Any tools I could use to find the nasty and
> kill it?  Any ideas where the IE hook might be hiding in the reg?
> 
> Thanx, Paul
> 
> 
> 
> 
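The two artifacts Paul posted, a BlackLight log reporting a hidden file and a de-fanged proxy address ("85 dot 255 dot 114 dot 126") whose subnet also held the machine's rewritten DNS servers, are the kind of thing a responder ends up correlating by hand. Below is an added triage helper written for this thread; it is not code from either poster or from F-Secure. It parses the BlackLight lines exactly as quoted above, re-fangs the obfuscated address, and reports which configured resolvers fall into the proxy's /24. The log text is a constructed copy of the excerpt in the thread, and the DNS server addresses are constructed placeholders (the thread never gives the actual values); on a real box you would feed it the resolvers from `ipconfig /all` or the `NameServer` value under the interface's Tcpip parameters key.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed copy of the BlackLight excerpt quoted in the thread.
BLACKLIGHT_LOG = """\
01/17/07 08:59:59 [Info]: BlackLight Engine 1.0.55 initialized
01/17/07 08:59:59 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/17/07 09:00:00 [Note]: 7019 4
01/17/07 09:00:00 [Note]: 7005 0
01/17/07 09:01:02 [Note]: 7006 0
01/17/07 09:01:17 [Note]: 7011 3244
01/17/07 09:01:17 [Note]: 7026 0
01/17/07 09:01:18 [Note]: 7026 0
01/17/07 09:01:26 [Note]: FSRAW library version 1.7.1021
01/17/07 09:07:42 [Info]: Hidden file: c:\\WINDOWS\\system32\\kdnjh.exe
01/17/07 09:07:42 [Note]: 7002 32
01/17/07 09:07:42 [Note]: 7003 1
01/17/07 09:07:42 [Note]: 10002 1
01/17/07 09:08:20 [Note]: 2000 1012
01/17/07 09:11:35 [Note]: 7007 0
"""

# Constructed placeholders, not the resolvers from the poster's machine.
CONFIGURED_DNS = ["85.255.114.1", "192.168.1.1"]

# "MM/DD/YY HH:MM:SS [Level]: message" as seen in the quoted log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\]: (?P<msg>.*)$"
)


def parse_blacklight(text):
    """Return (timestamp, level, message) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("ts"), m.group("level"), m.group("msg")))
    return entries


def hidden_items(entries):
    """Pull out the 'Hidden file: <path>' findings (the only hidden-object
    message format present in the quoted log)."""
    found = []
    for _, _, msg in entries:
        m = re.match(r"Hidden file: (.+)$", msg)
        if m:
            found.append(m.group(1))
    return found


def refang_ip(text):
    """Turn list-style obfuscation ('85 dot 255 dot 114 dot 126', '85[.]255...')
    back into a validated IPv4 address string."""
    cleaned = re.sub(r"\s*\[?\.\]?\s*|\s+dot\s+", ".", text.strip(), flags=re.IGNORECASE)
    return str(ip_address(cleaned))


def dns_in_proxy_subnet(dns_servers, proxy_ip, prefix=24):
    """Resolvers that sit in the same /prefix as the malicious proxy, which is
    the correlation the poster made by eye."""
    net = ip_network(f"{proxy_ip}/{prefix}", strict=False)
    return [d for d in dns_servers if ip_address(d) in net]


def triage(log_text, dns_servers, proxy_text):
    """One-shot summary: hidden files from the scan, the re-fanged proxy, and
    any resolver pointing into the proxy's network."""
    entries = parse_blacklight(log_text)
    proxy = refang_ip(proxy_text)
    return {
        "hidden_files": hidden_items(entries),
        "proxy": proxy,
        "rogue_dns": dns_in_proxy_subnet(dns_servers, proxy),
    }


if __name__ == "__main__":
    for key, value in triage(BLACKLIGHT_LOG, CONFIGURED_DNS, "85 dot 255 dot 114 dot 126").items():
        print(f"{key}: {value}")
```

The subnet check is deliberately loose (a /24 by default) because the poster only says the resolvers were "in the same sub"; tighten `prefix` if you know the actual allocation. Any resolver the script flags, together with the hidden file path, is what you would want to capture before following Dave's advice to delete the file from a live CD, since the DNS rewrite will survive the file deletion.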