[Dshield] Hidden Process

Castle, Shane scastle at co.boulder.co.us
Wed Jan 17 19:43:51 GMT 2007

You've checked %SystemRoot%\system32\drivers\etc\hosts ?  Sounds like a
hosts file hijack to me, but if the DNS servers have been redirected
that would explain it as well.  Don't forget other tools: Process
Explorer, HiJackThis, Ad-Aware, etc - there several lists that can be
found for free/low cost cleaning tools.  Some tools won't run properly
unless you disable system restore, and maybe even run in safe mode.

If you are wanting to exercise your forensics skills, then by all means,
do your best to clean it up without reinstalling, but if you are
interested in saving time and you don't have any irretreivable data on
the disk, reformat and reinstall instead - it's generally a lot quicker.

Shane Castle

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Paul Marsh
Sent: Wednesday, January 17, 2007 11:43
To: General DShield Discussion List
Subject: [Dshield] Hidden Process

Hi All:

	I've got a system that is on the fritz.  When ever a search is
done the resulting links redirect to random sites mostly porn sites.  No
matter what search engine is used, the links look fine when you roll
over them but once they're clicked the browser is redirected.  I've run
Ad-Aware and SpyBot on it and upgraded to IE7 which fires off Windows
Defender but I've got the same problem.  The system was running an up to
date PC-Cillin 2006 which has now been upgraded to 2007.  PC-Cillin 2007
is capturing the following malicious proxy http:// 85 dot 255 dot 114
dot 126/frame

	When I first took a look at the system in question I noticed
that it's DNS was changed to two servers in the same sub as above.

      FireFox runs without issues.

	I ran F-Secure's Black Light on the box and found the following.

01/17/07 08:59:59 [Info]: BlackLight Engine 1.0.55 initialized
01/17/07 08:59:59 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/17/07 09:00:00 [Note]: 7019 4
01/17/07 09:00:00 [Note]: 7005 0
01/17/07 09:01:02 [Note]: 7006 0
01/17/07 09:01:17 [Note]: 7011 3244
01/17/07 09:01:17 [Note]: 7026 0
01/17/07 09:01:18 [Note]: 7026 0
01/17/07 09:01:26 [Note]: FSRAW library version 1.7.1021
01/17/07 09:07:42 [Info]: Hidden file: c:\WINDOWS\system32\kdnjh.exe
01/17/07 09:07:42 [Note]: 7002 32
01/17/07 09:07:42 [Note]: 7003 1
01/17/07 09:07:42 [Note]: 10002 1
01/17/07 09:08:20 [Note]: 2000 1012
01/17/07 09:11:35 [Note]: 7007 0

	I know the ultimate fix is to nuke the drive but does anyone
have any other suggestions? Any tools I could use to find the nasty and
kill it?  Any ideas where the IE hook might be hiding in the reg? 

Thanx, Paul

The information in this transmittal (including attachments, if any) is
privileged and confidential and is intended only for the recipient(s)
listed above. Any review, use, disclosure, distribution or copying of
this transmittal is prohibited except by or on behalf of the intended
recipient. If you have received this transmittal in error, please notify
me immediately by reply email and destroy all copies of the transmittal.
Thank you.


SANS 2007 March 29 - April 6 in San Diego, CA offers 52 Courses
taught by our top rated instructors plus a huge vendor tools expo.
Register Today! http://www.sans.org/info/2501 (BROCHURECODE: ISC)

More information about the list mailing list