[Dshield] Strange Windows Behavior
pmarsh at nmefdn.org
Tue Jan 23 14:55:16 GMT 2007
Sounds the same. Have you tried BlackLight? I'm sure the kdnjh in my
file is just randomly generated. The AV vendors are just now coming out
with def's for the file. FixWareOut found it and killed it long before
any of the AV's had defs for it so I guess it a WareOut. The system in
question is running 100% better but I'm still going to flatten it.
From: Jon R. Kibler [mailto:Jon.Kibler at aset.com]
Sent: Tuesday, January 23, 2007 9:46 AM
To: General DShield Discussion List
Subject: Strange Windows Behavior
I have a client that has a few of apparently infected systems, but I
cannot find anything wrong. All are Win XP/SP2, fully patched. I have
run a full nmap scan (all 64K TCP and UDP ports), sniffed the network
for any bogus traffic, ran spybot, hijackthis, AV, RootKitRevealer,
netstat, fport, processexplorer, etc. and found nothing unexpected.
Following Paul Marsh's posting, I looked for a 'kdnjh.exe' file but
found none. (Paul, was this file the 'wareout' file?) I have not run
fixwareout, and that may be my next step unless someone can give me some
System 1: Runs slow. Task Manager shows a consistent 15% to 25% CPU
utilization on the Performance tab, but shows the system idle process
consuming 98% to 99% of the CPU on the Processes tab. Apparently it has
a hidden process, but what and where? Cannot really take this system
down and rebuild until after all of the EOY processing is completed.
Systems 2-6: Runs a ktelnet application for industry-specific software.
Initially, systems kept dropping their telnet sessions at random. Switch
logs would show a 5 to 10 second period between logging 'protocol down'
and 'protocol up' for the system that lost its telnet session, thus it
appears the telnet session drops because the network connection drops.
At present, systems are 'winking out' (screen goes solid black
[sometimes solid white] and even mouse cursor disappears) at the same
time the network connection bites the dust. If this was only one system,
I would thought it was a hardware issue, but it is 5 systems and it
happens at random and to usually only one system at a time.
Other than nuke the boxes and rebuild (which could not be done until the
weekend for systems 2-6, or until Feb for system 1), I haven't a clue
where to proceed from here.
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
Filtered by: TRUSTEM.COM's Email Filtering Service
No Spam. No Viruses. Just Good Clean Email.
The information in this transmittal (including attachments, if any) is privileged and confidential and is intended only for the recipient(s) listed above. Any review, use, disclosure, distribution or copying of this transmittal is prohibited except by or on behalf of the intended recipient. If you have received this transmittal in error, please notify me immediately by reply email and destroy all copies of the transmittal. Thank you.
More information about the list