#1
Possible Trojan? (nc.exe)
Hi,
I came home last night to find that NAV2005 was telling me that a program (C:\nc.exe) was trying to access the internet - I blocked it. On further investigation, I found that all the files in "My Documents" were gone - not the subfolders (or the files in them), just the files directly in My Docs. I know that I didn't put nc.exe there, & I was the only one using the PC (or was I?) I include a HijackThis log for anyone's interest. I also have NIS 2005 installed & up to date - port 80 is open because I run a server. I scanned with NIS 2005 & AdAware, & both reported me clean. Was I hacked? And if so what can I do to prevent it happening again? Thanks in advance. KF

HijackThis log file:

Logfile of HijackThis v1.99.0
Scan saved at 12:28:58, on 24/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PGPsdkServ.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\Program Files\Broadband Wizard\bbwiz.exe
C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
C:\WINDOWS\Explorer.EXE
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [MOD] C:\Program Files\Microangelo\muamgr.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: Broadband Wizard.lnk = C:\Program Files\Broadband Wizard\bbwiz.exe
O4 - Startup: Notmad Manager.lnk = C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: PGPtray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - C:\Program Files\Apache Group\Apache2\bin\Apache.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Unknown - C:\WINDOWS\system32\CTSvcCDA.EXE (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: ISSvc - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Unknown - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PGPsdkService - PGP Corporation - C:\WINDOWS\system32\PGPsdkServ.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
#2
This log is clean. I am more concerned that you got hacked rather than a virus or spyware. NC.exe is probably netcat. Do you still have the program? If you want to submit it to me I will tell you if it is. If it is netcat, then I would do a total audit of your machine to see if there is anything else left behind.
I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory: c:\nc.exe To copy the files simply navigate to the directory they are in and right click on them and then click on copy. Then paste these files into the c:\submit directory. Once the files are all copied I need you to zip the folder and rename submit.zip to yourmembername.zip (for example grinler.zip). If you are using XP or ME right-click on the folder and click on the Send To option and then send it to a compressed folder. You will now see a file called submit.zip. If you are using another version of Windows, please download a program called Winzip and zip it using that. Then go to http://www.bleepingcomputer.com/submit-malware.php fill in the required fields, and browse to the file. Then click on the Send File button.
__________________
Grinler BleepingComputer.com: Computer Help & Tutorials for the beginning computer user
#3
Hi Grinler,
Thanks for replying - I don't have the file on my PC anymore - I permanently deleted it, as soon as I found it :-( If it was netcat, are there any other indicators? Many thanks again, KF
#4
Unfortunately not. Netcat is a standalone program. I would look in your %windir%\system32 directory and sort by date. See if there are any strange files that have been added recently.
#5
Actually, NC.exe could be numerous things. It could be NetCat, NetCapture (Netcat), Netware client, or No Cheat 2004... Or, it could be a randomly generated trojan, virus, worm or something along those lines. If your antivirus and spyware scanners do not detect it, then it's probably clean.
As for your HJT log, that's clean... No instances of any sort of malicious software.
#6
No Cheat 2004 or Netware client would not be located in the root of the c:\ drive. As for going by what your antivirus and spyware tools report, I just would not do it. There are many malware files that neither Spybot, SpySweeper, nor Ad-Aware detect. Also you are using Symantec which is not known to be the best AV software. Do what I said and check around in your %windir% and %windir%\system32 directories for new files. Also give yourself permission to view the c:\System Volume Information folder and poke around in there. Very popular place for script kiddies to set up pubstros. Do not forget to put the permissions back the way they were after. Last, definitely make sure you are using an up-to-date version of Apache and MySQL that do not have any security holes.
#7
Hi all,
many thanks for the suggestions - I had a look around, but nothing out of the ordinary - until today. I came home from work & here was nc.exe in my C:\ drive again. I checked files for the same creation date/time - the only other one I found was in the Windows\system32 dir, called shell64.dll - exact same time of creation as nc.exe! I have submitted the file to Grinler as requested. Many thanks KingFisher
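The check Grinler asks for in #4 and #6 and the correlation KingFisher made by hand in #7 (one file in system32 sharing nc.exe's creation second) can be scripted. The Python below is an added example, not code from the thread or from BleepingComputer: it stats the files directly in a set of roots and lists those whose creation time falls within a window around a pivot file such as C:\nc.exe. The directory list, the 120-second window and the sample records are assumptions; the timestamps in the sample are invented.

```python
import os
import sys
from datetime import datetime

# Locations the thread tells the victim to inspect.  Assumed for an English-locale
# Windows XP install; pass other directories on the command line if yours differ.
DEFAULT_ROOTS = ["C:\\", os.path.expandvars("%windir%"), os.path.expandvars(r"%windir%\system32")]


def collect_timeline(roots):
    """Return [(path, created, modified)] for the regular files directly in each root.

    On Windows st_ctime is the creation time, which is what the thread pivots on.
    On POSIX it is the inode change time, so correlate on `modified` there.
    """
    records = []
    for root in roots:
        try:
            with os.scandir(root) as it:
                for entry in it:
                    if entry.is_file(follow_symlinks=False):
                        st = entry.stat(follow_symlinks=False)
                        records.append((entry.path, st.st_ctime, st.st_mtime))
        except OSError:
            continue  # unreadable or missing root: skip it, keep the rest
    return records


def correlate(records, pivot_path, window_seconds=120, use_modified=False):
    """Files whose timestamp lies within window_seconds of the pivot file's, nearest first."""
    idx = 2 if use_modified else 1
    key = os.path.normcase(pivot_path)
    pivot = next((r for r in records if os.path.normcase(r[0]) == key), None)
    if pivot is None:
        raise FileNotFoundError(pivot_path)
    t0 = pivot[idx]
    hits = [r for r in records if r is not pivot and abs(r[idx] - t0) <= window_seconds]
    return sorted(hits, key=lambda r: abs(r[idx] - t0))


def report(hits, pivot_path):
    lines = [f"files stamped within the window around {pivot_path}:"]
    for path, created, _modified in hits:
        lines.append(f"  {datetime.fromtimestamp(created):%Y-%m-%d %H:%M:%S}  {path}")
    return "\n".join(lines)


# CONSTRUCTED sample mirroring the thread: nc.exe and shell64.dll share a creation
# second, an old system DLL does not, and a Windows Update component was written a few
# hours earlier.  All timestamps are invented.
SAMPLE_RECORDS = [
    (r"C:\nc.exe", 1106560800.0, 1106560800.0),
    (r"C:\WINDOWS\system32\shell64.dll", 1106560800.0, 1106560800.0),
    (r"C:\WINDOWS\system32\kernel32.dll", 1092000000.0, 1092000000.0),
    (r"C:\WINDOWS\system32\wuauclt.exe", 1106550000.0, 1106550000.0),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        pivot = sys.argv[1]
        records = collect_timeline(sys.argv[2:] or DEFAULT_ROOTS)
        hits = correlate(records, pivot, use_modified=(os.name != "nt"))
    else:
        pivot = r"C:\nc.exe"
        hits = correlate(SAMPLE_RECORDS, pivot)
    print(report(hits, pivot))
```

Run it as `python timeline.py C:\nc.exe` on the affected box (or with extra directory arguments) and it walks the real roots; with no arguments it runs against the constructed sample, where only shell64.dll lands inside the default window. Widening the window is the usual next step when the first pass finds nothing.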
#8
It's Netcat. Just confirmed it. Even more disturbing was that it was UPX compressed (used by hackers/malware writers to make it smaller and harder to detect by AV software). This is not a good thing to have on your computer as it makes me believe that you have been hacked in some way.
Download fport from here: http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm Run it and copy and paste its output into a reply here. You will need to run it from a cmd prompt.
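The UPX tell Grinler mentions can be checked without running the sample, by reading the PE section table. UPX by default renames the sections to UPX0 and UPX1 (keeping .rsrc), leaves the first one with zero size on disk because the stub fills it at run time, and writes a "UPX!" marker into the file. The Python below is an added example, not code from the thread, that parses the section table and reports those indicators. The two sample images are constructed header-only skeletons, not real binaries; the section sizes in them are invented.

```python
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def parse_sections(data):
    """Return [(name, virtual_size, raw_size)] read from a PE file's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rsize = struct.unpack_from("<8sIII", data, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize))
    return sections


def upx_indicators(data):
    """Return the UPX tells found in the image; an empty list means none were seen."""
    tells = []
    sections = parse_sections(data)
    found = {s[0] for s in sections} & UPX_SECTION_NAMES
    if found:
        tells.append("UPX section names: " + ", ".join(sorted(found)))
    # The packer's first section holds nothing on disk; the stub fills it at run time.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        tells.append(f"first section {sections[0][0]!r} has raw size 0, virtual size {sections[0][1]:#x}")
    if b"UPX!" in data:
        tells.append("'UPX!' marker string present")
    return tells


def build_sample_pe(section_specs, trailer=b""):
    """Assemble a minimal PE32 skeleton (headers only, not runnable) for testing.

    CONSTRUCTED data: just enough structure for the parser above.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew: PE header right after DOS header
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)           # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, len(optional), 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, 0x1000 * (i + 1), rsize,
                    0, 0, 0, 0, 0, 0)
        for i, (name, vsize, rsize) in enumerate(section_specs)
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(optional) + table + trailer


# A normal three-section layout versus the shape UPX leaves behind.
CLEAN_PE = build_sample_pe([(".text", 0x5000, 0x5000), (".data", 0x1000, 0x800), (".rsrc", 0x400, 0x400)])
PACKED_PE = build_sample_pe([("UPX0", 0x20000, 0), ("UPX1", 0x8000, 0x8000), (".rsrc", 0x400, 0x400)],
                            trailer=b"UPX!")

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else PACKED_PE
    print(upx_indicators(data) or ["no UPX indicators"])
```

Pass a real file path to inspect it; the section names are the strongest of the three tells, since the marker string is trivially removed and a zero-raw-size first section also appears in some legitimate images.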
#9
Hi Grinler,
Here's the output from Fport:

C:\>Fport.exe
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port   Proto Path
3736  Skype          ->  80     TCP   C:\Program Files\Skype\Phone\Skype.exe
1444                 ->  135    TCP
4     System         ->  139    TCP
3736  Skype          ->  443    TCP   C:\Program Files\Skype\Phone\Skype.exe
4     System         ->  445    TCP
1896  ccProxy        ->  1025   TCP   C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
2800                 ->  1028   TCP
3736  Skype          ->  1035   TCP   C:\Program Files\Skype\Phone\Skype.exe
3256  ccApp          ->  1037   TCP   C:\Program Files\Common Files\Symantec Shared\ccApp.exe
1472  iexplore       ->  1839   TCP   C:\Program Files\Internet Explorer\iexplore.exe
1896  ccProxy        ->  1840   TCP   C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
0     System         ->  1858   TCP
0     System         ->  1861   TCP
0     System         ->  1862   TCP
0     System         ->  1864   TCP
0     System         ->  1866   TCP
0     System         ->  1868   TCP
0     System         ->  1872   TCP
3836  WCESCOMM       ->  5679   TCP   C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
3736  Skype          ->  49112  TCP   C:\Program Files\Skype\Phone\Skype.exe
0     System         ->  123    UDP
3736  Skype          ->  137    UDP   C:\Program Files\Skype\Phone\Skype.exe
1896  ccProxy        ->  138    UDP   C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
3736  Skype          ->  445    UDP   C:\Program Files\Skype\Phone\Skype.exe
1444                 ->  500    UDP
3736  Skype          ->  1026   UDP   C:\Program Files\Skype\Phone\Skype.exe
0     System         ->  1135   UDP
0     System         ->  1211   UDP
4     System         ->  1473   UDP
0     System         ->  1900   UDP
3836  WCESCOMM       ->  4500   UDP   C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
3736  Skype          ->  49112  UDP   C:\Program Files\Skype\Phone\Skype.exe

Thanks for the help
KF
#10
Looks good. I suggest you check your Apache version and MySQL version and see if there are any updates for them that may have security fixes. Also go to www.windowsupdate.com and check there.
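Reading an Fport table like the one posted above comes down to two questions per row: did Fport map the socket to an image at all, and does that image live somewhere a listener should? The Python below is an added example, not code from the thread or from Foundstone: it parses Fport's text table and flags rows with a user-mode PID but no mapped image, binaries sitting directly in a drive root (where C:\nc.exe would appear if it were left listening), and binaries outside the Windows and Program Files trees. The sample input mixes rows copied from the post above with one constructed nc.exe row whose PID and port are invented; the trusted-root list is an assumption for an English-locale install.

```python
import ntpath
import re

# One Fport row: "<pid> [<process>] -> <port> <proto> [<path>]".  Process name and
# path are absent when Fport cannot map the socket to an image.
FPORT_LINE = re.compile(r"^\s*(\d+)\s+(?:(\S+)\s+)?->\s+(\d+)\s+(TCP|UDP)\s*(.*?)\s*$")

# Install roots under which a listener is unremarkable on this machine.
# Assumption: English-locale Windows with software under C:\Program Files.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


def parse_fport(text):
    """Turn Fport's text table into a list of dicts, skipping banner, header and prompt lines."""
    entries = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line)
        if not m:
            continue
        pid, proc, port, proto, path = m.groups()
        entries.append({"pid": int(pid), "process": proc or "", "port": int(port),
                        "proto": proto, "path": path})
    return entries


def triage(entries):
    """Return [(entry, reason)] for rows an analyst should look at by hand."""
    findings = []
    for e in entries:
        path = e["path"].lower()
        if not path:
            if e["pid"] in (0, 4):
                continue          # System / Idle own sockets without an image path
            findings.append((e, "user-mode pid with no process image mapped"))
        elif re.fullmatch(r"[a-z]:\\", ntpath.dirname(path)):
            findings.append((e, "listener binary sits directly in a drive root"))
        elif not path.startswith(TRUSTED_ROOTS):
            findings.append((e, "listener binary outside trusted install roots"))
    return findings


def format_findings(findings):
    return "\n".join(
        f"{e['proto']}/{e['port']:<5} pid {e['pid']:<5} {e['path'] or '(no path)'}  <- {why}"
        for e, why in findings
    )


# Sample input: rows copied from the Fport paste in the thread plus one CONSTRUCTED
# row for nc.exe (pid and port invented) to show what a hit looks like.
FPORT_SAMPLE = r"""C:\>Fport.exe
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port   Proto Path
3736  Skype          ->  80     TCP   C:\Program Files\Skype\Phone\Skype.exe
1444                 ->  135    TCP
4     System         ->  139    TCP
4     System         ->  445    TCP
1896  ccProxy        ->  1025   TCP   C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
0     System         ->  1858   TCP
3836  WCESCOMM       ->  5679   TCP   C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
0     System         ->  123    UDP
9999  nc             ->  4444   TCP   C:\nc.exe
"""

if __name__ == "__main__":
    print(format_findings(triage(parse_fport(FPORT_SAMPLE))) or "nothing flagged")
```

On the sample, the RPC endpoint on 135 is flagged only because Fport could not name its process; that is the row to resolve by hand (on XP it is normally an svchost instance), not a verdict. The constructed nc.exe row is flagged for living in C:\, which is the condition this thread is about. Feed real output in via `parse_fport(open("fport.txt").read())`.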
#11
Hi there,
I have the same problems as described above. The file nc.exe keeps coming back in my c:\ and I also have the file shell64.dll (14k) in my \system32 which cannot be deleted. I am running: Windows 2003 Web Edition (+ all updates), IIS6 (secured, I thought). No viruses or trojans found + checked all security settings. Unfortunately FPort somehow doesn't work when using remote desktop. It complains about not having administrator rights. :s Did someone find some more information on how to stop this hack attack?? thx, jvk
#12
Hi,
I did as Grinler suggested & updated MySQL & Apache - that seemed to do the trick - no more occurrences of nc.exe. I also renamed shell64.dll to shell64.old - I haven't had any problems trying to run programs, so you might try that. If you don't have admin rights you might try deleting it through DOS. I hope that's of some help. BTW - I just want to say thanks to Grinler for all his help - THANKS GRINLER!! KF
#13
Not a problem
NC, when not installed by yourself, is almost exclusively used by a hacker to gain a remote shell to your computer. It is usually put on your system through unpatched IIS/Apache/Windows. Be warned though, that since they potentially had full access to your box there may be other things running. You should download fport from foundstone tools and see if there is anything listening on the TCP stack.
#14
That info really helped me too. Thanks.
What I don't understand is how the trojan got in, and why. I've salvaged some info from my temp internet files, and submitted it to the link above; I'd really appreciate it if you could take a look. Thanks again!
#15
Hi there,
I just want to say that my problems are solved by updating MySQL 4.0 to 4.1 (as advised). No more nc.exe after this update. many thanks! JVK