Help with Exploit



Hello List,

We're experiencing a serious problem on our network with an exploit. After running the Microsoft rootkit detector we found the following:

Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0 bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d*
Hidden from Windows API.,1/31/2007 15:25,13.00 KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50 KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50 KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50 KB,C:\WINNT\system32\pfplgscn.dll

Did some research on the pfplgflt.dll files and found this:
http://vil.nai.com/vil/content/v_122073.htm

All of the files and registry settings listed on the McAfee site were found on the system, and also a strange a.exe file. Found some general info about the a.exe file, but all of it was useless and did not relate at all to this exploit IMHO. I guess it uses a.exe just because. The boxes had the latest AV updates and engines, and also the latest OS updates (Windows 2000). Even worse, after reinstalling one of the boxes, and updating to the latest everything once more, the box was infected once more. I am now trying to find a way to end this email with a "professional" sounding question, but to be honest, I don't know how to proceed with this one. Please help!

Thanks in advance.
Vic
-- _____________________
__/ \
/ Vic Brown |
| Comp Supp Spec |
| FSU-Panama |
| Phone: (507)-314-0367 |
| vabrown@xxxxxxxxxxxxxx |
\________________________/
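As an added example (not part of the original post, and not code from Sysinternals or McAfee), the following Python script parses rootkit-detector output laid out like the lines quoted above and sorts the findings for triage: entries hidden from the Windows API inside the system directory are ranked first, embedded-null registry key names are ranked lowest, and the hidden files are clustered by the day they were written so a batch dropped together stands out. The column order (description, timestamp, size, path), the size units, and the priority ranking are assumptions made for this example from the layout of the quoted lines, not documented tool behaviour; the sample input is the post's own seven lines embedded as a constructed string.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample input: the seven lines from the post, one record per line.
# Column order (description, timestamp, size, path) is assumed from the post's
# layout, not taken from the detector's documentation.
SAMPLE_OUTPUT = r"""Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0 bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d*
Hidden from Windows API.,1/31/2007 15:25,13.00 KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50 KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50 KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50 KB,C:\WINNT\system32\pfplgscn.dll
"""

# Size field as it appears in the post: "0 bytes", "13.00 KB" (units assumed).
SIZE_RE = re.compile(r"^\s*([\d.]+)\s*(bytes|KB|MB)\s*$", re.IGNORECASE)
UNITS = {"bytes": 1, "kb": 1024, "mb": 1024 * 1024}

# Assumed triage ranking for this example: lower number sorts first.
PRIORITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}


def parse_size(text):
    """Convert a size field such as '13.00 KB' to an integer byte count."""
    match = SIZE_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised size field: {text!r}")
    return int(round(float(match.group(1)) * UNITS[match.group(2).lower()]))


def parse_report(text):
    """Parse the CSV-style report into a list of dicts, one per finding."""
    rows = []
    for record in csv.reader(io.StringIO(text)):
        if len(record) != 4:
            raise ValueError(f"expected 4 columns, got {len(record)}: {record!r}")
        description, timestamp, size, path = (field.strip() for field in record)
        rows.append({
            "description": description,
            "timestamp": timestamp,
            "size_bytes": parse_size(size),
            "path": path,
        })
    return rows


def classify(row):
    """Assign an assumed review priority to one finding."""
    description = row["description"].lower()
    path = row["path"].lower()
    if description.startswith("hidden from windows api"):
        # A file the Windows API cannot see, sitting in the system directory,
        # is the finding an analyst wants to look at first.
        return "HIGH" if "\\system32\\" in path else "MEDIUM"
    if "embedded nulls" in description:
        # Embedded-null key names need a manual look but are the weaker signal.
        return "LOW"
    return "INFO"


def triage(text):
    """Return all findings, each tagged with a priority, highest first."""
    findings = [dict(row, priority=classify(row)) for row in parse_report(text)]
    # sort() is stable, so findings of equal priority keep report order.
    findings.sort(key=lambda f: PRIORITY_ORDER[f["priority"]])
    return findings


def hidden_files(text):
    """Paths of HIGH-priority findings, in report order."""
    return [f["path"] for f in triage(text) if f["priority"] == "HIGH"]


def cluster_by_day(text):
    """Count HIGH-priority findings per calendar day (the date part of the timestamp)."""
    days = Counter()
    for finding in triage(text):
        if finding["priority"] == "HIGH":
            days[finding["timestamp"].split()[0]] += 1
    return days


if __name__ == "__main__":
    for finding in triage(SAMPLE_OUTPUT):
        print(f"{finding['priority']:<6} {finding['timestamp']:<16} "
              f"{finding['size_bytes']:>6} B  {finding['path']}")
    print("hidden files per day:", dict(cluster_by_day(SAMPLE_OUTPUT)))
```

Run it on a saved report by replacing SAMPLE_OUTPUT with the file's contents; the day clustering is what makes the four DLLs written within about an hour of each other on 1/31/2007 stand out from the 2001 and 2005 registry entries.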
