Hi Vic - are the timestamps/datestamps here significant to you?

>> Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAI*


I've done some googling and am finding that the new RR version checks the
security hive (which I believe to be 'invisible' to regedit - can someone
correct me if I'm wrong?).

These two keys may be some password store perhaps, and are the timestamps
indicative of some s/w install date? Or even the OS?
You might find it useful to post on the Sysinternals forums too
http://forum.sysinternals.com/




-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Vic Brown
Sent: Saturday, February 03, 2007 5:25 AM
To: [email protected]
Subject: Help with Exploit

Hello List,

We're experiencing a serious problem on our network with an exploit.
After running the Microsoft rootkit detector we found the following:

Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0
bytes,HKLM\SECURITY\Policy\Secrets\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0
bytes,HKLM\SECURITY\Policy\Secrets\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d
*
Hidden from Windows API.,1/31/2007 15:25,13.00
KB,C:\WINNT\system32\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50
KB,C:\WINNT\system32\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50
KB,C:\WINNT\system32\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50
KB,C:\WINNT\system32\pfplgscn.dll

Did some research on the pfplgflt.dll files and found this:
http://vil.nai.com/vil/content/v_122073.htm

All of the files and registry settings listed on the McAfee site were
found on the system, and also a strange a.exe file.  Found some general
info about the a.exe file, but all of it was useless and did not relate
at all to this exploit IMHO.  I guess it uses a.exe just because.  The
boxes had the latest AV updates and engines, and also the latest OS
updates (Windows 2000).  Even worse, after reinstalling one of the
boxes, and updating to the latest everything once more, the box was
infected once more.  I am now trying to find a way to end this email
with a "professional" sounding question, but to be honest, I don't know
how to proceed with this one.  Please help!

Thanks in advance.
Vic
                        --    _____________________
__/                     \
/ Vic Brown              |
| Comp Supp Spec         |
| FSU-Panama             |
| Phone: (507)-314-0367  |
| [EMAIL PROTECTED] |
\________________________/
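As an added illustration (not code from either poster), a small Python triage of the RootkitRevealer CSV findings quoted above: diff them against a scan of a known-clean build of the same OS, then pull the time window of the entries hidden from the Windows API as a seed for event-log and file-system timeline review. The baseline scan contents and the function names are assumptions; the sample records are the thread's findings re-joined to one line each.

```python
import csv
from datetime import datetime

# Constructed sample: the RootkitRevealer findings quoted in the thread, one
# CSV record per finding (the mail client had wrapped them across lines).
INFECTED_SCAN = """\
Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\\SECURITY\\Policy\\Secrets\\SAC*
Key name contains embedded nulls (*),8/13/2001 12:06,0 bytes,HKLM\\SECURITY\\Policy\\Secrets\\SAI*
Key name contains embedded nulls (*),3/24/2005 11:56,0 bytes,HKLM\\SECURITY\\Policy\\Secrets\\XATM:148d93c5-f0a9-4110-8d38-f44f341e286d*
Hidden from Windows API.,1/31/2007 15:25,13.00 KB,C:\\WINNT\\system32\\pfplgflt.dll
Hidden from Windows API.,1/31/2007 16:32,7.50 KB,C:\\WINNT\\system32\\pfplgnfo.dll
Hidden from Windows API.,1/31/2007 16:32,9.50 KB,C:\\WINNT\\system32\\pfplgprx.dll
Hidden from Windows API.,1/31/2007 16:32,12.50 KB,C:\\WINNT\\system32\\pfplgscn.dll
"""
# Assumption: a baseline scan taken on a freshly installed, known-clean host of
# the same build. Here it is constructed from the first two findings only.
BASELINE_SCAN = "\n".join(INFECTED_SCAN.splitlines()[:2]) + "\n"


def parse_scan(text):
    """Parse RootkitRevealer CSV output into dicts: description, time, size, path."""
    rows = []
    for desc, stamp, size, path in csv.reader(text.splitlines()):
        rows.append({
            "description": desc,
            "time": datetime.strptime(stamp, "%m/%d/%Y %H:%M"),
            "size": size,
            "path": path,
        })
    return rows


def new_findings(baseline_text, scan_text):
    """Findings in scan_text whose (description, path) is absent from the baseline."""
    seen = {(r["description"], r["path"].lower()) for r in parse_scan(baseline_text)}
    return [r for r in parse_scan(scan_text)
            if (r["description"], r["path"].lower()) not in seen]


def hidden_file_window(findings):
    """Earliest and latest timestamp of 'Hidden from Windows API' findings, or None.

    Use the window to pivot into event logs, AV logs and MFT/file timelines."""
    times = sorted(r["time"] for r in findings
                   if r["description"].startswith("Hidden from Windows API"))
    return (times[0], times[-1]) if times else None


if __name__ == "__main__":
    delta = new_findings(BASELINE_SCAN, INFECTED_SCAN)
    for r in delta:
        print(r["time"].isoformat(sep=" "), r["description"], r["path"])
    print("hidden-file window:", hidden_file_window(delta))
```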
