Got isetup, gettin suspicious portscans

#1 Junior Member (Join Date: Jan 2004; Posts: 2)

Hi everybody, my first encounter with this security stuff started with 2 hijackers, one that set my homepage and one that would parrot Google. I started getting security stuff, and Spybot got rid of the homepage jacker, while I had to get rid of the other one with HijackThis. However, SpyHunter (I heard it's not too popular in some circles) still showed some stuff that it called "DyFuCA" (what kind of screwball thought of that name?). I can't find the stuff that SpyHunter says is in C/old computer, but I found some with RegHance and deleted it, but it came back. This is what HijackThis calls it:

    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab


One other problem: I got the ZoneAlarm Pro free trial a few days ago, and there have been 2 times, 2 days apart, where I got scanned by some clown. I looked up "Hacker identity" and it said...

    "The Internet Assigned Numbers Authority (IANA) has reserved this address for its own use. Unless you are on a network that is actively involved in the development of the system for assigning IP addresses, this address was probably forged in order to hide the identity of the sender."

    Here is the technical info...


Source IP Address: 23.69.103.xxx (the IP address of the computer that sent the packet which caused the alert)
Source Port: 666 (the port used by the source computer when sending the packet)
Destination IP: 24.69.103.xxx (the IP address of the computer to which the packet was sent)
Destination Port: 135 (the port on the destination computer used to receive the packet)
Transport Layer Protocol: UDP (the protocol that allows data to be transported between software programs on different computers)
Network Layer Protocol: IP (the protocol that allows two networked computers to locate each other on a network)
Link Layer Protocol: Ethernet (the protocol that allows two directly linked computers to share a network cable)
Alert Date: Jan-31-2004 01:48:57 AM PST (the time when ZoneAlarm Pro detected the alert on your computer)

This makes me paranoid; I'm afraid I'm being targeted. If anyone could tell me whether I should be paranoid, your help would be most welcome.
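A quick way to read an alert like the one above is to parse the pasted fields and apply the two checks the poster is really asking about: is the source address in space that could not have been a real sender at the time, and is the destination port one that gets probed constantly anyway? The script below is an added example, not part of the thread and not ZoneAlarm's code. The sample alert is copied from the post (last octets masked as "xxx", exactly as pasted; the parser accepts the label either with or without a colon). The bogon list is an assumption about the January 2004 allocation state: 23.0.0.0/8 is on it because the ZoneAlarm lookup quoted above says IANA held it then, and it has since been allocated, so the list must be rebuilt from a current feed before use on present-day traffic. The "resembles destination" heuristic is the editor's, not ZoneAlarm's.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the "technical info" block ZoneAlarm Pro showed the poster,
# one field per line as label, value, help text.
SAMPLE_ALERT = """\
Source IP Address 23.69.103.xxx The IP address of the computer that sent the packet which caused the alert.
Source Port 666 The port used by the source computer when sending the packet.
Destination IP 24.69.103.xxx The IP address of the computer to which the packet was sent.
Destination Port 135 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
Alert Date Jan-31-2004 01:48:57 AM PST The time when ZoneAlarm Pro detected the alert on your computer.
"""

# ASSUMPTION: reserved/unallocated IPv4 space as of January 2004. 23.0.0.0/8 is
# here because the ZoneAlarm lookup quoted in the post says IANA held it then;
# it has since been allocated, so rebuild this from a current bogon feed first.
BOGONS_JAN_2004 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "23.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]

# ZoneAlarm label -> field name. Labels are matched as whole prefixes followed
# by a space or colon so that "Destination IP" does not swallow "Destination Port".
FIELDS = {
    "Source IP Address": "src_ip",
    "Source Port": "src_port",
    "Destination IP": "dst_ip",
    "Destination Port": "dst_port",
    "Transport Layer Protocol": "proto",
}


@dataclass
class Alert:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_alert(text):
    """Pull the five fields that matter out of the pasted ZoneAlarm block."""
    values = {}
    for line in text.splitlines():
        for label, key in FIELDS.items():
            rest = line[len(label):]
            if line.startswith(label) and rest[:1] in (" ", ":"):
                # the value is the first token after the label; the rest is help text
                values[key] = rest.lstrip(": ").split()[0]
    return Alert(values["src_ip"], int(values["src_port"]),
                 values["dst_ip"], int(values["dst_port"]), values["proto"])


def unmask(ip):
    """'23.69.103.xxx' -> 23.69.103.0; a masked last octet cannot change a /8 or /16 verdict."""
    return ipaddress.ip_address(re.sub(r"x+$", "0", ip))


def is_bogon(ip):
    addr = unmask(ip)
    return any(addr in net for net in BOGONS_JAN_2004)


def shared_octets(a, b):
    """Number of octet positions where two dotted addresses agree."""
    return sum(x == y for x, y in zip(a.split("."), b.split(".")))


def triage(alert):
    """Short tags saying why this single blocked packet is, or is not, interesting."""
    tags = []
    if is_bogon(alert.src_ip):
        # A reserved source cannot receive replies, so the packet was spoofed or
        # mangled; it tells you nothing about who actually sent it.
        tags.append("bogon-source")
    if alert.proto == "UDP" and alert.dst_port == 135:
        # 135 is the Windows RPC endpoint mapper; unsolicited packets to it were
        # routine background noise on a 2004 broadband line, and the firewall dropped it.
        tags.append("rpc-epmap-probe")
    if shared_octets(alert.src_ip, alert.dst_ip) >= 3:
        # Heuristic (editor's assumption): a source differing from the destination in
        # only one octet looks chosen or corrupted rather than like a real remote host.
        tags.append("source-resembles-destination")
    # Note on the port-666 trojan list in reply #3: 666 here is the SOURCE port, the
    # sender's side. A trojan on the poster's PC would show up as a listening or
    # destination port, not as the remote sender's port.
    return tags


if __name__ == "__main__":
    a = parse_alert(SAMPLE_ALERT)
    print(a)
    print(triage(a))  # ['bogon-source', 'rpc-epmap-probe', 'source-resembles-destination']
```

Two alerts two days apart, each a single dropped UDP datagram from an address that could not receive a reply, is not a targeted scan; a scan worth worrying about is a run of packets across many ports from a routable source, and even then the log line shows the firewall did its job.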

#2 Senior Member (Join Date: Aug 2001; Posts: 485)

DyFuCA is a porn-dialing virus.

Try AdAware http://www.lavasoftusa.com/software/adaware/ to remove this completely, and any other similar dodgy software you have on your PC. It's free for home use.

On the issue of scanning, this will happen from time to time. Scanning programmes usually select a range of IP addresses to scan, so you are probably being picked at random.

It's a good idea to run a firewall (and an anti-virus scanner). If you don't want to spend $, then use the free version of ZoneAlarm, or any of the other free software firewalls out there.

#3 Cybr1d, HeadShot Master N1nja (Location: Boston, MA; Join Date: Jul 2003; Posts: 1,836)

Let's get rid of the obvious first. It could just be some spyware or trojan trying to dial home too. Get TheCleaner and run it. Try HijackThis again, and run an AV. Also run Spybot S&D and Ad-aware. Let us know how it goes, and we'll take it from there.


These are some of the trojans that use that port:

Port 666 - Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, th3r1pp3rz (= Therippers)

"Cain & Abel is a password auditing tool too."

cheers,

edit: Oops, lol, I spent too much time typing. Sorry dark.

#4 Junior Member (Join Date: Jan 2004; Posts: 2)

Hi, thanks for the replies. My HijackThis log is below, and I ran both Ad-aware and Spybot, but they only show the usual cookie stuff. SpyHunter is the only one that is picking up this DyFuCA stuff, which leaves me wondering if it is a crock. But the registry entry with the same name as the thing that SpyHunter calls "DyFuCA" is back, even though I deleted it the last time I ran HijackThis. Or did I delete it with RegHance? I don't even remember. Maybe I imagined deleting it. My PC is working OK; the only trouble is that when I open an IE window, especially if it is a link from another IE window, it comes up half size. Yes, I'm new at this; I don't even know how to deal with that problem.

    Logfile of HijackThis v1.97.7
    Scan saved at 4:59:23 AM, on 1/31/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Documents and Settings\All Users\Documents\SpyHunter.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\webshots.scr
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [SpyHunter] C:\Documents and Settings\All Users\Documents\SpyHunter.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\SpyKiller\spykiller.exe /startup
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...966.5995601852
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/w...oft/wtinst.cab
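The log above is long because the poster has run several web-based scanners, each of which leaves an O16 (downloaded ActiveX control) line behind, and the real question is which of the O4 autostart and O16 entries deserve a second look. The script below is an added example by the editor, not HijackThis's own code and not from the thread; it parses the two line types and applies a few neutral triage heuristics (a control registered from a file:// path rather than a web host, a control with no display name, an autostart running from a user-writable folder). The sample lines are a subset copied verbatim from the posted log. The heuristics are assumptions for illustration; an entry they mention is not thereby malicious, and the isetup.cab line the poster asked about is simply reported with its host, which is the fact the poster needs in order to look it up.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the O4 (autostart) and O16 (ActiveX download)
# lines from the HijackThis v1.97.7 log posted above, copied verbatim.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpyHunter] C:\Documents and Settings\All Users\Documents\SpyHunter.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\SpyKiller\spykiller.exe /startup
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
"""

# O16 - DPF: {CLSID} (display name, optional) - URL
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]+)\}(?: \((.*)\))? - (\S+)$")
# O4 - HKLM\..\Run: [value name] command line   (Startup-folder O4 lines are ignored)
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")


def parse(log):
    """Return (dpf_entries, run_entries) as lists of dicts; other O-lines are skipped."""
    dpf, run = [], []
    for line in log.splitlines():
        m = O16_RE.match(line)
        if m:
            clsid, name, url = m.groups()
            scheme = urlparse(url).scheme.lower()
            dpf.append({
                "clsid": clsid.upper(),
                "name": name,  # None when the log shows no display name
                "url": url,
                "scheme": scheme,
                # a file:// URL carries a local path, not a host
                "host": urlparse(url).netloc.lower() if scheme in ("http", "https") else None,
            })
            continue
        m = O4_RE.match(line)
        if m:
            hive, label, command = m.groups()
            run.append({"hive": hive, "label": label, "command": command})
    return dpf, run


def hosts(dpf):
    """Distinct web hosts that have delivered ActiveX controls to this machine."""
    return sorted({e["host"] for e in dpf if e["host"]})


def review_notes(dpf, run):
    """Observations worth a second look. ASSUMPTION: these heuristics are the editor's,
    not HijackThis's, and an entry they mention is not thereby malicious."""
    notes = []
    for e in dpf:
        if e["scheme"] == "file":
            notes.append(f"O16 {e['clsid']}: registered from local disk rather than a web host: {e['url']}")
        if not e["name"]:
            notes.append(f"O16 {e['clsid']}: no display name; identify the CLSID under HKCR\\CLSID before fixing")
    for r in run:
        if "\\Documents and Settings\\" in r["command"] or "\\Temp\\" in r["command"]:
            notes.append(f"O4 [{r['label']}] ({r['hive']}): autostarts from a user-writable folder: {r['command']}")
    return notes


if __name__ == "__main__":
    dpf, run = parse(SAMPLE_LOG)
    print(hosts(dpf))  # ['www.installengine.com', 'www.xblock.com']
    for n in review_notes(dpf, run):
        print(n)
```

Run it against the full log by pasting the whole file into SAMPLE_LOG; the point of listing the hosts is that an O16 entry is only as trustworthy as the site that served the CAB, so the host, not the display name, is what to check before using HijackThis's "Fix" button.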

#5 nihil, Super Moderator: GMT Zone (Location: United Kingdom: Bridlington; Join Date: Jul 2003; Posts: 17,190)

Hi shelli,

G'day... late night by now in ANZAC land? I have 15:15 hrs GMT here.

Please try running all your antivirus and anti-bot/spy/ad stuff in safe mode.

If something opens and loads, it will not be deletable... if it loads itself back on shutdown, it will be there next time?

    Then we will look for the other stuff like the BHOs and the "Hosts" folder

    Take care

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

#6 Senior Member (Join Date: Aug 2001; Posts: 485)

Shelli,

One or two tips on using AdAware if you are not familiar with this piece of software.

    Firstly, make sure it is up to date by selecting the "Check for updates now" option.

    After you choose Start, make sure "Activate in-depth scan" is checked (green)

    Choose "Use custom scanning options" and make sure all 5 boxes have a check mark in them.

Finally, go to Settings (the gear-like symbol at the top of the AdAware menu), choose "Tweak", then the '+' sign under "Scanning engine", and make sure "Unload recognized processes during scanning" is ticked; then repeat the process under "Cleaning engine" with "Let Windows remove files in use at next reboot".

AFAIK this will clean the porn-dialing virus you have mentioned, and for this piece of software you don't have to use it in safe mode, but you will have to reboot your PC for it to take effect.
