-
January 31st, 2004, 12:22 PM
#1
Junior Member
Got isetup, getting suspicious portscans
Hi everybody, my first encounter with this security stuff started with 2 hijackers, one that set my homepage and one that would parrot Google. I started getting security stuff, and Spybot got rid of the homepage jacker, while I had to get rid of the other one with HijackThis. However, SpyHunter (I heard it's not too popular in some circles) still showed some stuff that it called "DyFuCA" (what kind of screwball thought of that name?). I can't find the stuff that SpyHunter says is in C/old computer, but I found some with regHance and deleted it, but it came back. This is what HijackThis calls it:
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
One other problem: I got the ZoneAlarm Pro free trial a few days ago, and there have been 2 times, 2 days apart, where I got scanned by some clown. I looked up "Hacker identity" and it said...
"The Internet Assigned Numbers Authority (IANA) has reserved this address for its own use. Unless you are on a network that is actively involved in the development of the system for assigning IP addresses, this address was probably forged in order to hide the identity of the sender."
Here is the technical info...
Source IP Address: 23.69.103.xxx (the IP address of the computer that sent the packet which caused the alert)
Source Port: 666 (the port used by the source computer when sending the packet)
Destination IP: 24.69.103.xxx (the IP address of the computer to which the packet was sent)
Destination Port: 135 (the port on the destination computer used to receive the packet)
Transport Layer Protocol: UDP (the protocol that allows data to be transported between software programs on different computers)
Network Layer Protocol: IP (the protocol that allows two networked computers to locate each other on a network)
Link Layer Protocol: Ethernet (the protocol that allows two directly linked computers to share a network cable)
Alert Date: Jan-31-2004 01:48:57 AM PST (the time when ZoneAlarm Pro detected the alert on your computer)
This makes me paranoid; I'm afraid I'm being targeted. If anyone could tell me whether I should be paranoid, your help would be most welcome.
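The question the post asks ("am I being targeted?") is really a triage question: is the source address even routable, is the probed port one that Internet-wide scanners hit at random, and does the same source keep coming back? The script below is an added example, not part of the thread and not ZoneAlarm's code. It parses alert blocks in the "Field Value Description" layout ZoneAlarm Pro prints, then groups them by source. The sample alerts are constructed from the poster's fields (the masked xxx octets are filled with made-up values, and a second made-up source is added to show the persistent case); the list of unroutable prefixes is an assumption that mirrors what ZoneAlarm told the poster in January 2004, and the persistence threshold is arbitrary.

```python
"""Added example, not from the thread: parse ZoneAlarm Pro alert text and
triage it by source address.  Sample alerts are constructed."""
import ipaddress
import re
from collections import Counter, defaultdict

# Labels exactly as ZoneAlarm Pro prints them, mapped to the keys we keep.
FIELDS = {
    "Source IP Address": "src_ip",
    "Source Port": "src_port",
    "Destination IP": "dst_ip",
    "Destination Port": "dst_port",
    "Transport Layer Protocol": "proto",
}
DATE_RE = re.compile(r"^Alert Date\s+(\S+ \S+ [AP]M \S+)")

# Address blocks that were reserved or unroutable on the public Internet.
# The 23.0.0.0/8 entry is an assumption mirroring ZoneAlarm's January 2004
# "IANA has reserved this address" message; that block has since been allocated.
UNROUTABLE_2004 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3", "23.0.0.0/8")]

# Windows service ports that worms and mass scanners of that era hit indiscriminately.
COMMONLY_PROBED = {135: "MS RPC/DCOM", 137: "NetBIOS name", 139: "NetBIOS session", 445: "SMB"}


def parse_alert(text):
    """Turn one 'Field Value Description' block into a dict of the fields we need."""
    alert = {}
    for line in text.strip().splitlines():
        m = DATE_RE.match(line)
        if m:
            alert["date"] = m.group(1)
            continue
        for label, key in FIELDS.items():
            if line.startswith(label + " "):
                # The value is the first token after the label; the rest is ZoneAlarm's help text.
                alert[key] = line[len(label):].split()[0]
                break
    alert["src_port"] = int(alert["src_port"])
    alert["dst_port"] = int(alert["dst_port"])
    return alert


def triage(alerts, persistent_threshold=3):
    """Group alerts by source address and explain each source the way an analyst would."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src_ip"]].append(a)
    report = {}
    for src, hits in by_src.items():
        ip = ipaddress.ip_address(src)
        ports = Counter(a["dst_port"] for a in hits)
        findings = []
        if any(ip in net for net in UNROUTABLE_2004):
            findings.append("source address unroutable: probably forged, so it could not even receive a reply")
        probed = sorted(COMMONLY_PROBED[p] for p in ports if p in COMMONLY_PROBED)
        if probed:
            findings.append("targets services that Internet-wide scanners probe at random: " + ", ".join(probed))
        verdict = ("persistent source, keep watching" if len(hits) >= persistent_threshold
                   else "one-off, consistent with random background scanning")
        report[src] = {"hits": len(hits), "ports": dict(ports), "findings": findings, "verdict": verdict}
    return report


def _alert(src, sport, dst, dport, date):
    """Build one constructed alert block in ZoneAlarm's layout."""
    return (f"Source IP Address {src} The IP address of the computer that sent the packet which caused the alert.\n"
            f"Source Port {sport} The port used by the source computer when sending the packet.\n"
            f"Destination IP {dst} The IP address of the computer to which the packet was sent.\n"
            f"Destination Port {dport} The port on the destination computer used to receive the packet.\n"
            f"Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.\n"
            f"Alert Date {date} The time when ZoneAlarm Pro detected the alert on your computer.")


# Constructed samples: two alerts matching the poster's description (same source,
# two days apart) and three from a made-up persistent source.
SAMPLE_ALERTS = [
    _alert("23.69.103.1", 666, "24.69.103.1", 135, "Jan-29-2004 02:10:03 AM PST"),
    _alert("23.69.103.1", 666, "24.69.103.1", 135, "Jan-31-2004 01:48:57 AM PST"),
    _alert("198.51.100.9", 1025, "24.69.103.1", 445, "Jan-31-2004 03:00:01 AM PST"),
    _alert("198.51.100.9", 1025, "24.69.103.1", 445, "Jan-31-2004 03:00:05 AM PST"),
    _alert("198.51.100.9", 1025, "24.69.103.1", 139, "Jan-31-2004 03:00:09 AM PST"),
]

if __name__ == "__main__":
    for src, r in triage([parse_alert(t) for t in SAMPLE_ALERTS]).items():
        print(src, r["hits"], "hits on ports", r["ports"], "->", r["verdict"])
        for f in r["findings"]:
            print("   -", f)
```

With the sample data, the poster's source ends up as a one-off from an unroutable (hence probably forged) address aimed at a port every scanner of the period probed, while the made-up second source is reported as persistent. The same grouping works on any number of saved alerts, which is the point: one or two hits tell you little, a stream from one address is what merits attention.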
-
January 31st, 2004, 01:39 PM
#2
DyFuCA is a porn dialing virus.
Try AdAware (http://www.lavasoftusa.com/software/adaware/) to remove this completely, and any other similar dodgy software you have on your PC. It's free for home use.
On the issue of scanning, this will happen from time to time, as the way scanning programmes work is that they usually select a range of IP addresses to scan, so you are probably being picked at random.
It's a good idea to run a firewall (and an anti virus scanner) - if you don't want to spend $ then use the free version of Zonealarm, or any of the other free software firewalls out there.
-
January 31st, 2004, 01:40 PM
#3
Let's get rid of the obvious first. It could just be some spyware or trojan trying to dial home too. Get TheCleaner and run it. Try HijackThis again, and run an AV. Also, run Spybot S&D and Ad-aware. Let us know how it goes, and we'll take it from there.
These are some of the trojans that affect that port:
Port 666 - Attack FTP, Back Construction, BLA trojan, Cain & Abel, NokNok, Satans Back Door - SBD, ServU, Shadow Phyre, th3r1pp3rz (= Therippers)
"Cain & Abel is a password auditing tool too."
cheers,
edit: Oops, lol I spent too much time typing. Sorry dark.
-
January 31st, 2004, 02:06 PM
#4
Junior Member
Hi, thanks for the replies. My HijackThis log is below, and I ran both Ad-aware and Spybot, but they only show the usual cookie stuff. SpyHunter is the only one that is picking up this DyFuCA stuff, which leaves me wondering if it is a crock. But the registry entry with the same name as the thing that SpyHunter calls "DyFuCA" is back, even though I deleted it the last time I ran HijackThis. Or did I delete it with regHance? I don't even remember. Maybe I imagined deleting it. My PC is working OK; the only trouble is that when I open an IE window, especially if it is a link from another IE window, it comes up half size. Yes, I'm new at this; I don't even know how to deal with that problem.
Logfile of HijackThis v1.97.7
Scan saved at 4:59:23 AM, on 1/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\DIGStream\digstream.exe
C:\Documents and Settings\All Users\Documents\SpyHunter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\webshots.scr
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Documents and Settings\All Users\Documents\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\SpyKiller\spykiller.exe /startup
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...966.5995601852
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} - http://www.wildtangent.com/install/w...oft/wtinst.cab
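Reading a HijackThis log by eye is how the thread does it; the script below is an added example (not part of the thread and not HijackThis's own code) that does the same triage mechanically for the two entry types the poster is asking about: O16 (ActiveX controls downloaded into Downloaded Program Files, such as the isetup.cab entry) and O4 (Run-key autostarts). It parses each line into its CLSID, friendly name, download URL or command, then flags entries worth a second look: controls fetched from a host not on an allowlist, controls installed from a local file:// path, controls with no friendly name, and autostarts running from a user-profile folder. The sample lines are copied from the log in the post; the allowlist of trusted download hosts is an assumption for this example, and a flag means "verify this", not "this is malicious" (several of the unlisted hosts here are online scanners the poster ran on purpose).

```python
"""Added example, not from the thread: parse HijackThis O16 and O4 entries and
flag the ones an analyst would verify first.  Sample lines are from the post."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# O16 - DPF: {CLSID} (Friendly Name) - URL      (the friendly name is optional)
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-F-]{36})\}"
    r"(?: \((?P<name>[^)]*)\))?"
    r" - (?P<url>\S+)$")
# O4 - HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# Assumption for this example: hosts whose ActiveX downloads we accept without review.
TRUSTED_HOSTS = {"download.macromedia.com", "v4.windowsupdate.microsoft.com", "fdl.msn.com"}


@dataclass
class Entry:
    section: str          # "O16" or "O4"
    raw: str
    clsid: str = ""
    name: str = ""
    url: str = ""
    hive: str = ""
    cmd: str = ""


def parse_log(text):
    """Return the O16 and O4 entries found in a HijackThis log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O16_RE.match(line)
        if m:
            entries.append(Entry("O16", line, clsid=m["clsid"], name=m["name"] or "", url=m["url"]))
            continue
        m = RUN_RE.match(line)
        if m:
            entries.append(Entry("O4", line, name=m["name"], hive=m["hive"], cmd=m["cmd"]))
    return entries


def review(entries):
    """Return (entry, reason) pairs that deserve a closer look; a flag is not a verdict."""
    flagged = []
    for e in entries:
        if e.section == "O16":
            u = urlparse(e.url)
            if u.scheme == "file":
                flagged.append((e, "ActiveX control installed from a local file, not a web host"))
            elif u.hostname not in TRUSTED_HOSTS:
                flagged.append((e, f"ActiveX control downloaded from unlisted host {u.hostname}"))
            if not e.name:
                flagged.append((e, "control has no friendly name; identify it by CLSID before trusting it"))
        elif e.section == "O4":
            path = e.cmd.strip('"').lower()
            if "documents and settings" in path or "\\temp\\" in path:
                flagged.append((e, "autostart runs from a user-profile folder rather than Program Files or Windows"))
    return flagged


# Sample lines copied from the HijackThis log in the post (truncated URLs left out).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\Documents and Settings\All Users\Documents\SpyHunter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\SpyKiller\spykiller.exe /startup
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
"""

if __name__ == "__main__":
    for entry, reason in review(parse_log(SAMPLE_LOG)):
        print(f"[{entry.section}] {entry.name or entry.clsid}: {reason}")
```

The isetup.cab entry the poster asked about comes out flagged only because installengine.com is not on the allowlist, which is exactly the right level of confidence: an O16 entry records that a control was downloaded and registered, and whether that was wanted is something the log alone cannot tell you.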
-
January 31st, 2004, 04:08 PM
#5
Hi shelli,
G'day... late night by now?... in ANZAC land? I have 15.15 hrs GMT here.
Please try running all your antivirus and antibot/spy/ad stuff in safe mode.
If something opens and loads, it will not be deletable... if it loads itself back on shutdown, it will be there next time?
Then we will look for the other stuff like the BHOs and the "Hosts" folder.
Take care
Cheers
-
January 31st, 2004, 08:57 PM
#6
Shelli,
One or two tips on using Adaware if you are not familiar with this piece of software.
Firstly, make sure it is up to date by selecting the "Check for updates now" option.
After you choose Start, make sure "Activate in-depth scan" is checked (green)
Choose "Use custom scanning options" and make sure all 5 boxes have a check mark in them.
Finally, go to settings (the gear-like symbol at the top of the AdAware menu), choose "Tweak", then the '+' sign under "Scanning engine", and make sure "Unload recognized processes during scanning" is ticked; then repeat the process with "Cleaning engine" and "Let windows remove files in use at next reboot".
AFAIK this will clean the porn dialing virus you have mentioned, and for this piece of software you don't have to use it in safe mode, but you will have to reboot your PC for it to take effect.