
Thread: Help me investigate trojan from 206.58.237.248

  1. #11
    Switching to firefox, though a good idea won't fix this in my opinion
    Switching alone won't fix anything, although a browser switch would be helpful along with regular updates.

    markml: Can you post a "Hijack This" log?
    http://www.spywareinfo.com/~merijn/downloads.html

  2. #12
    Junior Member (joined Oct 2004, 14 posts)
    First of all, I do not use any email clients with HTML renderers (like Outlook Express for instance). I am also familiar with the security epidemic in IE. These days, I usually disable scripting when I am at all uncertain about the integrity of a website. Not perfect, I know. But I'm not really looking for a Firefox vs. IE sermon. I understand the pitfalls and advantages of IE compared to Mozilla.

    What I am interested in, as mentioned in my initial post, is determining the nature of the specific outbreak I have discovered on my system. Oh yeah, I should mention that ever since I disabled the kbdus.exe process and deleted its registry key, the symptoms of Google being redirected have not shown up again. This does not mean that my system is clean. And to tell you the truth, I am not positive that it's the Download.Trojan mentioned above, because my AV, AntiVir, was never able to detect anything wrong with it. Neither were Trend Micro or eTrust, which detected the 77_156_i.abc file as SillyDl. I only conjectured that it might be the same after manually inspecting it and noticing the string "http://www.gloogle.com" inside of it, which is apparently a site that SillyDl tries to connect to.

    As such I am not convinced that my system is clean, since A. kbdus.exe has not been positively identified, B. Download.Trojan/SillyDl seems to have the main purpose of downloading other trojans, which have not been identified, C. My research has not identified any trojan matching the specific symptoms I mentioned as being on my system, D. I do not know how my system was infected in the first place. It is not enough for me to conjecture that it might have been a malicious script in IE. I'd like to know the exact exploit used to know whether it has been patched or not since I've been infected.

    I can try TheCleaner and maybe even ClamAV, if I want to bother mounting my Win2K partition in Linux. But it's ultimately hit-and-miss whether these scanners identify things that the others don't, and if they don't, I will not be satisfied. I am far more interested in knowledge that is specifically useful to my situation. Knowledge is power. More so than AV, which just gives a false sense of security to many users. I think it is a fairly good hypothesis that the trojan was downloaded from 206.58.237.248, at least if it is in fact SillyDl. But I do not have expert knowledge about this trojan, nor have I disassembled it to understand its inner workings.

    But I have the same inclinations as you guys -- I do not want to cover territory that has already been covered. As such, I came here to ask if anyone else has knowledge, specific to my situation, that would be helpful. Thanks!

  3. #13
    Junior Member (joined Oct 2004, 14 posts)
    HiJackThis Log:
    Logfile of HijackThis v1.97.7
    Scan saved at 10:09:47 PM, on 10/27/2004
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\AVPersonal\AVWUPSRV.EXE
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINNT\system32\NOTEPAD.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\WINNT\system32\notepad.exe
    C:\WINNT\system32\svchost.exe
    C:\Documents and Settings\MML\Desktop\HijackThis.exe
    C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
    O16 - DPF: {A8658086-E6AC-4957-BC8E-8D54A7E8A790} (GDIChk Object) - http://www.microsoft.com/security/co...I/0/GDIChk.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
    O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

  4. #14
    Junior Member (joined Oct 2004, 14 posts)
    Hmm...well I guess counter.cab looks suspicious.
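    A small triage script for HijackThis-format logs, added here as an example rather than anything posted in this thread: it parses O16 (DPF/ActiveX) and O4 (Run key) lines and flags the two patterns the thread circles around, a CAB control loaded from a file:// path with no registered class name, and a Run entry launching an image that is not on a (constructed, per-machine) allow-list. The sample log, the placeholder URL and the kbdus Run entry are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.97 line format, modelled on the log posted above.
# The Flash URL is a placeholder; the [kbdus] line shows what the deleted Run key would have looked like.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [kbdus] C:\WINNT\system32\kbdus.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://example.invalid/cabs/swflash.cab
"""

# O16: "O16 - DPF: {GUID} (Class Name) - <source url>"; the class name part is optional.
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]{36}\})(?: \((.*?)\))? - (.*)$")
# O4: "O4 - <hive\..\Run>: [label] <command line>"
O4_RE = re.compile(r"^O4 - (.*?): \[(.*?)\] (.*)$")

# Constructed allow-list: images the owner recognises as belonging to installed software.
KNOWN_RUN_IMAGES = {"syntpenh.exe", "syntplpr.exe", "atiptaxx.exe", "realsched.exe", "mobsync.exe"}


def run_image(command):
    """Extract the executable path from a Run command line, dropping quotes and arguments."""
    m = re.match(r'^"?(.*?\.exe)"?', command, flags=re.I)
    return m.group(1) if m else command


def flag_hjt(text):
    """Return {raw line: [reasons]} for log entries that deserve a second look."""
    findings = {}
    for line in text.strip().splitlines():
        reasons = []
        if m := O16_RE.match(line):
            _guid, name, src = m.groups()
            scheme = urlparse(src).scheme.lower()
            if scheme not in ("http", "https"):  # DPF controls normally come from a web host
                reasons.append(f"ActiveX CAB sourced via {scheme or 'unknown'} scheme, not a web host")
            if not name:  # legitimate controls register a visible class name
                reasons.append("DPF control has no registered class name")
        elif m := O4_RE.match(line):
            _key, label, command = m.groups()
            image = run_image(command)
            if image.split("\\")[-1].lower() not in KNOWN_RUN_IMAGES:
                reasons.append(f"Run entry [{label}] launches unrecognised image {image}")
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for raw, why in flag_hjt(SAMPLE_LOG).items():
        print(raw, "\n   -> " + "; ".join(why))
```

The allow-list is the part that has to be maintained per machine; the scheme and missing-name checks on O16 lines apply to any HijackThis log of this vintage.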

  5. #15
    ClamAV is an awesome AV, but you do not need to mount it in Linux. There is a Windows port of Clam, called ClamWin. You can run that in safe mode as well. Clam has had excellent, quick release defs, IMO.

    Since you are more interested in actually finding the exploit, or where your box is vulnerable, let's look at a few things.

    1. What version of IE are you running?
    I assume it was some Windows/IE exploit, but your system should have all the recent MS patches on it.
    2. What OS, service pack? You mention 2k, but make sure all the critical updates are installed (Windows Update) so we aren't chasing our tails.
    3. Do you have your firewall enabled? You don't mention one.
    4. Does anyone else use this computer besides yourself?

    If you want to do a little more forensic work on your box, try checking out the tools at sysinternals.com, and also the sniffer, Ethereal. Filemon, Regmon and TCPView are all relevant to what you are trying to do.

  6. #16
    C:\Program Files\AVPersonal\AVWUPSRV.EXE // What AV is this? There is a rapidly growing amount of bogus AV/Adware programs, such as eacceleration.
    C:\WINNT\system32\NOTEPAD.EXE // Were you running these? There are trojans that replace notepad...
    C:\WINNT\system32\NOTEPAD.EXE

    Don't forget to keep updating your scanners... They usually come out with sigs a day or two after a new infection.

  7. #17
    Junior Member (joined Oct 2004, 14 posts)
    Yes, I was running that many copies of Notepad when I ran HiJackThis. AVWUPSRV.EXE is in fact my AV, AntiVir.

    My System currently has Win2K Service Pack 3 and IE 6.0.2600.0000 with the following patches: KB819696, KB823182, KB823559, KB823980, KB824105, KB825119, KB826232, KB828035, KB828741, KB828749, KB835732, KB837001, KB839643, KB839645, KB840315, KB840987, KB841356, KB841533, KB841533, KB841872, KB841873, KB842526, Q323172 (Pre-SP4), Q324096 (Pre-SP4), Q326830 (Pre-SP4), Q326886 (Pre-SP4), Q329115 (Pre-SP4), Q329834 (Pre-SP4), Q329170 (Pre-SP4), Q810833 (Pre-SP4), KB817606 (SP4), Q329553 (SP4), Q814033 (SP4).

    I am the sole user of this computer. The network connection I'm using has a hardware firewall on it, though I'm not running any software firewalls.

  8. #18
    Senior Member nihil (joined Jul 2003, United Kingdom: Bridlington, 17,188 posts)
    I am also familiar with the security epidemic in IE
    Are you sure? If so, why are you running v6.00.2600.0000 when you should have SP1 installed and be patched to 6.00.2800.1106?

    I would also recommend running Windows Update to see if you are missing anything there. AFAIK Win2k is at SP4 these days.

    I know that it is a pain, but it is really essential. You see the slimeballs watch for MS patches and then go and write exploits for the vulnerabilities, knowing that many people don't keep their stuff up to date.

    Just a thought.

  9. #19
    Junior Member (joined Oct 2004, 14 posts)
    True. So maybe my assertion was a little over-zealous when I said that my system had all the MS patches. I guess I could compare the security updates in IE SP1 and Win2K SP4 with the patches my system currently has to see if there are any exploits that might have been taken advantage of.

  10. #20
    Senior Member nihil (joined Jul 2003, United Kingdom: Bridlington, 17,188 posts)
    Hey, don't get me wrong. I am not saying load anything and everything that MS put out. I usually take a look every couple of weeks (unless there is an alert out) and only bother with those that affect the services and applications that I actually use or might use.

    I am not sure about SP3 v. SP4 but there have certainly been several security patches in IE regarding trojan activity.

    Might I also suggest that you download a copy of Belarc Advisor (it is free) and run it. Down the bottom left of the report you will see all the MS patches you have got and their STATUS.

    My point being that you can download a patch that does not install properly. MS Update thinks that you have it, so does not offer it again. Belarc will tell you of any of those so you can uninstall them and try again. It is obviously very dangerous if you think that you have a patch and it hasn't worked (it could also make your system unstable).
