what's this antrexhost??

  1. #1
    Member
    Join Date
    Aug 2003
    Posts
    38


    hello pplz.

    lately [been a while now]... according to my fw traffic log, explorer.exe is trying to connect to antrexhost.com [80.86.190.22]
    I don't remember seeing this before... I googled "antrexhost" & it came up with nothing.

    I did a whois on greektools [someone posted this link a while back in one of the previous threads]
    & the result is...

    Results:
    % This is the RIPE Whois query server #1.
    % The objects are in RPSL format.
    %
    % Note: the default output of the RIPE Whois server
    % is changed. Your tools may need to be adjusted. See
    % http://www.ripe.net/db/news/abuse-pr...-20050331.html
    % for more details.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    % Note: This output has been filtered.
    % To receive output for a database update, use the "-B" flag.

    % Information related to '80.86.190.0 - 80.86.191.255'

    inetnum: 80.86.190.0 - 80.86.191.255
    netname: LNC-AIHS-NET-GMBH2
    descr: AIHS.Net GmbH
    country: DE
    admin-c: ST1583-RIPE
    tech-c: ST1583-RIPE
    status: ASSIGNED PA
    mnt-by: LNC-MNT
    mnt-lower: LNC-MNT
    source: RIPE # Filtered

    person: Sergej Teverovski
    address: Hanauerlandstrasse 312a, DE-60314 Frankfurt am Main
    phone: +49 69 426 03 877
    fax-no: +49 69 - 941 46 746
    abuse-mailbox: abuse@aihs.net
    nic-hdl: ST1583-RIPE
    mnt-by: LNC-MNT
    source: RIPE # Filtered

    % Information related to '80.86.160.0/19AS13237'

    route: 80.86.160.0/19
    descr: Lambdanet Operations - German region
    origin: AS13237
    mnt-by: LNC-MNT
    source: RIPE # Filtered


    ... I'm getting paranoid heh-heh. Not to mention the fact that when I opened up IE just now, just a simple webpage without too many pictures... the memory usage in the task manager kept on increasing.

    what's going on??
    "First you must decide. Then you must follow through." - Lacus Clyne

  2. #2
    Banned
    Join Date
    Apr 2003
    Posts
    1,146
    Your IE home page has been hijacked and you probably have some other issues. I recommend that you reboot to SafeMode with Networking (Press F8 while rebooting and select SafeMode with Networking from menu). Run an AV scan (you do have an anti-virus program, right?), and a spyware scan (Google SpyBot, download, install, update and run it).

    Get Hijackthis (www.merijn.org) and run it. If you feel comfortable with this, post the hijackthis results here so the experts here can look it over to help you nail the baddies.

    [edit]
    Yeah, fixed URL. Sorry
    [/edit]

  3. #3
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    > I opened up IE just now, just a simple webpage without too many pictures...
    Now.. You just opened the link in IE, or you just opened IE and your normal webpage gave the prob, or when you opened IE the link opened automatically?

    So your firewall.. Software or hardware? If software, is it on your gateway PC.. or your workstation?

    And the program that is trying to access the site is EXPLORER.EXE, not IEXPLORE.EXE? One is your Windows core, the other is your browser..

    Have you checked running processes on your PC's? (AKA: rapier57's advice of an HJT scan, other tools here.. processview, tcpview, but these give you a relatively live view.)

    Have you considered giving Rootkit Revealer a burl on your machines..

    personally I would have TCPVIEW running and looking for system traffic..
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  4. #4
    Member
    Join Date
    Aug 2003
    Posts
    38
    > Now.. You just opened the link in IE, or you just opened IE and your normal webpage gave the prob, or when you opened IE the link opened automatically?
    I meant when I open up IE... not "opened the link in IE" ... whatever websites I go to, it takes up a lot of memory usage. I hope that made sense.


    > So your firewall.. Software or hardware? If software, is it on your gateway PC.. or your workstation?
    umm, it's a software firewall... Sygate personal firewall.. ¬ ¬ I'm afraid I do not understand "in your gateway PC.. "? please pardon me.


    > And the program that is trying to access the site is EXPLORER.EXE, not IEXPLORE.EXE? One is your Windows core, the other is your browser..
    I print-screened this particular traffic.... here are the 2 links. http://img.photobucket.com/albums/v2.../boringppl.jpg

    and...
    http://img.photobucket.com/albums/v2...boringppl2.jpg

    looks like they have different hostnames too? O.o

    I'd also done a virus scan with AVG 7.1 professional trial version ¬ ¬
    no virus found. Also ran Ad-Aware & Spybot... Ad-Aware didn't turn up anything critical.. just the MRU list.. [negligible objects]... & Spybot turned up DirectHit & something-avenue. Sorry, forgot to write down the 2 spywares.

    lastly, here's the hijackthis result....

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Winamp\winampa.exe
    C:\WINDOWS\System32\LXSUPMON.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Winamp\winamp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.racewarkingdoms.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.0
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Microsoftkeysds] lass32.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Microsoft PCI Manager] mspci.exe
    O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\RunServices: [Microsoftkeysds] lass32.exe
    O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows System] a.exe
    O4 - HKCU\..\Run: [Microsoftkeysds] lass32.exe
    O4 - HKCU\..\Run: [Sygate Personal Port] crss.exe
    O4 - HKCU\..\Run: [Sygate Personal Firewall Start] servic.exe
    O4 - HKCU\..\Run: [Microsoft PCI Manager] mspci.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
    O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120877852091
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

    [edit]
    I've not heard of Rootkit Revealer before so no, I haven't tried it.
    [/edit]

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I believe you're 0wn3d my friend..
    O4 - HKLM\..\Run: [Microsoftkeysds] lass32.exe
    O4 - HKLM\..\Run: [Microsoft PCI Manager] mspci.exe
    O4 - HKLM\..\RunServices: [Microsoftkeysds] lass32.exe
    O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows System] a.exe
    O4 - HKCU\..\Run: [Microsoftkeysds] lass32.exe
    O4 - HKCU\..\Run: [Microsoft PCI Manager] mspci.exe
    O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
    Look up SDBot..
    Oliver's Law:
    Experience is something you don't get until just after you need it.
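
The reasoning in this post (look at which O4 entries are hooked under Run/RunServices and what they point at) can be turned into a small triage script. The following Python is an added example and is not code from the thread or from any of its posters; the sample log is constructed from the shapes of the entries quoted above, and the system-process list, vendor-word list and distance thresholds are assumptions of this example, not part of HijackThis or of any SDBot write-up.

```python
import re
from typing import Dict, List

# Constructed excerpt of a HijackThis log (not a real log capture). The O4
# lines copy the shape of the entries quoted in this thread; the Global
# Startup line and the Sygate/MSN entries serve as benign controls.
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS\\Explorer.EXE

O4 - HKLM\\..\\Run: [Microsoftkeysds] lass32.exe
O4 - HKLM\\..\\Run: [SmcService] C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui
O4 - HKLM\\..\\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\\..\\RunServices: [Microsoft Windows System] a.exe
O4 - HKCU\\..\\Run: [Sygate Personal Port] crss.exe
O4 - HKCU\\..\\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKCU\\..\\Run: [msnmsgr] "C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe" /background
O4 - Global Startup: VIA RAID TOOL.lnk = C:\\Program Files\\VIA\\RAID\\raid_tool.exe
"""

# O4 registry autostart line: "O4 - HKLM\..\Run: [Name] command args"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Stems of core Windows processes that bots like to imitate (assumed list).
SYSTEM_STEMS = ("csrss", "lsass", "services", "smss", "winlogon", "svchost", "explorer")
# Words a malware author uses to make an autostart entry look official (assumed list).
VENDOR_WORDS = ("microsoft", "windows", "sygate")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch near-misses of system process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd: str) -> str:
    """Return the executable part of an O4 command (quoted paths may contain spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def analyze_o4(log_text: str) -> List[Dict]:
    """Flag O4 Run/RunServices entries that look like bot autostart hooks."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        img = image_path(m.group("cmd"))
        base = img.split("\\")[-1].lower()
        # strip extension and trailing digits: lass32.exe -> lass
        stem = re.sub(r"\d+$", "", base.rsplit(".", 1)[0])
        reasons = []
        if "\\" not in img:
            reasons.append("bare filename, no path: resolved from the search path, not a product directory")
        if "\\" not in img and any(w in m.group("name").lower() for w in VENDOR_WORDS):
            reasons.append("vendor-sounding entry name attached to an unpathed command")
        for sys_stem in SYSTEM_STEMS:
            d = edit_distance(stem, sys_stem)
            # one typo away always counts; two typos only for longer names, so that
            # short legitimate names such as smc are not matched against smss
            if stem != sys_stem and (d == 1 or (d == 2 and len(stem) >= 6)):
                reasons.append(f"name resembles the system process {sys_stem}.exe")
                break
        if reasons:
            findings.append({"hive": m.group("hive"), "key": m.group("key"),
                             "name": m.group("name"), "image": base, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_o4(SAMPLE_LOG):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] {f['image']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the constructed log it flags lass32.exe, mspci.exe, a.exe, crss.exe and servic.exe and leaves the pathed smc.exe and MsnMsgr.Exe entries alone; the lookalike check is what separates crss.exe from the real csrss.exe and lass32.exe from lsass.exe. Anything it flags still has to be confirmed by hand (file location, vendor signature, the scans the other posters recommend), so treat the output as a worklist, not a verdict.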

  6. #6
    Member
    Join Date
    Aug 2003
    Posts
    38
    umm... (just to make sure) do I click on "fix" on hijackthis?
    I've also looked up on SDBot, and from the Symantec website, it adds those aforementioned values to the registry keys.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by tragicallyhip
    umm... (just to make sure)do I click on "fix" on hijackthis?
    You could try it.. But if SDBot is active these values might automagically reappear.. I suggest downloading Stinger (McAfee) or one of the Symantec removal tools.. Boot to safe mode and run them..

  8. #8
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    Name: microsoftkeysds
    Filename: lass32.exe
    Command: Unknown at this time.
    Description: Added by a variant of the WIN32.RBOT WORM!
    File Location: Unknown
    Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
    HijackThis Category: O4 Entry
    Removal Instructions: How to remove a Trojan, Virus, Worm, or other Malware
    Download the following:

    Sysclean.com from this link: http://www.trendmicro.com/download/dcs.asp

    LPTxxx.zip - the virus pattern file: http://www.trendmicro.com/download/viruspattern.asp

    Save both in the same folder on your desktop: unzip the pattern file.. be sure these files and SYSCLEAN.COM are in the same folder.

    RESTART your PC in SafeMode
    Open the folder you saved Sysclean and the Pattern files.

    Run - Sysclean.. and wait..

    This is the first stage of the cleanup....
    ..

    One word of caution.. Be safest: if you're advised to download any programs, do so from a clean machine.. and burn these to a CD.. DON'T USE A USB DRIVE.. unless you have set it to READ ONLY..

  9. #9
    Banned
    Join Date
    Aug 2004
    Posts
    534
    pwned...

    http://www.hijackthis.de/ ... use this site to analyze your hijackthis logs

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    As you already know, you've got several exes that are known bots. What you haven't mentioned is if your firewall is allowing this traffic. This simple fact will reveal if you're truly owned or if your host just has the infections but cannot communicate back to the C&C server. Obviously if they can't talk back to the C&C, the criticality of this incident is reduced greatly.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
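
The question in this post (did the firewall actually let the traffic out, or only log the attempts?) is the one a defender answers before deciding how bad the incident is. The Python below is an added example, not code from the thread or from any poster: it reads a firewall log, counts allowed versus blocked outbound attempts per remote address, and gives each suspect process a verdict. The CSV layout and every log line are constructed for the example (this is not the Sygate Personal Firewall log format); 80.86.190.22 is the address from the first post, the other addresses are documentation ranges, and the process names are the ones quoted from the HijackThis log above.

```python
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed firewall log in a generic CSV layout. NOT the Sygate Personal
# Firewall log format; columns, timestamps and the 192.0.2.x / 198.51.100.x
# hosts are invented. 80.86.190.22 is the address named in the thread.
SAMPLE_FW_LOG = """\
time,action,direction,process,remote_ip,remote_port
2006-02-01 20:11:03,BLOCK,out,explorer.exe,80.86.190.22,80
2006-02-01 20:11:09,BLOCK,out,explorer.exe,80.86.190.22,80
2006-02-01 20:12:40,ALLOW,out,firefox.exe,192.0.2.10,80
2006-02-01 20:13:02,BLOCK,out,lass32.exe,198.51.100.7,80
2006-02-01 20:13:05,ALLOW,out,lass32.exe,198.51.100.7,80
2006-02-01 20:15:00,ALLOW,in,smc.exe,192.168.0.5,137
"""


def parse_fw_log(log_text: str) -> List[Dict[str, str]]:
    """Keep only outbound records; inbound noise does not bear on C&C reachability."""
    return [row for row in csv.DictReader(io.StringIO(log_text)) if row["direction"] == "out"]


def reach_status(records: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per remote address: how many outbound attempts were allowed vs blocked."""
    status: Dict[str, Dict[str, int]] = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for r in records:
        status[r["remote_ip"]]["allowed" if r["action"] == "ALLOW" else "blocked"] += 1
    return dict(status)


def can_reach(records, remote_ip: str) -> bool:
    """True if the firewall let at least one outbound connection through to remote_ip."""
    return reach_status(records).get(remote_ip, {}).get("allowed", 0) > 0


def triage(records, suspects) -> Dict[str, str]:
    """For each suspect process: did it ever get out, or was every attempt blocked?"""
    verdict = {}
    for proc in suspects:
        attempts = [r for r in records if r["process"].lower() == proc.lower()]
        if not attempts:
            verdict[proc] = "no attempts logged"
        elif any(r["action"] == "ALLOW" for r in attempts):
            verdict[proc] = "communicating"   # reached the outside: treat as a live incident
        else:
            verdict[proc] = "contained"       # infected, but cut off from its controller
    return verdict


def unexpected_web_clients(records, browsers=("iexplore.exe", "firefox.exe")) -> List[str]:
    """Non-browser processes that tried to talk to port 80 (explorer.exe in the OP's case)."""
    return sorted({r["process"].lower() for r in records
                   if r["remote_port"] == "80" and r["process"].lower() not in browsers})


if __name__ == "__main__":
    recs = parse_fw_log(SAMPLE_FW_LOG)
    print(reach_status(recs))
    print(triage(recs, ["explorer.exe", "lass32.exe", "mspci.exe"]))
    print(unexpected_web_clients(recs))
```

On the constructed log, explorer.exe comes out as "contained" (two blocked attempts to 80.86.190.22, none allowed) while lass32.exe is "communicating" because one of its attempts was allowed; mspci.exe never shows up in the log at all, which is its own finding, since a process that is not in the firewall log may simply not have been caught by it. A "contained" verdict only holds as long as the firewall rule stays in place, so the cleanup the earlier posts describe is still needed either way.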
