-
June 7th, 2006, 08:23 PM
#1
Member
what's this antrexhost??
hello pplz.
Lately (been a while now), according to my fw traffic log, explorer.exe is trying to connect to antrexhost.com [80.86.190.22].
I don't remember seeing this before... I googled "antrexhost" & it came up with nothing.
I did a whois on greektools (someone posted this link a while back in one of the previous threads)
& the result is...
Results:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Note: the default output of the RIPE Whois server
% is changed. Your tools may need to be adjusted. See
% http://www.ripe.net/db/news/abuse-pr...-20050331.html
% for more details.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.
% Information related to '80.86.190.0 - 80.86.191.255'
inetnum: 80.86.190.0 - 80.86.191.255
netname: LNC-AIHS-NET-GMBH2
descr: AIHS.Net GmbH
country: DE
admin-c: ST1583-RIPE
tech-c: ST1583-RIPE
status: ASSIGNED PA
mnt-by: LNC-MNT
mnt-lower: LNC-MNT
source: RIPE # Filtered
person: Sergej Teverovski
address: Hanauerlandstrasse 312a, DE-60314 Frankfurt am Main
phone: +49 69 426 03 877
fax-no: +49 69 - 941 46 746
abuse-mailbox: [email protected]
nic-hdl: ST1583-RIPE
mnt-by: LNC-MNT
source: RIPE # Filtered
% Information related to '80.86.160.0/19AS13237'
route: 80.86.160.0/19
descr: Lambdanet Operations - German region
origin: AS13237
mnt-by: LNC-MNT
source: RIPE # Filtered
... I'm getting paranoid, heh-heh. Not to mention the fact that when I opened up IE just now, on a simple webpage without too many pictures, the memory usage in Task Manager kept on increasing.
what's going on??
"First you must decide. Then you must follow through." - Lacus Clyne
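The whois answer above is RPSL: '%' lines are server comments, objects are key/value attributes, a key may repeat, and '#' starts an end-of-line comment. The following is an added example (not code from the thread) that parses that pasted answer, which has lost the blank lines between objects, and answers the questions an analyst asks of it for the IP in the firewall log: which block covers it, who holds it, which abuse mailbox to write to, and which AS announces it. The sample text is the post's own output with the '%' banner trimmed; the abuse address is redacted on the page and is kept as it appears there.

```python
import ipaddress
import re

# Attribute keys that open a new RPSL object. Splitting on these as well as on
# blank lines lets the parser cope with the flattened paste in the post.
CLASS_KEYS = {"inetnum", "inet6num", "person", "role", "route", "route6",
              "aut-num", "organisation", "mntner", "domain"}

# The RIPE answer from the post, as pasted (banner trimmed, address redacted).
RIPE_OUTPUT = """\
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
% Note: This output has been filtered.
% Information related to '80.86.190.0 - 80.86.191.255'
inetnum: 80.86.190.0 - 80.86.191.255
netname: LNC-AIHS-NET-GMBH2
descr: AIHS.Net GmbH
country: DE
admin-c: ST1583-RIPE
tech-c: ST1583-RIPE
status: ASSIGNED PA
mnt-by: LNC-MNT
mnt-lower: LNC-MNT
source: RIPE # Filtered
person: Sergej Teverovski
address: Hanauerlandstrasse 312a, DE-60314 Frankfurt am Main
phone: +49 69 426 03 877
fax-no: +49 69 - 941 46 746
abuse-mailbox: [email protected]
nic-hdl: ST1583-RIPE
mnt-by: LNC-MNT
source: RIPE # Filtered
% Information related to '80.86.160.0/19AS13237'
route: 80.86.160.0/19
descr: Lambdanet Operations - German region
origin: AS13237
mnt-by: LNC-MNT
source: RIPE # Filtered
"""

ATTR_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")


def parse_rpsl(text):
    """Return a list of objects; each is a dict key -> list of values, plus
    '_class' holding the object's first key (inetnum, person, route, ...)."""
    objects = []
    current, last_key = None, None

    def flush():
        nonlocal current, last_key
        if current is not None:
            objects.append(current)
        current, last_key = None, None

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("%"):      # blank line or server comment
            flush()
            continue
        m = ATTR_RE.match(line)
        if m is None:                             # RPSL continuation line
            if current is not None and last_key is not None:
                current[last_key][-1] = (current[last_key][-1] + " " + line.lstrip("+ ")).strip()
            continue
        key = m.group(1).lower()
        value = m.group(2).split("#", 1)[0].strip()   # drop '# Filtered' style comments
        if key in CLASS_KEYS and current is not None:
            flush()                               # new object began without a blank line
        if current is None:
            current = {"_class": key}
        current.setdefault(key, []).append(value)
        last_key = key
    flush()
    return objects


def first(obj, key, default=None):
    vals = obj.get(key)
    return vals[0] if vals else default


def summarize(text, ip):
    """Covering inetnum, netname, country, abuse mailbox (via admin-c/tech-c
    handle) and originating ASN for one IP, from a whois answer."""
    addr = ipaddress.ip_address(ip)
    objs = parse_rpsl(text)
    by_handle = {first(o, "nic-hdl"): o for o in objs if o["_class"] in ("person", "role")}
    result = {"ip": ip, "inetnum": None, "netname": None, "country": None,
              "abuse_mailbox": None, "origin": None}
    for o in objs:
        if o["_class"] == "inetnum":
            start, end = (s.strip() for s in first(o, "inetnum").split("-"))
            if ipaddress.ip_address(start) <= addr <= ipaddress.ip_address(end):
                result["inetnum"] = first(o, "inetnum")
                result["netname"] = first(o, "netname")
                result["country"] = first(o, "country")
                contact = by_handle.get(first(o, "admin-c")) or by_handle.get(first(o, "tech-c"))
                if contact is not None:
                    result["abuse_mailbox"] = first(contact, "abuse-mailbox")
        elif o["_class"] == "route":
            if addr in ipaddress.ip_network(first(o, "route"), strict=False):
                result["origin"] = first(o, "origin")
    return result


if __name__ == "__main__":
    print(summarize(RIPE_OUTPUT, "80.86.190.22"))
```

The abuse mailbox is looked up through the handle rather than read off the inetnum because RIPE attaches it to the person/role object; a real query for an unfamiliar IP should go to the RIR named in the answer, and the '-B' flag the banner mentions returns the unfiltered contact data.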
-
June 7th, 2006, 09:23 PM
#2
Your IE home page has been hijacked and you probably have some other issues. I recommend that you reboot to Safe Mode with Networking (press F8 while rebooting and select Safe Mode with Networking from the menu). Run an AV scan (you do have an anti-virus program, right?), and a spyware scan (Google SpyBot, download, install, update and run it).
Get HijackThis (www.merijn.org) and run it. If you feel comfortable with this, post the HijackThis results here so the experts here can look it over to help you nail the baddies.
[edit]
Yeah, fixed URL. Sorry.
[/edit]
-
June 7th, 2006, 10:50 PM
#3
"I opened up IE just now, just a simple webpage without too many pictures..."
Now... did you just open the link in IE, or did you just open IE and your normal webpage gave the problem, or when you opened IE did the link open automatically?
So your firewall... software or hardware? If software, is it on your gateway PC or your workstation?
And the program that is trying to access the site is EXPLORER.EXE, not IEXPLORE.EXE? One is your Windows core, the other is your browser.
Have you checked running processes on your PCs? (AKA rapier57's advice of an HJT scan; other tools here: processview, TCPView, but these give you a relatively live view.)
Have you considered giving RootkitRevealer a burl on your machines?
Personally I would have TCPView running and look for system traffic.
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
June 8th, 2006, 07:55 AM
#4
Member
"Now... did you just open the link in IE, or did you just open IE and your normal webpage gave the problem, or when you opened IE did the link open automatically?"
I meant when I open up IE... not "opened the link in IE"... whatever websites I go to, it takes up a lot of memory. I hope that made sense.
"So your firewall... software or hardware? If software, is it on your gateway PC or your workstation?"
Umm, it's a software firewall... Sygate Personal Firewall. ¬ ¬ I'm afraid I do not understand "on your gateway PC"? Please pardon me.
"And the program that is trying to access the site is EXPLORER.EXE, not IEXPLORE.EXE? One is your Windows core, the other is your browser."
I print-screened this particular traffic... here are the 2 links. http://img.photobucket.com/albums/v2.../boringppl.jpg
and...
http://img.photobucket.com/albums/v2...boringppl2.jpg
Looks like they have different hostnames too? O.o
I'd also done a virus scan with AVG 7.1 Professional trial version ¬ ¬
No virus found. Also ran Ad-Aware & Spybot... Ad-Aware didn't turn up anything critical, just the MRU list (negligible objects), & Spybot turned up directhit & something-avenue. Sorry, forgot to write down the 2 spywares.
Lastly, here's the HijackThis result....
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.racewarkingdoms.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 192.168.0.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] a.exe
O4 - HKCU\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKCU\..\Run: [Sygate Personal Port] crss.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKCU\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120877852091
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europ...vex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
[edit]
I've not heard of RootkitRevealer before so no, I haven't tried it.
[/edit]
"First you must decide. Then you must follow through." - Lacus Clyne
-
June 8th, 2006, 08:40 AM
#5
I believe you're 0wn3d my friend..
O4 - HKLM\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] a.exe
O4 - HKCU\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKCU\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
Look up SDBot..
Oliver's Law:
Experience is something you don't get until just after you need it.
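The reply above picks the bad O4 entries out by eye. As an added example (not code from the thread), here is the same triage written down as rules and run over every O4 line from the posted log: a command that is a bare filename with no path is resolved through the Windows search path, which is exactly how a file dropped into System32 gets started; a value name that apes a vendor ("Microsoft ...", "Sygate ...") while that vendor's genuine entries on the same log carry full paths; RunServices, a Windows 9x-era key that XP does not process and XP-era software has no reason to write; and a bare filename one or two edits away from a core system process name (crss.exe beside csrss.exe, servic.exe beside services.exe). The rules are heuristics, the list of system process names is an assumption, and a flag is a reason to look, not a verdict.

```python
import re

# The O4 lines from the HijackThis log posted in the thread, as pasted.
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoftkeysds] lass32.exe
O4 - HKLM\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - HKLM\..\RunServices: [Microsoft Windows System] a.exe
O4 - HKCU\..\Run: [Microsoftkeysds] lass32.exe
O4 - HKCU\..\Run: [Sygate Personal Port] crss.exe
O4 - HKCU\..\Run: [Sygate Personal Firewall Start] servic.exe
O4 - HKCU\..\Run: [Microsoft PCI Manager] mspci.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunServices: [Microsoft PCI Manager] mspci.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
"""

# Registry-backed O4 entries only; the Global Startup shape is skipped here.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.*)$")

# Core NT processes whose names malware likes to imitate (assumed list).
SYSTEM_PROCESSES = ("csrss.exe", "services.exe", "lsass.exe", "smss.exe",
                    "winlogon.exe", "svchost.exe", "explorer.exe")
# System binaries that are legitimately started by bare name.
SEARCH_PATH_OK = {"rundll32", "rundll32.exe"}


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_command(cmd):
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_o4(text):
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, name, command = m.groups()
        path, args = split_command(command)
        entries.append({"hive": hive, "key": key, "name": name, "path": path,
                        "exe": path.rsplit("\\", 1)[-1].lower(), "args": args})
    return entries


def triage(text):
    """Return the O4 entries that trip at least one rule, with the reasons."""
    flagged = []
    for e in parse_o4(text):
        reasons = []
        bare = "\\" not in e["path"] and e["exe"] not in SEARCH_PATH_OK
        if bare:
            reasons.append("bare filename, resolved through the search path")
            if e["name"].lower().startswith(("microsoft", "sygate", "windows")):
                reasons.append("vendor-style value name on an unpathed file")
            for sysproc in SYSTEM_PROCESSES:
                d = levenshtein(e["exe"], sysproc)
                if 0 < d <= 2:
                    reasons.append(f"lookalike of {sysproc} (edit distance {d})")
        if e["key"].lower().startswith("runservices"):
            reasons.append("RunServices is a Windows 9x key that XP does not process")
        if reasons:
            flagged.append({**e, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for e in triage(HJT_O4_LINES):
        print(f'{e["hive"]}\\{e["key"]} [{e["name"]}] {e["path"]}: ' + "; ".join(e["reasons"]))
```

Run as is, it flags the ten entries for lass32.exe, mspci.exe, a.exe, crss.exe and servic.exe and nothing else; the two Sygate-named HKCU entries, which the reply above did not list, come out with the extra lookalike reason. The rundll32 line is left alone because rundll32 is meant to be invoked by name; what it loads (amecsa.cpl) would be the next thing to check by hand.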
-
June 8th, 2006, 09:32 AM
#6
Member
Umm... (just to make sure) do I click on "fix" in HijackThis?
I've also looked up SDBot, and from the Symantec website, it adds those aforementioned values to the registry keys.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"First you must decide. Then you must follow through." - Lacus Clyne
-
June 8th, 2006, 10:54 AM
#7
Originally posted here by tragicallyhip
Umm... (just to make sure) do I click on "fix" in HijackThis?
You could try it... but if SDBot is active these values might automagically reappear. I suggest downloading Stinger (McAfee) or one of the Symantec removal tools. Boot to safe mode and run them.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
June 8th, 2006, 11:18 AM
#8
Name: microsoftkeysds
Filename: lass32.exe
Command: Unknown at this time.
Description: Added by a variant of the WIN32.RBOT WORM!
File Location: Unknown
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry
Removal Instructions: How to remove a Trojan, Virus, Worm, or other Malware
Download the following:
Sysclean.com from this link: http://www.trendmicro.com/download/dcs.asp
LPTxxx.zip - the virus pattern file: http://www.trendmicro.com/download/viruspattern.asp
Save both in the same folder on your desktop; unzip the pattern file. Be sure these files and SYSCLEAN.COM are in the same folder.
RESTART your PC in Safe Mode.
Open the folder where you saved Sysclean and the pattern files.
Run Sysclean... and wait.
This is the first stage of the cleanup....
One word of caution: it's safest if any programs you're advised to download are downloaded from a clean machine and burned to a CD. DON'T USE A USB DRIVE unless you have set it to READ ONLY.
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
June 8th, 2006, 04:05 PM
#9
pwned...
http://www.hijackthis.de/ ... use this site to analyze your HijackThis logs
-
June 8th, 2006, 04:57 PM
#10
As you already know, you've got several exes that are known bots. What you haven't mentioned is whether your firewall is allowing this traffic. This simple fact will reveal if you're truly owned or if your host just has the infections but cannot communicate back to the C&C server. Obviously, if they can't talk back to the C&C, the criticality of this incident is reduced greatly.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
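The question in the last reply, whether the firewall let the traffic through, is answered per process, not per rule. As an added example (not code from the thread), the block below reads a firewall traffic log and, for each process, counts allowed and blocked outbound connections and the destinations involved, then applies the reply's reasoning: a process that has no business on the network and got an allowed connection is compromised and talking; one whose every attempt was blocked is infected but contained. The CSV layout is constructed for the example and is not Sygate's real log format; the explorer.exe rows to antrexhost.com mirror what the first post describes, the 192.0.2.x hosts (TEST-NET) are fictional, and the set of processes that should never originate internet traffic is an assumption.

```python
import csv
import io
from collections import defaultdict

# Processes on an XP desktop that should not initiate outbound internet
# connections (assumed list). Browsers, updaters and AV are expected clients.
NO_OUTBOUND_EXPECTED = {"explorer.exe", "csrss.exe", "services.exe",
                        "lsass.exe", "smss.exe", "winlogon.exe", "spoolsv.exe"}

# Constructed sample log in a hypothetical CSV layout (not Sygate's format).
FW_LOG = r"""time,action,process,remote_host,remote_ip,remote_port
2006-06-07 20:01:12,Blocked,C:\WINDOWS\Explorer.EXE,antrexhost.com,80.86.190.22,80
2006-06-07 20:03:40,Blocked,C:\WINDOWS\Explorer.EXE,antrexhost.com,80.86.190.22,80
2006-06-07 20:05:02,Allowed,C:\Program Files\Mozilla Firefox\firefox.exe,www.example.net,192.0.2.10,80
2006-06-07 20:07:55,Allowed,C:\WINDOWS\Explorer.EXE,irc.example.net,192.0.2.44,6667
"""


def assess(log_text):
    """Per-process outbound summary and verdict from a firewall traffic log."""
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0, "destinations": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        proc = row["process"].rsplit("\\", 1)[-1].lower()
        s = stats[proc]
        s["destinations"].add(f'{row["remote_host"]}:{row["remote_port"]}')
        if row["action"].strip().lower() == "allowed":
            s["allowed"] += 1
        else:
            s["blocked"] += 1

    report = {}
    for proc, s in stats.items():
        if proc not in NO_OUTBOUND_EXPECTED:
            verdict = "expected network client"
        elif s["allowed"]:
            verdict = "compromised and communicating: an unexpected process reached a remote host"
        else:
            verdict = "infected but contained: every outbound attempt was blocked"
        report[proc] = {"allowed": s["allowed"], "blocked": s["blocked"],
                        "destinations": sorted(s["destinations"]), "verdict": verdict}
    return report


if __name__ == "__main__":
    for proc, r in assess(FW_LOG).items():
        print(f'{proc}: allowed={r["allowed"]} blocked={r["blocked"]} '
              f'{r["destinations"]} -> {r["verdict"]}')
```

"Contained" still means the host is infected and needs the cleanup the earlier replies describe; it only lowers the urgency, and only for as long as the firewall rule that blocked the traffic survives on a machine the bot already runs on.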