
hijacker is back, starting new thread


16 replies to this topic

#1 kcates
Full Member, 20 posts

Posted 25 June 2004 - 07:30 PM

Hi,

I was working with rubber ducky last night. Ducky had me clean up things with Hijack This and remove items in the temp directory via "local settings". Everything looked fine at the time, but the "thing" has come back many times since then.

Some observations:

1. At some point later, I'll open Outlook, or Norton Antivirus, etc., and I'll get a "virtual memory low" message. That generally tells me that it has returned (i.e. if I run Hijack This, it's there).

2. When running Hijack This, I started noticing the '&' character appearing in the name string of BHOs like Google Toolbar (e.g. "Google T&oolbar"), as if it was being "marked". I've since removed all such things in Hijack This.

3. This thing seems to recognize anti-hijack tools and disables them. I'm running "Browser Hijack Blaster" and it was working initially but now fails to warn me when something has changed. I also have it set to start on system boot and it doesn't. I also mentioned last night that I installed SpywareBlaster and it has never run. I always get a "this program is corrupted..." message.

4. Along the same line, when I first started looking at this, I noticed that there was a notepad.exe.bak file, as if maybe someone made a backup and rewrote the notepad.exe file. Given that Hijack This loads the log into notepad, I thought it may be playing with the file. I replaced notepad.exe with a known good copy.

5. I could easily think I imagined this, but when I started the browser just now, a small icon appeared on the task bar, to the right of the browser, for just a moment. It looked like a pale yellow square, with a crack running through it. That's the best I can describe it. I've never seen it before.

6. At the moment, Hijack This is clean.

Any ideas? I'm about to go insane... :-)

Thanks,
Ken

#2 kcates
Full Member, 20 posts

Posted 25 June 2004 - 08:00 PM

Just did netstat and noticed this; not sure what it means:

Proto Local Address Foreign Address State
TCP mothership:netbios-ssn 192.168.1.101:3754 ESTABLISHED
TCP mothership:1128 192.168.1.101:netbios-ssn ESTABLISHED

#3 kcates
Full Member, 20 posts

Posted 25 June 2004 - 08:27 PM

And this!!! That last one (host06) displays the search engine page and pop ups that your system is infected...

Proto Local Address Foreign Address State
TCP mothership:1205 192.168.1.101:netbios-ssn TIME_WAIT
TCP mothership:1206 192.168.1.101:netbios-ssn TIME_WAIT
TCP mothership:1209 host06.ipslink.com:http ESTABLISHED
TCP mothership:1210 host06.ipslink.com:http ESTABLISHED

#4 kcates
Full Member, 20 posts

Posted 25 June 2004 - 09:49 PM

Okay, I've figured out that something remaining on my PC is connecting out to various servers to re-infect the PC. If I put the addresses in the restricted list of IE, will that affect all outgoing accesses? Do all outgoing accesses use IE functionality?
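
A few notes on reading the netstat output in posts #2 and #3, followed by an added example (not code from this thread or from any of the tools mentioned in it). The two netbios-ssn lines are SMB sessions (TCP 139) with another host on the same 192.168.1.0/24 network, not web traffic; the host06.ipslink.com lines are outbound HTTP. Plain netstat resolves names, which hides the raw address; on Windows XP, `netstat -ano` prints numeric addresses and the owning PID, and `tasklist` maps that PID to an image name, which is the direct way to find out whether iexplore.exe or some other process holds a connection. The IE Restricted Sites zone only changes how IE handles content from those hosts (scripts, ActiveX, downloads); it is not a packet filter and does not stop another process from opening a socket to the same address. The script below parses both netstat formats and lists live TCP sessions to non-LAN peers, grouped by host, port and PID. The sample output is constructed (the `-ano` sample uses documentation addresses, 203.0.113.x and 198.51.100.x, and made-up PIDs).

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the format of plain `netstat` on Windows XP
# (names resolved, no PID column), modelled on the lines in this thread.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address            State
  TCP    mothership:netbios-ssn 192.168.1.101:3754         ESTABLISHED
  TCP    mothership:1128        192.168.1.101:netbios-ssn  ESTABLISHED
  TCP    mothership:1205        192.168.1.101:netbios-ssn  TIME_WAIT
  TCP    mothership:1209        host06.ipslink.com:http    ESTABLISHED
  TCP    mothership:1210        host06.ipslink.com:http    ESTABLISHED
  UDP    mothership:1025        *:*
"""

# Constructed sample in `netstat -ano` format (numeric, trailing owning PID).
# Addresses are documentation ranges; PIDs are made up.
SAMPLE_NETSTAT_ANO = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.100:1209     203.0.113.10:80        ESTABLISHED     1844
  TCP    192.168.1.100:1211     203.0.113.10:80        ESTABLISHED     1844
  TCP    192.168.1.100:1230     198.51.100.7:80        SYN_SENT        2320
  TCP    192.168.1.100:139      192.168.1.101:3754     ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

LIVE_STATES = {"ESTABLISHED", "SYN_SENT"}

# RFC 1918 plus link-local, checked explicitly rather than via
# ipaddress.is_private, which also covers the documentation ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_netstat(text):
    """Parse TCP/UDP rows from either netstat format into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        rest = parts[3:]
        state = ""
        if proto == "TCP" and rest:          # UDP rows carry no state column
            state = rest.pop(0)
        pid = int(rest[0]) if rest and rest[0].isdigit() else None
        host, _, port = foreign.rpartition(":")
        rows.append({"proto": proto, "local": local, "host": host,
                     "port": port, "state": state, "pid": pid})
    return rows


def peer_kind(host):
    """Classify the foreign host as none / loopback / lan / external."""
    if host in ("", "*", "0.0.0.0"):
        return "none"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A resolved name from plain `netstat`; `netstat -n` shows the raw IP.
        return "external"
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "external"


def external_peers(rows):
    """Live TCP sessions to non-LAN peers: {host: {port: {pid, ...}}}."""
    out = defaultdict(lambda: defaultdict(set))
    for r in rows:
        if (r["proto"] == "TCP" and r["state"] in LIVE_STATES
                and peer_kind(r["host"]) == "external"):
            out[r["host"]][r["port"]].add(r["pid"])
    return {h: dict(ports) for h, ports in out.items()}


if __name__ == "__main__":
    for label, text in (("netstat", SAMPLE_NETSTAT),
                        ("netstat -ano", SAMPLE_NETSTAT_ANO)):
        print(label)
        for host, ports in external_peers(parse_netstat(text)).items():
            for port, pids in ports.items():
                print(f"  {host}:{port}  pids={sorted(p for p in pids if p)}")
```

Run it against a saved `netstat -ano > net.txt` from the affected machine; a peer that keeps reappearing under a PID other than iexplore.exe is the process to look at, and a peer that reappears only while IE is open points at something loaded into IE (a BHO or toolbar).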

#5 RubbeR DuckY (Marcin)
Developer, 878 posts

Posted 25 June 2004 - 09:51 PM

Can we please get a new HJT log?

Marcin Kleczynski
Chief Executive Officer
Malwarebytes Corporation

Follow me on Twitter or check out my Blog!

#6 kcates
Full Member, 20 posts

Posted 25 June 2004 - 09:55 PM

Clean at the moment. I just blocked an attempt to install a BHO called "die.dll" (that's pretty scary...)


Logfile of HijackThis v1.97.7
Scan saved at 10:54:26 PM, on 6/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
d:\Program Files\qbooks\online backup\OLRegCap.EXE
D:\Program Files\Norton AntiVirus\SAVScan.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\System32\MsPMSPSv.exe
D:\WINDOWS\system32\cmd.exe
D:\Program Files\Browser Hijack Blaster\bhblaster.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Documents and Settings\Ken\Desktop\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = D:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Translate into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)

#7 RubbeR DuckY (Marcin)
Developer, 878 posts

Posted 25 June 2004 - 09:58 PM

OK, rerun About:Buster in Safe Mode. Check if you have v1.21.

Once done, reboot and disable all protection. Open IE. Tell me if it reinstalls the hijack or if it's gone.

Now don't forget to re-enable all protection.

#8 kcates
Full Member, 20 posts

Posted 25 June 2004 - 10:07 PM

umm, I don't have About:Buster. Do you have a download site?

#9 RubbeR DuckY (Marcin)
Developer, 878 posts

Posted 25 June 2004 - 10:18 PM

Hmm, never mind, take that back. Can you describe the symptoms immediately when you open IE?

#10 kcates
Full Member, 20 posts

Posted 25 June 2004 - 10:19 PM

BTW, I've run SD, Spy Sweeper, and CWShredder in safe mode and it didn't help...

#11 kcates
Full Member, 20 posts

Posted 25 June 2004 - 10:30 PM

If you mean when their BHO is installed, it takes me to some generic search page and starts popping windows that say "your system is infected, click here for software to get rid of it" or something like that. Actually, it's the "host06.ipslink.com" site I mentioned above. You can't tell that from the window, but I saw that address in netstat and connected to see what it was (yikes!)

Since then, I've been monitoring netstat and my linksys outbound log and have spotted a number of addresses that it connects to.

What I don't understand is: is this something that happens only when I have the browser open, or is there an independent process running to cause it? I haven't tried monitoring netstat with the browser closed yet...

#12 kcates
Full Member, 20 posts

Posted 25 June 2004 - 10:33 PM

Come to think of it, since it keeps trying to connect to host6.whatever, that string must be in a file somewhere. I'm searching all .dlls now to see if I can find it...

#13 kcates
Full Member, 20 posts

Posted 25 June 2004 - 11:08 PM

This search is going to take forever...

At least putting the address in the IE restricted list seems to be helping since I've seen it connect to host6.whatever several times since then and it doesn't seem to be able to download anything... a small victory...
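
On the file search in posts #12, #13 and #15: a plain-text search (findstr, or a "find in files" tool) only matches the ASCII spelling of the hostname, but strings in Windows binaries are very often stored as UTF-16LE (each character followed by a NUL byte), so "host06..." can sit in a DLL and still never show up. A no-hit result also proves little when the string is packed, XOR-encoded or assembled at runtime. The script below is an added example, not code from this thread: it walks a directory, searches each binary for both the ASCII and the UTF-16LE encodings of the string, case-insensitively, and reports the encoding and byte offset of every hit. The sample files it creates in a temp directory are constructed; `host06.ipslink.com` is the hostname from the thread.

```python
import os
import re
import tempfile


def marker_patterns(needle):
    """Compile case-insensitive byte patterns for ASCII and UTF-16LE forms.

    IGNORECASE works byte-by-byte, so it also covers the UTF-16LE form,
    whose NUL bytes simply match themselves.
    """
    return {
        "ascii": re.compile(re.escape(needle.encode("ascii")), re.IGNORECASE),
        "utf-16le": re.compile(re.escape(needle.encode("utf-16-le")), re.IGNORECASE),
    }


def scan_file(path, patterns, max_bytes=64 * 1024 * 1024):
    """Return [(encoding, offset), ...] for every match in one file."""
    hits = []
    try:
        if os.path.getsize(path) > max_bytes:   # skip huge files, e.g. pagefile
            return hits
        with open(path, "rb") as f:
            data = f.read()
    except OSError:                              # locked, unreadable, vanished
        return hits
    for enc, pat in patterns.items():
        for m in pat.finditer(data):
            hits.append((enc, m.start()))
    return hits


def find_string(root, needle, exts=(".dll", ".exe", ".ocx", ".sys")):
    """Walk `root` and map each matching binary path to its hit list."""
    patterns = marker_patterns(needle)
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            hits = scan_file(path, patterns)
            if hits:
                results[path] = sorted(hits)
    return results


def demo(needle="host06.ipslink.com"):
    """Build constructed sample binaries in a temp dir and search them."""
    root = tempfile.mkdtemp()
    samples = {
        # ASCII, different case, with binary padding: offset 16 + len("Connect to ")
        "a.dll": b"\x00" * 16 + b"Connect to HOST06.ipslink.com now" + b"\x00" * 8,
        # UTF-16LE form after 8 bytes of padding: invisible to a plain findstr
        "b.dll": b"\x90" * 8 + needle.encode("utf-16-le") + b"\x00\x00",
        # no marker at all
        "c.dll": b"nothing to see here",
        # right content, wrong extension: not scanned
        "notes.txt": needle.encode("ascii"),
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(blob)
    found = find_string(root, needle)
    return {os.path.basename(p): hits for p, hits in found.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, hits)
```

Point it at the Windows and Program Files trees (a process that is running can still be read; a DLL loaded into IE is not locked against reading), and extend `exts` to include `.tmp` and extension-less files in the temp directories mentioned in post #1, since droppers are often written there before being registered as a BHO.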

#14 RubbeR DuckY (Marcin)
Developer, 878 posts

Posted 25 June 2004 - 11:10 PM

What's your hosts file look like?

Open Spybot Search and Destroy, go to Tools and hit Hosts File. See if there are entries in there other than localhost.

#15 kcates
Full Member, 20 posts

Posted 25 June 2004 - 11:20 PM

No .dlls; checked the registry, nothing; checking .exe now.

#16 kcates
Full Member, 20 posts

Posted 26 June 2004 - 12:02 AM

Hosts file is fine, just localhost 127.0.0.1

#17 shiron
New Member, 2 posts

Posted 26 June 2004 - 12:22 AM

> Hosts file is fine, just localhost 127.0.0.1

I would make my HOSTS file read-only!
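
The hosts-file check in posts #14, #16 and #17, as an added example that is not code from this thread or from Spybot. On Windows XP the file is %SystemRoot%\system32\drivers\etc\hosts, and a clean one contains only the `127.0.0.1 localhost` line. Two caveats a practitioner would add: first, a hosts file that Spybot's immunize feature or SpywareBlaster has populated legitimately holds many `127.0.0.1` lines by design, so the entries that matter are the ones that pin a site you actually use, or a security vendor's site, to loopback or to a foreign address; second, the read-only attribute only stops naive writes, since anything running as Administrator (the default XP account type) can clear it with one call, so treat it as a tripwire rather than a control. A hijacker can also redirect without touching the file at all, via the IE proxy setting or the adapter's DNS servers, so a clean hosts file rules out one mechanism only. The script parses a hosts file, classifies every mapping, and shows the read-only toggle; the sample hosts content is constructed (the redirect entries use a documentation address).

```python
import ipaddress
import os
import stat
import tempfile

# Constructed sample: the first two mappings are what a clean XP hosts file
# and a harmless alias look like; the rest are hijacker-style additions.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       localhost.localdomain   # harmless alias
203.0.113.4     www.google.com  www.yahoo.com
127.0.0.1       www.symantec.com
not-an-ip       www.example.com
"""

CLEAN_NAMES = {"localhost", "localhost.localdomain"}


def classify(addr, name):
    """ok: loopback->localhost; blocked: name sinkholed to loopback;
    redirect: name pinned to some other address."""
    if name.lower() in CLEAN_NAMES and addr.is_loopback:
        return "ok"
    if addr.is_loopback:
        return "blocked"
    return "redirect"


def parse_hosts(text):
    """Return (lineno, address, hostname, verdict) for every mapping."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            entries.append((lineno, parts[0], " ".join(parts[1:]), "malformed"))
            continue
        for name in parts[1:]:                   # one line may map several names
            entries.append((lineno, str(addr), name, classify(addr, name)))
    return entries


def audit_hosts(text):
    """Everything that is not a plain localhost mapping."""
    return [e for e in parse_hosts(text) if e[3] != "ok"]


def is_read_only(path):
    # On Windows the owner-write bit mirrors the read-only file attribute.
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def set_read_only(path):
    os.chmod(path, stat.S_IREAD)


def demo_read_only():
    """Write the sample to a temp file, toggle read-only, report before/after."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "w") as f:
        f.write(SAMPLE_HOSTS)
    before = is_read_only(path)
    set_read_only(path)
    after = is_read_only(path)
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)  # make it deletable again
    os.remove(path)
    return before, after


if __name__ == "__main__":
    for lineno, addr, name, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {addr:<15} {name:<25} {verdict}")
    print("read-only before/after:", demo_read_only())
```

To run it against the real file, replace `SAMPLE_HOSTS` with the contents of `%SystemRoot%\system32\drivers\etc\hosts`; anything reported as `redirect` or `malformed` deserves a look, and `blocked` entries are fine only if you recognise the tool that added them.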
