scorpionsearch
.
October 9th, 2003, 09:19 PM
Something has been constantly trying to dial out to scorpionsearch.com and it's starting to piss me off... it tries to connect like every few seconds.
My Outpost firewall is blocking it thus far, but I need to know how to remove it.
My firewall says that SVCHOST.exe is trying to connect to scorpionsearch.com
Scanned w/Nod32 and it didn't find anything. Looked on the net, and didn't find much.
Found this though; maybe someone can put it to use.
http://securityresponse.symantec.com/avcenter/venc/data/w32.adclicker.c.trojan.html
Help!
.
October 9th, 2003, 09:56 PM
Btw, here is my log:
StartupList report, 10/9/2003, 6:54:53 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Ben\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\inetsrv\SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\notepad.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Outpost Firewall = C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
nod32kui = C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
--------------------------------------------------
Enumerating Download Program Files:
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.306875
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating Windows NT/2000/XP services
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
AMON: \??\C:\WINDOWS\System32\drivers\amon.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NOD32 Kernel Service: C:\Program Files\Eset\nod32krn.exe (autostart)
Outpost Firewall Service: C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /service (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\documents and settings\ben\cookies\ben@bilbo.counted[2].txt||c:\documents and settings\ben\cookies\ben@fastclick[2].txt
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
End of report, 7,848 bytes
Report generated in 0.531 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
- - -
Please feel free to give me any hints and tips. Thanks.
LowWaterMark
October 9th, 2003, 10:16 PM
Hi <dot>,
That log is a StartupList function from within HijackThis. Could you also run a default scan with HijackThis and post that log? ("Scan" button on main HijackThis screen.)
The first thing of concern is this file (see entries below)... That is not the normal place to have a copy of svchost.exe running. It is being started as a Service. You should be able to go into Control Panel > Administrative Tools > Services > scroll down to that entry in the list of services and select it. First "Stop" the service. Then right-click on the service and choose Properties and set it to disabled. (I'd reboot after this and see if it re-enables itself.)
It'd be interesting to submit that file to some of the AV people (for example: samples@nod32.com) and scan it with a few online AV scanners to see if they can identify it.
Running processes:
C:\WINDOWS\System32\inetsrv\SVCHOST.EXE
Enumerating Windows NT/2000/XP services
SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)
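A defender-side check for the point LowWaterMark raises above: a core Windows binary name (svchost.exe, lsass.exe, explorer.exe) appearing in a process list or service entry from a directory it does not belong in. This is an added example, not code from the thread, HijackThis or StartupList; it assumes a default C:\WINDOWS install and runs over constructed lines written in the report's format.

```python
import ntpath
import re

SYSTEM_ROOT = r"C:\WINDOWS"  # assumption: default Windows XP install
# Core binaries malware likes to impersonate -> the only directory each runs from.
EXPECTED_DIR = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
SERVICE_LINE = re.compile(r"^(?P<name>[^:\\]+): (?P<cmd>.+?) \((?:autostart|manual|disabled)\)$")

def image_path(command):
    """Executable path from a bare process path or a service command line."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:command.index('"', 1)]
    else:
        args = re.search(r"\s[-/]", command)  # " -k netsvcs", " /service"
        path = command[:args.start()] if args else command
    if path.startswith("\\??\\"):  # NT object-manager prefix used for drivers
        path = path[4:]
    for prefix in ("\\systemroot", "%systemroot%"):
        if path.lower().startswith(prefix):
            path = SYSTEM_ROOT + path[len(prefix):]
    if not ntpath.splitext(path)[1]:  # "svchost -k rpcss" is written without .exe
        path += ".exe"
    return path

def check_line(line):
    """(name, path) when a known system binary runs from the wrong directory."""
    match = SERVICE_LINE.match(line.strip())
    path = image_path(match.group("cmd") if match else line)
    name = ntpath.basename(path).lower()
    if name in EXPECTED_DIR and ntpath.dirname(path).lower() != EXPECTED_DIR[name]:
        return (name, path)
    return None

def scan_report(report):
    """Distinct hits over every line of a StartupList/HijackThis report."""
    return sorted({hit for hit in map(check_line, report.splitlines()) if hit})

# Constructed sample lines in the format of the report posted above.
SAMPLE_REPORT = r"""C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\inetsrv\SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
AMON: \??\C:\WINDOWS\System32\drivers\amon.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)"""
```

The same check applied to the full log above reports only the inetsrv copy; every other svchost entry resolves to System32 once %SystemRoot% is expanded.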
.
October 9th, 2003, 10:33 PM
LowWaterMark, thanks for the quick reply.
Moments after posting, I booted to safemode and renamed that "inetsrv" directory, and voila, no more dialing to scorpionsearch.com!
In that directory, there was a svchost.exe, ntsvc.ocx, and ntsvc.oca
That instance of svchost was taking up ~13 MB of RAM, and was trying to connect out every 10 secs! My logs were getting quite huge!
I wonder what else that instance was trying to do! Yikes!
SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)
I will rerun HijackThis for you in a bit. Strangely, Housecall, Nod32, Adaware, and Spybot did not even bat an eyelash.
.
October 9th, 2003, 10:39 PM
As promised, here is the log file.
PS: I disabled the service. Is it safe to delete that directory now, or would some people need copies?
- - -
Logfile of HijackThis v1.97.3
Scan saved at 7:36:02 PM, on 10/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ben\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.averatec.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: GetAnonymous Toolbar - {26CA4BD4-E63A-423D-AE08-933C2F8F0977} - C:\PROGRA~1\GETANO~1.2\ANONIE~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O9 - Extra button: GetAnonymous (HKLM)
O9 - Extra 'Tools' menuitem: GetAnonymous (HKLM)
O9 - Extra button: MVS (HKLM)
O9 - Extra 'Tools' menuitem: Run &MVSpoofer (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.306875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Dan Perez
October 9th, 2003, 10:45 PM
Hi .
In addition to LWM's suggestion, you might want to download the freeware BinText and use it to show the ASCII strings in the SVCHOST file. It is probably a "legitimate" file that is being used illegitimately (possibly mIRC or SERV-U or something along those lines).
It can be downloaded here:
http://www.foundstone.com/resources/termsofuse.htm?file=bintext.zip
LowWaterMark
October 9th, 2003, 10:47 PM
Well, after confirming that your system works fine following a clean reboot, you could certainly delete the file.
However, first I think you should ZIP the file up and send it at least to Eset (via the nod32 email address above) and perhaps you could also send a copy to submit@diamondcs.com.au (DCS, the makers of TDS-3 anti-trojan, are also represented here at Wilders). In the email, include a link to this thread as a reference.
As Dan said, it may be a legit file just used in a bad way.
.
October 9th, 2003, 11:26 PM
Thanks Dan and Mark...
Used that tool and found a few interesting lines:
*\AC:\Documents and Settings\Scorpion.SCORPION\Desktop\VB Code\Faker\downloader\Project1.vbp
http://www.scorpion-update.d01
C:\update.d01
twunk_64.exe
http://www.scorpion-tcpdetect.exe
http://www.scorpion-taskmgr.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- - -
WAIT, the story is not over. I renamed the "inetsrv" directory, but guess what? I checked again, and the directory is still there... hmm, pretty tricky trojan... it's not over yet!
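The kind of first-pass triage BinText supports, as an added example (not BinText's code and not from the thread): pull printable ASCII strings out of a file image and bucket the ones worth a second look, which in the post above were an autorun registry path, URLs, a dropped executable name and a leftover VB project path. The byte blob and the example.invalid URL are constructed stand-ins.

```python
import re

# Constructed sample "binary": junk bytes with a few ASCII strings embedded,
# in the spirit of what BinText showed for the downloader above.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00"
    b"\x13\x03http://www.example.invalid/update.d01\x00"
    b"twunk_64.exe\x00\x01\x02ab\x00"
    b"*\\AC:\\Documents and Settings\\Someone\\Desktop\\VB Code\\Project1.vbp\x00"
)

# Indicator buckets a first-pass triage looks for in recovered strings.
INDICATORS = {
    "url": re.compile(r"https?://", re.I),
    "autorun_key": re.compile(r"CurrentVersion\\Run", re.I),
    "dropped_exe": re.compile(r"\b[\w-]+\.(?:exe|dll|ocx)\b", re.I),
    "vb_project": re.compile(r"\.vbp$", re.I),  # VB6 project path left by the compiler
}

def strings(blob, min_len=4):
    """Runs of at least min_len printable ASCII bytes, like `strings` or BinText."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]

def triage(blob, min_len=4):
    """Map each indicator label to the recovered strings that match it."""
    found = {}
    for text in strings(blob, min_len):
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                found.setdefault(label, []).append(text)
    return found
```

Run `triage(open(path, "rb").read())` on a real sample; the "MZ" header and the 2-byte "ab" fragment fall below the minimum length and are dropped, as a strings tool would do.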
Pieter_Arntz
October 10th, 2003, 02:44 AM
Hi .,
Could you also send a copy to the email address in my profile (http://www.wilderssecurity.com/index.php?action=viewprofile;user=Pieter_Arntz)?
TIA,
Pieter
.
October 10th, 2003, 04:27 PM
Pieter,
I will rar it up and will send you the directory once I get home...
I will leave it up to you to decide who to pass it on to.
.