Something has been constantly trying to dial out to scorpionsearch.com and it's starting to piss me off... it tries to connect like every few seconds. My Outpost firewall is blocking it thus far, but I need to know how to remove it. My firewall says that SVCHOST.exe is trying to connect to scorpionsearch.com. Scanned w/Nod32 and it didn't find anything. Looked on the net, and didn't find much. Found this tho, maybe someone can put it to use: http://securityresponse.symantec.com/avcenter/venc/data/w32.adclicker.c.trojan.html

Help!
Btw, here is my log:

StartupList report, 10/9/2003, 6:54:53 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Ben\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\System32\inetsrv\SVCHOST.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\notepad.exe
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Outpost Firewall = C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
nod32kui = C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.306875

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
AMON: \??\C:\WINDOWS\System32\drivers\amon.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
NOD32 Kernel Service: C:\Program Files\Eset\nod32krn.exe (autostart)
Outpost Firewall Service: C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /service (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\documents and settings\ben\cookies\ben@bilbo.counted[2].txt||c:\documents and settings\ben\cookies\ben@fastclick[2].txt

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 7,848 bytes
Report generated in 0.531 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only

- - -

Please feel free to give me any hints and tips. Thanks.
Hi <dot>,

That log is a StartupList function from within HijackThis. Could you also run a default scan with HijackThis and post that log? ("Scan" button on main HijackThis screen.)

The first thing of concern is this file (see entries below)... That is not the normal place to have a copy of svchost.exe running. It is being started as a Service. You should be able to go into Control Panel > Administrative Tools > Services > scroll down to that entry in the list of services and select it. First "Stop" the service. Then right-click on the service and choose Properties and set it to disabled. (I'd reboot after this and see if it re-enables itself.)

It'd be interesting to submit that file to some of the AV people (for example: samples@nod32.com) and scan it with a few online AV scanners to see if they can identify it.

Running processes:
C:\WINDOWS\System32\inetsrv\SVCHOST.EXE

Enumerating Windows NT/2000/XP services
SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)
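The check LowWaterMark applies by eye above (the genuine service host only runs from System32, so an svchost service anywhere else is worth a closer look) can be automated over the services section of a StartupList report. The script below is an added example, not a tool from this thread; it assumes %SystemRoot% is C:\WINDOWS as the log shows, and runs over a constructed copy of a few of the log's service lines.

```python
import ntpath
import re

# Constructed sample in the form StartupList prints its service section
# ("name: image path (start type)"); the entries mirror the ones quoted above.
SAMPLE_SERVICES = r"""
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)
NOD32 Kernel Service: C:\Program Files\Eset\nod32krn.exe (autostart)
"""

# Assumed value of %SystemRoot% on the box in the thread (the log shows C:\WINDOWS).
ENV = {"%SystemRoot%": r"C:\WINDOWS"}
EXPECTED_DIR = ntpath.normcase(ntpath.join(ENV["%SystemRoot%"], "System32"))

LINE_RE = re.compile(r"^(?P<name>.+?): (?P<cmd>.+) \((?P<start>\w+)\)$")
# The executable part of the command line, up to "svchost" or "svchost.exe";
# the RPC entry in the log shows the .exe suffix may be missing.
SVCHOST_RE = re.compile(r'^\s*"?(?P<path>.*?[\\/]svchost(?:\.exe)?)(?=["\s]|$)',
                        re.IGNORECASE)

def expand(path):
    """Expand the environment variables in ENV, case-insensitively as Windows does."""
    for var, val in ENV.items():
        path = re.sub(re.escape(var), lambda _m: val, path, flags=re.IGNORECASE)
    return path

def check_line(line):
    """Return (service, normalized image path, verdict), or None if not an svchost service."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sm = SVCHOST_RE.match(m.group("cmd"))
    if not sm:
        return None
    path = ntpath.normcase(expand(sm.group("path")))
    # Anything outside %SystemRoot%\System32 (here System32\inetsrv) is a copy,
    # not the real service host.
    verdict = "ok" if ntpath.dirname(path) == EXPECTED_DIR else "SUSPICIOUS"
    return (m.group("name"), path, verdict)

def find_rogue_svchost(report):
    """List every svchost service whose binary lives outside System32."""
    findings = []
    for line in report.splitlines():
        result = check_line(line)
        if result and result[2] == "SUSPICIOUS":
            findings.append(result)
    return findings

if __name__ == "__main__":
    for name, path, verdict in find_rogue_svchost(SAMPLE_SERVICES):
        print(f"{verdict}: service '{name}' runs {path}")
```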
LowWaterMark, thanks for the quick reply.

Moments after posting, I booted to safe mode and renamed that "inetsrv" directory, and voila, no more dialing to scorpionsearch.com! In that directory, there was a svchost.exe, ntsvc.ocx, and ntsvc.oca. That instance of svchost was taking up ~13MB of RAM, and was trying to connect out every 10 secs! My logs were getting quite huge! I wonder what else that instance was trying to do! Yikes!

SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)

I will rerun HijackThis for you in a bit. Strangely Housecall, Nod32, Adaware, and Spybot did not even bat an eyelash.
As promised, here is the log file.

PS: I disabled the service. Is it safe to delete that directory now, or would some people need copies?

- - -

Logfile of HijackThis v1.97.3
Scan saved at 7:36:02 PM, on 10/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ben\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.averatec.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: GetAnonymous Toolbar - {26CA4BD4-E63A-423D-AE08-933C2F8F0977} - C:\PROGRA~1\GETANO~1.2\ANONIE~1.DLL
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O9 - Extra button: GetAnonymous (HKLM)
O9 - Extra 'Tools' menuitem: GetAnonymous (HKLM)
O9 - Extra button: MVS (HKLM)
O9 - Extra 'Tools' menuitem: Run &MVSpoofer (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.306875
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Hi ., in addition to LWM's suggestion, you might want to download the freeware BinText and use it to show the ASCII strings in the SVCHOST file. It is probably a "legitimate" file that is being used illegitimately (possibly mIRC or SERV-U or something along those lines). It can be downloaded here: http://www.foundstone.com/resources/termsofuse.htm?file=bintext.zip
Well, after confirming that your system works fine following a clean reboot, you could certainly delete the file. However, first I think you should ZIP the file up and send it at least to Eset (via the nod32 email address above) and perhaps you could also send a copy to submit@diamondcs.com.au (DCS, the makers of TDS-3 anti-trojan, are also represented here at Wilders). On the email, include a link to this thread as a reference. As Dan said, it may be a legit file just used in a bad way.
Thanks Dan and Mark... Used that tool and found a few interesting lines:

*\AC:\Documents and Settings\Scorpion.SCORPION\Desktop\VB Code\Faker\downloader\Project1.vbp
http://www.scorpion-update.d01
C:\update.d01
twunk_64.exe
http://www.scorpion-tcpdetect.exe
http://www.scorpion-taskmgr.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run

- - -

WAIT, the story is not over. I renamed the "inetsrv" directory, but guess what? I checked again, but the directory is there still... hmm, pretty tricky trojan... it's not over yet!
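The BinText step Dan suggested and the strings it turned up above can be reproduced in a few lines: pull every run of printable ASCII out of the file, then tag the ones that say where the program fetches from, what it drops, how it persists, and where it was built. This is an added example, not BinText and not from the thread; since the file itself is not available, it runs over a constructed byte string that embeds strings of the kind reported.

```python
import re

# Constructed stand-in for the file (the real one is not available here): a few
# non-printable bytes wrapped around strings like those reported in the thread.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"
    b"*\\AC:\\Documents and Settings\\Scorpion.SCORPION\\Desktop\\VB Code\\Faker"
    b"\\downloader\\Project1.vbp\x00"
    b"\x01\x02http://www.scorpion-update.d01\x00\x7fC:\\update.d01\x00"
    b"\x00\x00twunk_64.exe\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\xff\xfe"
    b"ab\x00cd\x00"  # runs shorter than MIN_LEN are ignored, as in BinText
)

MIN_LEN = 4

def ascii_strings(data, min_len=MIN_LEN):
    """Yield (offset, text) for each run of printable ASCII of at least min_len
    bytes, which is what BinText's ASCII column lists."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")

# Patterns worth calling out in a downloader: fetch locations, dropped executables,
# the Run key used for persistence, and the developer's VB project path.
INDICATORS = [
    ("url", re.compile(r"https?://\S+", re.I)),
    ("run-key", re.compile(r"CurrentVersion\\Run\b", re.I)),
    ("dropped-exe", re.compile(r"\b[\w-]+\.exe\b", re.I)),
    ("build-path", re.compile(r"\.vbp$", re.I)),
]

def triage(data):
    """Return [(offset, string, [tags])] for every extracted string that hits an indicator."""
    hits = []
    for offset, text in ascii_strings(data):
        tags = [name for name, rx in INDICATORS if rx.search(text)]
        if tags:
            hits.append((offset, text, tags))
    return hits

if __name__ == "__main__":
    for offset, text, tags in triage(SAMPLE_BINARY):
        print(f"0x{offset:08x}  {','.join(tags):12}  {text}")
```

Point it at a real file with `triage(open(path, "rb").read())`; plain strings such as C:\update.d01 are still listed by ascii_strings but only tagged ones are returned by triage.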
Pieter, I will rar it up and will send you the directory once I get home... I will leave it up to you to decide who to pass it on to. .