Unknown bad thing / Help & advice needed

First of all Hi there , im a new here and just found out this great nice forum
i am in my element since i ever loved computer security.

Well here is the story : yesterday i've done partition delete then new partition and then a format , i reinstalled windows xp ,
the first thing i done was to install outpost firewall pro and block every outgoing and incoming unknown connections (tcp udp and ohters)

then i gone on microsoft web site to do the security updates for xp windows family (Yeahh yeahhh you probably laughing at loud but it is really a family computer )

i was happy because of the new start for my computer , when suddently
my brain told me to have a look at outpost logs , and what did i saw ?

A lot of damn outgoing connection using differents tcp ports
the ips seems to be from personal european adsl users and maybe(i am not really sure right now) some servicies to redirect some info on an e-mail

i tried a lot of things spysweeper, pest patrol , adaware and all of his friends
tried a lot of different anti viruses by installing and uniinstalling em one by one(till multi anti viruses ****s your system up)
i tried nod32/kaspersky/panda and some of their friends too (not norton till it is totally screwed and really sucks)
and found nothing.

i tried the best solution at the end : Hijackthis and found two strange registry keys who where doing this :
O17 - HKLM\System\CCS\Services\Tcpip\..\{237352F8-374B-4CC8-9805-6C9489A45B8B}: NameServer = 80.10.246.130 80.10.246.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{237352F8-374B-4CC8-9805-6C9489A45B8B}: NameServer = 80.10.246.130 80.10.246.3

i cleaned them and all the outgoing connections are gone . god thanks !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

they where on differents ips and totally different than the range that is in this registry key

The outgoing connections where done by system.exe (but the original one , not a clone or **** like else)

my port explorer caught nothing about these outgoing connections.

(i am really surprised because i did not surfed at all on the web and downloaded nothing) only staying on my connection talking on msn 6.2 and doing a little surf on official appz sites.

Does any one of you know what is this ? i suppose there is still something on my hard drive , or can this done by any exploit ?

i sniffed also the packets who where sent by system.exe , if you interested just tell me i will paste it .

(sorry for my suxxy english im from a lost country called france , where people dont know what security is , i am not that good but have a little knowledge.)

i found additionnal information and this Ip range is from my provider and not from my local network (untill i have none )

(if moderators read this and think i posted at wrong place would you please help me to know where to put it Thanks ! )

Additional info : while writing this message the two reg keys are back and i am really pissed outgoing connections are back too

and now i feel really newb

here is the rest of my hijack log
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Eset\nod32.exe
C:\Documents and Settings\Erya\Bureau\HijackThis1977.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: Trashcan (HKCU)
O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{237352F8-374B-4CC8-9805-6C9489A45B8B}: NameServer = 80.10.246.130 80.10.246.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{237352F8-374B-4CC8-9805-6C9489A45B8B}: NameServer = 80.10.246.130 80.10.246.3

 

Hi Erya

... and welcome to Wilders

Do you have any more details on the connections: protocol, source and destination ports?

The IP's you posted look like they could be DNS servers. Is your ISP wanadoo.fr?

07/02/04 17:19:56 dns 80.10.246.3
nslookup 80.10.246.3
Canonical name: dns-adsl-gpe2-a.wanadoo.fr
Addresses: 80.10.246.3

07/02/04 17:21:39 dns 80.10.246.130
nslookup 80.10.246.130
Canonical name: dns-adsl-gpe2-b.wanadoo.fr
Addresses: 80.10.246.130

Regards,

CrazyM

 

Hi Erya,

welcome on the wilder security forums, I'm sure you will appreciate the people over here

About your troubles, I may be wrong, but to me it sounds like legitimate outgoing DNS requests done by the windows service "DNS client", which is precisely "services.exe" on Windows 2000 and "svchost.exe" on Windows XP.

If you want to get rid of them, just go into the service manager :
Start button -> Execute -> services.msc

then look at "DNS client" (I think it should be named like that, sorry I don't have an english OS) and set his start on "disabled" and stop it.

Now the outgoing DNS requests should be coming from every single internet capable software, so you will need to allow them one by one.
When the DNS client service is enabled, all of the DNS requests are done by it.

regards,

gkweb.

 

Thanks a lot for your fast answer guys !

here is what my outpost logs say :
02:30:24 SYSTEM UDP xx.75.144.87 12925
02:26:19 SYSTEM TCP xxx.13.149.119 4393
02:25:50 SYSTEM TCP xxx.184.57.89 3432
02:25:06 SYSTEM TCP xxx.184.57.89 2600
02:24:47 SYSTEM TCP xxx.184.57.89 2172

all these are outgoing conections (blocked by outpost)

i just desactivated dns services to see i will tell the result in a while
i am looking at my logs as if jesus christ were going back

 

Those entries does not seems to be DNS request at all :-/

But SYSTEM really makes me thinking to a Windows service broadcasting his traffic.

regards,

gkweb.

EDIT : hey, we are from the same country

 

Well i closed dns but still connections
02:39:00 SYSTEM UDP xxx.238.245.10 1393 Paquet vers port fermé (translation acket to closed port) (closed by outpost)

 

Your two first entries are really near from my ISP DNS servers, so I'm sure it's belong to their servers too (they have different ones depending of the kind of connection you have).

That's why I was thinking to DNS requests, but the later logs are something totally different, and I don't know what it is unfortunaly.

regards,

gkweb.

 

Hi Erya

Do you have complete logs available?
What you are posting is incomplete. It would help to post protocol, source and destination IP's (just xxx out your public IP), source and destination ports in order to get a better idea of what may be going on.

Regards,

CrazyM

 

CrazyM

the ip adresses are distant adress and the ports too
they are going out from my ip and from my system.exe using udp and tcp
but i think i am not answering good to your queqtion right ?
(feel so sleepy more than 15hours in quest of a solution)

Regards.

 

I feel sleeping too, 3:00 AM in France for both of us

It would help to know the local ports, services.exe is using, in addition of the remotes ports I think CrazyM wanted to say.

gkweb.

 

What are the xxx prefix? Also how many bytes of data?

 

The prefix protects the privacy of the IP holder.

Nick

 

@Gkweb : thanks for guiding me just understood the lack of informations

so here are what my port explorer said : 3 system process .exe with a *
on local ports : 1026/445/445 going to 0.0.0.0 and last one going to *.*.*.*
distant port are 0 , 0 and *

port explorer dont see any suspectious activity and dont see any bytes... the count is at 0

i just found a strange system process in my system processes : he is doing only 220ko in used memory (but i am maybe going paranoid ;-) )

@Sekuritas

i cant find the bytes send , outpost dosent show em at all , same for port explorer (he doesent see any activity)

here are others outgoing port connection that it try :
03:18:57 SYSTEM TCP xxx.48.52.54 4341 Paquet vers port
fermé (packet to closed port)
03:11:03 NETBIOS UDP xxx.115.130.196 1024 Bloquer trafic NetBIOS (block netbios trafic)
03:10:01 NETBIOS UDP xxx.20.69.194 1027 Bloquer trafic NetBIOS (block netbios trafic)
(sorry just censored em after see the message above)

@all

i'd like to close outpost to see if port explorer see something but i really dont know what these connections want to do or what they try to do so i prefer not do it.

i had an alg.exe service opened i closed it to see what happens next ill tell it soon
(well nothing happened still connecting )
Regards.

 

Those would be normal listening connections for XP and nothing to worry about (providing you are behind a firewall).

Are you sure those are blocked outbounds? Packet to closed port sounds more like a blocked inbound.

Does Outpost have any logs that display firewall events:

Action (block/allow), direction, protocol, local IP, local port, remote IP, remote port

or

Action (block/allow), direction, protocol, source IP, destination IP, source port, destination port

I know the terminology local/remote or source/destination is confusing to some, but it helps when posting logs to include information about both ends of the connection (local and remote or source and destination depending on how your firewall displays it).

Port Explorer should still see any outbound connection without having to shut down your firewall.

alg.exe is a valid XP process associated with ICS and ICF.

Regards,

CrazyM

 

Thanks a lot for your support everyone

Micro$oft finally done a patch i understand now why it was unsolvable

Critical Update for ADODB.stream (KB870669) my windows update just

spotted it at 6h44 of the morning (in europe france)

thanks again for helping me , this issue was unsolvable till kro$oft released that damn patch...

Yeah guys another damn exploit


Regards

-A guy whos is going to do his multimedia work on mac now , pissed off all that bulls**t-

 

I got it this morning too but from the google news. My windows update tell me about that much much later. I knew a patch is ready but my window update always delayed in letting me know. I tried to push windows update to refresh itself but invain. I know this is o/t now but does anyone know how to force windows update to start and refresh? I tried to use Tools+Windows Update from explorer but invain.

But to nick_s response

I can understand if the IP is Erya's PC. But if it the outgoing, surely we can display it here so that we can do a reverse lookup to determine if it belongs to a suspicious web site. Pls do correct me if I am incorrect.

 

The reverse lookup gave me a lot of europe adsl users and a lot of unresolveable ips

coming from a european website (still can find wich one)
that used this exploit + combination of a binder.

i used to be a kiddy 8 years ago but i stopped war , i wont be bad with these ips
my slackware is dead too i did not updated it since a long long time , its taking dust right now.

 

Hi Ron,

Thanks for the links. Good enough for me.

What I was trying to do was that I actually went to http://v4.windowsupdate.microsoft.com/en/default.asp
And then I clicked on "Scan for Updates".
It did show me the critical patch that I need in the "Review and Install Updates"
However, there is no "Download" button, only the "Install now" button is available. I really want to download to a shared drive so that the exe can be shared by other PCs. Interesting enough, the "Download" button is available only if you use the "Windows Update Catalog". M$ is so inconsistent :-(

 

Ha! ha! I hope I didn't try to start a war. I only want to seek an answer or an explanation. Nowaday, like you, I am more pro-active but much much mellowed .

 

By the way Erya, if u are interested, i asked our Spywarefighters about your HijackThis log and they said it is clean.

Also they said those 017 entries are harmless.


snowbound

 

Actually those 017 entries are your ISP more than likely...

a lot of people get those in HJT... I have the same, get 2 listings and the IP resolves to my ISP provider.

Here is yours, you should recognise it.

% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 80.10.246.0 - 80.10.247.255
netname: FR-FT-SERV-WANADOO
descr: France Telecom IP backbone
country: FR
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
status: ASSIGNED PA
remarks: for hacking, spamming or security problems send mail to
remarks: abuse@wanadoo.fr
mnt-by: FT-BRX
changed: gestionip.ft@francetelecom.com 20030526
source: RIPE

role: Wanadoo France Technical Role
address: WANADOO FRANCE
address: 48 rue Camille Desmoulins
address: 92791 ISSY LES MOULINEAUX CEDEX 9
address: FR
phone: +33 1 58 88 50 00
e-mail: abuse@wanadoo.fr
e-mail: technical.contact@wanadoo.com
admin-c: WITR1-RIPE
tech-c: WITR1-RIPE
nic-hdl: WITR1-RIPE
mnt-by: FT-BRX
changed: gestionip.ft@francetelecom.com 20010504
changed: gestionip.ft@francetelecom.com 20010912
changed: gestionip.ft@francetelecom.com 20011204
changed: gestionip.ft@francetelecom.com 20030428
changed: gestionip.ft@francetelecom.com 20031124
source: RIPE

======================

sekuritas, re MS patches downloads, no you cannot dl it from the WU page...

But those patches ARE downloadable elsewhere...

Try here.....

http://www.microsoft.com/technet/security/current.aspx

type in the # and search for it.

I have dl'd this way for quite a while, so I have back-ups of each patch to reinstall if needed. *Sometimes I cannot find it here, so search the entire MS database you will eventually find it.

Cheers, TAS

 

Tas, thank you very much. This link is now in my favorites . Just noted your name and your origin. Didn't know that Tassie Devil is found in Qld. Ha! ha! ha! (Just pulling your leg).

Back to the System case, there is a program from the M$ website (processSpy.exe). I found it very useful to investigate dll loaded in an exe esp for those "dll injections" trojans. Works for NT, W2K, XP only though.