Getting pounded by malformed DNS requests

Discussion in 'adware, spyware & hijack cleaning' started by zmaint, May 8, 2004.

Thread Status:
Not open for further replies.
  1. zmaint

    zmaint Registered Member

    Joined:
    May 8, 2004
    Posts:
    9
    As of 4/23/04 my firewall (Black Ice Defender) started getting a ton of malformed DNS requests from the following IP address: 205.177.124.71. I can use the computer all day with no trouble, but as soon as I open an IE window the pounding begins. I have run Adaware, Xcleaner, Panda Platinum, AVG, Trend Housecall, Trend Damage Control, Hijack This, Cool Web Shredder, TDS-3m, and I also run SpywareBlaster. I can find nothing wrong with my machine. The last virus I had arrived via pop-up and AVG cleaned it fine on 4/20/03. That was the StartPage.4.AB, and StartPage.3.BC. I don't think that these caused the problem, since it didn't start until 3 days later and AVG caught them immediately. I am running WinXP Home, always kept updated, behind a Netgear firewalled router (also updated).

    I would be happy to post my Hijack This log if needed, but it's pretty darn bare. I've been a system admin for the better part of 10 years and was pretty confident I could fix anything up until now. This is extremely frustrating. It has slowed IE down to a crawl on this machine only, the other 3 machines on my network are fine.

    I tried contacting the Sam Spade listed system administrator with no response. I have also contacted my ISP and they told me it is on the list as a known trojan address, but they are unable to blacklist it at this time for reasons they chose not to share with me.

    Help would be most appreciated, I am ready to pull my hair out.

    Thanks
     
  2. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  3. zmaint

    zmaint Registered Member

    Joined:
    May 8, 2004
    Posts:
    9
    I went ahead and followed your instructions even though I had already done all of it. Ran Adaware and Spybot, both came up empty. Here is my Hijack log. Nothing in there that I can see. I was hoping someone here might know which Trojan or Malware that IP address belonged to so I could do a more specific search. The help is appreciated, like I said I am at the end of all of my ideas.


    Logfile of HijackThis v1.97.7
    Scan saved at 4:03:46 PM, on 5/8/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Network ICE\BlackICE\blackd.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Turtle Beach\AudioStation\tbaspi.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\SYSTEM32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\WINDOWS\System32\tbctray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\mdm.exe
    C:\Program Files\KeirNet\K9\K9.exe
    C:\PROGRA~1\MICROS~3\Office\OUTLOOK.EXE
    C:\Program Files\Network ICE\BlackICE\blackice.exe
    C:\Global\Work\hijack\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
    O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\Program Files\ANONYMIZER\CORE\Anonymizer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Anonymizer Toolbar - {C14DC52F-B4D9-11D5-B1E6-0050DAD7AF62} - C:\Program Files\ANONYMIZER\TOOLBAR\AnonymizerBar.dll
    O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\System32\tbctray.exe
    O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
    O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...ple.com/drakken/us/win/QuickTimeInstaller.exe
    O16 - DPF: {49A3DCEE-FC3C-11D4-83E5-0050DA33C619} (BVXPlayer Class) - http://www.biovirtual.com/xplayer/xplayer.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37861.9363541667
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
     
  4. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,429
    Location:
    Netherlands
    Hi zmaint,

    All unrelated, but check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.iwon.com/index.jsp?PG=home&SEC=bnav

    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab

    O16 - DPF: {49A3DCEE-FC3C-11D4-83E5-0050DA33C619} (BVXPlayer Class) - http://www.biovirtual.com/xplayer/xplayer.cab

    Then reboot.

    205.177.124.66 is a known CWS domain. Not sure if they are related, but that looks like a mighty coincidence.

    Regards,

    Pieter
     
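As an added illustration (not Pieter's tool and not anything posted in this thread): a small Python helper that parses the R0/R1 and O16 DPF lines of a HijackThis log in the format posted above and flags any download host that is not under an allowlisted domain, which is roughly the triage Pieter did by eye. The allowlist domains and the sample excerpt are assumptions constructed from the log above.

```python
import re
from urllib.parse import urlsplit

# Constructed excerpt in HijackThis v1.97 line format; entries copied from the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://my.iwon.com/index.jsp?PG=home&SEC=bnav
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://my.uo.com/fonts/tdserver.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {49A3DCEE-FC3C-11D4-83E5-0050DA33C619} (BVXPlayer Class) - http://www.biovirtual.com/xplayer/xplayer.cab
"""

# Domains accepted without comment (hypothetical allowlist; tune it for your own environment).
TRUSTED = ("microsoft.com", "macromedia.com", "symantec.com", "dell.com")

# R0/R1: "<hive\path>,<value name> = <url>"; O16: "DPF: {CLSID} (optional description) - <url>"
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?) = (.+)$")
O16_LINE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.+?)\))? - (\S+)$")

def host_of(url):
    """Lowercase hostname of url, or '' when it does not parse as a URL."""
    return (urlsplit(url).hostname or "").lower()

def is_trusted(host, trusted=TRUSTED):
    """True when host equals, or is a subdomain of, an allowlisted domain."""
    return any(host == d or host.endswith("." + d) for d in trusted)

def review(log_text, trusted=TRUSTED):
    """Parse R0/R1 and O16 entries into (kind, label, url, host, flagged) tuples."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            kind, _hive, label, url = m.groups()
        else:
            m = O16_LINE.match(line)
            if not m:
                continue  # process list, O2/O3/O4 lines etc. are not handled here
            clsid, desc, url = m.groups()
            kind, label = "O16", desc or clsid
        host = host_of(url)
        findings.append((kind, label, url, host, not is_trusted(host, trusted)))
    return findings

def flagged_hosts(log_text, trusted=TRUSTED):
    """Sorted, de-duplicated hosts a reviewer should check by hand."""
    return sorted({f[3] for f in review(log_text, trusted) if f[4]})
```

Flagged hosts are only a starting point: as the follow-up posts show, tdserver.cab and the BioVirtual player were legitimate on this machine, so each hit still needs a human decision.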
  5. zmaint

    zmaint Registered Member

    Joined:
    May 8, 2004
    Posts:
    9
    Pieter,

    Thanks for the reply. I use Iwon as my home page. Not the fastest or best, but I really want that money... The tdserver.cab file is part of Ultima Online which I still play regularly. Biovirtual is legit also, it's a 3D facial mapping program.

    I was reasonably certain I had seen that IP address listed in a forum somewhere as a known Trojan address, I just couldn't remember where. If it is CWS how do I get rid of it? I have already tried version 1.57 of CWS, Adaware, and SpyBot, and they all came up with a big fat 0. Any ideas what the reg keys, .dll's, or exe's I am looking for are? I could remove them manually.

    Thank you though, now I can narrow my search in for CWS cleaners. I finally have a place to start. It's much easier to hit the target when you know where it's at :)

    Zach
     
  6. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  7. zmaint

    zmaint Registered Member

    Joined:
    May 8, 2004
    Posts:
    9
    Well it sounded good. I went and checked every registry entry that Symantec listed there. I had none of them. I also checked to see if I could find anything else in the IE registry keys while I was in there, but also came up empty. I didn't have the ctrlpan.dll, either. The IP was in the right range for it though. Thank you.

    I also want to apologize for emailing you as well yesterday... I was reading up on your website, and several others including Merijn's, while I was posting here. I didn't realize that you were the same guy that had replied to me here. Whoops :)

    Here is a log of all the processes I currently have running. I do know that sometimes CWS won't show up in Hijack.


    Module information for 'iexplore.exe'
    MODULE BASE SIZE PATH
    iexplore.exe 400000 102400 C:\Program Files\Internet Explorer\iexplore.exe
    ntdll.dll 77f50000 684032 C:\WINDOWS\System32\ntdll.dll
    kernel32.dll 77e60000 942080 C:\WINDOWS\system32\kernel32.dll
    msvcrt.dll 77c10000 339968 C:\WINDOWS\system32\msvcrt.dll
    USER32.dll 77d40000 573440 C:\WINDOWS\system32\USER32.dll
    GDI32.dll 7e090000 266240 C:\WINDOWS\system32\GDI32.dll
    ADVAPI32.dll 77dd0000 577536 C:\WINDOWS\system32\ADVAPI32.dll
    RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll
    SHLWAPI.dll 70a70000 413696 C:\WINDOWS\system32\SHLWAPI.dll
    SHDOCVW.dll 71700000 1347584 C:\WINDOWS\System32\SHDOCVW.dll
    msvsres.dll 10000000 61440 C:\WINDOWS\System32\msvsres.dll
    WS2_32.dll 71ab0000 86016 C:\WINDOWS\System32\WS2_32.dll
    WS2HELP.dll 71aa0000 32768 C:\WINDOWS\System32\WS2HELP.dll
    comctl32.dll 71950000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
    SHELL32.dll 773d0000 8331264 C:\WINDOWS\system32\SHELL32.dll
    comctl32.dll 77340000 569344 C:\WINDOWS\system32\comctl32.dll
    ole32.dll 771b0000 1196032 C:\WINDOWS\system32\ole32.dll
    BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll
    browselc.dll 72430000 73728 C:\WINDOWS\System32\browselc.dll
    appHelp.dll 75f40000 126976 C:\WINDOWS\system32\appHelp.dll
    CLBCATQ.DLL 7c890000 528384 C:\WINDOWS\System32\CLBCATQ.DLL
    OLEAUT32.dll 77120000 569344 C:\WINDOWS\system32\OLEAUT32.dll
    COMRes.dll 77050000 806912 C:\WINDOWS\System32\COMRes.dll
    VERSION.dll 77c00000 28672 C:\WINDOWS\system32\VERSION.dll
    UxTheme.dll 5ad70000 212992 C:\WINDOWS\System32\UxTheme.dll
    AnonymizerBar.dll 930000 114688 C:\Program Files\ANONYMIZER\TOOLBAR\AnonymizerBar.dll
    WININET.dll 63000000 614400 C:\WINDOWS\system32\WININET.dll
    CRYPT32.dll 762c0000 557056 C:\WINDOWS\system32\CRYPT32.dll
    MSASN1.dll 762a0000 65536 C:\WINDOWS\system32\MSASN1.dll
    MSVCP60.dll 55900000 397312 C:\WINDOWS\System32\MSVCP60.dll
    cscui.dll 76620000 319488 C:\WINDOWS\System32\cscui.dll
    CSCDLL.dll 76600000 110592 C:\WINDOWS\System32\CSCDLL.dll
    SETUPAPI.dll 76670000 946176 C:\WINDOWS\System32\SETUPAPI.dll
    Secur32.dll 76f90000 65536 C:\WINDOWS\System32\Secur32.dll
    MSH_ZWF.dll 61220000 73728 C:\Program Files\Microsoft Hardware\Mouse\MSH_ZWF.dll
    Anonymizer.dll e40000 434176 C:\Program Files\ANONYMIZER\CORE\Anonymizer.dll
    rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll
    urlmon.dll 1a400000 499712 C:\WINDOWS\system32\urlmon.dll
    shdoclc.dll 76170000 557056 C:\WINDOWS\System32\shdoclc.dll
    mlang.dll 74770000 585728 C:\WINDOWS\System32\mlang.dll
    wsock32.dll 71ad0000 32768 C:\WINDOWS\System32\wsock32.dll
    mswsock.dll 71a50000 241664 C:\WINDOWS\system32\mswsock.dll
    wshtcpip.dll 71a90000 32768 C:\WINDOWS\System32\wshtcpip.dll
    RASAPI32.DLL 76ee0000 225280 C:\WINDOWS\System32\RASAPI32.DLL
    rasman.dll 76e90000 69632 C:\WINDOWS\System32\rasman.dll
    NETAPI32.dll 71c20000 319488 C:\WINDOWS\System32\NETAPI32.dll
    TAPI32.dll 76eb0000 176128 C:\WINDOWS\System32\TAPI32.dll
    rtutils.dll 76e80000 53248 C:\WINDOWS\System32\rtutils.dll
    WINMM.dll 76b40000 180224 C:\WINDOWS\System32\WINMM.dll
    serwvdrv.dll 5cd70000 28672 C:\WINDOWS\System32\serwvdrv.dll
    umdmxfrm.dll 5b0a0000 28672 C:\WINDOWS\System32\umdmxfrm.dll
    POINT32.dll 61210000 61440 C:\Program Files\Microsoft Hardware\Mouse\POINT32.dll
    sensapi.dll 722b0000 20480 C:\WINDOWS\System32\sensapi.dll
    USERENV.dll 75a70000 675840 C:\WINDOWS\system32\USERENV.dll
    msi.dll 1650000 2101248 C:\WINDOWS\System32\msi.dll
    SXS.DLL 75e90000 684032 C:\WINDOWS\System32\SXS.DLL
    DNSAPI.dll 76f20000 151552 C:\WINDOWS\System32\DNSAPI.dll
    winrnr.dll 76fb0000 28672 C:\WINDOWS\System32\winrnr.dll
    WLDAP32.dll 76f60000 180224 C:\WINDOWS\system32\WLDAP32.dll
    rasadhlp.dll 76fc0000 20480 C:\WINDOWS\System32\rasadhlp.dll
    mshtml.dll 63580000 2818048 C:\WINDOWS\System32\mshtml.dll
    PDM.DLL 4a000000 180224 C:\WINDOWS\System32\PDM.DLL
    MSDBG.DLL 4aa00000 86016 C:\WINDOWS\System32\MSDBG.DLL
    msimtf.dll 746f0000 155648 C:\WINDOWS\System32\msimtf.dll
    MSCTF.dll 74720000 278528 C:\WINDOWS\System32\MSCTF.dll
    MSLS31.DLL 746c0000 159744 C:\WINDOWS\System32\MSLS31.DLL
    IMM32.DLL 76390000 114688 C:\WINDOWS\System32\IMM32.DLL
    msohev.dll 32520000 73728 C:\Program Files\Microsoft Office\Office10\msohev.dll
    wdmaud.drv 72d20000 36864 C:\WINDOWS\System32\wdmaud.drv
    msacm32.drv 72d10000 32768 C:\WINDOWS\System32\msacm32.drv
    MSACM32.dll 77be0000 81920 C:\WINDOWS\System32\MSACM32.dll
    midimap.dll 77bd0000 28672 C:\WINDOWS\System32\midimap.dll
    scrauth.dll 25a0000 110592 C:\Program Files\Common Files\Symantec Shared\Script Blocking\scrauth.dll
    ScrBlock.dll 26d0000 122880 C:\Program Files\Common Files\Symantec Shared\Script Blocking\ScrBlock.dll
    wintrust.dll 76c30000 176128 C:\WINDOWS\System32\wintrust.dll
    IMAGEHLP.dll 76c90000 139264 C:\WINDOWS\system32\IMAGEHLP.dll
    cryptnet.dll 73d50000 65536 C:\WINDOWS\System32\cryptnet.dll
    jscript.dll 6b700000 589824 c:\windows\system32\jscript.dll
    mshtmled.dll 74cb0000 454656 C:\WINDOWS\System32\mshtmled.dll
     
  8. zmaint

    zmaint Registered Member

    Joined:
    May 8, 2004
    Posts:
    9
    You know, I realize you guys are busy but I really need some help getting this fixed. It takes forever to load web pages, it's actually worse than 14.4 dial-up.

    Thanks
     