scorpionsearch

Discussion in 'NOD32 version 2 Forum' started by ., Oct 9, 2003.

Thread Status:
Not open for further replies.
  1. .

    . Guest

    Something has been constantly trying to dial out to scorpionsearch.com and it's starting to piss me off... it tries to connect like every few seconds.

    My Outpost firewall is blocking it thus far, but I need to know how to remove it.

    My firewall says that SVCHOST.exe is trying to connect to scorpionsearch.com

    Scanned w/Nod32 and it didn't find anything. Looked on the net, and didn't find much.

    Found this tho, maybe someone can put it to use.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.adclicker.c.trojan.html

    Help!
     
  2. .

    . Guest

    Btw, here is my log:

    StartupList report, 10/9/2003, 6:54:53 PM
    StartupList version: 1.52
    Started from : C:\Documents and Settings\Ben\Desktop\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Showing rarely important sections
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
    C:\WINDOWS\System32\inetsrv\SVCHOST.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\notepad.exe
    C:\Documents and Settings\Ben\Desktop\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    Outpost Firewall = C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
    nod32kui = C:\Program Files\Eset\nod32kui.exe /WAITSERVICE

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
    StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present
    C:\WINDOWS\Fonts\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Download Program Files:

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.306875

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating Windows NT/2000/XP services

    AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
    AMON: \??\C:\WINDOWS\System32\drivers\amon.sys (autostart)
    Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
    Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    NOD32 Kernel Service: C:\Program Files\Eset\nod32krn.exe (autostart)
    Outpost Firewall Service: C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /service (autostart)
    Plug and Play: %SystemRoot%\system32\services.exe (autostart)
    IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
    Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
    Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
    Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
    Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
    SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)
    Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: c:\documents and settings\ben\cookies\ben@bilbo.counted[2].txt||c:\documents and settings\ben\cookies\ben@fastclick[2].txt


    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 7,848 bytes
    Report generated in 0.531 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only

    - - -

    Please feel free to give me any hints and tips. Thanks.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Hi <dot>,

    That log is a StartupList function from within HijackThis. Could you also run a default scan with HijackThis and post that log? ("Scan" button on main HijackThis screen.)

    The first thing of concern is this file (see entries below)... That is not the normal place to have a copy of svchost.exe running. It is being started as a Service. You should be able to go into Control Panel > Administrative Tools > Services > scroll down to that entry in the list of services and select it. First "Stop" the service. Then right-click on the service and choose Properties and set it to disabled. (I'd reboot after this and see if it re-enables itself.)

    It'd be interesting to submit that file to some of the AV people (for example: samples@nod32.com ) and scan it with a few online AV scanners to see if they can identify it.

    Running processes:
    C:\WINDOWS\System32\inetsrv\SVCHOST.EXE

    Enumerating Windows NT/2000/XP services
    SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)
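The check LowWaterMark applies by eye above (svchost.exe is only legitimate in System32, and real svchost-hosted services name a -k group) can be run over the log lines automatically. This is an added example, not code from the thread; the sample lines are constructed to mirror the StartupList report and the path rules assume a stock Windows XP layout.

```python
import re

# Constructed sample lines modelled on the StartupList report above (not the full log).
SAMPLE_LINES = [
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\System32\inetsrv\SVCHOST.EXE",
    r"C:\Program Files\Eset\nod32krn.exe",
    r"Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)",
    r"Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)",
    r"SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)",
]

# The only directory the real svchost.exe lives in on Windows XP (either spelling seen in logs).
EXPECTED_DIRS = {r"c:\windows\system32", r"%systemroot%\system32"}

# Drive-letter or %SystemRoot% path ending in svchost / svchost.exe, case-insensitive.
PATH_RE = re.compile(r"((?:[A-Za-z]:|%SystemRoot%)\\[^\s:]*?svchost(?:\.exe)?)\b", re.IGNORECASE)


def in_expected_dir(path):
    """True when the path's directory is one of the legitimate svchost locations."""
    directory = path.rsplit("\\", 1)[0].lower()
    return directory in EXPECTED_DIRS


def suspicious_svchost(lines):
    """Return (path, reason) pairs for svchost entries that deserve a closer look."""
    hits = []
    for line in lines:
        for match in PATH_RE.finditer(line):
            path = match.group(1)
            if not in_expected_dir(path):
                hits.append((path, "svchost outside System32"))
            elif "(autostart)" in line and " -k " not in line:
                # Genuine svchost-hosted services always name their -k service group.
                hits.append((path, "service runs svchost without a -k group"))
    return hits


if __name__ == "__main__":
    for path, reason in suspicious_svchost(SAMPLE_LINES):
        print(f"{reason}: {path}")
```

On the sample lines only the two inetsrv entries are reported; the netsvcs and rpcss services pass both checks.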
     
  4. .

    . Guest

    LowWaterMark, thanks for the quick reply.

    Moments after posting, I booted to safe mode and renamed that "inetsrv" directory, and voila, no more dialing to scorpionsearch.com!

    In that directory, there was a svchost.exe, ntsvc.ocx, and ntsvc.oca

    That instance of svchost was taking up ~13 MB of RAM, and was trying to connect out every 10 secs! My logs were getting quite huge!

    I wonder what else that instance was trying to do! Yikes!

    SVCHOST: C:\WINDOWS\System32\inetsrv\SVCHOST.EXE (autostart)

    I will rerun HijackThis for you in a bit. Strangely Housecall, Nod32, Adaware, and Spybot did not even bat an eyelash.
     
  5. .

    . Guest

    As promised, here is the log file.

    PS: I disabled the service. Is it safe to delete that directory now, or would some people need copies?

    - - -

    Logfile of HijackThis v1.97.3
    Scan saved at 7:36:02 PM, on 10/9/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Ben\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.averatec.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: GetAnonymous Toolbar - {26CA4BD4-E63A-423D-AE08-933C2F8F0977} - C:\PROGRA~1\GETANO~1.2\ANONIE~1.DLL
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O9 - Extra button: GetAnonymous (HKLM)
    O9 - Extra 'Tools' menuitem: GetAnonymous (HKLM)
    O9 - Extra button: MVS (HKLM)
    O9 - Extra 'Tools' menuitem: Run &MVSpoofer (HKLM)
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37896.306875
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi .

    In addition to LWM's suggestion, you might want to download the freeware BinText and use it to show the ASCII strings in the SVCHOST file. It is probably a "legitimate" file that is being used illegitimately (possibly mIRC or SERV-U or something along those lines).

    It can be downloaded here:

    http://www.foundstone.com/resources/termsofuse.htm?file=bintext.zip
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Well, after confirming that your system works fine following a clean reboot, you could certainly delete the file.

    However, first I think you should ZIP the file up and send it at least to Eset (via nod32 email address above) and perhaps you could also send a copy to submit@diamondcs.com.au (DCS, the makers of TDS-3 anti-trojan are also represented here at Wilders). On the email, include a link to this thread as a reference.

    As Dan said, it may be a legit file just used in a bad way.
     
  8. .

    . Guest

    Thanks Dan and Mark...

    Used that tool and found a few interesting lines:
    *\AC:\Documents and Settings\Scorpion.SCORPION\Desktop\VB Code\Faker\downloader\Project1.vbp
    http://www.scorpion-update.d01
    C:\update.d01
    twunk_64.exe
    http://www.scorpion-tcpdetect.exe
    http://www.scorpion-taskmgr.exe
    SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    - - -

    WAIT, the story is not over. I renamed the "inetsrv" directory, but guess what? I checked again, but the directory is there still... hmm, pretty tricky trojan... it's not over yet!
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi .,

    Could you also send a copy to the email address in my profile?

    TIA,

    Pieter
     
  10. .

    . Guest

    Pieter,

    I will rar it up and will send you the directory once I get home...

    I will leave it up to you to decide who to pass it on to.

    .
     