Unknown bad thing / Help & advice needed

Discussion in 'other security issues & news' started by Erya, Jul 2, 2004.

Thread Status:
Not open for further replies.
  1. Erya

    Erya Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Location:
    South of france in Toulouse
    First of all Hi there , im a new here and just found out this great nice forum
    i am in my element since i ever loved computer security.

    Well here is the story : yesterday i've done partition delete then new partition and then a format , i reinstalled windows xp ,
    the first thing i done was to install outpost firewall pro and block every outgoing and incoming unknown connections (tcp udp and ohters)

    then i gone on microsoft web site to do the security updates for xp windows family (Yeahh yeahhh you probably laughing at loud but it is really a family computer :rolleyes: )

    i was happy because of the new start for my computer , when suddently
    my brain told me to have a look at outpost logs , and what did i saw ?

    A lot of damn outgoing connection using differents tcp ports
    the ips seems to be from personal european adsl users and maybe(i am not really sure right now) some servicies to redirect some info on an e-mail

    i tried a lot of things spysweeper, pest patrol , adaware and all of his friends
    tried a lot of different anti viruses by installing and uniinstalling em one by one(till multi anti viruses ****s your system up)
    i tried nod32/kaspersky/panda and some of their friends too (not norton till it is totally screwed and really sucks)
    and found nothing.

    i tried the best solution at the end : Hijackthis and found two strange registry keys who where doing this :
    O17 - HKLM\System\CCS\Services\Tcpip\..\{237352F8-374B-4CC8-9805-6C9489A45B8B}: NameServer = 80.10.246.130 80.10.246.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{237352F8-374B-4CC8-9805-6C9489A45B8B}: NameServer = 80.10.246.130 80.10.246.3

    i cleaned them and all the outgoing connections are gone . god thanks !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    they where on differents ips and totally different than the range that is in this registry key

    The outgoing connections where done by system.exe (but the original one , not a clone or **** like else)

    my port explorer caught nothing about these outgoing connections.

    (i am really surprised because i did not surfed at all on the web and downloaded nothing) only staying on my connection talking on msn 6.2 and doing a little surf on official appz sites.

    Does any one of you know what is this ? i suppose there is still something on my hard drive , or can this done by any exploit ?

    i sniffed also the packets who where sent by system.exe , if you interested just tell me i will paste it .

    (sorry for my suxxy english im from a lost country called france , where people dont know what security is , i am not that good but have a little knowledge.)

    i found additionnal information and this Ip range is from my provider and not from my local network (untill i have none :D )

    (if moderators read this and think i posted at wrong place would you please help me to know where to put it Thanks ! )

    Additional info : while writing this message the two reg keys are back and i am really pissed outgoing connections are back too

    and now i feel really newb :mad:

    here is the rest of my hijack log
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Eset\nod32.exe
    C:\Documents and Settings\Erya\Bureau\HijackThis1977.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1\outpost.exe /waitservice
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: Trashcan (HKCU)
    O9 - Extra 'Tools' menuitem: Show Trashcan (HKCU)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{237352F8-374B-4CC8-9805-6C9489A45B8B}: NameServer = 80.10.246.130 80.10.246.3
    O17 - HKLM\System\CS1\Services\Tcpip\..\{237352F8-374B-4CC8-9805-6C9489A45B8B}: NameServer = 80.10.246.130 80.10.246.3
     
    Last edited: Jul 2, 2004
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Erya

    ... and welcome to Wilders :)

    Do you have any more details on the connections: protocol, source and destination ports?

    The IP's you posted look like they could be DNS servers. Is your ISP wanadoo.fr?

    07/02/04 17:19:56 dns 80.10.246.3
    nslookup 80.10.246.3
    Canonical name: dns-adsl-gpe2-a.wanadoo.fr
    Addresses: 80.10.246.3

    07/02/04 17:21:39 dns 80.10.246.130
    nslookup 80.10.246.130
    Canonical name: dns-adsl-gpe2-b.wanadoo.fr
    Addresses: 80.10.246.130

    Regards,

    CrazyM
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi Erya,

    welcome on the wilder security forums, I'm sure you will appreciate the people over here :)

    About your troubles, I may be wrong, but to me it sounds like legitimate outgoing DNS requests done by the windows service "DNS client", which is precisely "services.exe" on Windows 2000 and "svchost.exe" on Windows XP.

    If you want to get rid of them, just go into the service manager :
    Start button -> Execute -> services.msc

    then look at "DNS client" (I think it should be named like that, sorry I don't have an english OS) and set his start on "disabled" and stop it.

    Now the outgoing DNS requests should be coming from every single internet capable software, so you will need to allow them one by one.
    When the DNS client service is enabled, all of the DNS requests are done by it.

    regards,

    gkweb.
     
  4. Erya

    Erya Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Location:
    South of france in Toulouse
    Thanks a lot for your fast answer guys !

    here is what my outpost logs say :
    02:30:24 SYSTEM UDP xx.75.144.87 12925
    02:26:19 SYSTEM TCP xxx.13.149.119 4393
    02:25:50 SYSTEM TCP xxx.184.57.89 3432
    02:25:06 SYSTEM TCP xxx.184.57.89 2600
    02:24:47 SYSTEM TCP xxx.184.57.89 2172

    all these are outgoing conections (blocked by outpost)

    i just desactivated dns services to see i will tell the result in a while
    i am looking at my logs as if jesus christ were going back :rolleyes:
     
    Last edited: Jul 2, 2004
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Those entries does not seems to be DNS request at all :-/

    But SYSTEM really makes me thinking to a Windows service broadcasting his traffic.

    regards,

    gkweb.

    EDIT : hey, we are from the same country ;)
     
  6. Erya

    Erya Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Location:
    South of france in Toulouse
    Well i closed dns but still connections
    02:39:00 SYSTEM UDP xxx.238.245.10 1393 Paquet vers port fermé (translation :packet to closed port) (closed by outpost)
     
    Last edited: Jul 2, 2004
  7. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Your two first entries are really near from my ISP DNS servers, so I'm sure it's belong to their servers too (they have different ones depending of the kind of connection you have).

    That's why I was thinking to DNS requests, but the later logs are something totally different, and I don't know what it is unfortunaly.

    regards,

    gkweb.
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Erya

    Do you have complete logs available?
    What you are posting is incomplete. It would help to post protocol, source and destination IP's (just xxx out your public IP), source and destination ports in order to get a better idea of what may be going on.

    Regards,

    CrazyM
     
  9. Erya

    Erya Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Location:
    South of france in Toulouse
    CrazyM

    the ip adresses are distant adress and the ports too
    they are going out from my ip and from my system.exe using udp and tcp
    but i think i am not answering good to your queqtion right ?
    (feel so sleepy more than 15hours in quest of a solution)

    Regards.
     
  10. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I feel sleeping too, 3:00 AM in France for both of us :)

    It would help to know the local ports, services.exe is using, in addition of the remotes ports I think CrazyM wanted to say.

    gkweb.
     
  11. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    What are the xxx prefix? Also how many bytes of data?
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    The prefix protects the privacy of the IP holder.

    Nick
     
  13. Erya

    Erya Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Location:
    South of france in Toulouse
    @Gkweb : thanks for guiding me just understood the lack of informations

    so here are what my port explorer said : 3 system process .exe with a *
    on local ports : 1026/445/445 going to 0.0.0.0 and last one going to *.*.*.*
    distant port are 0 , 0 and *

    port explorer dont see any suspectious activity and dont see any bytes... the count is at 0 :'(

    i just found a strange system process in my system processes : he is doing only 220ko in used memory (but i am maybe going paranoid ;-) )

    @Sekuritas

    i cant find the bytes send , outpost dosent show em at all , same for port explorer (he doesent see any activity)

    here are others outgoing port connection that it try :
    03:18:57 SYSTEM TCP xxx.48.52.54 4341 Paquet vers port
    fermé (packet to closed port)
    03:11:03 NETBIOS UDP xxx.115.130.196 1024 Bloquer trafic NetBIOS (block netbios trafic)
    03:10:01 NETBIOS UDP xxx.20.69.194 1027 Bloquer trafic NetBIOS (block netbios trafic)
    (sorry just censored em after see the message above)

    @all

    i'd like to close outpost to see if port explorer see something but i really dont know what these connections want to do or what they try to do so i prefer not do it.

    i had an alg.exe service opened i closed it to see what happens next ill tell it soon
    (well nothing happened still connecting )
    Regards.
     
    Last edited: Jul 2, 2004
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Those would be normal listening connections for XP and nothing to worry about (providing you are behind a firewall).

    Are you sure those are blocked outbounds? Packet to closed port sounds more like a blocked inbound.

    Does Outpost have any logs that display firewall events:

    Action (block/allow), direction, protocol, local IP, local port, remote IP, remote port

    or

    Action (block/allow), direction, protocol, source IP, destination IP, source port, destination port

    I know the terminology local/remote or source/destination is confusing to some, but it helps when posting logs to include information about both ends of the connection (local and remote or source and destination depending on how your firewall displays it).

    Port Explorer should still see any outbound connection without having to shut down your firewall.

    alg.exe is a valid XP process associated with ICS and ICF.

    Regards,

    CrazyM
     
  15. Erya

    Erya Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Location:
    South of france in Toulouse
    Thanks a lot for your support everyone

    Micro$oft finally done a patch i understand now why it was unsolvable

    Critical Update for ADODB.stream (KB870669) my windows update just

    spotted it at 6h44 of the morning (in europe france)

    thanks again for helping me , this issue was unsolvable till kro$oft released that damn patch...

    Yeah guys another damn exploit :mad:


    Regards

    -A guy whos is going to do his multimedia work on mac now , pissed off all that bulls**t-
     
  16. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    I got it this morning too but from the google news. My windows update tell me about that much much later. I knew a patch is ready but my window update always delayed in letting me know. I tried to push windows update to refresh itself but invain. I know this is o/t now but does anyone know how to force windows update to start and refresh? I tried to use Tools+Windows Update from explorer but invain.

    But to nick_s response
    I can understand if the IP is Erya's PC. But if it the outgoing, surely we can display it here so that we can do a reverse lookup to determine if it belongs to a suspicious web site. Pls do correct me if I am incorrect.
     
  17. Erya

    Erya Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    10
    Location:
    South of france in Toulouse
    The reverse lookup gave me a lot of europe adsl users and a lot of unresolveable ips

    coming from a european website (still can find wich one)
    that used this exploit + combination of a binder.

    i used to be a kiddy 8 years ago but i stopped war , i wont be bad with these ips :D
    my slackware is dead too i did not updated it since a long long time , its taking dust right now.
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas

    You can check for updates
    here.

    and here
     
  19. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    Hi Ron,

    Thanks for the links. Good enough for me.

    What I was trying to do was that I actually went to http://v4.windowsupdate.microsoft.com/en/default.asp
    And then I clicked on "Scan for Updates".
    It did show me the critical patch that I need in the "Review and Install Updates"
    However, there is no "Download" button, only the "Install now" button is available. I really want to download to a shared drive so that the exe can be shared by other PCs. Interesting enough, the "Download" button is available only if you use the "Windows Update Catalog". M$ is so inconsistent :-(
     
  20. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    Ha! ha! I hope I didn't try to start a war. I only want to seek an answer or an explanation. Nowaday, like you, I am more pro-active but much much mellowed :).
     
  21. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    By the way Erya, if u are interested, i asked our Spywarefighters about your HijackThis log and they said it is clean.

    Also they said those 017 entries are harmless.


    snowbound
     
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,779
    Location:
    Texas

    I see. You can't right click and "save as" either?
     
  23. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Actually those 017 entries are your ISP more than likely...

    a lot of people get those in HJT... I have the same, get 2 listings and the IP resolves to my ISP provider.

    Here is yours, you should recognise it.

    % This is the RIPE Whois server.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/ripencc/pub-services/db/copyright.html

    inetnum: 80.10.246.0 - 80.10.247.255
    netname: FR-FT-SERV-WANADOO
    descr: France Telecom IP backbone
    country: FR
    admin-c: WITR1-RIPE
    tech-c: WITR1-RIPE
    status: ASSIGNED PA
    remarks: for hacking, spamming or security problems send mail to
    remarks: abuse@wanadoo.fr
    mnt-by: FT-BRX
    changed: gestionip.ft@francetelecom.com 20030526
    source: RIPE

    role: Wanadoo France Technical Role
    address: WANADOO FRANCE
    address: 48 rue Camille Desmoulins
    address: 92791 ISSY LES MOULINEAUX CEDEX 9
    address: FR
    phone: +33 1 58 88 50 00
    e-mail: abuse@wanadoo.fr
    e-mail: technical.contact@wanadoo.com
    admin-c: WITR1-RIPE
    tech-c: WITR1-RIPE
    nic-hdl: WITR1-RIPE
    mnt-by: FT-BRX
    changed: gestionip.ft@francetelecom.com 20010504
    changed: gestionip.ft@francetelecom.com 20010912
    changed: gestionip.ft@francetelecom.com 20011204
    changed: gestionip.ft@francetelecom.com 20030428
    changed: gestionip.ft@francetelecom.com 20031124
    source: RIPE

    ======================

    sekuritas, re MS patches downloads, no you cannot dl it from the WU page...

    But those patches ARE downloadable elsewhere...

    Try here.....

    http://www.microsoft.com/technet/security/current.aspx

    type in the # and search for it.

    I have dl'd this way for quite a while, so I have back-ups of each patch to reinstall if needed. *Sometimes I cannot find it here, so search the entire MS database you will eventually find it.

    Cheers, TAS
     
  24. sekuritas

    sekuritas Registered Member

    Joined:
    Jun 30, 2004
    Posts:
    19
    Tas, thank you very much. This link is now in my favorites :). Just noted your name and your origin. Didn't know that Tassie Devil is found in Qld. Ha! ha! ha! (Just pulling your leg).

    Back to the System case, there is a program from the M$ website (processSpy.exe). I found it very useful to investigate dll loaded in an exe esp for those "dll injections" trojans. Works for NT, W2K, XP only though.
     
Loading...
Thread Status:
Not open for further replies.