DNS calls to Ukraine destinations

Microsoft Antivirus Discussions

Thread: DNS calls to Ukraine destinations, started by Gary S. Terhune, 09-24-2006
Posted by Stephen Howe on September 24, 2006, 11:48 pm
> Download MULTI_AV.EXE from the URL --
> http://www.ik-cs.com/programs/virtools/Multi_AV.exe

Is there a version number for this, David?
I can't see anything on the URLs you show

Thanks

Stephen Howe



Posted by David H. Lipman on September 25, 2006, 5:35 pm
From: "Stephen Howe" <sjhoweATdialDOTpipexDOTcom>

>> Download MULTI_AV.EXE from the URL --
>> http://www.ik-cs.com/programs/virtools/Multi_AV.exe
|
| Is there a version number for this David?
| I can't see anything on the URLs you show
|
| Thanks
|
| Stephen Howe
|

In what respect?

Each AV module has its version tied to the AV vendor. Each time you run a respective module it will download the latest Engine and/or Signature files of that vendor as needed.

As for the Multi AV front-end utility, the version is not published. It is available only by running the menu and hitting the letter "v" or "V", which will show the current version, such as: Multi-AV v4.05. The included README.TXT has revision information (posted at the end of this reply). This is the first time since the release of my utility that this topic has come up. If this is something that could have some value, I can have Ian Kenefick (web master and host of my utilities at http://IK-CS.Com ) update the web site to post the version and revision information.

----------------------------

v2.0
- Corrected a problem where on some platforms the script did not properly identify that it was running in Normal Mode of operation.

v2.1
- Added the ability to scan a folder or particular location for both the McAfee and Sophos scanners.
{ not available in Sophos scanner in Win9x/ME }

v2.2
- Added Sophos scanner for Win9x/ME

v2.21
- Improved the Sophos scanner's capability in Win9x/ME

v2.22
- Added the ability to scan a folder or particular location in Sophos for Win9x/ME

v2.23
- Added simplistic TEMP and TIF file clearing capabilities.
- The Folders in the TIF cache will not be deleted but the files will be deleted.
- The files in the root of the TEMP folder will be deleted but not files in subfolders.

v2.24
- Due to problems encountered on a Win98SE PC, added a WMI verification process to the scripts in case WMI is not installed or working properly.

v2.25
- Due to problems encountered by some individuals with their FireWall software using the native OS based FTP.EXE utility for the McAfee module, the scripts were recoded to use the WGET.EXE utility to perform the needed FTP operation.

v2.26
- Trend Micro changed the URL that pointed to the latest Pattern File and thus the latest Pattern File was not being downloaded. Updated the script for the new URL to reflect that change by Trend Micro.

v2.27
- Updated the Multi AV Scanner PDF Help File.

v2.28
- Optimized the coding for downloading engine and signature files for the Trend Micro and Sophos modules.

v3.00
- Added the Kaspersky scanner to the menu of available scanners.

v3.01
- Added the ability to repair EXE, COM, BAT file associations and REG and SCR loading fixes as well as some local System and Explorer policy repairs.

v3.02
- Added the ability to repair the Registry settings for WinXP if the WinXP System Restore cache has been disabled by malware.
- Updated the Multi AV Scanner PDF Help File.

v3.11
- Added the ability to examine the WIN.INI and SYSTEM.INI and Registry locations for malware being loaded and to kill the processes found.

v3.15
- Updated the Kaspersky script for the 'extended database folder'.

v4.00
- For NT based platforms, added a GUI based "browse" capability when choosing a specific location to scan.
- Updated the Multi AV Scanner PDF Help File.

v4.01
- Updated the McAfee module with a HTTP fallback. If FTP fails it will perform a HTTP get process.

v4.05
- Updated PDF Help File.
- Added a "fix" for WMI on NT if the Boot State comes back "Undetermined".
- Fixed bug in using Sophos Sweep.exe on NT Based OS.



--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by MowGreen on September 28, 2006, 12:41 am
>> the ISA logs show this machine making repeated calls on DNS protocol, port 53,
>> to two different IPs that belong to a web hosting company in the Ukraine. I can't
>> help but think that this is malware in action, but can't determine what is doing it.

Gary,

As long as you can keep the malware blocked, post the log to the
HijackThis Forum at AumHa:
http://aumha.net/viewforum.php?f=30

We'll call in the "Experts" if need be and at least identify the
malware, the risk from it, and who's hosting it.

I'll BCC this. Email me when you post the HJT log and please, provide us
with the IPs, too.


MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============


Gary S. Terhune wrote:
> I have an XP Pro box on an SBS network (one SBS Premium server w/ ISA 2004,
> two XP Pro clients.) The box was heavily infected by numerous viruses and
> other malware on 9/11. Issues with antivirus installation resulted in its
> not updating for some time, but I'm not certain just how it all got started.
> Far as I can tell, none of it got to any of the other machines on the
> network.
>
> I cleaned up using various AV and anti-spyware tools (AdAware, Spybot,
> Trend-Micro AV) and it seems to be healthy now, but the ISA logs show this
> machine making repeated calls on DNS protocol, port 53, to two different IPs
> that belong to a web hosting company in the Ukraine. I can't help but think
> that this is malware in action, but can't determine what is doing it. The
> ISA firewall is blocking the requests, but I'd like to know what's going on.
> Any ideas on how to trace this? I can't find anything in running processes
> that isn't supposed to be there. Note that these calls are being made even
> when nobody is logged on to the machine. They're averaging one per second.
>

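The pattern Gary describes in the quoted post (port 53 traffic to two foreign IPs that are not the site's resolver, about once a second, continuing with nobody logged on, and still retried after the firewall denies it) is what log-side beacon detection keys on. The script below is an added example written for this page, not code from the thread or from any of the tools named in it. It assumes a simplified, space-separated log format standing in for the ISA 2004 log (the real format is not reproduced here), and the IP addresses, the resolver address 10.0.0.2, and every log line are constructed placeholders; the thread does not give the actual IPs.

```python
"""Added example (not from the thread): flag LAN hosts that send DNS
(port 53) traffic to IPs other than the site's resolvers at a steady,
timer-like interval.

Log format, IPs and resolver setting are constructed for illustration;
this is not the ISA 2004 log format and not the thread's real addresses.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed: the only legitimate DNS destination for LAN clients (on an SBS
# network that is normally the SBS box itself). Placeholder address.
KNOWN_RESOLVERS = {"10.0.0.2"}

# Constructed sample lines:
# "<date> <time> <client ip> <dest ip> <dest port> <proto> <action>"
SAMPLE_LOG = """\
2006-09-23 03:00:01 10.0.0.21 10.0.0.2 53 UDP Allowed
2006-09-23 03:00:01 10.0.0.21 203.0.113.10 53 UDP Denied
2006-09-23 03:00:02 10.0.0.21 203.0.113.10 53 UDP Denied
2006-09-23 03:00:03 10.0.0.21 203.0.113.10 53 UDP Denied
2006-09-23 03:00:04 10.0.0.21 203.0.113.10 53 UDP Denied
2006-09-23 03:00:05 10.0.0.21 203.0.113.10 53 UDP Denied
2006-09-23 03:00:06 10.0.0.21 203.0.113.10 53 UDP Denied
2006-09-23 03:00:06 10.0.0.21 203.0.113.11 53 UDP Denied
2006-09-23 03:00:07 10.0.0.21 203.0.113.11 53 UDP Denied
2006-09-23 03:00:08 10.0.0.21 203.0.113.11 53 UDP Denied
2006-09-23 03:00:09 10.0.0.21 203.0.113.11 53 UDP Denied
2006-09-23 03:00:10 10.0.0.21 203.0.113.11 53 UDP Denied
2006-09-23 03:00:15 10.0.0.22 10.0.0.2 53 UDP Allowed
2006-09-23 03:00:20 10.0.0.22 203.0.113.50 53 UDP Denied
2006-09-23 03:00:40 10.0.0.22 10.0.0.2 53 UDP Allowed
2006-09-23 03:01:02 10.0.0.22 198.51.100.5 80 TCP Allowed
"""


def parse_log(text):
    """Parse the simplified log into a list of dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, clock, src, dst, port, proto, action = line.split()
        records.append({
            "ts": datetime.fromisoformat(f"{day} {clock}"),
            "src": src, "dst": dst, "port": int(port),
            "proto": proto, "action": action,
        })
    return records


def find_dns_beacons(records, resolvers, min_events=5, max_rel_jitter=0.25):
    """Return {(src, dst): stats} for port-53 traffic to non-resolver IPs
    that repeats at a near-constant interval.

    A single stray lookup to a foreign IP is not flagged (below min_events);
    a host hammering the same foreign IP on a fixed timer, while the firewall
    is already denying it, behaves like a beacon, not a resolver client.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["port"] == 53 and r["dst"] not in resolvers:
            by_pair[(r["src"], r["dst"])].append(r["ts"])

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps)
        # Low jitter relative to the mean gap is the timer signature.
        if avg > 0 and jitter <= max_rel_jitter * avg:
            flagged[pair] = {
                "count": len(stamps),
                "mean_interval": avg,
                "jitter": jitter,
                "first": stamps[0],
                "last": stamps[-1],
            }
    return flagged


if __name__ == "__main__":
    hits = find_dns_beacons(parse_log(SAMPLE_LOG), KNOWN_RESOLVERS)
    for (src, dst), s in sorted(hits.items()):
        print(f"{src} -> {dst}:53  {s['count']} hits, every "
              f"{s['mean_interval']:.1f}s (jitter {s['jitter']:.2f}s), "
              f"{s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
```

The firewall log only names the client host; it cannot say which process on that host owns the socket. That step has to be done on the box itself, which is why the thread moves to a HijackThis log: on XP, `netstat -ano` maps open sockets to PIDs and `tasklist` maps PIDs to image names, but a one-second UDP timer may not leave a socket open long enough to catch, and a rootkit can hide the process from both.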
Posted by Dan on September 28, 2006, 2:08 am

Well, I hope Gary will provide the link to the HiJack This website in
this newsgroup so that other users like me can see what potential
malware is in the HiJack This log. Gary, if you do not want to post
here then you know my email and please email me where you posted the
Hijack This log and thanks in advance because I appreciate all you do
for these newsgroups.

Posted by MowGreen on September 28, 2006, 10:21 am
Dan,

Still haven't heard from Gary yet. If the malware is not a RootKit then
we'll get that link posted here. If it is an RK, then we'll have to take
this to a private thread to block RK writers from observing which tool
and version is used to remove it. That's what it's come down to lately.
But if Gary ever contacts us, we'll have him provide you with any info
you need.
Hope you understand ;)

MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============



