Posted by Gary S. Terhune on September 28, 2006, 11:29 am
It's an O17 item in HJT, Steve (actually, three or four nearly identical
items) involving some entries that include the rogue IPs, in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces.
But I can't get to the machine until later today or this evening. I don't seem
to have saved a copy of the HJT report anywhere else. I figure I'm also
close to or past the line where I won't be able to do much on it simply
because I'm working on it remotely. David's Multi_AV was plenty fun already.
It came up with a few things, but not what I'm looking for. This one is
still trying to ping those DNS servers about once per second, each IP.
--
Gary S. Terhune
MS-MVP Shell/User
> Dan,
>
> Still haven't heard from Gary yet. If the malware is not a RootKit then
> we'll get that link posted here. If it is an RK, then we'll have to take
> this to a private thread to block RK writers from observing which tool and
> version is used to remove it. That's what it's come down to lately.
> But if Gary ever contacts us, we'll have him provide you with any info you
> need.
> Hope you understand ;)
>
> MowGreen [MVP 2003-2006]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
> Dan wrote:
>> MowGreen wrote:
>>>>> the ISA logs show this machine making repeated calls on DNS protocol,
>>>>> port 53, to two different IPs that belong to a web hosting company in
>>>>> the Ukraine. I can't help but think that this is malware in action,
>>>>> but can't determine what is doing it.
>>>
>>> Gary,
>>>
>>> As long as you can keep the malware blocked, post the log to the
>>> HijackThis Forum at AumHa:
>>> http://aumha.net/viewforum.php?f=30
>>>
>>> We'll call in the "Experts" if need be and at least identify the
>>> malware, the risk from it, and who's hosting it.
>>>
>>> I'll BCC this. Email me when you post the HJT log and please, provide us
>>> with the IPs, too.
>>>
>>>
>>> MowGreen [MVP 2003-2006]
>>> ===============
>>> *-343-* FDNY
>>> Never Forgotten
>>> ===============
>>>
>>>
>>> Gary S. Terhune wrote:
>>>> I have an XP Pro box on an SBS network (one SBS Premium server w/ ISA
>>>> 2004, two XP Pro clients.) The box was heavily infected by numerous viruses
>>>> and other malware on 9/11. Issues with antivirus installation resulted in
>>>> its not updating for some time, but I'm not certain just how it all got
>>>> started. Far as I can tell, none of it got to any of the other machines on
>>>> the network.
>>>>
>>>> I cleaned up using various AV and anti-spyware tools (AdAware, Spybot,
>>>> Trend-Micro AV) and it seems to be healthy now, but the ISA logs show this
>>>> machine making repeated calls on DNS protocol, port 53, to two different IPs
>>>> that belong to a web hosting company in the Ukraine. I can't help but think
>>>> that this is malware in action, but can't determine what is doing it. The
>>>> ISA firewall is blocking the requests, but I'd like to know what's going on.
>>>> Any ideas on how to trace this? I can't find anything in running processes
>>>> that isn't supposed to be there. Note that these calls are being made even
>>>> when nobody is logged on to the machine. They're averaging one per second.
>>>>
>>
>> Well, I hope Gary will provide the link to the HiJack This website in
>> this newsgroup so that other users like me can see what potential malware
>> is in the HiJack This log. Gary, if you do not want to post here then
>> you know my email and please email me where you posted the Hijack This
>> log and thanks in advance because I appreciate all you do for these
>> newsgroups.
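The O17 entries Gary mentions are the per-interface DNS server values under the Tcpip\Parameters key. The script below is an added example, not code from this thread, that audits those values against an allowlist of known-good DNS servers and flags anything else; it assumes a Windows host with PowerShell 2.0 or later, and the allowlist address is a constructed placeholder.

```powershell
# Added example (not from the thread): enumerate the DNS server settings that
# HijackThis reports as O17 items and flag any server not on an allowlist.
# Constructed placeholder: replace with the LAN address(es) of your own DNS/SBS server.
$Allowed = @('192.168.16.2')

$Base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
# Check the global Parameters key plus every per-interface subkey.
$Keys = @($Base) + @(Get-ChildItem -Path "$Base\Interfaces" | ForEach-Object { $_.PSPath })

$Findings = foreach ($Key in $Keys) {
    $Props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $Props) { continue }
    # NameServer (static) overrides DhcpNameServer (DHCP-assigned); a hijack
    # normally plants its addresses in NameServer, but report both.
    foreach ($Name in 'NameServer', 'DhcpNameServer') {
        $Value = $Props.$Name
        if ([string]::IsNullOrWhiteSpace($Value)) { continue }
        # The value is a space- or comma-separated list of IP addresses.
        $Servers = $Value -split '[ ,]+' | Where-Object { $_ }
        foreach ($Ip in $Servers) {
            [pscustomobject]@{
                Key    = $Key -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                Value  = $Name
                Server = $Ip
                Status = if ($Allowed -contains $Ip) { 'ok' } else { 'SUSPECT' }
            }
        }
    }
}

$Findings | Format-Table -AutoSize
$Suspect = @($Findings | Where-Object { $_.Status -eq 'SUSPECT' })
Write-Output ("{0} DNS server value(s) not on the allowlist." -f $Suspect.Count)
```

Run it elevated so every interface subkey is readable; a SUSPECT row that survives a reboot is the setting to correct, and the ISA block should stay in place until it does.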