Svchost.exe and email exploit troubles... [Closed]

Hello,
First, I’d like to thank you all for Comodo.
but…
I have had a lot of trouble with svchost.exe. This is more or less a follow-up of a recent problem that occurred while I was running AVG 8.0, because similar things are happening.

First, I encourage anyone to read my malware report at SpyBotS&D here:

In a nutshell, I have been receiving emails from 127.0.0.1 and sending out (?) about a thousand via svchost.
Tons of svchosts can be seen here:
http://img149.imageshack.us/img149/1812/svchostrt1.jpg

I can prove this via a simple TCP logging tool as well. Here is the log of all outgoing/incoming traffic:
http://rapidshare.com/files/115911222/TCPLog.txt.html

Also, I know a lot about malware and protecting your computer. I do scans on a regular basis…

Please help, as we speak Comodo is reporting 108 outbound TCP and UDP from 2 svchost.exe’s… ???

Spybot is past its prime and shouldn't be trusted. svchosts are mainly Windows services, but sometimes malware can use them. Have you tried doing a full scan with SuperAntiSpyware or Malwarebytes Anti-Malware? Have you done a complete virus scan with something other than AVG? All my Windows services are set to outgoing only. There is a thread about this. AVG 8 also has a lot of problems.

https://forums.comodo.com/empty-t14948.0.html

You’ve definitely got yourself a problem. Something has turned your PC into a spam zombie.

The best thing you can do is to disconnect your machine from the Internet until you get it cleaned up. If this is the only machine you’ve got, then you will need Internet access to get to the tools to do the cleanup, but you will need to block the spam zombie function and its command-and-control tunnel. With the following, I’m going to presume that you just have the one PC.

First off, let's try to stop any outbound email traffic. That will keep you from sending out any spam. In your Global rules, add a rule to block any outgoing TCP traffic to port 25 and to port 587.

To keep the zombie command-and-control at bay, in your Global Rules, add a rule to block all IP protocol traffic outbound from your PC to anywhere. Add a corresponding rule to block all IP protocol traffic inbound to your PC from anywhere. If the zombie controller has gotten into your TCP stack, that may or may not work in blocking all traffic. One thing it should do, which I’m counting on, is alert you to any process that is trying to make a network connection. The zombie controller is invariably a hidden process, and can be a pain to find. The alert may give you the process name and filesystem path. Knowing that will go a long way toward getting this cleaned up.

Along those same lines, from a command prompt, run the command “netstat -anobv”. Be patient, as this can take a while. That should give you a full path and dll list of anything talking to the network. It’s going to be a long list, but if you could post it here, it would help a lot in identifying this malware version.

Keeping your machine offline for a while may be important. If the zombie controller process opens up a tunnel outbound to its control host, it can set up a remote control shell process, and then somebody somewhere else will be controlling your machine, and not you even if you’re sitting at the keyboard.
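An added example, not part of the thread and not Comodo's or the poster's code: the reply above asks for the `netstat -anobv` listing and for the process behind each outbound connection, and reading a long listing by hand is error-prone. The script below parses the Windows XP `netstat -anob` layout (connection line, then the modules that own the socket, then the process name in square brackets), groups sockets by PID and flags the two things the reply is hunting for, TCP connections to the SMTP ports 25/587 and any socket talking to an address outside the machine. The sample listing, the host address 192.0.2.10 and the peer 203.0.113.7 are constructed for the example; they are not the poster's data.

```python
"""Triage helper for the output of `netstat -anob` on Windows.

Added example, not code from the original thread or from Comodo. It parses
the format netstat prints on Windows XP (a connection line, then the modules
that own the socket, then the process name in square brackets) and flags
what the reply above is looking for: TCP connections to the SMTP ports and
any socket talking to an address outside the machine. The sample output
below is constructed for the example; it is not the poster's netstat log.
"""
import re
from collections import defaultdict

SMTP_PORTS = {25, 587}
CONN_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def parse_netstat(text):
    """Return one dict per connection, with the module list and owner netstat prints under it."""
    conns, current = [], None
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state, pid = m.groups()
            current = {"proto": proto, "local": (lip, lport), "remote": (rip, rport),
                       "state": state or "", "pid": int(pid), "process": None, "modules": []}
            conns.append(current)
        elif current is not None:
            m = OWNER_RE.match(line)
            if m:
                current["process"] = m.group(1)
            elif line.strip().lower().endswith((".dll", ".exe", ".sys")):
                current["modules"].append(line.strip())
    return conns


def is_local(addr):
    """True for loopback, unbound and wildcard addresses."""
    return addr.startswith("127.") or addr in ("0.0.0.0", "*", "[::]", "[::1]")


def triage(text, trusted=frozenset()):
    """Group connections by PID and flag outbound SMTP and external peers."""
    conns = parse_netstat(text)
    by_pid, smtp, external = defaultdict(list), [], []
    for c in conns:
        by_pid[c["pid"]].append(c)
        rip, rport = c["remote"]
        if c["proto"] == "TCP" and rport != "*" and int(rport) in SMTP_PORTS:
            smtp.append(c)
        if not is_local(rip) and rip not in trusted:
            external.append(c)
    return {"connections": conns, "by_pid": dict(by_pid), "smtp": smtp, "external": external}


def summarize(result):
    """One line per PID; a flagged svchost.exe PID still needs `tasklist /svc` to name the service."""
    lines = []
    for pid, conns in sorted(result["by_pid"].items()):
        name = next((c["process"] for c in conns if c["process"]), "unknown")
        n_smtp = sum(1 for c in result["smtp"] if c["pid"] == pid)
        n_ext = sum(1 for c in result["external"] if c["pid"] == pid)
        flag = "  <-- investigate" if n_smtp or n_ext else ""
        lines.append(f"PID {pid:>5} {name:<14} conns={len(conns)} smtp={n_smtp} external={n_ext}{flag}")
    return lines


# Constructed sample in the XP `netstat -anob` layout (not the poster's data).
SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       736
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\System32\alg.exe
  [alg.exe]

  TCP    192.0.2.10:1043        203.0.113.7:25         ESTABLISHED     720
  C:\WINDOWS\system32\WS2_32.dll
  [svchost.exe]

  TCP    192.0.2.10:1044        203.0.113.7:80         SYN_SENT        720
  [svchost.exe]

  UDP    0.0.0.0:4500           *:*                                    576
  C:\WINDOWS\system32\oakley.DLL
  [lsass.exe]

  UDP    127.0.0.1:1900         *:*                                    928
  [svchost.exe]
"""

if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE))))
```

To use it on a real machine, run `netstat -anob > netstat.txt` from a cmd.exe window (on XP, adding `-v` is what produces the module list under each line) and pass the file's contents to `triage()`. Because one svchost.exe hosts several services, a flagged svchost PID only narrows the search; `tasklist /svc` or Process Explorer is still needed to see which service group that PID runs.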

Hello Again,
Thanks for the reply. I have run BOClean and SuperAntiSpyware. No luck on catching anything… Also I ran a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:21:12 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Documents and Settings\Luke\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\COMODO\Firewall\cfp.exe” -h
O4 - HKLM..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘Default user’)
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &WordWeb… - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - G:\PortableApps\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - G:\PortableApps\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193630486466
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: uniime32 - C:\WINDOWS\SYSTEM32\uniime32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


End of file - 6509 bytes

I was unable to run netstat -anobv for an extended period of time. It kept closing itself. Here’s what I did manage to get while offline:

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       736
  C:\WINDOWS\System32\WS2_32.dll
  C:\WINDOWS\System32\alg.exe
  C:\WINDOWS\system32\RPCRT4.dll
  C:\WINDOWS\system32\ole32.dll
  [alg.exe]

  TCP    127.0.0.1:10110        0.0.0.0:0              LISTENING       1344
  [avgemc.exe]

  UDP    0.0.0.0:4500           *:*                                    576
  C:\WINDOWS\system32\WS2_32.dll
  C:\WINDOWS\system32\oakley.DLL
  C:\WINDOWS\system32\LSASRV.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [lsass.exe]

  UDP    0.0.0.0:500            *:*                                    576
  C:\WINDOWS\system32\WS2_32.dll
  C:\WINDOWS\system32\oakley.DLL
  C:\WINDOWS\system32\LSASRV.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [lsass.exe]

  UDP    127.0.0.1:1900         *:*                                    928
  c:\windows\system32\WS2_32.dll
  c:\windows\system32\ssdpsrv.dll
  C:\WINDOWS\system32\ADVAPI32.dll
  C:\WINDOWS\system32\kernel32.dll
  [svchost.exe]

  UDP    127.0.0.1:123          *:*                                    820

Also, I used Sysinternals Process Explorer and caught the svchost connection to another server. I also was able to catch it again via a packet reader. Here’s the Sysinternals info:

http://img377.imageshack.us/img377/4002/svchostipcaughtos6.th.jpg

As you can see it is svchost.exe:720 and it has a stack of several programs. Also it is running 2 services DcomLaunch and TermService, which were in the services tab.

At all times it is listening for info coming from the IP address below.

Results of IP Tracking for 67.210.97.77
IP address 67.210.97.77
Hostname Not available
ISP ADDD2NET COM INC DBA LUNARPAGES
Country United States United States

How to handle an abusive or fraud mail
If you are tracking an abusive or fraud mail here is a possible list of email addresses to complain to.

* hostmaster[ at ]lunarpages.com

On another occasion it came from this address, but only once:

Results of IP Tracking for 8.15.231.163
IP address 8.15.231.163
Hostname Not available
ISP Level 3 Communications, Inc.
Country United States United States

How to handle an abusive or fraud mail
If you are tracking an abusive or fraud mail here is a possible list of email addresses to complain to.

* security[ at ]level3.com
* arin-contact[ at ]genuity.com
* ipaddressing[ at ]level3.com
* abuse[ at ]cwie.net
* noc[ at ]cwie.net
* ipadmin[ at ]cwie.net
* chris.mcduffie[ at ]enom.com
* bruce.bronczyk[ at ]enom.com
* chris.peeters[ at ]enom.com

Once I blocked port 25 in Comodo Global settings it began going through port 80, 443, and UDP port 53. I cannot block port 80 because Firefox (my web browser) also uses this.

The packet reader revealed a lot of strange information from port 80 as well. This information included scanning of webpage headers and what appeared to be Google ad click-throughs. Not just a few, mind you, but several thousand click-throughs. I could see this also as some type of DoS… O_o

With Comodo on Block All mode, svchost proceeds to wait on the port and IP listed in SysInternals. soo…

Any other suggestions on what I can try and do from here?
Currently I am limiting my time on the internet because every time I connect it begins this whole process.

Thank you for the HiJack log. That’s one of the things I was going to ask for. Having looked over it, though, there isn’t anything immediately obvious. That’s kind of expected, for reasons that will be apparent in a moment.

The packet reader revealed a lot of strange information from port 80 as well. This information included scanning of webpage headers and what appeared to be Google ad click-throughs. Not just a few, mind you, but several thousand click-throughs. I could see this also as some type of DoS... O_o

Not a DoS, but click-fraud. That it would switch from email spam to click-fraud is a real strong indicator that this malware is professional criminal stuff, which tends to be a real pain to identify and remove. It also indicates that the zombie command-and-control channel is working. That means that staying offline as much as possible is going to be important.

The professional malware stuff is very good at hiding, and reinstalling itself. That’s why your HiJack log isn’t showing anything. Try renaming your HiJackThis.exe to some other name, like someothername.exe. Best to make up a name on your own. Then re-run, and see if the log is different. There’s a good chance that it will be different, as the malware is hiding itself by intercepting scans.

As you can see it is svchost.exe:720 and it has a stack of several programs. Also it is running 2 services DcomLaunch and TermService, which were in the services tab.

The DcomLaunch and TermService services might be in use by some of your legitimate applications. They are also used by malware to establish over-the-net command line tunnels. You can turn these services off by using the “services.msc” command. Click Start → Run, enter “services.msc”, highlight the service, right click and select Properties, and choose a startup type of “disabled”. That should make the tunneling a little more difficult. Malware can still tunnel out using web traffic on port 80, so it won’t be stopped, just slowed down a lot with considerably reduced functionality (no remote admin login, for example).

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe

Since you did a packet capture, I’m presuming that you know about this being present on your machine. Are you using Wireshark? If so, we can tailor some CFP rules based on the Wireshark data, which should make things easier for you to be on the net but block the malware. And could you post the packet capture file?

Hello Again,
Ok, I renamed the HijackThis to “FunSolitaire213.exe”, doesn’t seem to be any difference though.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:20 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Luke\Desktop\FunSolitaire213.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\COMODO\Firewall\cfp.exe” -h
O4 - HKLM..\Run: [BOC-426] C:\PROGRA~1\Comodo\CBOClean\BOC426.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User ‘Default user’)
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: NYKO Gamepad Mapping Tools.lnk = C:\Program Files\NYKO\Gamepad Mapping Tools\ngpmap.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: CallWave.lnk = C:\Program Files\CallWave\IAM.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &WordWeb… - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - G:\PortableApps\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra ‘Tools’ menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - G:\PortableApps\WinHTTrack\WinHTTrackIEBar.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193630486466
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: uniime32 - C:\WINDOWS\SYSTEM32\uniime32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


End of file - 6569 bytes


I also did a few scan for rootkits. No luck there either.

After disabling the 2 services in svchost:720, it left. A new one appeared called svchost:740.
It contains RpcSs Remote Procedure Call (RPC) C:\WINDOWS\system32\rpcss.dll
However, it is currently sending no information and I feel a little safer on the internet.

There is one svchost sending information on port 53 but it seems to be rather limited and contains no real data.
Here’s a list of the processes:

Process              PID   CPU     Description                                    Company Name
System Idle Process  0     100.00
Interrupts           n/a           Hardware Interrupts
DPCs                 n/a           Deferred Procedure Calls
System               4
smss.exe             440           Windows NT Session Manager                     Microsoft Corporation
csrss.exe            496           Client Server Runtime Process                  Microsoft Corporation
winlogon.exe         520           Windows NT Logon Application                   Microsoft Corporation
services.exe         564           Services and Controller app                    Microsoft Corporation
svchost.exe          740           Generic Host Process for Win32 Services        Microsoft Corporation
svchost.exe          768           Generic Host Process for Win32 Services        Microsoft Corporation
wuauclt.exe          2228          Windows Update Automatic Updates               Microsoft Corporation
svchost.exe          824           Generic Host Process for Win32 Services        Microsoft Corporation
svchost.exe          912           Generic Host Process for Win32 Services        Microsoft Corporation
spoolsv.exe          1044          Spooler SubSystem App                          Microsoft Corporation
avgamsvr.exe         1188          AVG Alert Manager                              GRISOFT, s.r.o.
avgupsvc.exe         1212          AVG Update Service                             GRISOFT, s.r.o.
avgemc.exe           1248          AVG E-Mail Scanner                             GRISOFT, s.r.o.
BOCore.exe           1316          COMODO BOClean - Anti-Malware                  COMODO
cmdagent.exe         1332          Comodo Agent Service                           COMODO
nvsvc32.exe          1384          NVIDIA Driver Helper Service, Version 71.89    NVIDIA Corporation
pctspk.exe           1524          PCTSPK.EXE                                     PCtel, Inc.
svchost.exe          1668          Generic Host Process for Win32 Services        Microsoft Corporation
ULCDRSvr.exe         1764          ULCDRSvr                                       Ulead Systems, Inc.
alg.exe              232           Application Layer Gateway Service              Microsoft Corporation
lsass.exe            576           LSA Shell (Export Version)                     Microsoft Corporation
explorer.exe         1200          Windows Explorer                               Microsoft Corporation
avgcc.exe            400           AVG Control Center                             GRISOFT, s.r.o.
cfp.exe              416           COMODO Firewall Pro                            COMODO
ctfmon.exe           484           CTF Loader                                     Microsoft Corporation
procexp.exe          3140          Sysinternals Process Explorer                  Sysinternals - www.sysinternals.com
svchost:768 seems to be doing nothing but it has 2 local address UDP protocols: localhost.ntp, g4j:ntp.

I am not using Wireshark, but rather an Advanced Packet Sniffer from NetTools. It has many other tools too, not sure how safe they all are… you may want to look into this and see if this would be the cause of some of this. I’m not sure if it is or not because I have had the same problem once before on my old hard drive; it starts at random and as of yet no one has been able to find the cure. Also, if you would like me to sniff/read the packets I would need to re-enable the now disabled services…

Interestingly, an old problem I’ve had where explorer.exe had “memory” errors such as “read/write” errors also seems to be linked to this. After a lot of port 80 attacks were noticed (unfortunately unlogged) I restarted my computer and a bomb of 50 explorer.exe “write” crashes were reported. Here’s the same ol' story I’ve had for years: http://www.jcxp.net/forums/index.php?showtopic=24059

Thanks again, let’s nail this thing.

Edit: Not sure if this means anything, but it just came on and I’m getting lots of them:

http://img225.imageshack.us/img225/4170/delayedtempao7.jpg

FAP3, FAP4,FAP5 so far. Still can’t seem to catch the file. If I can I’ll upload it.

Edit Again: I got the idea from this site: http://translate.google.com/translate?hl=en&sl=de&u=http://forum.hijackthis.de/showthread.php%3Ft%3D22461&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3DFAP2.tmp%26hl%3Den%26client%3Dfirefox-a%26rls%3Dorg.mozilla:en-US:official%26sa%3DG
to run a filelist.bat. It lists everything on my computer and in temp; unfortunately the temp is now apparently gone. Anyhow, get it here:
http://rapidshare.com/files/116165311/filelist.txt.html

Running a difference check on your HJT logs, shows the only difference between the two is that in the second HJT log you’re running SuperAntiSpyware at that moment, and you were not running it at the time of the first log.

rpcss.dll should be only a listener process, meaning it should not try to initiate any outbound traffic. But anything inbound that talks to it could cause a process to run. You could create a rule in CFP to block any traffic from the Internet to that process/dll. That would help tighten things down a little more.

Port 53, either TCP or UDP, is used for domain name lookup. That’s how domain names get turned into Internet addresses, like looking up names in a telephone directory. Your PC should talk only to your router or to your ISP nameservers. Anything else is not legitimate traffic. If malware has gotten into your TCP stack, then you may have invalid addresses in your Windows registry. Check with your ISP, by voice or on their support web site, and get the IP addresses for the nameservers that your PC should be using. Then create CFP rules to allow TCP and UDP to those IP addresses on port 53, and block any outbound traffic to any other Internet address on port 53. That will block any domain spoofing or tunnel attempts by malware on your machine.

Port 123, UDP only, is the Network Time Protocol service port. TCP is not used to keep network accessible time. It's your choice to block all outbound connections to remote port 123 (in which case, your PC clock won’t be able to sync to any time servers), or to allow only connections to your ISP time server if they have one, or to the Microsoft default of time.windows.com, which for me resolves to 207.46.232.182. That’s a load distributed domain name, so you could get a different address if there is a server closer to you.

Nettools looks to be an interesting package that has just about everything, including the proverbial kitchen sink. I doubt that it is the cause of anything, but its presence could be masking some stuff. I think it’s okay to leave it in place, and consider it a useful tool, but be aware that something could be using it to hide behind.

I eyeballed the “memory read/write” thread in the other forum. My initial reaction was that of others there, in that you likely have (or had) a bad memory stick. It could also be a buffer overflow attack that just didn’t work. Does your CPU support the DEP hardware protection feature? If so, is it turned on?

Once you have these additional CFP rules in place, you should use Nettools to watch traffic both inbound, and especially outbound. I’m assuming you are connecting through a router. If you disconnect your router from the Internet, but leave your LAN connection, malware will show itself by trying to make an outbound connection to “call home”. If you can log traffic overnight while your router is disconnected from the Internet, you should be able to catch a tunnel attempt if it’s using anything besides port 80 web traffic.

Then to cut back the effectiveness of any web tunnel, create a Windows user running as a “limited user account” and do any web access through that new user account. The lack of admin privileges won’t stop a tunnel from being connected, but will seriously slow down or stop cold anything that tries to download or change your machine. With Windows Internet Explorer zones set for max security, you should be able to get to the Internet safely enough to where we can start doing some cleanup.
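An added example, not part of the thread and not Comodo's or the poster's code: the rule set in the reply above (port 53 only to the ISP's nameservers, port 123 only to the chosen time server, no outbound SMTP) can be checked against a capture taken while the malware is trying to call home, before the rules are put into the firewall. The script reads a classic little-endian pcap with nothing but the Python standard library, decodes Ethernet/IPv4/TCP/UDP headers, and lists every outbound packet the rules would have blocked. It handles the Ethernet link type only; a dial-up capture like the poster's is PPP-framed and would need a different frame decoder. The capture, the host address 192.0.2.10 and the nameserver/time-server addresses are constructed for the example.

```python
"""Check a packet capture against the firewall policy described above.

Added example, not code from the original thread or from Comodo. It reads a
classic little-endian pcap (Ethernet link type only; the poster's dial-up
capture would be PPP and is not handled), decodes IPv4/TCP/UDP headers with
the standard library, and reports outbound packets that the rules in the
post would block: DNS to anything other than the ISP's nameservers, NTP to
anything other than the chosen time server, and any outbound SMTP. The
capture, the host address and the server addresses are constructed here.
"""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
SMTP_PORTS = (25, 587)


def iter_packets(data):
    """Yield (timestamp, frame) for each record in a pcap buffer."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example decodes Ethernet captures only")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Return the IPv4 TCP/UDP 5-tuple of an Ethernet frame, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (6, 17) or len(ip) < ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"proto": "TCP" if proto == 6 else "UDP",
            "src": dotted(ip[12:16]), "dst": dotted(ip[16:20]),
            "sport": sport, "dport": dport}


def check_policy(pcap_bytes, my_ip, nameservers, timeservers):
    """List (reason, packet) for outbound packets the rules would block."""
    findings = []
    for _ts, frame in iter_packets(pcap_bytes):
        p = decode(frame)
        if p is None or p["src"] != my_ip:        # only traffic leaving this host
            continue
        if p["dport"] == 53 and p["dst"] not in nameservers:
            findings.append(("DNS to non-ISP resolver", p))
        elif p["proto"] == "UDP" and p["dport"] == 123 and p["dst"] not in timeservers:
            findings.append(("NTP to unexpected time server", p))
        elif p["proto"] == "TCP" and p["dport"] in SMTP_PORTS:
            findings.append(("outbound SMTP", p))
    return findings


# --- constructed sample capture (not the poster's pcap) -------------------
def build_frame(src, dst, proto, sport, dport):
    """Minimal Ethernet+IPv4+TCP/UDP frame; checksums are left zero."""
    ip4 = lambda a: bytes(int(x) for x in a.split("."))
    eth = b"\x00" * 12 + b"\x08\x00"
    l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip4(src), ip4(dst))
    return eth + ip + l4


def build_pcap(frames):
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1211200000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


MY_IP = "192.0.2.10"            # assumed address of the infected PC
NAMESERVERS = {"192.0.2.1"}     # assumed ISP resolver
TIMESERVERS = {"192.0.2.2"}     # assumed chosen NTP server
SAMPLE_PCAP = build_pcap([
    build_frame(MY_IP, "192.0.2.1", 17, 1025, 53),      # DNS to ISP resolver: fine
    build_frame(MY_IP, "203.0.113.53", 17, 1026, 53),   # DNS elsewhere: flag
    build_frame(MY_IP, "192.0.2.2", 17, 123, 123),      # NTP to chosen server: fine
    build_frame(MY_IP, "203.0.113.7", 6, 1030, 25),     # outbound SMTP: flag
    build_frame(MY_IP, "203.0.113.7", 6, 1031, 80),     # ordinary web: allowed
    build_frame("203.0.113.7", MY_IP, 6, 80, 1031),     # inbound: not checked
    build_frame(MY_IP, "198.51.100.9", 17, 123, 123),   # NTP elsewhere: flag
])

if __name__ == "__main__":
    for reason, p in check_policy(SAMPLE_PCAP, MY_IP, NAMESERVERS, TIMESERVERS):
        print(f"{reason:32} {p['proto']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}")
```

For a real capture, read the `.pcap` file into `check_policy()` with the PC's own address and the ISP's nameserver addresses. Port 80 is deliberately not in the rule set, matching the reply's point that web traffic has to stay open; anything that shows up only on port 80 needs the payload inspected in Wireshark rather than a port rule.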

Ok I’ve blocked all the ports. I’m still in my normal account, but I think I’ll get the limited account started.

DEP is turned on, but I read about an exploit on Wikipedia which may be of interest:
http://en.wikipedia.org/wiki/Data_Execution_Prevention

Also, does “netstat -anobv” by default close itself in about 3 min? Every time I run it, it closes in approx. 3 mins… :-\

Lastly, I am not behind a router, but rather I have dial-up. It took me several hours to download WireShark but I wanted to check it out. Here’s what it produced with all those services still turned off:
http://rapidshare.com/files/116177599/mydump.pcap.html ← Click to download pcap file.
As you can see there were 2 suspicious ones sent. It appeared the Unicode was sending out ads for a fake registry cleaner. If I turn those services (Dcom and Term) back on I have a hunch it will be flooding with port 25/80 TCPs and give us more information…

My ISP's IP range is around 12.183.1.4 and 12.183.1.0.2; as you can see a few connections were not my ISP…
* Gaming4JC yawns, gets sleepy and thinks he’ll return tomorrow. If you have any more information and/or suggestions just let me know.

Thank you for the packet capture.

Also, does "netstat -anobv" by default close itself in about 3min? Everytime I run it, it closes in approx. 3mins...
Nope, it should run to completion. It should be run from a command prompt, as the output can be quite long, and it does take several minutes to gather all the data. If you're running it from Start->run, then it might open a window, flash at you with all the data, and then close. If you use the start ->run method, you'll need to run "cmd.exe" to get the command prompt first, then enter the "netstat -anobv". Sorry for any confusion in all that.

I looked at the pcap file. It’s showing 32 captured packets, mostly PPP and DHCP handshakes during a 3 minute login. It does show 6 inbound packets of typical “net send” spam that some machine out on the Internet is trying to send to your machine. I’m not seeing any outbound traffic from your machine to the Internet. The IGMP, SSDP, and DHCP packets look to be normal initialization stuff. Not having a router, the IGMP and SSDP packets aren’t doing anything, but your PC doesn’t know you don’t have a router so it is sending the packets out anyhow.

The packet captures can give a lot of information. Turning those services back on, and capturing all the traffic may be the quickest way to find out what’s going on. Particularly in the web traffic on port 80.

It’s past the end of my day here, also. I should be back online sometime around 1800 GMT.

Hello,
Sorry for the late reply. I have run avast all day in thorough scan and found 2 W32.Trojan-generics left over from Daemon Tools, and I also left the sniffer run for some time. Also, I can not access some tools on my computer now, these include Windows Defragmenter; when I click Analyze or Defragment it does nothing. I should think this is one of the worms and/or services that has been disabled… :-/

I allowed the services and it all started back up with a ■■■■.
On wow3.pcap I began netstat at the same time. This should give you a substantial amount of information on everything that is connecting and where it is connecting to.

Here’s the netstat and pcap files all zipped up:
http://rapidshare.com/files/116423640/Logs.zip.html
As you will see netstat keeps turning off even with it in cmd.exe window…

About the WireShark files:
I was running CallWave Internet Answering Machine, if you see those in the UDP. And another time when I couldn’t get anything to start connecting so I tried loading google.com. It would seem it “piggybacks” or knows if something is connected and then it will connect. If nothing is sending/receiving it hardly ever will send/receive, making it hard to sniff out…

I have once again disabled all services and closed the ports. All except port 53/80. When I close them my internet stops working…

Hope this helps us find the culprit… I’ll go get some more zzz… for today.

Got it, and have done a real quick eyeball over the data. I’ll do a more thorough check tomorrow, when I’m more awake than I am now.

First thing that stands out, is that the nameservers you’re using seem to be okay, assuming you know who bwave.com is, and that you’re expecting to use their nameservers.

Second is that the command-and-control tunnel seems to be using normal web traffic, port 80 to make contact, and port 443 for an SSL encrypted channel. That would suggest creating a CFP rule to block port 443, leaving port 80 open. That might help to expose the details in the tunnel.

Third, is that this is professional malware written with a profit motive. It’s not likely it’s going to be easy to get rid of, and may be beyond my own skills. Comodo has a free malware removal service, but it uses remote services to let a tech get into your machine. Those services are disabled on your machine for now. My more immediate goal is going to be to get your machine to a point where you can safely use that removal service, and not have somebody on the other side of the Internet trying to pull the ladder out from under everything at the same time.

That defrag is not working raises a question in the back of my mind, in that the malware may have reserved some disk blocks for itself, like some of the very old copy-protection techniques used back in the floppy disk days. If a disk block gets changed, it replicates itself from elsewhere. Pure speculation on my part, but protective tripwire is something that professional malware is known to use.

I’ll post more when I’ve gone thru the capture files. And, thank you for the data. We’ll get this thing.

Yes, bwave.com is my ISP. I’ve closed port 443, but Comodo is still reporting UDP Out and an occasional UDP In from svchost on port 53.

The “tripwire” you spoke of seems like a good possibility…

I look forward to more information once you’ve run through the data. Let me know if you need anything else, and thnx.

Having had a chance to go thru the capture files, that was a lot of packets over just a very few minutes, but not a lot of variation in what it was doing: spam. Both email and, apparently web forum. The email is easy enough to control, but the forum stuff is going to be a little harder to herd.

About port 53 and the DNS server queries. The traffic in the capture files is normal stuff, so far. It’s going to your ISP nameservers. But we need to make sure that’s the only place that these queries are going. I don’t know what you’ve used in CFP rules, so I’ll outline what I think should work.

To simplify things a little, create a network zone. I’ll call it “DNS servers” in what follows. In this zone, you’ll list two host addresses: 12.183.0.2 and 12.183.1.4. These are your ISP nameservers, according to the capture files.

In Global Rules, you’ll need to add these 5 rules:

allow TCP/UDP out from anyhost anyport to zone[dns servers] port 53
block&log TCP/UDP out from anyhost anyport to anyhost port 53

allow TCP/UDP in from zone[dns servers] port 53 to anyhost anyport
block&log TCP/UDP in from anyhost port 53 to anyhost anyport

allow ICMP in from zone[dns servers] to anyhost

The first 2 rules will allow outbound queries only to your ISP, and the second 2 rules will only allow your ISP to answer back. Anything else gets blocked. The ICMP rule allows network error messages to come back from your ISP. These rules should make any DNS spoofing somewhat more difficult, and still allow you to have a working Internet name lookup service.

These rules should be at the top, or real close to the top, of your Global Rules.

In the capture files, it looks like the command-and-control host is 67.210.97.77, which seems to trace back to a co-lo box/router in Las Vegas NV. Blocking that host address likely wouldn’t work, as the malware would simply shift over to another host. The malware does have a list, and expects C&C machines to go offline as they are identified and cleaned up.

So the control tactic is going to have to be along the lines of “default deny” CFP rules, which follows the same form as the DNS nameserver rules I outlined above. It goes like this:

Edit “my port sets” for HTTP ports. The predefined set of ports is 80, 443, and 8080 on my machine. We want just ports 80 and 443.

Now create another network zone. I’ll call it “legit web sites”. In this zone you’ll add the names and addresses of web sites that you need to use, like www.comodo.com. You can use host names, as well as Internet addresses.

In Global Rules, you’ll need to add these rules after the nameserver rules (otherwise hostname lookups won’t work):

allow TCP out from anyhost anyport to zone[legit web sites] portset[HTTP ports]
block&log TCP out from anyhost anyport to anyhost portset[HTTP ports]

Then it should be only a case of adding known good sites into the “legit web sites” zone. That may be tedious for a little while. That should let you get out on the web safely, and keep the bad guys at bay. Then we can get on with the cleanup, without the worry of having the rug pulled out from under in the process.

You can watch traffic with Wireshark. You’ll see a lot of DNS traffic, as the malware will be making efforts to find a way home. So long as it’s your ISP nameservers that it’s talking to, all those DNS queries will be noise and not a problem.

Your CFP log will likely get large, and quickly. If you could, upload the raw CFP binary logfile. I’ve got the tools available to read the file directly. The log is located, on a WinXP box, in \Documents and Settings\All Users\Application Data\Comodo\Firewall Pro\cfplogdb.sdb.

And, before I forget, a question for you. Your capture file showed an update download from avast.com, but the HiJack log is showing AVG from grisoft.com. Are you running both, or just one, or something entirely different? Standard practice is to run just one antivirus package, as two packages can get into a “deadly embrace” where each thinks the other is the bad guy and they wind up locking your machine.

Something to try, that might give some useful information. The Defense+ facility in CFP, under its Advanced settings, has an Image Execution Control. Try the max Aggressive setting. That might tag the malware process(es) that are running things in the background. You might be overwhelmed with alerts, so careful reading of any alert information would be in order so typo names don’t get by (good guy spoolsv gets spoofed by bad guy spoclsv). If the background process can be identified, then it can be locked out, which would make cleanup a lot easier.
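To illustrate the typo-name check described above (spoolsv vs spoclsv), here is an added Python helper that is not from the original thread or from Comodo. It compares each name in a constructed process list against a set of standard Windows system process names and flags anything within a couple of edits of a known name without being that name.

```python
# Standard Windows system process names (XP era) to compare against.
KNOWN_GOOD = {"svchost.exe", "spoolsv.exe", "lsass.exe", "csrss.exe",
              "winlogon.exe", "services.exe", "explorer.exe"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(process_names, known=KNOWN_GOOD, max_distance=2):
    """Return (seen_name, closest_known_name, distance) for every name that is
    not itself a known-good name but sits within max_distance edits of one.
    Exact known-good names are never flagged; unrelated names are ignored."""
    hits = []
    for name in process_names:
        lname = name.lower()
        if lname in known:
            continue
        closest = min(known, key=lambda k: levenshtein(lname, k))
        distance = levenshtein(lname, closest)
        if distance <= max_distance:
            hits.append((name, closest, distance))
    return hits

# Constructed process list: two genuine names, two look-alikes, one unrelated program.
SAMPLE_PROCESSES = ["svchost.exe", "spoclsv.exe", "svch0st.exe", "explorer.exe", "firefox.exe"]
SUSPECTS = find_lookalikes(SAMPLE_PROCESSES)
# -> [("spoclsv.exe", "spoolsv.exe", 1), ("svch0st.exe", "svchost.exe", 1)]
```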

Hello Again,
I’m pretty sure I got the rules set correctly now. Here’s what they look like, let me know if I mistyped something since I got a little confused somewhere in the middle.
Rules:

http://img411.imageshack.us/img411/5697/globalrulesap6.th.jpg

Port Sets:

http://img508.imageshack.us/img508/2227/portsetsiz0.th.jpg

Funny it came out of Las Vegas, maybe they are gambling the money? lol…

About avast, sorry I thought I mentioned. I have uninstalled AVG and installed avast now. That’s what caught those 2 win32 things I mentioned in a previous post. Here’s an updated log file if you need it: http://rapidshare.com/files/116639038/hijackthis.log.html
You can also notice svchost is running on this log. It’s only on port 53 and pointing at my ISP atm (at the moment)…

Lastly, I have IRC and Instant Messengers via Pidgin if you wanted to live chat. It might make this a little easier and quicker if we were both on at the same time. If you want just PM me.

Update I see you just posted. Doing that on Defense+ now.

Now that you remind me about avast and avg, I remember your earlier posting. Sorry about my mixup on that.

Your Global Rules are almost correct. A couple of entries need to be rephrased, the rule order shuffled around a little, and one rule can be deleted. And I’ll try to match the wording that CFP uses to maybe minimize any confusion (which is what happens when I work with several different systems and products, each with a different syntax and terminology).

So the revised rules:

  1. block TCP in/out from IP Any to IP Any where sourceport is any and destport is 25

(the DNS rules)

  1. allow TCP/UDP out from IP Any to In[DNS servers] where sourceport is any and destport is 53
  2. block&log TCP/UDP out from IP Any to IP Any where sourceport is any and destport is 53
  3. allow TCP/UDP in from In[DNS servers] to IP Any where sourceport is 53 and destport is any
  4. block&log TCP/UDP in from IP Any to IP Any where sourceport is 53 and destport is any
  5. allow ICMP in from In[DNS servers] to IP Any where ICMP message is any

(the web rules - this absorbs one old rule about port 443)

  1. allow TCP out from IP Any to In[legit sites] where sourceport is any and destport In[HTTP Ports]
  2. block&log TCP out from IP Any to IP Any where sourceport is any and destport In[HTTP Ports]

Sorry for the crazy spacing, I’m trying to get things to line up, so it’s easier to see what the rules are doing.

In your HTTP Ports set, make sure you have only port 80 and port 443 in the set. You don’t want port 8080 in that set, per my PM.
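The revised rule list above (and the earlier DNS and web rule outlines) depends on first-match ordering and on zone membership. As an added illustration that is not from the original thread or from Comodo, this Python model evaluates constructed connections against those rules; the nameserver addresses and the C&C host are the ones quoted in the thread, while the "legit sites" address is a constructed placeholder standing in for a resolved www.comodo.com.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Zones and port set as the thread sets them up. 203.0.113.10 is a constructed
# placeholder for a resolved www.comodo.com, not its real address.
ZONES = {"DNS servers": {"12.183.0.2", "12.183.1.4"}, "legit sites": {"203.0.113.10"}}
PORT_SETS = {"HTTP Ports": {80, 443}}   # 8080 deliberately left out, as advised

@dataclass
class Rule:
    action: str             # "allow", "block" or "block&log"
    protos: Set[str]        # e.g. {"TCP", "UDP"} or {"ICMP"}
    direction: str          # "in", "out" or "in/out"
    zone: Optional[str]     # remote side must be in this zone; None = IP Any
    src_port: Optional[int] = None   # None = any
    dst_port: object = None          # None = any, an int, or a port-set name

    def matches(self, proto, direction, remote_ip, sport, dport):
        if proto not in self.protos or self.direction not in (direction, "in/out"):
            return False
        if self.zone is not None and remote_ip not in ZONES[self.zone]:
            return False
        if self.src_port is not None and sport != self.src_port:
            return False
        if isinstance(self.dst_port, str):
            return dport in PORT_SETS[self.dst_port]
        return self.dst_port is None or dport == self.dst_port

# The revised global rules, in the order given in the thread (first match wins).
GLOBAL_RULES = [
    Rule("block", {"TCP"}, "in/out", None, dst_port=25),
    Rule("allow", {"TCP", "UDP"}, "out", "DNS servers", dst_port=53),
    Rule("block&log", {"TCP", "UDP"}, "out", None, dst_port=53),
    Rule("allow", {"TCP", "UDP"}, "in", "DNS servers", src_port=53),
    Rule("block&log", {"TCP", "UDP"}, "in", None, src_port=53),
    Rule("allow", {"ICMP"}, "in", "DNS servers"),
    Rule("allow", {"TCP"}, "out", "legit sites", dst_port="HTTP Ports"),
    Rule("block&log", {"TCP"}, "out", None, dst_port="HTTP Ports"),
]

def evaluate(proto, direction, remote_ip, sport=None, dport=None, rules=GLOBAL_RULES):
    """Return the action of the first matching global rule, or None when no
    global rule matches (CFP then falls through to the application rules)."""
    for rule in rules:
        if rule.matches(proto, direction, remote_ip, sport, dport):
            return rule.action
    return None

# Example: the C&C host named in the thread, contacted on port 80 -> "block&log"
VERDICT_CNC = evaluate("TCP", "out", "67.210.97.77", 1027, 80)
```

Swapping the DNS allow and block&log rules (or placing the web rules ahead of them) changes the verdicts, which is why the thread insists on the order.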

Very interesting on the last PM you sent about a proxy. I have on only one occasion used that proxy via FoxyProxy plugin for Firefox in order to test it. However, this plugin has been turned off for over a month. ???
As for the Rules I think I fixed them all now:
http://xs227.xs.to/xs227/08214/new_global_rules356.jpg

The rules look good. Malware being what it is, it’ll try to find a way around the blocks. The CFP logs will help some in identifying where some of the C&C hosts are, and I’m sure there will be a lot of them. I’ve heard reports of rotating lists of a hundred or more, which is why blocking just one at a time doesn’t work.

If you’re able to get out on the web more or less normally, then we’re getting to the point of being able to do some cleanup. If you want to get a jump on things, eyeball the sticky topic at the top of this forum page titled “Free Spyware/Malware Cleaning”. If you follow the links, it will set you up with a chat session on liveperson.net with a tech (not me, but someone else) who gets to do the heavy lifting. If you can’t get the session to work, then I’ll work with you to get things back to a working state. You’ll need to add liveperson.net and its various hosts to the CFP zone “legit sites”.

Since I’m coming up on the end of my day, we’ll have to pick this up tomorrow, probably after 1800 GMT. If you’re game, you can try the chat service in the sticky topic just to see what works and what doesn’t.

Ok, it’s getting close to the end of my day too. I’ll try and use that live chat thing though. And thanks for all the help you’ve been so far.