Full Version: I Need Some Help
53r0
hi there,

i have a problem ..
my sister has played with my pc and executed a file
with the name ipchack.exe
now i have some unknown connections on port 80
and an app called IEXPLORE.EXE listening on port 6666 or so.
every time i quit the process it starts again and in the
services i can't find anything.

so maybe you have an idea what happened?

thx 4 help.
FLW
1. Do you have an up-to-date anti-virus scanner, and if so, has it been updated lately? If so, have you scanned all your drives since this began?

2. Do you have a firewall in place and configured to allow only web surfing and email?

3. Go to one of the many online port scanners and see what they see as open on your PC. There are many good ones, but at this moment off the top of my head I can only think of grc.com; use their web-based "Shields Up" port tester app.

Note: If an app is coded to run at startup but not as a service, then it won't be listed in Services.
virus
I don't think u need a firewall for this app, cause IEXPLORE.exe is the executable file for MS Internet Explorer. Obviously it will connect to port 80 when u browse the Net .....

*sorry, but it was really funny. can't help it
silos
I think that should be IPCHECK.EXE. [I believe it's a tool that checks to see if your IP has changed, not sure though].
53r0
QUOTE (digger @ Aug 26 2003, 06:40 PM)
I don't think u need a firewall for this app, cause IEXPLORE.exe is the executable file for MS Internet Explorer. Obviously it will connect to port 80 when u browse the Net .....

*sorry, but it was really funny. can't help it

lol?!

the app starts automatically (even if i don't browse or have the explorer open).
and the real iexplore.exe is another app.
i see it in active ports as another app in the same folder to execute.

it seems that it connects to
CODE

mc9.bay6.hotmail.com:smtp
clusterd.icq.com:http


and listens on port 6666

and then i have many unknown tcp connections from
CODE

myPC:http

[edited by digger]
silos
Have you looked in MSCONFIG to see if it's running there? Look in the Startup section and uncheck it.
I'd certainly run an AV and a Trojan scanner [SWATIT is a free one that's not too bad].
T3cHn0b0y
Most likely a backdoor trojan with ICQ notification. Easiest way to find out if it's a trojan:

Go to "Start > Run" and type "regedit"

Go to "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" and check inside these keys:

"Run" / "RunOnce" / "RunOnceEx" / "RunServices"

Now check to see if there are any entries listed inside with paths to executables such as "IEXPLORE.EXE" or the others you mentioned. There should be no references to the Internet Explorer executable, as it is run on user initiation. If you find an entry here, go to Google and search for an online virus scanner or trojan removal guide.

Hope this helps,
T3cHn0b0y.
53r0
hi,

hm, i don't find anything there,
the only thing i found is mspxkr.com in the system32 folder
so what can i do now?
krackatoa
Go to Trend (www.trend.com) and use the free online virus scanner. It will load an ActiveX control and you will be able to scan, detect, kill, and clean any known viruses, including what's running in RAM.

To find out what's running in almost all startup methods, go to sysinternals.com and find the utility that will display it. It's called "Autoruns".

http://www.sysinternals.com/ntw2k/source/misc.shtml

While you're there, check out all the other great utilities that these people provide for free. No, I don't work for them, but I sure as hell use the tools!
virus
CODE

mc9.bay6.hotmail.com:smtp
clusterd.icq.com:http

This is (most probably) because you are using an email client to check your mail @ hotmail.

QUOTE
and then i have many unknown tcp connections from
bgp54**92bgs.******.nj.c*t.net:http

*smack.
That's the name assigned to your PC by your ISP, also called the 'hostname'. Don't go about publishing this vital piece of info, as any script kiddie might use it to hack your system.

I still think it's a false alarm. There's no need to worry
53r0
QUOTE (digger @ Aug 27 2003, 05:11 AM)
CODE

mc9.bay6.hotmail.com:smtp
clusterd.icq.com:http

This is (most probably) because you are using an email client to check your mail @ hotmail.

QUOTE
and then i have many unknown tcp connections from
bgp54**92bgs.******.nj.c*t.net:http

*smack.
That's the name assigned to your PC by your ISP, also called the 'hostname'. Don't go about publishing this vital piece of info, as any script kiddie might use it to hack your system.

I still think it's a false alarm. There's no need to worry

nooope

first, i'm not even @ hotmail
second, *superrofl* that isn't my name..

it is a trojan or something like that .. definitely.

so what can i check out? nav is nuked anyway -> even if i install nav again.
i think it has user initiation, because in the reg or in msconfig there is nothing to find
and IEXPLORE.EXE is a system service .. when i quit it, it starts again.
the "real" iexplore.exe has an override or something like that..

any more ideas?

PS: i have found a key that looks strange ..

HKLM\SOFTWARE\Microsoft\Currentversion\ShellObjectDelayLoad\
PostBootReminder -> %SystemRoot%\system32\shell32.dll
CDBurn -> %SystemRoot%\system32\SHELL32.DLL
Webcheck -> %SystemRoot%\system32\webcheck.dll
SysTray -> c:\Windows\system32\stobject.dll
UPnPMonitor -> c:\windows\system32\upnpui.dll

any ideas about that?

and:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
c:\Windows\msagent\msvnvm.com
silos
If you believe it's a Trojan then you have to run a Trojan scanner like the one I mentioned earlier [SWATIT] or any of the numerous ones out there. AVs don't always find these things.

QUOTE
HKLM\SOFTWARE\Microsoft\Currentversion\ShellObjectDelayLoad\
PostBootReminder -> %SystemRoot%\system32\shell32.dll
CDBurn -> %SystemRoot%\system32\SHELL32.DLL
Webcheck -> %SystemRoot%\system32\webcheck.dll
SysTray -> c:\Windows\system32\stobject.dll
UPnPMonitor -> c:\windows\system32\upnpui.dll


I don't think those keys mean anything - I have them too. Most are to do with Microsoft.
53r0
SWATIT has found a DLX downloader and removed it ..
but nothing more ..

Think i must do a format to solve the problem
silos
Yeah, a format is the safest bet.
MpR
Port 6666 is commonly an IRC port. Do a search for iexplore, take note of the file path, and make sure you don't toast the real Internet Explorer. "services.msc" in Run will bring up the services list; if it's appearing to run as a system service and restarts itself, check there for it and disable it. If you want a pretty interface and a little more info, I swear by this program, DameWare NT Utilities: not just good for rooting but also good for the home PC. Also look to see if any other files are running in the background, see if there are any other dependencies, clean out msconfig, restart, and see what's running..

Also, another great little program to see connections, programs running and what IP they connect to is Port Explorer. Google it, you can download a trial copy; I found many botnets with that program.
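The checks the thread walks through by hand (T3cHn0b0y's Run/RunOnce/RunOnceEx/RunServices keys, the extra keys 53r0 later found entries under, and MpR's advice to map the port-6666 listener to its file path so the real Internet Explorer is not toasted) as one script. This is an added example, not code from any of the posts. It assumes an elevated Windows PowerShell 5.1 or later session; Get-NetTCPConnection exists on Windows 8 / Server 2012 and later, so on an XP-era box the same information comes from `netstat -ano` instead. The registry key the thread calls ShellObjectDelayLoad is actually named ShellServiceObjectDelayLoad, which is what the script queries. The 6660-6669 port range, the expected Internet Explorer directory and the ".com file in a Run key" heuristic are assumptions I chose for triage, not findings from the thread.

```powershell
# Added autostart + listening-socket triage script (not from the original thread).
# Assumes Windows PowerShell 5.1+ run as Administrator. Get-NetTCPConnection needs
# Windows 8 / Server 2012 or later; on older systems parse `netstat -ano` instead.

# Autostart locations: the four keys named in the thread, the two the OP later
# reported entries under (Policies\Explorer\Run, ShellServiceObjectDelayLoad),
# and the per-user HKCU equivalents, which are easy to miss when only HKLM is checked.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# One object per value found under any of the autostart keys.
function Get-AutostartEntry {
    foreach ($key in $AutostartKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath, PSParentPath, PSChildName, PSDrive, PSProvider
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Value = [string]$p.Value }
        }
    }
}

# Every listening TCP socket mapped to its owning process and that process's image path.
function Get-ListeningSocketOwner {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        $path = if ($proc) { $proc.Path } else { $null }   # null for System / protected processes
        [pscustomobject]@{
            LocalPort = $_.LocalPort
            ProcessId = $_.OwningProcess
            Name      = $name
            Path      = $path
        }
    }
}

# Assumption: the genuine Internet Explorer binary lives under Program Files\Internet Explorer.
# An iexplore.exe running from anywhere else (the OP saw one next to another executable) is suspect.
$IeDirs = @("$env:ProgramFiles\Internet Explorer", "${env:ProgramFiles(x86)}\Internet Explorer")

function Test-ImpostorIexplore {
    param([string]$Path)
    if (-not $Path) { return $false }
    if ((Split-Path -Path $Path -Leaf) -ne 'iexplore.exe') { return $false }
    $dir = Split-Path -Path $Path -Parent
    foreach ($d in $IeDirs) { if ($dir -ieq $d) { return $false } }
    return $true
}

$entries   = Get-AutostartEntry
$listeners = Get-ListeningSocketOwner

"== Autostart entries =="
$entries | Format-Table -AutoSize

# Heuristics (assumptions, not thread findings): a .com file launched from a Run key
# is unusual on a modern box, and Internet Explorer has no business in a Run key at all.
"== Suspicious autostart entries =="
$entries | Where-Object { $_.Value -match '\.com\b' -or $_.Value -match 'iexplore' } | Format-Table -AutoSize

"== Listening sockets =="
$listeners | Sort-Object -Property LocalPort | Format-Table -AutoSize

# Assumed IRC range 6660-6669 (the OP saw 6666), plus any iexplore.exe outside Program Files.
"== Listeners on IRC-style ports or owned by an out-of-place iexplore.exe =="
$listeners | Where-Object {
    ($_.LocalPort -ge 6660 -and $_.LocalPort -le 6669) -or (Test-ImpostorIexplore -Path $_.Path)
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt and compare the autostart section with what Sysinternals Autoruns shows; Autoruns covers many more launch points (services, drivers, scheduled tasks, Winlogon, shell extensions) than the handful of keys enumerated here, so this script is a quick first pass, not a substitute for it. A listener whose Path is empty is not automatically clean either: it usually means the owner is a protected or system process, which is worth a second look with a tool that can read it.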