
Hijacked


Shop computer, several users, started getting boggy. About 2 weeks ago, someone noticed a window flickering on the screen of a Windows Installer saying 'Preparing to Install' and this would happen on computer start up and at random times. They mentioned this to me a couple of days ago. I looked for anything that had been downloaded recently that would account for it and found nothing. But there has been a lot of web surfing.

Starting two days ago, we began getting returned emails that were undeliverable. Dozens of them and we hadn't sent any of them. This is the text in one of the returned mails:

The original message was received at Mon, 19 Dec 2005 05:38:44 -0500 (EST)
from liaag2af.mx.compuserve.com [149.174.40.157]

*** ATTENTION ***

Your e-mail is being returned to you because there was a problem with its
delivery. The address which was undeliverable is listed in the section
labeled: "----- The following addresses had permanent fatal errors -----".
The reason your mail is being returned to you is listed in the section
labeled: "----- Transcript of Session Follows -----".
The line beginning with "<<<" describes the specific reason your e-mail could
not be delivered. The next line contains a second error message which is a
general translation for other e-mail servers.
Please direct further questions regarding this message to your e-mail
administrator.

--AOL Postmaster

----- The following addresses had permanent fatal errors -----
<greemwood1@cs.com>

----- Transcript of session follows -----
... while talking to air-xn01.mail.aol.com.:
>>> RCPT To:<greemwood1@cs.com>
<<< 550 MAILBOX NOT FOUND
550 <greemwood1@cs.com>... User unknown

--------------------------------------------------------------------------------
Received: from liaag2af.mx.compuserve.com (liaag2af.mx.compuserve.com [149.174.40.157]) by rly-xn04.mx.aol.com (v108.32) with ESMTP id MAILRELAYINXN46-64643a68db139e; Mon, 19 Dec 2005 05:38:43 -0500
Received: (from mailgate@localhost)
    by liaag2af.mx.compuserve.com (8.13.4/8.13.4/g1.1) id jBJAcdKf026316
    for greemwood1@cs.com; Mon, 19 Dec 2005 05:38:39 -0500
Date: Mon, 19 Dec 2005 05:38:13 -0500
From: our email address
Subject: beauty asian hard action
Sender: our email address
To: greemwood1@cs.com
Reply-To: our email address
Message-ID: <200512190538_MC3-1-B3D4-2997@compuserve.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain;
    charset=us-ascii
Content-Disposition: inline
X-AOL-IP: 149.174.40.157
X-AOL-SCOLL-SCORE: 0:2:316108116:11811160
X-AOL-SCOLL-URL_COUNT: 0
--------------------------------------------------------------------------------

Internal Virus Database is out-of-date.
Checked by AVG Free Edition.
Version: 7.1.371 / Virus Database: 267.13.13/197 - Release Date: 12/9/2005

At this point I am unable to connect to our email. I will have to talk to my ISP tomorrow to see if they have blocked it.

We keep regular backups and today, I went in and started doing thorough backups of everything again. It was a pain. I couldn't just throw in a CD and burn the info. The Windows Installer window would flicker and there was no access to the CD drive. I figured out that I needed to pop a CD in before Windows started, run Nero and burn the files. When Nero finished it couldn't verify the data because it was now denied access to the CD drive. Restart the computer, toss a CD in before Windows, etc. I checked the CDs on another comp and they are fine.

I ran hijackthis.

I ran Windows Live Safety Center: 1 virus=HTML/DialogArg.B @ c:\install.htm (deleted)

Avast: found nothing

AVG: found nothing (You will notice in the returned email it states that AVG is out of date. Come to find out that AVG was not able to connect to their server to update. I downloaded the most current version, installed it and was able to download a current update)

Kaspersky:found nothing

Spybot S&D: Got some cookies and nothing else. Had to turn it off to run other proggies.

MS AntiSpyware: found nothing (ten days ago it found CoolWebSearch Browser Modifier)

AdAware: found nothing

Sysinternals RootkitRevealer: found nothing

UnHackme: Clicked 'Check me now' and very quickly a window popped up saying 'That's alright. There is no trojan found'. It was too quick for the program to have done anything.

ewido: found 42 cookies and removed Worm.Myfip.l @ c:\program files\nlite\Data\modpe.exe (this copy of nlite was installed in June of 2004 and never run. It was when I discovered MSFN)

Whatever it is that I am searching for is still in this computer. A quick test is to put a CD in and try to access it. A CD sits in the CD drive, spins and gets read, but when you go into My Computer it states the drive is empty.

Regardless of the outcome, I am going to format and re-install as it has been a long time since XP was installed and too many users. In the meantime, I would really like to know what has gotten into the computer.

Any suggestions would be much appreciated.

I'm tired and going home to bed now. :yes:

DL

hijackthis.txt



First things first... get rid of AVG, very unreliable software.

Alternatives:

Nod32 (ESET) has a free 30 day trial of their product and fully functional. However, you will need to uninstall and install it every 30 days to continue to use it.

Avast, also has a free version, basic, you need to register the product twice in the first year and once every year after, to continue using the product.

Secondly, I noticed several applications running at startup, which are suspicious files.

O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

What mouse and keyboard are you using? If this is a Microsoft keyboard, do you use the office functions? If not disable them from startup.

O17 - HKLM\System\CCS\Services\Tcpip\..\{550C92A7-A0C2-4D7A-A08C-08F01513D868}: NameServer = 65.199.236.17,65.199.236.10

What is this IP address? This could possibly be one of your problems (O17=domain hijackers).

Besides these mentioned I see nothing wrong. However, there are a few other items I would remove, besides the ones listed.

I also noticed you have several anti virus products, AVG and Kaspersky, installed on the same machine. Very bad... if you have doubts about a virus scanner not detecting malicious software, then uninstall the application and install an alternative.

Finally, if you are unable to detect malicious software under the standard configuration, then you need to start the PC in safe mode and scan for the malicious threats. Rootkits are made for safe mode only, but do work under standard configurations (sometimes). Also, disconnect the infected PC from the network before scanning for malicious software. Use software (i.e. McAfee S.t.i.n.g.e.r.) that loads only into memory and scans for viruses if you know in fact your PC is infected.

Edited by epic

Thanks epic.

First things first... get rid of AVG, very unreliable software.

Well, this has been proven true currently even though it has worked well in the past.

Alternatives:

Nod32 (ESET)

Avast

Avast is one of the programs I ran and didn't use NOD32 because of the sign up but I've gone ahead and downloaded it now. Will run it.

Secondly, I noticed several applications running at startup, which are suspicious files.

O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

What mouse and keyboard are you using? If this is a Microsoft keyboard, do you use the office functions? If not disable them from startup.

O17 - HKLM\System\CCS\Services\Tcpip\..\{550C92A7-A0C2-4D7A-A08C-08F01513D868}: NameServer = 65.199.236.17,65.199.236.10

What is this ip address? This could possibly be one of your problems (O17=domain hijackers).

Somebody else does use MS Office on this comp. Not sure about the IP addresses, I'll check.
I also noticed you have several anti virus products, AVG and Kaspersky, installed on the same machine. Very bad... if you have doubts about a virus scanner not detecting malicious software, then uninstall the application and install an alternative.
Yeah, I know. Odd thing is, is that we used to run Norton and it created all sorts of problems, and with the pile of programs I have installed, there wasn't one single glitch. Not one. I did expect something but they ran as described. One would pick up a stray attachment that another had put in place or something but all went well. Yeah, I know it's a no-no.
start the PC in safe mode and scan for the malicious threats. Rootkits are made for safe mode only, but do work under standard configurations (sometimes). Also, disconnect the infected PC from the network before scanning for malicious software. Use software (i.e. McAfee S.t.i.n.g.e.r.) that loads only into memory and scans for viruses if you know in fact your PC is infected.
Yep, safe mode is the next step with restore disabled. I'll try the McAfee because I do know my computer is infected. Will report back, captain.

DL


epic - OK, turned off System Restore, entered safe mode with F8 because I couldn't do it through msconfig. Ran ewido, NOD32, HijackThis and Spybot S&D. Came up with nothing. Couldn't access the CD drive either. Reinstalled Kaspersky while in safe mode and it found nothing also. Restarted computer and it automatically went into safe mode. Restarted, F8, selected standard boot method and it still went into safe mode. While in safe mode, I could use msconfig to change the mode of startup!? Anyway, the virus is still present.

The IP addresses in the HijackThis log are to a local ISP, no concern.

Is there a program that can be used to track what might be active in the background? Something I could have running and, when I see the Windows 'Installer window' pop up, look at a log file of some kind to see what the activity was?

Any suggestions are appreciated.

DL

PS I will try to get back in here tomorrow but will be heading out to see family and won't be back until next week. Cheers and a festive holiday.


Is there a reason for the IP address set in the hosts file? I see no point in having an IP set in hosts unless the user uses it as a simple name resolution to an outside source, but from what you're saying it's not. Try removing it and see what happens in a few days.

Well, Windows Task Manager does not show everything and is not a very useful tool. Most viruses hide themselves from the system task manager and are undetectable by simple applications. Sysinternals have developed advanced tools that all admins should have. Autoruns, PMon, Handle, PsList, Portmon; check the description on their site for more detail (Processes & Threads).

You also stated the user notices an installer running or an msi installer. The only way you can detect it is by monitoring file access to the drive(s). Diskmon, Filemon, PsFile, located under (File and Disk).

Security Task Manager is also a great tool.

Edited by epic

Is there a reason for the IP address set in the hosts file? I see no point in having an IP set in hosts unless the user uses it as a simple name resolution to an outside source, but from what you're saying it's not. Try removing it and see what happens in a few days.

It's tied in with our machine's ISP.

admins should have. Autoruns, PMon, Handle, PsList, Portmon, check the description on their site for more detail (Processes & Threads).

Great! Thanks. Not an admin, just pretending to be one.

monitoring file access to the drive(s). Diskmon, Filemon, PsFile, located under (File and Disk).

Maybe with this, I can get down to the meat and potatoes. Thank you.

Security Task Manager is also a great tool.

I'll take a good look at that also.

Sweet.

Typing on the run. Will get back on this and back here as soon as possible.

Again, thank you.

DL


@ epic Downloaded the tools. Going to take a little time to do these things. (I have a real job to attend to as well :D and since I'm heading out of town, I'm running out of time today)

Your assistance is much appreciated.

DL


Since you had CWS, you should run CWShredder as well. Update MSAS, Ad-Aware, Spybot, and ewido defs to ensure you can nail everything.

I don't like what epic said. epic dude, please leave this to the pros.

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

Those are not suspicious. Point32.exe is for the Microsoft Mouse, it's part of the software. Though it's not needed, it's not suspicious. Intellitype is for the MS keyboard.

About point32: Microsoft Intellipoint software for their Intellimouse series of mice - required if you use non-standard Windows driver features

About Intellitype: For MS programmable keyboards. If you disable Intellitype in Startup, any "Hot Keys" that are changed by the user to perform functions other than default settings, defer back to their default settings unless you have changed them.

While Avast and AVG are good for free antivirus programs. Avast is better, but there's one far superior. eTrust EZ AntiVirus which is free for a year to Microsoft SP2 customers.

You also have two antivirus programs running on the computer (AVG and Kaspersky). If you like you can switch to eTrust, or simply update and continue using Kaspersky.

Here's an analysis of your HijackThis log. After this, run the scans recommended above and then post a new log.

Generated by Tarun's HijackThis Converter v0.50 Beta.

Default-color items are optional, red are known to be malicious.

Created registry value

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

Enumeration of suspicious auto-loading registry entries

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Win Fax Client] "C:\WINDOWS\system32\fxsclnt.exe"

O4 - Global Startup: hpoddt01.exe.lnk = ?

Downloaded Program Files item

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab

Edited by Tarun
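Putting epic's O4/O17 checks and Tarun's log breakdown into code: an added Python example, not HijackThis's or any poster's code, that parses the entry types quoted in this thread and flags a Run entry that names a bare file (resolved via the search path, so you cannot tell which binary runs), a startup shortcut whose target HijackThis could not resolve, and a NameServer outside the networks the caller trusts. The sample lines are constructed from entries quoted above; the trusted-resolver list is an assumed input (DL confirmed the addresses belong to the local ISP).

```python
import ipaddress
import re

# Constructed sample: the entry types quoted in this thread (not DL's attached log).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\\..\\Run: [POINTER] point32.exe
O4 - HKLM\\..\\Run: [IntelliType] "C:\\Program Files\\Microsoft Hardware\\Keyboard\\type32.exe"
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - Global Startup: hpoddt01.exe.lnk = ?
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{550C92A7-A0C2-4D7A-A08C-08F01513D868}: NameServer = 65.199.236.17,65.199.236.10
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<location>.+?): \[(?P<name>[^\]]+)\]\s*(?P<command>.*)$")
STARTUP_RE = re.compile(r"^Global Startup: (?P<name>.+?) = (?P<target>.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")


def parse_entries(text):
    """Split a HijackThis log into (kind, body) pairs, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def executable_path(command):
    """Return the program part of a Run command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def triage(text, trusted_resolvers):
    """Return (kind, name, reason) findings; trusted_resolvers are CIDR strings the DNS servers should fall in."""
    trusted = [ipaddress.ip_network(n) for n in trusted_resolvers]
    findings = []
    for kind, body in parse_entries(text):
        if kind == "O4":
            s = STARTUP_RE.match(body)
            if s:  # Global Startup shortcut: "?" means HijackThis could not resolve the target
                if s.group("target").strip() == "?":
                    findings.append((kind, s.group("name"), "startup shortcut target unresolved: check what the .lnk points at"))
                continue
            r = RUN_RE.match(body)
            if r and "\\" not in executable_path(r.group("command")):
                findings.append((kind, r.group("name"), "bare file name is resolved via the search path: verify which binary actually runs"))
        elif kind == "O17":
            n = NAMESERVER_RE.search(body)
            for ip in (n.group("servers").split(",") if n else []):
                addr = ipaddress.ip_address(ip)
                if not any(addr in net for net in trusted):
                    findings.append((kind, ip, "DNS server outside the trusted networks: possible O17 hijack"))
    return findings
```

Call triage(SAMPLE_LOG, ["65.199.236.0/24"]) to treat the ISP's range as trusted; with that list only the POINTER entry and the hpoddt01.exe.lnk shortcut are flagged, and with an unrelated range both NameServer addresses are flagged as well.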

Since you had CWS, you should run CWShredder as well. Update MSAS, Ad-Aware, Spybot, and ewido defs to ensure you can nail everything.

I don't like what epic said. epic dude, please leave this to the pros.

Really now... Quite interesting from someone who does not even know who I am.

O4 - HKLM\..\Run: [POINTER]point32.exe

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

Those are not suspicious. Point32.exe is for the Microsoft Mouse, it's part of the software. Though it's not needed, it's not suspicious. Intellitype is for the MS keyboard.

Hmm... You must have missed the point where I stated "If this is a Microsoft keyboard, do you use the office functions? If not disable them from startup."

Definition (Common language for administrators)

sus·pi·cious

adj.

1. Arousing or apt to arouse suspicion; questionable: suspicious behavior.

2. Tending to suspect; distrustful: a suspicious nature.

3. Expressing suspicion: a suspicious look.

Apparently you are not aware that there are viruses (freely available) which copycat these exact files. Besides, disabling most, if not all, 3rd-party applications (that includes startup applications!!!) while scanning for viruses is the most crucial part of administration, which is why it's suggested 100% of the time to scan for viruses in safe mode, hence no 3rd-party applications load. If you're at all a professional you would have already known that. Heh.

So, please step down from your self appointed professional status. It's people like you that give REAL administrators a bad name.

About point32: Microsoft Intellipoint software for their Intellimouse series of mice - required if you use non-standard Windows driver features

About Intellitype: For MS programmable keyboards. If you disable Intellitype in Startup, any "Hot Keys" that are changed by the user to perform functions other than default settings, defer back to their default settings unless you have changed them.

I also assumed DL knew this information and assume most people do, but since you're laying out the most obvious information, I'll just let it be.

If you have any insightful information, post it, which you have not.

My apologies DL.

Edited by epic

people people... :no: why always the arguments about what people reply? DL asked something, you two (Tarun and epic) replied. Now it isn't forbidden to discuss replies but, hey, respect each other in here ok? :) I am sure that DL is able to get his facts from this post so don't say "I am good, and you're not" :)

and btw its nearly christmas... so keep the peace on earth :)


Ok, was out of town for several days and back now. I appreciate all the replies, arguments and all because I will learn something but just don't go for the throat! :D

I will get back to this later. I have other things I have to attend to first.

Thank you,

DL


Ok, back. I'm going to uninstall all of the virus/trojan/whatever progs I have on the comp. I am going to install EZ Antivirus, keep hijackthis and run CWShred. Then I am going to check out Diskmon and PsFile.

I ran Filemon last week and to say that was interesting would be an understatement. What a bunch of stuff goes on inside the box! It's really cool when you have a computer that will run x number of processes and so forth, but when you see a list just stream by, it gives you a completely different view. Using Filemon, I took a snapshot (text, not a pic) of the processes that ran at the time of opening and closing the CD drive. That is one thing that triggers the activity. I pared down the text file by more than 90% and am attaching it, if you want to bother looking at it. spoolsv.exe starts the activity off and hpotdd01.exe, msiexec.exe, csrss.exe, svchost.exe and rundll32.exe are all heavily involved, then it ends with hpotdd01.exe (we have an HP scanner).

Having fun,

DL

Edit: @Tarun,

Created registry value

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

Enumeration of suspicious auto-loading registry entries

O4 - HKLM\..\Run: [KernelFaultCheck]%systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Win Fax Client] "C:\WINDOWS\system32\fxsclnt.exe"

O4 - Global Startup: hpoddt01.exe.lnk = ?

Downloaded Program Files item

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab

I don't know what I am supposed to do with this. Some of it, I know what it is and some not. There is the hpoddt01.exe.lnk that definitely looks suspicious now that I have had a look at the log from Filemon.

DL

FilemonLog.txt

Edited by DL

Ran CWShredder and nothing. It gave a link to a 30-day trial of TrendMicro AV. Downloaded, installed, ran it, it found one cookie, uninstalled.

Downloaded EZ Antivirus, ran it, it found nothing.

After dinner time now, long after, going home. I'll get back on this tomorrow.

Thank you,

DL


Edit: @Tarun,
Created registry value

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

Enumeration of suspicious auto-loading registry entries

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [Win Fax Client] "C:\WINDOWS\system32\fxsclnt.exe"

O4 - Global Startup: hpoddt01.exe.lnk = ?

Downloaded Program Files item

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - https://scan.safety.live.com/resource/downl...lscbase3401.cab

I don't know what I am supposed to do with this. Some of it, I know what it is and some not. There is the hpoddt01.exe.lnk that definitely looks suspicious now that I have had a look at the log from Filemon.

DL

Those are items to check off in HijackThis and then click Fix.

Edited by Tarun
