Re: DNS calls to Ukraine destinations



It's an O17 item in HJT, Steve (actually, three or four nearly identical
items) involving some entries that include the rogue IPs, in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces.

But I can't get to the machine until later today or this evening. Don't seem
to have saved a copy of the HJT report anywhere else. I figure I'm also
close to or past the line where I won't be able to do much on it simply
because I'm working on it remotely. David's Multi_AV was plenty fun already.
It came up with a few things, but not what I'm looking for. This one is
still trying to ping those DNS servers about once per second, each IP.

--

Gary S. Terhune
MS-MVP Shell/User

"MowGreen" <mowgreen@xxxxxxxxxxxxx> wrote in message
news:ONLMGmw4GHA.3604@xxxxxxxxxxxxxxxxxxxxxxx
Dan,

Still haven't heard from Gary yet. If the malware is not a RootKit then
we'll get that link posted here. If it is an RK, then we'll have to take
this to a private thread to block RK writers from observing which tool and
version is used to remove it. That's what it's come down to lately.
But if Gary ever contacts us, we'll have him provide you with any info you
need.
Hope you understand ;)

MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============


Dan wrote:
MowGreen wrote:
the ISA logs show this machine making repeated calls on DNS protocol,
port 53, to two different IPs that belong to a web hosting company in
the Ukraine. I can't help but think that this is malware in action,
but can't determine what is doing it.

Gary,

As long as you can keep the malware blocked, post the log to the
HijackThis Forum at AumHa:
http://aumha.net/viewforum.php?f=30

We'll call in the "Experts" if need be and at least identify the
malware, the risk from it, and who's hosting it.

I'll BCC this. Email me when you post the HJT log and please, provide us
with the IPs, too.


MowGreen [MVP 2003-2006]
===============
*-343-* FDNY
Never Forgotten
===============


Gary S. Terhune wrote:
I have an XP Pro box on an SBS network (one SBS Premium server w/ ISA 2004,
two XP Pro clients.) The box was heavily infected by numerous viruses and
other malware on 9/11. Issues with antivirus installation resulted in its
not updating for some time, but I'm not certain just how it all got started.
Far as I can tell, none of it got to any of the other machines on the
network.

I cleaned up using various AV and anti-spyware tools (AdAware, Spybot,
Trend-Micro AV) and it seems to be healthy now, but the ISA logs show this
machine making repeated calls on DNS protocol, port 53, to two different IPs
that belong to a web hosting company in the Ukraine. I can't help but think
that this is malware in action, but can't determine what is doing it. The
ISA firewall is blocking the requests, but I'd like to know what's going on.
Any ideas on how to trace this? I can't find anything in running processes
that isn't supposed to be there. Note that these calls are being made even
when nobody is logged on to the machine. They're averaging one per second.


Well, I hope Gary will provide the link to the HiJack This website in
this newsgroup so that other users like me can see what potential malware
is in the HiJack This log. Gary, if you do not want to post here then
you know my email and please email me where you posted the Hijack This
log and thanks in advance because I appreciate all you do for these
newsgroups.
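The symptom described in this thread (one client sending UDP/53 requests to two outside IPs about once a second, whether or not anyone is logged on, plus resolver entries under Tcpip\Parameters\Interfaces of the kind HJT lists as O17 items) as an added Python example; this is not code from any poster. The log line shape, the addresses and the single allowed resolver are constructed assumptions, not the real ISA 2004 log format.

```python
# Example code added to this thread (not from any poster): flag hosts that query
# UDP/53 to unexpected resolvers at a steady cadence, and check a NameServer value.
from collections import defaultdict
from datetime import datetime

# Assumption: the SBS server is the only resolver clients should use.
ALLOWED_RESOLVERS = {"192.168.16.2"}

# Constructed sample in a simplified "date time client dest port proto action"
# shape: one client hits two outside IPs about once a second; another is normal.
SAMPLE_LOG = """\
2006-09-20 14:00:00 192.168.16.20 203.0.113.10 53 UDP DENIED
2006-09-20 14:00:00 192.168.16.20 203.0.113.11 53 UDP DENIED
2006-09-20 14:00:01 192.168.16.20 203.0.113.10 53 UDP DENIED
2006-09-20 14:00:01 192.168.16.20 203.0.113.11 53 UDP DENIED
2006-09-20 14:00:02 192.168.16.20 203.0.113.10 53 UDP DENIED
2006-09-20 14:00:02 192.168.16.20 203.0.113.11 53 UDP DENIED
2006-09-20 14:00:01 192.168.16.21 192.168.16.2 53 UDP ALLOWED
2006-09-20 14:00:09 192.168.16.21 192.168.16.2 53 UDP ALLOWED
"""

def parse(log_text):
    """Yield (timestamp, client, dest, port, proto, action) per non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            date, clock, client, dest, port, proto, action = line.split()
            yield datetime.fromisoformat(f"{date} {clock}"), client, dest, int(port), proto, action

def find_dns_beacons(log_text, min_hits=3, max_mean_interval=2.0):
    """Return {(client, dest): (hits, mean_gap_seconds)} for DNS flows to non-allowed
    resolvers that repeat at least min_hits times with a short average gap."""
    flows = defaultdict(list)
    for ts, client, dest, port, proto, _action in parse(log_text):
        if port == 53 and proto == "UDP" and dest not in ALLOWED_RESOLVERS:
            flows[(client, dest)].append(ts)
    findings = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue  # too few requests to call it a cadence
        stamps.sort()
        mean_gap = (stamps[-1] - stamps[0]).total_seconds() / (len(stamps) - 1)
        if mean_gap <= max_mean_interval:
            findings[key] = (len(stamps), mean_gap)
    return findings

def rogue_nameservers(nameserver_value):
    """Split a per-interface NameServer value (comma- or space-separated) and return entries not allowed."""
    return [ip for ip in nameserver_value.replace(",", " ").split()
            if ip not in ALLOWED_RESOLVERS]
```

Run against the real firewall export by swapping `SAMPLE_LOG` for the file contents after adapting `parse` to the export's column order.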




