Full Version: ssh and dns problems-hijack file
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
bathroomwh
here we go, first time on this forum so I hope it works out. can you tell me if any of the junk below is related to recent impossible ssh login problems with my website, and dns related problems with a site I have placed online.

Logfile of HijackThis v1.97.7
Scan saved at 7:47:15 AM, on 5/7/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\DSE\ADSL\CnxDslTb.exe
C:\Program Files\Password Shield\pwshield.exe
C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
C:\PROGRA~1\MOZILLA.ORG\FIREBIRD\MOZILL~1.EXE
C:\Documents and Settings\Administrator\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 02
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TosHKCW.exe] C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AVGCtrl] C:\Program Files\AVPersonal\AVGNT.EXE /min
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\DSE\ADSL\CnxDslTb.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [pwshield.exe] C:\Program Files\Password Shield\pwshield.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: Siemens SpeedStream Wireless PC Card Utility.lnk = C:\Program Files\Siemens\Siemens SpeedStream Wireless PC Card\SSCPCCfg.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...37875.778900463
O16 - DPF: {A48D0309-8DA3-41AA-98E4-89194D471890} (Pulse V5 ActiveX Control) - http://a320.g.akamai.net/7/320/1456/v50245...layer5AxWin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11704272-B67C-4A3D-ADB8-397CB7589E58}: NameServer = 203.109.252.42,203.109.252.43
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F7EF44C-4B05-4585-BAE2-B2BCF032E5A1}: NameServer = 202.27.184.3,202.27.184.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D60A6769-4046-47ED-AD49-8A5A47803E07}: NameServer = 202.27.184.3,202.27.184.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED51A5A4-72EF-4C93-8EDE-58C1D5A0F828}: NameServer = 203.109.252.42,203.109.252.43
LoPhatPhuud
Your HiJackThis log is clean.

Your problem may stem from a corrupted Hosts file. Instructions follow to reset it, but if you have custom entries you can remove any erroneous ones instead. The program is self explanatory.

Hoster Instructions:
1. Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
2. Install the program and run it.
3. Press 'Restore Original Hosts' and press 'OK'
4. Exit Program.


Also you have four TCP Nameserver entries in your registry. These are the O17 entries in your log. There are two each for separate ISPs. Please check them over and if one set is not needed, use HiJackThis to remove them.

Here is the information on each pair.
203.109.252.42

<owner>
The Internet Group Ltd.
IHUG/StarNet/VIPNet/PrintOnline/TravelOnline
New Zealand

and

202.27.184.3
<owner>
Telecom Online Service
Auckland
New Zealand
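The advice above amounts to reading the O17 lines by hand, grouping the adapters that share a nameserver pair, and deciding which pair does not belong. As an added example (not part of this thread, and not a HijackThis or forum tool), the Python script below does that mechanically: it parses O17 lines out of a HijackThis log, groups interfaces by their nameserver set, and flags every server that is not in a list the user expects to use. The sample log is the four O17 lines quoted in the post; the expected-server set is a constructed assumption standing in for whatever the user's current ISP actually assigns.

```python
import re
from collections import defaultdict

# Constructed sample input: the four O17 lines quoted in the log earlier in the thread.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{11704272-B67C-4A3D-ADB8-397CB7589E58}: NameServer = 203.109.252.42,203.109.252.43
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F7EF44C-4B05-4585-BAE2-B2BCF032E5A1}: NameServer = 202.27.184.3,202.27.184.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{D60A6769-4046-47ED-AD49-8A5A47803E07}: NameServer = 202.27.184.3,202.27.184.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{ED51A5A4-72EF-4C93-8EDE-58C1D5A0F828}: NameServer = 203.109.252.42,203.109.252.43
"""

# An O17 line ends with the interface GUID in braces, then the comma-separated NameServer list.
O17_RE = re.compile(
    r"^O17 - .*\\\{(?P<guid>[0-9A-Fa-f-]{36})\}: NameServer = (?P<servers>[0-9.,]+)\s*$"
)


def parse_o17(log_text):
    """Return {interface_guid: [nameserver, ...]} for every O17 line in the log."""
    entries = {}
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in m.group("servers").split(",") if s]
            entries[m.group("guid").upper()] = servers
    return entries


def group_by_nameservers(entries):
    """Group interface GUIDs that share the same nameserver set (one group per ISP pair)."""
    groups = defaultdict(list)
    for guid, servers in entries.items():
        groups[tuple(servers)].append(guid)
    return dict(groups)


def flag_unexpected(entries, expected):
    """List (guid, server) pairs whose server is not in the set the user expects to use."""
    return [
        (guid, s)
        for guid, servers in entries.items()
        for s in servers
        if s not in expected
    ]


def report(log_text, expected):
    """Human-readable summary: one line per nameserver group, one per unexpected server."""
    entries = parse_o17(log_text)
    lines = []
    for servers, guids in group_by_nameservers(entries).items():
        lines.append(f"{','.join(servers)} used by {len(guids)} interface(s)")
    for guid, s in flag_unexpected(entries, expected):
        lines.append(f"UNEXPECTED {s} on {{{guid}}}")
    return lines


if __name__ == "__main__":
    # Constructed assumption: the user keeps the 203.109.252.x pair and wants anything else flagged.
    for line in report(SAMPLE_LOG, {"203.109.252.42", "203.109.252.43"}):
        print(line)
```

Run it against a saved HijackThis log instead of `SAMPLE_LOG` and it prints how many adapters share each nameserver pair and which adapters still point at servers you no longer expect; those are the O17 lines worth removing, as the post suggests.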
bathroomwh
hey thanks, have removed the isp and left only the two i am using right now. seems strange though, as I still cannot use SSH software to login to my website. It is definitely a problem related to my network as my other pc is not allowing ssh login either yet other people on other PCs have tested and logged in without difficulty.

here is the ssh program wording when I try to login via SSH :

i Session 00002 established for quick connect
i SecureFX version 2.2.4.216 (Official Release - April 13, 2004)
i Discarding invalid state change from STATE_NOT_CONNECTED to STATE_CLOSED.
i Connected for 5 seconds, 0 bytes sent, 0 bytes received
LoPhatPhuud
Since you are on a home LAN, it may be an issue with your router. Since it is occurring on two computers on your network, but not elsewhere, it has to be on your end.

You might try connecting with one computer directly to see if that makes any difference.