

welchia_ICMP_scan

Discuss security related topics in here (Hacking, Cracking, and Protecting)
Do not post HJT Logs here

Moderator: PCguy

Postby lilpinkflower » Thu May 06, 2004 9:51 pm

i had an alert from my Norton b4 sayin 'welchia_ICMP_scan'

the IP addy was one similar to mine.... n the comps name was my name??

seemed weird...or coincidence?

ive googled it very quikly...n it seems its a worm.... but i'm not well up on pingin n all dat stuff
hehe

not sure i understand half of what i'm reading!

has anyone else had an alert like this b4?
ta

lilpink x

also...my norton will have protected me won't it?
:|
lilpinkflower
Moderator
Posts: 1603
Joined: Wed Apr 07, 2004 1:00 am
Location: manchester, U.K
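The alert name in the post above corresponds to the ping sweep the Welchia (also called Nachi) worm used to find hosts to infect: an ICMP echo request whose 64-byte data field is filled with 0xAA, which is the fingerprint host firewall and IDS rules of the time keyed on. As an added illustration, not part of the thread, the Python below classifies raw ICMP packets by that fingerprint and counts how many distinct hosts a source probed, which is what separates an infected neighbour sweeping the subnet from a single ordinary ping. The packets, the addresses and the min_targets threshold are constructed here.

```python
"""
Added example, not from the thread: classify raw ICMP packets and pick out
the echo-request fingerprint the Welchia/Nachi worm used in its ping sweeps
(a 64-byte data field filled with 0xAA), then count the hosts each source
probed.  All traffic below is constructed so the script runs offline.
"""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
WELCHIA_FILL = b"\xaa" * 64                              # data field Welchia/Nachi sent in each probe
WINDOWS_PING_FILL = b"abcdefghijklmnopqrstuvwabcdefghi"  # default 32-byte fill of Windows ping.exe


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum; yields 0 over a packet whose stored checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST,
               ident: int = 0x1234, seq: int = 1) -> bytes:
    """Assemble an ICMP message (header + data) with a correct checksum; used only to construct test input."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    chksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, chksum, ident, seq) + payload


def classify_icmp(packet: bytes) -> str:
    """
    'malformed'         - shorter than an ICMP header, or the checksum does not verify
    'not_echo_request'  - any type/code other than echo request
    'welchia_icmp_scan' - echo request carrying exactly the 64 x 0xAA fill
    'echo_request'      - any other ping
    """
    if len(packet) < 8 or icmp_checksum(packet) != 0:
        return "malformed"
    icmp_type, code = packet[0], packet[1]
    if icmp_type != ICMP_ECHO_REQUEST or code != 0:
        return "not_echo_request"
    if packet[8:] == WELCHIA_FILL:
        return "welchia_icmp_scan"
    return "echo_request"


def sweep_sources(events, min_targets: int = 16) -> dict:
    """
    events: iterable of (src_ip, dst_ip, packet).  Returns {src_ip: number of distinct
    hosts probed with the Welchia fill} for sources that hit at least min_targets hosts
    (the threshold is an assumption); one stray probe never makes the list.
    """
    targets = {}
    for src, dst, pkt in events:
        if classify_icmp(pkt) == "welchia_icmp_scan":
            targets.setdefault(src, set()).add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def sample_events():
    """Constructed traffic: one neighbour sweeping 192.168.1.1-40 plus one ordinary Windows ping."""
    events = [("192.168.1.77", "192.168.1.%d" % n, build_icmp(WELCHIA_FILL, seq=n))
              for n in range(1, 41)]
    events.append(("192.168.1.5", "192.168.1.10", build_icmp(WINDOWS_PING_FILL)))
    return events


if __name__ == "__main__":
    for src, count in sweep_sources(sample_events()).items():
        print("%s probed %d hosts with the Welchia ICMP pattern" % (src, count))
```

A single probe arriving from an address in your own subnet, as in the post, is consistent with a neighbour that is infected and sweeping; the probe itself does not infect anything, the follow-up exploit attempt does, so the useful response is to find and clean the source rather than worry about the ping.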

Postby brad » Fri May 07, 2004 2:19 am

You would know if you'd run HijackThis.....
brad
"Duty is a matter of the mind. Commitment is a matter of the heart".
brad
Geek Alumni
Posts: 2079
Joined: Sat Jul 19, 2003 1:00 am
Location: Charlotte, NC

Postby Cactus » Fri May 07, 2004 2:47 am

Hey Lilpinkflower...
Download and run HiJackThis like Brad suggests.
Here's the link:
http://www.spychecker.com/download/down ... kthis.html

After you run it, save the log to your desktop and cut and paste it back here.
Brad is an expert with these logs and he'll tell you what needs to be removed.
Cactus
Geek Alumni
Posts: 1330
Joined: Sat Nov 30, 2002 1:00 am
Location: Somewhere...

Postby lilpinkflower » Fri May 07, 2004 5:05 pm

oi !! Cactus lol.....i HAVE alredy got Hijackthis on me comp ya kno :wink:
ya shud kno me betta dan that lol

rite...here's me log...

(i ran Spybot n AdAware n removed a small handful of things b4 Hijackthis... there was nothin but the usual stuff that gets on ya comp)

Logfile of HijackThis v1.97.7
Scan saved at 17:01:48, on 07/05/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\MESSENGER PLUS! 2\MSGPLUS.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPROXY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GENIUS NETSCROLL+ SERIES\GNETMOUS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\MHOTKEY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\EPROMPTER\EPROMPTER.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Lilpinkflower :oP
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [mouseElf] C:\PROGRA~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [dxm6patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Real.com (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... tor/sw.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/sh ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetupml.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C ... 3912847222
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/part ... nstall.cab
O16 - DPF: LiveWorld EZTalk 3.0 - http://bizchat.liveworld.com/java/ezmed/ezmed.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... Client.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... owdown.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/c ... potc_x.cab
O16 - DPF: {9F637568-E5F7-4CB2-BD01-818CF6C561F9} (PhotosCtrlUK Class) - http://uk.f1.pg.photos.yahoo.com/ocx/uk ... r1_9uk.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/se ... loader.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
O16 - DPF: {20AD521D-3A3E-11D4-BC32-0050040D952B} (SwIcdInstall Class) - http://www.picturebuzz.com/common/programs/swicdad.cab
O16 - DPF: {4DB79B88-84B2-11D3-81B4-525400E7AB54} (Axe Control) - http://www.picturebuzz.com/picturebuzz/ ... se/axe.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/Aut ... dwnldr.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB



ta

lilpink x
lilpinkflower

Postby brad » Sat May 08, 2004 12:07 am

You know the routine...Turn off System Restore. (Until this is completed) Close all other open Windows and have HiJackThis Fix:
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/part ... nstall.cab

Reboot, and delete:

C:\WINDOWS\System32\msgked.exe
and:
C:\Program Files\LiveUpdate

brad
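brad's fix list above picks out three kinds of entries from the posted log: an O4 autorun, two O6 Internet Explorer policy restrictions and an O16 ActiveX download. As an added example, not part of the thread and not a HijackThis feature, the Python below parses the R*/O* lines of a HijackThis log into records and runs a first-pass triage that surfaces those kinds of entries so each can be researched as brad describes. The sample log is made of untruncated lines copied from the log above plus one made-up O16 entry (placeholder CLSID and an example.net URL); the ALLOWED_DPF_DOMAINS list and the triage rules are this example's own assumptions and point at lines to look up, not at verdicts.

```python
"""
Added example, not part of the thread and not a HijackThis feature: parse the
R*/O* entry lines of a HijackThis log and run a first-pass triage over them.
Rules and allowlist are assumptions; they flag lines to research, not verdicts.
"""
import re
from urllib.parse import urlparse

# Constructed sample: untruncated lines from the log posted in the thread plus
# one made-up O16 entry (placeholder CLSID, example.net URL).
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Lilpinkflower :oP
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: LiveWorld EZTalk 3.0 - http://bizchat.liveworld.com/java/ezmed/ezmed.cab
O16 - DPF: {00000000-0000-0000-0000-000000000001} - http://downloads.example.net/partners/install.cab
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Assumption: hosts the owner already trusts for ActiveX downloads; anything else is listed for research.
ALLOWED_DPF_DOMAINS = ("microsoft.com", "msn.com", "apple.com", "macromedia.com", "symantec.com")


def platform_of(text: str) -> str:
    """Return the 'Platform:' line; it decides which system paths can exist on the machine at all."""
    for line in text.splitlines():
        if line.startswith("Platform: "):
            return line[len("Platform: "):]
    return "unknown"


def parse_entries(text: str) -> list:
    """Return [(section, body)] for every R*/O* line; the header and process list are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group("section"), m.group("body")))
    return out


def parse_dpf(body: str) -> tuple:
    """Split 'DPF: {clsid} (Name) - url' (clsid or name may be absent) into (clsid, name, url)."""
    left, _, url = body[len("DPF: "):].rpartition(" - ")
    clsid, name = None, left.strip()
    if name.startswith("{") and "}" in name:
        end = name.index("}") + 1
        clsid, name = name[:end], name[end:].strip()
    name = name.strip("()").strip() or None
    return clsid, name, url


def host_allowed(url: str) -> bool:
    """True when the download host is the allowlisted domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DPF_DOMAINS)


def triage(entries: list) -> list:
    """Return [(section, reason, raw_body)] for entries worth researching (assumed rules)."""
    findings = []
    for section, body in entries:
        if section == "R1":
            findings.append((section, "IE setting written outside the UI; confirm you chose it", body))
        elif section == "O6":
            findings.append((section, "IE policy restriction present; normal only on admin-managed PCs", body))
        elif section == "O16":
            clsid, name, url = parse_dpf(body)
            if not host_allowed(url):
                reason = "ActiveX download from a host outside the allowlist"
                if name is None:
                    reason += ", no control name"
                if clsid is None:
                    reason += ", no CLSID"
                findings.append((section, reason, body))
        elif section == "O4":
            run = RUN_RE.match(body)
            if run and not re.match(r'^"?[A-Za-z]:\\', run.group("cmd")):
                exe = run.group("cmd").split()[0] if run.group("cmd") else "?"
                findings.append((section, "autorun by bare filename (%s); locate the file on disk first" % exe, body))
    return findings


if __name__ == "__main__":
    print("Platform:", platform_of(SAMPLE_LOG))
    for section, reason, raw in triage(parse_entries(SAMPLE_LOG)):
        print("%-4s %s\n     %s" % (section, reason, raw))
```

Two caveats belong with this. First, a rule like the O4 one only says where to look: an entry with a full path under Program Files (the LiveUpdate line, for instance) passes the heuristic, and judging it still takes the per-line search brad recommends. Second, check the platform line before acting on any file path: the posted log says Windows 98 SE, whose system directory is C:\WINDOWS\SYSTEM, so a path under C:\WINDOWS\System32 cannot exist on that machine and its absence is expected rather than a sign of a hidden file.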

Postby lilpinkflower » Sat May 08, 2004 12:46 am

u see stuff i didnt even notice !!

just to be borin lol...cud u tell me wot the things r that i have to delete

i mean...explain why they have to be deleted

its not that i dont trust u !!! far from it.... i just like to kno

i like to learn as i go along :P

ta sweet

lilpink x
lilpinkflower

Postby Geekgirl » Sat May 08, 2004 5:20 am

i agree wit da lilpinkflower

let us no wot we lookin at and y we gotsta delete it. next time we mite not hafta bodder ya :wink:
Geekgirl
Geek Alumni
Posts: 1214
Joined: Mon Apr 12, 2004 1:00 am

Postby brad » Sat May 08, 2004 10:43 am

Just do a search for each line item. Check out 4, 5, or 6 of the links found for each. Then research each problem. Do this for 3 or 4 hrs. every day and you'll become familiar with what's supposed to be there and what is suspicious.
Also, have a look at this HiJackThis Tutorial

I'm sorry I don't give exact details for everything I find. If I did, I'd hardly be able to help anybody for the time I'd spend.

brad

Postby Cactus » Sat May 08, 2004 2:40 pm

Wow!!
What a great tutorial Brad!
Sure gives an idea as to what all the entries are for in the Log.
Definitely a link to bookmark for future use.

But I'll still be posting my log as I don't have anywhere near the know-how that you do...(how many hours did you say?) :|


:)
Cactus

Postby Geekgirl » Sat May 08, 2004 6:34 pm

If you read each line it's easy to understand what it is, and like brad said, I did Google searches for the ones I didn't know what they were and found out.

great reply brad thx
Geekgirl

Postby lilpinkflower » Sat May 08, 2004 10:12 pm

thanks for ur words of wisdom everyone lolz
hehe

esp geekgirl :|

one thing tho Brad..... n i may be bein daft here i dunno (no comments plz) lol

windows/system32/msgked.exe

it doesnt actually exist on my comp???

ta

lilpink x
lilpinkflower

Postby brad » Sat May 08, 2004 10:27 pm

Well, if you've got "Show Hidden Files" and "Show System Files" selected in Windows Explorer / Tools / Options / View then that's a good thing.
Have all your problems been corrected? (With the Computer, I mean. :) )
brad

Postby lilpinkflower » Sat May 08, 2004 10:38 pm

ive not started deletin anythin...been chasin round after my lil girl all day lol

hehe

i havnt actually got probs wid my nobby...me comp is called nobby by the way lol

he may av the odd bit of lingerin spyware but he's runnin like a dream lolz

i was jus a bit spooked by that welchia fing...but rationality sez to me...it scanned me n dint jump on me ...if ya kno wut i mean

i jus panik...wen my kingdom is under attack lolz

hmmmm problems lolz

fink i av a problem beginnin wid 'g' n endin wid 'l'

lmao

i will get shot for sayin dat lol

but tis tru

i may not be a tru geek goddess but im not a........

i'll leave that to ur imagination

i'll get banned now lolz

i will delete wut u sed.... but i am happy to say i avnt got the .exe

i will do it tomos tho cos tonite im chillin wid a bottle lolz

ta sweet

lilpink x
lilpinkflower
