virus or what: many DNS calls

Berra

Hi, I have been trying to find out why my Pentium
1100MHz/1500MBram/40+120GBHDD is booting up sloooow 60 minutes.
This is only when I am online to the (freeSCO firewall and ADSL-modem). When
I disconnect or shut down the ADSL-modem, it starts up ok.

Checking the freeSCO's message log tells me something like this:

Nov 19 09:08:59 - dnsmasq[1251]: query jupitersatellites.biz from 192.168.1.1
Nov 19 09:08:59 - dnsmasq[1251]: forwarded jupitersatellites.biz to 195.67.199.21
Nov 19 09:09:00 - dnsmasq[1251]: query jupitersatellites.biz from 192.168.1.1
Nov 19 09:09:00 - dnsmasq[1251]: forwarded jupitersatellites.biz to 195.67.199.22
Nov 19 09:09:01 - dnsmasq[1251]: query jupitersatellites.biz from 192.168.1.1
Nov 19 09:09:01 - dnsmasq[1251]: forwarded jupitersatellites.biz to 195.67.199.23
Nov 19 09:09:01 - dnsmasq[1251]: reply jupitersatellites.biz is 69.50.190.163
Nov 19 09:10:12 - dnsmasq[1251]: query www.hprofit.com from 192.168.1.1
Nov 19 09:10:12 - dnsmasq[1251]: forwarded www.hprofit.com to 195.67.199.23
Nov 19 09:10:12 - dnsmasq[1251]: reply www.hprofit.com is 200.60.37.206
Nov 19 09:10:12 - dnsmasq[1251]: reply hprofit.com is 200.60.37.206
Nov 19 09:10:49 - dnsmasq[1251]: query profitcluballiance.com from 192.168.1.1
Nov 19 09:10:49 - dnsmasq[1251]: forwarded profitcluballiance.com to 195.67.199.23
Nov 19 09:10:49 - dnsmasq[1251]: reply profitcluballiance.com is 69.64.40.55

And so on....

Sometimes I can log in on the computer, and the task monitor tells me that
"winlogon.exe" is using 99-100% CPU!
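The dnsmasq log above is the kind of evidence that can be checked mechanically instead of by eye. The script below is an added example, not code from the thread or from freeSCO: it parses dnsmasq "query" lines in the layout shown, groups them per client, and flags any client that asks for more than a handful of distinct names inside a short sliding window, which is what a bot waking up at boot looks like. The sample log is constructed to mirror the post (the *.test names and the second client 192.168.1.5 are made up), the year is assumed because syslog timestamps carry none, and the window and threshold are assumptions to tune against your own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches dnsmasq "query" lines in the form the post shows
# ("query name from client") and the later "query[A] name from client" form.
QUERY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) - dnsmasq\[\d+\]: "
    r"query(?:\[\w+\])? (?P<name>\S+) from (?P<client>\S+)$"
)

# Constructed sample in the same layout as the freeSCO message log in the post;
# the *.test names and the 192.168.1.5 client are made up for this example.
SAMPLE_LOG = """\
Nov 19 09:08:59 - dnsmasq[1251]: query jupitersatellites.biz from 192.168.1.1
Nov 19 09:08:59 - dnsmasq[1251]: forwarded jupitersatellites.biz to 195.67.199.21
Nov 19 09:09:00 - dnsmasq[1251]: query jupitersatellites.biz from 192.168.1.1
Nov 19 09:09:01 - dnsmasq[1251]: reply jupitersatellites.biz is 69.50.190.163
Nov 19 09:09:30 - dnsmasq[1251]: query windowsupdate.microsoft.com from 192.168.1.5
Nov 19 09:10:12 - dnsmasq[1251]: query www.hprofit.com from 192.168.1.1
Nov 19 09:10:49 - dnsmasq[1251]: query profitcluballiance.com from 192.168.1.1
Nov 19 09:11:02 - dnsmasq[1251]: query example-a.test from 192.168.1.1
Nov 19 09:11:15 - dnsmasq[1251]: query example-b.test from 192.168.1.1
Nov 19 09:11:40 - dnsmasq[1251]: query example-c.test from 192.168.1.1
"""


def parse_queries(lines, year=2005):
    """Return [(timestamp, client, name)] for every dnsmasq 'query' line.

    Syslog timestamps carry no year, so one is supplied (an assumption here).
    'forwarded' and 'reply' lines are skipped: they do not say which client asked.
    """
    queries = []
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            queries.append((ts, m["client"], m["name"].lower()))
    return queries


def flag_noisy_clients(queries, window_s=180, max_distinct=5):
    """Sliding-window check: a client that looks up more than max_distinct
    distinct names inside any window_s-second span is flagged.

    Returns {client: sorted list of every name that client asked for}, so the
    names can go straight into a block list or a search of the rest of the log.
    """
    per_client = defaultdict(list)
    for ts, client, name in sorted(queries):
        per_client[client].append((ts, name))

    flagged = {}
    for client, events in per_client.items():
        in_window = defaultdict(int)  # name -> occurrences inside the window
        start = 0
        for ts, name in events:
            in_window[name] += 1
            # slide the left edge forward until the window is at most window_s wide
            while (ts - events[start][0]).total_seconds() > window_s:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > max_distinct:
                flagged[client] = sorted({n for _, n in events})
                break
    return flagged


if __name__ == "__main__":
    hits = flag_noisy_clients(parse_queries(SAMPLE_LOG.splitlines()))
    for client, names in hits.items():
        print(f"{client}: {len(names)} distinct names, e.g. {', '.join(names[:3])}")
```

Run it against the whole message log (`python3 dnsburst.py < /var/log/messages` after changing the sample to `sys.stdin`) right after a reboot; a freshly booted client that is not yet logged in should resolve almost nothing, so even a low threshold separates the infected box from the rest of the LAN.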
 
Duane Arnold

Hi, I have been trying to find out why my Pentium
1100MHz/1500MBram/40+120GBHDD is booting up sloooow 60 minutes.
This is only when I am online to the (freeSCO firewall and
ADSL-modem). When I disconnect or shut down the ADSL-modem, it starts
up ok.

Then obviously the modem is shut down and whatever is running cannot make a
connection out and send data.

With the modem online and connected to the Internet, the computer is on and
whatever is doing it can make an outbound connection.
Sometimes I can log in on the computer, and the taskmonitor tells me
that "winlogon.exe" is using 99-100% CPU!

And winlogon.exe may not be the culprit and malware can use it on its
behalf.

You may have to go look for yourself with the proper tools like PE and look
inside a running process and see what's running with it.

http://www.pcworld.com/downloads/file_description/0,fid,23780,00.asp

Menu option Show Lower Pane and Show all DLL(s) will show all hidden
processes that are running with a process when you click on the process in
the Upper Pane. You can also right-click/Properties on a line in the Upper
and Lower Panes to get even more information with PE.

The link below talks about PE and other free tools that can be used to
track something down.

Long

http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_R
ootkit_Tools_in_a_Windows_Environment.html

Short

http://tinyurl.com/klw1

Duane :)
 
David H. Lipman

From: "Berra" <[email protected]>

| Hi, I have been trying to find out why my Pentium
| 1100MHz/1500MBram/40+120GBHDD is booting up sloooow 60 minutes.
| This is only when I am online to the (freeSCO firewall and ADSL-modem). When
| I disconnect or shut down the ADSL-modem, it starts up ok.
|
| Checking the freeSCO:s message-log tells me something, like this:

< snip >


For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.


* * * Please report back your results * * *
 
Berra

Thanks guys!

I seem to have work to do!

So, I will download the tools with my laptop instead.

I will be back and report!

/Bertil
 
Berra

Hi!
Now, I am done!
It was the file "msupdate32.dll" that was responsible.
Checking around a little on the net, I saw that there is a virus/trojan
using the "msupdate32.exe" version. I just killed the process, and all was
OK. Checking inside the file with Notepad, I could read the first URL,
probably the master in the DDoS attack.
There also was the file "mspostsp.exe" with the same date and timestamp:
also renamed. Also, I found it in the registry at the key:
[......\Winlogon\Notify\msupdate] "Dllname"="msupdate32.dll"...........
deleted!

I installed Process Explorer in autostart, then I restarted with the
network connected. When I saw the first DNS call from the computer in the
freeSCO firewall, I disconnected the LAN cable and let the machine work by
itself.
It took more than six hours before it was up and running!!! Then I could
easily see which process was taking all the CPU!

Thanks for the help, David

/Bertil



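The persistence Bertil found, a subkey under Winlogon\Notify whose DllName points at a DLL that winlogon.exe then loads, is worth checking for in general rather than only for the one name. The script below is an added example, not code from the thread: it parses a `reg export` of that key (on Windows 2000/XP: `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`, then open the file with `encoding="utf-16"` since reg.exe writes UTF-16) and reports every notification package that is not in a baseline list. The baseline of stock XP packages is an assumption and should be confirmed against a known-clean machine of the same build; the sample .reg text is constructed, with one stock entry whose DllName is stored as REG_EXPAND_SZ (hex(2), UTF-16LE) and the msupdate entry from the post.

```python
import re

# The key Bertil found the entry under; Winlogon loads every DllName listed here.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baseline: notification packages a stock Windows XP install registers
# (subkey name -> DLL file name, lower case). Confirm against a known-clean
# machine of the same build before trusting a verdict.
KNOWN_PACKAGES = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "sccertprop": "wlnotify.dll",
    "schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "senslogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}

# Constructed sample in "reg export" layout: a stock package whose DllName is a
# REG_EXPAND_SZ (hex(2), UTF-16LE, wrapped with a trailing backslash) and the
# "msupdate" entry described in the post.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,\
  00,00,00
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\msupdate]
"DllName"="msupdate32.dll"
"Startup"="Startup"
"""


def _join_continuations(text):
    """Rejoin .reg value lines that reg.exe wrapped with a trailing backslash."""
    joined, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1]
        else:
            joined.append(buf + line)
            buf = ""
    if buf:
        joined.append(buf)
    return joined


def _decode_value(raw):
    """Decode a .reg value body: a quoted string, or hex(2)/hex(7) UTF-16LE bytes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex(?:\(\d+\))?:(.*)$", raw)
    if m:
        hexdigits = re.sub(r"[\s,]", "", m.group(1))
        return bytes.fromhex(hexdigits).decode("utf-16-le").rstrip("\x00")
    return raw  # dword:... and other types are returned verbatim


def parse_notify_packages(reg_text):
    """Return {subkey: DllName} for each direct subkey of NOTIFY_KEY in a .reg export."""
    prefix = NOTIFY_KEY.lower() + "\\"
    packages, current = {}, None
    for line in _join_continuations(reg_text):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            sub = key[len(prefix):] if key.lower().startswith(prefix) else ""
            current = sub if sub and "\\" not in sub else None
            if current is not None:
                packages.setdefault(current, None)
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if current is not None and m and m.group(1).lower() == "dllname":
            packages[current] = _decode_value(m.group(2))
    return packages


def triage(packages):
    """Return [(subkey, dllname, verdict)]; anything off the baseline is called out."""
    findings = []
    for sub, dll in packages.items():
        filename = (dll or "").lower().rsplit("\\", 1)[-1]
        expected = KNOWN_PACKAGES.get(sub.lower())
        if expected is None:
            verdict = "UNKNOWN: not a stock notification package"
        elif filename != expected:
            verdict = f"MISMATCH: baseline expects {expected}"
        else:
            verdict = "ok"
        findings.append((sub, dll, verdict))
    return findings


if __name__ == "__main__":
    for sub, dll, verdict in triage(parse_notify_packages(SAMPLE_REG)):
        print(f"{sub:<14} {dll!s:<20} {verdict}")
```

An UNKNOWN package is not proof of infection on its own (graphics drivers register their own, for example), but each DllName should resolve to a signed file in %SystemRoot%\system32 that you can account for; a plain file name with no path, as in the msupdate entry, is loaded from the DLL search path and deserves a closer look.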
 
Duane Arnold

Hi!
Now, I am done!
It was the file "msupdate32.dll" that was responsible.
Checking around a little on the net, I saw that there is a
virus/trojan using the "msupdate32.exe" version. I just killed the
process, and all was OK. Checking inside the file with Notepad, I
could read the first URL, probably the master in the DDoS attack.
There also was the file "mspostsp.exe" with the same date and
timestamp: also renamed. Also, I found it in the registry at the key:
[......\Winlogon\Notify\msupdate]
"Dllname"="msupdate32.dll"........... deleted!

I installed Process Explorer in autostart, then I restarted with the
network connected. When I saw the first DNS call from the computer in
the freeSCO firewall, I disconnected the LAN cable and let the machine
work by itself.
It took more than six hours before it was up and running!!! Then I
could easily see which process was taking all the CPU!

Thanks for the help, David

I tell him about PE and I don't get any thanks.

LOL

Duane :)
 
Berra

Ok, Ok friends, I get it!


Thanks everyone!!


-:)

/Bertil




kurt wismer said:
Duane Arnold wrote:
[snip]
I tell him about PE and I don't get any thanks.

so your motivation in helping people is to receive thanks?

--
"it's not the right time to be sober
now the idiots have taken over
spreading like a social cancer,
is there an answer?"
 
Duane Arnold

Ok, Ok friends, I get it!


Thanks everyone!!


-:)

/Bertil




kurt wismer said:
Duane Arnold wrote:
[snip]
I tell him about PE and I don't get any thanks.

so your motivation in helping people is to receive thanks?

You have been <plonked> by me. I don't see you, as you are worthless as far
as I am concerned. So you can stick it up your ass, and don't get your
boxers in a bind or your panties in a pinch commenting to me about
anything.

And you're damn straight I like to get a little acknowledgement every now
and then like everyone else. It's part of the human nature.
 
kurt wismer

Duane said:
Berra said:
Ok, Ok friends, I get it!

Thanks everyone!!

-:)

/Bertil

Duane Arnold wrote:
[snip]

I tell him about PE and I don't get any thanks.

so your motivation in helping people is to receive thanks?

You have been <plonked> by me. I don't see you, as you are worthless as far
as I am concerned. So you can stick it up your ass, and don't get your
boxers in a bind or your panties in a pinch commenting to me about
anything.

right... you might want to be a little more clear about who you're
responding to... i'm guessing it's me and that i was plonked some time
ago so you can't respond directly to me because my message doesn't
appear in your feed...

so how's that plonking working out for you? not so good apparently...
And you're damn straight I like to get a little acknowledgement every now
and then like everyone else. It's part of the human nature.

there are many things that are part of human nature, not all of them
good or noble... being self-serving, for example...
 
David H. Lipman

From: "kurt wismer" <[email protected]>


|
| right... you might want to be a little more clear about who you're
| responding to... i'm guessing it's me and that i was plonked some time
| ago so you can't respond directly to me because my message doesn't
| appear in your feed...
|
| so how's that plonking working out for you? not so good apparently...
||
| there are many things that are part of human nature, not all of them
| good or noble... being self-serving, for example...
|

:)
 
Duane Arnold

From: "kurt wismer" <[email protected]>


|
| right... you might want to be a little more clear about who you're
| responding to... i'm guessing it's me and that i was plonked some
| time ago so you can't respond directly to me because my message
| doesn't appear in your feed...
|
| so how's that plonking working out for you? not so good apparently...
|
|
| there are many things that are part of human nature, not all of them
| good or noble... being self-serving, for example...
|

Self serving and self center my ass WTF are you talking about Kirk? I
don't even think you know. It's your usual BS commenting about nothing
that seems to be your ****ed up trademark which I avoid looking at your
dumb ass at all cost. However, I will respond to you through someone
else's post if I feel the need and you're out of line. But you'll never
get a direct post from me to you worthless POS. Why don't you recite some
God damn Shakespeare and post that while you're at it and take another
sip out of the flask you demented drunk.

One more time here old Kirk boy you can kiss my ass.

<g>
 
David H. Lipman

From: "Duane Arnold" <[email protected]>


| Self serving and self center my ass WTF are you talking about Kirk? I
| don't even think you know. It's your usual BS commenting about nothing
| that seems to be your ****ed up trademark which I avoid looking at your
| dumb ass at all cost. However, I will respond to you through someone
| else's post if I feel the need and you're out of line. But you'll never
| get a direct post from me to you worthless POS. Why don't you recite some
| God damn Shakespeare and post that while you're at it and take another
| sip out of the flask you demented drunk.
|
| One more time here old Kirk boy you can kiss my ass.
|
| <g>

It's Kurt not Kirk !
I for one have learned from Kurt, and your attitude in this thread is NOT making you look
too good.

You should quit while you are behind.
 
Duane Arnold

From: "Duane Arnold" <[email protected]>


| Self serving and self center my ass WTF are you talking about Kirk? I
| don't even think you know. It's your usual BS commenting about
| nothing that seems to be your ****ed up trademark which I avoid
| looking at your dumb ass at all cost. However, I will respond to you
| through someone else's post if I feel the need and you're out of
| line. But you'll never get a direct post from me to you worthless
| POS. Why don't you recite some God damn Shakespeare and post that
| while you're at it and take another sip out of the flask you demented
| drunk.
|
| One more time here old Kirk boy you can kiss my ass.
|
| <g>

It's Kurt not Kirk !

Well that should tell you how much he means to me if I cannot get that
****er's name right. :)
I for one have learned from Kurt, and your attitude in this thread is
NOT making you look too good.

Do you actually think that I give a Rat Ass what you have learned from
anybody? :)
You should quit while you are behind.

Why don't you suck his *dick* while you're at it if that will make you
happy? :)

My attitude is that of the EOR specialist - that's Equal Opportunity
Ragger to you. Don't **** with me and I won't **** with you and I will
return fire if need be.

I got no respect for Kirk, Kurt or whatever -- **** him and maybe you
too. <g>

<VBG>

<EOR>

Duane :)
 
David H. Lipman

From: "Duane Arnold" <[email protected]>

| |
|> Self serving and self center my ass WTF are you talking about Kirk? I
|> don't even think you know. It's your usual BS commenting about
|> nothing that seems to be your ****ed up trademark which I avoid
|> looking at your dumb ass at all cost. However, I will respond to you
|> through someone else's post if I feel the need and you're out of
|> line. But you'll never get a direct post from me to you worthless
|> POS. Why don't you recite some God damn Shakespeare and post that
|> while you're at it and take another sip out of the flask you demented
|> drunk.
|>
|> One more time here old Kirk boy you can kiss my ass.
|>
|
| Well that should tell you how much he means to me if I cannot get that
| ****er's name right. :)
||
| Do you actually think that I give a Rat Ass what you have learned from
| anybody? :)
||
| Why don't you suck his *dick* while you're at it if that will make you
| happy? :)
|
| My attitude is that of the EOR specialist - that's Equal Opportunity
| Ragger to you. Don't **** with me and I won't **** with you and I will
| return fire if need be.
|
| I got no respect for Kirk, Kurt or whatever -- **** him and maybe you
| too. <g>
|
| <VBG>
|
| <EOR>
|
| Duane :)

I don't see any reason for such language nor such a negative attitude.
You obviously can't discuss *anything* in a rational fashion.

/* Please killfile me so you will no longer see what I have to say. */
 
Duane Arnold

I don't see any reason for such language nor such a negative attitude.
You obviously can't discuss *anything* in a rational fashion.

/* Please killfile me so you will no longer see what I have to say. */

I see plenty of reason when someone needs to play the God damn NG Sheriff
in a NG. :)

And you're not worth a damn <plonk> to me. :)

<EOR>

Duane :)
 
Trolls Are Retards

Duane Arnold said:
Well that should tell you how much he means to me if I cannot get that
XXXXX's name right. :)


Do you actually think that I give a Rat Ass what you have learned from
anybody? :)


Why don't you XXXXXX while you're at it if that will make you
happy? :)

My attitude is that of the EOR specialist - that's Equal Opportunity
Ragger to you. Don't XXXX with me and I won't XXXX with you and I will
return fire if need be.

I got no respect for Kirk, Kurt or whatever -- XXXX him and maybe you
too. <g>
Duane :)

Shame on you, son!! My XX key is worn out. Did I get all the XXXXing
words?? Time to wash your mouth out with a bar of lye soap, lol.

Mother
 
Ant

David H. Lipman said:
From: "Duane Arnold":
| I got no respect for Kirk, Kurt or whatever -- **** him and maybe you
| too. <g>

And the horse you rode in on.
I don't see any reason for such language nor such a negative attitude.
You obviously can't discuss *anything* in a rational fashion.

This has long been obvious. He's so sensitive, that he takes any
criticism as a personal attack. It's amusing to watch. Perhaps he
wants to be the new Sooge.
 
Heather

Duane Arnold said:
You whinning *bitches* and you know who you are don't you.

<VBG>

Duane :)

For shame!! And it is "whining or whinging".....so if you are going to
insult me, at least spell it right, lol. But I could *pull a Sooge* and
thank you for calling me "winning".

Bar of soap awaits!!
 
