
Solve : Invisible hijacker??


I was in the school's computer lab doing some research for English I. (The PC is the exact one in GX1_Man's avatar) I had to use IE 6 SP1 and of course it was going slowly. I wanted to get Email, so I could get a link I Emailed myself. I try to go to hotmail.com. That's exactly what I type. However, it takes me to http://hotmail.com.org, which is NOT what I wanted. I think to myself, "browser hijacker". So, I pull out my binder and extract my HJT diskette* (yeah, floppies have a use), pop it in, and scan. I don't see anything out of the ordinary. In fact, I've never seen a cleaner log:

Quote

C:\WINNT\Explorer.EXE
C:\WINNT\SYSTEM32\DWRCST.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
A:\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization MANAGER] mobsync.exe /logon
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126832105875
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amity.k12.or.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amity.k12.or.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = amity.k12.or.us
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINNT\SYSTEM32\DWRCS.EXE
O23 - Service: IM Detector (imdetector) - Unknown owner - C:\Program Files\IMLogic\IM Detector\detector.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec AntiVirus Client (NORTON AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

I Google'd for a few .exe files (difficult) but found nothing. It appears clean; even the last one appeared to be OK. Typing in the http and all the rest RETURNS a 404 error (as it turns out, Email is blocked in the lab...). But at this point, my concern is ridding the PCs of the hijacker, because if that can get through, what else can? We only have Norton for protection there, and if a virus gets on there... well, we use floppies a lot in that lab... Other PCs nearby were slow as well, but I didn't check for the hijacker there. So what's up?

*I don't know if there is a rule about floppy programs or not, but I haven't heard one...

Quote

The PC is the exact one in GX1_Man's avatar

A fine machine indeed!
DWRCST.exe could be Cptv.Windir.Malware, can you get the file byte size?

Check the HOSTS file.

I'll see about getting that as soon as I can.

Dilbert... DWRCST.exe

The dwrcs.exe is a process required to allow other computers to connect to your computer using the DameWare remote control client. If you do not use DameWare remote administration software you should terminate this process.

dwrcs.exe is an application that does NOT appear to be a security risk

Given that nothing showed up in the scans, I would say it's harmless.

dl65  

Malware Group: Cptv.Windir.Malware

Vendor: DameWare Development
Product: DWRCST Tray Icon
Version: 5, 0, 1, 1

Path Name: %WINDIR%\SYSTEM32\

File Name: DWRCST.exe

Behaviour: Modifies the hosts file

File Size: 85504

Observed Behaviour - Cptv.Windir.Malware was first detected by Prevx1 on Jul 16 2005.
Could use your PC to send mass mail using SMTP protocols. Modifies Internet Browser Settings:(HomePage). Creates multiple copies of the Malicious infection on your PC. Creates registry run keys to ensure it is restarted every time you boot your PC. Installs other malicious programs. Examines which processes are running on your PC allowing it to explore vulnerabilities in Windows and your antivirus and anti-spyware products. Modifies the HostsFile which could stop your antivirus or anti-spyware protection or PUT your personal information at risk. Connects with 3rd party computer systems and forwards data via the internet. Hijacks other processes.

You will find out for sure when you check the file size.
Check your HOSTS file for re-directs.

OK. Soon as I can. I couldn't get into the computer lab today though; testing. :-/
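Two of the replies above say to check the HOSTS file for redirects. The script below is an added example, not code from this thread or from any of the posters: it parses a Windows-style HOSTS file and flags entries that send a real hostname to some other address (a redirect) or map a non-localhost name to loopback/0.0.0.0 (the usual way malware silences antivirus and update servers). The sample HOSTS text, the 203.0.113.5 address and the two injected entries are constructed for the demonstration; the path in the docstring is the standard Windows location and is the only assumption about the real machine.

```python
"""Audit a Windows HOSTS file for suspicious redirect entries.

Added example (not from the thread). SAMPLE_HOSTS below is constructed:
the 203.0.113.5 address and the two injected lines are made up for the
demonstration. On a real machine read the file at
%SystemRoot%\\system32\\drivers\\etc\\hosts and pass its text to audit_hosts().
"""
import ipaddress

# Constructed sample: a default Windows HOSTS file plus two injected entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
# injected lines (constructed for this example)
203.0.113.5     hotmail.com www.hotmail.com
127.0.0.1       liveupdate.symantecliveupdate.com
"""

# Names that legitimately map to loopback and should never be flagged.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Return a list of (ip, hostname, line_no) for every mapping in the text.

    Comments (#) and blank lines are skipped; one line may list several names.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed: no hostname
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower(), line_no))
    return entries


def classify(ip, name):
    """Return a finding label for one mapping, or None if it looks normal.

    'redirect'  : a real hostname sent to a non-loopback address, so the browser
                  lands somewhere other than the genuine site.
    'blackhole' : a name other than localhost mapped to loopback or 0.0.0.0,
                  which silently breaks AV/update servers.
    'bad_ip'    : the address field is not a valid IPv4/IPv6 address at all.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "bad_ip"
    if name in LOOPBACK_NAMES:
        return None
    if addr.is_loopback or addr.is_unspecified:
        return "blackhole"
    return "redirect"


def audit_hosts(text):
    """Return a list of (label, ip, hostname, line_no) findings for the text."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        label = classify(ip, name)
        if label:
            findings.append((label, ip, name, line_no))
    return findings


if __name__ == "__main__":
    for label, ip, name, line_no in audit_hosts(SAMPLE_HOSTS):
        print("%-9s line %d: %s -> %s" % (label, line_no, name, ip))
```

A 'blackhole' hit is not always malicious, since ad-blocking lists use the same trick, so compare the flagged names against the vendor update and antivirus hostnames the machine is supposed to reach before deleting anything; a 'redirect' of a well-known site to an outside address is the case the replies above are asking about and should be treated as a finding on its own.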

