Explorer.exe does strange things...

Thread starter: Giuseppe

My Explorer.exe always tries to connect
to "fbiserver.shacknet.nu" (151.25.32.99).

I have XP Home Edition SP2, fully updated, with Avast
antivirus + Firewall + Spybot Search & Destroy and the
great Microsoft Anti-spyware Beta...
 
The new DLLs have been loaded:
C:\PROGRA~1\MICROS~3\Office10\MCPS.DLL

To disable DLL Authentication go to the security tab under
the Tools, Options menu.

File Version : 6.0.2900.2180
File Description : Esplora risorse
File Path : C:\WINDOWS\explorer.exe
Process ID : 0x9EC (Heximal) 2540 (Decimal)

Connection origin : local initiated
Protocol : TCP
Local Address : 192.168.0.2
Local Port : 1042
Remote Name : fbiserver.shacknet.nu
Remote Address : 151.25.32.99
Remote Port : 3386 (GPRS-DATA - GPRS Data)

Ethernet packet details:
Ethernet II (Packet Length: 76)
Destination: 00-50-22-10-03-57
Source: 08-00-46-db-ab-ce
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 64
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x0 (Incorrect - Checksum should be 0xa503)
Source: 192.168.0.2
Destination: 151.25.32.99
Transmission Control Protocol (TCP)
Source port: 1042
Destination port: 3386
Sequence number: 1981374775
Acknowledgment number: 0
Header length: 28
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Checksum: 0x5c22 (Correct)
Data (0 Bytes)

Binary dump of the packet:
0000: 00 50 22 10 03 57 08 00 : 46 DB AB CE 08 00 45 00 | .P"..W..F.....E.
0010: 00 30 BE FC 40 00 40 06 : 00 00 C0 A8 00 02 97 19 | .0..@.@.........
0020: 20 63 04 12 0D 3A 76 19 : 61 37 00 00 00 00 70 02 | c...:v.a7....p.
0030: FF FF 22 5C 00 00 02 04 : 05 B4 01 01 04 02 65 72 | .."\..........er
0040: 63 69 61 05 6E 6F 2D 69 : 70 03 6F 72 | cia.no-ip.or
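The frame in the firewall alert above can be checked by hand. The following is an added example (not from the original poster or the firewall vendor) that dissects that exact dump, recomputes the IP and TCP checksums per RFC 1071, decodes the TCP flags, and prints the bytes that sit past the end of the IP datagram, which is where "cia.no-ip.or" comes from. The firewall prints checksums byte-swapped (0xa503 and 0x5c22), so the script's 0x03a5 and 0x225c are the same values in network order.

```python
import struct

# Constructed input: the 76-byte frame transcribed from the firewall alert above.
FRAME = bytes.fromhex(
    "00 50 22 10 03 57 08 00 46 DB AB CE 08 00 45 00 "
    "00 30 BE FC 40 00 40 06 00 00 C0 A8 00 02 97 19 "
    "20 63 04 12 0D 3A 76 19 61 37 00 00 00 00 70 02 "
    "FF FF 22 5C 00 00 02 04 05 B4 01 01 04 02 65 72 "
    "63 69 61 05 6E 6F 2D 69 70 03 6F 72"
)
FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, folded and inverted."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def analyze_frame(frame: bytes) -> dict:
    """Dissect Ethernet/IPv4/TCP, verify both checksums, expose the trailer."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    hdr = ip[:ihl]
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    # Checksums are recomputed with the checksum field zeroed; the TCP one also
    # covers the pseudo-header (src, dst, zero, protocol, TCP length).
    ip_calc = rfc1071_checksum(hdr[:10] + b"\x00\x00" + hdr[12:])
    pseudo = hdr[12:20] + struct.pack("!BBH", 0, hdr[9], len(tcp))
    tcp_calc = rfc1071_checksum(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])
    trailer = frame[14 + total_len:]  # bytes past the IP datagram (Ethernet trailer)
    return {
        "src": ".".join(map(str, hdr[12:16])), "dst": ".".join(map(str, hdr[16:20])),
        "sport": struct.unpack("!H", tcp[0:2])[0], "dport": struct.unpack("!H", tcp[2:4])[0],
        "flags": [n for i, n in enumerate(FLAG_NAMES) if tcp[13] & (1 << i)],
        "ip_checksum_wire": struct.unpack("!H", hdr[10:12])[0], "ip_checksum_calc": ip_calc,
        "tcp_checksum_wire": struct.unpack("!H", tcp[16:18])[0], "tcp_checksum_calc": tcp_calc,
        "payload_len": len(tcp) - data_off,
        "trailer_ascii": "".join(chr(b) if 32 <= b < 127 else "." for b in trailer),
    }


if __name__ == "__main__":
    for k, v in analyze_frame(FRAME).items():
        print(f"{k:18} {v:#06x}" if "checksum" in k else f"{k:18} {v}")
```

A zero IP checksum on a locally captured outbound SYN is usually the NIC's checksum offload at work rather than tampering, so it is not evidence on its own. The trailer bytes (0x05 "no-ip" 0x03 "or") are DNS-label encoded and are consistent with stale buffer content from an earlier name lookup, not with data the SYN carried.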
 
I've no idea what this is about, but it sure isn't good.

Neither fbiserver.shacknet.nu nor cia.no-ip.org looks like a place I'd want
to visit.

I can't seem to reach either one at the moment, which is probably a good
thing.

I don't find either URL in the MVP Hosts file which is a pretty extensive
list of malware sites, so maybe these are newer or smaller fry than they
notice.

I would recommend guided cleaning via HijackThis at an online forum designed
for that purpose.

You can start here:

http://www.aumha.org/a/quickfix.htm

You can download the HijackThis application from links in this page, and
post logs at their forum--in step 6.
 
Thanks for your hints...

PS: The IP of "fbiserver...." sometimes changes...

Explorer always loads Office XP DLLs (from 1 to 5)...
Maybe I have an unknown virus that infected Office XP...
 
Cleaning via HijackThis with help from a forum is a good way to deal with
something unknown--I'd be interested to hear how it goes, and whether they
ever put a name on what's happening.
 
He posted his HijackThis log at:

http://forum.aumha.org/viewtopic.php?p=90395

It looks clean.

I assume he has tried to turn off Active Desktop or
display webcontent? Sometimes that does some odd things.


We are currently seeing a lot of problems with something
called alemod:

http://vil.nai.com/vil/content/v_134451.htm

This thing is invisible in HijackThis since it replaces
the wininet.dll file in the System32 folder with its own
file. Sometimes explorer stops running altogether and the
complaint is no desktop. The easiest way to check for a
bad wininet.dll file is to run sigverif:

Start, Run, sigverif, OK then press Start when the program
comes up. If wininet.dll shows up in the output then
that's a good sign that it's been replaced with a bogus
version.

The fix for a bad wininet.dll is to get a new one from
http://www.dll-files.com/dllindex/dll-files.shtml?wininet
and save it to C:\

I always use Killbox to delete on reboot the files
mentioned in the McAfee article so it can't reinfect.

Then boot into Safe Mode with Command Prompt and:

del C:\Windows\System32\dllcache\wininet.dll
del /f C:\Windows\System32\wininet.dll
copy c:\wininet.dll c:\windows\system32\

Also in HijackThis, Misc Tools, Open Process Manager,
check the box where it says Show Dlls, then select
explorer.exe and look in the bottom pane to see what
folders have DLLs loaded that are not in the System32
folder. Then use sigverif to check them (look under
Advanced). Interestingly, explorer.exe is not signed in my
Win2K, but it does show version 5.0.3700.6690.

Ron
 
Thanks for the report, Ron.

I used sigverif recently just to see whether it would work for a novice
user--the article I was reading said run it and verify that 0 files are
shown as not verifying (?) I think I had hundreds shown as not verifying,
so I didn't post that reference. But I could look for an individual file, I
guess!

This is another rootkit-like behavior that Microsoft Antispyware probably
needs to look for, I guess.

I'm a bit surprised this hijack succeeds--are these Windows 2000, XP SP2??
 