  1. #1
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Salt Lake City, Utah, USA
    Posts
    9,508
    Thanks
    0
    Thanked 6 Times in 6 Posts

    Checkin.B Trojan

    For the second time in consecutive days I have been hit at work with Checkin.B variant. It's not a true virus, rather it's net snoop software. See Kaspersky and F-Secure.

    My question isn't with removing the virus (well, maybe it is, because once installed, it reports the machine to another site, from where it may be being reinstalled), it's with tracking down the source. Today I opened the browser, went, in order, to my Corporate Intranet, to Yahoo, and finally here to the Lounge. Bingo, the virus checker pops up Checkin.B again.

    Does anyone know where this pest is coming from? Anyone having similar experiences? Is it possible that my Corporate Intranet is tainted? Yahoo? (Wouldn't surprise me.) Certainly hope it's not the Lounge. Anyone know of a permanent cleaner? (The corporate Virus checker, Trend Micro Officescan, which I do not have permission to change, doesn't seem to handle it very well.)
    -John ... I float in liquid gardens
    UTC -7±DS

  2. #2
    Banned Member
    Join Date
    Jul 2002
    Location
    Newport Richey, Florida, USA
    Posts
    2,149
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Checkin.B Trojan

    Have you tried a Spyware remover Program?
    Have you located and removed these? I got this from one of your Links above.

    The trojan EXE file does not copy itself to any directory but creates a system registry auto-run key:

    "Checkin.a":

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    SysReg = %SystemDir%\SysReg

    "Checkin.b":

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    OWMngr = %SystemDir%\OWMngr.exe

    The trojan program also creates more registry keys:

    HKCU\Software\IExplore
    Ads
    AID
    ID
    LoggedIn

  3. #3
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Salt Lake City, Utah, USA
    Posts
    9,508
    Thanks
    0
    Thanked 6 Times in 6 Posts

    Re: Checkin.B Trojan

    Cowboy, I cleaned it all out, again, but I'm trying to avoid doing a third and subsequent cleanups. Can't find any preventive devices for this one yet, but haven't completed my search.
    -John ... I float in liquid gardens
    UTC -7±DS

  4. #4
    5 Star Lounger
    Join Date
    May 2002
    Location
    43.8N 81.0W, Ontario
    Posts
    815
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Checkin.B Trojan

    Hi John

    Considering how often these have been mentioned in the lounge, I probably shouldn't be asking......but, have you run both Spybot S&D and AdAware???

    Have a Great day!!!
    Ken

  5. #5
    5 Star Lounger
    Join Date
    May 2002
    Location
    43.8N 81.0W, Ontario
    Posts
    815
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Checkin.B Trojan

    Hi again John

    If you haven't tried it, you could also try SpywareBlaster.
    It's good spyware prevention program to use in addition to Spybot S&D.

    Have a Great day!!!
    Ken

  6. #6
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Checkin.B Trojan

    To avoid the "payload," you might want to use your hosts file to redirect ads.onwebmedia.com to 127.0.0.1 (localhost). See http://www.trendmicro.com/vinfo/virusencyc...ECKIN.B&VSect=T.

  7. #7
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Salt Lake City, Utah, USA
    Posts
    9,508
    Thanks
    0
    Thanked 6 Times in 6 Posts

    Re: Checkin.B Trojan

    I plead ignorance. Is this the hosts file in Win 2000, IE 6.026, located at C:\winnt\system32\drivers\etc, with data in text format laid out as:

    207.44.240.65 ad.ca.doubleclick.net

    Where does 207.44.240.65 redirect?

    And I should edit this file to include:

    127.0.0.1 ads.onwebmedia.com

    Do I get it?
    -John ... I float in liquid gardens
    UTC -7±DS

  8. #8
    Silver Lounger Bruce K's Avatar
    Join Date
    Apr 2002
    Location
    Phoenix, Arizona, USA
    Posts
    1,876
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Checkin.B Trojan

    Hi, John ~

    207.44.240.65 is the resolved address to ad.ca.doubleclick.net. If you change that in your HOSTS file to 127.0.0.1, then it will not load. 127.0.0.1 is the address of your own computer. Before any URLs are resolved via DNS, it checks the HOSTS file first. It will find ad.ca.doubleclick.net, but instead of going to the real address, it is redirected to your own computer at 127.0.0.1 where there is nothing and thus nothing loads.

  9. #9
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Salt Lake City, Utah, USA
    Posts
    9,508
    Thanks
    0
    Thanked 6 Times in 6 Posts

    Re: Checkin.B Trojan

    OK. Then how come all my host file contents are redirected to 207.44.240.65? Here's a sample of the file:

    207.44.240.65 images.trafficmp.com
    207.44.240.65 ad.ca.doubleclick.net
    207.44.240.65 ads.specificpop.com
    207.44.240.65 ads.specificclick.com
    207.44.240.65 ads.popupsponsor.com
    207.44.240.65 adfarm.mediaplex.com
    207.44.240.65 media.fastclick.net
    207.44.240.65 media1.fastclick.net
    207.44.240.65 adserv.internetfuel.com
    207.44.240.65 www.satellitepop.com

    as they say on late night TV, and many more.
    -John ... I float in liquid gardens
    UTC -7±DS

  10. #10
    Silver Lounger Bruce K's Avatar
    Join Date
    Apr 2002
    Location
    Phoenix, Arizona, USA
    Posts
    1,876
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Checkin.B Trojan

    Ahh, interesting! I didn't know that beforehand. Let me check - BRB!

  11. #11
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Salt Lake City, Utah, USA
    Posts
    9,508
    Thanks
    0
    Thanked 6 Times in 6 Posts

    Re: Checkin.B Trojan

    Sorry, I did not explain that in the prior post, which was misleading on my part.
    -John ... I float in liquid gardens
    UTC -7±DS

  12. #12
    Silver Lounger Bruce K's Avatar
    Join Date
    Apr 2002
    Location
    Phoenix, Arizona, USA
    Posts
    1,876
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Checkin.B Trojan

    Well, whatever it is, it got me!

    I loaded the address and nothing apparently loaded but a "page unavailable". However, I did find it promptly changed my home page to http://www.slotch.com/?&account_id=126482, some crappy internet search and sales site that among other things, conspicuously showcases adult entertainment. Who knows what else was changed. I will check and find out about that address, but it sounds like your HOSTS file may have been hijacked. I would recommend replacing it with one of the HOSTS files from SpyBot or one that R2 and TimOz suggest.

  13. #13
    Uranium Lounger
    Join Date
    Dec 2000
    Location
    Salt Lake City, Utah, USA
    Posts
    9,508
    Thanks
    0
    Thanked 6 Times in 6 Posts

    Re: Checkin.B Trojan

    [censored]! Thanks. I replaced all those IP addresses with 127.0.0.1 and made the file read-only. Technically I'm supposed to get permission to screw with the work machine. The IS guys have blind faith in the Virus Checker, we'll see what happens.
    -John ... I float in liquid gardens
    UTC -7±DS
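The manual fix John describes (every ad hostname pointing at one outside address, rewritten to loopback) is easy to automate and, more usefully, easy to detect before it does damage. The script below is an added example, not code from this thread or from any of the posters or tools mentioned; it parses a hosts file, flags every entry whose target is not a loopback or null address, reports the single address that most of the flagged names share (the signature of a mass hijack like the one above), and rewrites those entries to 127.0.0.1. The sample hosts text is constructed for the example and modelled on the lines John posted; the intranet entry in it is invented to show that a non-loopback entry can be legitimate and should be reviewed rather than blindly rewritten.

```python
"""Audit a hosts file for hijacked ad-block entries.

An ad-blocking hosts file maps unwanted hostnames to a loopback or null
address so requests go nowhere. A hijacked one maps the same names to an
outside address, so every "blocked" hostname quietly loads content from
whoever controls that address.
"""
import ipaddress
import re
from collections import Counter

# Targets that are legitimate sinkholes for a blocked hostname.
SINKHOLES = frozenset({"127.0.0.1", "0.0.0.0", "::1"})

# Constructed sample, modelled on the thread (not a captured real file).
# The intranet line is hypothetical, included as a legitimate non-loopback entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
207.44.240.65   images.trafficmp.com
207.44.240.65   ad.ca.doubleclick.net
207.44.240.65   ads.specificpop.com   # trailing comment
127.0.0.1       ads.onwebmedia.com
::1             localhost
192.168.1.10    intranet.example.corp
"""


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every active entry."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not "address hostname ..."; ignore malformed line
        yield line_no, parts[0], parts[1:]


def audit_hosts(text, sinkholes=SINKHOLES):
    """Return [(line_no, address, hostname)] for entries not sent to a sinkhole.

    Every finding deserves a look: some are legitimate (a private intranet
    host), but a long run of ad/tracker names sharing one public address is
    the hijack pattern seen in the thread.
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        if addr in sinkholes:
            continue
        findings.extend((line_no, addr, name) for name in names)
    return findings


def dominant_redirect(findings):
    """Return (address, count) for the most common flagged target, or None."""
    if not findings:
        return None
    return Counter(addr for _, addr, _ in findings).most_common(1)[0]


def repair_hosts(text, bad_address, replacement="127.0.0.1"):
    """Rewrite every entry whose address is bad_address to the replacement.

    Only the leading address token is touched; comments and spacing survive.
    """
    pattern = re.compile(r"^(\s*)" + re.escape(bad_address) + r"(?=\s)", re.M)
    return pattern.sub(lambda m: m.group(1) + replacement, text)


if __name__ == "__main__":
    found = audit_hosts(SAMPLE_HOSTS)
    for line_no, addr, name in found:
        print(f"line {line_no}: {name} -> {addr}")
    hit = dominant_redirect(found)
    if hit and hit[1] > 1:
        addr, count = hit
        print(f"{count} hostnames share {addr}; rewriting them to 127.0.0.1")
        print(repair_hosts(SAMPLE_HOSTS, addr))
```

On Windows 2000 the file to feed in is the one John names (C:\winnt\system32\drivers\etc\hosts); on Unix-like systems it is /etc/hosts. Rewriting to 127.0.0.1 mirrors what John did by hand; 0.0.0.0 is an equally common choice that fails faster because nothing listens on it. Setting the file read-only afterwards, as John also did, is cheap, but a process running as the user can clear that bit, so re-running the audit periodically is the check that actually catches a repeat hijack.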

  14. #14
    Silver Lounger Bruce K's Avatar
    Join Date
    Apr 2002
    Location
    Phoenix, Arizona, USA
    Posts
    1,876
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Checkin.B Trojan

    Blind faith huh? Check this out.

    I am still checking to see what else may have been snuck on my system. In the meantime, SamSpade Safe Browser couldn't connect to its server and the SS Whois turned up a block of addresses of Everyones Internet, Inc. which means nothing to me and more searching turned up more garbage.

  15. #15
    5 Star Lounger
    Join Date
    May 2002
    Location
    43.8N 81.0W, Ontario
    Posts
    815
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Checkin.B Trojan

    Hi John

    Here's some info about the ID in your Hosts file:

    Search results for: 207.44.240.65


    OrgName: Everyones Internet, Inc.
    OrgID: EVRY
    Address: 2600 Southwest Frwy., Suite 500
    City: Houston
    StateProv: TX
    PostalCode: 77098
    Country: US

    NetRange: 207.44.128.0 - 207.44.255.255
    CIDR: 207.44.128.0/17
    NetName: EVRY-BLK-11
    NetHandle: NET-207-44-128-0-1
    Parent: NET-207-0-0-0-0
    NetType: Direct Allocation
    NameServer: NS1.EV1.NET
    NameServer: NS2.EV1.NET
    Comment:
    RegDate:
    Updated: 2002-05-08

    TechHandle: RW172-ARIN
    TechName: Williams, Randy
    TechPhone: +1-713-400-5400
    TechEmail: admin@ev1.net

    OrgTechHandle: RW172-ARIN
    OrgTechName: Williams, Randy
    OrgTechPhone: +1-713-400-5400
    OrgTechEmail: admin@ev1.net

    Have a Great day!!!
    Ken
