Trouble removing trojans [CLOSED]

#1
Bhishma
    New Member, 1 posts

Any help I can get would be appreciated. Two days ago, I noticed that after going online, the sent bytes were outpacing the received. After installing ZoneAlarm, I discovered the culprit was xpjava.exe. I went through some fixes, installed Ewido and HijackThis, and I thought I removed both xpjava and pokapoka70.exe, deleting the windows/ebt folder. Ewido then found 150 intrusions, mostly cookies. However, the next day Ewido found taskcntr.exe and another trojan. Now today Ewido found Backdoor.SdBot and Trojan.QHost. I am wondering if I removed xpjava and pokapoka thoroughly. I did not run LQFix or VundoFix, though I'm not sure those are necessary in my case. In ZoneAlarm I am getting mostly UDP intrusions today.

Here is a log from HijackThis run after the last Ewido scan.
Whoa, when I try to run HijackThis, it keeps closing, and only works after I change the name to JijackThis.

Logfile of HijackThis v1.99.1
Scan saved at 11:49:19 AM, on 10/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ZoneLabs\isafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\rasautou.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\libsys32.exe
C:\Download\hijackthis\JijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [Microsoft System Checkup] libsys32.exe
O4 - HKLM\..\RunServices: [Microsoft System Checkup] libsys32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E865A9E-F7A6-4D68-8862-73F80D57B039}: NameServer = 209.63.0.6 207.173.86.6
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\System32\ZoneLabs\isafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NT login service (ntlogin32) - Unknown owner - C:\WINDOWS\System32\libsys32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Here is the services.msc list of started services ((m) for manual): Application Layer Gateway Service (m), CA ISafe, COM+ Event System (m), Computer Browser, Cryptographic Services, DHCP Client, Distributed Link Tracking Client, DNS Client, Event Log, Ewido Security Suite, Fast User Switching (m), Help and Support, ICF/ICS, IPSec Services, LEXBCE, Logical Disk Manager, NT Login Service, Network Connections (m), NLA (m), Plug and Play, Portable Media Serial Number, Print Spooler, Protected Storage, Remote Access Connection Manager (m), Remote Access Auto Connection Manager (m), RPC, Secondary Logon, Security Accounts Manager, Server, Shell Hardware Detection, SSDP Discovery (m), System Event Notification, System Restore, Task Scheduler, TCP/IP NetBIOS, Telephony (m), Terminal Services (m), Themes, TrueVector, Upload Manager, WebClient, Windows Audio, WIA, WMI, Windows Time, Wireless Zero Configuration, Workstation

----------------
Finally, here are some entries from the ZoneAlarm logfile.

ZoneAlarm Logging Client v5.5.062.004
Windows XP-5.1.2600--SP
type,date,time,source,destination,transport (security)
type,date,time,virus name,file name,mode,e-mail id (antivirus)
type,date,time,source,destination,action,service (IM security)
PE,2005/09/30,19:43:02 -5:00 GMT,Generic Host Process for Win32 Services,0.0.0.0:5000,N/A
PE,2005/09/30,19:43:02 -5:00 GMT,Generic Host Process for Win32 Services,192.168.2.17:0,N/A
ACCESS,2005/09/30,19:43:02 -5:00 GMT,Generic Host Process for Win32 Services was unable to obtain permission for connecting to the Internet (192.168.2.17); access was denied.,N/A,N/A
PE,2005/09/30,19:43:02 -5:00 GMT,Generic Host Process for Win32 Services,192.168.2.17:0,N/A
PE,2005/09/30,19:43:02 -5:00 GMT,Generic Host Process for Win32 Services,169.254.78.171:0,N/A
ACCESS,2005/09/30,19:43:02 -5:00 GMT,Generic Host Process for Win32 Services was unable to obtain permission for connecting to the Internet (169.254.78.171); access was denied.,N/A,N/A
PE,2005/09/30,19:43:08 -5:00 GMT,taskcntr.exe,0.0.0.0:53,N/A
ACCESS,2005/09/30,19:43:08 -5:00 GMT,taskcntr.exe was unable to obtain permission for connecting to the Internet; access was denied.,N/A,N/A
PE,2005/09/30,19:43:08 -5:00 GMT,taskcntr.exe,0.0.0.0:53,N/A
PE,2005/09/30,19:43:16 -5:00 GMT,taskcntr.exe,0.0.0.0:53,N/A
ACCESS,2005/09/30,19:43:16 -5:00 GMT,taskcntr.exe was unable to obtain permission for connecting to the Internet; access was denied.,N/A,N/A
ACCESS,2005/09/30,19:44:52 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (239.255.255.250:Port 1900).,N/A,N/A
ACCESS,2005/09/30,19:44:52 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (127.0.0.1:Port 3009).,N/A,N/A
ACCESS,2005/09/30,19:44:52 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (255.255.255.255:DHCP).,N/A,N/A
FWROUTE,2005/09/30,19:44:52 -5:00 GMT,67.136.146.26:3010,209.63.0.6:53,UDP
PE,2005/09/30,19:44:54 -5:00 GMT,Generic Host Process for Win32 Services,209.63.0.6:53,N/A
ACCESS,2005/09/30,19:44:56 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from sending data to the Internet (239.255.255.250:Port 1900).,N/A,N/A
ACCESS,2005/09/30,19:44:56 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (192.168.2.17).,N/A,N/A
ACCESS,2005/09/30,19:44:56 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (169.254.78.171).,N/A,N/A
ACCESS,2005/09/30,19:44:56 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (209.63.0.6:DNS).,N/A,N/A
ACCESS,2005/09/30,19:44:58 -5:00 GMT,taskcntr.exe was temporarily blocked from connecting to the Internet (207.173.86.6:DNS).,N/A,N/A
ACCESS,2005/09/30,19:45:02 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (127.0.0.1:Port 3012).,N/A,N/A
ACCESS,2005/09/30,19:45:02 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (127.0.0.1:Port 3013).,N/A,N/A
ACCESS,2005/09/30,19:47:02 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (255.255.255.255:DHCP).,N/A,N/A
FWIN,2005/09/30,19:51:26 -5:00 GMT,67.136.142.46:4751,67.136.146.2:445,TCP (flags:S)
FWIN,2005/09/30,20:00:44 -5:00 GMT,67.104.118.67:1546,67.136.146.2:445,TCP (flags:S)
FWIN,2005/09/30,20:04:34 -5:00 GMT,68.192.226.83:5431,67.136.146.2:1026,UDP
FWIN,2005/09/30,20:04:36 -5:00 GMT,200.115.206.175:1036,67.136.146.2:137,UDP
FWIN,2005/09/30,20:09:30 -5:00 GMT,221.208.208.15:34015,67.136.146.2:1026,UDP
FWOUT,2005/09/30,20:12:26 -5:00 GMT,67.136.146.2:3014,207.173.86.6:53,UDP
PE,2005/09/30,20:12:30 -5:00 GMT,Generic Host Process for Win32 Services,209.63.0.6:53,N/A
ACCESS,2005/09/30,20:12:34 -5:00 GMT,,N/A,N/A
ACCESS,2005/09/30,20:12:34 -5:00 GMT,,N/A,N/A
ACCESS,2005/09/30,20:12:34 -5:00 GMT,,N/A,N/A
ACCESS,2005/09/30,20:12:34 -5:00 GMT,,N/A,N/A
FWIN,2005/09/30,20:13:40 -5:00 GMT,199.181.135.4:12927,67.136.146.2:33436,UDP
FWIN,2005/09/30,20:14:52 -5:00 GMT,67.136.140.147:4209,67.136.146.2:135,TCP (flags:S)
FWIN,2005/09/30,20:17:06 -5:00 GMT,67.136.154.177:2532,67.136.146.2:135,TCP (flags:S)
FWIN,2005/09/30,20:17:22 -5:00 GMT,66.151.125.26:11892,67.136.146.2:33440,UDP
FWIN,2005/09/30,20:21:14 -5:00 GMT,68.195.71.211:18178,67.136.146.2:1026,UDP
FWIN,2005/09/30,20:23:46 -5:00 GMT,67.136.149.168:3366,67.136.146.2:1433,TCP (flags:S)
FWIN,2005/09/30,20:26:46 -5:00 GMT,70.84.34.202:32777,67.136.146.2:1026,UDP
FWIN,2005/09/30,20:27:28 -5:00 GMT,67.81.172.134:4795,67.136.146.2:2745,TCP (flags:S)
FWIN,2005/09/30,20:28:34 -5:00 GMT,219.133.174.214:0,67.136.146.2:0,ICMP (type:8/subtype:0)
PE,2005/09/30,20:28:50 -5:00 GMT,Internet Explorer,127.0.0.1:3254,N/A
FWIN,2005/09/30,20:34:28 -5:00 GMT,12.110.182.136:20085,67.136.146.2:1026,UDP
FWIN,2005/09/30,20:34:52 -5:00 GMT,67.136.150.51:4440,67.136.146.2:1433,TCP (flags:S)
FWIN,2005/09/30,20:37:50 -5:00 GMT,68.191.131.105:16959,67.136.146.2:1026,UDP
FWIN,2005/09/30,20:38:26 -5:00 GMT,67.136.142.46:3168,67.136.146.2:445,TCP (flags:S)
FWIN,2005/09/30,20:43:00 -5:00 GMT,60.18.168.105:4050,67.136.146.2:1434,UDP
FWIN,2005/09/30,20:48:48 -5:00 GMT,70.85.177.90:35682,67.136.146.2:1026,UDP
FWIN,2005/09/30,21:02:24 -5:00 GMT,67.136.149.91:4656,67.136.146.2:445,TCP (flags:S)
FWROUTE,2005/09/30,21:05:58 -5:00 GMT,67.136.146.15:3008,209.63.0.6:53,UDP
PE,2005/10/01,10:16:50 -5:00 GMT,Generic Host Process for Win32 Services,239.255.255.250:1900,N/A
PE,2005/10/01,11:13:02 -5:00 GMT,libsys32.exe,0.0.0.0:53,N/A
PE,2005/10/01,11:13:02 -5:00 GMT,Generic Host Process for Win32 Services,0.0.0.0:5000,N/A
PE,2005/10/01,11:13:02 -5:00 GMT,Generic Host Process for Win32 Services,0.0.0.0:135,N/A
PE,2005/10/01,11:13:02 -5:00 GMT,Generic Host Process for Win32 Services,0.0.0.0:1025,N/A
PE,2005/10/01,11:15:40 -5:00 GMT,Generic Host Process for Win32 Services,0.0.0.0:53,N/A
FWROUTE,2005/10/01,11:15:44 -5:00 GMT,67.136.142.107:4391,67.136.146.9:445,TCP (flags:S)
ACCESS,2005/10/01,11:15:46 -5:00 GMT,libsys32.exe was temporarily blocked from connecting to the Internet (209.63.0.6:DNS).,N/A,N/A
PE,2005/10/01,11:15:50 -5:00 GMT,Generic Host Process for Win32 Services,209.63.0.6:53,N/A
PE,2005/10/01,11:17:10 -5:00 GMT,security suite,209.63.0.6:53,N/A
PE,2005/10/01,11:17:14 -5:00 GMT,Generic Host Process for Win32 Services,209.63.0.6:53,N/A
FWIN,2005/10/01,11:21:06 -5:00 GMT,67.124.190.49:3187,67.136.146.9:445,TCP (flags:S)
FWIN,2005/10/01,11:21:32 -5:00 GMT,87.123.102.58:2358,67.136.146.9:445,TCP (flags:S)
FWIN,2005/10/01,11:29:04 -5:00 GMT,67.136.141.105:4522,67.136.146.9:445,TCP (flags:S)
PE,2005/10/01,11:32:14 -5:00 GMT,Generic Host Process for Win32 Services,209.63.0.6:53,N/A
PE,2005/10/01,11:32:14 -5:00 GMT,libsys32.exe,0.0.0.0:10051,N/A
ACCESS,2005/10/01,11:32:20 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (67.136.146.9).,N/A,N/A
PE,2005/10/01,11:32:26 -5:00 GMT,libsys32.exe,209.63.0.6:53,N/A
FWIN,2005/10/01,11:34:20 -5:00 GMT,67.136.154.250:4118,67.136.146.9:135,TCP (flags:S)
FWIN,2005/10/01,11:42:14 -5:00 GMT,67.136.154.129:2971,67.136.146.9:135,TCP (flags:S)
FWIN,2005/10/01,11:44:16 -5:00 GMT,67.136.151.21:2932,67.136.146.9:445,TCP (flags:S)
FWIN,2005/10/01,11:45:48 -5:00 GMT,66.74.37.51:1028,67.136.146.9:137,UDP
ACCESS,2005/10/01,11:47:44 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (207.173.86.6:DNS).,N/A,N/A
ACCESS,2005/10/01,11:47:44 -5:00 GMT,Generic Host Process for Win32 Services was temporarily blocked from connecting to the Internet (67.136.146.9).,N/A,N/A
PE,2005/10/01,11:47:44 -5:00 GMT,libsys32.exe,0.0.0.0:10051,N/A
PE,2005/10/01,11:47:56 -5:00 GMT,libsys32.exe,207.173.86.6:53,N/A
ACCESS,2005/10/01,11:47:58 -5:00 GMT,libsys32.exe was blocked from connecting to the Internet (207.173.86.6:DNS).,N/A,N/A
FWIN,2005/10/01,11:51:00 -5:00 GMT,61.188.11.108:33651,67.136.146.9:1027,UDP
FWIN,2005/10/01,11:52:22 -5:00 GMT,221.12.161.99:33712,67.136.146.9:1026,UDP
FWIN,2005/10/01,11:52:22 -5:00 GMT,221.12.161.99:33712,67.136.146.9:1027,UDP
FWIN,2005/10/01,12:02:52 -5:00 GMT,67.136.151.21:2581,67.136.146.9:445,TCP (flags:S)
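The ZoneAlarm log above is the most useful artifact in this post for triage: the header lines give the field order (`type,date,time,source,destination,transport` for firewall records; program events and access denials reuse the same columns), so it can be summarised mechanically instead of read line by line. The script below is an added example, not part of the original post or of ZoneAlarm itself. It parses that record format and answers two defender's questions: which programs were denied or blocked when they tried to reach the network, and which local ports were hit from outside. The sample records are copied from the log posted above and trimmed to a few lines; the ACCESS message wording the regex matches is taken from those lines and is an assumption about the general format.

```python
"""Triage summary for a ZoneAlarm 5.x text log (added example, not from the post)."""
import re
from collections import Counter, defaultdict

# Constructed sample: records copied from the ZoneAlarm log in the post above,
# trimmed to a handful of lines. The banner and field-name header lines are kept
# so the parser has to skip them the way it would on a real export.
SAMPLE_LOG = """\
ZoneAlarm Logging Client v5.5.062.004
Windows XP-5.1.2600--SP
type,date,time,source,destination,transport (security)
PE,2005/09/30,19:43:08 -5:00 GMT,taskcntr.exe,0.0.0.0:53,N/A
ACCESS,2005/09/30,19:43:08 -5:00 GMT,taskcntr.exe was unable to obtain permission for connecting to the Internet; access was denied.,N/A,N/A
FWIN,2005/09/30,19:51:26 -5:00 GMT,67.136.142.46:4751,67.136.146.2:445,TCP (flags:S)
FWIN,2005/09/30,20:04:34 -5:00 GMT,68.192.226.83:5431,67.136.146.2:1026,UDP
FWOUT,2005/09/30,20:12:26 -5:00 GMT,67.136.146.2:3014,207.173.86.6:53,UDP
PE,2005/10/01,11:13:02 -5:00 GMT,libsys32.exe,0.0.0.0:53,N/A
ACCESS,2005/10/01,11:15:46 -5:00 GMT,libsys32.exe was temporarily blocked from connecting to the Internet (209.63.0.6:DNS).,N/A,N/A
PE,2005/10/01,11:32:14 -5:00 GMT,libsys32.exe,0.0.0.0:10051,N/A
ACCESS,2005/10/01,11:47:58 -5:00 GMT,libsys32.exe was blocked from connecting to the Internet (207.173.86.6:DNS).,N/A,N/A
FWIN,2005/10/01,11:44:16 -5:00 GMT,67.136.151.21:2932,67.136.146.9:445,TCP (flags:S)
"""

# Record types seen in the posted log; anything else is banner or header text.
RECORD_TYPES = {"PE", "ACCESS", "FWIN", "FWOUT", "FWROUTE"}

# Assumed shape of the ACCESS message, taken from the wording in the posted lines.
ACCESS_RE = re.compile(
    r"^(?P<program>.+?) was (?:unable to obtain permission|temporarily blocked|blocked)"
)


def parse_records(text):
    """Yield (record_type, date, time, remaining_fields) for each data record."""
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) < 4 or parts[0] not in RECORD_TYPES:
            continue  # banner line, field-name header, or blank line
        yield parts[0], parts[1], parts[2], parts[3:]


def split_endpoint(endpoint):
    """'67.136.146.2:445' -> ('67.136.146.2', 445); a non-numeric port becomes None."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def triage(text):
    """Summarise outbound attempts per program (PE), denials per program (ACCESS)
    and inbound hits per local port (FWIN)."""
    attempts = defaultdict(Counter)  # program -> destination -> count
    blocked = Counter()              # program -> number of ACCESS denials
    inbound = Counter()              # local port -> number of FWIN records
    for rtype, _date, _time, fields in parse_records(text):
        if rtype == "PE":
            program, destination = fields[0], fields[1]
            attempts[program][destination] += 1
        elif rtype == "ACCESS":
            match = ACCESS_RE.match(fields[0])
            if match:  # some ACCESS records carry an empty message; skip those
                blocked[match.group("program")] += 1
        elif rtype == "FWIN":
            _host, port = split_endpoint(fields[1])
            if port is not None:
                inbound[port] += 1
    return {
        "attempts": {p: dict(c) for p, c in attempts.items()},
        "blocked": dict(blocked),
        "inbound_ports": dict(inbound),
    }


def report(text):
    """Human-readable lines, most-denied programs and most-probed ports first."""
    summary = triage(text)
    lines = ["Programs denied or blocked by ZoneAlarm:"]
    for program, n in sorted(summary["blocked"].items(), key=lambda kv: -kv[1]):
        dests = ", ".join(sorted(summary["attempts"].get(program, {})))
        lines.append(f"  {program}: {n} denial(s); tried {dests or 'n/a'}")
    lines.append("Inbound probes by local port:")
    for port, n in sorted(summary["inbound_ports"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {port}: {n}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the full log in the post, the "denied" list is a shortlist of executables to look up next (here the programs appearing are the ones the poster already suspected), and the inbound list shows the background noise on the exposed ports, which is what the poster was seeing as "UDP intrusions". Neither output proves infection on its own; it tells you where to look.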

#2
greyknight17
    Malware Expert, Visiting Consultant, 16,560 posts
Welcome to GTG.

One reason for this could be that you didn't install any of the Microsoft Service Packs (or updates).

Please read the first link in my signature and follow the steps outlined there. You must install XP SP1a (hold off on SP2 until your computer is clean). Without SP1a, you are wide open to re-infection. When you are ready, post the HijackThis log here.

#3
greyknight17
    Malware Expert, Visiting Consultant, 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.