Possible Trojan/Worm
From: DJ (doveman007_at_bigfoot.com)
Date: 04/29/05
- Next message: What's in a Name?: "Re: Possible Trojan/Worm"
- Previous message: Lawrence Abrams: "Re: IRC Packets being generated. Dont know where from..."
- Next in thread: What's in a Name?: "Re: Possible Trojan/Worm"
- Reply: What's in a Name?: "Re: Possible Trojan/Worm"
- Reply: David H. Lipman: "Re: Possible Trojan/Worm"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 29 Apr 2005 12:47:11 -0700
On my main XP Home PC, which is providing Internet access to another PC
via ICS, my firewall (Kerio PF 2.1.5) has recently
started reporting that winlogon.exe and rundll32.exe are trying to
access the Internet, which I have blocked as neither my other
XP Home PC nor my XP Pro PC has ever tried this. However, when they
are blocked, they just keep increasing the outgoing port number and
trying again, which eventually means XP reaches its port limit, gives
a 'Socket error 10055. No buffer space available', my Internet
access stops working and I have to reboot to get it working again. I've
increased the port limit to its
maximum, which delays this happening, but I want to sort this out.
I used Process Explorer to see what was running under winlogon, and
alg.exe looked suspect, so I disabled this (I didn't need it
anyway), but it didn't make any difference.
I can kill rundll32.exe, but it tends to get reloaded somehow. Anyway,
I want to stop it loading in the first place. winlogon.exe can't be
killed. The IP addresses they're trying to connect to are (all
destination port 80):
4.78.20.3
4.78.20.4
hosting-68.76.rev.fr.colt.net [213.41.76.68]
h-213.61.6.3.host.de.colt.net [213.61.6.3]
208.185.54.9.speedera.com [208.185.54.9]
208.185.54.16.speedera.com [208.185.54.16]
208.185.54.17.speedera.com [208.185.54.17]
My firewall also regularly blocks outgoing NetBIOS attempts (UDP,
source and destination port 137) to seemingly random addresses. Today's
log shows: 4.78.20.3 (which seems to be the only one in common with
winlogon.exe or rundll32.exe) 60.48.38.195, 61.152.158.123,
64.14.117.8, 64.216.139.96, 82.44.103.255, 82.155.164.245,
82.173.240.46, 82.240.30.68, 193.38.108.213, 203.62.201.47,
204.187.251.43, 218.83.153.58, 222.77.185.243.
Would doing a Repair Install fix these problems? I'm dubious, because
even if it replaces all the XP files, it won't clear any
entries from the registry that might be calling a non-XP file which
might be the cause of these problems.
If I have to, I'll re-install XP, but I don't want to do that if it's
not necessary obviously.
Online scans done: HouseCall, Bitdefender, Panda
Programs used: Norton, TDS-3, Spybot, Ad-aware SE
Spybot found some Download Accelerator ads, and a Fastclick cookie.
Panda found 30 Adware:Adware/Look2Me files.
Norton shows 31 items in Quarantine which are:
1 Bloodhound.Exploit.24
1 Download.Trojan
1 MHTMLRedir.Exploit
1 Trojan.Download.Inor.B
1 Trojan.Favadd
1 W32.Beagle.AV@mm
6 W32.Dumaru@mm
2 W32.Netsky.B@mm
4 W32.Netsky.C@mm
2 W32.Netsky.D@mm
5 W32.Netsky.D@mm!enc
4 W32.Novarg.A@mm
1 W32.Sober.K@mm
1 W32.Welchia.Worm
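The symptom described above (a process retrying a blocked outbound connection on ever-higher source ports until the ephemeral range is exhausted and socket error 10055 appears) is visible in `netstat -ano` output as one PID holding many outbound port-80 sockets. The following is an added example, not part of the original post: a small Python parser over a constructed `netstat -ano` sample (the PIDs and local addresses are made up; the destination list is the one quoted in the post) that counts port-80 attempts per PID and flags the ones that either cross a threshold or hit the listed destinations.

```python
import re
from collections import Counter, defaultdict

# Destinations named in the post (all on TCP port 80).
SUSPECT_DESTS = {"4.78.20.3", "4.78.20.4", "213.41.76.68", "213.61.6.3",
                 "208.185.54.9", "208.185.54.16", "208.185.54.17"}

# Constructed sample in the layout of `netstat -ano` on Windows XP
# (PIDs and local addresses are invented for the example).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.0.1:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.0.1:1025       4.78.20.3:80           SYN_SENT        624
  TCP    192.168.0.1:1026       4.78.20.3:80           SYN_SENT        624
  TCP    192.168.0.1:1027       4.78.20.4:80           SYN_SENT        624
  TCP    192.168.0.1:1028       208.185.54.9:80        SYN_SENT        624
  TCP    192.168.0.1:1029       213.61.6.3:80          SYN_SENT        1380
  TCP    192.168.0.1:1030       192.168.0.2:445        ESTABLISHED     4
  TCP    192.168.0.1:1031       10.0.0.5:80            ESTABLISHED     2212
  UDP    192.168.0.1:137        *:*                                    4
"""

# One connection row: proto, local host:port, foreign host:port, optional state, PID.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Yield (proto, local_port, remote_host, remote_port, state, pid) per row."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, _, lport, rhost, rport, state, pid = m.groups()
            yield proto, int(lport), rhost, rport, state or "", int(pid)

def summarize(text, threshold=3):
    """Per PID: number of outbound TCP/80 sockets, hits on the listed
    destinations, and a flag when either the count reaches `threshold`
    (the retry loop that ends in error 10055) or a listed destination is seen."""
    attempts = Counter()
    hits = defaultdict(set)
    for proto, _, rhost, rport, state, pid in parse_netstat(text):
        if proto == "TCP" and rport == "80" and state in ("SYN_SENT", "ESTABLISHED"):
            attempts[pid] += 1
            if rhost in SUSPECT_DESTS:
                hits[pid].add(rhost)
    return {pid: {"port80_attempts": n, "suspect_hits": sorted(hits[pid]),
                  "flag": n >= threshold or bool(hits[pid])}
            for pid, n in attempts.items()}
```

Run it against a live `netstat -ano` capture instead of the sample to see which PID owns the sockets, then look that PID up in Process Explorer as the post does.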