Re: Possible Trojan/Worm
From: David H. Lipman (DLipman~nospam~_at_Verizon.Net)
Date: 04/29/05
- Next message: Loane Sharp: "Re: http://server4.103092804.com/..."
- Previous message: David H. Lipman: "Re: Cannot remove virus"
- In reply to: DJ: "Possible Trojan/Worm"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 29 Apr 2005 17:17:39 -0400
From: "DJ" <doveman007@bigfoot.com>
| On my main XP Home PC, which is providing Internet access to another PC
| via ICS, my firewall (Kerio PF 2.1.5) has recently
| started reporting that winlogon.exe and rundll32.exe are trying to
| access the Internet, which I have blocked as neither my other
| XP Home PC nor my XP Pro PC have ever tried this. However, when they
| are blocked, they just keep increasing the outgoing port number and
| trying again, which eventually means XP reaches its port limit, gives
| a 'Socket error 10055. No buffer space available', my Internet
| access stops working and I have to reboot to get it working again. I've
| increased the port limit to its
| maximum, which delays this happening but I want to sort this out.
|
| I used Process Explorer to see what was running under winlogon, and
| alg.exe looked suspect, so I disabled this (I didn't need it
| anyway), but it didn't make any difference.
|
| I can kill rundll32.exe, but it tends to get reloaded somehow. Anyway,
| I want to stop it loading in the first place. winlogon.exe can't be
| killed. The IP addresses they're trying to connect to are (all
| destination port 80):
| 4.78.20.3
| 4.78.20.4
| hosting-68.76.rev.fr.colt.net [213.41.76.68]
| h-213.61.6.3.host.de.colt.net [213.61.6.3]
| 208.185.54.9.speedera.com [208.185.54.9]
| 208.185.54.16.speedera.com [208.185.54.16]
| 208.185.54.17.speedera.com [208.185.54.17]
|
| My firewall also regularly blocks outgoing NetBIOS attempts (UDP,
| source and destination port 137) to seemingly random addresses. Today's
| log shows: 4.78.20.3 (which seems to be the only one in common with
| winlogon.exe or rundll32.exe) 60.48.38.195, 61.152.158.123,
| 64.14.117.8, 64.216.139.96, 82.44.103.255, 82.155.164.245,
| 82.173.240.46, 82.240.30.68, 193.38.108.213, 203.62.201.47,
| 204.187.251.43, 218.83.153.58, 222.77.185.243.
|
| Would doing a Repair Install fix these problems? I'm dubious, because
| even if it replaces all the XP files, it won't clear any
| entries from the registry that might be calling a non-XP file which
| might be the cause of these problems.
|
| If I have to, I'll re-install XP, but I don't want to do that if it's
| not necessary obviously.
|
| Online scans done: HouseCall, Bitdefender, Panda
| Programs used: Norton, TDS-3, Spybot, Ad-aware SE,
|
| Spybot found some Download Accelerator ads, and a Fastclick cookie.
| Panda found 30 Adware:Adware/Look2Me files.
|
| Norton shows 31 items in Quarantine which are:
| 1 Bloodhound.Exploit.24
| 1 Download.Trojan
| 1 MHTMLRedir.Exploit
| 1 Trojan.Download.Inor.B
| 1 Trojan.Favadd
| 1 W32.Beagle.AV@mm
| 6 W32.Dumaru@mm
| 2 W32.Netsky.B@mm
| 4 W32.Netsky.C@mm
| 2 W32.Netsky.D@mm
| 5 W32.Netsky.D@mm!enc
| 4 W32.Novarg.A@mm
| 1 W32.Sober.K@mm
| 1 W32.Welchia.Worm
Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files
Dump the contents of the Mozilla FireFox Cache
Tools --> Options --> Privacy --> Cache --> Clear
1) Download TrendMicro Sysclean by either of the following 2 methods
Trend Sysclean Method 1
---------------------------------------
Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp
Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp
Create a directory.
On drive "C:\"
(e.g., "c:\sysclean")
Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example, lpt604.zip
Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.
Trend Sysclean Method 2
---------------------------------------
Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe
2) Download Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/
Update Ad-aware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shutdown as many applications as possible.
5) Using both the Trend Sysclean utility and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Ad-aware.
7) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point.
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
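Added example (not part of DJ's or Dave's messages): a Python script that turns the two symptoms DJ reports into detection checks, a system process retrying a blocked outbound port-80 connection with climbing source ports (the pattern that ends in socket error 10055) and outbound NetBIOS name-service (UDP 137) to many unrelated public hosts. The log lines are constructed and use an assumed simplified one-line format, not Kerio's real log format.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in an assumed simplified format (not a real Kerio log):
# <time> <action> <proto> <process> src=<port> dst=<ip>:<port>
SAMPLE_LOG = """\
17:01:02 BLOCK TCP winlogon.exe src=1041 dst=4.78.20.3:80
17:01:03 BLOCK TCP winlogon.exe src=1042 dst=4.78.20.3:80
17:01:04 BLOCK TCP winlogon.exe src=1043 dst=4.78.20.3:80
17:01:05 BLOCK TCP winlogon.exe src=1044 dst=4.78.20.3:80
17:01:06 BLOCK TCP winlogon.exe src=1045 dst=4.78.20.3:80
17:01:07 BLOCK TCP rundll32.exe src=1050 dst=208.185.54.9:80
17:02:00 BLOCK UDP System src=137 dst=4.78.20.3:137
17:02:01 BLOCK UDP System src=137 dst=60.48.38.195:137
17:02:02 BLOCK UDP System src=137 dst=61.152.158.123:137
17:02:03 BLOCK UDP System src=137 dst=64.14.117.8:137
17:02:04 BLOCK UDP System src=137 dst=64.216.139.96:137
17:02:05 BLOCK UDP System src=137 dst=192.168.0.2:137
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<action>BLOCK|PERMIT) (?P<proto>TCP|UDP) "
    r"(?P<proc>\S+) src=(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            yield d

def retry_storms(log_text, min_attempts=5):
    """Blocked TCP flows retried with strictly climbing source ports: {(proc, ip, port): n}."""
    ports = defaultdict(list)
    for e in parse(log_text):
        if e["action"] == "BLOCK" and e["proto"] == "TCP":
            ports[(e["proc"], e["dip"], e["dport"])].append(e["sport"])
    # a retry storm keeps opening new ephemeral ports, so the list is strictly increasing
    return {k: len(v) for k, v in ports.items()
            if len(v) >= min_attempts and v == sorted(set(v))}

def netbios_scatter(log_text, min_hosts=5):
    """Distinct public hosts receiving outbound NetBIOS name-service (UDP 137); LAN hosts ignored."""
    hosts = set()
    for e in parse(log_text):
        if e["proto"] == "UDP" and e["dport"] == 137 and not ip_address(e["dip"]).is_private:
            hosts.add(e["dip"])
    return sorted(hosts) if len(hosts) >= min_hosts else []
```

Either finding points at a process worth inspecting with Process Explorer rather than at the firewall itself, since raising the port limit only delays the 10055 error.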