Un-Named Processes - reported by FPORT


Und3ertak3r
June 27th, 2004, 07:19 AM
Hi Guys,

Googled out on this one.. or I am lazy..

Looked at a machine yesterday, that appeared to be "Now" clear of Malware..
WinXP Pro, P4-2.4Ghz, 512Mb. yada yada, 10/100, into a hub, and an XP box .. internet is via an XP Box with firewall / internet gateway

its history was:

Various malware removed: including
My SearchBar
Perfect Nav

GaoBot.XX (various versions over the last couple of weeks - the system has been patched and repatched.. after finding the gaobot.. I check and find the patches are no longer here)

..
Now after using the Cleaner, Spybot, Adaware, AVG, and the installed PC-cillin..

Most of that crap is clear.. also ran removal tools for Gaobot, bugbear, nachi/welcher, yaha, sasser

But, the gateway box is still reporting traffic (after isolating it) from this box to various IPs on port 25 (POP3) (64.x.x.x 65.x.x.x 220.x.x.x to name a couple of IP groups).
A run with FPORT showed a couple of Un-named or Blank processes on TCP and UDP ports on the machine.. namely
Process 1548 tcp 3001 and udp 1813
but as the process ID changes from boot to boot this is not a help.. but the above are the common ports, but these also seem to change.. (only made one note on this.. I am pissed at self for not making more notes)..

during a boot into safe mode. I noted a file being loaded I didn't recognise.. and a quick google showed it to be a part of PCAnywhere.. (huh, I thought I had disabled that months ago; I left it there "just in case I needed it").. the file Gernuwa.sys.

so in one pass.. I then removed All Symantec progs and files.. PcAnywhere, liveupdate and redirector ..
While I was here I removed another program I found "Remote Control Pro"
as well as "Trojan remover"
As each of these was installed by the previous tech.. it may be a backdoor I may not have covered..

NOW:

After removing the above three progs.. the outbound traffic to port 25 IPs seems to have stopped.. BUT

I still have an un-named process on a TCP and UDP port when I FPORT.. the machine..

I haven't used Process Explorer or similar as yet..

any other ideas to pin down this un-named process.. (HJT'd this box to death)


Cheers
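The pain point in the post is that FPORT prints rows with an empty Process column and the PID changes every boot, so the only stable handle is the (protocol, port) pair. The following is an added example, not code from the thread or from Foundstone: a small parser over a constructed sample laid out like FPort v2.0 output that pulls out the unnamed rows and reduces them to a port set you can compare from one boot to the next. The sample rows and the column layout are assumptions for illustration; feed it real FPORT output redirected to a file.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed sample in the layout of FPort v2.0 output; it is not a capture from
# the poster's machine. The two rows with no process name and no path are the
# kind of "blank" listeners the post describes (pid 1548 on TCP 3001 and UDP 1813).
SAMPLE_FPORT_OUTPUT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINDOWS\\system32\\svchost.exe
4     System         ->  139   TCP
4     System         ->  445   TCP
1548                 ->  3001  TCP
1548                 ->  1813  UDP
1024  lsass          ->  500   UDP   C:\\WINDOWS\\system32\\lsass.exe
"""


@dataclass(frozen=True)
class PortEntry:
    pid: int
    process: Optional[str]  # None when FPORT printed nothing in the Process column
    port: int
    proto: str
    path: str               # "" when no image path was printed


# pid, optional process name (never the "->" arrow itself), arrow, port, proto, optional path
LINE_RE = re.compile(r"^\s*(\d+)\s+(?:(?!->)(\S+)\s+)?->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text: str) -> List[PortEntry]:
    """Turn FPORT-style output into PortEntry rows, skipping banner and header lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, blank line, or the column header
        pid, process, port, proto, path = m.groups()
        entries.append(PortEntry(int(pid), process, int(port), proto, path.strip()))
    return entries


def unnamed_listeners(entries: List[PortEntry]) -> List[PortEntry]:
    """Rows FPORT could not tie to an image name. 'System' (the kernel) legitimately has
    no path, so the test is a missing process name, not a missing path."""
    return [e for e in entries if e.process is None]


def unnamed_ports(entries: List[PortEntry]) -> Set[Tuple[str, int]]:
    """(proto, port) pairs of the unnamed rows. PIDs change every boot, as the post notes,
    so comparing this set between boots is the stable way to see whether the same
    listener keeps coming back."""
    return {(e.proto, e.port) for e in unnamed_listeners(entries)}


if __name__ == "__main__":
    for e in unnamed_listeners(parse_fport(SAMPLE_FPORT_OUTPUT)):
        print(f"pid {e.pid} {e.proto} {e.port}: no process name reported")
```

Save one run per boot and diff the `unnamed_ports` sets; a pair that survives reboots under a different PID is the one worth chasing with TCPView or Process Explorer, which map the PID back to an image on disk.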

Soda_Popinsky
June 27th, 2004, 08:07 AM
TCPview has always been much more accurate for me when it comes to ending processes.

Maybe a system file was replaced and boots up instead of the legit one in safe mode? Maybe MD5s of the executables will get it for you, compared to MD5s of legit ones. I think MD5s of system files are posted somewhere on the web.

GL
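The suggestion above is to hash the executables and compare against known-good values. Here is an added example of that check, not code from the thread: it takes a baseline of `{filename: hexdigest}` (assumed to have been collected from a clean machine or a vendor list), hashes the files in a directory, and reports each as ok, modified, missing, or unexpected. The demo runs against a constructed temporary directory with made-up file contents, not real Windows binaries. It defaults to SHA-256; the `algorithm` parameter accepts `"md5"` if that is what your baseline was recorded in.

```python
import hashlib
import os
import tempfile
from typing import Dict


def file_digest(path: str, algorithm: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large binaries are not loaded into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_to_baseline(directory: str, baseline: Dict[str, str],
                        algorithm: str = "sha256") -> Dict[str, str]:
    """Check every file named in `baseline` {filename: expected_hexdigest} against the
    copy in `directory`, and also report files on disk the baseline does not know about.
    Statuses: 'ok', 'modified', 'missing', 'unexpected'."""
    report: Dict[str, str] = {}
    for name, expected in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif file_digest(path, algorithm) == expected:
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in sorted(os.listdir(directory)):
        if name not in baseline and os.path.isfile(os.path.join(directory, name)):
            report[name] = "unexpected"
    return report


def demo(algorithm: str = "sha256") -> Dict[str, str]:
    """Build a constructed stand-in for a system directory and check it.
    File names, contents and hashes are made up for this example."""
    legit = {
        "svchost.exe": b"MZ constructed legit svchost",
        "lsass.exe": b"MZ constructed legit lsass",
        "winlogon.exe": b"MZ constructed legit winlogon",
    }
    # The baseline is what you would have taken from a known-clean machine.
    baseline = {name: hashlib.new(algorithm, data).hexdigest()
                for name, data in legit.items()}
    with tempfile.TemporaryDirectory() as d:
        on_disk = {
            "svchost.exe": legit["svchost.exe"],                   # untouched
            "lsass.exe": b"MZ constructed REPLACED lsass",         # swapped for another binary
            "unknown.sys": b"constructed driver not in baseline",  # not in the baseline
            # winlogon.exe deliberately absent
        }
        for name, data in on_disk.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return compare_to_baseline(d, baseline, algorithm)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10s} {name}")
```

The "unexpected" bucket matters as much as "modified": a replaced system file shows up as modified, but a dropped-in driver or service binary only shows up because the baseline did not list it.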

Tiger Shark
June 27th, 2004, 12:02 PM
Undies: Just so we are clear here port 25 is SMTP rather than POP3. So the traffic was outbound a la virus activity.

Another note, Symantec is horrible for leaving drivers etc. on the box when you uninstall.

thehorse13
June 27th, 2004, 12:37 PM
Another tool that is great for tracking this type of mess down is Process Explorer. It maps processes to actual files on the host. Give it a try.

http://www.sysinternals.com/ntw2k/freeware/procexp.shtml

Und3ertak3r
June 27th, 2004, 02:50 PM
TS: Yes my dyslexia is getting worse.. I am now confusing port assignments.. yes it is outbound, the traffic was to Port 25, and you're correct, I am wrong.. it is SMTP traffic not POP....

Hos, thanks for that. seems my version of Process Explorer is now some 12 months old.. and for a d.l whore like me that is strange.. .

Didn't get to investigate the problem properly this afternoon.. found another machine on the network with a Netsky.p.. it fired up in a similar manner to what I was chasing yesterday.. except it and the rest of the PCs on that segment were off yesterday.. oh and what I was chasing was spasmodic.. this Netsky traffic was constant.. to the point the wireless LAN was slowed to a snail's pace.. slower. dead snail's pace..

Soda.. only just got TCPView.. will give it a blast.. thanks..


thanks guys