When I open the Windows Task Manager I see a program named xpjava.exe running. I am quite sure it is not related to Win XP or Java in any way. Can it be a trojan?
Also, what is this registry key supposed to do?
HKLM/SOFTWARE/MICROSOFT/Tracing
Hi pi><boy
Indeed, xpjava.exe looks like a worm[1]. Check whether it has
created a registry entry, and follow the removal instructions:
Code:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,xpjava.exe
Do you have an antivirus running? Which one?
Do you know HijackThis[2]? Give it a try and post the results here
on AO or on the automated analysis page[3].
To prevent further infections:
W32/Rbot-YC spreads using a variety of techniques including exploiting weak
passwords on computers and SQL servers, exploiting operating system vulnerabilities
(including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other
worms or Trojans [1].
Which service pack? Are you running under the administrator account?
Do you use a strong password? Is your system patched (otherwise,
update now, and activate the automatic update function of Windows XP[4])?
Cheers.
[1] http://www.sophos.com/virusinfo/analyses/w32rbotyc.html
[2] http://www.majorgeeks.com/download3155.html
[3] http://www.hijackthis.de/en
[4] http://www.uic.edu/pharmacy/it/Tips/winupdat1.htm
Name: [not used]
Filename: xpjava.exe
Description: Added by the W32/Rbot-YC network worm/backdoor.
File Location: %System%
Startup Type: This program starts by appending itself to the Userinit registry key.
Read more below...
http://www.bleepingcomputer.com/star....exe-8717.html
In addition....so you learn a bit instead of just being given an answer...
Anytime you find a suspicious process running, the best move is to do a Google search of the filename....you'll get tons of info that way.
Hello sec_ware.
I am using avast! antivirus. Do you think it's OK? The firewall I use is WyvernWorks Firewall 2004. My ZoneAlarm busted up a few days ago. Anyway, two programs, userinit32.exe and jusched.exe, were trying to access a remote machine which I didn't recognise. I blocked them using the firewall.
I saw a registry entry HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUN dot.exe
I deleted it.
I used HijackThis and the log is as follows.
Logfile of HijackThis v1.97.7
Scan saved at 12:55:20 PM, on 5/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\WyvernWorks\Firewall 2004\Firewall 2004.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\soft\HijackThis.exe
F0 - system.ini: Shell=Explorer.exe jusched.exe
F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dot] dot.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [WyvernWorks Firewall] C:\Program Files\WyvernWorks\Firewall 2004\Firewall.exe
O4 - HKLM\..\RunServices: [dot] dot.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{78D92740-3062-4DED-8EA0-1ED26A96EE27}: NameServer = 61.0.128.65 61.0.0.5
Hi pi><boy
I cannot help you with recommendations for antivirus products. Myself,
I do not really know avast! antivirus (except its name), but I am pretty
happy with AVG[1a]. But for sure, you should do a TrendMicro Housecall[1b].
Assuming you have installed Free Download Manager, the following entries
should be removed immediately:
Code:
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
-> Refers to W32/Rbot-YE[2]
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
-> AdWare.ToolBar.Azesearch
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
-> ISTBar foistware
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
-> questionable[3]
These should be checked more carefully (but I would remove them):
Code:
F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
-> have you installed the Java Runtime Environment?
O4 - HKLM\..\Run: [dot] dot.exe
O4 - HKLM\..\RunServices: [dot] dot.exe
-> If you do not know them, remove them![4]
You could remove (I guess):
Code:
O9 - Extra button: Research (HKLM)
Make sure these are your correct nameservers (ISP provided):
Code:
O17 - HKLM\System\CCS\Services\Tcpip\..\{78D92740-3062-4DED-8EA0-1ED26A96EE27}: NameServer = 61.0.128.65 61.0.0.5
Useful sites for further information: Neuber.com[5] and liutilities.com[6].
I strongly recommend that you follow foxyloxley's tutorial[7]! ;)
Cheers
[1a] http://free.grisoft.com/freeweb.php
[1b] http://housecall.trendmicro.com/
[2] http://www.sophos.com/virusinfo/analyses/w32rbotye.html
[3] http://castlecops.com/lsp-104.html
[4] http://castlecops.com/t115917-Dot_exe_in_StartUp.html
[5] http://www.neuber.com/taskmanager/pr...sched.exe.html
[6] http://www.liutilities.com/products/...brary/jusched/
[7] http://www.antionline.com/showthread...hreadid=265440
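The Winlogon check that both of sec_ware's replies walk through by hand (extra executables appended to the Shell/UserInit values, and Run entries with no path such as dot.exe), as an added example that is not part of this thread: a small triage script over HijackThis F2/O4 lines. The defaults and heuristics are assumptions for Windows XP, and the sample lines are constructed from the log posted above.

```python
import re

# Windows XP defaults for the two Winlogon values discussed in the replies above.
# Anything appended after them is a persistence entry that deserves a look.
WINLOGON_DEFAULTS = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

# HijackThis line shapes for Winlogon (F2) and Run/RunServices (O4) entries.
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")


def extra_winlogon_entries(line):
    """Return executables appended to a Shell/UserInit value beyond the XP default,
    or None if the line is not an F2 Winlogon entry."""
    m = F2_RE.match(line)
    if not m:
        return None
    key, value = m.group(1).lower(), m.group(2)
    # Values are comma- or space-separated; compare on the bare file name.
    parts = [p.rsplit("\\", 1)[-1].lower() for p in re.split(r"[,\s]+", value.strip()) if p]
    return [p for p in parts if p not in WINLOGON_DEFAULTS[key]]


def pathless_run_entry(line):
    """Return (key, name, command) for an O4 entry whose command carries no directory
    (it is resolved via PATH search, like dot.exe above), else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, key, name, command = m.groups()
    exe = command.split(" ", 1)[0].strip('"')
    if "\\" in exe or ":" in exe:
        return None
    return (f"{hive}\\{key}", name, command)


def triage_hjt_log(log_text):
    """Walk a HijackThis log and collect every entry the two heuristics flag."""
    findings = []
    for line in log_text.splitlines():
        extra = extra_winlogon_entries(line)
        if extra:
            findings.append(("winlogon", F2_RE.match(line).group(1), extra))
        run = pathless_run_entry(line)
        if run:
            findings.append(("run", run[0], run[2]))
    return findings


# Constructed sample built from the F2/O4 lines of the log posted above.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [dot] dot.exe
O4 - HKLM\..\Run: [WyvernWorks Firewall] C:\Program Files\WyvernWorks\Firewall 2004\Firewall.exe
O4 - HKLM\..\RunServices: [dot] dot.exe
"""

if __name__ == "__main__":
    for finding in triage_hjt_log(SAMPLE_LOG):
        print(finding)
```

A clean XP box yields no findings; here the script flags jusched.exe on Shell, userinit32.exe on UserInit, and the two path-less dot.exe Run entries, which is exactly the short list the reply above says to check first.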
Don't flame me for this one....but - "MOST" antivirus software programs do not include scans for spyware. They are separating 'virus' (as in destructive) and 'spyware' (as in annoying).
Panda has added 'spyware' / FProt has added 'spyware'
As far as I'm concerned ANYTHING not authorized or personally installed on my computer is a virus !!
Hi,
All good advice, you need to appreciate that these tools are fairly specialist, and will not detect everything.
http://www.ewido.net/en/
That will find about 107,000 of them
http://www.emisoft.com/en/software/free/
A specialist tool for trojans and diallers.
Add them to the box folks :D
Ewido expires after 14 days but that is only the interactive bit. You can still update and use the on demand scanning for free after that :)
And do run them in safe mode