Suspicious program and registry key

  1. #1

    Suspicious program and registry key

    When I open the Windows Task Manager I see a program named xpjava.exe running. I am quite sure it is neither related to Win XP nor to Java in any way. Can it be a trojan?

    Also what is this registry key supposed to do?


    HKLM\SOFTWARE\MICROSOFT\Tracing

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi pi><boy

    Indeed, xpjava.exe looks like a worm[1]. Check whether it has
    created a registry entry

    Code:
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit
    userinit.exe,xpjava.exe
    and follow the removal instructions?

    Do you have an antivirus running? Which one?
    Do you know HijackThis[2]? Give it a try and post the results here
    on AO or on the automated analysis-page[3].

    To prevent further infections:
    W32/Rbot-YC spreads using a variety of techniques including exploiting weak
    passwords on computers and SQL servers, exploiting operating system vulnerabilities
    (including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other
    worms or Trojans [1].

    Which service pack? Are you running under the administrator account?
    Do you use a strong password? Is your system patched (otherwise,
    update now! and activate the automatic update function of Windows XP[4])?


    Cheers.


    [1] http://www.sophos.com/virusinfo/analyses/w32rbotyc.html
    [2] http://www.majorgeeks.com/download3155.html
    [3] http://www.hijackthis.de/en
    [4] http://www.uic.edu/pharmacy/it/Tips/winupdat1.htm
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)

  3. #3
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Name: [not used]
    Filename: xpjava.exe
    Description: Added by the W32/Rbot-YC network worm/backdoor.
    File Location: %System%
    Startup Type: This program starts by appending itself to the Userinit registry key.

    Read more below...

    http://www.bleepingcomputer.com/star....exe-8717.html
    Al
    It isn't paranoia when you KNOW they're out to get you...

  4. #4
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    In addition....so you learn a bit instead of just being given an answer...

    Anytime you find a suspicious process running the best move is to do a google search of the filename....you'll get tons of info that way.
    Al
    It isn't paranoia when you KNOW they're out to get you...

  5. #5
    Hello sec_ware.

    I am using avast! antivirus. Do you think it's OK? The firewall I use is WyvernWorks Firewall 2004. My ZoneAlarm busted up a few days ago. Anyway, the programs userinit32.exe and jusched.exe were trying to access a remote machine which I didn't recognise. I blocked them using the firewall.

    I saw a registry entry HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUN dot.exe

    I deleted it.

  6. #6
    I used HijackThis and the log is as follows.

    Logfile of HijackThis v1.97.7
    Scan saved at 12:55:20 PM, on 5/6/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\WyvernWorks\Firewall 2004\Firewall 2004.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    D:\soft\HijackThis.exe

    F0 - system.ini: Shell=Explorer.exe jusched.exe
    F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
    F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [dot] dot.exe
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    O4 - HKLM\..\Run: [WyvernWorks Firewall] C:\Program Files\WyvernWorks\Firewall 2004\Firewall.exe
    O4 - HKLM\..\RunServices: [dot] dot.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research (HKLM)
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
    O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{78D92740-3062-4DED-8EA0-1ED26A96EE27}: NameServer = 61.0.128.65 61.0.0.5

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Posts
    557
    Hi pi><boy

    I cannot help you with recommendations for antivirus-products. Myself,
    I do not really know avast! antivirus (except its name), but I am pretty
    happy with AVG[1a]. But for sure, you should do a TrendMicro Housecall[1b].

    Assuming you have installed Free Download Manager, the following entries
    should be removed immediately:

    Code:
    F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
    -> Refers to W32/Rbot-YE[2]
    O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
    -> AdWare.ToolBar.Azesearch 
    O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
    -> ISTBar foistware 
    O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
    -> questionable[3]
    These should be checked more carefully (but I would remove them)
    Code:
    F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
    -> have you installed the java runtime environment?
    O4 - HKLM\..\Run: [dot] dot.exe
    O4 - HKLM\..\RunServices: [dot] dot.exe
    -> If you do not know them, remove them![4]
    You could remove (I guess):
    Code:
    O9 - Extra button: Research (HKLM)
    Make sure, these are your correct Nameservers (ISP provided):
    Code:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{78D92740-3062-4DED-8EA0-1ED26A96EE27}: NameServer = 61.0.128.65 61.0.0.5
    Useful sites for further information: Neuber.com[5] and liutilities.com[6].


    I strongly recommend that you follow foxyloxley's tutorial[7]!

    Cheers

    [1a] http://free.grisoft.com/freeweb.php
    [1b] http://housecall.trendmicro.com/
    [2] http://www.sophos.com/virusinfo/analyses/w32rbotye.html
    [3] http://castlecops.com/lsp-104.html
    [4] http://castlecops.com/t115917-Dot_exe_in_StartUp.html
    [5] http://www.neuber.com/taskmanager/pr...sched.exe.html
    [6] http://www.liutilities.com/products/...brary/jusched/
    [7] http://www.antionline.com/showthread...hreadid=265440
    If the only tool you have is a hammer, you tend to see every problem as a nail.
    (Abraham Maslow, Psychologist, 1908-70)
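The checks in post #2 (has anything been appended to the Winlogon Userinit value?) and post #7 (which HijackThis lines deserve removal?) can be done mechanically. Below is an added example, not code from the thread or from HijackThis: a small Python triage script that reads a HijackThis-style log, compares the Shell/UserInit values against the Windows XP defaults, flags Run/RunServices entries that are bare filenames, and reports Winsock LSP DLLs the analyst has not allow-listed. The sample log is a constructed subset of post #6, and the expected Winlogon values and the `known_lsp` allowlist are assumptions for a default XP box.

```python
"""Triage a HijackThis-style log automatically (added example, not from the thread).

Parses F0/F2 (system.ini Shell / UserInit), O4 (Run / RunServices) and O10
(Winsock LSP) lines and flags what the thread calls out: programs chained onto
Winlogon's Shell/Userinit values (xpjava.exe, userinit32.exe, jusched.exe),
Run entries given as a bare filename (dot.exe), and LSP DLLs the analyst has
not recognised. The expected values and the sample log are constructed here.
"""
import re
from collections import Counter

# Constructed sample: a subset of the log posted in post #6 of the thread.
SAMPLE_LOG = "\n".join([
    r"F0 - system.ini: Shell=Explorer.exe jusched.exe",
    r"F2 - REG:system.ini: Shell=Explorer.exe jusched.exe",
    r"F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe",
    r"O4 - HKLM\..\Run: [dot] dot.exe",
    r"O4 - HKLM\..\Run: [WyvernWorks Firewall] C:\Program Files\WyvernWorks\Firewall 2004\Firewall.exe",
    r"O4 - HKLM\..\RunServices: [dot] dot.exe",
    r"O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll",
    r"O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll",
])

# Clean defaults for Windows XP (assumption: no legitimate vendor has added a
# second shell or userinit program on this box).
EXPECTED = {"Shell": {"explorer.exe"}, "UserInit": {"userinit.exe"}}

F_LINE = re.compile(r"^F[02] - (?:REG:)?system\.ini: (Shell|UserInit)=(.+)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.+)$")
O10_LINE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")


def split_values(value):
    """Shell separates programs with spaces, UserInit with commas; accept both."""
    return [v.strip().lower() for v in re.split(r"[,\s]+", value) if v.strip()]


def triage(log_text, known_lsp=frozenset()):
    """Return a de-duplicated list of (where, reason, items) findings."""
    findings = []
    lsp_seen = Counter()

    def add(finding):
        if finding not in findings:
            findings.append(finding)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = F_LINE.match(line)
        if m:
            key, value = m.groups()
            extra = [v for v in split_values(value) if v not in EXPECTED[key]]
            if extra:
                add((key, "extra program chained onto Winlogon value", extra))
            continue
        m = O4_LINE.match(line)
        if m:
            hive, subkey, _name, cmd = m.groups()
            # A bare filename is resolved via PATH at logon; legitimate
            # installers almost always register a full path.
            if not re.search(r"[\\/]", cmd):
                add((hive + "\\" + subkey, "Run entry is a bare filename", [cmd]))
            continue
        m = O10_LINE.match(line)
        if m:
            lsp_seen[m.group(1).lower()] += 1

    # One finding per distinct LSP DLL: the repeated O10 lines in a HijackThis
    # log are the DLL's entries in the Winsock catalog, not separate infections.
    for path, count in lsp_seen.items():
        filename = path.rsplit("\\", 1)[-1]
        if filename not in known_lsp:
            add(("LSP", "unrecognised Winsock LSP DLL (%d catalog entries)" % count, [path]))
    return findings


if __name__ == "__main__":
    for where, reason, items in triage(SAMPLE_LOG, known_lsp={"apptoport.dll"}):
        print(where, "-", reason, "->", ", ".join(items))
```

Run against the sample it reports jusched.exe on Shell, userinit32.exe on UserInit, dot.exe under both Run and RunServices, and espfspi.dll as an unrecognised LSP, while the firewall's apptoport.dll is silenced by the allowlist. Feeding it the Userinit line from post #2 (`UserInit=userinit.exe,xpjava.exe`) flags xpjava.exe the same way. The script only reads the log; removal is still a decision for the person sitting at the box, as post #7 says.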

  8. #8
    Senior Member
    Join Date
    Aug 2001
    Posts
    267
    Don't flame me for this one....but - "MOST" antivirus software programs do not include scans for spyware. They are separating 'virus' - as in destructive - (and spyware - as in annoying)

    Panda has added 'spyware' / FProt has added 'spyware'

    As far as I'm concerned ANYTHING not authorized or personally installed on my computer is a virus !!

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    Hi,

    All good advice, you need to appreciate that these tools are fairly specialist, and will not detect everything.

    http://www.ewido.net/en/

    That will find about 107,000 of them

    http://www.emisoft.com/en/software/free/

    A specialist tool for trojans and diallers.

    Add them to the box, folks

    Ewido expires after 14 days but that is only the interactive bit. You can still update and use the on demand scanning for free after that

    And do run them in safe mode
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
