-
May 6th, 2005, 06:47 AM
#1
Suspicious program and registry key
When I open the Windows Task Manager I see a program named xpjava.exe running. I am quite sure it is related neither to Win XP nor to Java in any way. Can it be a trojan?
Also what is this registry key supposed to do?
HKLM\SOFTWARE\Microsoft\Tracing
-
May 6th, 2005, 07:09 AM
#2
Hi pi><boy
Indeed, xpjava.exe looks like a worm[1]. Check whether it has
created the registry entry
Code:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
userinit.exe,xpjava.exe
and follow the removal instructions.
Do you have an antivirus running? Which one?
Do you know HijackThis[2]? Give it a try and post the results here
on AO or on the automated analysis page[3].
To prevent further infections:
W32/Rbot-YC spreads using a variety of techniques including exploiting weak
passwords on computers and SQL servers, exploiting operating system vulnerabilities
(including DCOM-RPC, LSASS, WebDAV and UPNP) and using backdoors opened by other
worms or Trojans [1].
Which service pack? Are you running under the administrator account?
Do you use a strong password? Is your system patched (otherwise,
update now and activate the automatic update function of Windows XP[4])?
Cheers.
[1] http://www.sophos.com/virusinfo/analyses/w32rbotyc.html
[2] http://www.majorgeeks.com/download3155.html
[3] http://www.hijackthis.de/en
[4] http://www.uic.edu/pharmacy/it/Tips/winupdat1.htm
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
-
May 6th, 2005, 07:11 AM
#3
Name: [not used]
Filename: xpjava.exe
Description: Added by the W32/Rbot-YC network worm/backdoor.
File Location: %System%
Startup Type: This programs starts by appending itself to the Userinit registry key.
Read more below...
http://www.bleepingcomputer.com/star....exe-8717.html
Al
It isn't paranoia when you KNOW they're out to get you...
-
May 6th, 2005, 07:16 AM
#4
In addition....so you learn a bit instead of just being given an answer...
Any time you find a suspicious process running, the best move is to do a Google search of the filename....you'll get tons of info that way.
Al
It isn't paranoia when you KNOW they're out to get you...
-
May 6th, 2005, 08:17 AM
#5
Hello sec_ware.
I am using avast! antivirus. Do you think it's OK? The firewall I use is WyvernWorks Firewall 2004. My ZoneAlarm busted up a few days ago. Anyway, the programs userinit32.exe and jusched.exe were trying to access a remote machine which I didn't recognise. I blocked them using the firewall.
I saw a registry entry HKLM/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/RUN dot.exe
I deleted it.
-
May 6th, 2005, 08:26 AM
#6
I used HijackThis and the log is as follows.
Logfile of HijackThis v1.97.7
Scan saved at 12:55:20 PM, on 5/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\WyvernWorks\Firewall 2004\Firewall 2004.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\soft\HijackThis.exe
F0 - system.ini: Shell=Explorer.exe jusched.exe
F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [dot] dot.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [WyvernWorks Firewall] C:\Program Files\WyvernWorks\Firewall 2004\Firewall.exe
O4 - HKLM\..\RunServices: [dot] dot.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research (HKLM)
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
O10 - Unknown file in Winsock LSP: c:\program files\wyvernworks\firewall 2004\apptoport.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{78D92740-3062-4DED-8EA0-1ED26A96EE27}: NameServer = 61.0.128.65 61.0.0.5
-
May 6th, 2005, 09:40 AM
#7
Hi pi><boy
I cannot help you with recommendations for antivirus products. Myself,
I do not really know avast! antivirus (except its name), but I am pretty
happy with AVG[1a]. But for sure, you should run TrendMicro HouseCall[1b].
Assuming you have installed Free Download Manager, the following entries
should be removed immediately:
Code:
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
-> Refers to W32/Rbot-YE[2]
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
-> AdWare.ToolBar.Azesearch
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
-> ISTBar foistware
O10 - Unknown file in Winsock LSP: c:\windows\system32\espfspi.dll
-> questionable[3]
These should be checked more carefully (but I would remove them)
Code:
F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
-> have you installed the java runtime environment?
O4 - HKLM\..\Run: [dot] dot.exe
O4 - HKLM\..\RunServices: [dot] dot.exe
-> If you do not know them, remove them![4]
You could remove (I guess):
Code:
O9 - Extra button: Research (HKLM)
Make sure, these are your correct Nameservers (ISP provided):
Code:
O17 - HKLM\System\CCS\Services\Tcpip\..\{78D92740-3062-4DED-8EA0-1ED26A96EE27}: NameServer = 61.0.128.65 61.0.0.5
Useful sites for further information: Neuber.com[5] and liutilities.com[6].
I strongly recommend that you follow foxyloxley's tutorial[7]!
Cheers
[1a] http://free.grisoft.com/freeweb.php
[1b] http://housecall.trendmicro.com/
[2] http://www.sophos.com/virusinfo/analyses/w32rbotye.html
[3] http://castlecops.com/lsp-104.html
[4] http://castlecops.com/t115917-Dot_exe_in_StartUp.html
[5] http://www.neuber.com/taskmanager/pr...sched.exe.html
[6] http://www.liutilities.com/products/...brary/jusched/
[7] http://www.antionline.com/showthread...hreadid=265440
If the only tool you have is a hammer, you tend to see every problem as a nail.
(Abraham Maslow, Psychologist, 1908-70)
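The check in post #2 (is anything chained after userinit.exe in Winlogon's Userinit value?) and the verdicts in post #7 on the F2, O4 and O17 lines can be written down as a small triage script. The following is an added example, not code from the thread, from HijackThis or from any of the posters: it parses a constructed HijackThis-style sample that mirrors the lines posted above, flags extra programs chained into the Winlogon Shell/UserInit values, Run/RunServices commands given as a bare file name with no path, and any NameServer not on a list you supply (the ISP-provided list is an assumption passed in by the caller). Every function and variable name is the example's own.

```python
"""Triage of Winlogon/Run persistence entries from a HijackThis-style log.

Added example for this thread, not code from HijackThis or the posters.
The log text below is a constructed sample mirroring the F2, O4 and O17
lines posted above; all names in this script are the example's own.
"""
import ntpath
import re
from typing import Iterable, List, Tuple

Finding = Tuple[str, str]  # (item flagged, reason)

# Constructed sample in the shape of the posted log (not the full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe jusched.exe
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O4 - HKLM\..\Run: [dot] dot.exe
O4 - HKLM\..\Run: [WyvernWorks Firewall] C:\Program Files\WyvernWorks\Firewall 2004\Firewall.exe
O4 - HKLM\..\RunServices: [dot] dot.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{78D92740-3062-4DED-8EA0-1ED26A96EE27}: NameServer = 61.0.128.65 61.0.0.5
"""

# What a clean Windows XP box has in the two Winlogon values that the
# Rbot family hooks: Shell starts Explorer, UserInit starts userinit.exe.
EXPECTED_LOADER = {"Shell": "explorer.exe", "UserInit": "userinit.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")


def extra_loaders(name: str, value: str) -> List[str]:
    """Programs in a Winlogon Shell/UserInit value other than the expected one.

    UserInit entries are comma separated (a trailing comma is normal), Shell
    entries are space separated; on a clean box each holds one program, so
    every additional token is something Winlogon will launch at logon.
    """
    expected = EXPECTED_LOADER[name]
    tokens = [t for t in re.split(r"[,\s]+", value.strip()) if t]
    return [t for t in tokens if ntpath.basename(t).lower() != expected]


def run_entry_findings(key: str, label: str, command: str) -> List[Finding]:
    """Flag Run/RunServices commands that name a bare file with no directory.

    Such a command is resolved through the PATH search order, which is how a
    worm dropped into %System% (like dot.exe here) starts without leaving a
    tell-tale full path in the key.  Installers normally write full paths.
    """
    head = command.strip().split(" ")[0]
    if ntpath.dirname(head) == "":
        return [(head, f"{key} entry [{label}] has no path; check %System% for it")]
    return []


def triage(log_text: str, expected_nameservers: Iterable[str]) -> List[Finding]:
    """Apply the three rules above to every relevant line of the log."""
    findings: List[Finding] = []
    expected_ns = {ns.strip() for ns in expected_nameservers}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            for exe in extra_loaders(m.group(1), m.group(2)):
                findings.append((exe, f"extra program chained into Winlogon {m.group(1)}"))
            continue
        m = O4_RE.match(line)
        if m:
            findings.extend(run_entry_findings(m.group(1), m.group(2), m.group(3)))
            continue
        m = O17_RE.match(line)
        if m:
            unknown = set(m.group(1).split()) - expected_ns
            if unknown:
                findings.append((" ".join(sorted(unknown)),
                                 "NameServer not on the ISP-provided list"))
    return findings


if __name__ == "__main__":
    # The ISP nameserver list is an assumption supplied by the user.
    for item, why in triage(SAMPLE_LOG, ["61.0.128.65", "61.0.0.5"]):
        print(f"{item:20} {why}")
```

On a live machine the same rules apply to the Shell and Userinit values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and to the Run keys: a clean XP Userinit reads C:\WINDOWS\system32\userinit.exe, (with the trailing comma), and anything listed after it is a program Winlogon starts at every logon, which is exactly the hook the Sophos write-up in post #2 describes.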
-
May 6th, 2005, 05:05 PM
#8
Don't flame me for this one....but "MOST" antivirus software programs do not include scans for spyware. They are separating 'virus' (as in destructive) and 'spyware' (as in annoying).
Panda has added 'spyware' / F-Prot has added 'spyware'
As far as I'm concerned ANYTHING not authorized or personally installed on my computer is a virus !!
-
May 6th, 2005, 05:55 PM
#9
Hi,
All good advice, but you need to appreciate that these tools are fairly specialist and will not detect everything.
http://www.ewido.net/en/
That will find about 107,000 of them
http://www.emisoft.com/en/software/free/
A specialist tool for trojans and diallers.
Add them to the box folks
Ewido expires after 14 days, but that is only the interactive bit. You can still update and use the on-demand scanning for free after that.
And do run them in safe mode.