-
April 21st, 2005, 12:56 AM
#1
Junior Member
Packets in are 10x packets out
Hello all:
I am extremely new to both computers and security. Unfortunately, the web doesn't wait for one to become familiar with things before getting hit... I am running Microsoft XP, and surf the web with Internet Explorer.
I was surfing the web a few days ago, and one of the pages that came up was a trojan. I caught it (I thought) before it got into my comp, and I thought I deleted it. But now my packets out are 10 times my packets in, in my network connection status.
I have AVG, and have run it 3 times, once in safe mode. I have ad aware and spybot, and have run those as well. Finally, I have kerio firewall, and have always had that running.
I checked my Kerio intrusions, and have found several things:
BACKDOOR trojan active trojancow
trojan probe orifice
trojan backdoor construction
DDOS shaft synflood incoming
a bunch of SCAN things, from nmap to webtrends
a plethora of BACKDOOR trojans, from yetanother to Voodoo to portalofdoom.
Finally, there were several attempts to remote activation bind.
In the vast majority of things, the reference URL was www.whitehats.com/info/ID####
The other common reference URL was www.cve.mitre.org
There were several 4 digit numbers used.
Aside from the incoming packet thing, my comp has no problems. I did not have the latest updates from Microsoft, but I have them now.
-
April 21st, 2005, 03:34 AM
#2
Updating was a very good start. You may want to try housecall.trendmicro.com; it is one of the best virus scanners I know of. Also download Stinger (just Google it; it is a McAfee product that has saved me tons of time and aggravation in the past). Both are free and both are awesome. Make sure all your anti-malware software is up to date and run those two scanners. Run Stinger in safe mode and re-run Ad-Aware and Spybot in safe mode also. After all that is done, if the problem still continues, download HijackThis and post the log here and some of us can help you out with what to delete.
-
April 21st, 2005, 03:42 AM
#3
As long as the intrusions have been logged by Kerio, you have nothing to worry about - it's the ones that Kerio didn't detect you should worry about.
The reference URL is just a link to more information on the attack.
In your case, what I would do first is delete all Kerio rules, and start all over. Any time something requests a connection, look it up or ask for advice (look at what it's trying to connect to - look up the IP address). In addition to that, follow XTC46's advice.
And run a trojan scanner (http://www.agnitum.com/tauscan for example).
-
April 21st, 2005, 04:44 AM
#4
Use Firefox
...surf the web with Internet Explorer...
Hi RamsestheGreat, have you checked out Firefox at http://********firefox.com, or did somebody recommend that you use IE?
Use Firefox and get rid of most of your spyware/malware problems.
"And life is what we make it. Always has been, always will be."
-
April 21st, 2005, 10:34 AM
#5
Yes, it certainly sounds as if "ET is phoning home"
Get Ewido, and the Microsoft anti-spyware beta.
Update everything then re-boot into safe mode and run them.
Be warned, AVG, in common with a lot of AVs is not very good at detecting spyware and trojans. Hence the need to run specialist products in safe mode.
Good luck
-
April 21st, 2005, 12:43 PM
#6
If your machine is compromised you need to reinstall it and restore carefully from backups.
If you don't have a hardware firewall, be sure to install the updates before connecting to the internet; this is tricky if you have to connect to the internet to obtain them - ask a friend (who has not had their machine compromised) to burn the SP2 and latest updates on to a CD for you, so you can install them after you reinstall but before you connect to the internet (of course, run Windows Update too, once connected, to get any more recent ones).
Slarty
-
April 21st, 2005, 01:40 PM
#7
Junior Member
M$Antispyware Beta (http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en&Hash=FP4FH6C) - the only free one that stays running in the task bar
-
April 21st, 2005, 05:54 PM
#8
Junior Member
OK, so here's an update.
I did all of the above suggestions. The only thing found was something that dealt with Internet Explorer. I fixed that, but the problem persists.
I guess I will download the hackerlog and see if that provides any illumination...
Thanks for the advice, everyone. It was very appreciated.
-
April 21st, 2005, 06:13 PM
#9
Junior Member
OK, I got hijackthis, and here's the log:
Logfile of HijackThis v1.99.1
Scan saved at 1:08:45 PM, on 4/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\SmackyMc\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/news?ned=
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: eurekster Toolbar - {7380543E-F530-42EF-BDB0-D03BCCFA7185} - C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.7\taumon.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - Global Startup: Microsoft Broadband Networking.lnk = ?
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &eurekster Toolbar search - res://C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: eurekster Toolbar - {B9510087-D944-4309-9823-38D3D544D15B} - C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll
O9 - Extra 'Tools' menuitem: eurekster Toolbar - {B9510087-D944-4309-9823-38D3D544D15B} - C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/game...ts/y/ht1_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: {7380543E-F530-42EF-BDB0-D03BCCFA7185} (eurekster Toolbar) - http://home.eurekster.com/toolbar/eurekster.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/A...oadcontrol.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-
April 21st, 2005, 06:54 PM
#10
Greetings,
Your HijackThis log looks clean to me except for one entry:
Extra context menu item: &eurekster Toolbar search - res://C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll/SEARCH.HTML
This search bar has been identified as nasty. Anyway, looking at your HijackThis log, it looks good except for this. I would advise you to create new rules for your firewall, something like what negative said.
I have saved an analysis of your log at
http://www.hijackthis.de/logfiles/fb...05792fd01.html
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
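Posts #9 and #10 read the HijackThis log by hand. The script below is an added example, not part of the thread and not HijackThis' own code: it parses the O*/R* entry lines of a v1.99-format log, drops entries whose path matches a reviewer-maintained allowlist (an assumption of the example, here seeded with the AVG, Kerio and Spybot paths the poster says are installed on purpose), and returns the rest with the reasons a reviewer would want to look at them: components living in IE's Downloaded Program Files folder (where the eurekster toolbar flagged in #10 sits), per-user Run keys, and CLSIDs that hook more than one section (the same eurekster GUID appears in the O3 and O16 lines of the posted log). The sample log is a constructed subset of the poster's entries plus one quoted-path Run line to exercise the path parser; nothing here declares an entry malicious, it only builds the review queue.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.99.1 format: a subset of the entries the
# poster listed, plus one quoted-path Run entry to exercise the path parser.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: eurekster Toolbar - {7380543E-F530-42EF-BDB0-D03BCCFA7185} - C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O8 - Extra context menu item: &eurekster Toolbar search - res://C:\WINDOWS\Downloaded Program Files\eurekster-2.10.dll/SEARCH.HTML
O16 - DPF: {7380543E-F530-42EF-BDB0-D03BCCFA7185} (eurekster Toolbar) - http://home.eurekster.com/toolbar/eurekster.cab
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""

# Reviewer-maintained allowlist (an assumption of this example, not part of
# HijackThis): path fragments of software the poster says is installed on
# purpose. Anything whose path contains none of these goes to review.
KNOWN_GOOD = (
    r"\Grisoft\AVGFRE~1",
    r"\Kerio\Personal Firewall 4",
    r"\SPYBOT~1",
)

# "O4 - HKLM\..\Run: [Name] C:\path\prog.exe /flag"  ->  section, rest
_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
# A Windows path up to a recognised extension; tolerates spaces in unquoted
# paths and stops before a trailing quote. Paths with no extension are skipped.
_PATH = re.compile(r'(?:[A-Za-z]:\\|%[A-Za-z]+%\\)[^\r\n"]*?\.(?:exe|dll|cab|lnk|scr|ocx)\b', re.IGNORECASE)
_GUID = re.compile(r"\{[0-9A-F-]{36}\}", re.IGNORECASE)


@dataclass
class Entry:
    section: str          # O2, O3, O4, O16, ...
    kind: str             # BHO, Toolbar, HKLM\..\Run, DPF, Service, ...
    payload: str          # everything after "kind: "
    paths: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Return the O*/R* entry lines of a HijackThis log as Entry objects."""
    entries = []
    for line in log_text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # banner, "Running processes:" list, blank lines
        kind, sep, payload = m.group("rest").partition(": ")
        if not sep:  # R0-style lines carry no "kind: " prefix
            kind, payload = "", m.group("rest")
        entries.append(Entry(m.group("section"), kind, payload, _PATH.findall(payload)))
    return entries


def triage(log_text, known_good=KNOWN_GOOD):
    """Split entries into (known, review). Review entries carry the reasons a
    human should look at them; nothing here declares an entry malicious."""
    entries = parse_entries(log_text)
    # Which sections each CLSID appears in, so a toolbar's O3/O9/O16 hooks are
    # seen as one component instead of several unrelated lines.
    by_guid = {}
    for e in entries:
        for g in _GUID.findall(e.payload):
            by_guid.setdefault(g.upper(), set()).add(e.section)
    known, review = [], []
    for e in entries:
        if any(k.lower() in p.lower() for p in e.paths for k in known_good):
            known.append(e)
            continue
        e.reasons.append("not in reviewer allowlist")
        if any("downloaded program files" in p.lower() for p in e.paths):
            e.reasons.append("installed into IE's Downloaded Program Files (ActiveX)")
        if e.section == "O4" and e.kind.startswith("HKCU"):
            e.reasons.append("per-user autorun: writable without admin rights")
        for g in _GUID.findall(e.payload):
            others = by_guid[g.upper()] - {e.section}
            if others:
                e.reasons.append(f"same CLSID also hooked in {', '.join(sorted(others))}")
        review.append(e)
    return known, review


if __name__ == "__main__":
    known, review = triage(SAMPLE_LOG)
    print(f"{len(known)} entries matched the allowlist; {len(review)} to review:")
    for e in review:
        print(f"  {e.section:<4} {e.payload}")
        for r in e.reasons:
            print(f"         - {r}")
```

Run against the sample, the three AVG/Kerio/Spybot lines are dropped and five entries come back for review: the eurekster O3, O8 and O16 hooks (the O3 and O16 lines cross-referenced through their shared CLSID), the RealPlayer scheduler simply because it is not on the allowlist, and the HKCU "Update Service" Run key flagged as a per-user autorun. Growing the allowlist as entries are confirmed is what turns this from a one-off into a repeatable check.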