Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Outgoing Connections From Port 21467


  • Please log in to reply
4 replies to this topic

#1 dsJonCole

dsJonCole

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Location:Mansfield, OH
  • Local time:04:31 PM

Posted 18 July 2007 - 02:10 PM

Hello all!

We have a compromised machine, and we are having trouble figuring out what is causing the issue.

Some background: we received noticed that a machine on our network was sending spam. We viewed the logs in our SonicWall and figured out which PC was doing it. Spyware and Virus Scans (Windows Defender, A-SQUARED Free, Norton Corporate, Panda Software Online, Trend Micro Housecall) found a couple adware items and tracking cookies, but nothing to indicate a rogue program). We added a rule to our firewall to only allow SMTP traffic from our legitimate server, which blocked the affected machine from causing that trouble.

However, now I see another issue based on the connections monitor in our firewall. At any given time, this machine is connecting to 13-200 different IP addresses and ports from UDP port 21467. I am at a loss on what to do next. :thumbsup: We are at the point where we are going to have to wipe the machine, but I was hoping that someone might be able to shed some light on what to look for or what is happening. I will attach the HijackThis! log that I ran today.

Thank you so much for your help!
Jon Cole


Logfile of HijackThis v1.99.1Scan saved at 12:25:37 PM, on 7/18/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\Windows Defender\MsMpEng.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\a-squared Free\a2service.exeC:\Program Files\Miramar\PC MACLAN\ATMsg.exeC:\WINDOWS\system32\basfipm.exeC:\Program Files\NavNT\defwatch.exeC:\Program Files\Dell\OpenManage\Client\Iap.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Miramar\PC MACLAN\ATSERVER.EXEC:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXEC:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exeC:\Program Files\NavNT\rtvscan.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\hkcmd.exeC:\Program Files\CyberLink\PowerDVD\DVDLauncher.exeC:\Program Files\Common Files\Sonic\Update Manager\sgtray.exeC:\WINDOWS\system32\dla\tfswctrl.exeC:\Program Files\NavNT\vptray.exeC:\Program Files\Logitech\MediaLife\MediaLifeService.exeC:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exeC:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exeC:\Program Files\Windows Defender\MSASCui.exeC:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeC:\WINDOWS\system32\MsgSys.EXEC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exeC:\fuji photos\QuickDCF.exeC:\Program Files\Logitech\SetPoint\SetPoint.exeC:\lotus\organize\easyclip.exeC:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXEC:\Program Files\Extensis\Portfolio 8\Portfolio Express.exeC:\Documents and Settings\davida\Desktop\joncole\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://www.dell.com"]http://www.dell.com[/url]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url="http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html"]http://red.clientapps.yahoo.com/customize/.../search/ie.html[/url]R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [url="http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com"]http://red.clientapps.yahoo.com/customize/...//www.yahoo.com[/url]R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url="http://www.dell.com"]http://www.dell.com[/url]R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url="http://www.dell.com"]http://www.dell.com[/url]F2 - REG:system.ini: Shell=O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dllO2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dllO2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Home\wsbho2k0.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dllO4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /rO4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exeO4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exeO4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exeO4 - HKLM\..\Run: [MediaLifeService] "C:\Program Files\Logitech\MediaLife\MediaLifeService.exe"O4 - HKLM\..\Run: [MMTray] C:\PROGRA~1\MUSICM~1\MUSICM~2\mm_tray.exeO4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hideO4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exeO4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exeO4 - Global Startup: Exif Launcher.lnk = C:\fuji photos\QuickDCF.exeO4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exeO4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exeO4 - Global Startup: Lotus Organizer EasyClip.lnk = C:\lotus\organize\easyclip.exeO4 - Global Startup: Portfolio Express.lnk = C:\Program Files\Extensis\Portfolio 8\Portfolio Express.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dllO9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [url="http://go.microsoft.com/fwlink/?linkid=39204"]http://go.microsoft.com/fwlink/?linkid=39204[/url]O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - [url="http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab"]http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab[/url]O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (TotalScan Installer Class) - [url="http://www.nanoscan.com/as/v1/cabs/ascstubie.cab"]http://www.nanoscan.com/as/v1/cabs/ascstubie.cab[/url]O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - [url="http://download.bitdefender.com/resources/scan8/oscan8.cab"]http://download.bitdefender.com/resources/scan8/oscan8.cab[/url]O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - [url="http://www.nanoscan.com/cabs/nanoinst.cab"]http://www.nanoscan.com/cabs/nanoinst.cab[/url]O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - [url="http://acs.pandasoftware.com/activescan/as5free/asinst.cab"]http://acs.pandasoftware.com/activescan/as5free/asinst.cab[/url]O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dllO20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dllO20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dllO20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dllO23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exeO23 - Service: AppleTalk Messenger (ATMsg) - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATMsg.exeO23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exeO23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exeO23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exeO23 - Service: Miramar AppleTalk File Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSERVER.EXEO23 - Service: Miramar AppleTalk Print Server - Miramar Systems Inc. - C:\Program Files\Miramar\PC MACLAN\ATSPOOL.EXEO23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


BC AdBot (Login to Remove)

 


m

#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:31 PM

Posted 31 July 2007 - 03:04 PM

Hi dsJonCole, :huh:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

A new version of HijackThis has now been released, so before you repost your log please download and install the new version by following the instructions in Step 9 of the Preparation Guide For Use Before Posting A Hijackthis Log. Note that it is unnecessary to uninstall the old version because the new one will be copied to a different folder.

Thanks for your patience! :thumbsup:

P.S. Just copy/paste your log into this thread. :flowers:

#3 dsJonCole

dsJonCole
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Location:Mansfield, OH
  • Local time:04:31 PM

Posted 14 August 2007 - 12:21 PM

Thanks for following up. Due to time constraints, we had to format the machine and repurpose it. That log is the latest version we had because we took it out of service and replaced it with something else right away. I was just curious if anyone had any ideas on what could cause the machine to do what it was doing. Thanks!

#4 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:31 PM

Posted 14 August 2007 - 12:33 PM

Hi dsJonCole, :flowers:

I will check the log tomorrow morning and let you know. :thumbsup:

#5 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:03:31 PM

Posted 15 August 2007 - 01:53 PM

Hi dsJonCole, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

Due to time constraints, we had to format the machine and repurpose it. That log is the latest version we had because we took it out of service and replaced it with something else right away. I was just curious if anyone had any ideas on what could cause the machine to do what it was doing.


In general what did I see in your log:

1. No trace of a firewall. There are several good but for free programmes available like:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

Since this is a corporate computer a software firewall isn't sufficient, but you probably are aware of that.

2. I would recommend that you don't install Logitech Desktop Manager again. It's not malicious, but it does put an unnecessary strain on your computer.

3. Outdated Java: it may be you stll have it so update to Java Runtime Environment (JRE) 6u2 Don't forget to uninstall the older versions first.

4. Some entries to be removed/fixed with HijackThis.

As far as I can see from your HJT-log malware is not responsible for what happened, but.... with other tools we could have dug deeper. I would recommend to look for more information using Google.

My coach illukka explained:

i would say a network aware worm, such as an rbot ( with a rootkit driver to hide itself ) was the most likely cause


Good luck.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users