Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Pc Has An Trojan I Cannot Identify.


  • This topic is locked This topic is locked
2 replies to this topic

#1 banzaibob

banzaibob

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:02:08 PM

Posted 04 February 2008 - 03:59 PM

I am working on a PC that came up with some odd behaviors last week.
PC is a laptop running XP pro with current updates ,ad Kaspersky antivirus suite 6.03 corporate
Me first hint was some odd persistent connections showing in my boundary firewall for the office late one evening.
I thought all PC's would be off at that time. This one wasnt.
I traced the IP addresses to China

222.185.245.525
124.238.253..88
218.0.108.106
202.105.21.217

I tried dropping the connections but they quickly reestablished. So I setup a rule to block them.
While troubleshooting the laptop the next day the user said his network monitor showed unusual steady high data rates.
Using TCPmonitor and process monitor we found that a task named Firefox was causing the traffic. The user uninstalled Firefox and deleted the folders. When I allowed them the firewall showed the same IP connections to China.
We replaced the Corporate Kaspersky with the most current Demo version and it started blocking a process running in svchost that claims to be coming from c:\~program\mozilla\Firefox folder. This folder does not exist.
using the task ID I can kill 3 different svchosts tasks and then Laptop will run overnight without tripping the Kaspersky live protection. These tasks run about once every five minutes when the network cable is connected. They are silent when there is no network connection.

When Kaspersky blocks the tasks Ethereal logs also shows that the program is using DNS to find
NS1.3322.net
NS1.ORAY.NET
NS1.CHINA.COM
SHUA.2288.ORG
These sites trace back to the same IP's as above.

This traffic goes out when the network card is plugged into a a hub that is not connected to anything.
I have not logged the traffic that might occur if the DNS lookups were answered.

HighJackThis 2.0 does not show anything unusual

Kaspersky 7.0 antivirus scan and Antirootkit scans did not find anything

Microsoft Rootkit Detector did not find anything either

BC AdBot (Login to Remove)

 


m

#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,699 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:08 PM

Posted 04 February 2008 - 08:44 PM

Hello banzaibob and welcome to BC :flowers:

Given that something on the computer is being identified as Firefox even though it has been uninstalled and deleted, I have serious doubts that Firefox was responsible to begin with. Something else is the culprit.

For now, I'm going to suggest scanning with SUPERAntiSpyware Free in Safe Mode

Download and install SUPERAntiSpyware free found here: http://www.superantispyware.com/superantis...efreevspro.html. Of course, you will install it in normal mode.

Be sure to click on the download button to the left, not on the free trial download on the right.

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes.
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
o Close browsers before scanning
o Scan for tracking cookies
o Terminate memory threats before quarantining.
o Please leave the others unchecked.
o Click the Close button to leave the control center screen.
Reboot into safe mode then open SUPERAntiSpyware
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.
Reboot into normal mode.
To retrieve the removal information for me please do the following:
o After reboot, double-click the SUPERAntispyware icon on your desktop.
o Click Preferences. Click the Statistics/Logs tab.
o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o It will open in your default text editor (such as Notepad/Wordpad).
o Please highlight everything in the notepad, then right-click and choose copy.
Click close and close again to exit the program.

Please post the log in your next reply.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 TMacK

TMacK

  • Members
  • 4,672 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:B.C. Canada
  • Local time:11:08 AM

Posted 07 February 2008 - 07:37 PM

Hello banzaibob,

I have split your hijackthis log and it is posted Here. Please refrain from asking for help from other members or staff while you are being instructed by a member of the HJT Team.

The HJT Team should be the only members that you take advice from, until they have verified your log as clean.

If, after your log has been cleaned, you still need help, please PM a Moderator and we will re-open this topic. If you have any questions, don't hesitate to send me a PM.
Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

aaaaaaaa a~Suzie Wagner




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users