
Am I still infected


9 replies to this topic

#1 Shermanladd

  • Members
  • 4 posts

Posted 02 January 2009 - 12:43 PM

Caught a bug the other day which used all my bandwidth continually; ran ComboFix and WinSockFix, which seemed to remove the bug and fix most of the problems. I also ran Symantec and Malwarebytes and the machine shows clean, BUT Wireshark shows my machine sending out packets to a China address every 10 sec or so, which makes me think I am still infected. The IP is always the same, so I blocked it in my firewall, but I need suggestions.


#2 SteelSlasher

  • Members
  • 20 posts

Posted 02 January 2009 - 01:03 PM

Can you trace the packets to an application? It might be something you need (unlikely). But still, knowing what is sending the packets would probably help. I know that the Comodo Firewall displays all applications that are sending or receiving packets.

#3 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 January 2009 - 01:17 PM

This is the server address the packet goes to:

CNCGROUP-BJ
descr: CNCGROUP Beijing province network
descr: China Network Communications Group Corporation
descr: No.156 Fu-Xing-Men-Nei Street
descr: Beijing 100031
country: CN

It means you are not clean.

#4 Shermanladd

  • Topic Starter
  • Members
  • 4 posts

Posted 02 January 2009 - 01:32 PM

Yeah, I figured as much. I am using a free tool called Vision from Foundstone to see if I can trace the application. Thanks for your input; I will post my results.

#5 Shermanladd

  • Topic Starter
  • Members
  • 4 posts

Posted 02 January 2009 - 01:57 PM

Well, it looks like I traced the packets to one of my svchost.exe processes. The process sends two SYN packets and then, when it can't connect (because my firewall blocks it), it sends out 2 more every 10 sec and increments the port number by 1. None of my malware software detects it. Suggestions?

#6 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 January 2009 - 02:25 PM

If it is the legit svchost.exe located at C:\Windows\System32\, it means you have to take a serious look at it, as it might have been patched by the malware. The Windows svchost.exe should not go to China for any Windows update or other reason.

#7 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 January 2009 - 02:28 PM

Adding to that: svchost.exe might have 4 open ports at the same time; that is normal. More than that, especially when it goes to China or Ukraine, might be suspicious.
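The two heuristics discussed in posts #5 through #7 (a process that retries one remote address at a fixed interval, stepping its port by one each attempt, and an svchost.exe instance talking to more endpoints than the handful that is normal) can be checked mechanically once the capture has been mapped to PIDs. The script below is an added example written for this thread; it is not the poster's data, not Vision, and not Wireshark output. The connection log, the PIDs, the process names and the RFC 5737 documentation addresses are all constructed, and the "port number" that increments is assumed to be the local (source) port, which is what a SYN retry loop usually steps.

```python
"""Beacon and busy-svchost heuristics over a constructed connection log.

Added example for the thread; every record below is made up. Field order:
(time_s, pid, process, local_port, remote_ip, remote_port, flags)
flags "S" = SYN only (no reply), "SA" = SYN/ACK seen (handshake completed).
"""
from collections import defaultdict
from statistics import mean, pstdev

SAMPLE_LOG = [
    # PID 1040: two SYNs per attempt, a new attempt every 10 s, local port +1
    (0.0,  1040, "svchost.exe", 49152, "203.0.113.5", 8080, "S"),
    (3.0,  1040, "svchost.exe", 49152, "203.0.113.5", 8080, "S"),
    (10.0, 1040, "svchost.exe", 49153, "203.0.113.5", 8080, "S"),
    (13.0, 1040, "svchost.exe", 49153, "203.0.113.5", 8080, "S"),
    (20.0, 1040, "svchost.exe", 49154, "203.0.113.5", 8080, "S"),
    (23.0, 1040, "svchost.exe", 49154, "203.0.113.5", 8080, "S"),
    (30.0, 1040, "svchost.exe", 49155, "203.0.113.5", 8080, "S"),
    (33.0, 1040, "svchost.exe", 49155, "203.0.113.5", 8080, "S"),
    # the same PID also completes a few ordinary connections
    (1.0,  1040, "svchost.exe", 49100, "198.51.100.10", 80,  "SA"),
    (2.0,  1040, "svchost.exe", 49101, "198.51.100.11", 443, "SA"),
    (4.0,  1040, "svchost.exe", 49102, "198.51.100.12", 443, "SA"),
    (5.0,  1040, "svchost.exe", 49103, "198.51.100.13", 443, "SA"),
    # PID 880: a browser hitting one host at irregular times (not a beacon)
    (0.5,  880,  "firefox.exe", 50000, "198.51.100.20", 443, "SA"),
    (7.2,  880,  "firefox.exe", 50001, "198.51.100.20", 443, "SA"),
    (8.0,  880,  "firefox.exe", 50002, "198.51.100.20", 443, "SA"),
    (25.9, 880,  "firefox.exe", 50003, "198.51.100.20", 443, "SA"),
]


def attempts_by_flow(records):
    """Collapse SYN retransmits into attempts.

    Two SYNs from the same local port to the same remote host are one
    attempt (the second is the retransmit). Returns
    {(pid, process, remote_ip): [(first_seen, local_port), ...]} sorted by time.
    """
    first_seen = {}
    for t, pid, proc, lport, rip, _rport, _flags in records:
        key = (pid, proc, rip, lport)
        if key not in first_seen or t < first_seen[key]:
            first_seen[key] = t
    flows = defaultdict(list)
    for (pid, proc, rip, lport), t in first_seen.items():
        flows[(pid, proc, rip)].append((t, lport))
    for attempts in flows.values():
        attempts.sort()
    return flows


def beacon_candidates(records, min_attempts=4, max_jitter=0.2):
    """Flag (pid, process, remote_ip) whose attempts recur at a steady interval.

    max_jitter is the allowed ratio of stdev to mean of the gaps between
    attempts; a retry loop on a timer has near-zero jitter, a person browsing
    does not. Also reports whether the local port stepped by exactly one.
    """
    hits = []
    for (pid, proc, rip), attempts in attempts_by_flow(records).items():
        if len(attempts) < min_attempts:
            continue
        times = [t for t, _ in attempts]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0 or pstdev(gaps) / avg > max_jitter:
            continue
        ports = [p for _, p in attempts]
        sequential = all(b - a == 1 for a, b in zip(ports, ports[1:]))
        hits.append({"pid": pid, "process": proc, "remote_ip": rip,
                     "attempts": len(attempts), "interval_s": round(avg, 1),
                     "sequential_local_ports": sequential})
    return hits


def busy_svchost(records, max_endpoints=4):
    """Per svchost.exe PID, count distinct remote endpoints over the window.

    Uses the thread's rule of thumb that about four is normal; anything above
    max_endpoints is returned as {pid: count}. This approximates "open at the
    same time" because the log carries no connection-close times.
    """
    endpoints = defaultdict(set)
    for _t, pid, proc, _lport, rip, rport, _flags in records:
        if proc.lower() == "svchost.exe":
            endpoints[pid].add((rip, rport))
    return {pid: len(eps) for pid, eps in endpoints.items() if len(eps) > max_endpoints}


if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_LOG):
        print("beacon-like:", hit)
    for pid, n in busy_svchost(SAMPLE_LOG).items():
        print(f"svchost.exe PID {pid} talks to {n} distinct endpoints")
```

On the constructed log this reports PID 1040 retrying 203.0.113.5 every 10 s with sequential local ports, and the same PID exceeding the four-endpoint rule of thumb, while the browser's irregular timing is not flagged. The next step the thread takes, mapping the flagged PID to the service it hosts and the file backing that service, is a Windows-side lookup (tasklist /svc and the service's registry entry) that this script does not attempt.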

#8 Shermanladd

  • Topic Starter
  • Members
  • 4 posts

Posted 02 January 2009 - 02:34 PM

OK, killed IT!!!!! I traced that svchost source to a file in my system32 called boozizoa, which was started by a Windows service. I killed the specific svchost process, deleted boozizoa.exe and boozizoa.dll, went into the registry and removed that service, and PEACE AND HARMONY HAS RETURNED. The problem is gone; thanks for all your help. BTW, that Vision product really helped.

#9 Farbar

    Just Curious

  • Security Developer
  • 21,716 posts
  • Gender:Male
  • Location:The Netherlands

Posted 02 January 2009 - 04:47 PM

Glad it is sorted out, but I would still be on guard.

#10 killragtshirts

  • Members
  • 5 posts

Posted 17 February 2009 - 05:34 PM

Hi,

Where can I find this Vision software please?

Thanks