Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Can't Ftp - Something Blocking Ports?


  • Please log in to reply
6 replies to this topic

#1 freekie

freekie

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:24 AM

Posted 31 January 2007 - 01:04 PM

Ran through the prep guide, and ran all of the scans.

My computer is unable to connect to any FTP server over the internet although it used to be able to. I do have the correct login details and am able to access FTP from other computers on my home network, so it is not the firewall in the router blocking the access (tried switching it off anyway, but made no difference). No other software firewalls are installed apart from the Microsoft XP SP2 one which is disabled (exeptions for the FTP prog are granted in it anyway).

I have tried various alternative FTP programs, uninstalled, reinstalled etc but all with no success.

Another clue may be that my email (Outlook Express) often has problems connectiong to my ISP's POP3 server although this may be just a problem at their end.

I am normally pretty good at solving these problems, but this time i am pulling my hair out. Maybe something is blocking the ports or taking control of them?

I would be very grateful if someone could have a look through the log below and advise if anything looks wrong.

Logfile of HijackThis v1.99.1
Scan saved at 17:11:37, on 31/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
E:\Program Files\Executive Software\Diskeeper\DkService.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Eset\nod32krn.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\bcmwltry.exe
E:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
E:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe
E:\WINDOWS\system32\atwtusb.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\system32\LVCOMSX.EXE
E:\Program Files\Logitech\Video\LogiTray.exe
E:\WINDOWS\system32\JMRaidTool.exe
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Eset\nod32kui.exe
E:\Program Files\PeerGuardian2\pg2.exe
E:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Windows Media Player\WMPNSCFG.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Belkin\Bluetooth Software\BTTray.exe
E:\PROGRA~1\Belkin\BLUETO~1\BTSTAC~1.EXE
E:\Program Files\Logitech\Video\FxSvr2.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.eclipse.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - E:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {9165A4D3-2F90-94A6-9A54-C60E5F9C0CE4} - blank (file missing)
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] E:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "E:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [Opware15] "E:\Program Files\ScanSoft\OmniPage15.0\Opware15.exe"
O4 - HKLM\..\Run: [PDF3 Registry Controller] "E:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\\RegistryController.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LVCOMSX] E:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] E:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [GBB36X Configure] E:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [EasyTuneV] E:\Program Files\Gigabyte\ET5\GUI.exe
O4 - HKLM\..\Run: [nod32kui] "E:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] winsis32.exe
O4 - HKCU\..\Run: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "E:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [PeerGuardian] E:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "E:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Iso Wave] E:\DOCUME~1\Dad\APPLIC~1\MP3BEN~1\WmaCast.exe
O4 - HKCU\..\Run: [WMPNSCFG] E:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunServices: [Required Service Drivers] micront.exe
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: Download All by FlashGet - E:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - E:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://E:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
O8 - Extra context menu item: Send To &Bluetooth - E:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - E:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,23/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{178560EE-09F0-4FA7-905E-88685196935E}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B681B60-AAAE-4EC9-B952-4C2919880C7E}: NameServer = 192.168.2.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC08C804-FB63-4D83-84F2-1A937A30C85A}: NameServer = 192.168.2.1
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - E:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - E:\WINDOWS\system32\btxppanel.dll
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - E:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - E:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - E:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - E:\Program Files\Eset\nod32krn.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite XI\RpcSandraSrv.exe

BC AdBot (Login to Remove)

 


#2 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:05:24 PM

Posted 05 February 2007 - 04:52 PM

Hi Freekie,

Welcome to Bleeping Computer.

Sorry for the delay, and even sorrier for what I have to tell you.

You have two bot worms on your computer. :thumbsup:

A bot worm is a program that is installed without your knowledge and enables a hacker, sitting at another computer perhaps thousands of miles away, to control your computer so that it does what he wants -- it becomes his "bot."

Bots can be used to launch denial-of-service attacks (This is where hundreds of bots simultaneously bombard a website with requests for information, overwhelming its capacity to respond and, thereby, shutting it down) and for other sorts of mischief. The bot can also do mass spam mailing, download files to the computer, or upload files and data, including passwords and other private information. As a worm, it can also use its mass mailing ability to replicate itself on other users' machines.

In your case, one of the bot worms sets up an FTP client on your computer. This probably explains why you are unable to get access to the FTP port of your machine. You should read this writeup (click the "Advanced" tab) for a detailed explanation of what it does.

Judging by your description of how your computer is behaving, it appears that this worm is active and in fact is making use of many if not all its capabilities.

For these reasons it is very important that, starting immediately, this machine be kept off the internet and physically disconnected from any network it may be part of.

If you use or have used this computer for online banking or shopping or for accessing or storing personal information such as school records, then you need to take steps to protect your information that may have been compromised. I recommend these steps for action:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

The very first step is to go to a clean computer and change any and all online passwords -- banking, credit cards, schools, employers, e-mail, all of them. Then follow up with the other steps in the "Possible Identity Theft" article. Do this now.

The problem with infections like this is, there is no telling what or how much damage may have been done to your system. Besides stealing passwords and other personal information, the hacker(s) running these bots could change almost anything on your machine. Putting it back to where it was before may prove to be impossible, because scanners and other security programs will not be able to uncover all the alterations.

This is something i don't like to recommend normally, but with a computer this badly infected, the best solution for your safety, and for the safety of others, would be to reformat the hard drive and reinstall Windows.

Please read the following link very carefully:

When Should I Format, How Should I Reinstall

Here are some more links to help you decide:


Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx


Only you can make this decision. But please consider carefully before deciding against a reformat. If you do make that decision I will do my best to help you disinfect it, but you must understand that once a machine has been taken over by this type of malware, it can never be declared clean.

If you choose to format and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html

Please let me know whatever decision you make. I will be glad to advise you on exactly how to do the reformat and reinstall. If that is your decision, please include the make and model number of your computer so that I can research it. The procedure is different depending on what sort of recovery disks you have available.

Dave

#3 freekie

freekie
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:24 AM

Posted 06 February 2007 - 02:40 AM

Oh S@#t one big question, will I have to reformat all of my 2Tb+ of hard drive space? or just the drive with the OS on it?

#4 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:05:24 PM

Posted 06 February 2007 - 07:12 AM

Hi Freekie,

Only the drive or partition where the operating system is installed.

When I set up my own computers I create a separate data partition for this very reason. If my OS ever gets hosed I don't lose my e-mails, documents, tax records etc. But I still make backups, because there's always the chance that the hard drive will go belly up. (Physical failure.)

Any important data stored on your OS partition will of course have to be backed up to another drive or partition before doing the format.

Once you have reinstalled the operating system, before you begin using the computer again, you should install an antivirus program and scan all your backed up data files, and the other drives/partitions on your system. That will assure that your system does not get re-infected.

Also, once you're up and running again, be sure to follow the recommendations in this tutorial.

Any other questions, just ask. I'm here to help.

Dave

#5 freekie

freekie
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:12:24 AM

Posted 06 February 2007 - 11:38 AM

Well, at least some fairly good news. Just one more question, what parts of the HJT log indicated my problem, so I can scan the other computers on the network to make sure that they are not infected aswell. I am sure that you don't want another 4 logs posting just for this.

#6 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:05:24 PM

Posted 06 February 2007 - 01:28 PM

Hi freekie,

Here are the lines in the HJT log:

O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [NTSF MICROSOFT SYSTEM] winsis32.exe
O4 - HKCU\..\Run: [Required Service Drivers] micront.exe


Each line represents a key in the registry from which one of the baddies is started. You'll note that the W32/Rbot-ABD worm (micront.exe) has three different launch points...an attempt to make it harder to stop.

You should definitely scan all the other computers on your network. From the Sophos write-up I linked to in my first post here:

The worm spreads to network shares with weak passwords and also by using the exploits for security vulnerabilities described in Microsoft security bulletin MS04-011and MS03-039.



You might want to run HijackThis on the other network computers, but in addition I would suggest scanning with a couple of online scanners, such as McAfee and Panda.

Dave

#7 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:05:24 PM

Posted 18 February 2007 - 09:53 AM

Hi Freekie,

Just wondering how things have gone with your cleanup.

Dave




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users