Author Topic: Please Help!  (Read 16115 times)

0 Members and 1 Guest are viewing this topic.

Offline AleKx

  • Jr. Member
  • **
  • Posts: 22
Re: Please Help!
« Reply #30 on: April 05, 2008, 05:17:14 AM »
Ok oldman, I will try that. Thank you.

Offline AleKx

  • Jr. Member
  • **
  • Posts: 22
Re: Please Help!
« Reply #31 on: April 05, 2008, 05:21:49 AM »
This is my report from following your instructions:

MD5:     01c3346c241652f43aed8e2149881bfe
Date:    03.31.2008 06:17:30 (CET) [>4D]
Results:    0/32
Permalink:    analisis/ed6726c2dfa5cc59ed62fb2c333dd8ef (here's the link so you can view it: http://www.virustotal.com/analisis/ed6726c2dfa5cc59ed62fb2c333dd8ef )

from reading this, I'm assuming the MD5 is some type of identifier for winlogon.exe, the Date is self explanatory, and Results: show the number of infected files I assume?

Why then did Ghost Buster specifically detect c:\windows\system32\winlogin.exe as Trojan.Win32.Patched.m
?

I just figured out that the link you sent me used online scanners like nortan and symantec to scan a specific file, which is awesome. But then why would all these known anti-virus programs not detect it but Ghost Buster 5 will?
« Last Edit: April 05, 2008, 05:24:35 AM by AleKx »

Offline Rifkin

  • Jr. Member
  • **
  • Posts: 36
  • Nothing happens unless it's inconvenient.
Re: Please Help!
« Reply #32 on: April 05, 2008, 05:31:17 AM »
http://www.trojanwin32-patched-removal.com.removal-instructions.com/removeTrojanWin32Patched.html

The above link has manual removal and a special SpyHunter scanner download link.  All free.  Also some viruses, infect the antivirus first!  So, they would detect it if they were not infected themselves.  On-line virus scanners avoid this problem.
Remember, according to Microsoft it's not a flaw, it's a feature.

Offline AleKx

  • Jr. Member
  • **
  • Posts: 22
Re: Please Help!
« Reply #33 on: April 05, 2008, 05:31:23 AM »
I uninstalled my P2P program UTorrent Rifkin, and I rebooted my pc. I also ran CCleaner and Registry Booster. I also cleaned my Temp files. I opened netstat and the same IP is still listening, still using netbios-ssn, epmap, microsoft-ds, and listening on specific ports.

Offline AleKx

  • Jr. Member
  • **
  • Posts: 22
Re: Please Help!
« Reply #34 on: April 05, 2008, 05:33:30 AM »
Yes thank you Rifkin, I have already googled the Trojan name and found that link myself. I already have installed and tried SpyHunter. It detects nothing. Ghost Buster 5 does though, and it detects winlogon.exe specifically, COINCIDENTLY? using the same files that the IP constantly listening to my ports is listening with? I think not. Again, thank you Rifkin.  ;)


......Wait I could be wrong, Instead of double posting I'll just modify the post, It says to do that in SAFE MODE, which I haven't done. So I'll do that first and I'll let you guys know.

A lot of you have been helping, again, you guys are kind, it is most welcome.
« Last Edit: April 05, 2008, 05:35:18 AM by AleKx »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: Please Help!
« Reply #35 on: April 05, 2008, 05:38:15 AM »
That scan would appear to be clean. Yes the md5 is a file identifier. The date is a little strange, as on virustotal's page it says "File winlogon.exe_ received on 03.31.2008 06:08:56 (CET)", it april 04 where I am.

And yes, you are correct for the results, no one detected anything. A false positve on Ghost Buster's part perhaps? Don't get me wrong, I'm not denying you have a problem.

Let me check some more.

added

Rifkin may be correct, an online scan might be the answer. Eset and kaspersky both have good detection rates. The difference is eset will remove, kav will only report.

If this i the route you take, I'd be very interested in the results. A bit of a hobby.


Offline Rifkin

  • Jr. Member
  • **
  • Posts: 36
  • Nothing happens unless it's inconvenient.
Re: Please Help!
« Reply #36 on: April 05, 2008, 05:46:34 AM »
You may want to try Ad-aware free version.  I often run an Ad-aware scan with Avast set to check all files on opening.  As Ad-aware reads the files Avast! checks them and often finds viruses that are missed otherwise.  Also Ad-aware can find and remove some virus itself.  I also had one person's ISP provider was infected and every time the computer connected it got infected.  I finally had to go off-line do a clean reinstall and install anti-virus and anti-spyware before allowing it to connect even for Microsoft.
« Last Edit: April 05, 2008, 05:48:31 AM by Rifkin »
Remember, according to Microsoft it's not a flaw, it's a feature.

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: Please Help!
« Reply #37 on: April 05, 2008, 05:57:18 AM »
AleKx

Did Ghost Buster's scan also detect this file C:\WINDOWS\system32\dllcache\winlogon.exe ? It's a backup copy of the file. These bugs mutate, so it's possible that it's slipped past the avs and GB is the first out of the block with the detection.

Offline AleKx

  • Jr. Member
  • **
  • Posts: 22
Re: Please Help!
« Reply #38 on: April 05, 2008, 06:08:44 AM »
No, it only detected the virus in c:\windows\system32\winlogon.exe

I'm currently in Safe-Mode with Networking.

I figured out how to know exactly which exe the file is listening to. When you do Netstat -ab, it associates a PID to the connection. You can then CTRL+ALT+DELTE, go to view: show PID's, that way your Task manager will show the PID's. The files are: image name svchost.exe (Network service PID 864) , image name winlogon.exe, svchost.exe (Network service PID 728) and image name System (System PID 4)

Here are some of the DLL files in use that THE IP LISTENING ON MY PORTS ALSO USES.

Protocol: TCP Local Adress: box:epmap Foreign Adress:ppp-54-25.32-151.iol.it:0 State:Listening PID:728
RPCRT4.DLL
WS2_32.DLL
svchost.exe
(unknown components)
svchost.exe

epmap is just one of them. It also uses netbios-ssn, and microsoft-ds and a few others.



PS: "box" is the name of my computer.
« Last Edit: April 05, 2008, 06:12:06 AM by AleKx »

Offline AleKx

  • Jr. Member
  • **
  • Posts: 22
Re: Please Help!
« Reply #39 on: April 05, 2008, 06:13:29 AM »
I have a solution, screw microsoft, and yay linux or mac. I've been a windows user for 10 years and I'm fedup with all the protection needed, antiviruses, anti-malware, anti-spyware, anti-trojans, anti-worms, etc etc. Even after investing in legitimate copies of the programs I use(I wasn't always an angel but I learned) I still get viruses, even when running Avast or having a router. I can't be arsed to hop from one anti-virus to the other because one program won't fix them all because microsoft sells us an unfinished product, hence the 150 security updates I had to do 4 days ago after re-installing windows.

I'm done with it, done. Windows is going in the garbage. I'm probly going to run Mac since Linux is a lot of manual stuff. Besides, Mac's have the fastest processors and best GFX, oh, and no viruses, or virtually none. A lot better than 10 years of microsoft's bs that's for sure.

Thank you to everyone who helped. But I've found a solution to my problem. Instead of finding a solution to get rid of the viruses, I'll get rid of the thing that hosts them, the operating system itself.
« Last Edit: April 05, 2008, 06:19:55 AM by AleKx »

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: Please Help!
« Reply #40 on: April 05, 2008, 06:29:28 AM »
If that's your solution, then so be it.  ;D I understand your frustration.

BTW did Rifkin's suggestion work?

Offline AleKx

  • Jr. Member
  • **
  • Posts: 22
Re: Please Help!
« Reply #41 on: April 05, 2008, 07:13:13 AM »
Negative, I have uninstalled UTorrent, rebooted and the IP is still listening.  ???

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4143
  • Some days..... MOS...this bug's for you
Re: Please Help!
« Reply #42 on: April 05, 2008, 07:21:33 AM »
If you are interested, we can try a scan tool or two an see if we can see anything amiss.

You could also check  C:\WINDOWS\system32\dllcache for winlogon.exe and check the file info in it's properites.

Offline Rifkin

  • Jr. Member
  • **
  • Posts: 36
  • Nothing happens unless it's inconvenient.
Re: Please Help!
« Reply #43 on: April 05, 2008, 04:59:01 PM »
If your copy of  UTorrent was infected, uninstalling it would not remove the virus (it had already infected other files).  It turns out Avast has it's own online virus scanner, it is single file scanner, so you can have it scan winlogon.exe directly.  It's http://onlinescan.avast.com.

Here are a few links I use to check for Internet security.

http://www.doxdesk.com/parasite/                (Parasite Detector)
https://www.grc.com/x/ne.dll?bh0bkyd2         (Shields UP! — Internet Vulnerability Profiling)
http://www.grc.com/lt/leaktest.htm               (GRC  LeakTest -- Firewall Leakage Tester)
http://bcheck.scanit.be/bcheck/                    (Browser Security Test)
http://www.hashemian.com/tools/whoami.php  (Whoami - My IP Address, Browser info, DNS Lookup)
Remember, according to Microsoft it's not a flaw, it's a feature.