Topic: I have removed my trojans but.. (Read 13597 times)

jazzen
I have removed my trojans but..
« on: July 18, 2003, 11:44:46 PM »
I had some problems with my ident.

Can't listen on port 113..
I couldn't find out what it was... but a friend told me to check for viruses/trojans..

I found some and removed them (after reading the how-to here, thanks).

But still something is using my port 113, so I can't connect to FTPs etc. that need to use the ident...

What can I do? I'm getting very frustrated here.....

Let's say my ident is "hello" in my ident prog... but when I check it on e.g. mIRC it's random letters, different each time, so something must be wrong?

I would really appreciate some help here, cuz I'm stranded :(

Thanks

j

whocares
« Reply #1 on: July 19, 2003, 05:02:40 PM »
Hi,
what trojans (exact name & version) were found and removed? With which AV program (up to date??)?
Have you checked the corresponding virus info pages and removed/repaired the trojan-related registry/system settings?
Some trojans also drop other trojans/malware..

Try additionally online scans by www.trendmicro.com and/or www.ravantivirus.com (use the IE browser).

What's to be found in your autostart/startup list (check especially RUN entries in the registry and win.ini/system.ini)?
Any suspicious processes in Task Manager?

What Win do you have, anyway?



raman
« Reply #2 on: July 19, 2003, 05:22:12 PM »
Can't listen on port 113..
But still something is using my port 113, so I can't connect to FTPs etc. that need to use the ident...

It depends on what Win you use. You can type "netstat -a" inside a DOS box (without the "") or use TCPView from this site: http://www.sysinternals.com/ntw2k/source/tcpview.shtml
and of course try the tips whocares gave you.

Maybe https://grc.com/x/ne.dll?bh0bkyd2 is interesting, too.
Regards, Ralf
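As an added example (not from the thread), a small Python helper that does what the `netstat -a` / TCPView advice above does by hand: it parses the output of `netstat -a -n -o` (the `-o` switch adds the owning PID on Windows XP) together with `tasklist /fo csv` and reports which process image is bound to a given port, here 113. Both sample outputs and the process name example_owner.exe are constructed for the example.

```python
import csv
import io
import re
from typing import Any, Dict, List, Tuple

# Constructed sample of `netstat -a -n -o` output on Windows XP (not a real capture).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1488
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.0.2:1046       10.0.0.5:6667          ESTABLISHED     1700
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv` output; "example_owner.exe" is a placeholder name.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","216 K"
"svchost.exe","888","Console","0","4,272 K"
"example_owner.exe","1488","Console","0","1,936 K"
"""

NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$")

def parse_netstat(text: str) -> List[Dict[str, Any]]:
    """Turn netstat rows into dicts; header, blank and unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        r: Dict[str, Any] = m.groupdict()
        r["state"] = r["state"] or ""                    # UDP rows carry no State column
        r["port"] = int(r["local"].rpartition(":")[2])  # rpartition also copes with [::]:113
        r["pid"] = int(r["pid"])
        rows.append(r)
    return rows

def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from tasklist CSV output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}

def who_holds_port(netstat_text: str, tasklist_text: str, port: int) -> List[Tuple[str, int, str]]:
    """(proto, pid, image) for each socket bound to `port` that is LISTENING (or any UDP binding)."""
    names = parse_tasklist(tasklist_text)
    return [(r["proto"], r["pid"], names.get(r["pid"], "<unknown>"))
            for r in parse_netstat(netstat_text)
            if r["port"] == port and (r["proto"] == "UDP" or r["state"] == "LISTENING")]
```

On a live machine, feed the real command outputs into `who_holds_port(..., 113)`; an image name that is not your ident program is the process to investigate.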

jazzen
« Reply #3 on: July 19, 2003, 08:00:10 PM »
Thanks for your replies..

I use XP... and now the trojans are back :(

C:\WINDOWS\system32\rundll33.exe\isa.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\WINDOWS\system32\rundll33.exe\isa.exe\rundIl.exe [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\system32\rundll33.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\winnt\system32\isa.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\winnt\system32\isa.exe\rundIl.exe [L] Win32:Trojan-gen. {Other} (0)

and I can't delete them cuz Avast tells me that the zip archives are corrupt.

and my computer seems to run multiple net.exe, net1.exe and cmd.exe processes.

What can I do about this?

This is driving me crazy, so thanks again for any replies that help me resolve this problem!

|j|

raman
« Reply #4 on: July 19, 2003, 08:34:25 PM »
If I never said that I hate the generic naming of Avast, I do it now!

I HATE IT!  ;)

Use this link to identify the malware: http://www.kaspersky.com/remoteviruschk.html
Then we are able to give you more answers, I hope. :)
You can show us your "StartupList" if you want:
download link: http://www.tomcoyote.org/hjt/startuplist.zip .
Download it, start it and copy and paste it in your answer.
Regards, Ralf

jazzen
« Reply #5 on: July 19, 2003, 09:55:13 PM »
Thanks for the help,,
I used www.trendmicro.com... and it came up with totally different stuff than Avast... 4 infected files.. I deleted them and my port 113 is now free again  :) :) :)

Don't know if I got rid of the trojans though.

Here is my startup list:

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\TBPanel.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\Program Files\FlashFXP\FlashFXP.exe
D:\mIRC\mirc.exe
C:\Program Files\Winamp3\winamp3.exe
C:\Program Files\FlashFXP\FlashFXP.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\StartupList.exe

Is there something wrong here?

Thanks

|j|

raman
« Reply #6 on: July 19, 2003, 10:35:45 PM »
Is there something wrong here?

<g> Yes, there are definitely too many programs started! :)

The gmt.exe seems to be adware: http://www.answersthatwork.com/Tasklist_pages/tasklist_g.htm

You may check it with Ad-Aware or Spybot (make a board or Google search for a link).

BTW: Do you really need all these programs to be started with Windows?
Regards, Ralf

jazzen
« Reply #7 on: July 19, 2003, 11:21:15 PM »
I'll try removing the .exe file...

And no, I probably don't need all those to start up with Windows.. but how do I change that?

jazzen
« Reply #8 on: July 20, 2003, 01:24:11 AM »
WTF....
This is very strange.. the crap seems to be back.. can't use port 113 and the ident is changing randomly again.

I really need some help here, I thought it was over, but it wasn't.

What shall I do?

|j|

raman
« Reply #9 on: July 20, 2003, 08:19:35 AM »
I'll try removing the .exe file...
And no, I probably don't need all those to start up with Windows.. but how do I change that?

Please use Spybot ( http://security.kolla.de/ ) or Ad-Aware ( www.lavasoftusa.com ) for this. You can disable the other files by using msconfig.exe for that.
Regards, Ralf

raman
« Reply #10 on: July 20, 2003, 08:31:23 AM »
This is very strange.. the crap seems to be back.. can't use port 113 and I really need some help here, I thought it was over, but it wasn't.

We need a name of that malware. Do you still know it? Or just use the Trend Micro HouseCall again. Maybe you share your drives to the internet and it comes back that way. Or it is in the system recovery folder, but Avast and TM HouseCall should find it there, too.
Regards, Ralf

jazzen
« Reply #11 on: July 20, 2003, 10:48:00 AM »
I really appreciate your help guys.

I've used Spybot and Ad-Aware... and found about 20 files that I deleted.

But still I have the port 113 prob. I use Avast and it will find some trojans again I guess (I'll try later today, have to go now), but if I use that online scanner I get totally different stuff (some .dat files). Are these 2 programs detecting different stuff or is it just the same?

What shall I do now? Run Avast and paste the warnings here?

I have run it now... and the same ones are back. Here is the output:

C:\WINDOWS\system32\rundll33.exe\isa.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\WINDOWS\system32\rundll33.exe\isa.exe\rundIl.exe [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\system32\rundll33.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\winnt\system32\isa.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\winnt\system32\isa.exe\rundIl.exe [L] Win32:Trojan-gen. {Other} (0)


I also got some:
\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm [E] Archive is password protected. (42056)
\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\sbRecovery.ini [E] Archive is password protected. (42056)

(many more)

but I'm not sure if this is any prob. Seems like an action from Spybot. But right now I'm not sure of anything :(

Thanks for answers!

|j|
« Last Edit: July 20, 2003, 11:28:42 AM by jazzen »

raman
« Reply #12 on: July 20, 2003, 11:26:34 AM »
What shall I do now? Run Avast and paste the warnings here?

No, that will not help. It will "only" say found generic.trojan. You can check the files Avast reports as trojan generic by using this link: http://www.kaspersky.com/remoteviruschk.html

Or use the service from Trend Micro again and say what it finds.
We need another name than trojan-generic! :)
Regards, Ralf

jazzen
« Reply #13 on: July 20, 2003, 11:31:43 AM »
Ok.. I'll do that as soon as I come home again.

Thanks!

jazzen
« Reply #14 on: July 20, 2003, 07:53:25 PM »
Now I have run the Trend Micro scanner.

It found 3 infected files and they were:

bat flood.bi
bkrd flood.cd
bat flood.bi

I've deleted those files now, but I did that last time as well..

What shall I do now?