A Windows XP help forum. PCbanter



Unknown svchost.exe DNS port 53 network activity



 
 
  #16  
Old December 22nd 06, 07:35 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Unknown svchost.exe DNS port 53 network activity

From: "Gabriele Neukam"

| On this special day, David H. Lipman wrote :
|
If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.

|
| You should replace the six with a nine or ten.
|
| http://sunsolve.sun.com/search/docum...=1-26-102729-1
| http://sunsolve.sun.com/search/docum...=1-26-102731-1
| http://sunsolve.sun.com/search/docum...=1-26-102732-1
|
| are the newest alerts by Sun.
|
| Gabriele Neukam
|
|
|

I'm sorry Gabriele but Sun is f'd up and confusing.

v6 is the latest and, based upon ALL the problems with Sun not being forthcoming with
vulnerability statements, v6 is the suggested version. It is a complete re-write.

In the middle of the following page...
"Java Runtime Environment (JRE) 6"
http://java.sun.com/javase/downloads/index.jsp

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #17  
Old December 22nd 06, 08:08 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,microsoft.public.security
No_Name
external usenet poster
 
Posts: 58
Default Unknown svchost.exe DNS port 53 network activity

Tom Willett wrote:
The most current version of JRE is now 6.0


Here is a very good free online scan from world leaders in security.
It will let you know what needs securing (updating) & what needs
removing (security risk).
Secunia Software Inspector
http://secunia.com/software_inspector

  #18  
Old December 22nd 06, 09:25 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,microsoft.public.security
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Unknown svchost.exe DNS port 53 network activity

From:

|
| Here is a very good free online scan from world leaders in security.
| It will let you know what needs securing (updating) & what needs
| removing (security risk).
| Secunia Software Inspector
| http://secunia.com/software_inspector

It is very good and it is highly suggested.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #19  
Old December 22nd 06, 11:05 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Raffi
external usenet poster
 
Posts: 13
Default Unknown svchost.exe DNS port 53 network activity

David H. Lipman wrote:
From: "Gabriele Neukam"

| On this special day, David H. Lipman wrote :
|
If you are using any version of Sun Java that is prior to JRE Version 6.0,
then you are strongly urged to remove any/all versions.

|
| You should replace the six with a nine or ten.
|
| http://sunsolve.sun.com/search/docum...=1-26-102729-1
| http://sunsolve.sun.com/search/docum...=1-26-102731-1
| http://sunsolve.sun.com/search/docum...=1-26-102732-1
|
| are the newest alerts by Sun.
|
| Gabriele Neukam
|
|
|

I'm sorry Gabriele but Sun is f'd up and confusing.

v6 is the latest and, based upon ALL the problems with Sun not being forthcoming with
vulnerability statements, v6 is the suggested version. It is a complete re-write.

In the middle of the following page...
"Java Runtime Environment (JRE) 6"
http://java.sun.com/javase/downloads/index.jsp

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


I did have older versions of JRE, J2SE and J2ME SDK and uninstalled
them as well as deleting all related folders. The problem is still
there.

As I mentioned before, I have run a few antivirus and antispyware
programs both in normal and safe mode and they haven't identified any
issues. Of course all software was properly updated before running.

At this point I'm starting to consider reinstalling Windows XP.

Raffi

  #20  
Old December 22nd 06, 11:17 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Unknown svchost.exe DNS port 53 network activity

From: "Raffi"

|
| I did have older versions of JRE, J2SE and J2ME SDK and uninstalled
| them as well as deleting all related folders. The problem is still
| there.
|
| As I mentioned before, I have run a few antivirus and antispyware
| programs both in normal and safe mode and they haven't identified any
| issues. Of course all software was properly updated before running.
|
| At this point I'm starting to consider reinstalling Windows XP.
|
| Raffi

Replacing Sun Java was NOT part of the solution for you.

Since there are so many vulnerabilities in older versions, upgrading and replacing them with
the latest version will help mitigate malware which may exploit those vulnerabilities and
help prevent future problems.

Please run the anti-malware scans and software I suggested.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #21  
Old December 23rd 06, 12:42 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Raffi
external usenet poster
 
Posts: 13
Default Unknown svchost.exe DNS port 53 network activity


David H. Lipman wrote:
From: "Raffi"

|
| I did have older versions of JRE, J2SE and J2ME SDK and uninstalled
| them as well as deleting all related folders. The problem is still
| there.
|
| As I mentioned before, I have run a few antivirus and antispyware
| programs both in normal and safe mode and they haven't identified any
| issues. Of course all software was properly updated before running.
|
| At this point I'm starting to consider reinstalling Windows XP.
|
| Raffi

Replacing Sun Java was NOT part of the solution for you.

Since there are so many vulnerabilities in older versions, upgrading and replacing them with
the latest version will help mitigate malware which may exploit those vulnerabilities and
help prevent future problems.

Please run the anti-malware scans and software I suggested.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


I'll run all the scans you suggested later today and post the results.

Raffi

  #22  
Old December 24th 06, 09:59 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Raffi
external usenet poster
 
Posts: 13
Default Unknown svchost.exe DNS port 53 network activity


Raffi wrote:
David H. Lipman wrote:
From: "Raffi"

|
| I did have older versions of JRE, J2SE and J2ME SDK and uninstalled
| them as well as deleting all related folders. The problem is still
| there.
|
| As I mentioned before, I have run a few antivirus and antispyware
| programs both in normal and safe mode and they haven't identified any
| issues. Of course all software was properly updated before running.
|
| At this point I'm starting to consider reinstalling Windows XP.
|
| Raffi

Replacing Sun Java was NOT part of the solution for you.

Since there are so many vulnerabilities in older versions, upgrading and replacing them with
the latest version will help mitigate malware which may exploit those vulnerabilities and
help prevent future problems.

Please run the anti-malware scans and software I suggested.
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


I'll run all the scans you suggested later today and post the results.

Raffi


OK, I downloaded and ran all the software. While Ad-Aware was running I
got a warning from AntiVir that it had found a virus called
Run_it_xxx.exe. I deleted it. Other than that, they came up with a few
minor viruses on some files that have been on my PC forever. I
quarantined them. I also made sure I have all the Windows security
updates, and I do except for a RAID driver. I also upgraded to IE 7
just to be sure. The problem still persists.

I installed a program called Prevx1 which seems to be a nice program.
It tells you when an application starts ends etc. Every time I
disconnect and reconnect the network connection, it tells me that a
program called MOBSYNC.EXE has started. I'm not sure if this is
related.

Also, the network connection seems to be active only at certain times
and inactive otherwise. When it's active it goes like crazy. I'm
suspicious that the PC is being used for DOS attacks or SPAM etc.

I'm still at a loss and any help will be appreciated. The only way I
can fight this is by unplugging the network connection.

Also, I recently configured reverse DNS lookup for my static IP address
through my ISP. Can this be related to the network activity?

Raffi

  #23  
Old December 24th 06, 02:05 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Unknown svchost.exe DNS port 53 network activity

From: "Raffi"


|
| OK, I downloaded and ran all the software. While Ad-Aware was running I
| got a warning from AntiVir that it had found a virus called
| Run_it_xxx.exe. I deleted it. Other than that, they came up with a few
| minor viruses on some files that have been on my PC forever. I
| quarantined them. I also made sure I have all the Windows security
| updates, and I do except for a RAID driver. I also upgraded to IE 7
| just to be sure. The problem still persists.
|
| I installed a program called Prevx1 which seems to be a nice program.
| It tells you when an application starts ends etc. Every time I
| disconnect and reconnect the network connection, it tells me that a
| program called MOBSYNC.EXE has started. I'm not sure if this is
| related.
|
| Also, the network connection seems to be active only at certain times
| and inactive otherwise. When it's active it goes like crazy. I'm
| suspicious that the PC is being used for DOS attacks or SPAM etc.
|
| I'm still at a loss and any help will be appreciated. The only way I
| can fight this is by unplugging the network connection.
|
| Also, I recently configured reverse DNS lookup for my static IP address
| through my ISP. Can this be related to the network activity?
|
| Raffi

MOBSYNC.EXE is most likely legit and OK.

This may have to do with the RDNS service.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #24  
Old December 26th 06, 09:26 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Raffi
external usenet poster
 
Posts: 13
Default Unknown svchost.exe DNS port 53 network activity


David H. Lipman wrote:
From: "Raffi"


|
| OK, I downloaded and ran all the software. While Ad-Aware was running I
| got a warning from AntiVir that it had found a virus called
| Run_it_xxx.exe. I deleted it. Other than that, they came up with a few
| minor viruses on some files that have been on my PC forever. I
| quarantined them. I also made sure I have all the Windows security
| updates, and I do except for a RAID driver. I also upgraded to IE 7
| just to be sure. The problem still persists.
|
| I installed a program called Prevx1 which seems to be a nice program.
| It tells you when an application starts ends etc. Every time I
| disconnect and reconnect the network connection, it tells me that a
| program called MOBSYNC.EXE has started. I'm not sure if this is
| related.
|
| Also, the network connection seems to be active only at certain times
| and inactive otherwise. When it's active it goes like crazy. I'm
| suspicious that the PC is being used for DOS attacks or SPAM etc.
|
| I'm still at a loss and any help will be appreciated. The only way I
| can fight this is by unplugging the network connection.
|
| Also, I recently configured reverse DNS lookup for my static IP address
| through my ISP. Can this be related to the network activity?
|
| Raffi

MOBSYNC.EXE is most likely legit and OK.

This may have to do with the RDNS service.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


I had some time to do packet analysis using Ethereal and most of the
connections were DNS queries and SMTP connections.

I went ahead and blocked all traffic from the PC to the ISP DNS servers
in my firewall (Comodo). The DNS server for my PC is statically defined
as the gateway router. Since the ISP DNS was no longer accessible it
rerouted the DNS queries (and/or query responses) to the gateway
router. These were a bunch of MX queries for mostly .ru domains.

Next I blocked all inbound and outbound UDP connections for svchost.exe
and services.exe. This stopped most of the traffic. After a while I
started seeing traffic to a couple of specific IP addresses
(208.66.195.78 and 62.189.194.215) which don't resolve to anything with
nslookup. I blocked these IP addresses in the firewall as well. Next
the PC started sending out a bunch of broadcasts (.255). So I blocked
outbound broadcast connections.

Next it started sending broadcast to 0.255 using the ZIP (Zone
Information Protocol) protocol. I don't think I've seen this one
before. I haven't been able to block these yet.

My guess is the PC is somehow being used as a DNS/SMTP relay. Another
guess is my svchost.exe and/or services.exe have been compromised.

As usual, any help in getting to the bottom of this would be welcome.

Raffi

  #25  
Old December 26th 06, 09:36 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
David H. Lipman
external usenet poster
 
Posts: 4,185
Default Unknown svchost.exe DNS port 53 network activity

From: "Raffi"



| I had some time to do packet analysis using Ethereal and most of the
| connections were DNS queries and SMTP connections.

| I went ahead and blocked all traffic from the PC to the ISP DNS servers
| in my firewall (Comodo). The DNS server for my PC is statically defined
| as the gateway router. Since the ISP DNS was no longer accessible it
| rerouted the DNS queries (and/or query responses) to the gateway
| router. These were a bunch of MX queries for mostly .ru domains.

| Next I blocked all inbound and outbound UDP connections for svchost.exe
| and services.exe. This stopped most of the traffic. After a while I
| started seeing traffic to a couple of specific IP addresses
| (208.66.195.78 and 62.189.194.215) which don't resolve to anything with
| nslookup. I blocked these IP addresses in the firewall as well. Next
| the PC started sending out a bunch of broadcasts (.255). So I blocked
| outbound broadcast connections.

| Next it started sending broadcast to 0.255 using the ZIP (Zone
| Information Protocol) protocol. I don't think I've seen this one
| before. I haven't been able to block these yet.

| My guess is the PC is somehow being used as a DNS/SMTP relay. Another
| guess is my svchost.exe and/or services.exe have been compromised.

| As usual, any help in getting to the bottom of this would be welcome.

| Raffi

http://www.dnsstuff.com/tools/whois....whois.arin.net

http://www.dnsstuff.com/tools/whois....4.215&email=on


This is suspicious.

You may have to back up the PC, wipe it and then reinstall the OS from scratch if all the
scans have come up negative.

The only other option is to use anti RootKit software such as Gmer and BlackLight to find
the malware. Otherwise, wipe the system.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


  #26  
Old December 26th 06, 11:11 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Grzegorz Wiktorowski
external usenet poster
 
Posts: 2
Default Unknown svchost.exe DNS port 53 network activity


The only other option is to use anti RootKit software such as Gmer and BlackLight to find
the malware. Otherwise, wipe the system.


Try Sysinternals RootkitRevealer. I also suggest visiting the Sysinternals
Malware forum at:

http://forum.sysinternals.com/forum_topics.asp?FID=18

--
Grzegorz Wiktorowski



  #27  
Old December 27th 06, 05:49 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
William
external usenet poster
 
Posts: 7
Default Unknown svchost.exe DNS port 53 network activity

On 12/21/2006 9:49 AM, something possessed Alun Jones to write:
"Raffi" wrote in message
ups.com...
David H. Lipman wrote:
From: "Raffi"

|
| Thanks for the reply. Removing the P2P software and clearing the
| \etc\hosts file did not correct the issue after all. I just logged in
| with the administrator account and the network activity is no longer
| there. This seems to be happening only when I log into my personal
| account. During my last login, SERVICES.EXE was making the connections
| rather than SVCHOST.EXE. Is there a way to determine if these files
| have been tampered with?
|
| I'll try to get more information from netstat etc.
|
| Raffi

Yes. Download and use Process Explorer
http://www.microsoft.com/technet/sys...sExplorer.mspx

And look at not only the file name SERVICES.EXE but the fully qualified
name and path.

SERVICES.EXE and SVCHOST.EXE should ONLY be executed from the folder:
%windir%\system32
If they are executed from any other location it is a sure sign of
malware.

Also, there are DLLs that can be loaded and use SERVICES.EXE and
SVCHOST.EXE such that the legitimate SERVICES.EXE and/or SVCHOST.EXE
are being loaded and used but are loading malicious DLL files.

You can also run MSCONFIG.EXE and compare what is loaded as administrator
vs. what is loaded in your everyday account. You indicated the activity
stopped when you logged on as admin, thus what may be loaded to cause
the activity is being loaded by that personal account.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Dave,

Thanks for all the help and suggestions. I took the easy way out this
time. I created a new user and transferred all important files
(documents etc) to the new user. Then I deleted the original account.
This fixed the issue.

My guess is that this was some sort of malware. I did download process
explorer for future use. Sorry I couldn't chase this any longer but
this is my main workstation and I have a lot of work to do which had
been on hold while I was chasing this.


Since the problem is "fixed" by running under a different user, that really
strongly points the finger at malware.

Agrees with you here

However, I would definitely recommend that you not view this as being
"fixed".

It isn't.

It could be, but a more thorough checkup is in order.

You still have that malware, and the "work" that you do on it is now exposed
to the author of that malware, and anyone he chooses to share it with.

Your most reliable bet would be to "flatten" the machine - take your work
off to a backup device, reinstall the OS and your applications, and restore
your work.

Yes, that is the only way to entirely be sure that you're using a clean
machine. However, that probably isn't necessary. I would recommend
using David Lipman's multi-AV scan either in Safe Mode as administrator
(so that you'll have access to all files) or using BartPE (if these AV
proggies can be incorporated into a BartPE disc).

And don't be running P2P applications on your work machine.

Depends on which P2P and what it's used for.

P2P "file-sharing" is a great way to pick up malware, because you're downloading
and then executing untrusted data and applications from unknown and
untrusted third parties.

Not necessarily. If you're just using it to illegally download music
and videos (not program executables), and you're careful about how you
play these (I wouldn't rely on Windows to launch them, for example, but
load them in Winamp, and don't let Winamp connect to the Internet), then
you're more or less safe. Also, more than likely, the P2P proggie you
used had its own malware (like Navaccel or something like that).
Finally, some P2P proggies (such as Bittorrent) can be used safely (like
for downloading Linux distros), since even though you're downloading
from other computers, the tracker is administered by the Linux
Distribution and, to my knowledge, it's not possible yet to alter a file
or set of files once the tracker has already been posted without posting
a new torrent tracker.
Is it any wonder you got infected? Unless you
remove the infection, and stop doing the things that got you infected,
you'll stay infected, and you'll get infected again with the next thing that
comes along. Eventually, your "work" will be spread around the world for
everyone to enjoy. I don't think you want that.

Alun.
~~~~


  #28  
Old December 27th 06, 06:21 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Raffi
external usenet poster
 
Posts: 13
Default Unknown svchost.exe DNS port 53 network activity

David H. Lipman wrote:
From: "Raffi"



| I had some time to do packet analysis using Ethereal and most of the
| connections were DNS queries and SMTP connections.

| I went ahead and blocked all traffic from the PC to the ISP DNS servers
| in my firewall (Comodo). The DNS server for my PC is statically defined
| as the gateway router. Since the ISP DNS was no longer accessible it
| rerouted the DNS queries (and/or query responses) to the gateway
| router. These were a bunch of MX queries for mostly .ru domains.

| Next I blocked all inbound and outbound UDP connections for svchost.exe
| and services.exe. This stopped most of the traffic. After a while I
| started seeing traffic to a couple of specific IP addresses
| (208.66.195.78 and 62.189.194.215) which don't resolve to anything with
| nslookup. I blocked these IP addresses in the firewall as well. Next
| the PC started sending out a bunch of broadcasts (.255). So I blocked
| outbound broadcast connections.

| Next it started sending broadcast to 0.255 using the ZIP (Zone
| Information Protocol) protocol. I don't think I've seen this one
| before. I haven't been able to block these yet.

| My guess is the PC is somehow being used as a DNS/SMTP relay. Another
| guess is my svchost.exe and/or services.exe have been compromised.

| As usual, any help in getting to the bottom of this would be welcome.

| Raffi

http://www.dnsstuff.com/tools/whois....whois.arin.net

http://www.dnsstuff.com/tools/whois....4.215&email=on


This is suspicious.

You may have to back up the PC, wipe it and then reinstall the OS from scratch if all the
scans have come up negative.

The only other option is to use anti RootKit software such as Gmer and BlackLight to find
the malware. Otherwise, wipe the system.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Update - I had tried a couple of rootkit detection software without
success and had given up. But gmer finally found it. Turns out it is a
rootkit. It's called Backdoor.Rustock.B. It uses the following hidden
data stream c:\windows\system32:lzx32.sys (c:\windows\system32:18467).
This Symantec website has more information:
http://www.symantec.com/security_res...305-99&tabid=3

The symptoms for the rootkit are similar to what I'm experiencing. From
what I've read so far it might be tricky to get rid of. It seems to be
active in safe mode as well. I'll be searching for a way to get rid of
it. If there are any ideas out there, please let me know.

Thanks for all the help.
Raffi
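
Three of the checks the thread arrives at, Dave's rule that SERVICES.EXE and SVCHOST.EXE must run only from %windir%\system32 and that the two accounts' logon items should be compared (quoted in #27), and the hidden data stream under System32 that gmer found (#28), as an added PowerShell example that is not code from any poster here. It assumes a Windows version with PowerShell 3.0 or newer (for the -Stream parameter) and an elevated prompt so that process paths and other users' registry hives are readable; the function names are my own.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0+ and an elevated prompt.
$System32 = Join-Path $env:windir 'System32'

# 1. services.exe / svchost.exe must run from %windir%\System32.
#    Any instance with a different image path is reported as suspicious.
function Test-CoreServicePaths {
    $expected = $System32.TrimEnd('\').ToLowerInvariant()
    Get-CimInstance -ClassName Win32_Process -Filter "Name='services.exe' OR Name='svchost.exe'" |
        ForEach-Object {
            $path = $_.ExecutablePath
            $verdict = if (-not $path) {
                'path unavailable (run elevated)'
            } elseif ((Split-Path $path -Parent).TrimEnd('\').ToLowerInvariant() -eq $expected) {
                'OK'
            } else {
                'SUSPICIOUS: not in System32'
            }
            [pscustomobject]@{ PID = $_.ProcessId; Name = $_.Name; Path = $path; Verdict = $verdict }
        }
}

# 2. Alternate data streams on the System32 directory itself and on the files in it.
#    The rootkit in this thread hid its driver as a stream of the directory
#    (c:\windows\system32:lzx32.sys), so the directory is checked explicitly.
#    ':$DATA' is the ordinary unnamed stream and is filtered out.
function Get-System32Streams {
    $targets = @(Get-Item -LiteralPath $System32) +
               @(Get-ChildItem -LiteralPath $System32 -File -Force -ErrorAction SilentlyContinue)
    foreach ($item in $targets) {
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

# 3. Per-user Run entries. The activity only appeared under one account, so list
#    what every loaded user hive (HKEY_USERS\S-1-5-21-...) starts at logon and
#    compare the accounts side by side.
function Get-PerUserRunEntries {
    $runSubKey = 'Software\Microsoft\Windows\CurrentVersion\Run'
    $hives = Get-ChildItem -Path Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $hives) {
        $sid = $hive.PSChildName
        $account = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }   # unresolvable SID: fall back to the raw value
        $props = Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\$runSubKey" -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }   # hive not loaded or no Run key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Account = $account; Entry = $p.Name; Command = $p.Value }
        }
    }
}

Test-CoreServicePaths | Format-Table -AutoSize
Get-System32Streams   | Format-Table -AutoSize
Get-PerUserRunEntries | Format-Table -AutoSize
```

A kernel rootkit that is active can hide processes, streams and registry keys from exactly these APIs, so a clean result on the live system is not proof of anything. The stream check is most trustworthy run against the disk from boot media such as the BartPE CD mentioned later in the thread.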

  #29  
Old December 27th 06, 06:30 AM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
William
external usenet poster
 
Posts: 7
Default Unknown svchost.exe DNS port 53 network activity

On 12/26/2006 10:21 PM, something possessed Raffi to write:
David H. Lipman wrote:
From: "Raffi"



| I had some time to do packet analysis using Ethereal and most of the
| connections were DNS queries and SMTP connections.

| I went ahead and blocked all traffic from the PC to the ISP DNS servers
| in my firewall (Comodo). The DNS server for my PC is statically defined
| as the gateway router. Since the ISP DNS was no longer accessible it
| rerouted the DNS queries (and/or query responses) to the gateway
| router. These were a bunch of MX queries for mostly .ru domains.

| Next I blocked all inbound and outbound UDP connections for svchost.exe
| and services.exe. This stopped most of the traffic. After a while I
| started seeing traffic to a couple of specific IP addresses
| (208.66.195.78 and 62.189.194.215) which don't resolve to anything with
| nslookup. I blocked these IP addresses in the firewall as well. Next
| the PC started sending out a bunch of broadcasts (.255). So I blocked
| outbound broadcast connections.

| Next it started sending broadcast to 0.255 using the ZIP (Zone
| Information Protocol) protocol. I don't think I've seen this one
| before. I haven't been able to block these yet.

| My guess is the PC is somehow being used as a DNS/SMTP relay. Another
| guess is my svchost.exe and/or services.exe have been compromised.

| As usual, any help in getting to the bottom of this would be welcome.

| Raffi

http://www.dnsstuff.com/tools/whois....whois.arin.net

http://www.dnsstuff.com/tools/whois....4.215&email=on


This is suspicious.

You may have to back up the PC, wipe it and then reinstall the OS from scratch if all the
scans have come up negative.

The only other option is to use anti RootKit software such as Gmer and BlackLight to find
the malware. Otherwise, wipe the system.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


Update - I had tried a couple of rootkit detection software without
success and had given up. But gmer finally found it. Turns out it is a
rootkit. It's called Backdoor.Rustock.B. It uses the following hidden
data stream c:\windows\system32:lzx32.sys (c:\windows\system32:18467).
This Symantec website has more information:
http://www.symantec.com/security_res...305-99&tabid=3

The symptoms for the rootkit are similar to what I'm experiencing. From
what I've read so far it might be tricky to get rid of. It seems to be
active in safe mode as well. I'll be searching for a way to get rid of
it. If there are any ideas out there, please let me know.

Thanks for all the help.
Raffi

First, stay off the network with your infected PC. Secondly, get
PEBuilder and create a BartPE LiveCD. Use this to edit your
registry.hiv file in order to remove the rootkit (I haven't done the
research because my blood sugar is getting low, so you'll need to do the
research to figure out what registry keys in registry.hiv should be
deleted, or maybe someone else here will be nice enough to post those
for you). Good luck.

Cheers,

Will
  #30  
Old December 28th 06, 06:10 PM posted to microsoft.public.security.virus,microsoft.public.windowsxp.security_admin,alt.privacy.spyware,microsoft.public.security
Alun Jones
external usenet poster
 
Posts: 7
Default Unknown svchost.exe DNS port 53 network activity

"William" wrote in message
t...
Not necessarily. If you're just using it to illegally download music and
videos (not program executables), and you're careful about how you play
these (I wouldn't rely on Windows to launch them, for example, but load
them in Winamp, and don't let Winamp connect to the Internet), then you're
more or less safe.


Right, because Winamp has never had any vulnerabilities that can be
exploited by badly formatted data.

Oh. No, wait, actually it has. Several times.

This is why the trend lately is to attack applications, rather than
operating systems - the operating system vendors are getting much better at
tracking and fixing problems, but many application vendors still have their
heads in the sand - and so do many users, to judge from the reactions I get
whenever I suggest that data - music, video, etc - might carry trojans.

In the abstract sense, there is no dividing line between code and data -
data tells code where to go, and so acts as pseudo-code, in many cases.

Also, more than likely, the P2P proggie you used had its own malware (like
Navaccel or something like that).


Don't make the mistake of assuming that I'm talking about my own experiences
with P2P - I've simply seen too many machines infected where the source of
infection is traced to an overactive P2P exchanger.

Finally, some P2P proggies (such as Bittorrent) can be used safely (like
for downloading Linux distros), since even though you're downloading from
other computers, the tracker is administered by the Linux Distribution
and, to my knowledge, it's not possible yet to alter a file or set of
files once the tracker has already been posted without posting a new
torrent tracker.


I'm glad you put me at ease there - after all, the main Linux distros have
never been altered maliciously by hackers.

Oh, wait, they have, haven't they.
http://www.linuxinsider.com/story/32240.html

Cleaning a virus or trojan infection is only going to be effective if you
can plug whatever hole they got in through - whether it's a hole in your
behaviour, or in your apps, or in your OS. Even flattening and restoring
just means that the attacker gets another chance to try the same thing at
you, but this time on a system that's less cluttered with the debris of
other previous attacks.

Alun.
~~~~


 



