Thread 27176 (Press F1 forum): firewall / trojans / nerdy stuff, started 2002-11-16 00:28:00 by markOS X (494)
Post 98859 | 2002-11-16 00:28:00 | markOS X (494)

I just installed Sygate's Personal Firewall Pro and I am having a problem with an app that is trying to connect to IRC. I think I have some sort of trojan or something (I don't have much experience in this area) which is trying to connect to its base. What I would like to do is track the app back to the originating exe or service and terminate it. The problem being (I think) that it is using spoolsw.exe to do the communication, and I can't track it back any further than that. I am blocking the traffic at the moment, but I'd rather not have any traffic at all. The connection attempts read as follows:

Time: 10:56:29  Action: Blocked  Protocol: TCP  Direction: Outgoing
Destination: us.undernet.org [194.134.5.82]  Destn. Port: 6667
Source IP: 203.96.159.76  Source Port: 3082
Application: C:\WINDOWS\system32\spoolsw.exe
Begin Time: 10:56:07  End Time: 10:56:16

Time: 10:57:40  Action: Blocked  Protocol: TCP  Direction: Outgoing
Destination: us.undernet.org [199.184.165.133]  Destn. Port: 6667
Source IP: 203.96.159.76  Source Port: 3085
Application: C:\WINDOWS\system32\spoolsw.exe
Begin Time 10:57:16  End Time: 10:57:25

This communication is occurring many times a minute, and has been present in my logs since the day I installed the firewall. Can anyone make some suggestions as to what I should be doing? I'm interested in tracing this thing back to its source, but if that doesn't work I may have to do a re-install of Windows. I'm using WinXP Pro if that's of any help.

Cheers, markOS X.
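One way to triage firewall records like the two quoted above, written here as an added example rather than anything from the thread: parse each flattened Sygate record into fields, group blocked outbound attempts by application, and flag two things a defender would look for in this case: repeated connections to IRC port 6667, and an executable whose name is one character off a genuine Windows service binary (the allowlist is an assumption of this example; the real print spooler is spoolsv.exe, not spoolsw.exe).

```python
import re

# The two records quoted in the post above, as exported (one record per line), used as sample input.
SAMPLE_LOG = (
    "Time: 10:56:29 Action: Blocked Protocol: TCP Direction: Outgoing Destination: us.undernet.org "
    "[194.134.5.82] Destn. Port: 6667 Source IP: 203.96.159.76 Source Port: 3082 "
    "Application: C:\\WINDOWS\\system32\\spoolsw.exe Begin Time: 10:56:07 End Time: 10:56:16\n"
    "Time: 10:57:40 Action: Blocked Protocol: TCP Direction: Outgoing Destination: us.undernet.org "
    "[199.184.165.133] Destn. Port: 6667 Source IP: 203.96.159.76 Source Port: 3085 "
    "Application: C:\\WINDOWS\\system32\\spoolsw.exe Begin Time 10:57:16 End Time: 10:57:25\n"
)
FIELDS = ["Time", "Action", "Protocol", "Direction", "Destination", "Destn. Port",
          "Source IP", "Source Port", "Application", "Begin Time", "End Time"]
# Field names delimit the values; the colon is optional because the second record drops it.
KEY_RE = re.compile(r"\s*(" + "|".join(re.escape(f) for f in FIELDS) + r"):?\s*")
# Assumed allowlist of genuine Windows service binaries; the real print spooler is spoolsv.exe.
WELL_KNOWN = {"spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def parse_record(line):
    parts = KEY_RE.split(line.strip())            # ['', key, value, key, value, ...]
    return dict(zip(parts[1::2], parts[2::2]))


def one_edit_apart(a, b):
    """True if a and b differ by exactly one substituted, inserted or deleted character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def triage(log_text):
    """Group blocked outbound records by application and note why each looks suspect."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("Direction") != "Outgoing" or rec.get("Action") != "Blocked":
            continue
        app = rec["Application"]
        e = report.setdefault(app, {"attempts": 0, "destinations": set(), "reasons": set()})
        e["attempts"] += 1
        e["destinations"].add(rec["Destination"])
        if rec["Destn. Port"] == "6667":            # IRC: the "base" the post describes
            e["reasons"].add("outbound connections to IRC port 6667")
        name = app.rsplit("\\", 1)[-1].lower()
        for known in WELL_KNOWN:
            if one_edit_apart(name, known):         # lookalike of a system binary name
                e["reasons"].add("name is one character off the real " + known)
    return report
```

Running `triage(SAMPLE_LOG)` on the quoted records yields a single entry for spoolsw.exe with two attempts, two undernet.org destinations and both reasons set.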
Post 98860 | 2002-11-16 03:14:00 | raddersnz (684)

Try downloading this Ad-Aware (www.lavasoftusa.com/) tool. It can detect spyware and things that go bump in the night. If you do a registry check with it, you will likely find some troubling things. You can use this tool to remove them (I think).

rads:)
Post 98861 | 2002-11-16 03:41:00 | raddersnz (684)

Are you using XP? If so, make sure the ability to see hidden files is activated. Go to Control Panel, select Appearance and Themes. Now pick Folder Options and go to the View tab. Find the Hidden Files and Folders section, and tick the Show Hidden Files and Folders radio button. Now you will be able to see the C:\WINDOWS\system32\spoolsw.exe folder and file. You might get a better understanding of the application that is trying to use resources from this. Please let us know what you find. :)

rads:)
Post 98862 | 2002-11-16 04:06:00 | markOS X (494)

OK, will do. Thanks for your quick replies.

markOS X
Post 98863 | 2002-11-16 22:00:00 | Greg S (201)

Hi. The following can help determine if you've got something to worry about:

There's a possibility that your computer has been infected with a RAT server (remote access trojan), which can be described as a form of virus that gives access, and sometimes full control, of your computer to someone else while connected to a network such as the Internet. Some of the most common in recent years have been Netbus, Back Orifice and SubSeven.

The first step in determining whether you're infected or not is to use a completely updated Anti-Virus scan. Most, but not all, RATs will be detected. However, as RATs masquerade as legitimate programmes, similar to other remote-access applications such as PC Anywhere, your AV may not find it.

If you're running Windows 9.x (incl. ME) there are a couple of other checks you can make, which are 99% sure of detecting the intrusion (not sure if it'll be the same in XP):

Go Start | Run | type in "regedit" without the quotes | OK | and browse to the following keys: My Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices, \Run and Runload (screenshot: www.mentalfloss.co.nz). In the right-hand pane will be shown the applications that run when you start up. If there is an entry that you don't recognise, it may well be the culprit. Don't delete anything here without backing up your registry! Removal isn't simply a case of deleting the entry anyway - a search of your computer for the file shown may (or may not) find other instances of the offender. Generally a search of the better anti-virus sites will come up with accurate removal steps. Or there are purpose-built programmes for cleaning up.

An alternative and somewhat easier check is to find out if your computer is trying to connect to a remote client. This can be done via DOS: Close all applications and ensure you're disconnected from the Net. Make sure that Rnaap is not running by going Ctrl-Alt-Del and ending the task. Go Start | Programs | MS-DOS Prompt | type in "netstat -an" without the quotes | Enter. (To get to the DOS prompt in XP and ME go Start | Run | type "command" w/out the quotes.) (screenshot: www.mentalfloss.co.nz)

This will show if any connections are trying to be made - you shouldn't have anything showing at all under the headings. If there is something that is attempting a connection, suspect it, and again go on the Net to find appropriate removal instructions/tools. A check to see what form of RAT you have is to see what port it is trying to connect through (which will be the last 3-5 numbers under Local Address). Go to the excellent Simovits Consulting site and compare your port number with those used by known trojans - just keep in mind that this isn't conclusive, as modern trojan writers can have them connect through any random port number that's not in use.
Post 98864 | 2002-11-20 09:04:00 | markOS X (494)

Tried various methods mentioned here, and other stuff I could find on the net. I ended up renaming spoolsw.exe to spoolsw.exe.old. This stopped the communication attempts, but I don't know if it was a valid WinXP app (it lived in the directory C:\Windows\System32\). Ended up doing a full format and re-install, as it was long overdue anyway. A rather brute-force way to solve the problem, as I would have preferred to trace it back and find out more about it - but this was not to be.

Thanks for your help, markOS X