Solved

Trojan, Spyware ,Rootkit or just a virus?

Posted on 2006-11-29
4
377 Views
Last Modified: 2013-12-04
I have a rogue Windows XP SP2 machine.
Since 25 November I see the following behaviour of this machine, according to the Juniper firewall logs.

Once the machine is started up with a timeframe of 10 minutes it tries to make contact to
193.238.38.225 port 35618 and tries to do so every 10 minutes.
(According to ZoneAlarm which we installed later it tries to connect to 207.46.211.122:DNS (53) )
So somehow this "thing" can circumvent this.


After that we see that the machine is trying to send email to some random IP addresses.

Here is what we did.

1. We did a sfc /scannow to check the system files of windows xp.
2. Ran a complete virusscan of the machine with Kaspersky AntiVirus and AVG.
3. Did a full scan with Spybot Search & Destroy, Adware, Remover from G-Data.
4. Performed rootkit detection with Sysinternal Rootkit Detector, F-Secure Backlight.
5. Checked the %systemfolder%\system32\driver\etc\ files for any strange things but it is all default.

But no-one sees it.

Has anyone some good suggestions on how to proceed without suggesting reinstalling because I want to know what this is.
0
Comment
Question by:trenes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 11

Assisted Solution

by:Kruno Džoić
Kruno Džoić earned 100 total points
ID: 18037687
0
 
LVL 11

Expert Comment

by:Kruno Džoić
ID: 18037702
0
 
LVL 12

Accepted Solution

by:
Phil_Agcaoili earned 300 total points
ID: 18043567
As of 31/10/2006 193.238.38.225 is www.ultra-search.biz 

Sometimes the firewall logs lose track of state.
Have you looked to see if there are any source logs from 193.238.38.225?
If so, what port does it say is associated as the source port? TCP/80?

ultra-search.biz is a search engine site, but from what I've seen it's used only by spyware.


Have you tried using a tool like fport? fport reports all open TCP/IP and UDP ports and maps them to the owning application.
http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm

Even if you cannot isolate what malware is loaded on your system, you can determine when and what application is talking to 193.238.38.225.

I also suggest trying other antispyware tools such as Windows Defender, Spy Sweeper, etc. since Spybot alone cannot detect all spyware.
0
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 100 total points
ID: 18044004
Can we look at a hijackthis log? it might show something.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then upload the logs to any hosting sites,
or go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.


Also try this scanner, it's very good.
Download and install Superantispyware
http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
Load Superantispyware and click the "check for updates" button.
Once the update is finished, close SuperAntispyware again, we'll perform the scan later in safe mode

* Start Superantispyware.
Click the "scan your computer" button.
Check "Perform Complete Scan" and then next.
Superantispyware will now scan your computer and when its finished it will list all the infections it has

found.
Make sure that they all have a check next to them and press next.
Click finish and you will be taken back to the main interface.
Click "Preferences" and then click the "statistics/logs" tab. Click the dated log and press view log and a

text file will appear.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question