If I had any hair...

pxl8

...it'd all be grey by now!

I've just spent the best part of the last 36 hours playing hunt the trojan on my PC. The only clue it was there was the constant stream of activity on the router. I tried Norton and Panda AV, various spyware/adware apps, the works. None of them found a thing and still the network activity was going crazy.

I think I've finally found the little rascal and got rid of it; it was an ActiveX plugin for IE6. No idea where it came from as I use Firefox and I've not downloaded or installed anything for a while. Still, it's gone now; the only thing left to sort out is what happened when I bought an upgrade for Norton 2007 and the Symantec website died after I confirmed the purchase (on a different machine I might add). Dunno if I've been charged or not but I've not received any email about it... I hate computers I does :bonk: :bang: :bonk:
 
Spoke too soon.. it's back...

Anyone know of an app that will monitor network traffic and identify the process that is generating it? I've tried all the Sysinternals stuff but that's not seeing the traffic :(
 
My company uses HijackThis as a first tool - free to download and run - as well as looking for browser hijacks it can create lists of startup entries in the registry. Might be worth a go....

Google for it, it's on many download sites.
 
Not sure what your current firewall setup is. I presume it's your router, but software firewalls tend to alert you to processes that are trying to access the net other than the usual expected apps. This way you can maybe identify which exes are infected.

There are trojan-specific detectors/removers that come as shareware, such as this one I have used before.
http://www.simplysup.com/
At worst it may tell you the exact name of the trojan which is the first step to getting rid of it. At best it may do it for you.

Trojans can be a pain in the ar&e to remove as they infect multiple files so that if you get rid of one the other becomes aware and either infects another or re-infects the one you cleaned, and vice versa. Not many virus checkers can detect them and if they can, not many successfully remove them. If you know the exact name of the trojan the best way to remove it will be by following a manual process you will most likely find by googling the name of the virus.

What makes you think it's a trojan? Adware/spyware cause excessive network activity according to how embedded they have become. Not all spyware/adware detection and removal tools may spot it if it's a new one and, like trojans, some can be a real pain to get rid of for the same reasons. Again the best way to remove them is by finding the exact name and finding a manual process of removal on the net.


Load up "msconfig" from the run prompt and click on the Startup tab. This is a list of programs that start up from the registry. Have a look through them, you may be able to identify the culprit from there. If you think you have, untick it from the startup then open Task Manager and try and find it in the process list and kill it. Then try and delete the file from its location. Be careful! If you are not sure you may be deleting a genuine app or part of Windows, so unless you are confident don't delete anything. Usually on reboot, if it is a virus/trojan/spyware it will have re-established itself in the checklist and popped back up in the startup list. If it hasn't, check out your network activity.

HijackThis, as TheRedUn mentioned, is really good for identifying the culprits, but HijackThis shows absolutely everything and unless you are really au fait with your OS and know what should or should not be running you will find you won't recognise half the stuff. It is very useful though and worth a look, and although you may not recognise some of it the trojan may stand out a mile.

That's all I can think of at the mo

Let us know how you are doing
 
Do you use a proper firewall, something like ZoneAlarm (it's free for home use)?
You should. Virus software isn't the half of it!

With ZA you can (and you should) be in complete control over what programs are allowed to access the internet.
It also traps all/many unwanted attacks and ingresses that could result in nasties getting in/control.
 
I had a similar problem a couple of years ago... drove me mad :bang:

If you want to do some in-depth analysis of TCP and UDP packets, where they come from/go to ... you could do a lot worse than using Ethereal. We use it loads at work and .... best of all it's open source software! :clap:

Brilliant package.... available for download

Hope you get it sorted...
 
Zonealarm is running but not spotting anything.

Been through Hijack This scan with a fine tooth comb, nothing obvious.

I checked the packets and it's email. What I need to do now is try and isolate which process is sending and receiving those packets. Any suggestions?

Cheers!
 
Zonealarm is running but not spotting anything.

Been through Hijack This scan with a fine tooth comb, nothing obvious.

I checked the packets and it's email. What I need to do now is try and isolate which process is sending and receiving those packets. Any suggestions?

Cheers!

Have you tried the trojan remover software?

I would be very surprised if any application can send outgoing packets and not be flagged by software firewall software.

Are you suffering from PC slowness... internet slowness? What first alerted you to the problem, and what convinced you it was a trojan?

Post up your current process list... I can usually spot things that aren't supposed to be there. You may be running software that I don't recognise but it can quickly be checked by simply searching the web for the executable filename.
 
Thanks, I've tried that. I reduced the system to a bare-bones startup and checked every process shown in Process Explorer. The problem is that the infection has attached itself to a Windows process so it can get past the firewall. ZoneAlarm was showing activity on Generic Host Process (svchost) but didn't complain about it.

It was the constant flickering on the activity light on the router that first made me wonder. The packets showed SMTP commands from mail transactions to thousands of different IPs. Basically the machine has become part of a spam network :(
 
Thanks, I've tried that. I reduced the system to a bare-bones startup and checked every process shown in Process Explorer. The problem is that the infection has attached itself to a Windows process so it can get past the firewall. ZoneAlarm was showing activity on Generic Host Process (svchost) but didn't complain about it.

It was the constant flickering on the activity light on the router that first made me wonder. The packets showed SMTP commands from mail transactions to thousands of different IPs. Basically the machine has become part of a spam network :(

Do you mean the packets are using the SMTP protocol? What application are you using to view these instances?
 
Ok a couple of things....

Using Ethereal gives EVERY packet, its source address, destination address and the port - there will be loads!

The tricky thing with Ethereal is the sheer bulk of data.... when I had this problem I set the capture to coincide with the "flood" as it hit the router....

If you then use a MS utility called TCPView, this will resolve the port to a process and the PID, which you can then kill.

Sysinternals - a small list of useful network tools

TCPView zip file with both windowed and CL tool

Playing around with these tools at work I can see you could get by using just TCPView. It shows opening and closing ports (green and red) dynamically. Changing the "options" will stop/start DNS resolution of TCP/IP addresses...

Best of Luck!
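The symptom in this thread (one host opening SMTP connections to thousands of different addresses, visible in the TCPView/Ethereal output) can be picked out automatically from a connection listing. The following is an added example, not code from any poster or tool named above; it runs over constructed lines in the shape of a netstat -n / TCPView listing (proto, local address, remote address, state) and flags any source that talks SMTP to an unusually large number of distinct hosts.

```python
from collections import defaultdict

SMTP_PORT = 25

# Constructed sample (not a real capture): a few normal connections, one legitimate
# mail relay per box, then the infected box fanning out SMTP to many different hosts.
NORMAL_LINES = [
    "TCP 192.168.1.10:3201 198.51.100.7:80 ESTABLISHED",
    "TCP 192.168.1.10:3202 198.51.100.20:443 ESTABLISHED",
    "TCP 192.168.1.10:3203 192.0.2.30:25 ESTABLISHED",   # the ISP's mail relay
    "TCP 192.168.1.11:4410 203.0.113.9:25 ESTABLISHED",  # second PC, sending normally
]
BOT_LINES = [f"TCP 192.168.1.10:{4000 + i} 203.0.113.{i}:25 SYN_SENT" for i in range(1, 60)]
SAMPLE_LOG = "\n".join(NORMAL_LINES + BOT_LINES)


def parse_line(line):
    """Return (proto, src_ip, dst_ip, dst_port) or None if the line is not a connection."""
    parts = line.split()
    if len(parts) < 3:
        return None
    proto, local, remote = parts[0], parts[1], parts[2]
    try:
        src_ip = local.rsplit(":", 1)[0]
        dst_ip, dst_port = remote.rsplit(":", 1)
        return proto, src_ip, dst_ip, int(dst_port)
    except ValueError:
        return None


def smtp_fanout(log_text):
    """Map each source IP to the set of distinct hosts it opened TCP/25 connections to."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[0] == "TCP" and rec[3] == SMTP_PORT:
            fanout[rec[1]].add(rec[2])
    return fanout


def suspicious_senders(log_text, threshold=20):
    """Sources contacting at least `threshold` distinct SMTP servers.

    A normal workstation talks to one or two mail relays; a mailer worm talks to
    thousands, which is what kept the router's activity light flickering."""
    return {src: len(dsts) for src, dsts in smtp_fanout(log_text).items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    for src, n in suspicious_senders(SAMPLE_LOG).items():
        print(f"{src}: SMTP to {n} distinct hosts - find the PID owning those sockets")
```

Once a source is flagged, the next step is the one suggested in the post above: map the offending local ports to a PID with TCPView before killing anything.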
 
Thanks, I've tried that. I reduced the system to a bare-bones startup and checked every process shown in Process Explorer. The problem is that the infection has attached itself to a Windows process so it can get past the firewall. ZoneAlarm was showing activity on Generic Host Process (svchost) but didn't complain about it.

It was the constant flickering on the activity light on the router that first made me wonder. The packets showed SMTP commands from mail transactions to thousands of different IPs. Basically the machine has become part of a spam network :(


Is your broadband connection wireless? Is it security-enabled? Many people experience the constant flickering because they do not have a security-enabled wireless connection, which allows anyone in the immediate area to share that connection!
 
Mate's PC had a similar thing ages ago. What I found out was that you not only have to remove the trojan itself, but also there was a 'parent' file running which simply recreated the trojan when I deleted it.

It took me about two hours to track it down and fix it.

Then a few weeks later I had the same thing happen on my own PC. I couldn't be arsed to mess about again so I reinstalled Windows.
 
Thanks again for all the suggestions and advice.

I installed Nav2007 and did a full scan - it didn't find anything apart from a few cookies but the problem is still there. I've managed to narrow it down to an instance of svchost which is running the DNSClient service but not being able to identify which trojan is responsible is making further progress slow to say the least. I'll keep plugging away at it... ho hum.
 
Well, fingers crossed I've fixed it. Turns out it was a mailer worm that NAV and Panda both failed to pick up on. BitDefender online scan found and killed it and everything seems back to normal now... yeah famous last words ;)
 
I've just spent the best part of the last 36 hours playing hunt the trojan on my pc.



Been there... done that..;)

Crazy when you can reinstall Windows in less than 2 hours..:nuts:



PS: Not a dig mate, just facts..:thumbs:
 
Thanks again for all the suggestions and advice.

I installed Nav2007 and did a full scan - it didn't find anything apart from a few cookies but the problem is still there. I've managed to narrow it down to an instance of svchost which is running the DNSClient service but not being able to identify which trojan is responsible is making further progress slow to say the least. I'll keep plugging away at it... ho hum.

Ah, Windows bug, turn off auto update and see if the activity stops
 
Been there... done that..;)

Crazy when you can reinstall Windows in less than 2 hours..:nuts:



PS: Not a dig mate, just facts..:thumbs:

I did think about it but re-installing everything else put me off - a repair re-install wasn't an option as there was no way of knowing if it would sort the problem :(
 