
Registered · 7 Posts · Discussion Starter · #1
I am using Symantec Client Firewall and keep getting notices that it has blocked a backdoor/subseven trojan horse, and it gives me the IP address. Someone told me there was a way to find out where it is coming from and ways to report it. Can anyone tell me how to find out who is trying to get into my computer and how to report it? The same IP address is trying to get into my computer almost daily.

Thanks
 

Registered · 5,297 Posts
It is unclear from your post whether your firewall is preventing the subseven trojan from coming in, or whether you already have it on your machine and your firewall is preventing it from sending something to a server at the IP address it gives you. I kind of suspect the latter.

Symantec has quite a bit of information about it on their site:

http://www.symantec.com/avcenter/venc/data/backdoor.subseven.html
 

Retired Moderator, Retired Malware Specialist · 56,593 Posts · First Name: Derek
If it's the same IP constantly then it's possible that you have an infection on your computer that is sending out a message and phoning home to that IP.

Please do this:
Go to http://www.thespykiller.co.uk/files/HijackThis.exe and download 'Hijack This!'.
Make sure it is placed into its own folder, not a temporary folder. Then double-click the Hijackthis.exe.
Click the "Scan" button; when the scan is finished the scan button will become "Save Log". Click that and save the log.
Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.

Also post the IP number that is being blocked constantly and we can advise which ISP it belongs to & who to report to.
 

Registered · 7 Posts · Discussion Starter · #4
Here is the logfile from HijackThis. Also, the firewall is keeping anyone from getting into my computer.

Logfile of HijackThis v1.97.2
Scan saved at 6:37:17 AM, on 3/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\svchost.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
D:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
D:\Program Files\DIGStream\digstream.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
D:\WINDOWS\wt\updater\wcmdmgr.exe
D:\Program Files\QUICKENW\QWDLLS.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
D:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
D:\Program Files\Messenger\msmsgs.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Outlook Express\msimn.exe
D:\Documents and Settings\Tiger Fan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - D:\WINDOWS\bi.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - D:\Program Files\Srng\SNHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - D:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TB_setup] D:\DOCUME~1\TIGERF~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [Belt] D:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [DIGStream] D:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wcmdmgr] D:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iamapp] D:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: Greetings Workshop Reminders.lnk = D:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = D:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Billminder.lnk = D:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .PDF: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON39120/payload2.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON39120/flash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37822.8211921296
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4336/mcfscan.cab
 

Retired Moderator, Retired Malware Specialist · 56,593 Posts · First Name: Derek
Quite a few pieces of spyware and trojan applications running do this. Your firewall hasn't stopped them getting on because you have invited them on when you have downloaded something; that is what trojans do. Virtually all of these applications you have phone home for updates and to download other baddies to keep them company.
These are the baddies you have running:

D:\WINDOWS\bi.dll
D:\Program Files\Srng\SNHelper.dll
D:\Program Files\MyWebSearch
D:\WINDOWS\wt\
D:\DOCUME~1\TIGERF~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
D:\WINDOWS\Belt.exe

O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...20/payload2.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com...39120/flash.cab

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described.

Spybot - Search & Destroy from http://security.kolla.de
AdAware 6 from http://www.lavasoft.de/support/download


Run Spybot S&D

After installing, first press Online, press "search for updates", then tick the updates it finds, then press "download updates". Beside the download button is a little down-pointed arrow; select one of the servers listed. If it doesn't work or you get an error message, then try a different server.

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
The current ref file should read at least 01R274 23.03.2004 or a higher number/later date.

Then ........

Make sure the following settings are made and on -------"ON=GREEN"
From main window :Click "Start" then " Activate in-depth scan"

then......

click "Use custom scanning options>Customize" and have these options on: "Scan within archives" ,"Scan active processes","Scan registry", "Deep scan registry" ,"Scan my IE Favorites for banned URL" and "Scan my host-files"

then.........

go to settings(the gear on top of AdAware)>Tweak>Scanning engine and tick "Unload recognized processes during scanning" ...........then........"Cleaning engine" and "Let windows remove files in use at next reboot"

then...... click "proceed" to save your settings.

Now, to scan, it's just a case of clicking the "Scan" button.

When the scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose "select all" from the drop-down menu.) Then press next and say yes to the prompt "do you want to remove all these entries".

Reboot again.

Then post a new HijackThis log to check what is left.
 
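The triage the moderator did by eye above (spot the known-bad entries, then see what is left after the cleanup) can be scripted. This is an added example, not from the thread or from HijackThis; it assumes the indicator list is exactly the set of paths and the download host named in the post above, and the log excerpts are constructed from the two logs posted here.

```python
import re

# Indicators the moderator flagged in the post above (paths and the
# abetterinternet.com download host); matching is case-insensitive substring.
BAD_INDICATORS = [
    r"d:\windows\bi.dll", r"d:\program files\srng",
    r"d:\program files\mywebsearch", "d:\\windows\\wt\\",
    r"\temp\tb_ani~1.exe", r"d:\windows\belt.exe", "abetterinternet.com",
]

# A HijackThis entry is "<section> - <detail>", e.g. "O4 - HKLM\..\Run: [...]".
HJT_LINE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<detail>.+)$")

def parse_hjt_line(line):
    """Return {'kind': 'O4', 'detail': ...} for an entry line, else None."""
    m = HJT_LINE.match(line.strip())
    return m.groupdict() if m else None

def flag_entries(log_text, indicators=BAD_INDICATORS):
    """Entries whose detail contains a known indicator, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry and any(i.lower() in entry["detail"].lower() for i in indicators):
            flagged.append(line.strip())
    return flagged

def entries_removed(before, after):
    """Entries in the first log that no longer appear in the second."""
    kept = {l.strip() for l in after.splitlines() if parse_hjt_line(l)}
    return [l.strip() for l in before.splitlines()
            if parse_hjt_line(l) and l.strip() not in kept]

# Constructed excerpts of the two logs posted in this thread (before/after cleanup).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=
O2 - BHO: (no name) - {000006B1-19B5-414A-849F-2A3C64AE6939} - D:\WINDOWS\bi.dll
O4 - HKLM\..\Run: [TB_setup] D:\DOCUME~1\TIGERF~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [Belt] D:\WINDOWS\Belt.exe
O16 - DPF: {20000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abetterinternet.com/download/cabs/FON39120/payload2.cab
"""
LOG_AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [TB_setup] D:\DOCUME~1\TIGERF~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
"""

if __name__ == "__main__":
    print("still flagged:", *flag_entries(LOG_AFTER), sep="\n  ")
    print("removed by cleanup:", *entries_removed(LOG_BEFORE, LOG_AFTER), sep="\n  ")
```

Note that the shopnav search-page hijack is not in the indicator list yet still disappears from the second log, which is why the "removed" diff is worth reading alongside the flagged list.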

Registered · 7 Posts · Discussion Starter · #6
Did all that, and here is the log file.

Logfile of HijackThis v1.97.2
Scan saved at 8:20:20 PM, on 3/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\svchost.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
D:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
D:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
D:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
D:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
D:\Program Files\Winamp\Winampa.exe
D:\Program Files\DIGStream\digstream.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
D:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
D:\Program Files\Logitech\MouseWare\system\em_exec.exe
D:\Program Files\QUICKENW\QWDLLS.EXE
D:\Program Files\Greetings Workshop\GWREMIND.EXE
D:\WINDOWS\System32\svchost.exe
D:\Program Files\PFE Studyware\PFE.exe
D:\Documents and Settings\Tiger Fan\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [WinampAgent] "D:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [TB_setup] D:\DOCUME~1\TIGERF~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck
O4 - HKLM\..\Run: [DIGStream] D:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] D:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iamapp] D:\PROGRA~1\SYMANT~1\SYMANT~2\IAMAPP.EXE
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech Desktop Messenger.lnk = D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O12 - Plugin for .PDF: D:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,76/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37822.8211921296
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4336/mcfscan.cab
 

Retired Moderator, Retired Malware Specialist · 56,593 Posts · First Name: Derek
Run HijackThis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press "Fix checked".

O4 - HKLM\..\Run: [TB_setup] D:\DOCUME~1\TIGERF~1\LOCALS~1\Temp\TB_ANI~1.EXE /dcheck

Reboot into safe mode by following the instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
Then, as some of the files or folders you need to delete may be hidden, do this:
Open Windows Explorer & go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types". Now click "Apply to all folders".
Click "Apply" then "OK".

Then, using Windows Explorer, navigate to
D:\DOCUMENTS AND SETTINGS\TIGER FAN1\LOCAL SETTINGS\Temp, select everything in that folder and delete it. Windows normally will not let you delete anything less than 24 hours old, so to make it easy, when in that folder right-click a blank spot & select view and details, then "arrange icons by" and select "arrange in groups", then select "modified". That will put a list of all files in date order with today at the top; then select everything except the today list and delete them all.

Then
reboot normally & post a new log to check, please.
 