I have removed my trojans but..

I had some problems with my ident

Can't listen on port 113…
I couldn't find out what it was… but a friend told me to check for viruses/trojans…

I found some and removed them (after reading the how-to here, thnx)

But still something is using my port 113, so I can't connect to FTPs etc. that need to use the ident…

What can I do? I'm getting very frustrated here…

Let's say my ident is “hello” in my ident program… but when I check it on e.g. mIRC it's random letters, different each time, so something must be wrong?

I would really appreciate some help here, cuz I'm stranded :frowning:

Thnx

j

Hi,
What trojans (exact name & version) were found and removed? With which AV program (up to date??)?
Have you checked the corresponding virus info pages and removed/repaired the trojan-related registry/system settings?
Some trojans also drop other trojans/malware…

Additionally, try online scans by www.trendmicro.com and/or www.ravantivirus.com (use the IE browser)

What's to be found in your autostart/startup list (check especially the RUN entries in the registry and win.ini/system.ini)?
Any suspicious processes in Task Manager?

What Windows do you have, anyway?

It depends on which Windows you use. You can type “netstat -a” inside a DOS box (without the “”) or use TCPView from this site: http://www.sysinternals.com/ntw2k/source/tcpview.shtml
And of course try the tips whocares gave you.

Maybe https://grc.com/x/ne.dll?bh0bkyd2 is interesting, too.
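The advice above (run `netstat -a`, or TCPView, to see what is bound to port 113) is the core of the diagnosis in this thread: the ident port is owned by whatever process answers on it, so the question is which PID is listening there. The following is an added example, not code from the thread or from any of the tools it mentions. It parses constructed sample output in the shape of Windows `netstat -ano` and `tasklist` (which, unlike plain `netstat -a`, include the PID), joins the two to name the listener on a given port, and flags listeners whose image name is not on a small allowlist. All sample lines, PIDs and the allowlist are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `netstat -ano` output (Windows 2000/XP style). Not taken from the thread.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       828
  TCP    192.168.1.5:1054       203.0.113.7:6667       ESTABLISHED     1964
  TCP    192.168.1.5:1061       198.51.100.2:21        ESTABLISHED     2100
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output, used to map PIDs back to image names.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
svchost.exe                  828 Console                 0      4,512 K
nttest.exe                  1532 Console                 0      1,204 K
mirc.exe                    1964 Console                 0      6,880 K
FlashFXP.exe                2100 Console                 0      7,104 K
"""

# Assumed allowlist of images that may legitimately own sockets on this box (constructed).
EXPECTED_IMAGES = {"System", "svchost.exe", "lsass.exe", "inetinfo.exe"}


def parse_netstat(text: str) -> List[Dict]:
    """Turn `netstat -ano` lines into rows. TCP rows carry a State column; UDP rows do not."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # skip the banner, the header row and blank lines
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        addr, port = local.rsplit(":", 1)  # rsplit so IPv6-style addresses would still split on the last colon
        rows.append({"proto": proto, "addr": addr, "port": int(port), "state": state, "pid": pid})
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from `tasklist` output. Image names may contain spaces."""
    names: Dict[int, str] = {}
    pattern = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+([\d,]+) K\s*$")
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            names[int(m.group(2))] = m.group(1).strip()
    return names


def listeners_on_port(rows: List[Dict], port: int, names: Dict[int, str]) -> List[Tuple[str, int, str]]:
    """Return (proto, pid, image) for every socket bound to `port` that is accepting traffic."""
    hits = []
    for r in rows:
        if r["port"] == port and (r["proto"] == "UDP" or r["state"] == "LISTENING"):
            hits.append((r["proto"], r["pid"], names.get(r["pid"], "<unknown>")))
    return hits


def unexpected_listeners(rows: List[Dict], names: Dict[int, str], expected=EXPECTED_IMAGES):
    """Every listening socket whose owning image is not on the allowlist: (proto, port, pid, image)."""
    out = []
    for r in rows:
        if r["proto"] == "UDP" or r["state"] == "LISTENING":
            image = names.get(r["pid"], "<unknown>")
            if image not in expected:
                out.append((r["proto"], r["port"], r["pid"], image))
    return out


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    names = parse_tasklist(TASKLIST_SAMPLE)
    print("port 113 owner:", listeners_on_port(rows, 113, names))
    print("not on allowlist:", unexpected_listeners(rows, names))
```

On a real machine the two constants would be replaced by the captured output of `netstat -ano` and `tasklist`; the join on PID is what turns "something is using port 113" into a file name that can be looked up or submitted to a scanner, which is exactly the information the later replies keep asking for.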

thnx for ur replies…

I use XP… and now the trojans are back :frowning:

C:\WINDOWS\system32\rundll33.exe\isa.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\WINDOWS\system32\rundll33.exe\isa.exe\rundIl.exe [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\system32\rundll33.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\winnt\system32\isa.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\winnt\system32\isa.exe\rundIl.exe [L] Win32:Trojan-gen. {Other} (0)

And I can't delete them cuz Avast tells me that the zip archives are corrupt.

And my computer seems to run multiple net.exe, net1.exe and cmd.exe processes.

What can I do about this?

This is driving me crazy, so thanx again for any replies that help me resolve this problem!

|j|

If I never said that I hate the generic naming of Avast, I do it now!

I HATE IT! :wink:

Use this link to identify the Malware: http://www.kaspersky.com/remoteviruschk.html
Then we are able to give you more answers, I hope. :slight_smile:
You can show us your “Startuplist” if you want:
Download link: http://www.tomcoyote.org/hjt/startuplist.zip .
Download it, start it, and copy and paste it in your answer.

thnx for the help,
I used www.trendmicro.com for this… and it came up with totally different stuff than Avast… 4 infected files… I deleted them and my port 113 is now free again :slight_smile: :slight_smile: :slight_smile:

Don't know if I got rid of the trojans though.

Here is my startup list:

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashserv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\TBPanel.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe
C:\Program Files\Common Files\CMEII\CMESys.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE
C:\Program Files\Intuwave\Shared\mRouterRunTime\mRouterRuntime.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CapMan.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\ElogErr.exe
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\BROADC~1.EXE
C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\SCRFS.exe
C:\Program Files\FlashFXP\FlashFXP.exe
D:\mIRC\mirc.exe
C:\Program Files\Winamp3\winamp3.exe
C:\Program Files\FlashFXP\FlashFXP.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\StartupList.exe

Is there something wrong here?

thnx

|j|

Yes, there are definitely too many programs started! :slight_smile:

The gmt.exe seems to be adware: http://www.answersthatwork.com/Tasklist_pages/tasklist_g.htm

You may check it with Ad-Aware or Spybot (make a board or Google search for a link).

BTW: Do you really need all these programs to be started with Windows?

I'll try removing the .exe file…

And no, I probably don't need all those to start up with Windows… but how do I change that?

WTF…
This is very strange… the crap seems to be back… can't use port 113 and the ident is changing randomly again.

I really need some help here, I thought it was over, but it wasn't.

What shall I do?

|j|

Please use Spybot ( http://security.kolla.de/ ) or Ad-Aware ( www.lavasoftusa.com ) for this. You can disable the other files by using msconfig.exe for that.

We need a name of that malware. Do you still know it? Or just use the Trendmicro HouseCall again. Maybe you share your drives to the internet and it comes back that way. Or it is in the system recovery folder, but Avast and TM HouseCall should find it there, too.

I really appreciate your help, guys.

I've used Spybot and Ad-Aware… and found about 20 files that I deleted.

But still I have the port 113 prob. I use Avast and it will find some trojans again I guess (I'll try later today, have to go now), but if I use that online scanner I get totally different stuff (some .dat files). Are these 2 programs detecting different stuff, or is it just the same?

What shall I do now? Run Avast and paste the warnings here?

I have run it now… and the same ones are back. Here is the output:

C:\WINDOWS\system32\rundll33.exe\isa.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\WINDOWS\system32\rundll33.exe\isa.exe\rundIl.exe [L] Win32:Trojan-gen. {Other} (0)
C:\WINDOWS\system32\rundll33.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\winnt\system32\isa.exe\nttest.exe [L] Win32:Trojan-gen. {UPX!} (0)
C:\winnt\system32\isa.exe\rundIl.exe [L] Win32:Trojan-gen. {Other} (0)

I also got some: \Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm [E] Archive is password protected. (42056)
\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\sbRecovery.ini [E] Archive is password protected. (42056)

(many more)

But I'm not sure if this is any prob. Seems like an action from Spybot. But right now I'm not sure of anything :frowning:

Thnx for answers!

|j|

No, that will not help. It will “only” say it found generic.trojan. You can check the files Avast reports as trojan-generic by using this link: http://www.kaspersky.com/remoteviruschk.html

Or use the service from Trendmicro again and say what it finds.
We need another name than trojan-generic! :slight_smile:

Ok… I'll do that as soon as I come home again.

Thnx!

Now I have run the Trend Micro scanner

It found 3 infected files and they were:

bat flood.bi
bkrd flood.cd
bat flood.bi

I've deleted those files now, but I did that last time as well…

What shall I do now?

Okay, you can read this: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_FLOOD.CD
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BAT_FLOOD.BI

The problem seems to be your (m)IRC client. I do not use this client, but try to get a newer version, or try to configure it a bit more safely.

Maybe this is interesting too: http://www.mirc.com/faq6.html#section6 (chapter 6-19)

Now everything is back to normal again :slight_smile:

Thank u very much for the quick and good help…

Any suggestions on how I can avoid this kind of problem?

Thnx

|j|

Difficult to say. It depends on the situation. One thing is always useful: never trust an (unknown) file, not from an email, from a friend or via IRC. And always use your brain! :slight_smile:

Made a test on GRC? https://grc.com/x/ne.dll?bh0bkyd2

Actually, speaking of that mate, does Avast scan files downloaded off Hotmail? Or is that something that you have to set up?