Computer Virus

  • Anybody seen this or knows what it is?


    Hi,
    I noticed that my system (WinXP/SP2) sometimes produces
    internet traffic although there should be no reason for this.
    It's not doing it all the time and constantly but only
    sometimes and in a way that one could not tell from just
    looking at the system load.
    TCPView.exe shows that winlogon.exe accesses multiple different
    systems on port 25 (smtp).
    All tools that I could get that are supposed to remove
    spyware/trojans etc. did not help. I've also checked the usual
    place in the registry with no success (did not find anything
    suspicious).
    I took several snapshots with netstat to show which systems
    it is connecting to. The very first line (http) stays
    all the time. The smtp connections vary.
    Any idea what this is?
    Kind regards
    Koch
    PS: The mail adr. works if you remove "_NSPAM_" from it.
    TCP a3gg:2108 217.6.176.25:http TIME_WAIT
    TCP a3gg:2194 FIN_WAIT_2
    TCP a3gg:2203 FIN_WAIT_2
    TCP a3gg:2254 digdug.vosn.net:smtp ESTABLISHED
    TCP a3gg:2186 mail39.myhosting.com:smtp CLOSING
    TCP a3gg:2194 FIN_WAIT_2
    TCP a3gg:2203 FIN_WAIT_2
    TCP a3gg:2251 banana.webcom.com:smtp ESTABLISHED
    TCP a3gg:2253 storm.voltz.net:smtp ESTABLISHED
    TCP a3gg:2186 mail39.myhosting.com:smtp CLOSING
    TCP a3gg:2194 FIN_WAIT_2
    TCP a3gg:2203 FIN_WAIT_2
    TCP a3gg:2250 a3gs:smtp SYN_SENT
    TCP a3gg:2251 banana.webcom.com:smtp SYN_SENT
    TCP a3gg:2252 SYN_SENT
    TCP a3gg:2186 mail39.myhosting.com:smtp CLOSING
    TCP a3gg:2194 FIN_WAIT_2
    TCP a3gg:2203 FIN_WAIT_2
    TCP a3gg:2246 mail5.hsphere.cc:smtp ESTABLISHED
    TCP a3gg:2248 server8.firstfind.nl:smtp ESTABLISHED
    TCP a3gg:2186 mail39.myhosting.com:smtp CLOSING
    TCP a3gg:2194 FIN_WAIT_2
    TCP a3gg:2203 FIN_WAIT_2
    TCP a3gg:2244 host122.ipowerweb.com:smtp ESTABLISHED
    TCP a3gg:2246 mail5.hsphere.cc:smtp ESTABLISHED
    TCP a3gg:2186 mail39.myhosting.com:smtp CLOSING
    TCP a3gg:2194 FIN_WAIT_2
    TCP a3gg:2203 FIN_WAIT_2
    TCP a3gg:2240 blitzen.anywherehost.net:smtp ESTABLISHED
    TCP a3gg:2241 webmasters.plaats.nl:smtp SYN_SENT
    TCP a3gg:2186 mail39.myhosting.com:smtp CLOSING
    TCP a3gg:2194 FIN_WAIT_2
    TCP a3gg:2203 FIN_WAIT_2
  • No.1

    From: "Manfred Koch" <mk53x_NSPAM_@arcor.de>

    | Hi,
    |
    | I noticed that my system (WinXP/SP2) sometimes produces
    | internet traffic although there should be no reason for this.
    | It's not doing it all the time and constantly but only
    | sometimes and in a way that one could not tell from just
    | looking at the system load.
    |
    | TCPView.exe shows that winlogon.exe accesses multiple different
    | systems on port 25 (smtp).
    |
    | All tools that I could get that are supposed to remove
    | spyware/trojans etc. did not help. I've also checked the usual
    | place in the registry with no success (did not find anything
    | suspicious).
    |
    | I took several snapshots with netstat to show which systems
    | it is connecting to. The very first line (http) stays
    | all the time. The smtp connections vary.
    |
    | Any idea what this is?
    |
    | Kind regards
    | Koch

    < snip >

    Download MULTI_AV.EXE from the URL --

    To use this utility, perform the following
    Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
    Choose; Unzip
    Choose; Close

    Execute; C:\AV-CLS\StartMenu.BAT
    { or Double-click on 'Start Menu' in C:\AV-CLS }

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to allow it to download the needed AV vendor related files.

    C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
    This will bring up the initial menu of choices and should be executed in Normal Mode.
    This way all the components can be downloaded from each AV vendor's web site.
    The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

    You can choose to go to each menu item and just download the needed files or you can
    download the files and perform a scan in Normal Mode. Once you have downloaded the files
    needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
    during boot] and re-run the menu again and choose which scanner you want to run in Safe
    Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

    When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
    file.

    * * * Please report back your results * * *
  • No.2

    On that special day, Manfred Koch, (mk53x_NSPAM_@arcor.de) said

    TCPView.exe shows that winlogon.exe accesses multiple different
    systems on port 25 (smtp).

    Seeing that someone else is currently battling this elusive winlogon, I
    am afraid the same thing has happened to you, as had to him.

    See Nightrunner's message
    news:Message-ID: <@4ax.com>

    Your machine has been turned into a mass mailing zombie (the port 25
    connections are reserved for SMTP, which is a dead giveaway), which is
    under control of a different person than you. Maybe you both were hit
    by the WMF exploit, right into the face.

    The only solution I know of, is

    or, in German
    http://faq.jors.net/virus

    I know this is hard, but it is the only way to make absolutely sure
    that there are no remnants of a root kit or siblings of the trojan on
    your hard disk, after that treatment.

    Gabriele Neukam

    Gabriele.Spamfighter.Neukam@t-online.de
  • No.3

    From: "Gabriele Neukam" <Gabriele.Spamfighter.Neukam@t-online.de>

    | On that special day, Manfred Koch, (mk53x_NSPAM_@arcor.de) said
    |
    >TCPView.exe shows that winlogon.exe accesses multiple different
    >systems on port 25 (smtp).

    |
    | Seeing that someone else is currently battling this elusive winlogon, I
    | am afraid the same thing has happened to you, as had to him.
    |
    | See Nightrunner's message
    | news:Message-ID: <@4ax.com>
    |
    | Your machine has been turned into a mass mailing zombie (the port 25
    | connections are reserved for SMTP, which is a dead giveaway), which is
    | under control of a different person than you. Maybe you both were hit
    | by the WMF exploit, right into the face.
    |
    | The only solution I know of, is
    |
    | or, in German
    | http://faq.jors.net/virus
    |
    | I know this is hard, but it is the only way to make absolutely sure
    | that there are no remnants of a root kit or siblings of the trojan on
    | your hard disk, after that treatment.
    |
    | Gabriele Neukam
    |
    | Gabriele.Spamfighter.Neukam@t-online.de
    |

    It could be plugged in to Winlogon via the Registry Winlogon Notify function

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

    This will then be used to load a DLL.
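The Winlogon\Notify key David points at is worth a systematic check: every subkey under it names a DLL that winlogon.exe loads at logon, so a rogue subkey puts foreign code inside winlogon's own process, which fits the symptom of winlogon.exe itself generating the SMTP traffic. The Python script below is an added example, not a tool from the thread or from any of the posters: it parses a regedit export of that key (taken with `reg export` on the suspect machine; the file name is assumed) and flags subkeys that are not in a baseline list or whose DLL lives outside system32. The sample export embedded in it is constructed, and the XP SP2 baseline list is from memory and should be verified against a known-clean machine before anything outside it is treated as malicious.

```python
"""Audit Winlogon\\Notify subkeys from a regedit export.

Added example, not code from the thread. It parses the text written by
  reg export "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify" notify.reg
(a standard Windows command; the output file name is assumed) so the check can be
run offline on a copy taken from a suspect machine.
"""
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Subkeys present on a stock XP SP2 install, as best I recall (assumption:
# confirm against a known-clean machine before trusting this list).
XP_SP2_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                   "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

# Constructed sample export: one stock entry (regedit writes REG_EXPAND_SZ as
# UTF-16LE hex, wrapped with trailing backslashes) and one hypothetical entry
# whose DLL sits outside system32. The name example_suspect is made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\example_suspect]
"Asynchronous"=dword:00000001
"DllName"="C:\\WINDOWS\\example_suspect.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"""


def join_continuations(text):
    """Rejoin values that regedit wrapped onto several lines with a trailing backslash."""
    lines, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]
            continue
        lines.append(line)
    return lines


def decode_value(payload):
    """Decode a .reg value payload: quoted REG_SZ or hex(2): REG_EXPAND_SZ."""
    if payload.startswith('"') and payload.endswith('"'):
        return payload[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if payload.lower().startswith("hex(2):"):
        raw = bytes(int(b, 16) for b in payload[7:].split(",") if b)
        return raw.decode("utf-16-le").rstrip("\x00")
    return payload  # other value types are not expected for DllName; left as-is


def parse_notify_export(text):
    """Return {subkey name: DllName} for every Notify\\<subkey> section in the export."""
    prefix = (NOTIFY_KEY + "\\").lower()
    entries, current = {}, None
    for line in join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key[len(prefix):] if key.lower().startswith(prefix) else None
            continue
        if current is not None and line.lower().startswith('"dllname"='):
            entries[current] = decode_value(line.split("=", 1)[1])
    return entries


def audit_notify(entries, baseline=XP_SP2_BASELINE):
    """Return {subkey: [reasons]} for entries that merit a closer look."""
    known = {name.lower() for name in baseline}
    findings = {}
    for name, dll in entries.items():
        reasons = []
        if name.lower() not in known:
            reasons.append("subkey not in baseline")
        # A bare file name resolves from %SystemRoot%\system32; an explicit path
        # anywhere else is unusual for a Notify DLL.
        if "\\" in dll and "\\system32\\" not in dll.lower():
            reasons.append("DLL path outside system32: " + dll)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_notify(parse_notify_export(SAMPLE_REG_EXPORT)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The export is read as text rather than through the live registry on purpose: a DLL already loaded into winlogon can hide or protect its own key from tools running on the infected system, whereas a file exported once and inspected elsewhere is inert. Note that a missing Notify key, as the poster later reported, does not rule the mechanism out; it only means this particular hook is not the one in use.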
  • No.4

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:F2ywf.1547$sa4.1389@trnddc07:

    --
    It could be plugged in to Winlogon via the Registry Winlogon Notify
    function

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
    NT\CurrentVersion\Winlogon\Notify

    This will then be used to load a DLL.

    David,
    thanks for the hints.
    The winlogon/notify key does not exist on my system.
    There is no winlogon key at all in CurrentVersion.

    I've downloaded your package and all the scanners that wget
    (I didn't know that there is a windows version of this ;-)
    was getting and created a dos boot floppy with the NTFS
    driver.
    Booted this and ran the McAfee (over night).
    This is the result:

    C:\SYSTEM~1\_REST~1\RP59\A0048649.exe Found potentially unwanted
    program Joke-MessageMate.
    The file has been deleted.
    <snip> deleted a lot of the joke stuff

    C:\WINDOWS\country.exe Found the ProcKill-DJ trojan !!!
    The file has been deleted.
    C:\WINDOWS\kl.exe Found trojan or variant New Malware.u !!!
    Please send a copy of the file to McAfee
    The file has been deleted.
    C:\WINDOWS\ms1.exe Found the Downloader-ASR trojan !!!
    The file has been deleted.

    Summary report on C:\
    File(s)
    Total files: 81523
    Clean: 81217
    Possibly Infected: 16
    Cleaned: 1
    Deleted: 66
    Non-critical Error(s): 2
    Master Boot Record(s): 2
    Possibly Infected: 0
    Boot Sector(s): 1
    Possibly Infected: 0
    Scanning D: []
    Scanning D:\

    Summary report on D:\
    0 files were on the disk.

    Master Boot Record(s): 2
    Possibly Infected: 0
    Boot Sector(s): 0
    Possibly Infected: 0

    Time: 00:43.50

    The program kl.exe was not on system any more after I booted
    back to normal mode this morning.
    AND: the trojan that sends out spam is still there.
    I will try the other 3 scanners tonight from the dos boot floppy
    and post the result here as well but I have the feeling
    that I will have to reinstall my system (and move most
    of the work to LINUX) just leaving XP for what I cannot
    run on Linux.

    Kind regards

  • No.5

    From: "Manfred Koch" <mk53x_NSPAM_@arcor.de>

    |
    | David,
    | thanks for the hints.
    | The winlogon/notify key does not exist on my system.
    | There is no winlogon key at all in CurrentVersion.
    |
    | I've downloaded your package and all the scanners that wget
    | (I didn't know that there is a windows version of this ;-)
    | was getting and created a dos boot floppy with the NTFS
    | driver.
    | Booted this and ran the McAfee (over night).
    | This is the result:
    |
    |
    | C:\SYSTEM~1\_REST~1\RP59\A0048649.exe Found potentially unwanted
    | program Joke-MessageMate.
    | The file has been deleted.
    | <snip> deleted a lot of the joke stuff
    |
    | C:\WINDOWS\country.exe Found the ProcKill-DJ trojan !!!
    | The file has been deleted.
    | C:\WINDOWS\kl.exe Found trojan or variant New Malware.u !!!
    | Please send a copy of the file to McAfee
    | The file has been deleted.
    | C:\WINDOWS\ms1.exe Found the Downloader-ASR trojan !!!
    | The file has been deleted.
    |
    | Summary report on C:\
    | File(s)
    | Total files: 81523
    | Clean: 81217
    | Possibly Infected: 16
    | Cleaned: 1
    | Deleted: 66
    | Non-critical Error(s): 2
    | Master Boot Record(s): 2
    | Possibly Infected: 0
    | Boot Sector(s): 1
    | Possibly Infected: 0
    | Scanning D: []
    | Scanning D:\
    |
    | Summary report on D:\
    | 0 files were on the disk.
    |
    | Master Boot Record(s): 2
    | Possibly Infected: 0
    | Boot Sector(s): 0
    | Possibly Infected: 0
    |
    | Time: 00:43.50
    |
    |
    | The program kl.exe was not on system any more after I booted
    | back to normal mode this morning.
    | AND: the trojan that sends out spam is still there.
    | I will try the other 3 scanners tonight from the dos boot floppy
    | and post the result here as well but I have the feeling
    | that I will have to reinstall my system (and move most
    | of the work to LINUX) just leaving XP for what I cannot
    | run on Linux.
    |
    | Kind regards
    |

    I recognize those Trojans immediately !

    Download SmitFraud.exe from the URL --

    Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
    Choose; Unzip
    Choose; Close

    NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
    FireWall to enable WGET.EXE to download the needed McAfee related files.

    Execute; c:\mcafee\clean.bat
    { or Double-click on 'Clean Link' in c:\mcafee }

    A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
    end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
    It is suggested that you move the report out of c:\mcafee before performing another scan.

    Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
    reply.

    * * * Please report back your results * * *
  • No.6

    Manfred Koch wrote:

    the trojan that sends out spam is still there.
    I have the feeling that I will have to reinstall my system
    (and move most of the work to LINUX) just leaving XP for
    what I cannot run on Linux.

    Remove the infected hard drive from that system and connect it as a
    slave or secondary drive to another XP system (one that you trust, and
    which also has a variety of AV software). Do NOT have anything like
    Google desktop or any other automatic indexing or search software
    running on the trusted computer. Temporarily disconnect the trusted
    computer from the internet while you do this.

    Check the slaved (infected) drive with the AV software. It should
    have no problem accessing the entire drive (hidden and protected
    directories, etc) and should have no problem quarantining or deleting
    any suspect files (because they won't be running or active).
  • No.7

    From: "Virus Guy" <Virus@Guy.com>

    |
    | Remove the infected hard drive from that system and connect it as a
    | slave or secondary drive to another XP system (one that you trust, and
    | which also has a variety of AV software). Do NOT have anything like
    | Google desktop or any other automatic indexing or search software
    | running on the trusted computer. Temporarily disconnect the trusted
    | computer from the internet while you do this.
    |
    | Check the slaved (infected) drive with the AV software. It should
    | have no problem accessing the entire drive (hidden and protected
    | directories, etc) and should have no problem quarantining or deleting
    | any suspect files (because they won't be running or active).

    NO !

    There are many alterations made to the Registry that are made by the executables noted. Also
    these Trojans are paired with non-viral malware. If you have these Trojans, you either
    already have the associated adware/spyware or are very vulnerable to getting it.

    Slaving the drive will NOT correct the alterations made to the OS.
  • No.8

    "David H. Lipman" wrote:

    | Remove the infected hard drive
    | Check the slaved (infected) drive with the AV software.

    NO !

    There are many alterations made to the Registry that is
    made by the executables noted.

    Alterations made to the registry of the infected (slave) drive you
    mean. Alterations which won't mean a hoot when rogue files are
    quarantined or deleted and then the drive is re-started as a master.

    Also these Trojans are paired with non-viral malware. If you have these Trojans,

    If the slave drive has Trojans, they will be quarantined during the
    scan. This is the ultimate "safe-mode" way to scan a suspect hard
    drive. Even if adware or spyware is still present (and not removed
    during the scan) they can be removed once the drive is re-installed on
    the original system and started up.

    Slaving the drive will NOT correct the alterations made to
    the OS.

    Slaving the drive (to a trusted computer) will render all files on the
    slave as benign and in-active, and any and all suspect files can be
    scanned safely and without interference by running processes that may
    be present and may be trying to interfere with such scans. Suspect
    files can be either quarantined or deleted without nuisance error
    messages that the file is in use (or being protected by other rogue
    processes) or that the user doesn't have the necessary rights to
    remove it, etc. Root kits are laid bare and completely visible to AV
    software by slaving a drive.

    Rogue entries in the registry will not (necessarily) be corrected or
    removed, but if the target executables of said entries are no longer
    present, then the entries are harmless and can be removed in a
    controlled manner once the drive is re-started and scanned by suitable
    AV or anti-malware software.
  • No.9

    From: "Virus Guy" <Virus@Guy.com>

    | "David H. Lipman" wrote:
    |
    |>Remove the infected hard drive
    |>Check the slaved (infected) drive with the AV software.
    >>

    >NO !
    >>

    >There are many alterations made to the Registry that is
    >made by the executables noted.

    |
    | Alterations made to the registry of the infected (slave) drive you
    | mean. Alterations which won't mean a hoot when rogue files are
    | quarantined or deleted and then the drive is re-started as a master.
    |
    >Also these Trojans are paired with non-viral malware. If you have these Trojans,

    |
    | If the slave drive has Trojans, they will be quarantined during the
    | scan. This is the ultimate "safe-mode" way to scan a suspect hard
    | drive. Even if adware or spyware is still present (and not removed
    | during the scan) they can be removed once the drive is re-installed on
    | the original system and started up.
    |
    >Slaving the drive will NOT correct the alterations made to
    >the OS.

    |
    | Slaving the drive (to a trusted computer) will render all files on the
    | slave as benign and in-active, and any and all suspect files can be
    | scanned safely and without interference by running processes that may
    | be present and may be trying to interfere with such scans. Suspect
    | files can be either quarantined or deleted without nuisance error
    | messages that the file is in use (or being protected by other rogue
    | processes) or that the user doesn't have the necessary rights to
    | remove it, etc. Root kits are laid bare and completely visible to AV
    | software by slaving a drive.
    |
    | Rogue entries in the registry will not (necessarily) be corrected or
    | removed, but if the target executables of said entries are no longer
    | present, then the entries are harmless and can be removed in a
    | controlled manner once the drive is re-started and scanned by suitable
    | AV or anti-malware software.

    The problem is that if the AV software does not find the files, it won't fix the Registry.
    My understanding is it finds an infected file and based upon that infected file, makes
    corrections to the OS based on what was found.

    Slaving the drive is an excellent way to remove viruses, Trojans and RootKits when the
    traditional methods are unsuccessful. However, it shouldn't be the first level solution. In
    this case they are Trojans associated with SpyAxe, SpySheriff, SpyStriker, et al. malware
    infections seen in high numbers in the past 20~30 days or so. The solution I have provided
    is hard coded to remove all these associated malwares and clean the Registry of their
    alterations. And there are many from Local and Group policies, BHO, alterations to
    Internet Explorer and to Winlogon, etc.

    Slaving a drive or booting off an alternate OS is a solution, just not the primary
    solution.
  • No.10

    "David H. Lipman" wrote:

    The problem is that if the AV software does not find the files,
    it won't fix the Registry.

    - I would agree with that - if I was sure that any given AV
    software that I have or was using actually _does_ look for and remove
    specific registry entries that are associated with specific malware
    files that it finds.

    What comes to mind when I think of drive or file scanning is just that
    - to look for files that match AV definition specs. As I really am
    hardly ever in a position to fight a battle against an actual
    infection, I have never had to resort to collect and apply all the
    tools to completely remove an infection (files, registry entries,
    etc).

    It was not my impression that AV software has the ability to _also_ go
    into the registry and clean up things. Wouldn't that require a more
    sophisticated definition file - one that contains not only viral
    patterns, but also additional data as to what registry entries need to
    be checked out?

    Maybe this wouldn't work, but once a drive has been cleaned of
    malware, I would then use something like Norton Utilities "WinDoctor"
    to scan the registry for errors or missing file associations and then
    let it fix it (by nuking the entries). Possibly also use (gasp)
    regclean.

    My understanding is it finds an infected file and based upon
    that infected file, makes corrections to the OS based on what
    was found.

    Well, I'm not so sure that you can depend on every piece of AV
    software out there to also fix the registry if it finds something.
    Maybe that's a shortcoming of, say, NAV 2002 compared to NAV 2005.
    Maybe AdAware or spybot does registry scanning and fixing. I don't
    know.

    At the very least, if you scan a slave drive and find malware, you can
    look up the specifics of what that malware does to the registry - and
    manually remove the entries yourself.

    Slaving the drive is an excellent way to remove viruses,
    Trojans and RootKits when the traditional methods are
    unsuccessful. However, it shouldn't be the first level
    solution.

    The OP in this case was thinking of reinstalling the OS. I thought
    that scanning the drive as a slave was a less drastic alternative.

    Given the relative lack of malware that appears on the computers that
    I manage, if/when I do encounter one, I run NAV and "The Cleaner" with
    the drive in-place (ie as master) and then slave the drive and repeat
    the scan to convince myself that the drive is clean. I find that "The
    Cleaner" can go to places, find hidden or protected files, or just
    plain be able to unpack more files than NAV can, and when it does, NAV
    usually butts in and announces a discovery.
  • No.11

    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    news:yeSwf.32365$v84.15831@trnddc06:

    snip lots of text

    I recognize those Trojans immediately !
    --
    Download SmitFraud.exe from the URL --

    Execute; SmitFraud.exe { Note: You must accept the default of
    C:\McAfee } Choose; Unzip
    Choose; Close

    NOTE: You may have to disable your software FireWall or allow WGET.EXE
    to go through your FireWall to enable WGET.EXE to download the needed
    McAfee related files.

    Execute; c:\mcafee\clean.bat
    { or Double-click on 'Clean Link' in c:\mcafee }

    A final report in HTML format called C:\mcafee\ScanReport.HTML will be
    generated. At the end of the scan, it will be displayed in your
    browser (Opera, FireFox or Internet Explorer). It is suggested that
    you move the report out of c:\mcafee before performing another scan.

    Please Copy and Paste the contents of the HTML Log file;
    C:\mcafee\ScanReport.HTML in your reply.

    * * * Please report back your results * * *

    Hi David,

    I tried to run Kaspersky from your prev. batch over night from
    an NTFS boot floppy but it didn't finish 'til this morning.
    The result of the McAfee is (ran this morning):

    Summary report on C:\
    File(s)
    Total files: 293399
    Clean: 293125
    Possibly Infected: 1
    Cleaned: 0
    Deleted: 2
    Non-critical Error(s): 3
    Master Boot Record(s): 3
    Possibly Infected: 0
    Boot Sector(s): 1
    Possibly Infected: 0

    Time: 00:47.03

    but the trojan is still there. No change.
    The 2 files that were deleted had nothing to do with this.

    What I've noticed is two things:
    a) It is only active when I login using an admin account.
    It is not doing anything when I login as regular user.
    b) Before the winlogon processes shows up using port 25
    I can see a process System (0) appearing making a http
    connection to some server.
    It almost looks like this guy is downloading something from
    there before starting the winlogon guys to send out their
    spam.

    I will try to use the process viewer from sysinternals to
    figure out where this system(0) process really comes from.

    Thanks for your help anyhow.

    BTW: are you maintaining those packages that you advised me to
    use?

    Kind regards

  • No.12

    In article <43C45DEF.9413FCE6@Guy.com>, Virus@Guy.com says
    "David H. Lipman" wrote:

    | Remove the infected hard drive
    | Check the slaved (infected) drive with the AV software.

    NO !

    There are many alterations made to the Registry that is
    made by the executables noted.

    Alterations made to the registry of the infected (slave) drive you
    mean. Alterations which won't mean a hoot when rogue files are
    quarantined or deleted and then the drive is re-started as a master.

    But then the system tries to load files as directed by the
    registry, but they're not there because you cleaned them off,
    so the system won't come up. At all.

    I've seen that scenario more than once.

    Besides, there's all the jumper settings to mess with on the
    drives, which not too many people are going to enjoy doing.
  • No.13

    In article <43C48382.CF18279@Guy.com>, Virus@Guy.com says
    It was not my impression that AV software has the ability to _also_ go
    into the registry and clean up things.
    Most of the good ones do.
  • No.14

    From: "Manfred Koch" <mk53x_NSPAM_@arcor.de>

    | "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in
    | news:yeSwf.32365$v84.15831@trnddc06:
    |
    | snip lots of text
    |
    >I recognize those Trojans immediately !
    >>

    >Download SmitFraud.exe from the URL --
    >
    >>

    >Execute; SmitFraud.exe { Note: You must accept the default of
    >C:\McAfee } Choose; Unzip
    >Choose; Close
    >>

    >NOTE: You may have to disable your software FireWall or allow WGET.EXE
    >to go through your FireWall to enable WGET.EXE to download the needed
    >McAfee related files.
    >>

    >Execute; c:\mcafee\clean.bat
    >{ or Double-click on 'Clean Link' in c:\mcafee }
    >>

    >A final report in HTML format called C:\mcafee\ScanReport.HTML will be
    >generated. At the end of the scan, it will be displayed in your
    >browser (Opera, FireFox or Internet Explorer). It is suggested that
    >you move the report out of c:\mcafee before performing another scan.
    >>

    >Please Copy and Paste the contents of the HTML Log file;
    >C:\mcafee\ScanReport.HTML in your reply.
    >>

    >* * * Please report back your results * * *
    >>

    | Hi David,
    |
    | I tried to run Kaspersky from your prev. batch over night from
    | an NTFS boot floppy but it didn't finish 'til this morning.
    | The result of the McAfee is (ran this morning):
    |
    | Summary report on C:\
    | File(s)
    | Total files: 293399
    | Clean: 293125
    | Possibly Infected: 1
    | Cleaned: 0
    | Deleted: 2
    | Non-critical Error(s): 3
    | Master Boot Record(s): 3
    | Possibly Infected: 0
    | Boot Sector(s): 1
    | Possibly Infected: 0
    |
    | Time: 00:47.03
    |
    |
    |
    | but the trojan is still there. No change.
    | The 2 files that were deleted had nothing to do with this.
    |
    | What I've noticed is two things:
    | a) It is only active when I login using an admin account.
    | It is not doing anything when I login as regular user.
    | b) Before the winlogon processes shows up using port 25
    | I can see a process System (0) appearing making a http
    | connection to some server.
    | It almost looks like this guy is downloading something from
    | there before starting the winlogon guys to send out their
    | spam.
    |
    | I will try to use the process viewer from sysinternals to
    | figure out where this system(0) process really comes from.
    |
    | Thanks for your help anyhow.
    |
    | BTW: are you maintaining those packages that you advised me to
    | use?
    |
    | Kind regards
    |

    I strongly suggest the following

    Download SmitFraud.exe from the URL --

    Use the instructions posted previously.

    The above tool and the Multi AV Scanning Tool were created by me.
