PDA

View Full Version : Possibly infected with some DDOS trojan - outgoing connections over SMTP


For Goshs Sake
2008-01-31, 06:00
From what I understand, someone ran an EXE downloaded from the net on this machine. AVG antivirus raised an alarm, but could not prevent infection. Since then, I closed the SMTP on the router, but it still looks like this machine downloads lots from the net - about 10 megs a minute.

There is no reason I should have all those connections:

c:\> netstat -b -o -v > 111


Active Connections

Proto Local Address Foreign Address State PID
TCP alex:2193 218.30.115.106:smtp SYN_SENT 600
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]

TCP alex:2196 mta2-f.biz.mail.vip.mud.yahoo.com:smtp SYN_SENT 600
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]

TCP alex:2197 mta2-f.biz.mail.vip.mud.yahoo.com:smtp SYN_SENT 600
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]

TCP alex:2198 imp8.kp.org:smtp SYN_SENT 600
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]

TCP alex:2199 mail3.americantilesupply.com:smtp SYN_SENT 600
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]

TCP alex:2200 unallocated.star.net.uk:smtp SYN_SENT 600
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]

TCP alex:2202 213.23.86.77:smtp SYN_SENT 600
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]

TCP alex:2203 mail-fwd.mx.g19.rapidsite.net:smtp SYN_SENT 600
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]

TCP alex:2206 81.23.235.185:smtp SYN_SENT 600
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]

TCP alex:2207 218.30.111.181:smtp SYN_SENT 600
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]

TCP alex:2210 mta-v7.mail.vip.mud.yahoo.com:smtp SYN_SENT 600
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\WS2_32.dll
-- unknown component(s) --
C:\WINDOWS\system32\kernel32.dll
[services.exe]


TCP alex:2204 localhost:30606 TIME_WAIT 0
TCP alex:2235 localhost:30606 TIME_WAIT 0
TCP alex:30606 localhost:2184 TIME_WAIT 0
TCP alex:30606 localhost:2186 TIME_WAIT 0
TCP alex:30606 localhost:2201 TIME_WAIT 0
TCP alex:30606 localhost:2187 TIME_WAIT 0
TCP alex:30606 localhost:2183 TIME_WAIT 0
TCP alex:30606 localhost:2185 TIME_WAIT 0
TCP alex:2209 207.167.205.198:http TIME_WAIT 0
TCP alex:2236 old.ccrdude.net:http TIME_WAIT 0
For Goshs Sake
2008-01-31, 06:04
BTW, there is no good reason for the last two lines too.
For Goshs Sake
2008-01-31, 06:07
Wednesday, January 30, 2008 11:05:26 PM Unallowed access from 192.168.2.3: to 192.251.125.137: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:26 PM Unallowed access from 192.168.2.3: to 216.203.33.173: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:26 PM Unallowed access from 192.168.2.3: to 200.93.192.156: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:26 PM Unallowed access from 192.168.2.3: to 200.93.216.18: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:26 PM Unallowed access from 192.168.2.3: to 62.149.128.151: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:26 PM Unallowed access from 192.168.2.3: to 62.149.128.154: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:26 PM Unallowed access from 192.168.2.3: to 170.153.64.24: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:26 PM Unallowed access from 192.168.2.3: to 170.153.196.18: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:26 PM Unallowed access from 192.168.2.3: to 193.26.242.16: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:26 PM Unallowed access from 192.168.2.3: to 193.26.242.10: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:26 PM Unallowed access from 192.168.2.3: to 12.10.217.40: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:27 PM Unallowed access from 192.168.2.3: to 12.10.217.41: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:27 PM Unallowed access from 192.168.2.3: to 216.203.33.173: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:27 PM Unallowed access from 192.168.2.3: to 192.251.125.137: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:27 PM Unallowed access from 192.168.2.3: to 209.85.147.114: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:27 PM Unallowed access from 192.168.2.3: to 204.202.241.5: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:27 PM Unallowed access from 192.168.2.3: to 217.199.186.103: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:27 PM Unallowed access from 192.168.2.3: to 152.135.235.12: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:27 PM Unallowed access from 192.168.2.3: to 69.20.116.20: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:27 PM Unallowed access from 192.168.2.3: to 207.97.242.6: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:27 PM Unallowed access from 192.168.2.3: to 198.91.8.20: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 194.2.0.80: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 167.102.242.130: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 64.141.114.2: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 169.200.184.93: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 169.200.91.95: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 82.132.141.69: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 201.55.240.15: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 62.0.33.214: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 12.161.199.101: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 12.161.199.100: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 209.191.118.103: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 195.177.96.250: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 202.5.32.9: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 216.57.221.35: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 216.157.243.228: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 209.203.56.25: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 207.217.125.17: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 213.17.170.75: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 66.45.16.64: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 209.181.247.105: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 63.162.158.23: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:28 PM Unallowed access from 192.168.2.3: to 204.193.128.99: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:29 PM Unallowed access from 192.168.2.3: to 195.242.120.9: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:29 PM Unallowed access from 192.168.2.3: to 206.81.222.5: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:29 PM Unallowed access from 192.168.2.3: to 212.58.5.151: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:29 PM Unallowed access from 192.168.2.3: to 212.177.183.135: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:29 PM Unallowed access from 192.168.2.3: to 207.97.230.2: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:29 PM Unallowed access from 192.168.2.3: to 200.42.0.144: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:29 PM Unallowed access from 192.168.2.3: to 66.135.195.180: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:29 PM Unallowed access from 192.168.2.3: to 66.135.195.181: protocol=6 rule=1 (by parent control!!)
Wednesday, January 30, 2008 11:05:29 PM Unallowed access from 192.168.2.3: to 205.160.194.195: protocol=6 rule=1 (by parent control!!)
For Goshs Sake
2008-01-31, 06:24
Fixing the problems below could not rid me of the problem:

--- Search result list ---
Win32.Tiny.abk: [SBI $C2ECF02B] Data (File, nothing done)
C:\WINDOWS\Temp\AE8AB41F91F72503.tmp

Win32.Tiny.abk: [SBI $E125794F] Temporary file (File, nothing done)
C:\WINDOWS\system32\woyssehw.tmp

Win32.Tiny.abk: [SBI $70B44025] Temporary file (File, nothing done)
C:\WINDOWS\Temp\7CF28762C38CA0D4.tmp

MediaPlex: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, nothing done)


DoubleClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, nothing done)


BurstMedia: [SBI $61F39AC8] Tracking cookie (Firefox: default) (Cookie, nothing done)