Peter,
Report back with a list of the programs that are running in
your taskbar. Folks here should be able to recognize programs
that compromise your system.
Also, if you've got the Serv-U program on your system, do a
search through all files on the system. Typically hackers tend
to set it up in the root directory of your system, but it can be
anywhere.
I'm not fully qualified as to everything that's possible, but I'm
betting that the date on your ntdll.dll file is probably more
recent than what you're supposed to have. ntdll.dll is hacked
at times and folks add routines to it to open your system up.
I'd assume that your system has been totally compromised.
And the quickest way to fix it would be to format the HDD,
and reinstall XP. I spent two weeks of full-time work trying
to reconfigure a Win2k server once, and finally ended up
deleting all the files in the Windows folder and in the Program
Files folder, and reinstalling Win2k.
If you want to take on the challenge though, post back with
the following information:
1) List of all tasks that are running. Folks here will be able
to help identify different things.
2) To help us out as well, keep notes about what you are
doing. This will provide a great reference to you and us,
and I'd appreciate the effort, as will others.
I will do my best to help out, but I'm not perfect and I do
not know everything, and cannot guarantee anything.
And it might end up taking a couple weeks to get
everything right. I'd recommend using ZoneAlarm, unless
someone else can recommend using a better firewall.
ZoneAlarm can be found at
http://www.zonelabs.com/.
They currently offer a free trial which I think is 60 days.
I don't recommend buying it right at the moment because,
while it is a good product, it needs some serious reworking,
but it will help you out tremendously.
I look forward to someone else that might be able to suggest
other firewalls.
--
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.
Jim Carlock said:
You might need to check some other things as well.
Certain programs are not viruses and will never be viruses,
but they open your system up.
One such file is the Serv-U ftp program. You should visit
www.grc.com and click on the Shields Up! link and tell
it to scan all ports. It'll take a couple minutes but it'll tell
you which ports it can connect to you through. I'm thinking
FTP is either port 21 or 23 (one of the two).
You really shouldn't see any open ports on your system.
If you do, post back to the newsgroup explaining which
ports are open.
The serv-u.exe program can have any name in the world,
and it will never be detected as a virus. What it does is
open up the FTP port, but any port in the world can be
used for FTP transmissions, so... any open ports
could mean your system has been compromised.
Let us know.
Alright, Task Manager is showing that I'm definitely running Serv-U.
How do I get rid of it?
As for ports, I ran the link, and it showed lots of open ports. So
I adjusted my firewall settings, and now it's showing no open ports.
Here are the ports that were open.
==========================
GRC Port Authority Report created on UTC: 2004-04-19 at 17:58:29
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000
11 Ports Open
15 Ports Closed
0 Ports Stealth
---------------------
26 Ports Tested
NO PORTS were found to be STEALTH.
Ports found to be OPEN were: 21, 25, 80, 113, 135, 139, 443,
445, 1025, 1026, 1027
Other than what is listed above, all ports are CLOSED.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
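As an added example (not code from the thread, from GRC, or from Serv-U), here is a small Python parser for the Port Authority report format pasted above. It expands the port ranges, cross-checks the open-port list against the headline "Ports Open" count, labels each open port with its IANA service name (21 is FTP control, 23 is telnet), and groups the findings the way a responder reads them: an FTP listener, Windows networking ports (135/139/445) reachable from the Internet, and dynamic-range ports. The sample report is the one quoted in the post; the service table and the grouping rules are my assumptions.

```python
import re

# Constructed sample input: the Shields Up! report quoted in the thread above.
SAMPLE_REPORT = """\
GRC Port Authority Report created on UTC: 2004-04-19 at 17:58:29
Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000
11 Ports Open
15 Ports Closed
0 Ports Stealth
---------------------
26 Ports Tested
NO PORTS were found to be STEALTH.
Ports found to be OPEN were: 21, 25, 80, 113, 135, 139, 443,
445, 1025, 1026, 1027
Other than what is listed above, all ports are CLOSED.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
"""

# IANA well-known assignments for the ports this scan covers (reference table
# assumed here; 21 is FTP control, 23 is telnet).
SERVICE_NAMES = {
    21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 79: "finger", 80: "http",
    110: "pop3", 113: "ident", 119: "nntp", 135: "msrpc", 139: "netbios-ssn",
    143: "imap", 389: "ldap", 443: "https", 445: "microsoft-ds", 1720: "h323",
}

# Windows networking ports that should never be reachable from the Internet
# (assumed grouping for the triage below).
WINDOWS_NETWORKING = (135, 139, 445)


def expand_ports(spec):
    """Turn '0, 21-23, 1024-1030' into a sorted list of distinct port numbers."""
    ports = set()
    for part in spec.replace("\n", " ").split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    return sorted(ports)


def parse_report(text):
    """Extract tested ports, open ports, the declared count and the ping result."""
    tested = re.search(r"Results from scan of ports:\s*(.*?)\s*^\d+ Ports Open",
                       text, re.S | re.M)
    opened = re.search(r"Ports found to be OPEN were:\s*(.*?)\s*^Other than",
                       text, re.S | re.M)
    declared = re.search(r"^(\d+) Ports Open", text, re.M)
    if not tested or not declared:
        raise ValueError("not a Shields Up! port report")
    report = {
        "tested": expand_ports(tested.group(1)),
        "open": expand_ports(opened.group(1)) if opened else [],
        "declared_open": int(declared.group(1)),
        "ping_reply": re.search(r"PING REPLY.*WAS RECEIVED", text) is not None,
    }
    # Sanity check: the listed open ports must agree with the headline count.
    report["consistent"] = len(report["open"]) == report["declared_open"]
    return report


def triage(report):
    """Group the open ports the way a responder would read them."""
    open_ports = report["open"]
    return {
        "services": [(p, SERVICE_NAMES.get(p, "unassigned/dynamic")) for p in open_ports],
        "ftp_listening": 21 in open_ports,
        "windows_networking_exposed": [p for p in open_ports if p in WINDOWS_NETWORKING],
        "dynamic_range_open": [p for p in open_ports if p >= 1024],
        "host_visible_to_ping": report["ping_reply"],
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for port, name in result["services"]:
        print(f"open {port:>5}  {name}")
    print("FTP server reachable:", result["ftp_listening"])
    print("Windows networking exposed:", result["windows_networking_exposed"])
    print("Dynamic-range ports open:", result["dynamic_range_open"])
    print("Host answers ping:", result["host_visible_to_ping"])
```

Run it against a saved report and the open ports come out labelled; on the sample above it flags the FTP listener (consistent with Serv-U showing in Task Manager), the three Windows networking ports, and 1025-1027 in the dynamic range. A parse where the listed ports disagree with the declared count is reported via `consistent` rather than silently trusted.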