Dave
I checked out the tools at SysInternals that you suggested --- I'm
impressed. ProcessExplorer is the killer --- all the inter-dependencies and
relationships between threads, processes, applications and services
displayed in one place instead of four or five different utilities is very
useful.
Having seen all the inter-dependencies now, I'm inclined to agree that those
ports are legit --- I can see what's what now with that tool, and yes, they
are just little system processes that have the ports open to do things like
manage DCOM, remote proc calls, network time protocol, and stuff like that.
Thx.
Regards, Tom
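The check Tom describes above (which process owns each port, and whether the socket is reachable from the network at all) as an added Python example; this is not code from the thread or from the SysInternals tools. It parses PortReporter-style mapping lines like the ones posted further down, groups them by owning process, and separates network-reachable listeners from loopback-only sockets and outbound client connections. The sample lines are a subset of the listing in the thread; the well-known-port labels are my own annotation.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: a subset of the PortReporter listing posted in the thread,
# including two header lines that the parser must skip.
SAMPLE_REPORT = """\
Operating System: Windows XP
TCP/UDP Port to Process Mappings at service start-up
4:System TCP 445 0.0.0.0 LISTENING 0.0.0.0
4:System UDP 445 0.0.0.0 *:*
824:svchost.exe TCP 135 0.0.0.0 LISTENING 0.0.0.0
888:svchost.exe UDP 123 24.86.74.167 *:*
888:svchost.exe UDP 123 127.0.0.1 *:*
888:svchost.exe UDP 1934 127.0.0.1 *:*
944:svchost.exe UDP 1044 0.0.0.0 *:*
1500:iexplore.exe TCP 1136 24.86.74.167 CLOSE WAIT 69.50.166.212:80
1500:iexplore.exe UDP 2885 127.0.0.1 *:*
"""

# My own annotation of the well-known Windows ports that appear in the listing.
WELL_KNOWN = {
    (135, "TCP"): "RPC endpoint mapper (DCOM)",
    (445, "TCP"): "SMB direct hosting",
    (445, "UDP"): "SMB direct hosting",
    (123, "UDP"): "NTP (Windows Time)",
}

# PID:process PROTO PORT LOCAL_IP <rest>; <rest> is "*:*" for UDP and
# "STATE REMOTE" for TCP (the state may contain a space, e.g. "CLOSE WAIT").
LINE_RE = re.compile(r"^(\d+):(\S+)\s+(TCP|UDP)\s+(\d+)\s+(\S+)\s+(.+)$")


@dataclass(frozen=True)
class PortEntry:
    pid: int
    process: str
    proto: str
    port: int
    local_ip: str
    state: str    # TCP state, or "" for UDP
    remote: str   # remote endpoint, or "*:*" for UDP


def parse_port_report(text):
    """Parse PortReporter-style lines; header and separator lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        pid, proc, proto, port, local_ip, rest = m.groups()
        if proto == "UDP":
            state, remote = "", rest
        else:
            parts = rest.split()
            state, remote = " ".join(parts[:-1]), parts[-1]
        entries.append(PortEntry(int(pid), proc, proto, int(port), local_ip, state, remote))
    return entries


def classify(e):
    """Reachability class of one socket."""
    if e.proto == "TCP" and e.state != "LISTENING":
        return "outbound-connection"   # a client socket, not a service
    if e.local_ip.startswith("127."):
        return "loopback-only"         # only reachable from this machine
    return "network-listener"          # bound to all interfaces or a routable address


def network_exposed(entries):
    """Only the sockets that a remote host could actually reach."""
    return [e for e in entries if classify(e) == "network-listener"]


def group_by_process(entries):
    by_proc = defaultdict(list)
    for e in entries:
        by_proc[(e.pid, e.process)].append(e)
    return dict(by_proc)


def describe(e):
    label = WELL_KNOWN.get((e.port, e.proto), "unknown service")
    return f"{e.pid}:{e.process} {e.proto}/{e.port} on {e.local_ip} [{classify(e)}] {label}"


if __name__ == "__main__":
    entries = parse_port_report(SAMPLE_REPORT)
    for (pid, proc), socks in sorted(group_by_process(entries).items()):
        print(f"{pid}:{proc}")
        for e in socks:
            print("   ", describe(e))
    print("\nReachable from the network:")
    for e in network_exposed(entries):
        print("   ", describe(e))
```

The loopback-bound UDP sockets on svchost.exe and iexplore.exe drop out of the "reachable" list immediately, which is the same conclusion Tom reached by hand: what remains is the handful of system services (SMB, the RPC endpoint mapper, Windows Time) that one would expect on a default XP install.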
--------------------------------------------------------------------------------------------------------------------------------------
TomH:
Yes, I am sure...
I have no idea why the others miss the Java/ByteVerify. Maybe it is out of
date, maybe it isn't scanning archive files, maybe the AV software was shut
down when it was infected. I don't know.
But is the following patch on your PC?
http://www.microsoft.com/technet/security/bulletin/MS03-011.mspx
Information below...
Exploit-ByteVerify --
http://vil.nai.com/vil/content/v_100261.htm
Finally I have attached a McAfee Scan Report log file in HTML format showing
a similar infection.
--
Dave
| Dave, thanks again.
| Are you sure? Why did that av app not list that in the "viruses found"
| category?
| I don't use java for anything other than a cute little applet-in-a webpage
| that calculates and displays the current position of the ISS, so I took it
| right out.
| Any idea why all my other av apps missed it? And, any idea what this one
| does as a payload? or is it under complete control of its maker?
|
| Thanks again
|
| > You had the Java/ByteVerify Exploit Trojan.
| >
| > JAVA is JAVA and the Sun Java was infected. I have seen this before,
| > nothing new (to me at least).
| >
| > Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\BlackBox.class-72615c50-5f72dbb6.class
| > Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-4f7a6e50-5a280a80.class
| > Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-36d0366-38625aff.class
| > Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1910af14-607cb935.zip,(Installer.class)
| > Success Clean [ JAVA_BYTEVER.A]( 1) from C:\Documents and Settings\limited\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-5d0f29c3.zip,(Parser.class)
| >
| > Often the .CLASS files are in ZIP files in the Java JAR or .CLASS files in
| > the FILE cache so it is a good idea to go to the Java Control Panel applet
| > and select the "clear the cache" function.
| >
| > On another note, NETSTAT is a good Command Line utility but it is a static
| > view, basically a momentary snapshot. A better tool is a GUI called
| > TCPView.exe -- http://www.sysinternals.com/ -- it will display the active
| > changes in UDP and TCP and will show the executable opening the port.
| >
| > Thanx for posting the SYSCLEAN.LOG file !
| >
| > --
| > Dave
| >
| > | David, I did all of that. The summary says nothing found, but in the
| > | logfiles it seems to describe the removal of a java virus. But this
| > | virus is supposed to infect the MS java VM, which I don't have. I have
| > | the Sun Java implementation.
| > | Also there seems to have been a lot of problems accessing files, "Access
| > | denied", but the account under which I ran this has full admin privs, so
| > | it seems inconsistent. In any case, I have attached the sysclean.log
| > | text file (and that text file only) for you to look at. Please let me
| > | know what your opinion is.
| > | Thank you for your useful help.
| > |
| > |
| > | ==========================================================
| > | > Please try another tool...
| > | >
| > | > 1) Download the following two items...
| > | >
| > | > Trend Sysclean Package
| > | > http://www.trendmicro.com/download/dcs.asp
| > | >
| > | > Latest Trend signature files.
| > | > http://www.trendmicro.com/download/pattern.asp
| > | >
| > | > Create a directory.
| > | > On drive "C:\"
| > | > (e.g., "c:\New Folder")
| > | > or the desktop
| > | > (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
| > | >
| > | > Download SYSCLEAN.COM and place it in that directory.
| > | > Download the Trend Pattern File by obtaining the ZIP file.
| > | > For example; lpt351.zip
| > | >
| > | > Extract the contents of the ZIP file and place the contents in the
| > | > same directory as SYSCLEAN.COM .
| > | >
| > | > 2) Disable System Restore
| > | > http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
| > | > 3) Reboot your PC into Safe Mode then shutdown as many applications as
| > | > possible.
| > | > 4) Using the Trend Sysclean utility, perform a Full Scan of your
| > | > platform and clean/delete any infectors found
| > | > 5) Restart your PC and perform a "final" Full Scan of your platform
| > | > 6) Re-enable System Restore and re-apply any System Restore
| > | > preferences, (e.g. HD space to use suggested 400 ~ 600MB),
| > | > 7) Reboot your PC.
| > | > 8) Create a new Restore point
| > | >
| > | > * * * Please report back your results * * *
| > | >
| > | >
| > | > --
| > | > Dave
| > | >
| > | > http://www.claymania.com/removal-trojan-adware.html
| > | >
| > | > | Can anyone please tell me why my system has opened all of
| > | > | these UDP ports(output from MS PortReporter):
| > | > | ==========================================
| > | > | Operating System: Windows XP
| > | > | TCP/UDP Port to Process Mappings at service start-up
| > | > | 22 mappings found
| > | > | PID:Process Port Local IP State Remote IP:Port
| > | > | 4:System TCP 445 0.0.0.0 LISTENING 0.0.0.0
| > | > | 4:System UDP 445 0.0.0.0 *:*
| > | > | 824:svchost.exe TCP 135 0.0.0.0 LISTENING 0.0.0.0
| > | > | 888:svchost.exe UDP 123 24.86.74.167 *:*
| > | > | 888:svchost.exe UDP 123 127.0.0.1 *:*
| > | > | 888:svchost.exe UDP 1934 127.0.0.1 *:*
| > | > | 888:svchost.exe UDP 1935 127.0.0.1 *:*
| > | > | 888:svchost.exe UDP 1937 127.0.0.1 *:*
| > | > | 888:svchost.exe UDP 1938 127.0.0.1 *:*
| > | > | 888:svchost.exe UDP 1940 127.0.0.1 *:*
| > | > | 888:svchost.exe UDP 1941 127.0.0.1 *:*
| > | > | 888:svchost.exe UDP 1943 127.0.0.1 *:*
| > | > | 888:svchost.exe UDP 1944 127.0.0.1 *:*
| > | > | 944:svchost.exe UDP 1044 0.0.0.0 *:*
| > | > | 944:svchost.exe UDP 1206 0.0.0.0 *:*
| > | > | 944:svchost.exe UDP 1617 0.0.0.0 *:*
| > | > | 944:svchost.exe UDP 3182 0.0.0.0 *:*
| > | > | 1500:iexplore.exe TCP 1136 24.86.74.167 CLOSE WAIT 69.50.166.212:80
| > | > | 1500:iexplore.exe UDP 2885 127.0.0.1 *:*
| > | > | 1684:iexplore.exe TCP 3455 24.86.74.167 CLOSE WAIT 24.69.255.240:8080
| > | > | 1684:iexplore.exe TCP 3456 24.86.74.167 CLOSE WAIT 24.69.255.240:8080
| > | > | 1684:iexplore.exe UDP 3312 127.0.0.1 *:*
| > | > | =======================
| > | > |
| > | > | I only have these applications running: IE and Outlook Express.
| > | > | I deactivated netbios over tcpip to minimize attack surfaces, and all
| > | > | my anti spyware, antitrojan, and other security ware say my system is
| > | > | clean, so I'm puzzled by all these open ports.
| > | > | Please help.
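Dave's point that the cached .CLASS files often sit inside ZIP/JAR archives in the plug-in cache, which is why a scanner that skips archives misses them and why clearing the cache matters, as an added Python example that is not code from the thread. It inventories a Java deployment cache directory, opens each archive to list the class members inside, and maps the cache's mangled file names (such as `BlackBox.class-72615c50-5f72dbb6.class` and `classload.jar-1910af14-607cb935.zip` from the scan log above) back to their original names, so that a post-cleanup check can confirm what, if anything, is still cached. `build_demo_cache` creates a constructed throwaway directory with that layout; the name-mangling regex is my reading of the names in the log and is an assumption, not a documented format.

```python
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass

# Assumed cache naming: "<original>.class-<hex>-<hex>.class" for bare classes and
# "<original>.jar-<hex>-<hex>.zip" for archives, as seen in the scan log in the thread.
CACHE_NAME_RE = re.compile(
    r"^(?P<orig>.+?\.(?:class|jar))-[0-9a-f]+-[0-9a-f]+\.(?:class|zip)$", re.I)


@dataclass(frozen=True)
class CachedClass:
    cache_file: str   # path of the file in the cache
    container: str    # original jar name, or "" for a bare .class file
    class_name: str   # e.g. "Installer.class"


def original_name(filename):
    """Strip the cache's hex suffixes; unknown names are returned unchanged."""
    m = CACHE_NAME_RE.match(filename)
    return m.group("orig") if m else filename


def inventory(cache_root):
    """Every class in the cache, including those packed inside ZIP/JAR archives."""
    found = []
    for dirpath, _, files in os.walk(cache_root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            orig = original_name(fn)
            if zipfile.is_zipfile(path):
                # An archive: look at the members, not the container's name.
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(".class"):
                            found.append(CachedClass(path, orig, os.path.basename(member)))
            elif orig.lower().endswith(".class"):
                found.append(CachedClass(path, "", orig))
    return sorted(found, key=lambda c: (c.cache_file, c.class_name))


def matches(items, class_names):
    """Items whose class name is in a caller-supplied watch list (case-insensitive)."""
    wanted = {n.lower() for n in class_names}
    return [c for c in items if c.class_name.lower() in wanted]


def build_demo_cache():
    """Constructed cache directory mimicking the layout in the thread's scan log."""
    root = tempfile.mkdtemp(prefix="javacache_")
    file_dir = os.path.join(root, "javapi", "v1.0", "file")
    jar_dir = os.path.join(root, "javapi", "v1.0", "jar")
    os.makedirs(file_dir)
    os.makedirs(jar_dir)
    dummy_class = b"\xca\xfe\xba\xbe" + b"\x00" * 12   # class-file magic plus padding
    with open(os.path.join(file_dir, "BlackBox.class-72615c50-5f72dbb6.class"), "wb") as f:
        f.write(dummy_class)
    with zipfile.ZipFile(os.path.join(jar_dir, "classload.jar-1910af14-607cb935.zip"), "w") as zf:
        zf.writestr("Installer.class", dummy_class)
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    root = build_demo_cache()
    for c in inventory(root):
        where = f"inside {c.container}" if c.container else "bare file"
        print(f"{c.class_name:20} {where:30} {os.path.relpath(c.cache_file, root)}")
```

Run against the real cache path from the log (`...\Application Data\Sun\Java\Deployment\cache`) after "clear the cache", `inventory` should return an empty list; anything left over is a file the cache clear did not remove and is worth looking at.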