Someone thought they would amuse themselves by sending me a trojan. The file sent was in .pif format, but no longer exists in my files. The only files that have been found were found in the Task Manager as 'kernel32.exe', 'kerneill128.pif', and 'kernell128.exe'. I also found these files in c:\windows\ and c:\windows\system32. I was also told the kdll.dll file might be suspected as an infected file. That was found in windows\system.
I'm just wondering what sort of trojan this is, and how I can go about removing it, considering I had no type of anti-virus before receiving it.

Hi Miranda,
It's the Badtrans trojan.
Here's some info on how to manually delete it:

Badtransfix:
Open Task Manager to stop the process used by the worm:
Press CTRL+ALT+DEL. Select 'Task Manager'. Click on the 'Processes' tab.
Highlight the process 'KERNEL32.EXE' and click on 'End Process'.
You will see a confirmation message - click 'Yes'.
Scan with an updated antivirus scanner and remove all files detected as the worm.
Please note: you may be unable to delete the KDLL.DLL file because the operating system has locked it open. If so, restart your computer and scan again with your virus scanner to delete KDLL.DLL.

If the virus is reported in System Restore under Windows XP:
Infection in \Restore folder (Windows XP).
You cannot remove infected files in the \Restore folder.
Follow these instructions to create a workaround (no data will be lost):
1. Close all open programs.
2. Then, right-click My Computer on the Windows desktop.
3. Click Properties.
4. Click the System Restore tab.
   Click the checkbox Turn off System Restore
   (or the checkbox Turn Off System Restore on all drives).
5. Click OK.
6. Click Yes when prompted to turn off System Restore.
7. OK your way out.
This disables the System Restore feature and will purge the contents of the _RESTORE folder.
After finishing the removal instructions, repeat steps 1 through 7, except in step 4, uncheck the checkbox Turn Off System Restore and OK your way out again.
For more info on trojans go to the www.thepublicworks.com security section and link to simovits consulting, darkE, security dogs, tomcat, trojan ports etc.
Hope this helps,
murve

For the past day or so I've been deleting the kernel32.exe file from my Task Manager. After realizing I had the trojan, I went out and bought Norton AntiVirus. I installed it, but any time I try to run a scan, the program will just shut down. I'm not exactly sure how to scan for any infected files if the program won't open.
I downloaded the W32.Badtrans.B remover from that website and it said it couldn't find the virus on my computer, so I'm not sure if that is the right one.

I also downloaded a program called Trojan Defense Suite 3. I'm not quite sure if this isn't a real program, and just another type of virus ... but when it scanned, it said it found in my registry under HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\Current Version\Run\ [RunProg=C:\WINDOWS\kernell128.exe]. It asked if I wanted to have it deleted from the registry. I wasn't sure if that would be safe.

I've deleted the kernell128.exe files from my computer. Thank you.
TDS3 also found port 5000 open on my computer, which I heard can either be Plug 'n Play, or the Blaze 5 trojan.
I've also come across an IP that I believe to be the person using the trojan.
I looked on symantec.com and found where I can trace a potential attack. I typed in the IP that was found by my computer and found out the location and ISP. What could be done with this information?

Port 5000 is most likely UPnP. You can either run Steve Gibson's UnPlug n' Pray utility from here: http://www.grc.com
Or disable it through Services.msc. Click Start > Run > type services.msc and click OK.
Scroll down to Universal Plug and Play and double click on it.
First stop the service, then disable it.
As far as doing anything with the IP address, it's probably a waste of time. Most ISPs are reluctant to take any action.
Make sure you change all your passwords and install a firewall if you are not currently running one.

If port 5000 still shows as being in use after disabling Universal Plug n Play, should I suspect it's a trojan?

Yes. If you disabled UPnP and 5000 is still open, something is using it. Let's see what is going on. Go here and download and run StartupList. It will create a log file; copy the log and paste it in a reply.

StartupList report, 3/11/2003, 6:54:31 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\demo\Local Settings\Temp\Temporary Directory 1 for startuplist152.zip\StartupList.exe
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\DelFin\PromulGate\PgMonitr.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\tds\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\tds\Ext.Sys\tbridge.exe
C:\Program Files\AIM95\aim.exe
C:\tds\Ext.Sys\tbridge.exe
C:\tds\Ext.Sys\loc_scan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\tds\Ext.Sys\loc_scan.exe
C:\tds\Ext.Sys\loc_scan.exe
C:\Documents and Settings\demo\Local Settings\Temp\Temporary Directory 1 for startuplist152.zip\StartupList.exe
C:\Program Files\Messenger\msmsgs.exe
---------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
---------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
USRpdA = C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
MediaLoads Installer = "C:\Program Files\DownloadWare\dw.exe" /H
KAZAA = C:\Program Files\Kazaa\kazaa.exe /SYSTRAY
zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
PromulGate = "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
Microsoft Tray = C:\windows\system32\kerneill128.pif
InternalSystray = c:\windows\system32\kernel32.exe
ccApp = C:\Program Files\Common Files\Symantec Shared\ccApp.exe
ccRegVfy = C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
LDM = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
---------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
---------------------
Enumerating Browser Helper Objects:
MediaLoads Enhanced - C:\Program Files\MediaLoads Enhanced\ME1.DLL - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
---------------------
Enumerating Task Scheduler jobs:
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
---------------------
Enumerating Download Program Files:
[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab
[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/04d3e68c46fd756eb401/netzip/RdxIE6.cab
[{69FD62B1-0216-4C31-8D55-840ED86B7C8F}]
CODEBASE = http://installs.hotbar.com/installs/hotbar/programs/hotbar.cab
[PWMediaSendControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll
CODEBASE = http://216.249.24.140/code/PWActiveXImgCtl.CAB
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37662.9353819444
[CDToolCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cdTool.dll
CODEBASE = http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[IMViewerControl Class]
InProcServer32 = C:\WINDOWS\System32\CIMVIEW.dll
CODEBASE = http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab
[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4251/mcfscan.cab
---------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\DOCUME~1\demo\LOCALS~1\Temp\_iu14D2N.tmp|||L
---------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
---------------------
End of report, 7,926 bytes
Report generated in 2.313 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
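As an added example (not code from the thread or from StartupList itself), here is a small Python checker that reads the 'Name = target' autorun lines of a StartupList report like the one above and flags the two entries later identified as the worm's: one launching a .pif from system32, and one named after kernel32, which is a DLL and never a program. The sample input is constructed from the report's own lines; the list of DLL-only names, the extension list and the edit-distance threshold are my assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the HKLM Run entries as printed in the StartupList report above.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
USRpdA = C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
Microsoft Tray = C:\windows\system32\kerneill128.pif
InternalSystray = c:\windows\system32\kernel32.exe
"""

# Assumption: core OS components that ship as DLLs and are never launched from a Run key.
DLL_ONLY_NAMES = {"kernel32", "ntdll", "user32", "advapi32", "gdi32", "shell32"}
# Assumption: executable types with no legitimate reason to sit in a desktop Run key.
ODD_EXEC_EXT = {".pif", ".scr", ".bat", ".com", ".cmd", ".vbs"}
# 'Name = target [args]', target optionally quoted; stops at the first executable extension.
ENTRY_RE = re.compile(
    r'^(?P<name>[^=]+?)\s*=\s*"?(?P<exe>.*?\.(?:exe|pif|scr|com|bat|cmd|vbs))"?(?=\s|$)', re.I)


def edit_distance(a, b):
    """Levenshtein distance; tiny enough to inline instead of pulling in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_reasons(exe_path):
    """Explain why an autorun target looks like a look-alike of a core OS file ([] if it does not)."""
    p = PureWindowsPath(exe_path)
    stem, ext = p.stem.lower(), p.suffix.lower()
    reasons = []
    if ext in ODD_EXEC_EXT:
        reasons.append(f"unusual executable type {ext} in a Run key")
    # Compare letters only, so 'kerneill128' is measured against 'kernel', not 'kernel32'.
    letters = re.sub(r"\d", "", stem)
    for real in sorted(DLL_ONLY_NAMES):
        if edit_distance(letters, re.sub(r"\d", "", real)) <= 2:  # threshold is an assumption
            reasons.append(f"name mimics {real}, a system DLL that is never run as {ext}")
            break
    return reasons


def scan_autoruns(report):
    """Walk the 'Name = target' lines of a StartupList report; return (name, target, reasons)."""
    findings = []
    for line in report.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and (reasons := suspicious_reasons(m.group("exe"))):
            findings.append((m.group("name").strip(), m.group("exe"), reasons))
    return findings


if __name__ == "__main__":
    for name, exe, why in scan_autoruns(SAMPLE_REPORT):
        print(f"{name!r} -> {exe}: {'; '.join(why)}")
```

The same check can be pointed at the HKCU Run and RunOnce sections of the report, which use the identical 'Name = target' layout.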

I need to close port 5001. I got Sockets de Troie in it. How do I close it? I've got a firewall, actually I have 3, and a router. I have a Linksys router with a wireless internet card. Please email me your response at matt@comprotech.com because I will forget to check back later. lol. Thanks

Oh, and also sometimes when I try to install or download something this popup comes up saying, "Access to the specified device, path, or file is denied."

Click Start > Run > type msconfig and click OK.
Click the Startup tab and uncheck the following:
Microsoft Tray = C:\windows\system32\kerneill128.pif
InternalSystray = c:\windows\system32\kernel32.exe
Click Apply/OK and reboot. Do a find files for kerneill128.pif and kernel32.exe and delete them.
You also have quite a bit of spyware. Download, update and run Spybot S&D to remove it.

If you remove the spyware (which I also recommend) Kazaa won't work. You should uninstall Kazaa completely, run Spybot, then download Kazaa Lite, which is exactly the same as Kazaa but without the spyware.

Well, I've removed the kerneill128.pif and kernel32.exe files from my computer and ran Spybot (and removed Kazaa). I ran a port scan on TDS again and it is still coming up with port 5000 being in use (Universal Plug & Play is still disabled).

StartupList report, 3/12/2003, 2:12:42 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\demo\Local Settings\Temp\Temporary Directory 2 for startuplist152.zip\StartupList.exe
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\demo\Local Settings\Temp\Temporary Directory 2 for startuplist152.zip\StartupList.exe
---------------------
Listing of startup folders:
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
---------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
---------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
IgfxTray = C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\System32\hkcmd.exe
AdaptecDirectCD = "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
USRpdA = C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Yahoo! Pager = C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
LDM = \Program\BackWeb-8876480.exe
AIM = C:\Program Files\AIM95\aim.exe -cnetwait.odl
---------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
ICQ Lite = C:\Program Files\ICQLite\ICQLite.exe -trayboot
---------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
---------------------
Enumerating Browser Helper Objects:
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
---------------------
Enumerating Task Scheduler jobs:
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
---------------------
Enumerating Download Program Files:
[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst.cab
[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://207.188.7.150/04d3e68c46fd756eb401/netzip/RdxIE6.cab
[PWMediaSendControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\PWActiveXImgCtl.dll
CODEBASE = http://216.249.24.140/code/PWActiveXImgCtl.CAB
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37662.9353819444
[CDToolCtrl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\cdTool.dll
CODEBASE = http://free.aol.com/tryaolfree/cdt175/aolcdt175.cab
[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
[IMViewerControl Class]
InProcServer32 = C:\WINDOWS\System32\CIMVIEW.dll
CODEBASE = http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab
[McFreeScan Class]
InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4251/mcfscan.cab
---------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
---------------------
End of report, 6,826 bytes
Report generated in 0.672 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

I don't see any signs of a virus. But to be on the safe side, go here and run an online scan:
Housecall
Make sure you disable your Norton Auto-Protect while running the online scan.
Then install a firewall and see if it alerts you to anything unusual trying to connect to the net.

I downloaded a program called ZoneAlarm and everything seems to be going okay. I believe the trojan is off the computer. The only thing weird going on is that every few minutes my cursor will have the hourglass as if it's doing something, just out of the blue (even if no programs are open). I'm not sure what that means. I looked in the Task Manager to see what all was running, but nothing out of the ordinary was there. Maybe I'm just paranoid now. heh
I just wanted to say thank you to everyone who helped!! I really appreciate it!

Hi Miranda,
Here are a couple of things to do:
1. Get an antivirus program. AVG Antivirus is very good, and it's free:
http://www.grisoft.com/html/us_index.htm?session=c3dc94b33cd6cd22410a4cd204cc999d
2. Install "Spybot Search and Destroy" or "Ad-Aware" (I prefer Spybot).
http://security.kolla.de/index.php?lang=en&page=download
Hope this helps.
Robstr
