I have a PC that has an unknown application installed on it that attempts to connect to a specific site (66.220.17.X) at random times, at least 1-3 times a day (usually from 12-7am) using a SVCHOST.EXE process. I have downloaded an application that monitors TCP/IP port connections and captures the task manager process info to a file. I have identified the process id attempting to make the connection via the captured log. I have also run "tlist -s pid" from the Windows Platform SDK to identify the services associated with each instance of svchost running. Unfortunately, the questionable process does not always exist at the time I analyze the captured logs, so I have not been able to determine the program being executed. I have also set auditing on "svchost.exe" to see if I can capture the activity causing this exploit.

I have also gotten a Windows Performance "Trace Log" (.etl file) which I am unable to parse via "Tracefmt.exe", also from the Windows Platform SDK. Any suggestions on how to proceed to identify the rogue application? (Thanks)
i have but am unable to parse with f
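The problem described in the post above is that the connection is short-lived and the svchost.exe instance has often exited before the log is read, so the PID can no longer be mapped to a service. The following script is an added example, not code from the original post or from any tool it names; it polls outbound TCP connections on a modern Windows host, records the owning process and, for svchost.exe, the services hosted in that PID (the same mapping "tlist -s pid" produced), and writes each hit to disk immediately so the evidence survives the process exiting. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection), an elevated PowerShell session, and treats the address prefix from the post as a filter only.

```powershell
# Added example (not from the original post): poll outbound TCP connections,
# attribute each to its owning process and, for svchost.exe, to the services
# hosted in that PID. Assumptions: Windows 8/Server 2012+ (Get-NetTCPConnection)
# and an elevated session so service-to-PID mapping and all sockets are visible.
# The remote prefix is the one from the post; matching it is a filter, not a verdict.

param(
    [string] $TargetPrefix    = '66.220.17.',                       # remote address prefix to watch
    [int]    $IntervalSeconds = 5,                                  # poll interval
    [string] $LogPath         = "$env:TEMP\svchost-connections.csv" # evidence log
)

# Build a PID -> service-name map on every poll; services start and stop.
function Get-ServicesByPid {
    $map = @{}
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        ForEach-Object {
            if (-not $map.ContainsKey($_.ProcessId)) { $map[$_.ProcessId] = @() }
            $map[$_.ProcessId] += $_.Name
        }
    return $map
}

# Return one record per connection whose remote address matches the prefix.
function Get-SuspectConnections {
    param([string] $Prefix)
    $services = Get-ServicesByPid
    Get-NetTCPConnection -State Established, SynSent, TimeWait -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -like "$Prefix*" } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Time          = Get-Date -Format 's'
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                Pid           = $_.OwningProcess
                Process       = if ($proc) { $proc.ProcessName } else { '<exited>' }
                ImagePath     = if ($proc) { $proc.Path } else { '' }
                # Only svchost.exe hosts services; for other processes this is empty.
                Services      = ($services[[uint32]$_.OwningProcess] -join ';')
            }
        }
}

# Poll until Ctrl-C. Each hit is appended to the CSV as soon as it is seen, so
# the PID-to-service mapping is preserved even after the process has exited.
while ($true) {
    $hits = Get-SuspectConnections -Prefix $TargetPrefix
    if ($hits) {
        $hits | Export-Csv -Path $LogPath -Append -NoTypeInformation
        $hits | Format-Table -AutoSize | Out-String | Write-Host
    }
    Start-Sleep -Seconds $IntervalSeconds
}
```

The Services column is the piece that answers the question in the post: an svchost.exe PID on its own says nothing, but the list of services it hosts narrows the search to a handful of registered binaries, which can then be reviewed in the service configuration. Shortening the interval catches briefer connections at the cost of more polling overhead.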

Re: Svchost.exe Internet exploit by Sal

Sal
Fri Aug 08 08:52:05 CDT 2003

Sandi -
Thanks for all the useful recommendations. I have spent quite a bit of time the last 3 days analyzing what's been happening on the questionable PC described previously. To my surprise Ad-Aware, Spybot Search and Destroy, and BHODemon identified and cleaned SpyWare/Hijackware found on ALL PC's on our network. I also used Sygate Personal FW Pro v5.1 (trial mode) to identify, via the logs, the rogue application that attempted random connections to 66.220.17.x as being HP Web Jet Admin Service (hpwebjetd.exe). This all has led me to ask what is the best way to stay protected (besides running these apps, and updating to IE 6.x SP1)? It looks like scanning for these exploits will need to be done regularly ... Has anyone had a similar problem/exploit with this application hpwebjetd.exe?
>-----Original Message-----
>It is essential to check for spyware/hijackware/foistware.
>
>Go to IE tools, internet options, general tab. Click on the cache settings button and then 'view objects'. Delete anything you don't recognise. If you are unsure, or no objects appear, for diagnosis purposes I REALLY like BHODemon, available at http://www.definitivesolutions.com/bhodemon.htm. It does not need installing - simply unzip and run the EXE programme. It is very easy to use.
>
>Also, you may like to use a programme called BHOCop available here:
>
>http://www.pcmag.com/article2/0,4149,2023,00.asp
>
>I find this programme is a better option than IE6's ability to turn off "Enable third-party browser extensions (requires restart)". This disables *all* plug-ins and makes troubleshooting very difficult.
>
>Many people like AdAware, available at www.lavasoft.de . Make sure you keep the signature files up to date and remember, AdAware may only remove the current installation of spyware; it may not do anything about software that reinstalls itself, so unless you want to get stuck in an endless loop of hijack/cleanout/hijack/cleanout make sure you get rid of whatever is installing the junk. See my Troubleshooting advice for information about how to track down and get rid of spyware completely.
>http://www.mvps.org/inetexplorer/Darnit.htm#tshoot
>
>An excellent replacement for AdAware is Spybot. Again, it is a free programme which can be downloaded from:
>http://spybot.eon.net.au/
>
>--
>Hyperlinks are used to ensure answers remain current.
>________________________________________
>Sandi Hardmeier - Microsoft MVP since 1999
>http://www.mvps.org/inetexplorer
>
>"Sal Zumpano" <sal.zumpano@rl.af.mil> wrote in message
>news:002501c35b75$fc3d8fa0$a501280a@phx.gbl...
>> I have a PC that has an unknown application installed on it that attempts to connect to a specific site (66.220.17.X) at random times, at least 1-3 times a day (usually from 12-7am) using a SVCHOST.EXE process. I have downloaded an application that monitors TCP/IP port connections and captures the task manager process info to a file. I have identified the process id attempting to make the connection via the captured log. I have also run "tlist -s pid" from the Windows Platform SDK to identify the services associated with each instance of svchost running. Unfortunately, the questionable process does not always exist at the time I analyze the captured logs, so I have not been able to determine the program being executed. I have also set auditing on "svchost.exe" to see if I can capture the activity causing this exploit.
>>
>> I have also gotten a Windows Performance "Trace Log" (.etl file) which I am unable to parse via "Tracefmt.exe", also from the Windows Platform SDK. Any suggestions on how to proceed to identify the rogue application? (Thanks)
>> i have but am unable to parse with f
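Sandi's quoted advice centres on finding out which Browser Helper Objects are loaded into Internet Explorer without resorting to the all-or-nothing "disable third-party extensions" switch. The script below is an added example, not code from the thread or from BHODemon or BHOCop; it enumerates the BHO registration keys, resolves each CLSID to the DLL that implements it, and reports whether the file exists and who signed it, so a reviewer can see at a glance which entries are worth investigating. It assumes an elevated PowerShell session on Windows and uses the documented BHO and COM registration locations; no other paths or names are taken from the thread.

```powershell
# Added example (not from the original message or from any tool it names):
# enumerate registered Browser Helper Objects and resolve each one to its DLL.
# Assumptions: elevated PowerShell on Windows; the registry keys below are the
# standard BHO registration keys (64-bit and 32-bit views) and the standard
# COM InprocServer32 location.

$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

# A COM in-process server records its DLL in CLSID\{guid}\InprocServer32 (default value).
function Resolve-ClsidToDll {
    param([string] $Clsid)
    foreach ($root in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) {
            $dll = (Get-ItemProperty -Path $key).'(default)'
            if ($dll) { return [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) }
        }
    }
    return $null
}

# One record per registered BHO, with the DLL it maps to and its signature state.
function Get-RegisteredBho {
    foreach ($base in $bhoKeys) {
        if (-not (Test-Path $base)) { continue }
        Get-ChildItem -Path $base | ForEach-Object {
            $clsid = $_.PSChildName
            $dll   = Resolve-ClsidToDll -Clsid $clsid
            $sig   = if ($dll -and (Test-Path $dll)) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
            [pscustomobject]@{
                CLSID      = $clsid
                # NoExplorer=1 means the BHO loads in IE only, not in Windows Explorer.
                NoExplorer = (Get-ItemProperty -Path $_.PSPath).NoExplorer
                DllPath    = $dll
                Exists     = [bool]($dll -and (Test-Path $dll))
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned or missing>' }
                SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            }
        }
    }
}

# Unsigned DLLs, or DLLs living in user-writable directories, are the entries
# to review first; a registration whose DLL no longer exists is stale but harmless.
Get-RegisteredBho | Sort-Object SigStatus, DllPath | Format-Table -AutoSize
```

Unlike disabling all third-party extensions, this leaves the browser untouched and only reads the registry, so it is safe to run repeatedly and to diff over time: a new CLSID appearing between two runs is the reinstall loop Sandi describes, and the DllPath column names the file that keeps coming back.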