
how to catch an undetected trojan?


waya
June 14th, 2003, 09:27 PM
Hi people, I have a trojan and don't know how to proceed. I was typing an e-mail and the screen wiggled up and down rapidly. I typed, "if you can see this, wiggle again". It did. I tried a few other communications and received a response each time. I scanned with TDS. No trojan found, but a warning that explorer.exe had changed. I replaced the explorer.exe with another copy from backups. I scanned again, and received a warning that sys.ini had changed. I didn't know what to do with it or tell how it changed. My ZoneAlarm Pro now asks me whether Explorer can use Messenger to access the internet. It didn't ask that before. I tried saying no and my Messenger won't sign in. I changed it to yes and Messenger works. I read the entire help files from TDS. I tried the TCP Connect and TCP Listen. I turned on the NetBus Emulator. TCP Connect showed NetBus 1.60 and I sent the RemoveServer command and nothing happened. I probably ballsed it up through lack of knowledge. I then thought, maybe the Emulator is what I'm seeing connected in the first place, because why didn't TDS find NetBus 1.60 if it was on my system? These questions sparked a tidal wave of more questions. I vow here to learn as much as possible as fast as possible in order to help myself, but I could use a hand up here, fellas, as my head is swimming. I am asking for advice as to how to proceed from here. First up, should I leave the NetBus Emulator turned on? If not, please tell me how to turn it off. I eagerly await any advice and instructions! To put something back into the world, if anyone is having trouble catching mice, I invented a mousetrap modification that works like a charm on street-smart urban mice. Let me know and I'll e-mail you the instructions. Meanwhile, there is a RAT in my beloved PC! Help! :o

Dan Perez
June 14th, 2003, 09:58 PM
Hi waya,

First, I got a number of questions...

1. Are you using a trial version or registered version of TDS?

1a. If registered, you should make sure that ExecProt is enabled (it should say whether or not it is enabled in the TDS console when starting TDS).

2. Are your protection options set high? (Scan Control -> Scan Options tab. Everything on the left side should be checked, and on the right everything except Eicar and Show all NTFS Streams should be checked. On the ADS Stream Options, set it to ignore streams smaller than 512 bytes. On the Generic Detection tab click on both check boxes and set the slider to the extreme right. On the Configuration button, on the Startup tab, Startup Scanning section, enable all except the CRC Test.)

3. If you are running NT/2k/XP download the freeware autostart viewer from

http://www.diamondcs.com.au/downloads/asviewer.zip

The program is a GUI program; launch it and go to the Main menu and select all three top options and then select save (it will save the output to a text file). If you could post the contents of the file that would help immensely.

4. Restart TDS and do a full scan.

I think this is enough to get started on

BTW, the emulator has nothing to do with this but you might just as well leave it off while doing the scan

Dan Perez
June 14th, 2003, 10:17 PM
Another thing that would help (if you have NT/2k/XP) is to download fport from

http://www.foundstone.com/resources/termsofuse.htm?file=fport.zip

unzip it to your windows directory and from the command prompt type

fport -p > openports.txt

and paste the contents of the openports.txt file here

Wayne - DiamondCS
June 14th, 2003, 10:54 PM
Download Port Explorer (http://www.diamondcs.com.au/portexplorer/), it has a Save capability so you can copy the results to a text file. It's far more accurate than FPort.

waya
June 15th, 2003, 12:09 AM
Hi fellas: here's the reports. I configured TDS as you said. I ran another scan and still no results/findings. As for the Emulator, I figured out how to install it, but I don't know how to uninstall/turn it off. Please advise. Sorry for the lag, I had to pick up the missus from work. I already had Port Explorer and Autostart Viewer. I didn't mention before but I'm running XP Home with all updates.
----------
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
--------------------------------------------------------------------------------------------------------------------------------------------------------
| SYSTEM | --- | 0 | TCP | XX.XX.XXX.XX | 1309 | 66.227.68.99 | 80 | TIME_WAIT | --- | --- |
| SYSTEM | --- | 4 | TCP | 0.0.0.0 | 445 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 4 | TCP | XX.XX.XXX.XX | 139 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 4 | TCP | 0.0.0.0 | 1027 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 4 | UDP | XX.XX.XXX.XX | 137 | *.*.*.* | * | LISTENING | --- | --- |
| SYSTEM | --- | 4 | UDP | XX.XX.XXX.XX | 138 | *.*.*.* | * | LISTENING | --- | --- |
| SYSTEM | --- | 4 | UDP | 0.0.0.0 | 445 | *.*.*.* | * | LISTENING | --- | --- |
| lsass.exe | 17:29 14/06/2003 | 428 | UDP | 0.0.0.0 | 500 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| lsass.exe | 17:29 14/06/2003 | 428 | UDP | 0.0.0.0 | 4500 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 17:29 14/06/2003 | 600 | TCP | 0.0.0.0 | 135 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| svchost.exe | 17:29 14/06/2003 | 600 | UDP | 0.0.0.0 | 135 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 17:29 14/06/2003 | 624 | TCP | 0.0.0.0 | 1025 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| svchost.exe | 17:29 14/06/2003 | 624 | UDP | XX.XX.XXX.XX | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 17:29 14/06/2003 | 624 | UDP | 127.0.0.1 | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| svchost.exe | 17:29 14/06/2003 | 624 | UDP | 0.0.0.0 | 1026 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| iexplore.exe | 17:42 14/06/2003 | 1620 | UDP | 127.0.0.1 | 1102 | 127.0.0.1 | 1102 | LISTENING | 2102/2102 | 2102/2102 |
| iexplore.exe | 20:42 14/06/2003 | 1620 | TCP | XX.XX.XXX.XX | 1310 | 66.227.68.99 | 80 | CLOSE_WAIT | 21/10670 | 88/43906 |
| iexplore.exe | 20:42 14/06/2003 | 1620 | TCP | XX.XX.XXX.XX | 1311 | 66.227.68.99 | 80 | CLOSE_WAIT | 20/10279 | 79/26876 |
| iexplore.exe | --- | 1620 | TCP | 0.0.0.0 | 1310 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| iexplore.exe | --- | 1620 | TCP | 0.0.0.0 | 1311 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| explorer.exe | 20:39 14/06/2003 | 1724 | TCP | XX.XX.XXX.XX | 1308 | 207.46.248.249 | 80 | CONNECTING | 3/393 | 8/795 |
| explorer.exe | 20:39 14/06/2003 | 1724 | TCP | XX.XX.XXX.XX | 1307 | 207.46.248.249 | 80 | CONNECTING | 2/262 | 5/529 |
| explorer.exe | --- | 1724 | TCP | 0.0.0.0 | 1307 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| explorer.exe | --- | 1724 | TCP | 0.0.0.0 | 1308 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| nbsrvem.exe | 18:56 14/06/2003 | 1804 | TCP | 0.0.0.0 | 12345 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| msmsgs.exe | 17:30 14/06/2003 | 1952 | UDP | 0.0.0.0 | 1028 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| msmsgs.exe | 17:30 14/06/2003 | 1952 | UDP | XX.XX.XXX.XX | 15117 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| msmsgs.exe | 17:30 14/06/2003 | 1952 | TCP | XX.XX.XXX.XX | 14479 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| msmsgs.exe | 17:30 14/06/2003 | 1952 | TCP | XX.XX.XXX.XX | 1030 | 207.46.106.198 | 1863 | ESTABLISHED | 9/566 | 16/2011 |
| msmsgs.exe | 17:30 14/06/2003 | 1952 | UDP | 127.0.0.1 | 1031 | 127.0.0.1 | 1031 | LISTENING | 5/5 | 5/5 |
| msmsgs.exe | --- | 1952 | TCP | 0.0.0.0 | 1030 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| pavproxy.exe | 17:30 14/06/2003 | 2008 | UDP | 127.0.0.1 | 18001 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| pavproxy.exe | 17:30 14/06/2003 | 2008 | UDP | 127.0.0.1 | 18003 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| pavproxy.exe | 17:30 14/06/2003 | 2008 | UDP | 127.0.0.1 | 18002 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| pavproxy.exe | 17:30 14/06/2003 | 2008 | TCP | 127.0.0.1 | 31595 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| pavproxy.exe | 17:30 14/06/2003 | 2008 | TCP | 127.0.0.1 | 31597 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| pavproxy.exe | 17:30 14/06/2003 | 2008 | TCP | 127.0.0.1 | 31596 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
--------------------------------------------------------------------------------------------------------------------------------------------------------
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for michael@PRE-INSTALLED, 06-14-2003
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\config.sys
C:\DOS\HIMEM.SYS
C:\HXCD-ROM\CDROM.SYS /D:MSCD000
C:\HXCD-ROM\CDROM.SYS /D:MSCD000
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\ssstars.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\ssstars.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PPMemCheck
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CookiePatrol
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ad-watch
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PestPatrol Control Center
C:\PROGRA~1\PESTPA~1\PPControl.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
C:\WINDOWS\system32\dumprep 0 -k
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpyCop ScanCheck
C:\Program Files\Common Files\Microsoft Shared\Perl.exe /LASTSCAN
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
C:\badger\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS
C:\Program Files\Messenger\msmsgs.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm Pro.lnk
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\System32\dcsws2.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
C:\WINDOWS\inf\unregmp2.exe /ShowWMP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
%ProgramFiles%\Outlook Express\setup50.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
regsvr32.exe /s /n /i:U shell32.dll
HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
C:\WINDOWS\System32\ie4uinit.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\
C:\WINDOWS\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD
HKLM\System\CurrentControlSet\Services\AFD\
C:\WINDOWS\System32\drivers\afd.sys
HKLM\System\CurrentControlSet\Services\Alerter\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\AudioSrv\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\CryptSvc\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Dhcp\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Eventlog\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\helpsvc\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\lanmanworkstation\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\LmHosts\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\Messenger\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\NVSvc\
C:\WINDOWS\System32\nvsvc32.exe
HKLM\System\CurrentControlSet\Services\PAVDRV\
C:\WINDOWS\system32\drivers\Pavdrv51.sys
HKLM\System\CurrentControlSet\Services\PAVSRV\
C:\badger\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
HKLM\System\CurrentControlSet\Services\PlugPlay\
C:\WINDOWS\system32\services.exe
HKLM\System\CurrentControlSet\Services\PolicyAgent\
C:\WINDOWS\System32\lsass.exe
HKLM\System\CurrentControlSet\Services\ProtectedStorage\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\RpcSs\
C:\WINDOWS\system32\svchost -k rpcss
HKLM\System\CurrentControlSet\Services\SamSs\
C:\WINDOWS\system32\lsass.exe
HKLM\System\CurrentControlSet\Services\Schedule\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Secdrv\
C:\WINDOWS\System32\DRIVERS\secdrv.sys
HKLM\System\CurrentControlSet\Services\seclogon\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\SENS\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\ShellHWDetection\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\Spooler\
C:\WINDOWS\system32\spoolsv.exe
HKLM\System\CurrentControlSet\Services\srservice\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\stisvc\
C:\WINDOWS\System32\svchost.exe -k imgsvc
HKLM\System\CurrentControlSet\Services\Themes\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\TrkWks\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\uploadmgr\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\vsdatant\
\??\C:\WINDOWS\System32\vsdatant.sys
HKLM\System\CurrentControlSet\Services\vsmon\
C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
HKLM\System\CurrentControlSet\Services\W32Time\
C:\WINDOWS\System32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WebClient\
C:\WINDOWS\System32\svchost.exe -k LocalService
HKLM\System\CurrentControlSet\Services\winmgmt\
C:\WINDOWS\system32\svchost.exe -k netsvcs
HKLM\System\CurrentControlSet\Services\WZCSVC\
C:\WINDOWS\System32\svchost.exe -k netsvcs

Eagerly awaiting your reply. Waya

- Removed your private TCP IP address - LowWaterMark

Dan Perez
June 15th, 2003, 12:18 AM
Still looking through it, but at the time of the capture via Port Explorer did you have any signs of a current connection?

waya
June 15th, 2003, 12:20 AM
Not that I'm aware of. BTW my TDS is a full registered version. I forgot to tell you. Also how to toggle the Emulator on or off?

Dan Perez
June 15th, 2003, 12:29 AM
Good question :)

I would try to just stop that process from the task manager

Regarding your Port Explorer output I do not see anything there to worry about yet. I suggest you keep Port Explorer on the Remote tab and keep an eye out for addresses you can't account for.

Still looking through the asviewer output :)

waya
June 15th, 2003, 12:37 AM
Do I leave Port Explorer running whenever I'm on the computer and just watch that tab?

Dan Perez
June 15th, 2003, 12:43 AM
Sure,

you might also want to change some default settings

Settings -> File Logging -> limit to 16MB
Settings -> Show New Sockets for 10Seconds
Settings -> Show Dead Sockets for 10 seconds

This way you can position the window around back on the side and still get a hint when there is some activity

I Don't see anything obvious in the autostart either but hopefully some others will have some input.

Did you load any software lately that might account for this?

Dan Perez
June 15th, 2003, 12:53 AM
waya,

If you haven't already done so, you might want to register on the TDS Private Forum over at

http://www.diamondcs.com.au/forum

In the meantime, to save time I created a thread there pointing to this one to see if anyone else will have additional input (as I am quite sure they will!)

LowWaterMark
June 15th, 2003, 01:01 AM
Because I have difficulty reading the wrapped text of the PE port listing output, here is an image of it with just the bytes sent/received columns removed.

Dan Perez
June 15th, 2003, 01:23 AM
waya,

Thanks to LowWaterMark's treatment of the PE output a couple of possibilities are evident.

I suggest enabling SocketSpy on the TCP 14479 and UDP 15117 (both used by the MS Messenger Process)

waya
June 15th, 2003, 01:41 AM
Thanks LowWaterMark and Dan. I have enabled spying on both. I don't see anything yet when I click on packet data. Hope I did it right. I went to the tab, highlighted the appropriate line and then clicked enable spying. Hmmm... :-\ I think we're getting closer.

Dan Perez
June 15th, 2003, 01:42 AM
also, did you recently change your screensaver?

waya
June 15th, 2003, 01:43 AM
Not at all.

waya
June 15th, 2003, 01:51 AM
nope

Dan Perez
June 15th, 2003, 01:58 AM
Okay,

Let's see what modules you have loaded in the explorer.exe process.

If you could goto

http://www.xmlsp.com/pview/prcview.htm

and download the freeware PrcView product. It has a GUI as well as a command line component.

open a command prompt to where you install it and type the command

pv -m explorer.exe > explorermodules.txt

and paste the contents of that here

xam
June 15th, 2003, 01:59 AM
nbsrvem.exe listening on port 12345 looks dodgy to me. It's the default port used by NetBus trojan.

Dan Perez
June 15th, 2003, 02:02 AM
Yes that's right but that is TDS's custom NetBus Emulator, not the real thing.
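The listing waya posted is read by eye in this thread: Dan looks for remote addresses that cannot be accounted for (the Remote tab he suggests watching), and xam spots nbsrvem.exe on TCP 12345 because that is the NetBus default port. The script below is an added example, not part of the thread and not DiamondCS or Foundstone code. It parses a Port Explorer style table (a few rows constructed from waya's listing, with his host address masked as in the post) and applies those same first-pass rules. It flags nbsrvem.exe exactly as xam did and has no way of knowing that the process is the TDS emulator, which is the point Dan makes: a port match is a prompt to identify the owning process, not a verdict. The two default ports other than 12345 in the lookup table are assumed, well-known values not taken from the thread.

```python
"""Triage a Port Explorer / fport style socket listing.

Added example, not part of the thread and not DiamondCS or Foundstone code.
The sample rows are constructed to match the column layout waya pasted
(his own address masked as XX.XX.XXX.XX); the rules are the usual first
pass a helper does by eye, not a verdict on any process.
"""
import ipaddress
from collections import defaultdict

COLUMNS = ["name", "created", "pid", "proto", "laddr", "lport",
           "raddr", "rport", "status", "sent", "recvd"]

# Constructed sample in the layout of the posted listing.
SAMPLE = """\
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
--------------------------------------------------------------------------------------------------------------------------------------------------------
| SYSTEM | --- | 4 | TCP | 0.0.0.0 | 445 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| msmsgs.exe | 17:30 14/06/2003 | 1952 | TCP | XX.XX.XXX.XX | 14479 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| msmsgs.exe | 17:30 14/06/2003 | 1952 | TCP | XX.XX.XXX.XX | 1030 | 207.46.106.198 | 1863 | ESTABLISHED | 9/566 | 16/2011 |
| nbsrvem.exe | 18:56 14/06/2003 | 1804 | TCP | 0.0.0.0 | 12345 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| pavproxy.exe | 17:30 14/06/2003 | 2008 | TCP | 127.0.0.1 | 31595 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
"""

# Default listening ports of old remote-access trojans. 12345 (NetBus) is the one
# named in the thread; the other two are well-known defaults assumed for illustration.
DEFAULT_RAT_PORTS = {12345: "NetBus", 31337: "Back Orifice", 27374: "SubSeven"}


def parse_rows(text):
    """Turn the pipe-delimited table into dicts keyed by COLUMNS, skipping header and rules."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != len(COLUMNS) or cells[0] == "NAME":
            continue
        rows.append(dict(zip(COLUMNS, cells)))
    return rows


def is_loopback(addr):
    """127.x bindings are reachable only from the machine itself."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # masked host address ('XX.XX.XXX.XX') or '*.*.*.*'


def is_external(addr):
    """True only for a real, routable address; wildcard, loopback, RFC1918 and masked values are not."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not (ip.is_unspecified or ip.is_loopback or ip.is_private)


def triage(rows):
    """Return (process, severity, message) triples for sockets worth a second look."""
    findings = []
    for r in rows:
        lport = int(r["lport"]) if r["lport"].isdigit() else None
        # A TCP listener bound to 0.0.0.0 or the host address is open to the network.
        if r["status"] == "LISTENING" and r["proto"] == "TCP" and not is_loopback(r["laddr"]):
            rat = DEFAULT_RAT_PORTS.get(lport)
            if rat:
                findings.append((r["name"], "high",
                                 f"TCP {lport} open to the network: default port of {rat}"))
            else:
                findings.append((r["name"], "review", f"TCP {lport} open to the network"))
        # Any conversation with an outside address belongs on the list to account for.
        if is_external(r["raddr"]):
            findings.append((r["name"], "review",
                             f"{r['proto']} {r['status']} to {r['raddr']}:{r['rport']}"))
    return findings


def remote_endpoints(rows):
    """Process -> set of remote endpoints, the view Dan suggests watching on the Remote tab."""
    seen = defaultdict(set)
    for r in rows:
        if is_external(r["raddr"]):
            seen[r["name"]].add(f"{r['raddr']}:{r['rport']}")
    return dict(seen)


if __name__ == "__main__":
    for proc, sev, msg in triage(parse_rows(SAMPLE)):
        print(f"[{sev:6}] {proc:14} {msg}")
```

Running it prints the SYSTEM and msmsgs.exe listeners as "review" items, the msmsgs.exe session to 207.46.106.198:1863 (the MSN Messenger server port, as the listing shows) as a remote endpoint to account for, and nbsrvem.exe on 12345 as "high". The pavproxy.exe sockets bound to 127.0.0.1 are not reported at all, which is the reason helpers ask for the local address column and not just the port number.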

waya
June 15th, 2003, 02:41 AM
here goes!

waya
June 15th, 2003, 02:42 AM
I'll try pasting it for easy reading

[Dan Perez] cut and submitted as txt file for better readability :)

Pilli
June 15th, 2003, 07:13 AM
Waya, Try changing the font to courier regular 10 ;)

Lolly
June 24th, 2003, 04:31 PM
hello everybody :)

I come from Germany.. I have exactly the same problems

first windows explorer tried and tried to come online.. my firewall (Zone Lab Pro) blocked..

then windows explorer tried to go online using Trillian (a chat program with multiple chat programs.. I use with Trillian.. MSN, AOL and Yahoo)

When I allow windows explorer to use trillian to go online, I can log in with it.. otherwise Trillian cannot go online

I installed today TDS-3 trial and scanned my computer.. no trojans

not sure if I configured TDS-3 in the right way.. uh.. a little complicated and in English.. *smile* will need a little longer to read the help files and to understand what I must do to get effective results.. I suppose.. (or is there a German version of TDS-3?)

with interest will follow this thread and hope to find "my trojan".. if I have one..

greets from germany :)

Lolly

Paul Wilders
June 24th, 2003, 04:38 PM
Willkommen, Lolly,

-{ Quote: "not sure if I configured TDS-3 in the right way.. uh.. a little complicated and in English.." }-

Not really; just follow these instructions (http://www.wilderssecurity.com/showthread.php?t=2871) - and make sure you do have the latest database update installed ;)

regards.

paul

waya
June 25th, 2003, 02:19 AM
Hi Lolly and all. Update: I had a local computer doctor dude come look over my system. Found nothing untoward. Did seem to think it funny the way Explorer asks permission to access the net. I phoned Microsoft and asked them if it was normal or necessary for this behaviour and their answer was very very ambiguous. "No it shouldn't need access, but it's not really an indication of something wrong if it does." Stranger yet, they did not charge me for the call as per usual. I am adopting a wait and see posture at this point. I figure that if I have a baddie, TDS will soon contain this bad boy's address in its database, enabling me to terminate it. If I have a free gift from the "good guys" I figure that the internet community at large will start to notice and soon have things out in the open. I can only advise for people to get a licensed TDS running on their machines, because even good ole well known trojans can be used to prepare the ground for their new relatives. :o I will post here if I get any useful info and will watch for same. Regards to all!

waya
June 25th, 2003, 02:47 AM
PS to above: Currently I have ZoneAlarm Pro configured to allow Explorer access to the internet, deny Explorer server privileges, and alas, permission to use other programs to access the internet. So far this is the only configuration that will allow Messenger, my FTP Pro and several other programs to operate. I am not advising anyone to use this configuration, only stating what I have done while I figure this thing out.

Lolly
June 25th, 2003, 02:22 PM
hello all :)

you are right Paul, not really too difficult.. thanks for the link to the step by step instructions.. was a great help :)

friendly regards

Lolly

Paul Wilders
June 25th, 2003, 07:43 PM
-{ Quote: " quoting: Lolly link=board=5;threadid=10301;start=15#msg69465 date=1056565339]
hello all :)

you are right Paul, not really too difficult.. thanks for the link to the step by step instructions.. was a great help :)

friendly regards

Lolly" }-

My pleasure, Lolly - and enjoy ;)

regards.

paul

Lolly
June 28th, 2003, 12:44 PM
hello Waya, Paul.. hello all :-)

waya and all.. I also installed the DiamondCS Port Explorer and noticed that AIM connects to 2 different IPs using port 5190. Port Explorer can resolve one of the IPs and says it is AOL, but with the second one I get the message: couldn't resolve the host nor the IP. I started thinking over the possibility of an AIM trojan.. *smile* and searched with Google and it seems that there are some trojans using AIM and MSN. They don't use a port to connect (might be the reason why a scanner cannot find them?).

I also took a look at the startup programs using msconfig and found an entry in the registry. No name of the program, only: software\microsoft\windows\current version\run
that's it.. is this important? I am sorry, I know very little about systems :-(

just wanted to give you waya the idea it might be such a trojan which is annoying us

regards and wishes for a great weekend

Lolly

Pieter_Arntz
June 28th, 2003, 12:56 PM
Hi Lolly,

Could you post your HijackThis log (http://www.tomcoyote.org/hjt/)
Download, Unzip and run HijackThis, Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don't fix anything yet. Most of what it finds is harmless.

Among other things it will show us all programs starting automatically.

Regards,

Pieter

Lolly
June 28th, 2003, 02:43 PM
hello Pieter, here the log txt

Logfile of HijackThis v1.95.0
Scan saved at 20:28:11, on 28.06.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
C:\Programme\Port Explorer Evaluation\PEDemo.exe
C:\Programme\Internet Explorer\iexplore.exe
J:\Zips von Programmen\PC Sicherheit\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26091a88e287df049321/netzip/RdxIE601_de.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37765.5069907407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

at first sight.. "extra button for AIM".. hm! what's that? well, hope you can help.. thanks :-)

Lolly

Pieter_Arntz
June 28th, 2003, 03:04 PM
Hi Lolly,

No signs of any malware.
One thing to get rid off (minor privacy risk):
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26091a88e287df049321/netzip/RdxIE601_de.cab
Put a checkmark in front of it in HijackThis and click Fix checked. It will be gone the next time you boot.

The extra button is exactly what it says. The program added a button in the bar of IE.

HTH,

Pieter
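Pieter's review of Lolly's log is a pattern worth automating: split the log by its section codes, list the O4 startup items, and pull out the entries a reviewer looks at first, such as an O16 DPF ActiveX object downloaded from a bare IP address like the RdxIE entry he singled out, an O1 hosts-file override, or a startup shortcut whose target could not be resolved. The script below is an added example, not part of the thread and not HijackThis's own code. The sample log lines are constructed from the format Lolly posted, and its rules are review prompts rather than verdicts: it surfaces the hosts entry that Pieter looked at and judged harmless, for the same reason he asks people not to fix anything before someone has read the log.

```python
"""Triage a HijackThis v1.95 log: split it into R/O entries, list the
startup items, and flag the entries a reviewer reads first.

Added example (not part of the thread and not HijackThis's own code). The
sample lines are constructed from the log format Lolly posted; the rules
are review prompts, not verdicts.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in the format of the posted log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.95.0
Scan saved at 20:28:11, on 28.06.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26091a88e287df049321/netzip/RdxIE601_de.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
O4_RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<name>[^)]*)\) - (?P<url>\S+)$")


def parse_hjt(text):
    """Return the R/O entries of a log as dicts with 'code' and 'body'; process list is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def host_is_ip_literal(url):
    """True when the download host is written as an IP address instead of a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def startup_items(entries):
    """O4 entries as (name, command) pairs; Global Startup shortcuts keep their target."""
    items = []
    for e in entries:
        if e["code"] != "O4":
            continue
        m = O4_RUN_RE.match(e["body"])
        if m:
            items.append((m.group("name"), m.group("cmd")))
        elif e["body"].startswith("Global Startup: "):
            name, _, target = e["body"][len("Global Startup: "):].partition(" = ")
            items.append((name, target))
    return items


def review(entries):
    """Findings as (code, message): the entries a helper reads first, not a malware verdict."""
    findings = []
    for e in entries:
        code, body = e["code"], e["body"]
        if code == "O1":
            # Hosts overrides redirect names; legitimate ones exist (vendors pin their own hosts).
            findings.append((code, f"hosts file override: {body[len('Hosts: '):]}"))
        elif code == "O16":
            m = O16_RE.match(body)
            if m and host_is_ip_literal(m.group("url")):
                findings.append((code, f"ActiveX object '{m.group('name')}' fetched from a bare IP: {m.group('url')}"))
        elif code == "O4" and body.endswith(" = ?"):
            # HijackThis prints '?' when it cannot resolve a shortcut's target.
            findings.append((code, f"startup shortcut with unresolved target: {body}"))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for name, cmd in startup_items(parsed):
        print(f"startup: {name:28} {cmd}")
    for code, msg in review(parsed):
        print(f"{code:4} {msg}")
```

On the sample this lists the two startup items and reports three entries for a human to look at: the hosts override, the Adobe Gamma Loader shortcut with the unresolved target, and the RdxIE download from 207.188.7.150; the Flash object from a named vendor host is not reported. Feeding a saved HijackThis .txt to parse_hjt gives the same split for a real log.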

Lolly
June 28th, 2003, 03:07 PM
uh forgot to ask... TDS keeps saying:

"WARNING: Your Radius.TD3 database needs to be updated!"

and TDS is right.. but the problem is.. the last Radius update I can get is the one from yesterday, Friday, 27th.. no Radius update for today available.. I refresh the page.. http://tds.diamondcs.com.au/
but no update for today

am I doing something wrong?..

greets :)

Lolly

Pieter_Arntz
June 28th, 2003, 03:16 PM
Hi Lolly,

The last update was from the 27th.
Check if the number of primaries corresponds with the ones posted here: http://www.wilderssecurity.com/showthread.php?t=10760

Regards,

Pieter

Lolly
June 28th, 2003, 04:06 PM
thanks Pieter

I fixed it.. :-)
and glad to hear no malware there..

and also thanks for answer to the update

Lolly

DolfTraanberg
June 28th, 2003, 04:46 PM
Hi Lolly,
-{ Quote: ""WARNING: Your Radius.TD3 database needs to be updated! "
" }-
As long as you run the evaluation version you will be seeing this message
Dolf

Lolly
June 29th, 2003, 05:06 AM
a sunny and relaxed sunday to you all :-)

hello Pieter.. I scanned again with HijackThis because I forgot I had already deactivated the one "suspicious" program in the startup menu.. sorry.. apologies

here the new log text

Logfile of HijackThis v1.95.0
Scan saved at 10:47:35, on 29.06.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\DigitalPatrol 4\DPatrolM.exe
C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programme\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Programme\Internet Explorer\iexplore.exe
J:\Zips von Programmen\PC Sicherheit\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\\InstantDrive\InstantDrive.exe /remount
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DP Monitor] C:\Programme\DigitalPatrol 4\DPatrolM.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37765.5069907407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

------------------------------------------

thanks Pieter.. and also thanks Dolf.. good to know

was reading online about AIM, MSN and trojans and found this.. I am shocked! didn't know there are such programs

here the link to the info about MSN/AIM Spy

http://www.spy-programs.com/online-spy/

and.. does someone know a program to find out if I have one of such spies on my computer? Since Feb. this year, I cannot help but have the strong impression I have a "spy".. but the virus scanners don't find anything.. might be I am paranoid.. lol in this cyberworld and technology.. but it also could be I am right, hm? ;-)

regards to all

Lolly

Jooske
June 29th, 2003, 05:35 AM
Hi Lolly, those keyloggers are detected with TDS. Keep it updated on a daily basis, Monday-Friday, all scan options enabled and on highest sensitivity; if there is a keylogger it is detected.

Pieter_Arntz
June 29th, 2003, 05:55 AM
Hi Lolly,

I copied the startup-items from your log and added in bold, what I think they are for:

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
both for nVidia Videocard
O4 - HKLM\..\Run: C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\\InstantDrive\InstantDrive.exe /remount
All three needed to be able to use your burner as sort of an extra HD
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
Ctfmon.exe provides text input support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.
O4 - HKCU\..\Run: [DP Monitor] C:\Programme\DigitalPatrol 4\DPatrolM.exe
DigitalPatrol, freeware trojan scanner.
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
Adobe Gamma enables you to eliminate unwanted color casts from your monitor.
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
ZoneAlarm firewall

The one you seem to have disabled:
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
belongs to AntiVir


The only program for detecting the kind of spies you're referring to, on your computer, that I know to be trusted by people whose opinion I value is: http://spycop.com/
It's the only one I can think of that can find more of these programs than TDS-3. Mainly because it has (more) legitimate spy-programs in its database.

HTH,

Pieter
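The log Lolly posted above and Pieter's annotated list of the O4 entries are the raw material for a first-pass triage, and that triage is mechanical enough to script. The Python below is an added example, not code from HijackThis, TDS-3 or anyone in this thread: it parses O1 (hosts), O4 (autostart) and O16 (ActiveX download) lines in the format shown above and sorts each into "known", "review" or "flag". The allowlist is distilled from Pieter's annotations, the trusted vendor domains and Windows directory list are assumptions for the demonstration, and the last two sample lines are constructed to exercise the flag and review paths; none of it is a finding about the real machine.

```python
"""First-pass triage of a HijackThis log (added example, not HJT/TDS code)."""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the first ten lines follow entries posted in this thread,
# the last two are invented to exercise the flag/review paths.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37765.5069907407
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O4 - HKLM\..\Run: [Windows Update] C:\WINDOWS\Temp\svchost.exe
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Free Cursors) - http://cab.example.net/cursors.cab
"""

# ASSUMPTION: allowlist distilled from Pieter's annotations above; a demo list,
# not a vetted startup database.
KNOWN_AUTOSTART = {"sstray.exe", "nvcpl.dll", "iwctrl.exe", "psdrvcheck.exe",
                   "instantdrive.exe", "ctfmon.exe", "dpatrolm.exe",
                   "zapro.exe", "avgnt.exe"}
# Windows' own process names; one launched from outside the Windows directories
# is the classic masquerade (ASSUMPTION: directory list for a default install).
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "winlogon.exe", "lsass.exe", "services.exe"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
# ASSUMPTION: vendor domains under which an O16 cab download counts as known.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "macromedia.com")

EXE_RE = re.compile(r"(.*?\.(?:exe|dll|scr|com|bat|pif))", re.IGNORECASE)
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<host>\S+)")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\} \((?P<desc>[^)]*)\) - (?P<url>\S+)")


@dataclass
class Finding:
    kind: str      # HJT section: O1, O4, O16
    name: str
    target: str
    verdict: str   # "known", "review" or "flag"
    reason: str


def launched_binary(cmd: str) -> str:
    """File actually started by an HJT command string. HJT prints paths with
    spaces unquoted, so cut at the first executable extension instead of
    splitting on whitespace, and look through rundll32 to the DLL it loads."""
    m = EXE_RE.match(cmd)
    if not m:
        return cmd.strip()           # e.g. "?" for an unresolved shortcut
    path = m.group(1).strip()
    if ntpath.basename(path).lower() == "rundll32.exe":
        m2 = EXE_RE.match(cmd[m.end():])
        if m2:
            path = m2.group(1).strip()
    return path


def triage_autostart(name: str, cmd: str) -> Finding:
    path = launched_binary(cmd)
    base = ntpath.basename(path).lower()
    if path == "?":
        return Finding("O4", name, cmd, "review", "HJT could not resolve the shortcut target")
    if base in SYSTEM_NAMES and ntpath.dirname(path).lower() not in SYSTEM_DIRS:
        return Finding("O4", name, path, "flag", "Windows process name outside the Windows directories")
    if base in KNOWN_AUTOSTART:
        return Finding("O4", name, path, "known", "on the allowlist")
    return Finding("O4", name, path, "review", "not on the allowlist; identify before removing")


def triage_dpf(desc: str, url: str) -> Finding:
    host = (urlparse(url).hostname or "").lower()
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS)
    verdict = "known" if trusted else "review"
    reason = "vendor domain" if trusted else "cab served from outside the vendor list (a CDN name proves nothing)"
    return Finding("O16", desc, host, verdict, reason)


def triage(log_text: str) -> list[Finding]:
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O1_RE.match(line):
            findings.append(Finding("O1", m["host"], m["ip"], "review",
                                    "hosts entry overrides DNS for this name"))
        elif (m := O4_RUN_RE.match(line)) or (m := O4_STARTUP_RE.match(line)):
            findings.append(triage_autostart(m["name"], m["cmd"]))
        elif m := O16_RE.match(line):
            findings.append(triage_dpf(m["desc"], m["url"]))
    return findings


def flagged(log_text: str) -> list[Finding]:
    """Everything not already explained, in log order."""
    return [f for f in triage(log_text) if f.verdict != "known"]


if __name__ == "__main__":
    for f in flagged(SAMPLE_LOG):
        print(f"{f.verdict:6} {f.kind:3} {f.name}: {f.target}  ({f.reason})")
```

Run it as a script and it prints only the five entries that still need a human: the hosts override, the unresolved Adobe Gamma shortcut, the HouseCall cab (served from an Akamai hostname, which says nothing about who published it), the constructed svchost.exe in a Temp directory, and the constructed cab from an unknown host. The point of the design is that "known" is decided by an explicit allowlist and "flag" by a structural rule (a Windows process name in the wrong directory), so nothing is ever silently dropped just because a scanner did not recognise it.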

illukka
June 29th, 2003, 07:14 AM
if you (or anyone using your computer) don't have bad eyesight or bad hearing I think it would be good to disable the ctfmon.
it's a waste of resources
http://support.microsoft.com/support/kb/articles/Q282/5/99.asp
This article was previously published under Q282599
SUMMARY
When you run a Microsoft Office XP program, the file Ctfmon.exe (Ctfmon) runs in the background, even after you quit all Office programs.

This article answers some of the frequently asked questions about the Microsoft Text Services Ctfmon.exe file, which is loaded after installing Office XP Alternative User Input features. This article answers the following questions:
What is the Ctfmon.exe (ctfmon) file?
What does the Ctfmon.exe file do?
Can I remove the Ctfmon.exe file?
Why won't Ctfmon.exe go away when I remove it from MSConfig?
When I uninstall the alternative input items from Office XP, Ctfmon.exe still loads. What else do I need to do to keep it from running?
What amount of system resources is used when Ctfmon.exe is running?
Can I load Ctfmon.exe on demand instead of all the time?
Will I break something if I click End Task on the Ctfmon.exe process?
Does Ctfmon.exe work the same on all operating systems?
MORE INFORMATION
What Is the Ctfmon.exe (Ctfmon.exe) File?
Ctfmon.exe activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office Language Bar.
What Does the Ctfmon.exe File Do?
Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.
Can I Remove the Ctfmon.exe File?
Removing the Ctfmon.exe might cause problematic behavior in your Office XP programs, so removing it is not recommended. To prevent Ctfmon.exe from running, follow these steps.
Step 1: Uninstall Alternative User Input
To uninstall the alternative user input feature, set the installation state to Not Available in Office XP Setup.

Microsoft Windows Millennium Edition (Me), Microsoft Windows 98, or Microsoft Windows NT 4.0:
Quit all Office programs.
Click Start, point to Settings, and then click Control Panel.
In Control Panel, double-click Add/Remove Programs.
On the Install/Uninstall tab, click to select Microsoft Office XP product, where Office XP product is the name of the specific Office product being used. If you are using a standalone version of one of the Office programs, click to select the appropriate product in the list. Click Add/Remove.
In the Maintenance Mode Options dialog box, select Add or Remove Features, and then click Next. This displays the Choose installation options for all Office applications and tools dialog box.
Click the plus sign (+) next to Office Shared Features to expand it.
Click the icon next to Alternative User Input, and then select Not Available.
Click Update.
NOTE: If you have multiple Office XP products installed, for example, Office XP Professional and Publisher 2002, you must repeat the preceding steps for each installed product.

Microsoft Windows 2000 and Microsoft Windows XP:
Quit all Office programs.
Click Start, point to Settings, and then click Control Panel. NOTE: In Windows XP, click Start and then click Control Panel.
In Control Panel, double-click Add/Remove Programs. NOTE: In Windows XP, click Add or Remove Programs.
In the Currently installed programs list, click to select Microsoft Office XP product, where Office XP product is the name of the specific Office product being used. If you are using a standalone version of one of the Office programs, click to select the appropriate product in the list. Click Change.
In the Maintenance Mode Options dialog box, select Add or Remove Features, and then click Next. This displays the Choose installation options for all Office applications and tools dialog box.
Click the plus sign (+) next to Office Shared Features to expand it.
Click the icon next to Alternative User Input, and then select Not Available.
Click Update.
NOTE: If you have multiple Office XP products installed, for example, Office XP Professional and Publisher 2002, you must repeat the preceding steps for each installed product.
Step 2: Remove Alternative User Input Services from Text Services
Click Start, point to Settings, and then click Control Panel.
In the Control Panel, double-click Text Services. NOTE: In Windows XP, click Date, Time, Language, and Regional Options, and then click Regional and Language Options. On the Languages tab, click Details.
Under Installed Services, select each input item that is listed, and then click Remove to remove the item. All items must be removed, one by one, except the following input service:

English (United States)- default Keyboard United States 101
Step 3: Run Regsvr32 /U on the Msimtf.dll and Msctf.dll Files
1. Click Start and then click Run.
2. In the Run dialog box, type the following command:

Regsvr32.exe /u msimtf.dll
3. Click OK.
Repeat steps 1 through 3 for the Msctf.dll file.
For additional information about how to remove CTFMon.exe, click the article number below to view the article in the Microsoft Knowledge Base:

313176 Programs May Start, Quit, Lose, and Gain Focus Randomly
Why Will Ctfmon.exe Not Go Away When I Remove It from MSConfig?
Removing Ctfmon.exe from MSConfig does not disable Ctfmon.exe. For more information about disabling Ctfmon.exe, refer to the "Can I remove the Ctfmon.exe file?" section earlier in this article.
When I Remove the Alternative Input Features from Office XP, Ctfmon.exe Still Loads. What Else Must I Do to Keep It from Running?
Unlike the Alternative User Input features, Ctfmon.exe is a system component that cannot be uninstalled. For more information about disabling Ctfmon.exe, refer to the "Can I remove the Ctfmon.exe file?" section earlier in this article.
What Amount of System Resources Is Used When Ctfmon.exe Is Running?
Ctfmon.exe uses little of the system resources if Advanced Text Services are not running. Advanced Text Services are those input technologies (speech recognition, handwriting recognition, and Input Method Editors) that are being controlled by Ctfmon.exe via a TIP.
Can I Load Ctfmon.exe on Demand Instead of All the Time?
The Alternative User Input system is not designed to be loaded and unloaded on demand.
Can I Click "End Task" in the Task Manager Dialog Box or "End Task" in the Close Program Dialog Box for the Ctfmon.exe Process?
No. It is not recommended that you manually close the Ctfmon.exe process. It is recommended that you use the steps in the "Can I remove the Ctfmon.exe file?" section if you want to stop the Ctfmon.exe process.
Does Ctfmon.exe Work the Same in All Operating Systems?
Generally, yes. Ctfmon.exe performs the same tasks on different Microsoft Windows operating systems.
Additional Information
Ctfmon.exe is the file that is responsible for controlling the Alternative User Input technologies. It starts the Language Bar component (in the Systray) and remains running in the background even after you quit an Office XP program. It also starts each time Windows is started and remains in the background, regardless of whether an Office XP program is started.

Ctfmon.exe is designed to continue to run in the background during Windows sessions after the Office XP Alternative User Input components are installed.

The ctfmon.exe was running on my new XP system, and I have never had M$ Office products on it. I use OpenOffice instead. But it's safe to disable.

Jooske
June 29th, 2003, 12:01 PM
I would not do without the speech recognition as one of the means of communication: imagine all the ss3 scripts in TDS which can use speech recognition to start with!

and handwriting recognition I do use too occasionally

keyboard i use all time and would hardly name that alternative

Lolly
June 29th, 2003, 07:15 PM
*smiles* seems I installed the ctfmon because I thought it could be helpful to be able to switch the keyboard to Spanish (my native language) or to English characters.. I hear very well *grin* some men think I hear "too well" lol

thanks illukka.. will read your helpful advice when I come back.. I came to say bye for now.. cuz I will be out of town for the next 2 weeks.. I think.. and it might be I don't come near enough to a computer to come over here to say hi :-)

thanks Pieter.. and tot zins (right spelling? uh! live near the Netherlands but still don't speak the language *shame*)

see you all soon.. :-)

regards

Lolly

Jooske
June 30th, 2003, 03:31 AM
And how about a (TDS) script with an msagent walking over your screen, you press the scroll-lock and can make him read your text, open files, surf you to this forum, send your email and lots more, sing a happy song for you, tell the time and start applications, when you ask this by talking into your microphone? Would not like to miss all that!

Have a good time, hope it will be a nice holiday!
Sounds good Lolly, almost right "tot ziens"!