#1
Hi, I have a problem with a system32 file (tcposmod.exe). Norton detects a password stealer in it but was unable to access the file for cleaning. I will use TDS-3, but I want to know if someone steals my passwords (and which passwords). Thanks
#2
If you can get to the file, try to zip it! Then it can't run.
Further, besides TDS-3 also get Port Explorer, which shows you all possible connections; you can spy on those connections and block them. After installing TDS-3 go back to that site and get the update for the detection databases. Configure TDS System Testing with everything checked and at highest sensitivity. If TDS says it's a positive identification you have the choice to delete it; if it says "suspicious" don't hesitate to send it to support@diamondcs.com.au (zipped if possible) or use the little menu when right-clicking on the alert in the result console. If TDS would not alarm I would certainly send the file in with the link to this thread in your email. Please keep us informed how it goes.
__________________
Jooske "o_o"
#3
Hi Strad,
Can you see if this key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "DSS" is present in your registry? After disabling it from starting up there, you should have no problem removing tcposmod.exe. From what I could find about this BackDoor, I gather it deletes netstat.exe and adds c:\WINDOWS\readme-net.doc and the file you found. Mostly used to gather online passwords like Hotmail etc. To find out if any and which passwords were stolen, the first thing to do is find out if it was ever active. You can do that by checking if the changes I mentioned were indeed made. Regards, Pieter
__________________
Regards, Pieter. It's nice to be important, but it's more important to be nice. Remove & Prevent spyware. It's human to make mistakes. It's even more so to blame the computer for it.
#4
Munga bunga, if I remember well? Or DSSdoor?
It's in the TDS primaries. Try hitting Ctrl+Alt+Del and either End Program or Task Manager, depending on your O/S, and end task on tcposmod.exe. Yes to the warning box. Look in the startup list using msconfig: Start > Run > type in msconfig > hit Enter > go to the Startup tab and uncheck TCPOSMOD.EXE. Reboot and scan again to clean it. You couldn't delete it because it is running. And after removal I would try to change passwords just to be sure.
__________________
Jooske "o_o"
#5
OK, the changes you mentioned are made: netstat.exe was deleted, the doc file is there. I have Win 98 and 2k installed on my computer, and I can delete tcposmod.exe by using Win 98, but who stole my passwords? And what passwords? How does this back door work?
#6
"What does this software do?
It's a Brute Forcer, which uses the HTTP protocol to establish its connections. In English, this means the program tries various passwords for a given username (called brute forcing) and verifies whether those passwords are correct for the given username within the HTTP protocol (meaning, via web page connections). You can hack into any form you see on the Internet, this means any web based email account like Hotmail, Yahoo, Excite etc or even affiliate accounts like AllAdvantage, GoToWorld, LinkExchange, or even actual Web Sites and many more. Basically, any thing that can be entered via a HTML form with a password and username, you would be able to brute force into with my program. The sky is the limit, it can even be used as a DoS (Denial of Service) program but I do not encourage such behavior and shall not be held responsible for your illegal doings."
Do you have a firewall? Its logs might come in handy. Regards, Pieter
Source left out because of download links.
__________________
Regards, Pieter. It's nice to be important, but it's more important to be nice. Remove & Prevent spyware. It's human to make mistakes. It's even more so to blame the computer for it.
#7
Does the readme-net.doc contain anything interesting?
Did not find anything about spreading the thing yet, as I thought it was in the first place looking for password combinations to get into a system or webpage; do you run a server by chance, making you an interesting target for them?
__________________
Jooske "o_o"
#8
The problem is solved. My little brother downloaded the Munga bunga program and installed it. Thanks a lot.
#9
Glad you found it! So no outside onlookers, I hope, but now you certainly should make sure! I mean, you had the nasty on your system and installed, so your system was very vulnerable to other users of it.
I saw in the manual they say you can d/l password files all from the internet, so you could google for such things and maybe check a few for a couple of your passwords; you will have changed them anyway by now, I suppose!
__________________
Jooske "o_o"
#10
Someone installed Munga Bunga on my PC.
Now Norton AV won't run, even if I reinstall it. Any solutions?
#11
Hi whkoh,
Welcome to Wilders! Can you please download and run HijackThis from http://www.tomcoyote.org/hjt/hijackthis.zip and scan the system but do *not* try to fix anything yet as many of the items listed are necessary, instead press the "save log" button and copy and paste the log here for someone to review and advise on. Thanks, Dan
__________________
"Whan alle tresors arn tried, Treuthe is the beste." Piers Plowman (William Langland)
#12
Thanks, this is the log:
#13
Hi whkoh,
I see no signs of it in the HT log, though I did find two other nuisances; you might want to close all other programs/windows and select and fix the following two entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
Regarding your main issue, we will need more logs it seems... First I would do a remote scan of your system from an online AV such as Panda's ActiveScan, which can be accessed here: http://www.pandasoftware.com/actives..._principal.htm
Then, can you please download and run DCS's AutostartViewer from http://www.diamondcs.com.au/downloads/asviewer.zip. Go to the "Main" menu and make sure that all three top options are selected, then press "Save", and then copy & paste the results here for us to review.
Also, can you please download DCS's OpenPorts program from http://www.diamondcs.com.au/downloads/openports.zip. Unzip openports.exe in your Windows directory, open up your Command Prompt and type: openports > openports.txt and then press the Enter key. Then type: openports.txt and press the Enter key again, and then copy the contents of the file in Notepad and paste it here for us to review. Thanks, Dan
__________________
"Whan alle tresors arn tried, Treuthe is the beste." Piers Plowman (William Langland)
#14
It appears that other accounts in my PC can access the AV.
#15
OK, how to remove TCPOSMOD.EXE: Press CTRL+ALT+DEL and end the task of TCPOSMOD.EXE. Then in any window click on Tools, then Folder Options, then click on the "View" tab, then click on Show Hidden Files and Folders and make sure there is no check in the box Hide Extensions for Known File Types. Now go to C:\WINDOWS and you will see the TCPOSMOD.EXE file; remove it from your system. Then in regedit go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "DSS" and remove it from your registry, and restart your system.
Send me an email and tell me if it works ... Davidcat
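The indicators the thread settles on (the "DSS" Run value, tcposmod.exe on disk or running, netstat.exe missing, readme-net.doc added) can be checked in one read-only pass before anything is deleted. The script below is an added example for this thread, not something any poster supplied; it assumes a Windows version with PowerShell (not the Win 98 of the original poster) and checks both locations mentioned for the executable (system32 in post #1, C:\WINDOWS in post #15). It reports only; removal is still the manual procedure described above.

```powershell
# Added example (not from the thread): read-only check for the indicators the
# posters describe. Key, value and file names come from posts #3 and #15.
# Assumes a PowerShell-capable Windows; nothing is modified or deleted.
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$valueName = 'DSS'                       # Run value named in post #3
$winDir    = $env:WINDIR                 # C:\WINDOWS in the thread
$sys32     = Join-Path $winDir 'system32'
$findings  = @()

# 1. Persistence: a "DSS" value under the Run key
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $valueName)) {
    $findings += "Run value '$valueName' present, pointing at: $($run.$valueName)"
}

# 2. The dropped executable, in either directory the thread mentions,
#    and as a running process (a running copy cannot be deleted; see post #4)
foreach ($dir in @($winDir, $sys32)) {
    $exe = Join-Path $dir 'tcposmod.exe'
    if (Test-Path -Path $exe) { $findings += "File present: $exe" }
}
if (Get-Process -Name 'tcposmod' -ErrorAction SilentlyContinue) {
    $findings += 'Process tcposmod is running; end it before removing the file'
}

# 3. Side effects reported in post #3: netstat.exe removed, readme-net.doc added
if (-not (Test-Path -Path (Join-Path $sys32 'netstat.exe'))) {
    $findings += 'netstat.exe is missing from system32'
}
if (Test-Path -Path (Join-Path $winDir 'readme-net.doc')) {
    $findings += "readme-net.doc present in $winDir"
}

# 4. Report. Any hit means the backdoor was installed, so passwords used on
#    the machine should be treated as exposed and changed (post #4).
if ($findings.Count -eq 0) {
    'None of the indicators from the thread were found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM Run key and system32 are readable; the output is a list of hits, and an empty list is evidence the changes from post #3 were never made, which is the question post #3 says to answer first.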