Wilders Security Forums  

  #1  
Old February 10th, 2002, 01:32 AM
zappa
Regular Poster
Join Date: Feb 2002
Location: Los Angeles, Ca.
Posts: 176
slippery trojan cont.

http://pub24.ezboard.com/fsecureyesecurityfrm2.showMessageRange?topicID=42.topic&start=21&stop=33


I will give up soon if it appears that I am out of my mind....but until then I will continue to ask questions.

Someone at the TDS Forum said I had what appears to me to be a network program when I'm not on a network, at least not one I know about. (Excuse me if I misinterpreted his statements.) Here it is:

RegCleaner 4.3 by Jouni Vuorio

Extension : ratfile
Command : Open
Program : Rundll32.exe

If you choose to remove this item these keys would be removed
HKEY_CLASSES_ROOT\ratfile\DefaultIcon
HKEY_CLASSES_ROOT\ratfile\Shell
HKEY_CLASSES_ROOT\ratfile
_______________________________________________

M3GAWOLF, yes, I ran the .exe fixer and all the rest and I corrected my WIN.INI to read as follows:

load=
NULLPORT=none
run=
device=hpdeskjet895seriesc
____________________________

Are there supposed to be just two entries in WIN.INI, load and run, or others too, like I have now?

Was my previous WIN.INI altered due to a trojan or just normal stuff that happens?
Net_Toob was a plugin for Netscrape and at one time I had items running automatically in Win98 so I think I may know what those items were initially....but what the hay do I know?

  #2  
Old February 10th, 2002, 11:09 AM
spy1
Massive Poster
Join Date: Dec 2002
Location: Charlotte, NC
Posts: 3,122
Re: slippery trojan cont.

zappa - First of all, congratulations for making the move to the new forum and welcome!

As you might have noticed, I am now spy1 (which is my nic everywhere else on the net, just couldn't get that one at the old site) - no longer M3gaW0lf.

As to your comments:

RegCleaner DOES contain a 'network' feature. I really have no idea what it is, since I've never used it. You might want to read up in the 'Help' files on it and see. In the meantime, you can go to the main screen and see if you have the words 'LAN Tool' there anywhere - if you do, it SHOULD be greyed out if you don't use it (please verify).

Also, if you click on 'Preferences', then 'Network', is there a checkmark in "Enabled'? (I'm using jv16PowerTools, NOT RegCleaner, BTW, just to clarify. You might want to dump RegCleaner - if indeed that's what you have - and go to PowerTools, instead, just to see if that's what's causing the problems. Make sure you DON'T enable any 'network'-type features in PT's, until you know what it does, to prevent starting the problem all over again, if that's what it is).

Can't really tell you if "hpdeskjet895seriesc" is supposed to be there or not - I know my printer doesn't show up in that line (you might want to check into that further with HP tech support). HTH Pete

__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
  #3  
Old February 11th, 2002, 03:12 AM
zappa
Regular Poster
Join Date: Feb 2002
Location: Los Angeles, Ca.
Posts: 176
Re: slippery trojan cont.

Thank you for the nice words Spy1. Responses to your ideas:

1) I could not find any references in RegCleaner to Lan Tools. I looked twice too. My preferences tab in RegCleaner does not have a Network section.
2) Nothing on my PC has Lan enabled or file sharing. I have always checked those items, NO.

I will contact HP and see about the entry in WIN.INI.
thanks
  #4  
Old February 11th, 2002, 03:29 AM
FanJ
Posts: n/a
Re: slippery trojan cont.

Hi Zappa,

I have an HP DeskJet 970CXi.

The first part (that means the [windows] part) of my winini file (W98SE) is:

[windows]
load=
run=
NullPort=None
device=HP DeskJet 970C Series,hpf9xdr0,LPT1:
open=
MouseTrails=-7

So yes, it looks like that line in your winini file with HP mentioned in it is maybe OK.

You could also have a look here:
http://productfinder.support.hp.com/...=13&Submit.y=8
but I have to admit that with a quick look at these pages, I didn't find it.
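As an added example (not from this thread, RegCleaner or any other tool named here), a small Python check of the kind zappa's WIN.INI questions call for: it parses the [windows] section, flags any load= or run= line that actually names a program, since those lines start programs at every logon, and splits device= into printer name, driver file and port. The two INI texts are constructed here, modelled on the fragments posted above.

```python
import configparser
import io

# Constructed sample modelled on the [windows] sections posted in this thread
# (the driver/port values are illustrative, not copied from any machine).
CLEAN_WIN_INI = """[windows]
load=
run=
NullPort=None
device=HP DeskJet 970C Series,hpf9xdr0,LPT1:
open=
MouseTrails=-7
"""

# Constructed sample with a populated run= line, the case that deserves a look.
SUSPECT_WIN_INI = """[windows]
load=
run=c:\\constructed\\example.exe
device=HP DeskJet 970C Series,hpf9xdr0,LPT1:
"""

# load= and run= in [windows] launch programs at every logon, much like the
# Run keys in the registry; a non-empty value is an autostart entry to verify.
AUTOSTART_KEYS = ("load", "run")


def parse_win_ini(text):
    """Parse WIN.INI text. Keys are case-insensitive (NULLPORT == NullPort)."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                   delimiters=("=",), strict=False)
    cp.read_file(io.StringIO(text))
    return cp


def autostart_entries(text):
    """Return {key: value} for load=/run= lines that actually name something."""
    cp = parse_win_ini(text)
    found = {}
    for key in AUTOSTART_KEYS:
        value = cp.get("windows", key, fallback=None) or ""
        if value.strip():
            found[key] = value.strip()
    return found


def default_printer(text):
    """device= names the default printer: display name, driver file, port."""
    cp = parse_win_ini(text)
    value = cp.get("windows", "device", fallback="") or ""
    return [part.strip() for part in value.split(",")] if value else []
```

An empty result from autostart_entries is the expected state on a clean Win98 machine; anything listed should be matched against software you knowingly installed.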
  #5  
Old February 18th, 2002, 01:51 AM
zappa
Regular Poster
Join Date: Feb 2002
Location: Los Angeles, Ca.
Posts: 176
Re: slippery trojan cont.

At this point in time I am inserting my foot in my mouth. Although weird stuff has happened and this stuff was definitely bizarre, all I know at this point is that my quiver is intact. Didn't get to take a shot, blanked and didn't even get to see one. At this point, it is safe to say that there is no trojan on my system. If TDS-3 could not find it, it is not there. Period.

So my last question and I will let this thread die. I found this program in my startup, mdac_runonce. I worked my way around to find out I have this Microsoft Data Client Server on my system. Hadn't a clue it was there. Yea, it's in my control panel big as day but never had a reason to open it up or check it out. The mdac_runonce in start up is related to this program. Probably why when I was starting TDS-3 it was always telling me my startup registry had changed since mdac_runonce is a part of Windows/system/runonce.exe.

My usual question, does anyone else have the following two icons in their control panel in Win98SE, MS DTC client configuration and ODBC Data Sources (32bit)? I bet this is why all the weird stuff has been happening. Probably why my krnl386.exe is calling home every two minutes and is larger in actual size than others. The ODBC-DS is a server for some type of network of which I need to research to see what it does and why I have it. Probably will explain why my Internet access program gets stuck in the open position and why I can't disconnect it and why certain ports are open...might explain a whole bunch of stuff. Probably will explain why I have network .dll's too.

Thank goodness I bought new tennis shoes...

  #6  
Old February 18th, 2002, 10:15 AM
spy1
Massive Poster
Join Date: Dec 2002
Location: Charlotte, NC
Posts: 3,122
Re: slippery trojan cont.

zappa - "does anyone else have the following two icons in their control panel in Win98SE, MS DTC client configuration and ODBC Data Sources (32bit)?"

I have ODBC Data Sources icon on my W98SE computer (never really looked at/played with it, but we can compare fields in the different tabs if you wish), but not MS DTC client configuration.

HTH Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
  #7  
Old February 19th, 2002, 04:34 PM
UNICRON
Administrator
Join Date: Feb 2002
Location: Nanaimo BC Canada
Posts: 1,935
Re: slippery trojan cont.

Everyone had ODBC. It is a universally accepted standard for relational database systems so that data from one can always be converted to another. Hence Oracle tables can be imported into SQL Server tables, or MySQL tables etc. If I am coding an ASP website for someone I may make a DSN connection for the website to the database by using tools found in the ODBC section.

MS DTC info can be found here: http://www.execpc.com/~gopalan/com/msdtc.html

When I installed VisualStudio.net I have to get the latest version of MS DTC and MDAC. I would assume it is harmless.
__________________
Not every thing that can be counted counts, and not everything that counts can be counted.
  #8  
Old February 20th, 2002, 09:36 AM
spy1
Massive Poster
Join Date: Dec 2002
Location: Charlotte, NC
Posts: 3,122
Re: slippery trojan cont.

Hi, UNICRON!

Everyone may have it, but it is not showing as an icon in my W98SE computers' Control Panel (which is what he asked).

Is my OS missing something? Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
  #9  
Old February 20th, 2002, 01:05 PM
UNICRON
Administrator
Join Date: Feb 2002
Location: Nanaimo BC Canada
Posts: 1,935
Re: slippery trojan cont.

Pete, you do NOT have an ODBC icon in control panel? Hmm. I had win98 SE and it always did from install. Perhaps it has to do with choices made at install. But your computer can't run without ODBC so it must be there, just perhaps no icon to do anything with it.
__________________
Not every thing that can be counted counts, and not everything that counts can be counted.
  #10  
Old February 20th, 2002, 01:33 PM
spy1
Massive Poster
Join Date: Dec 2002
Location: Charlotte, NC
Posts: 3,122
Re: slippery trojan cont.

Could it have something to do with the fact that I went from W98 to W98SE via the Updates CD? Pete
__________________
"When fascism comes to America it will come wrapped in the flag and carrying a cross." Sinclair Lewis
  #11  
Old February 21st, 2002, 12:35 AM
UNICRON
Administrator
Join Date: Feb 2002
Location: Nanaimo BC Canada
Posts: 1,935
Re: slippery trojan cont.

dunno, I had an ODBC icon with a default install of win95 back in the day.


__________________
Not every thing that can be counted counts, and not everything that counts can be counted.
  #12  
Old February 21st, 2002, 04:46 AM
zappa
Regular Poster
Join Date: Feb 2002
Location: Los Angeles, Ca.
Posts: 176
Re: slippery trojan cont.

I have been checking out the ODBC server and all the drivers are up to date as of 2-9-02. Don't know how or why they are so updated since I have never opened the thing. Then there are Portuguese language drivers and English language drivers. I opened the trace logs and there was what appears to be either encrypted or coded info. I guess it has carte blanche to access the net?

I continue to notice an unusual amount of other computers wanting to connect to mine. Wonder if the connection attempts are related to the ODBC server.

Could someone use this server to access my system?
  #13  
Old February 21st, 2002, 05:00 AM
FanJ
Posts: n/a
Re: slippery trojan cont.

Quote:
Could it have something to do with the fact that I went from W98 to W98SE via the Updates CD? Pete

Pete, I too got from 98 to 98SE, and I have the ODBC-icon in Control-panel.
  #14  
Old February 24th, 2002, 06:05 AM
zappa
Regular Poster
Join Date: Feb 2002
Location: Los Angeles, Ca.
Posts: 176
Re: slippery trojan cont.

Scan Control Dumped @ 07:55:24 23-02-02
Positive identification: Demo.Leaktest (Not a trojan)
  File: c:\my download files\leaktest.exe

Positive identification <Adv> (in archive): Possible keylogger
  File: nfrbofl.exe (In c:\download\bof-1-01.zip)

Suspicious Filename: Dual extensions
  File: c:\download\all_installs2\freeshade1.003.exe

Positive identification <Adv>: Possible keylogger
  File: d:\hook\hprot32.exe

  #15  
Old February 24th, 2002, 09:35 AM
Paul Wilders
Administrator
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,383
Re: slippery trojan cont.

Zappa,

Quote:
Positive identification <Adv> (in archive): Possible keylogger
  File: nfrbofl.exe (In c:\download\bof-1-01.zip)

Seems to indicate you do have a (rather useless) program called "BO Freeze" on your system. This app is supposed to freeze the Back Orifice trojan client from someone scanning your system for the existence of a Back Orifice server on your system. Dump it.

Quote:
Suspicious Filename: Dual extensions
  File: c:\download\all_installs2\freeshade1.003.exe

Indicates you have the desktop tool "Freeshade" installed on your system. What are the exact two extensions named?

Quote:
Positive identification <Adv>: Possible keylogger
  File: d:\hook\hprot32.exe

Points to HookProtect from DCS installed on your system. If so, no need to worry; perfectly safe program.

regards.

paul

__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #16  
Old February 25th, 2002, 02:10 AM
zappa
Regular Poster
Join Date: Feb 2002
Location: Los Angeles, Ca.
Posts: 176
Re: slippery trojan cont.

1) Dumped BO Freeze. I was taking the attitude the best defense is a good offense. That was the way it was "sold" to me.

2) When I installed Freeshade it self extracted to Windows\System and therein lies the only two extensions I initially see. Freeshade.dll and Freeshade.exe.

thanks.
  #17  
Old February 25th, 2002, 07:58 AM
Paul Wilders
Administrator
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,383
Re: slippery trojan cont.

Hi zappa,

Quote:
Suspicious Filename: Dual extensions
  File: c:\download\all_installs2\freeshade1.003.exe

Quote:
2) When I installed Freeshade it self extracted to Windows\System and therein lies the only two extensions I initially see. Freeshade.dll and Freeshade.exe.

It seems to me, we are talking about different things here. In the first quote above, it's indicated the file "freeshade1.003.exe" contains a double extension - probably one hidden extension. This is before the file has been executed. After execution (installation), it's not unusual to encounter several extensions.

Thus, I'm still curious about the double extensions from the original (not yet executed) .exe file.

regards.

paul

__________________
01110010 01100101 01100111 01100001 01110010 01100100 01110011 00100000 01110000 01100001 01110101 01101100
  #18  
Old February 26th, 2002, 08:00 AM
zappa
Regular Poster
Join Date: Feb 2002
Location: Los Angeles, Ca.
Posts: 176
Re: slippery trojan cont.

In folder options I had previously unchecked "show all hidden files" so I can see all hidden files. I just unchecked the box that says "all hidden files with known extensions."

The only thing I can think of is that TDS flagged it as double extensions because there are two dots in the application name. If that statement is stupid bear with me. That is the only difference between the Freeshade application and all the rest in the folder.

Hopefully, I am getting closer to talking about the same thing you are.
  #19  
Old February 26th, 2002, 03:10 PM
UNICRON
Administrator
Join Date: Feb 2002
Location: Nanaimo BC Canada
Posts: 1,935
Re: slippery trojan cont.

tds-3 or wormguard will b!tch about multiple file extensions if a file has two dots in the file name:

eg:  scary.jpg.vbs
     perl5.6.1.exe
     Linux-mini-HOWTOs-20020226.tar.gz

as you can see one of these is obviously suspicious, while the other two are not.

DiamondCS products let you decide what to do and report all double file extensions.

__________________
Not every thing that can be counted counts, and not everything that counts can be counted.
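Added example, not code from DiamondCS or from anyone in this thread: a Python version of the double-extension heuristic UNICRON describes, refined so that a version number (perl5.6.1.exe, freeshade1.003.exe) or a known archive pair (.tar.gz) is reported as harmless multi-dot, while a runnable extension sitting behind a data-looking one (scary.jpg.vbs) is flagged. The extension lists are my assumption of what is representative for Win98-era systems, not the lists TDS-3 or WormGuard use.

```python
# Extensions Windows or its script hosts will run when double-clicked
# (assumed representative list, not the exact one any DiamondCS product uses).
EXECUTABLE_EXTS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                   "js", "jse", "wsf", "wsh", "hta", "lnk"}
# Extensions users read as harmless data; with Explorer's "hide extensions for
# known file types" on, only this part is displayed, which is why the pairing matters.
DATA_EXTS = {"jpg", "jpeg", "gif", "bmp", "txt", "doc", "pdf", "mp3", "avi",
             "zip", "htm", "html"}
# Compound archive suffixes where two dots are entirely normal.
KNOWN_COMPOUND = {("tar", "gz"), ("tar", "bz2"), ("tar", "z")}


def classify(path):
    """Return (verdict, reason); verdict is 'ok', 'multi-dot' or 'suspicious'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]      # drop any directory part
    parts = [p.strip() for p in name.lower().split(".")]  # tolerate stray whitespace
    if len(parts) < 3:
        return ("ok", "at most one extension")
    last, prev = parts[-1], parts[-2]
    if (prev, last) in KNOWN_COMPOUND:
        return ("ok", f"known compound suffix .{prev}.{last}")
    if last in EXECUTABLE_EXTS and prev in DATA_EXTS:
        return ("suspicious", f"runnable .{last} presented as a .{prev} file")
    if all(p.isdigit() for p in parts[1:-1]):
        return ("multi-dot", "inner dots form a version number, not extensions")
    return ("multi-dot", "several dots; review by hand")


def scan(paths):
    """Classify a list of file names; returns {name: verdict}."""
    return {p: classify(p)[0] for p in paths}


if __name__ == "__main__":
    # UNICRON's three examples plus the file TDS-3 flagged earlier in the thread
    names = ["scary.jpg.vbs", "perl5.6.1.exe",
             "Linux-mini-HOWTOs-20020226.tar.gz",
             r"c:\download\all_installs2\freeshade1.003.exe"]
    for name, verdict in scan(names).items():
        print(f"{verdict:<11} {name}")
```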
 
