Help - Trojan Infection???

Discussion in 'malware problems & news' started by deaditeash, Mar 9, 2002.

Thread Status:
Not open for further replies.
  1. deaditeash

    deaditeash Registered Member

    Joined:
    Mar 9, 2002
    Posts:
    14
    I recently installed and ran ANTS on my PC. After scanning my ports I was given the following message -

    "Port 1027 openly. Probable Trojaner: Port 1030 found no Trojaner openly. Probable Trojaner: Port 5000 found no Trojaner openly. Probable Trojaner: SOCKET23"

    I also have McAfee Firewall and NAV2001. Can someone provide me some direction - I assume this means I have a trojan(s) and I admit I'm a newbie at all this security stuff...but I'm learning... My initial run of ANTS detected 3 trojans (one in WINDOWS\TEMP and 2 in Windows themes I had downloaded). It also suspected the file C:\Program Files\Gateway\SRCD\win32ui.exe

    deaditeash
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hello deaditeash, and  welcome!

    What you have seen is merely a report of open ports on your system. By no means does this imply your system has been infected in any way.

    What has been stated after each detected open port is merely the name of the trojan/backdoor that by default uses this port. One should regard this just as extra info; no more, no less.

    As for the scan result: did you perform the scan with heuristics set to medium? Using the high heuristics is bound to produce false positives.

    If scanned using high heuristic settings, please scan once more using the medium heuristic settings. Don't delete any file at this moment.

    Keep us posted!

    regards.

    paul
     
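The check behind Paul's point, as an added example that is not part of the thread and not code from ANTS: an "open port" line only tells you something is listening; what matters is which process owns the socket and whether its binary is known and signed. The function below is written for a current Windows (it uses the NetTCPIP cmdlets, so Windows 8/Server 2012 or later, run from an elevated prompt); the port list at the bottom is simply the numbers from the report quoted above.

```powershell
# Added example (not from the thread or from ANTS): for every listening TCP port,
# show the owning process, its image path and whether that binary carries a
# valid Authenticode signature. Run elevated so OwningProcess and Path are
# populated for services running as SYSTEM.
function Get-ListeningPortOwner {
    Get-NetTCPConnection -State Listen |
        Sort-Object -Property LocalPort |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }
            $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
            [pscustomobject]@{
                Port      = $conn.LocalPort
                Address   = $conn.LocalAddress
                PID       = $conn.OwningProcess
                Process   = if ($proc) { $proc.ProcessName } else { '(unknown)' }
                Path      = $path
                Signature = if ($sig) { $sig.Status } else { 'unknown' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}

# Usage: the full picture first ...
Get-ListeningPortOwner | Format-Table -AutoSize

# ... then only the ports the scanner named. A hit here is interesting only if
# the owner is an unknown, unsigned binary, not because a trojan list mentions
# the port number.
$reported = 1027, 1030, 5000
Get-ListeningPortOwner | Where-Object { $reported -contains $_.Port } | Format-List
```

On the Windows 2000/XP machines of the thread's era the same information comes from `netstat -ano` followed by `tasklist /fi "PID eq <pid>"` for each listening entry. Ports in the 1025-1030 range on those systems are normally dynamic RPC endpoints owned by Windows services, and 5000 is the SSDP/UPnP service, which is why a bare port list matches "trojan ports" so readily on a clean machine.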
  3. deaditeash

    deaditeash Registered Member

    Joined:
    Mar 9, 2002
    Posts:
    14
    I ran the scan again at medium and am getting a suspected file:

    C:\Program Files\Gateway\SRCD\win32UI.exe a Trojaner could be! (17) => program writes in Registry (Run, RunOnce etc.) or grasps on INIs to! => Program the system-index questions! => Program the windows-index questions! => Program questions the presently registered user! => Program belays a Port! => Program the sign chain "server" includes! => Program constructs DialUp-connections! Required time: 898 seconds
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    This is pointing to the Gateway System Restoration, and seems like a false positive to me.

    "could be" is related to the fact that the .exe file shows behaviour that matches common trojan (server) behaviour, as summed up.

    Nevertheless, to be absolutely on the safe side, you could send a copy of the file to the author of ANTS for examination: Andreas Haak, email: andy@ewido.com

    regards.

    paul
     
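Before mailing a suspect file anywhere, a practitioner would collect the facts that separate a false positive from a real backdoor: who signed the binary, what its version resource claims, its hash, and whether any Run/RunOnce key actually points at it (the first behaviour the heuristic flagged). The function below is an added example, not part of the thread and not ANTS code; it needs a current Windows PowerShell (Get-FileHash and Get-AuthenticodeSignature), and the path passed at the bottom is simply the one from the scan output above.

```powershell
# Added example (not from the thread or from ANTS): gather the evidence about one
# suspect executable that decides between "false positive" and "real backdoor".
function Test-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $name = $item.Name

    # Auto-start locations the heuristic referred to: Run/RunOnce for the
    # machine and for the current user.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $autostart = foreach ($key in $runKeys) {
        if (Test-Path -Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                # Skip PowerShell's own PSPath/PSParentPath/... note properties;
                # report any value that names this file.
                if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like "*$name*") {
                    "$key\$($p.Name) = $($p.Value)"
                }
            }
        }
    }

    [pscustomobject]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        Modified    = $item.LastWriteTime
        SHA256      = $hash
        Signature   = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Company     = $item.VersionInfo.CompanyName
        Description = $item.VersionInfo.FileDescription
        AutoStart   = @($autostart)
    }
}

# Usage: the file ANTS flagged in the post above.
Test-SuspectFile -Path 'C:\Program Files\Gateway\SRCD\win32ui.exe' | Format-List
```

A valid signature (or at least a version resource) from the OEM whose product the path belongs to, and no auto-start entry outside that product's own installation, is what a false positive looks like. An unsigned binary with no version information, a Run key entry and a listening socket is the combination worth sending to the scanner's author, together with the SHA256 so both sides can be sure they are looking at the same file.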
  5. wizard

    wizard Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    818
    Location:
    Europe - Germany - Duesseldorf
    It seems you use Ants 2.0. This version is outdated. I would not recommend using it anymore. There will be a new version 2.2 out soon. If you still use Ants 2.0, be careful with the results. Ants 2.0's heuristic and port scan features produce a lot of false positives.

    wizard
     
  6. deaditeash

    deaditeash Registered Member

    Joined:
    Mar 9, 2002
    Posts:
    14
    Ok - thanks - I actually ran the TDS eval and came up trojan free - I was aware ANTS is coming out with a new version and was suspicious...
     