Impossible Trojan Horse

Unbeknownst to me...(don't they always start out that way) a very large system hidden(of course) file shows up. Redirects Current User through it's load bundle. And the only way it was discovered was bottle arsing through files, and discovers this 3 gig file. And I'll bet your'e saying under your breathe, "how could anyone not know that was there. Someone, a gamer, setup and running that type muscle throughput is undetected and the box gives not a clue?" Well, the short answer is, paranoid as it may seem(yeah,yeah), I have had great suspicions, but couldn't pin it down. Didn't say, I am not naive. At times the cable modem activity light stays solid more than breathes. So, me calls the provider, and I get an IQ of about 69, "Well, Mr. XYZ, every function is okay here, Do want to reset the modem". To which, I bark, "No, I am running a firewall in full stealth mode, AVP current, Ad-aware, and SpyBot-S&Daggressive, and it's not on this end". If they only knew what was found on this end. After discovering this mojo file, I'm seriouly looking for the greatest Trojan Horse kungFu kickarse program out there. And do my homework. Find this trick rad program name TD(touchdown) - 3 (my Sprint Car number). "I'ts an oman", says id to alter. Not... And then, I think, It's gotta be me. Please find that it's me.

Can anyone tell me how I can double check to make sure this great looking program does not smell that stank air. Here are the files found only by a command prompt doing a "find" command. Here are the files.


---------- C:WINNT\SOB\3000
c:\adlog.txt
c:\blocklog.txt
c:\recv_bp.txt
c:\send_bp.txt
c:\documents and settings\jwang\desktop\htlogs\%d.txt
c:\documents and settings\jwang\desktop\htlogs\%d.txt
c:\recv_ap.txt
c:\send_ap.txt
pec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
windir=C:\WINNT
ComSpec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
windir=C:\WINNT
\??\C:\WINNT\system32\winlogon.exe
NTREM c:\config.sys.
NTREM visible to an OS/2 program that opens c:\config.sys, however they are
NTREM modify NT OS/2 config.sys configuration by editing c:\config.sys with
REM OS/2 Apps that access c:\config.sys actually manipulate this information.
PROTSHELL=c:\os2\pmshell.exe c:\os2\os2.ini c:\os2\os2sys.ini \cmd.exe
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\x509\x509_vfy.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_eay.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_oaep.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_sign.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dsa\dsa_asn1.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dsa\dsa_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dh\dh_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\err\err.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\stack\stack.c
4@c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rand\md_rand.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\pkcs12\p12_decr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\lhash\lhash.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\objects\o_names.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_enc.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_srvr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_asn1.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_cert.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_ciph.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_rsa.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_sess.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\t1_enc.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\b_print.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\b_sock.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bf_buff.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bf_nbio.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bio_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_acpt.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_bio.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_conn.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_bitstr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_bytes.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_digest.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_dup.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_gentm.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_int.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_object.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_set.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_type.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_utctm.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_verify.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\asn1_lib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\i2d_dhp.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\i2d_r_pr.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\p8_pkey.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_algor.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_attrib.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_cinf.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_crl.c
c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\e
C:\WINNT\CSC
C:\WINNT\system32\
\??\C:\WINNT\system32\winlogon.exe
SERSPROFILE=C:\Documents and Settings\All Users
CommonProgramFiles=C:\Program Files\Common Files
ComSpec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
ALLUSERSPROFILE=C:\Documents and Settings\All Users
CommonProgramFiles=C:\Program Files\Common Files
ComSpec=C:\WINNT\system32\cmd.exe
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
ProgramFiles=C:\Program Files
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
USERPROFILE=C:\Documents and Settings\don
windir=C:\WINNT
ProgramFiles=C:\Program Files
SystemRoot=C:\WINNT
TEMP=C:\WINNT\TEMP
TMP=C:\WINNT\TEMP
USERPROFILE=C:\Documents and Settings\don
windir=C:\WINNT
ÿÿÿÿ’Mu’Muÿÿÿÿ7’Mu;’MuC:\perfc.dat
C:\MSHLOCAL.LOG
C:\DEBUG.LOG
c:\
X±ÿÿÿÿÀÿ*\G{00020430-0000-0000-C000-000000000046}#1.0#0#C:\WINNT\System32\stdole32.tlb#


nested in WINNT hidden System file.

I know that could run a Repair install routine, but I would like to know is this seemingly great program is going to work. BTW, I have already placed a folder around the file to keep it warm, but where "jwang" gets a "no one's home, when he wants to come play.

Honestly, I'd like to catch "jwang" and change the octice on his choir.

Thanks for your input,
And I apologize for the novel.

don
---------------

 

Welcome Don, Your prose is leaving me wondering exactly what you want?
If you download the trial version of TDS3 and the latest radius database & run a full scan, it is very unlikely that if TDS3 does not find a Trojan that you have one, You may also like to try Autostart Viewer available for free also from DCS.

Pilli

 

Philli,

For starters, thank you very much for your very timely response. Very impressive. The prose is just to add a 'touch of class'.

The straight of it is, I have already run TDS-3, w/ latest update file, on the "jwang" Trojan, and didn't get anything. This program is the reason I left the file on the system. Is there anyway that the programmer can escape your scan?

I know that I can run an installation repair, after nuken the files, after an ERD and full +system state backup, of course. I just wanted a kick arse Trojan scanner, and thought I had found "the one". What else can be done, before I bite the bullet, and is there an altenative way of removing this particular Trojan?

Appreciate you answer at you conveience.

Best regards,
don

BTW, kudos to whoever compiled the little forum proggie. Unique.
------------

 

Hi don..like your stuff and have been following it for a while know like 4 and twenty black birds baked in the pie

**************************************

You sure have a mystery there...you have been injected and i guess it is on the Win2K and not the 98...cant be a token rings but this might help...


OpenSSL Security Advisory [17 March 2003]

Timing-based attacks on RSA keys
================================

OpenSSL v0.9.7a and 0.9.6i vulnerability
----------------------------------------

Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been turned
on.

Typically, it will not have been, because it is not easily possible to
do so when using OpenSSL to provide SSL or TLS.


http://www.openssl.org/news/secadv_20030317.txt

 

Also this link my help you..


http://www.google.com/search?client=googlet&q=X%B1%FF%FF%FF%FF%C0%FF*%5CG%7B00020430-0000-0000-C000-000000000046%7D%231.0%230%23C%3A%5CWINNT%5CSystem32%5Cstdole32.tlb%23

 

Hi there dcdon,
If TDS didnt detect it or alert you to anything suspicious but you suspect the file is/might be a trojan, please send it to submit@diamondcs.com.au for analysis, requesting in the email information on disinfection

Best regards,
Wayne

 

I also think that the advice Pegasus gave you to run the the text find thingie was a good idea for the 3000...but I would have taken a different approach to start.

Wayne will sort it all out for you since there are certainly some things missing in that captured file you now have compiled.

3 meg is a lot of junk..and if it really is a compromise to your system. The answer is yes..you can track it.

Be Well,
John

 

DCDon Wrote:

A leading question but I can say that a new DCS tool will be out early next week which will certainly increase your PC's security by a large margin - prevention is better than cure

 

I'm still waiting to see the results of ASViewer, but in short there is no such thing as a text file trojan. There is no scripting in the file and from what has been provided we have no idea what created that text file. Will gladly take a close look at autostarts and running processes via ASViewer / Hijack This