MAJOR TROJAN KILLED OUR COMPUTER!

Hello All,

Last night I posted (MaryH) from our PE (Evaluation Version - I had JUST purchased and was unable to get complete version - long story) -
If you look at it closely - now listen, we learned this through experience, too late - the 5000 AND 1900 ports were open (using our FIRST IP address - we were on our new one when we posted, and although just shows it was "just" listening, that was while we were not online - and who knows how long they were there, and after we went online just ONE more time and AFTER reading up on what it was and what it could do, it destroyed everything right in front of our eyes!!! I have NEVER seen ANYTHING like this in my life! I cried, there was nothing we could do (in time) to fix it. I'm sure there were some steps we could have taken, but we only had THIS software for 2 or 3 days and not enough knowledge about Trojans... I just had to point it out so nobody else goes through what we did... PEACE and wish us luck restoring! Any helpful ideas in restoring our computer will be appreciated. At this point we are restoring our computer and then some! Is there anyway to tell if the Seagate boot sector SCSI hard drive is infected without further damage and/or system BIOS (I read it can start with the Slave)? What can we use and what steps should we take? As of now we will keep it off until tomorrow - hopefully clearer minds will prevail...


Mary Helen & Tommy

(we used a different e-mail addy than the one we registered with since we won't be on our modem for a while...)

 

Hi Mary Helen Tommy,

At first I am very sorry for your lost. Internet security knowledge starts that way as usual, sad.
I might not be the right person to answer you first, I just wanted to help you a little bit. The worst has happened already if I understood it right; all data is gone.

At first of all you should have a boot diskette, for your operating system, secondly you should have OS CD diskette. Insert both of them and start your computer. If it does not boot from the floppy diskette, you have to enable diskette booting on Bios. You might better do "format C:" first before reinstalling the operating system to make sure there are no viruses either trojans left.....formatting takes awhile so you can have a nice cup of hot coffee and relax After formatting partition C you might better reboot, that happens using three keys at the same time : ctrl, alt, del. When your computer boots up from the diskette, you have to select " CD -rom support" when it asks the boot type. That can be done by using up/down arrow buttons on keyboard. You are all this time on MS - Dos and on partition A:\ .

Now, after formatting you just type "Install", it should take effect [ A:\install] and start installing operating system. Follow the instructions on screen and do all it asks. You must have the OS OEM key too [ can be found on the cover of the OS handmanual] , the serial number for your operating system, if you do not have it, it doesn´t continue installing when it asks for it.

I hope you got all of these already; bootdiskette, OS CD.

I do not want to start speculating what it was but I think it might have been a 15 year old kid with trojan horse on your puter...but I also do not think it was a virus neither worm...

See:

"""MS Universal Plug and Play (UPnP)
TCP 1900, 5000
UDP 1900, 5000
Port 1900 is IANA registered by Microsoft for SSDP (Simple Service Discovery Protocol). Port 5000 is also registered, but not by Microsoft, and not for this service I don't think. Microsoft Security Bulletins: MS01-054, MS01-059. NIPC Advisory 01-030.2, SecurityFocus. Also see the Remote Access Trojan FAQ about port 5000."""


And the source for the info:
http://www.chebucto.ns.ca/~rakerman/trojan-port-table.html

And use Steve "Magic" Gibsons UnPlug n' Pray feature:
http://grc.com/default.htm

I hope this helps little bit -Ari

 

Hi Mary, sorry to hear that you lost your system to a trojan! . With Port Explorer you should look at all the sockets that appear and find out what application has those sockets. Under NT/2K/XP there are a lot of services so depending on your various network configurations there could be a lot of sockets on your system. Port Explorer is a tool you need to use to work out if everything on your system is going as it should be.

Port Explorer will alert you to any hidden/trojan possible applications by highlighting them in RED, those are your first concern. Second concern is any apps which are listening or sending/receiving data that you aren't sure about. Trojans and spyware are easily found in Port Explorer through this method. You can find out where the files are, investigate them, work out how they got there, etc, and if aren't sure about them you can try closing down the process and see what happens.

The one good thing you can take out of any infection scenario is you come out of it always with more knowledge.

-Jason-

 

Your netsurf.exe was commercial software from an ISP, to enable faster internet speed and always being connected.
You might have bought and installed it for that reason.

http://www.pacs-portal.co.uk/startup_pages/startup_full.htm
See here all conclusions about possible startup files and if necessary or not.

So this can't be a trojan unless a trojan went connected to it, or a trojan used that name.
We urgently asked you to forward infected files to Gavin, from the TDS lab to look into that file or if there were more alarms after you updated your radius database to send in the whole scandump.txt so we can look into it.

We have more questions we really would like to see answered to be able to give adequate help.

You didn't tell you were connected or not connected.
Port 5000 is normally the UPnP port, which can be closed with some tools,
1900 SSDP (UDP) --- is that part of the netsurf utility?
If you had written the PE log was created from the situation you thought not to be online those two lines on port 53 and 1900 with data receive and sent would have been very suspicious of course!
Further you don't describe in that one which windows services were connected to them, i imagined 53 could have to do with your email client.


What did you see happening exactly and why do you think you lost everything? did you see a trojan or other name in one of the scans?
Are there still older restore points to go to without the need of full rebuilding everything or is that gone too?

If still there, please make sure you get the most recent TDS radius database and be offline immediately after it. Unplug the modem from the wall to make really sure you can't even be connected with that netsurf thing on it. Do a full scan and please give us the scandump.txt you make when all is ready.
From there we can talk further.

 

TCP 5000 and UDP 1900 are both held 'open' by Universal Plug & Pray on ME and XP Windows systems... There need not be anything fishy about that. So Jooske's question on what exactly happened that made you think a trojan was at work was a very good one.

 

Without adequate answers and files or screenshots on essential questions it is impossible to trigger associated helpoptions by anyone trying to support here.
If going back to a former restore point is an option we could work from there and ask for a complete startup listing like created with hijackthis or startup list or autostartviewer,
compare unknown entries with users experiences and the startfiles overviews from the link i just posted above and with the TDS scandump.txt plus the PE log we can look what's more there and looking into lots more secure configuration.
So if first the system works again we want it infection free and want to know what is installed there in security hard- and software and what to do with that netsurf.exe, if that has configuration options for instance.
I know it's a lot and lot of braincells movement but for all a learning experience.

 

Well, this is certainly a lot to take in! My husband has already reformatted the two SCSII drives that we have and diabled the UPnP on the BIOS. Once we get back up and running we will upgrade our TDS & port explorer to full edition and get the logs that you are requesting. We will then forward them to you (Gavin - DiamondCS) for a check up and only go back on if we get the all clear.

You are right about the Netsurf. My husband now remembers downloading that. That always came up in red though and being new to all of these programs it rang alarms in my head as well.

The damage that this "person" did was too severe to restore our computer - we saw a backup of our computer on the desktop one minute - the next it was gone! The whole thing was bizarre and like out of a movie (no kidding). It's good for me to know that once we do get back on, we have the support we need to gain more knowledge and stay safe!

Thank you very much for your assistance!

Mary Helen & Tommy

(logs to follow probably tomorrow)