slippery trojan cont.

Discussion in 'malware problems & news' started by zappa, Feb 10, 2002.

Thread Status:
Not open for further replies.
  1. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    http://pub24.ezboard.com/fsecureyesecurityfrm2.showMessageRange?topicID=42.topic&start=21&stop=33


    I will give up soon if it appears that I am out of my mind... but until then I will continue to ask questions.

    Someone at the TDS Forum said I had what appears to me to be a network program when I'm not on a network, at least not one I know about.  (Excuse me if I misinterpreted his statements.) Here it is:

    RegCleaner 4.3 by Jouni Vuorio

    Extension : ratfile
    Command : Open
    Program : Rundll32.exe

    If you choose to remove this item these keys would be removed
    HKEY_CLASSES_ROOT\ratfile\DefaultIcon
    HKEY_CLASSES_ROOT\ratfile\Shell
    HKEY_CLASSES_ROOT\ratfile
    _______________________________________________

    M3GAWOLF, yes, I ran the .exe fixer and all the rest and I corrected my WIN.INI to read as follows:

    load=
    NULLPORT=none
    run=
    device=hpdeskjet895seriesc
    ____________________________

    Are there supposed to be just two entries in WIN.INI, load and run, or others too, like I have now?


    Was my previous WIN.INI altered due to a trojan or just normal stuff that happens?
    Net_Toob was a plugin for Netscrape and at one time I had items running automatically in Win98 so I think I may know what those items were initially... but what the hay do I know?


     
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    zappa - First of all, congratulations for making the move to the new forum and welcome!

    As you might have noticed, I am now spy1 (which is my nic everywhere else on the net, just couldn't get that one at the old site) - no longer M3gaW0lf.

    As to your comments:

    RegCleaner DOES contain a 'network' feature. I really have no idea what it is, since I've never used it. You might want to read up in the 'Help' files on it and see. In the meantime, you can go to the main screen and see if you have the words 'LAN Tool' there anywhere - if you do, it SHOULD be greyed out if you don't use it (please verify).

    Also, if you click on 'Preferences', then 'Network', is there a checkmark in 'Enabled'? (I'm using jv16 PowerTools, NOT RegCleaner, BTW, just to clarify. You might want to dump RegCleaner - if indeed that's what you have - and go to PowerTools instead, just to see if that's what's causing the problems. Make sure you DON'T enable any 'network'-type features in PowerTools until you know what it does, to prevent starting the problem all over again, if that's what it is.)

    Can't really tell you if "hpdeskjet895seriesc" is supposed to be there or not - I know my printer doesn't show up in that line (you might want to check into that further with HP tech support). HTH Pete
     
  3. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Thank you for the nice words Spy1.  Responses to your ideas:

    1) I could not find any references in RegCleaner to Lan Tools.  I looked twice too.  My preferences tab in RegCleaner does not have a Network section.
    2) Nothing on my PC has Lan enabled or file sharing.  I have always checked those items, NO.


    I will contact HP and see about the entry in WIN.INI.  
    thanks
     
  4. FanJ

    FanJ Guest

    Hi Zappa,

    I have an HP DeskJet 970CXi.

    The first part (that means the [windows] part) of my winini file (W98SE) is:

    [windows]
    load=
    run=
    NullPort=None
    device=HP DeskJet 970C Series,hpf9xdr0,LPT1:
    open=
    MouseTrails=-7

    So yes, it looks like that line in your winini file with HP mentioned in it is maybe OK.

    You could also have a look here:
    http://productfinder.support.hp.com...are&h_query=deskjet895&Submit.x=13&Submit.y=8
    but I have to admit that with a quick look at these pages, I didn't find it.
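The question above is really "which lines in the [windows] section of WIN.INI start programs?" On Windows 3.x/9x only load= and run= do; device=, NullPort= and MouseTrails= are printer and desktop settings. The following is an added example, not code from this thread or from any tool mentioned in it: a small parser that reads the [windows] section and lists every program named in load= or run=. The clean sample is built from the values FanJ posted; the second sample is constructed with a hypothetical program path purely to show what a hit looks like.

```python
"""Check the [windows] section of a WIN.INI file for autostart entries.

Added example, not code from the thread. On Windows 3.x/9x the load= and
run= lines under [windows] launch programs at logon, so a persistence check
reads exactly those two keys and ignores printer/desktop settings.
"""
from typing import Dict, List

# Keys in [windows] that start programs at logon.
AUTOSTART_KEYS = ("load", "run")

# Constructed sample: the section FanJ posted (Win98SE, HP DeskJet 970C).
WININI_CLEAN = """[windows]
load=
run=
NullPort=None
device=HP DeskJet 970C Series,hpf9xdr0,LPT1:
open=
MouseTrails=-7

[Desktop]
Wallpaper=(None)
"""

# Constructed sample with a HYPOTHETICAL program in run= (not a real file
# from the thread); shows what a persistence hit looks like.
WININI_SUSPECT = WININI_CLEAN.replace("run=\n", r"run=c:\windows\hypothetical.exe" + "\n")


def parse_windows_section(text: str) -> Dict[str, str]:
    """Return key -> value for the [windows] section, keys lower-cased.

    A hand-rolled parser is used instead of configparser because WIN.INI
    sections may contain lines without '=' and duplicate keys elsewhere.
    """
    section = None
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip().lower()] = value.strip()
    return values


def autostart_programs(text: str) -> List[str]:
    """List every program named in load= or run= as 'key=program'.

    Windows separates multiple entries with spaces or commas, so both are
    treated as separators (paths containing spaces are therefore split;
    on the 9x systems discussed here short 8.3 names are the norm).
    """
    found: List[str] = []
    values = parse_windows_section(text)
    for key in AUTOSTART_KEYS:
        for item in values.get(key, "").replace(",", " ").split():
            found.append(f"{key}={item}")
    return found


def is_clean(text: str) -> bool:
    """True when neither load= nor run= names a program."""
    return not autostart_programs(text)


if __name__ == "__main__":
    for label, sample in (("clean", WININI_CLEAN), ("suspect", WININI_SUSPECT)):
        print(label, "->", autostart_programs(sample) or "no autostart entries")
```

An empty load= and run= is the expected state on a home Win98 box; anything listed there deserves the same scrutiny as a Run key in the registry, while the device= line only tells you which printer driver is the default.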
     
  5. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    At this point in time I am inserting my foot in my mouth.  Although weird stuff has happened and this stuff was definitely bizarre, all I know at this point is that my quiver is  intact.  Didn't get to take a shot, blanked and didn't even get to see one.  At this point, it is safe to say that there is no trojan on my system.  If TDS-3 could not find it, it is not there.  Period.          


    So my last question and I will let this thread die.  I found this program in my startup, mdac_runonce.  I worked my way around to find out I have this Microsoft Data Client Server on my system.  Hadn't a clue it was there.  Yea, it's in my control panel big as day but never had a reason to open it up or check it out.  The mdac_runonce in start up is related to this program.  Probably why when I was starting TDS-3 it was always telling me my startup registry had changed since mdac_runonce is a part of Windows/system/runonce.exe.  


    My usual question, does anyone else have the following two icons in their control panel in Win98SE, MS DTC client configuration and ODBC Data Sources (32bit)?   I bet this is why all the weird stuff has been happening.  Probably why my krnl386.exe is calling home every two minutes and is larger in actual size than others.  The ODBC-DS is a server for some type of network of which I need to research to see what it does and why I have it.  Probably will explain why my Internet access program gets stuck in the open position and why I can't disconnect it and why certain ports are open... might explain a whole bunch of stuff.   Probably will explain why I have network .dll's too.

    Thank goodness I bought new tennis shoes...
     
  6. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    zappa - " does anyone else have the following two icons in their control panel in  Win98SE, MS DTC client configuration and ODBC Data Sources (32bit)?"

    I have ODBC Data Sources icon on my W98SE computer (never really looked at/played with it, but we can compare fields in the different tabs if you wish), but not MS DTC client configuration.

    HTH Pete
     
  7. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Everyone has ODBC. It is a universally accepted standard for relational database systems so that data from one can always be converted to another. Hence Oracle tables can be imported into SQL Server tables, or MySQL tables etc. If I am coding an ASP website for someone I may make a DSN connection for the website to the database by using tools found in the ODBC section.

    MS DTC info can be found here: http://www.execpc.com/~gopalan/com/msdtc.html

    When I installed VisualStudio.net I have to get the latest version of MS DTC and MDAC. I would assume it is harmless.
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hi, UNICRON!

    Everyone may have it, but it is not showing as an icon in my W98SE computers' Control Panel (which is what he asked).

    Is my OS missing something? Pete
     
  9. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Pete, you do NOT have an ODBC icon in control panel? Hmm. I had Win98 SE and it always did from install. Perhaps it has to do with choices made at install. But your computer can't run without ODBC so it must be there, just perhaps no icon to do anything with it.
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Could it have something to do with the fact that I went from W98 to W98SE via the Updates CD? Pete
     
  11. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    dunno, I had an ODBC icon with a default install of win95 back in the day.
     
  12. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    I have been checking out the ODBC server and all the drivers are up to date as of 2-9-02.  Don't know how or why they are so updated since I have never opened the thing.  Then there are Portuguese language drivers and English language drivers.  I opened the trace logs and there was what appears to be either encrypted or coded info.   I guess it has carte blanche to access the net?

    I continue to notice an unusual amount of other computers wanting to connect to mine.  Wonder if the connection attempts are related to the ODBC server.

    Could someone use this server to access my system?      
     
  13. FanJ

    FanJ Guest

    Pete, I too got from 98 to 98SE, and I have the ODBC-icon in Control-panel.
     
  14. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    Scan Control Dumped @ 07:55:24 23-02-02
    Positive identification: Demo.Leaktest (Not a trojan)
     File: c:\my download files\leaktest.exe

    Positive identification <Adv> (in archive): Possible keylogger
     File: nfrbofl.exe (In c:\download\bof-1-01.zip)

    Suspicious Filename: Dual extensions
     File: c:\download\all_installs2\freeshade1.003.exe

    Positive identification <Adv>: Possible keylogger
     File: d:\hook\hprot32.exe
     
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Zappa,

    Seems to indicate you do have a (rather useless) program called "BO Freeze" on your system. This app is supposed to freeze the Back Orifice trojan client of someone scanning your system for the existence of a Back Orifice server on your system. Dump it.

    Indicates you have the desktop tool "Freeshade" installed on your system. What are the exact two extensions named?

    Points to HookProtect from DCS installed on your system. If so, no need to worry; perfectly safe program.

    regards.

    paul
     
  16. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    1) Dumped BO Freeze.  I was taking the attitude the best defense is a good offense.   That was the way it was "sold" to me.  

    2) When I installed Freeshade it self extracted to Windows\System and therein lies the only two extensions I initially see.  Freeshade.dll and Freeshade.exe.  

    thanks.  
     
  17. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Hi zappa,

    It seems to me we are talking about different things here. In the first quote above, it's indicated the file "freeshade1.003.exe" contains a double extension - probably one hidden extension. This is before the file has been executed. After execution (installation), it's not unusual to encounter several extensions.

    Thus, I'm still curious about the double extensions from the original (not yet executed) .exe file.

    regards.

    paul
       
     
  18. zappa

    zappa Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    176
    Location:
    Los Angeles, Ca.
    In folder options I had previously unchecked "show all hidden files" so I can see all hidden files.  I just unchecked the box that says "all hidden files with known extensions."  

    The only thing I can think of is that TDS flagged it  as double extensions because there are two dots in the application name.   If that statement is stupid bear with me.   That is the only difference between the Freeshade application and all the rest in the folder.  

    Hopefully, I am getting closer to talking about the same thing you are.  
     
  19. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    TDS-3 or WormGuard will b!tch about multiple file extensions if a file has two dots in the file name:

    e.g.:  scary.jpg.vbs
           perl5.6.1.exe
           Linux-mini-HOWTOs-20020226.tar.gz

    as you can see one of these is obviously suspicious, while the other two are not.

    DiamondCS products let you decide what to do and report all double file extensions.
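The two posts above describe the whole heuristic: a "double extension" warning fires on any name with two dots, which catches scary.jpg.vbs but also perl5.6.1.exe and freeshade1.003.exe, and the danger case is the one where Explorer's "hide extensions for known file types" setting strips the real .vbs or .exe so the user only sees scary.jpg. The following is an added example, not code from TDS-3, WormGuard or anything else in the thread: a classifier that reproduces the naive two-dot warning, then separates the genuinely deceptive shape (a data-looking extension hiding in front of an executable one) from version numbers and .tar.gz style compounds, plus a function that shows what the name would look like with known extensions hidden. The extension sets are an assumption (a practical subset, not the full registered list on any given machine); the sample names are UNICRON's and zappa's plus two constructed ones.

```python
"""Double-extension triage for Windows file names.

Added example, not code from the thread or from any product named in it.
Reproduces the naive 'two dots' warning and then rates the name:
  'suspicious' - a data-looking extension sits in front of an executable one
  'multi-dot'  - more than one dot, but no deceptive pattern (version numbers)
  'ok'         - a single extension, or a known compound such as .tar.gz
"""
from typing import List, Tuple

# Assumption: extensions Windows runs directly or hands to a script engine.
EXECUTABLE_EXTS = {
    "exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "lnk", "dll", "cpl", "reg",
}
# Assumption: extensions a user expects to be harmless data.
DATA_EXTS = {
    "jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "xls", "pdf",
    "mp3", "avi", "zip", "gz", "tar", "htm", "html",
}
# Compound suffixes that legitimately carry two dots.
COMPOUND_SUFFIXES = {("tar", "gz"), ("tar", "bz2"), ("tar", "xz")}


def naive_double_extension(filename: str) -> bool:
    """The rule the thread describes: warn on any name with two or more dots."""
    return filename.count(".") >= 2


def classify(filename: str) -> str:
    """Rate a file name as 'suspicious', 'multi-dot' or 'ok'."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return "ok"                       # at most one extension
    last, inner = parts[-1], parts[1:-1]
    if tuple(parts[-2:]) in COMPOUND_SUFFIXES and len(parts) == 3:
        return "ok"                       # archive.tar.gz
    if last in EXECUTABLE_EXTS and any(tok in DATA_EXTS for tok in inner):
        return "suspicious"               # scary.jpg.vbs, report.txt.exe
    return "multi-dot"                    # perl5.6.1.exe, freeshade1.003.exe


def displayed_name(filename: str, hide_known: bool = True) -> str:
    """Name Explorer shows with 'hide extensions for known file types' on:
    the final extension is dropped when it is a registered type."""
    if not hide_known:
        return filename
    stem, dot, ext = filename.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DATA_EXTS:
        return stem
    return filename


def triage(names: List[str]) -> List[Tuple[str, bool, str, str]]:
    """For each name: (name, naive warning, verdict, what Explorer displays)."""
    return [(n, naive_double_extension(n), classify(n), displayed_name(n)) for n in names]


# Names from the thread plus two constructed ones (report.txt.exe, readme.txt).
SAMPLE_NAMES = [
    "scary.jpg.vbs",
    "perl5.6.1.exe",
    "Linux-mini-HOWTOs-20020226.tar.gz",
    "freeshade1.003.exe",
    "report.txt.exe",
    "readme.txt",
]

if __name__ == "__main__":
    for name, naive, verdict, shown in triage(SAMPLE_NAMES):
        print(f"{name:36} naive={naive!s:5} verdict={verdict:10} shown as: {shown}")
```

The displayed_name column is the point of Paul's question: with known extensions hidden, scary.jpg.vbs and report.txt.exe appear as harmless documents, while freeshade1.003.exe merely loses its .exe and still looks like a versioned installer, which is why a two-dot rule alone produces the false positive zappa saw.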
     