Trojan Infection WinXP

Discussion in 'malware problems & news' started by JV, Jan 9, 2003.

Thread Status:
Not open for further replies.
  1. JV

    JV Guest

    Hello,
    Thank you for redirecting me to the correct forum.

    My problem is I have been told that my system has major trojans infections. I was also told that the only way to fix the problem was to copy my important files and folders and then completely delete the hard drive and reinstall WinXP.
    I am just not buying that. I don't think because I am showing open ports that I have a major problem. When I run Anti-Trojan it says I am clean. When I run The Cleaner, it says no Trojans found. When I do port scans from Sygate, I am in Stealth mode so how have I gotten major infections? I was using Norton Firewall, then Sygate and now I am using ZoneAlarm Pro which I really prefer. I have to tell you that I am a novice and reformatting my hard drive is way over my head. I really need another way to go.

    Thank you very much.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    Hi JV,

    Thanks for posting over here. :)

    Okay, first up. Who or what told you that you have "major trojans infections"? That is key to helping us understand your situation...

    Some open ports on Windows XP, especially if you left it configured at the defaults it came installed with, is normal. It does take effort to close down ports, but, since you've been using firewalls, those open ports may well have always been protected from the Internet. (This depends upon what access rights you've given programs, but, we'll skip that for the moment.)

    From all the scans you've done, using all the tools mentioned, it certainly does not sound like you have multiple infections. In fact, it sounds like you might be clean.

    What ports are open, do you have the list? (You could bring up a CMD prompt and run "netstat -an" to see a list of open ports and then tell us here which they are.)

    Let us know,
    LowWaterMark
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    JV,

    Here is a website that has a lot of information on open ports on Windows 2000 or XP. This page is very detailed and highly technical. But, the main thing I'm referring you to is the first list of all the open ports shown on a typical Windows XP system. I'll quote below the link the sample netstat they show...

    http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

    As you can see (below), a typical XP system does have a lot of open ports.

    On a Windows XP system, the netstat -ano command returns:

    C:\WINDOWS>netstat -ano

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
      TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       976
      TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1160
      TCP    192.70.106.143:139     0.0.0.0:0              LISTENING       4
      UDP    0.0.0.0:135            *:*                                    884
      UDP    0.0.0.0:445            *:*                                    4
      UDP    0.0.0.0:500            *:*                                    704
      UDP    0.0.0.0:1026           *:*                                    1112
      UDP    0.0.0.0:1027           *:*                                    976
      UDP    127.0.0.1:123          *:*                                    976
      UDP    127.0.0.1:1900         *:*                                    1160
      UDP    192.70.106.143:123     *:*                                    976
      UDP    192.70.106.143:137     *:*                                    4
      UDP    192.70.106.143:138     *:*                                    4
      UDP    192.70.106.143:1900    *:*                                    1160

    Just thought you should see this,
    LowWaterMark
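
A small script that reads the netstat listing quoted above and summarises it the way a reviewer would: which PID owns each listening socket, whether it is bound to every interface (0.0.0.0), to loopback only (127.0.0.1) or to one specific address, and which ports are not accounted for by the stock XP services. This is an added example for this thread, not code from the thread or from any tool mentioned in it; the sample input is the hsc.fr listing quoted above, embedded so the script runs offline, and the default-service table is a fixed list of well-known Windows ports, not something the thread supplies.

```python
"""Summarise listening sockets per process from the text of `netstat -ano`.

Added example for this thread, not code from the thread or any tool it names.
"""
from collections import defaultdict, namedtuple

Endpoint = namedtuple("Endpoint", "proto ip port state pid")

# Sample input: the `netstat -ano` listing quoted in the post above (hsc.fr page).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       976
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1160
  TCP    192.70.106.143:139     0.0.0.0:0              LISTENING       4
  UDP    0.0.0.0:135            *:*                                    884
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:500            *:*                                    704
  UDP    0.0.0.0:1026           *:*                                    1112
  UDP    0.0.0.0:1027           *:*                                    976
  UDP    127.0.0.1:123          *:*                                    976
  UDP    127.0.0.1:1900         *:*                                    1160
  UDP    192.70.106.143:123     *:*                                    976
  UDP    192.70.106.143:137     *:*                                    4
  UDP    192.70.106.143:138     *:*                                    4
  UDP    192.70.106.143:1900    *:*                                    1160
"""

# Well-known ports that a stock Windows XP install binds by default.
XP_DEFAULT_SERVICES = {
    123: "W32Time (NTP)",
    135: "RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
    500: "IKE (IPsec)",
    1900: "SSDP (UPnP discovery)",
    5000: "UPnP device host",
}


def parse_netstat(text):
    """Return one Endpoint per TCP/UDP line. TCP lines carry a State column and
    UDP lines do not, so the PID is taken from the last token either way."""
    endpoints = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("TCP", "UDP"):
            continue
        proto, local = tokens[0], tokens[1]
        ip, port = local.rsplit(":", 1)  # rsplit keeps IPv6 literals intact
        state = tokens[3] if proto == "TCP" else ""
        endpoints.append(Endpoint(proto, ip, int(port), state, int(tokens[-1])))
    return endpoints


def listening(endpoints):
    """Keep only sockets that accept unsolicited input: TCP sockets in the
    LISTENING state and every bound UDP socket."""
    return [e for e in endpoints if e.proto == "UDP" or e.state == "LISTENING"]


def exposure_report(endpoints):
    """Group listening sockets by owning PID and by how widely each is bound."""
    report = defaultdict(lambda: {"all_interfaces": [], "loopback": [], "specific": []})
    for e in listening(endpoints):
        if e.ip == "0.0.0.0":
            bucket = "all_interfaces"
        elif e.ip.startswith("127."):
            bucket = "loopback"
        else:
            bucket = "specific"
        report[e.pid][bucket].append(f"{e.proto}/{e.port}")
    for buckets in report.values():
        for key in buckets:
            buckets[key].sort()
    return dict(report)


def describe_port(port):
    """Label a port against the XP default-service table. Ports in the dynamic
    range are usually RPC/DCOM listeners but still need tying back to a PID."""
    if port in XP_DEFAULT_SERVICES:
        return XP_DEFAULT_SERVICES[port]
    if 1024 <= port <= 5000:
        return "dynamic-range listener, verify the owning process"
    return "not a default XP service, verify the owning process"


def unexplained_ports(endpoints):
    """Sorted listening ports that the XP default-service table does not cover."""
    return sorted({e.port for e in listening(endpoints) if e.port not in XP_DEFAULT_SERVICES})


if __name__ == "__main__":
    eps = parse_netstat(SAMPLE_NETSTAT)
    for pid, buckets in sorted(exposure_report(eps).items()):
        print(f"PID {pid}: {buckets}")
    for port in unexplained_ports(eps):
        print(f"port {port}: {describe_port(port)}")
```

On the quoted listing this leaves only 1025, 1026 and 1027 unexplained, and all three belong to PIDs that also own the RPC or NTP sockets, which is the point LowWaterMark makes: the question is never "is the port open" but "which process owns it and is that process expected". A port open on 0.0.0.0 is reachable on the dial-up interface unless the firewall blocks it; one bound to 127.0.0.1 is not.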
     
  4. JV

    JV Guest

    A programmer business associate/friend had me download VNC Viewer from the UK and he looked inside my system in MD from his house in Maine. He has Linux on a cable and I am Windows on dial-up so it was taking way too long for pages to load. He said there were too many problems in my system and it would take too long this way. His next suggestion was to take it to a computer repair shop and have them reformat it.

    That is not an option for me. I have to find a way to take care of this online if at all possible.

    Something he said when I talked to him on the phone made me lose confidence in his ability to help me. His statement was, you know if I help you format your system I am using Linux. Like all of a sudden he is not sure he can help me with Windows. Anyway, I am supposed to be copying all my files tonight so he can walk me through deleting and reinstalling XP tomorrow. There just has to be another way.

    Results From Anti-Trojan Version 5.5.407
    Trojan-Search Start of search: 1/8/2003 11:40:26 PM
    End of search: 1/9/2003 12:05:53 AM

    Port-Scan: (found known ports)

    $aopenports$

    Registry-Scan:

    Drive-Scan:

    Number of scanned files: 44195
    Number of found trojan-files: 0

    Congratulations! No Trojans found in your system.
       
    Port-Scan:   
    The portscan shows open ports on Your system. But an open port doesn't mean, also if there stands "possible trojan", that there must be an trojan on Your PC.    

    All open ports on Your system:

    Port 135 open.
    Port 139 open.
    Port 445 open.
    Port 1025 open.
    Port 1027 open.
    Port 1030 open.
    Port 1031 open.
    Port 1032 open.
    Port 1035 open.
    Port 1040 open.
    Port 1041 open.

    Registry-Scan:   
    The registry-scan search for known registry-keys of trojans an remove them.    

    Drive-Scan:   
    The disk-scan search on the directories or drives You want for trojans.    

    The following trojan-files were found: 0
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    That list of ports you show from Anti Trojan's output is not terribly unusual on XP (see my post right above yours). Just wondering... Why did you have him check your system anyway - were you experiencing a problem that you thought he could help you fix? Some sign of infection?

    If you have a little time, there are a number of things you can do that will give us some extra information, which can help us determine if you do have problem software on your system.

    If you will download and install a program called "StartupList v1.5", it will give you a complete list of all programs that are configured to start when you boot your system. It is an excellent tool for finding trojans in your startup files. The output it gives you, while a few pages long, can be cut/pasted into a post here, and then people here can diagnose it for you.

    It's a quick install and it's available here:

    http://www.lurkhere.com/~nicefiles/index.html
     
  6. JV

    JV Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    9
    Location:
    Annapolis, MD USA
    StartupList report, 1/9/2003, 2:46:12 AM
    StartupList version: 1.50
    Started from : C:\unzipped\startuplist15\StartupList.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\MMKeybd.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\EarthLink 5.0\ConMgr.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\Program Files\Anti-Trojan-55\ATWatch.exe
    C:\Program Files\The Cleaner\tca.exe
    C:\Program Files\The Cleaner\tcm.exe
    C:\WINDOWS\Nhksrv.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\System32\PackethSvc.exe
    C:\Program Files\America Online 7.0b\aoltray.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\CallWave\IAM.exe
    C:\Program Files\Common Files\efax\Dllcmd32.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\America Online 7.0b\waol.exe
    C:\PROGRA~1\WINZIP\winzip32.exe
    C:\unzipped\startuplist15\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0b\aoltray.exe
    Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    Live Menu.lnk = C:\Program Files\Common Files\efax\Dllcmd32.exe
    Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    Microsoft Works Calendar Reminders.lnk = ?
    WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    DellTouch = C:\WINDOWS\MMKeybd.exe
    NvCplDaemon = RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    AdaptecDirectCD = "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    UpdReg = C:\WINDOWS\Updreg.exe
    AHQInit = C:\Program Files\Creative\SBLive\Program\AHQInit.exe
    WorksFUD = C:\Program Files\Microsoft Works\wkfud.exe
    Microsoft Works Portfolio = C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe
    NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    PestPatrol Pest Removal = C:\Program Files\PestPatrol\autoupdate.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
    Weather = C:\Program Files\AWS\WeatherBug\Weather.exe 1
    msnmsgr = "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

    [>{26923b43-4d38-484f-9b9e-de460746276c}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    [{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
    StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Load/Run keys from C:\WINDOWS\WIN.INI:

    load=
    run=

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=
    HKLM\..\Windows\CurrentVersion\WinLogon: load=
    HKLM\..\Windows\CurrentVersion\WinLogon: run=
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=
    HKCU\..\Windows\CurrentVersion\WinLogon: load=
    HKCU\..\Windows\CurrentVersion\WinLogon: run=
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=
    HKLM\..\Windows NT\CurrentVersion\Windows: load=
    HKLM\..\Windows NT\CurrentVersion\Windows: run=
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=NVDESK32.DLL

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    *INI section not found*
    *INI section not found*
    *INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\sspipes.scr
    *Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: *Registry key not found*
    HKLM\..\Policies: *Registry value not found*

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\WINDOWS\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\WINDOWS\Explorer\Explorer.exe: not present
    C:\WINDOWS\System\Explorer.exe: not present
    C:\WINDOWS\System32\Explorer.exe: not present
    C:\WINDOWS\Command\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Disk Cleanup.job
    LiveUpdate - Norton AntiVirus.job
    Norton AntiVirus - Scan my computer.job
    Symantec NetDetect.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [CWDL_DownLoadControl Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\CWDL_DownLoad.dll
    CODEBASE = http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

    [Yahoo! Audio Conferencing]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yacscom.dll
    CODEBASE = http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab

    [Create and Print ActiveX Plug-in]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\AxCtp.dll
    CODEBASE = http://www.americangreetings.com/cnp/Install/AxCtp.cab

    [RdxIE Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\RdxIE.dll
    CODEBASE = http://207.188.7.150/2813e831ff992d92b323/netzip/RdxIE6.cab

    [PWMediaSendControl Class]
    InProcServer32 = C:\WINDOWS\System32\PWACTIVEXIMGCTL.DLL
    CODEBASE = http://216.249.24.143/code/PWActiveXImgCtl.CAB

    [HouseCall Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
    CODEBASE = http://a840.g.akamai.net/7/840/537/2002121801/housecall.antivirus.com/housecall/xscan53.cab

    [MSN Chat Control 4.2]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat42.ocx
    CODEBASE = http://sc.communities.msn.com/controls/chat/msnchat42.cab

    [{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
    CODEBASE = http://images.bonzi.com/freebuddy/wd/bbsetuppro.exe

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security2.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

    [ContentAuditX Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\CONTEN~1.OCX
    CODEBASE = http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [GpcContainer Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ieatgpc.dll
    CODEBASE = http://us3.webex.com/client/latest/webex/ieatgpc.cab

    --------------------------------------------------

    Enumerating Winsock LSP files:

    Protocol #1: wps.dll (file MISSING)
    Protocol #2: wps.dll (file MISSING)
    Protocol #3: wps.dll (file MISSING)
    Protocol #4: wps.dll (file MISSING)
    Protocol #5: wps.dll (file MISSING)
    Protocol #6: wps.dll (file MISSING)
    Protocol #7: wps.dll (file MISSING)
    Protocol #8: wps.dll (file MISSING)
    Protocol #9: wps.dll (file MISSING)
    Protocol #10: wps.dll (file MISSING)
    Protocol #11: wps.dll (file MISSING)
    Protocol #12: wps.dll (file MISSING)
    Protocol #13: wps.dll (file MISSING)
    Protocol #14: wps.dll (file MISSING)
    Protocol #15: wps.dll (file MISSING)
    Protocol #16: wps.dll (file MISSING)
    Protocol #17: wps.dll (file MISSING)
    Protocol #35: wps.dll (file MISSING)

    --------------------------------------------------
    End of report, 11,633 bytes
    Report generated in 0.531 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    JV,

    First, I see you've registered as a member here - Welcome !!! :)

    Note that I replied to your IM, and yes, you do have a number of open ports, but still, from the startuplist above - you are running a lot of software.

    At a very quick glance, I see you do have a lot of software, especially security software components, multimedia tools and add-ons, and not much jumped out in a 60 second overview. I'll take a deeper look for a bit, though it's very late where I am, but I hope others will jump in, too.

    Thanks for the extra information,
    LowWaterMark
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,842
    Location:
    New England
    Hmm, anyone know what "PackethSvc.exe" is??
     
  9. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi LowWaterMark, and welcome to you JV!

    LWM - i just did a quick search and all i could come up with was a post about it being an AOL file...(i don't know AOL at all, but thought i'd post what i found since JV did mention he was on dial-up)

    snap
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Googling around, I see it causes more questions.
    Here is an answer: AOL * Virtual Adapter Service (America Online)

    PE will have several translations for processes mapped to ports, TDS could scan for the trojans which i don't suppose to be there from the story till now.

    What was the reason for asking the person for help in the first place, are there problems on the system?
     
  11. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    LOL....beat ya by a split second there Jooske! We must have been searching at the same time. :)
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Not much to find about that one, but in this case it makes sense:
    http://www.computing.net/security/wwwboard/forum/628.html

    You do have a few ActiveX components I don't trust, go to Internet Options > Temp. Internet Files > Settings > Show Objects, and examine all ActiveX objects you see there.
    Right-click each one in turn, choose 'properties', and check the Version tab.
    If the company is anyone else but Macromedia, Apple or Microsoft, right-click that file, and choose 'remove'. The only exception could be Housecall. If you use that often, it can stay.

    I'm wondering what the reason was you wanted to check in the first place.
    If there are any trojans I'm missing them, but I do see a lot of programs that start up at boot unnecessarily.

    Regards,

    Pieter
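
A way to pre-screen the "Enumerating Download Program Files" section of the StartupList report before working through the Show Objects dialog by hand. This is an added example for this thread, not code from StartupList or from any poster. Pieter's rule keys on the company name in each file's Version tab, which the report does not contain, so the script uses the CODEBASE host as a stand-in (an assumption): it flags hosts outside a small vendor allow-list that mirrors the three vendors he names, hosts that are bare IP addresses, CODEBASEs that point at an .exe rather than a .cab, and entries with no InProcServer32 registered. The sample input is a constructed excerpt of the report quoted earlier in the thread.

```python
"""Pre-screen the ActiveX ('Download Program Files') section of a StartupList report.

Added example for this thread, not StartupList's own code. The vendor allow-list
and the use of the CODEBASE host as a proxy for the Version-tab company name are
assumptions made here, not rules from the thread.
"""
import re
from urllib.parse import urlparse

# Constructed excerpt of the report section quoted earlier in the thread.
SAMPLE_SECTION = r"""Enumerating Download Program Files:

[CWDL_DownLoadControl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CWDL_DownLoad.dll
CODEBASE = http://www.callwave.com/include/cab/CWDL_DownLoad.CAB

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\CONFLICT.1\RdxIE.dll
CODEBASE = http://207.188.7.150/2813e831ff992d92b323/netzip/RdxIE6.cab

[PWMediaSendControl Class]
InProcServer32 = C:\WINDOWS\System32\PWACTIVEXIMGCTL.DLL
CODEBASE = http://216.249.24.143/code/PWActiveXImgCtl.CAB

[{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
CODEBASE = http://images.bonzi.com/freebuddy/wd/bbsetuppro.exe

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[MSN Chat Control 4.2]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat42.ocx
CODEBASE = http://sc.communities.msn.com/controls/chat/msnchat42.cab

--------------------------------------------------
"""

# Assumption: vendor domains standing in for the Macromedia/Apple/Microsoft rule.
TRUSTED_DOMAINS = ("microsoft.com", "msn.com", "macromedia.com", "apple.com")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_section(text):
    """Return one dict {name, inproc, codebase} per [bracketed] entry, stopping
    at the dashed separator that ends the section."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----"):
            break
        if line.startswith("[") and line.endswith("]"):
            current = {"name": line[1:-1], "inproc": None, "codebase": None}
            entries.append(current)
        elif current is not None and " = " in line:
            key, _, value = line.partition(" = ")
            if key == "InProcServer32":
                current["inproc"] = value
            elif key == "CODEBASE":
                current["codebase"] = value
    return entries


def is_trusted_host(host):
    """True when the host is one of the allow-listed vendor domains or a subdomain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess(entry):
    """Return the reasons this entry deserves a manual look (empty list = keep)."""
    reasons = []
    if not entry["codebase"]:
        return ["no CODEBASE recorded; origin unknown"]
    url = urlparse(entry["codebase"])
    host = url.hostname or ""
    if IPV4_RE.match(host):
        reasons.append(f"served from a bare IP address ({host})")
    elif not is_trusted_host(host):
        reasons.append(f"host {host} is not on the vendor allow-list")
    if url.path.lower().endswith(".exe"):
        reasons.append("CODEBASE points at an .exe installer, not a .cab")
    if entry["inproc"] is None:
        reasons.append("no InProcServer32 registered (incomplete or partly removed install)")
    return reasons


def triage(text):
    """Map entry name -> review reasons, keeping only entries that need review."""
    flagged = {}
    for entry in parse_section(text):
        reasons = assess(entry)
        if reasons:
            flagged[entry["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SECTION).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On the excerpt, the Flash and MSN Chat controls pass and the other four are listed for review; the Bonzi entry collects three reasons at once (untrusted host, .exe CODEBASE, no InProcServer32), which matches the removal error JV later reports for it. The host check is only a first pass: a control served from a vendor's own domain still deserves the Version-tab check Pieter describes, and a bare IP in a CODEBASE is a reason to look, not proof of anything.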
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Snapdragin!
    You must be closer to the server :)
    BTW did you see my icon proposition for you in the "test images" thread?

    There was a german page with several explanations for the processes, but i think we have other tools for that, like PE and Faber Toys (www.faberbox.com --free!) and there will be others too.
     
  14. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Pieter, i am wondering if it may be more likely spyware that may be opening ports? this caught my attention in JV's list (maybe it's the name that just makes me suspicious of spyware)

    [{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
    CODEBASE = http://images.bonzi.com/freebuddy/wd/bbsetuppro.exe
     
  15. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Jooske...i may be closer to the server...i am in Southern Ontario....maybe it's the lake-effect!? LOL

    i am not sure if i saw your post in the Test Forum or not...but i will take another look. :)

    (sorry...didn't mean to hijack the thread)

    Oops..time for bed...making typos...sorry Jooske, i didn't mean to spell your name wrong.
     
  16. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    That's one of the reasons why I asked JV to remove those. And there's a few more I don't trust. Never thought of the ports though. :doubt:
    It might be a good idea to reboot after removing those and check the ports again to see if it made a difference.

    Regards,

    Pieter
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    <grin>
    bonzi?? the only way allowed on my system is his bonzi.acs file.
    Now it's most certainly worth to have PE up and look at the ports.
    Might like to save the main screen and post it here to see all open ports.

    For the startup at boot yes, Pieter you guys did a marvelous job with Blaze's system, i think he's still in AAAAAWWE as we hardly saw him here since
    http://www.wilderssecurity.com/showthread.php?t=5914
    Realising now the startupfile should give all those translations .. hmm.
     
  18. JV

    JV Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    9
    Location:
    Annapolis, MD USA
    The reason this all started was because I ran Trojan, Stealth and Virus scan from the Sygate website. According to Sygate I had no Trojans or Viruses and I was in Stealth mode. I do these runs every week like clockwork and I have never had a problem until now.

    When I ran Anti-Trojan on my computer my first three ports, 21, 23, 25, came up with Trojans along with BlackDeath on port 31337. I ran The Cleaner and ran Anti-Trojan again. This time everything was clear and I was only showing the open ports in the previous message. I then went back to Sygate and ran a Stealth scan again. This time Port 53 was showing as not blocked and could be accessed. Since I am getting conflicting results I cannot be sure.

    I had some shareware and Spyware on my computer and I didn't know it at the time.

    I have deleted:
    Internet Alert
    Alexa
    Excite
    Gain
    SaveNow
    BonziBuddy
    Gator
    GoToMyPC

    I was just told yesterday that the mailer I use is Spyware.
    I still have Aureate on my computer. I have not had time to download my mailing lists from it. Is it really Spyware?

    This is what the person gave me to prove it was really Spyware. I am a novice at all this so I don't know.

    The Aureate spy may place some or all of the following files on a Windows machine:

    adimage.dll
    advert.dll
    advpack.dll
    amcis.dll
    amcis2.dll
    amcompat.tlb
    amstream.dll
    anadsc.ocx
    anadscb.ocx
    htmdeng.exe
    ipcclient.dll
    msipcsv.exe
    tfde.dll

    I will tell you that I am teachable, I will listen and follow directions and I want to learn so I am not caught off guard ever again. Thank all of you for your help.
     
  19. JV

    JV Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    9
    Location:
    Annapolis, MD USA
    I hit post too quickly. I have just found out about these programs being Spyware and deleted them in the last week. That is probably why my system is giving mixed signals. And, I don't think I deleted Gator when I was cleaning out programs, it just disappeared. I have already changed all important passcodes on anything in Gator so there is no problem there.

    It is 4:30 AM here on the East coast and I really have to get some sleep. I will be back in a few hours and get started on your directives.
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Hi JV,

    Always before I install something, I check it against this list:
    http://www.tom-cat.com/cgi-bin/spybase/spybase.cgi?view_records=1&name=^A|^A&re=1&sb=4&so=ascend&nh=7
    (This links directly to the page you might be interested in. This is the main page of the Spywarelist: http://www.tom-cat.com/spybase/index.html )
    After installing I do some more tests, because new spyware keeps popping up all the time.
    Did you use an anti-spyware program to get rid of the ones you mentioned?

    Regards,

    Pieter
     
  21. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    I see your bonzi, weatherbug and americangreetings, contentwatch too.
    You have pestpatrol, which is capable of indicating a part of the spyware.
    After get SpybotS&D and after you might like to use Ad-aware. (both very fine known free tools for detecting and removing spyware)
    At least in the freetools section of www.wilders.org (click the logo on top of the forum, quicker way :) in euhhmmmm free tools or downloads (must dig for that again) are those tools for download.
    In the Internet Sweeper section get the IS - latest free version was 1.8.4 (careful to have it removing what you know it should, i don't have it removing read only nor the hidden files but you can get really clean with that)

    It's good to do some online scans regularly and get rid of what is not needed. There was listed a whole posting with test sites for different things, must find that back too.
     
  22. JV

    JV Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    9
    Location:
    Annapolis, MD USA
    This is a list of ActiveX components that are not the three mentioned in your message to remove. I recognize most of them and wanted to make sure before I deleted something I needed.

    ContentAuditX / iAccess.com,Inc
    GpcContainer Class / WebEx Communications, Inc
    Create And Print ActiveX Plug-in / AmericanGreetings.com
    CWDL_DownLoadControl Class / CallWave,Inc
    PWMediaSendControl Class / Internet Pictures Corp
    RdxIE Class / RealNetworks, Inc
    Symantec RuFSI Registry Information Class / Symantec Corp
    Yahoo Audio Conferencing / Yahoo, Inc
    Yahoo Chat / Unknown

    I did delete this one:
    [{BD11A280-2E73-11CF-B6CF-00AA00A74DAF}]
    CODEBASE = http://images.bonzi.com/freebuddy/wd/bbsetuppro.exe
    I got an error message that bonzibuddy did not have enough info to remove it and to go to control panel and delete it from program deletions. I did that, and bonzibuddy was not listed in the programs. When I click the error message the entry was gone from the ActiveX list.
       
       
     
  23. JV

    JV Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    9
    Location:
    Annapolis, MD USA
    I deleted the spyware programs from the control panel, I did not use a program to delete them. I deleted Pest Patrol. It should not be showing up.

    Should I get rid of WeatherBug and American Greetings? I don't have a problem with deleting anything that intrudes on my privacy.

    I am copying everything you are all sending and I will continue after I get a little rest. I am tired and I don't want to make any mistakes in following your directions. ;)   
       
     
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    JV,

    You can hold on to the Symantec entry and anything that you know you use regularly. There is no need for that however, since they will be reinstalled as soon as you need them.

    So, anything you don't recognize and trust (and does not belong to the ones I mentioned): dump them.

    If I may suggest you take a look here after doing so: http://www.wilderssecurity.com/spywareblaster.html

    Regards,

    Pieter
     
  25. JV

    JV Registered Member

    Joined:
    Jan 9, 2003
    Posts:
    9
    Location:
    Annapolis, MD USA
    OK, I deleted all but 4 from the ActiveX list.

    I downloaded the Spyware Blaster but I have not run it yet. I wanted to know if it will disable Aureate Bulk Mailer since I was told it was Spyware? I have to copy my mailing lists before I can delete it.
     