www.grc.com, leaktester is a trojan!!

Discussion in 'malware problems & news' started by Adam, Jul 13, 2004.

Thread Status:
Not open for further replies.
  1. Adam

    Adam Registered Member

    Jul 9, 2004
    hello all,
    VisualZone, which works well with zonealarm{which i have} leads us to www.grc.com to test our firewall.

    it so happens that the free stuff they offer contains a trojan.
    ther is a program called Leaktester, which is supposed to check out your firewall, but when it is installed, it turns out to be a trojan.its no.1 on the download list.

    symptoms are cpu usage shoots up dramatically, even when no program is running, i have 3 iexplore programs in taskmanager, all working at around 6000 K, and i havent opened any site!!!

    trojan hunter 3.8 detected 2 trojans.
    1. leaktester.102
    2. passdump.exe

    i managed to delete them, but the sympoms are still there .
    now, even after reboot, trojanhnter detects no other trojans, but my cpu usage still is high, and spiking erratically.

    zonealarm tells me that iexplorer and genericprocess32 both have changed since the last time thy ran!
    ihad to allowthem, because i need to post on this site!!

    please, help me out.
  2. ronjor

    ronjor Global Moderator

    Jul 21, 2003

    GRC leak test is not a trojan. It was added to certain vendors lists because it mimicked trojan behavior. You can ignore this alert.


    I am not familiar with passdump.
  3. ronjor

    ronjor Global Moderator

    Jul 21, 2003
    Tell your firewall to block those apps.
  4. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Feb 10, 2002
    Perth, Western Australia
    Passdump is one of our programs, it will be detected by TDS-3 as POSSIBLE trojan with password stealing capability. This is because it uses a function the same way many trojans do, to read cached passwords. The alarm should say POSSIBLE, if it doesn't then thats bad

    We also detect Leaktest at the request of users, however it is detected as Demo.Leaktest (not a trojan) so you know its NOT a trojan :)

    Sounds like you have nothing to worry about, hope you can relax now :)
  5. Adam

    Adam Registered Member

    Jul 9, 2004
    Hello guys,
    thanks for the reply.

    i didnt mean to sound crazy..i was totally flipping out though, because this is supposed to be a firewall tester, not a trojan in disguise.

    and i am not like blaming or accusing grc.com of anything...i trust their shieldsup! tester .

    i am just not sure that that download didnt contain a trojan, cause i think it did, because immediately after, my pc was showing the strange symptoms.

    even now, my taskmanager is showing fluctuations of my cpu usage, immediately when i do cnt+alt+del.........it shoots up to 100%...then falls down to 30% then it becomes 3% then goes up to 25%..........!

    now trojan hunter dosent detect anything now, but for ex. my zonealarm has just blocked......
    Packet sent from{tcp port 1727} to [my ip address]
    to port 1433 of my pc!

    if this isint a trojan, is this a worm?

    typically, why does cpu usage fluctuate in your opinion?
    i tried quickkill worm killer, it turned up nothing........{www.quickheal.com}

    my computer noise, the whirring has gone up quite a bit, meaning that the fan is turning faster to col the harddisk , which is running at an abnormal usage rate.

    i have the dcs apm, but i dont know what to delete or end?
    please help me.
  6. Adam

    Adam Registered Member

    Jul 9, 2004
    hello again,

    just additional info.

    why are there 4 svchost running in the task manager?
    iis in network service, local service, and the other 2 are classified as system, one is 1300K and the other is 6800K ?

    i know this isint the right place fora log, but just in case....here goes

    Logfile of HijackThis v1.98.0
    Scan saved at 1:36:46 PM, on 7/13/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\TVR\RecSche.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
    O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://www.computercops.net
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A04B6450-350D-41FF-850D-5F255B0A7E49}: NameServer =,

    also, when u say, passdump is one of our's , what do u mean?

    thanks in advance!!
  7. LowWaterMark

    LowWaterMark Administrator

    Aug 10, 2002
    New England
    Hi Adam,

    It looks like your looking at a lot of different things and are connecting them together in such a way that makes it seem like a big problem of some sort, though there's a really good chance that there isn't anything wrong. Perhaps, but not likely. So, let's take this apart some by looking at some of the pieces.

    First up, that Zone Alarm firewall log/alert... All that ZA is showing is that it block an incoming scan from some IP address out on the Internet to your PC. The key here is that ZA alerts you to the things it blocked, so those items are really just informational. They were blocked so they aren't an issue and scans from the Internet are not a sign that your system is infected. We all get scans - constantly.

    My copy of ZAP sitting here on my DSL connection 24 hours a day blocks approximately 150-200 odd packets/scans per hour. They are all similar in that they are "incoming" connection attempts from some Internet located IP address being blocked as they try to communicate to some port on my computer. While looking at the traffic pattern might be of some interest from a hobby perspective, blocked incoming scans are nothing to worry about. ZA is merely doing its job.

    The CPU spikes could be anything, including normal background processes on your PC. You want to see a big spike, do this. Minimize all programs to the taskbar. Open Task Manager (ctrl alt del) and then somewhere on a blank part of your desktop just right-click. Watch the CPU% of the task manager when you do that, on XP it should spike for a good 2 seconds to 100%. It's just a matter of what the OS has to do to call up the resulting menu from the right-click.

    Trying to use CPU spiking as a sign of a problem really means you need to look at just what tasks / processes are doing the spiking and then determine if they have valid reasons for doing it. There are endless possibilities there and most are not a sign of a problem.

    As for the 4 copies of svchost.exe - again totally normal. In fact, I know XP systems with 6 copies of that running. It all depends upon which services are enabled. svchost is Generic Host Process for Win32 Services. Basically that is a program that encapsulates many other functions, therefore it is a generic shell program that hosts many other programs or functions. While there are trojan variants on that name, often with slightly different lettering like scvhost.exe, or perhaps are named svchost.exe but are not in the proper directory (system32). Your's look normal.

    One last thing. If you do a reboot of your system, and once it comes up to the desktop, but before you open any programs at all... If you open Task Manager, are you seeing copies of iexplore.exe running then? Or was what you mentioned in your first post above only after having run the leak test demo? If IE is firing up all over the place without your input, yes that could be a problem, but if it was simply part of the leak test and its gone after rebooting, again while not a guarantee that all is perfect, it really lessens the odds again of a big problem.

    Basically, I'm saying its best not to assume problems all over because of things that might be total unrelated.
  8. Tassie_Devils

    Tassie_Devils Global Moderator

    May 8, 2002
    State Queensland, Australia
    HI Adam.

    Leaktest, as said before, is just a firewall testing utility.
    It won't run if you have TDS with Exec Protection installed running.

    In order to get Leaktest to run to test your FW, you will have to close TDS.
    Then run Leaktest, if you have a good Firewall it should alert that Leaktest wants to connect to GRC.com. DENY it, then Leaktest should show the results like my pic.

    Those 4 svchost running is NORMAL.. no probs.

    Passdump is from DCS and TDS alerts it is a POSSIBLE Password stealer, for testing TDS.

    Will post pic next post on what TDS says re Leaktest and if you rightclick on it and select 'Additional File Information', you get that window showing all the attributes like you will see in next post shot.

    Cheers, TAS

    Attached Files:

    • 078.GIF
      File size:
      28.8 KB
  9. Tassie_Devils

    Tassie_Devils Global Moderator

    May 8, 2002
    State Queensland, Australia
    Pic showing TDS in action and results of Information in right click on the Alert it gave with Leaktest.


    Attached Files:

    • 077.GIF
      File size:
      26.4 KB
  10. gkweb

    gkweb Expert Firewall Tester

    Aug 29, 2003
    FRANCE, Rouen (76)
  11. Rasheed187

    Rasheed187 Registered Member

    Jul 10, 2004
    The Netherlands
    Ok but since I tried these leaktests I will get a notification about afpansi.vxd during the booting process, that it could not be found and maybe an app needs it. I searched for it on Google and I found this: http://www.pestpatrol.com/pestinfo/i/informer.asp

    So is it a trojan or is it maybe related to the leaktests? So far ZA didn't notify me about suspicious apps, but it is strange. Can I delete the key or the whole folder that it is in? The key is in the following registry folder:

  12. Adam_21

    Adam_21 Guest

    Hi guys,
    Tassie Devils, thanks for clearing my doubts about leaktester being a real trojan. i think u explained it to me well, so then i guess i am back to square one!

    LowWaterMark, thanks for narrowing it down for me, i guess svcshost is not the problem, and i am a little calmer about the cpu spikes.........

    ther is just a couple of things that are worring me at the moment, and i think they require some close attention.
    now we know , whatever this is, it is persisting on my pc and is not detected by normal virus or trojan or worm scans.

    ok dont laugh, but i really think there is something going on, i am not just being paranoid! lol

    for example.......
    1. yes, LowWaterMark, right after i boot the machine, there are 2 iexplore process running, somethmes just one though...........and say i wait for 5-10 minutes, without doinganything....it steadily increases from 500K to 1200K to 3000K...right before my eyes.
    2. then, after reaching i think critical mass, i get an alert on my pc about iexplorer trying to access the internet! and i deny it.
    3. right after i deny it, the K's go down......it settles at around 4-700K..
    4. now earlier, before this thing hit me, whenever i booted the machine, it never happened that iexplorer was involuntarily trying to access the net.
    5. not only that, but i find that when i first try to a site, zonealarm tells me that iexplorer has changed since the last time it ran!
    6. similarly it tells me generichost32 has changed since the last time it ran!
    7. i have no other choice but to allow it access, but then i can connect to any site.
    8. and it is not like any of my ports are open, in fact, even now ALL my ports are in the stealth mode.
    9.then , the fluctuations are there as well{i tried what u said, they do indeed shoot up!}, but this is striking because till 2 days ago, nothing of this sort happened.

    10. like, even right now, i just had an alert telling "generichostprocess32 trying to access the internet" i denied it.
    in the visualzone, the intruded name is 'computer' and the DNS is also 'computer'.

    11. now, i have downloaded mozilla firefox, it is installed on my E drive, i jusst have to install it so that it becomes my browser...but i have to take care of thismess first..who knows, maybe this thing will attack mozilla also.so i need to figure out what this is!

    please, any suggestions??
  13. Adam

    Adam Registered Member

    Jul 9, 2004
    Hi guys,
    just check this out.

    FILE: c:\documents and settings\admin\my documents\trojanscan3.9report.rtf
    SIZE: 896 bytes
    ---------------------FILE BEGINS <Extracted Strings>---------------------
    1: {\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Arial;}}
    81: {\colortbl ;\red255\green0\blue0;\red0\green0\blue255;\red8\green0\blue0;}
    157: \viewkind4\uc1\pard\b\fs20 Registry scan
    199: \par \pard\li200\b0 No suspicious entries found
    248: \par \pard\b Inifile scan
    275: \par \pard\li200\b0 No suspicious entries found
    324: \par \pard\b Port scan
    349: \par \pard\li200\tx6000\cf1\b0 Port 2003/TCP is open (Matches TransmissionScout.100. Port being used by process IEXPLORE.EXE/PID 250:cool:\cf0 \tab (\cf2\ul Tell me more about port alerts...\cf3\ulnone )\cf1
    556: \par Port 2003/TCP is open (Matches TransmissionScout.110. Port being used by process IEXPLORE.EXE/PID 250:cool:\cf0 \tab (\cf2\ul Tell me more about port alerts...\cf3\ulnone )\cf1
    736: \par \pard\cf0\b Memory scan
    766: \par \pard\li200\b0 No trojans found in memory
    814: \par \pard\b File scan
    838: \par \pard\li200\b0 No trojan files found
    888: \par }

    the lines 349 and 556 are peculiar.

    ok, now this is a scan done by trojan hunter 3.9 .............
    the reason it is looking like this, is because my Wormguard program thought it would be cool to 'safely view this file" which i had saved in 'my documents' to post here.

    anyway, i think after i downloaded the 3.9 version, and ran the scan it found those 2 ports open.

    but then i went to ZAP/Privacy/Cookiecontrol/custom/Mobilecode and rechecked the option'block mime type integrated objects'
    and did the scan again, no open ports ............whew!
  14. Adam_21

    Adam_21 Guest

    Hi guys,
    you can say i was a little paranoid back there.........lol
    {hope i didnt offend anyone}

    its just that i am a novice pc user, i got my pc 2 months ago, and on the 4th day itself i had hundreds of spyware, adware, cookies, browser hijackers...and to top it all off, 2 deadly trojans >.bds_dumator, trojdumarin, mitglieder.100 or whatever...{to name a few!}
    if this wasnt enough, also had a nasty trojan program that forced me to reformat my machine!!

    turns out, it was a new trojan, it dropped 2 .dll files, and 2.exe files, and modified 30 registry entries!
    it was embedded in my system32 folder.....

    anyway, so now i have my registered version of ZAP 5.0, i do a live update of Norton everyday..and have webroot spysweeper 3.0 , which i think is a fantastic spyware detector......and things are looking much safer these days.

    mysteriously, my cpu spikes have reduced, they are no longer that extreme, and sometimes just shoot up to 45% to 50%..... so now i think everything is fine{keeping my fingers crossed though!}
Thread Status:
Not open for further replies.