Ants

Discussion in 'malware problems & news' started by ljc1174, Aug 29, 2002.

Thread Status:
Not open for further replies.
  1. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Ok, I clicked all the checks for the sockets...

    TCP 5000 in use - this is prolly cuz of a uni plug & play.

    all but one of those lights are green, one is red.

    how can i test all my ports with TDS?
    or better yet, direct me again with a link if it's been posted already! lol

    I hope this scan isn't a bad one...

    :rolleyes:
    ~Lori
     
  2. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    I think I fuggered something out!
    I'll post again if I learn anything new! LOL
     
  3. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    I did another scan, then my pc froze up and now I'm back... anyway...

    The other scan showed TCP 5000 as connected. If there is a uni plug & play connected to it, how do i find out which one and what can i do to close this port? Is it a problem that a plug & play is using this port?

    ~Lori
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Does TDS still complain about updating, while you have those 16742 references?
    That is not good!
    Are you running WinME by chance?
    I'm sure in that case you want to disable System Restore then, to make sure the possibly deleted infections are not put back with the restore.
    You can put that back once the whole system is really clean and all set the way you really like it.

    Thinking about that global plug and play thing.
    Somebody correct me or fill in the gaps, as there was some reason to disable that thing.
    So with a red socket you know there is another thing illegally listening on that port which is not TDS.
    Indeed, either that global P&P thing (I thought there was once an MS security update for that part -- did you go for the Windows updates?) or an infection (which I think not, for TDS would have found that).

    Port 5000 is used a lot by ICQ among others.
     
  5. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Hi Jooske and Lori! Here is a link to Steve Gibson's website so you can get his little app called "Unplug and Pray." It plugs the Universal Raw Plug and Play Sockets.

    http://grc.com/unpnp/unpnp.htm

    I hope it helps you out!
     
  6. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Well, I'm assuming that the other port that was open was only due to running TDS. It was port 12345 or at least that is what's showing now. I'm going to try that unplug and pray link from Prince in a little bit.

    But now I'm a little more awake and aware of how to use TDS, I found out how to see what ports are being listened to.

    Now that I looked again, I see that port 12345 is an actual spot for a trojan. And it's still listed as listening. Is it normal to have a lot listed as listening? This doesn't mean that something is actually on my system right?

    And yes, I still have the update warning with the correct amount of references. Could it be saying this because I haven't purchased TDS yet? I want to use the trial and get used to it b4 I buy it... (I think that's a female thing) LOL Yes, I'm running ME. I haven't used a system restore, or Windows Update. I haven't actually pinpointed whether or not I have any type of infection on my pc.

    ~Lori
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Lori,

    as for updating as an unregistered user:

    "Unregistered users - Latest Radius Database - updated daily. Download this file to the TDS folder overwriting the older file. Close and restart TDS for changes to take effect."

    http://tds.diamondcs.com.au/radius.td3

    (that's a direct download link!)

    As for the open (NetBus Trojan) port: you didn't enable sockets, did you? If so, disable them.

    In general: NetBus is an oldie from the dark ages. Even without updating, TDS would have detected the server on the spot.

    Could be, some other app is running and using this port, not necessarily a "bad" app. Please check.

    regards.

    paul
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi Lori,
    I'm female as well; I once found TDS, and within a few hours had bought it; not long after (I think within minutes) I got my licence key.
    Since then I have collected a remarkable folder of support emails from which I dig answers, besides the forums and the help file of course. I admit I had a lot to learn (and am still learning every day, while educating others in their steps).

    I am surprised that the listening port has changed now to 12345, which was standard NetBus and several others use it; I hope you get rid of it if the P&P thing is the cause.
    If you look in TDS console > System Analysis > Processes List, is there anything which is not normal for you and would not belong to your normal autostart (also a place to look, btw, if there are unknown applications started)?
    In the same area, do you see strange netstat connections?
    When you are not online and you start TDS, do you see any sockets on red then, or does it happen when you go online?
    It's most certainly not the wanted situation; they should all turn green at initializing, unless you configured any application to listen (permanently?) on a certain port, maybe live updates, such things.
    With the firewall you can protect such ports further.

    First you have to get your system all ok, nothing strange listening on your ports, the P&P thing off, and you can say you did not use the system restore, but are you sure it is turned off at the moment, as long as there might be nasties?
    To do so for Windows Me:
    1. Close all open programs.
    2. Right-click My Computer on the Windows desktop, and then click Properties.
    3. Click the Performance tab.
    4. Click File System.
    5. Click the Troubleshooting tab.
    6. Check Disable System Restore, click OK, and then click Close.
    7. Click Yes to restart. This disables the System Restore feature and will purge the contents of the _RESTORE folder when the system is restarted.
    8. Verify that you have current virus definitions, then perform another scan.
    9. After cleaning any infected files, repeat steps 1 through 7, except in step 6, uncheck Disable System Restore.

    Do that point 9 when all is really, really as you want your system and all is well and stable and no illegal listening ports etc.

    The TDS update is really strange; first time I hear it is not ok. You did get it from tds.diamondcs.com.au/radius.td3, didn't you? Just download the file and put it in the TDS-3 directory, overwriting the older file, and afterwards reload or start TDS.
    Where and how do you get that update warning? Is it a popup or a text written in the console?


    I hope you know the way to the security updates at the Windows site?
    In your IE browser > Tools > Windows Update should bring you to the right pages for your system; allow it to check what you need...... and at least take the necessary/important security updates.

    If TDS with all the updates and all the scan options checked and on highest sensitivity did not find anything, I guess it has to do with the P&P or another application. You had it run and finish on all your system, every drive and file on it?
    The online scan found something which you maybe deleted? And if you rebooted with the system restore still enabled, you had it nicely back? In that case that could be it; if all that was not the matter, I choose for the application option. For sure Socket23/Socket de Troie is found, so is NetBus and the whole lot if it was there.

    Hope to read next good news from you.
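    Jooske's suggestion above, to look at the TDS process list and the netstat connections and expect every socket to be green unless you deliberately configured something to listen, amounts to a listening-socket triage. As an added example, not part of this thread and not code from TDS or any other tool named here, the Python below parses the text that Windows' `netstat -an` prints (Windows ME included) and rates each listening socket against the ports the thread discusses: TCP 5000 (the UPnP SSDP Discovery Service on Windows ME/XP, also used by ICQ), UDP 1900 (the UPnP multicast listener) and TCP 12345 (NetBus's default). The port table, the severities and the sample netstat output are constructed for the example. A port number alone never proves an infection, since legitimate software can sit on 12345 too, so treat a hit as a pointer to the owning process (the TDS process list here; `netstat -ano` on Windows XP and later).

```python
"""Rate LISTENING sockets from Windows 'netstat -an' output against a port table.

Added example, not part of the thread or of TDS. The port table and the sample
output below are constructed; real input is the text 'netstat -an' prints.
"""
import re
from dataclasses import dataclass

# Ports discussed in the thread (constructed table, deliberately small).
KNOWN_PORTS = {
    ("TCP", 5000): "UPnP SSDP Discovery Service on Windows ME/XP (also ICQ)",
    ("UDP", 1900): "UPnP SSDP multicast listener",
    ("TCP", 12345): "NetBus default port (legitimate apps use it too)",
    ("TCP", 139): "NetBIOS session service (file and printer sharing)",
}

SEVERITY_RANK = {"high": 0, "medium": 1, "review": 2, "low": 3, "local": 4}

# '  TCP    0.0.0.0:12345   0.0.0.0:0   LISTENING'   or   '  UDP    0.0.0.0:1900   *:*'
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    local: str
    label: str
    severity: str


def parse_netstat(text):
    """Return (proto, local_addr, port, state) per socket line; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, _foreign, state = m.groups()
            sockets.append((proto, addr, int(port), state or ""))
    return sockets


def listening_sockets(sockets):
    """TCP sockets in LISTENING plus every bound UDP socket (UDP shows no state)."""
    return [s for s in sockets
            if s[0] == "UDP" or (s[0] == "TCP" and s[3] == "LISTENING")]


def triage(netstat_text):
    """Rate each listening socket; 'exposed' means bound on all interfaces."""
    findings = []
    for proto, addr, port, _state in listening_sockets(parse_netstat(netstat_text)):
        exposed = addr in ("0.0.0.0", "::", "[::]")
        label = KNOWN_PORTS.get((proto, port))
        if label is None:
            label = "unknown service: identify the owning process"
            severity = "review" if exposed else "local"
        elif "NetBus" in label:
            severity = "high"          # classic backdoor port: confirm or rule out first
        else:
            severity = "medium" if exposed else "low"
        findings.append(Finding(proto, port, addr, label, severity))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.port))


# Constructed sample in the layout Windows 'netstat -an' prints.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1042       64.4.12.200:80         ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT):
        print(f"{f.severity:6} {f.proto} {f.local}:{f.port:<5} {f.label}")
```

    Run it with real output by piping `netstat -an` into a file and passing the file's text to `triage`. The established connection is ignored on purpose: the question in this thread is what is accepting connections, not what the machine is talking to.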
     
  9. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    I'm running a full system scan...
    I clicked the link you gave me Paul, references are now at 16768, but it still says Warning: Radius. TDS needs updated.

    Sockets are closed, I d/l the UPnP that Prince suggested and thank you VERY much for that Prince, I'm shocked that the FBI was involved... I always thought that when it came to the internet we were on our own, is the internet being "governed" now?

    I looked at the ports b4 I scanned and nothing was open, but I did this check after I closed the sockets.

    I'm almost positive that TDS will find nothing. I finally have my icons back to normal and I changed my IE homepage to about:blank, it was set to yahoo.com but was loading as downloadalot.com.

    If anything appears on TDS I will post and beg for help if needed!

    Thanx guys!!

    ~Lori
     
  10. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    I scanned with my A/V and TDS with the system restore disabled and I was offline and no other programs were running. Nothing was found.

    Yesterday Prince advised me to set my homepage to blank because of the issues I'm having with a different website coming up as my homepage. Well, just as I was going to post about TDS, IE crashed, it restarted, and came up as www.downloadalot.com, then my explorer crashed and I had to beat my pc with a hammer! (i wish) anyway... I'm all rebooted now. If there are no trojans or viruses on my pc, then why am I still having this issue and how is this web site overriding the desired homepage setting?

    I thought the about:blank had really fixed this annoyance, but it hasn't. And it really has me concerned that there is something hiding on my pc that isn't being detected by the many, many, many scans I do.

    Someone please HELP!!!

    ~Lori
     
  11. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Lori,

    Glad to hear your system is clean - at least from trojans/backdoors etc.

    As for your problem: seems you got spyware / a home page hijacker installed on your system (surfing with ActiveX enabled?). Grab a copy of Spybot Search & Destroy, update and perform a full system scan. Please post results.

    regards.

    paul
     
  12. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :) Hi Lori! Ignore my IM suggestions for now and get SpybotS&D again. This time when you install it, it will ask what folder to put it into with a default (usually something like C:\Program Files\Spybot). Use that. Don't install it to your desktop. Follow Paul's and Jooske's advice. Take your time. There's no rush. Keep your fingers crossed. We will see you through this whole mess.

    About Downloadalot. Got this at Verisign:

    Registrant:
    Downloadalot.com (DOWNLOADALOT3-DOM)
    Villa Maria Spanish Point
    County Clare, IE
    IE

    Domain Name: DOWNLOADALOT.COM

    Administrative Contact, Technical Contact:
    Services, Support (CAXVHTEWVI)      download@DOWNLOADALOT.COM
    Downloadalot.com
    Villa Maria Spanish Point
    County Clare, IE
    IE
    +351-999-999

    Record expires on 15-Feb-2011.
    Record created on 15-Feb-2000.
    Database last updated on 30-Aug-2002 14:13:42 EDT.

    Domain servers in listed order:

    DNS01.EXODUS.NET 209.1.222.244
    DNS02.EXODUS.NET 209.1.222.245
    DNS03.EXODUS.NET 209.1.222.246
    DNS04.EXODUS.NET 209.1.222.247

    Do they have a Better Business Bureau in Ireland? Something remotely like it?
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    For rebooting normally a button or mouse click is sufficient; no need to rebuild the system physically, although a new form might be candy for the eye. So don't take that reBOOT too literally.


    Had not seen the thread about that start page story.
    Sounds like spyware, but it surprises me, as that site has been on the web some 6 years already. They seem to offer nice downloads.
    When you change such start page settings, it seems, if I read you right, that also for that the system restore seems to be rather annoying and putting it back after reboot.
    First of all I'm really happy your system is clean from any trojans and the kind; I hope you get even more clean from spyware with the other one, SpybotSD.
    Before or after the Windows update and IE security patches and all that: which IE version are you using? 5.5 or 6.0?

    Sounds like a repair install would do wonders; happens with my system too at times. I'm only warning: if you do such an action like going for a repair install of IE and/or Windows, or installing any other program, please make sure you have no antivirus scanners active, not in the background, nothing like that. Till now I have been lucky with TDS running during such actions, although with the IE repair install I close all that is possible.
    You know where to find that?
    There are several ways; one is for instance
    Control Panel > Software > dig for Microsoft Internet Explorer 5 (6?) and click it > click ONE time the Add/Remove > then a small popup appears with the middle choice for repair install > OK; afterwards you need to reboot.
    As IE and OE are rather integrated with Windows Explorer, this action often helps a lot for that too.
    And look at the Windows Update site like said before.
    My IE 6 is much nicer since the last cumulative security update, as it was sometimes a real disaster in my opinion.

    Looking forward to your next part.
     
  14. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Ok, after my first problem with Spybot, it was installed and ran correctly yesterday. I have the congrats that no spybots were found on my pc. This scan was done just now, after the downloadalot.com loaded again. Spybot is not finding anything.

    I am running IE6, all is up to date on my pc, all security patches and fixes were completed early this morning, then the downloadalot came up, and this was after the UPnP was installed as well.

    Prince your suggestion was fine... I'm leaving the setting at blank...

    If Spybot was d/l yesterday, would an update be necessary to find this one? My very first install of Spybot, which was over a week ago, found the original downloadalot problem labeled as searchalot; downloadalot is a part of them and SpybotS&D deleted the file, so wouldn't the "catch" for searchalot/d'lalot already be in their search if it found it once?

    The only way I know to repair IE would be to take out my system restoration cd's and install the original version which is 5.0 I believe, it could be the 5.5v.

    The one main reason why I didn't want to update to IE6 is because it loads very slowly on my pc, but I updated it anyway to see if it would fix this issue in any way, but it seems downloadalot.com has become a permanent fixture to my IE no matter what version I am running and regardless of the security fixes and adjustments and scans with Ad-Aware and SpybotS&D.

    p.s. Jooske, I was meaning me the procrastinating female, it's a bad habit of mine... :D

    Sorry if it seems as if I'm rambling, I am, my head thinks faster than my hands type...

    ~Lori
     
  15. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    :'(

    Spybot won't open now... I tried 3x's... I have 3 lil windows on my explorer bar and when I right click I only have the option to close or minimize... I have extra folders on my desktop, one was for plugins- i extracted all files... now i'm lost, this is the problem i had yesterday, the reason i uninstalled and reinstalled.

    What do I do?
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The IE repair I wrote above is one of the ways; another is on the Windows download site: go to the IE update choice and tell the thing you want to reinstall it; then it looks first at the necessary files you already have and what might be missing, downloads those extra parts, and so you are re-installed/repaired.
    If Spybot removed those files, that was with the restore on, so it could have come back eventually?
    Are you good with registry editing, or have somebody around who is good at that? As I would not like you to damage the system after all you have done already to get it in this condition till now.
    I mean, you could hunt for a key in the registry somewhere in the software for that download thing, but you must be really, really sure you can do it; if not, leave that part.
    You might like to try another time with "find" to hunt for all that download stuff. I searched that site a bit and I did not see it as a browser enhancement nor something to remove that, but I was there a very short time.
    So if a blank start page is the solution for the time being....
    After a repair update IE most of the time asks as well what start page you want, and possible settings, so that might be helpful?
     
  17. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Talk about frustrating. You could try a little experiment? But, first I have a wee little question. What do you use as a download app?

    My experiment would be to d/l Mozilla and remove IE from your MSCONFIG (if it's there). Try using Mozilla as your new browser. See if the downloadalot shows up with that or not? Don't delete the IE, just don't use it. I'll get the link and return to modify this post. :)

    Here's the link: http://www.mozilla.org/releases/

    Make sure to download version 1.1, and NOT version 1.1Beta!

    This is just an alternative you might try.

    I wouldn't try fiddling with your Registry if I were you. Very touchy stuff is that!

    The last alternative is to take your tower into the computer repair shop and have them look at it. Do you have any kind of warranty? If you don't, then get an estimate.
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The SpyBotSD problem is not clear to me: it worked for one scan and afterwards stopped working, if I interpret your two postings with some 15 minutes between them?
    I don't run the program myself, so I hope others who do can tell something better about that.
    I don't understand about several icons and folders on your desktop, for instance: I would expect just one icon to start the program and all the rest is somewhere inside, or do you mean this is what comes on your screen when you ran the program? Rather confusing, sorry, for someone not running the stuff.
    I used Ad-Aware. About both there are discussions on this board, so there will be people able to help you with them.

    I just don't understand, if something would not be a spy, and you choose in the browser page X or blank or the MSN as your start page, press Apply and OK, that it came back to the other, unless you have system restore on and after a set back. Keep that system restore off for a while completely.
    And look for all the downloadalot stuff, find and delete it.
     
  19. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Hi Jooske,

    Well, I wasn't sure what to do again about spybot, so I again uninstalled and reinstalled. The more I do this the more familiar I get with it, the sad part is it's probably a very user friendly program and I just don't realize it! And yes, it was installed into my program files only.

    Hopefully all is well now... I haven't tried a scan since the last install of it. And on that last scan nothing was found.

    I don't understand either why my IE wants to come up as a page even after it's set to blank.

    My very first install of spybot found the main issue re: downloadalot, it was listed as searchalot.com and in the text of that was downloadalot.
    Spybot deleted it, and it returns, I've searched my pc for both of those names and nothing is coming up. I've been looking online to see if maybe there is another name it could be listed as but I cannot find anything.

    I am definitely not knowledgeable in the reg. key writing thing so that is not an option for me. I'm sure I would totally kill my pc if I attempted something like that.

    I use Ad-Aware too, and it finds nothing as well.

    I think the only thing left for me to do at this point is wait and see if it pops back up again... at that point, I'm going to scan my pc with everything I have on here.

    Are there any other spyware programs on Wilder's free tools that I can use besides spybot and adaware?
    I could look, but that doesn't mean I actually know what I'm reading and after my last install of a program (ants) I was advised to get rid of it... I just don't want to d/l something that won't function properly or effectively. Besides the fact that I only have a 7gig hard drive! LOL

    Thanks for the help Jooske... and others!

    ~Lori
     
  20. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    hi Lori - i am sorry you are still having such a time with IE and that downloadalot thing.

    This question is off topic for this thread I believe, and I can't remember all that you have tried, but I was wondering if there isn't a command somewhere in your registry that keeps this thing popping back up.

    MyNethingyMan had posted a link in another thread to a program that would list all files/dll's associated with an application; it's called What'sHappening? Maybe something like that might reveal an unusual dll file under the IE application? It's just a thought, but it's a nice program to have. I just d/l'ed it on my son's WinME and it works great. You might want to give it a try?

    http://www.turboware.com/WhatsHappening.htm

    The only other things I can think of (if you haven't tried them already, that is)...is a start-page-guard of some kind, and maybe ie-spyad...or you could try putting the downloadalot url in the restricted zone of IE and see if that might help block it (won't remove the reason for it, but it might stop it from doing anything it shouldn't if it's in the Restricted Zone of IE until you can find what's causing it?).

    The other program you might consider would be a StartUp Monitor, or StartUp Control Panel so you could have a li'l more control over what starts at boot-up.

    hope something there helps...don't give up...sooner or later you'll find it. :)

    snap
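    snap's thought above, that something in the registry keeps putting the page back, is the usual explanation for a start page that will not stay set: IE reads it from the Start Page value under HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, and anything that rewrites that value at every boot has to be started from somewhere, most often one of the CurrentVersion\Run keys (on Windows 9x/ME also RunServices, and the run= and load= lines of win.ini, which the script below does not read). As an added example, not part of this thread and not from any of the tools named in it, the Python below reads the text regedit produces when you export those keys and flags two things: IE URL values pointing anywhere other than about:blank or an allowlisted host, and Run entries whose program lives in a temp directory or outside the Windows and Program Files directories. The key and value names are the real IE/Windows locations; the sample export, the entry names in it and both allowlists are constructed for the example.

```python
"""Audit a regedit export (.reg text) for an IE start page hijack and odd autostart entries.

Added example, not from the thread. Key and value names are the real IE/Windows
locations; the allowlists and the sample export below are constructed.
"""
import re
from urllib.parse import urlparse

IE_MAIN_SUFFIX = r"\software\microsoft\internet explorer\main"
IE_URL_VALUES = {"start page", "search page", "default_page_url", "default_search_url"}
AUTOSTART_SUFFIXES = (r"\currentversion\run", r"\currentversion\runonce",
                      r"\currentversion\runservices")
ALLOWED_HOME_HOSTS = {"www.msn.com", "www.yahoo.com"}            # constructed allowlist
ALLOWED_PROGRAM_DIRS = ("c:\\windows\\", "c:\\program files\\")  # constructed allowlist

# '"name"=value' or '@=value'; the name may contain escaped quotes.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _decode(raw):
    """REG_SZ is exported quoted with \\ and \" escapes; dword as 8 hex digits."""
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    return raw  # hex(...) binary values are left as text


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from regedit export text (REGEDIT4 or 5.00)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            keys[current][name] = _decode(m.group(2))
    return keys


def audit_ie_start_page(keys, allowed_hosts=ALLOWED_HOME_HOSTS):
    """IE URL values that point anywhere except about:blank or an allowed host."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith(IE_MAIN_SUFFIX):
            continue
        for name, value in values.items():
            if name.lower() not in IE_URL_VALUES or not isinstance(value, str):
                continue
            if value.strip().lower() == "about:blank":
                continue
            host = (urlparse(value).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(f"{path}\\{name} = {value}")
    return findings


def _exe_path(command):
    """First token of a Run command, honouring a quoted path that contains spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def audit_autostart(keys, allowed_dirs=ALLOWED_PROGRAM_DIRS):
    """Run/RunOnce/RunServices entries started from temp or from unexpected places."""
    findings = []
    for path, values in keys.items():
        if not path.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        for name, command in values.items():
            if not isinstance(command, str):
                continue
            exe = _exe_path(command).lower()
            if "\\temp\\" in exe or "\\tmp\\" in exe:
                reason = "starts from a temp directory"
            elif not exe.startswith(allowed_dirs):
                reason = "starts from outside Windows/Program Files"
            else:
                continue
            findings.append(f"{path}\\{name} = {command} ({reason})")
    return findings


# Constructed export; the Run entry names are hypothetical, not taken from the thread.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.downloadalot.com/"
"Search Page"="http://www.msn.com/"
"ExampleFlag"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"AntiVirus"="\"C:\\Program Files\\Vendor\\av.exe\" /quiet"
"SysUpd"="C:\\WINDOWS\\TEMP\\sysupd.exe"
"""

if __name__ == "__main__":
    exported = parse_reg_export(SAMPLE_REG_EXPORT)
    for line in audit_ie_start_page(exported) + audit_autostart(exported):
        print(line)
```

    To use it on a real machine, export the two keys with regedit's export function and feed the resulting file's text to parse_reg_export. An entry that is flagged is something to identify, not something to delete on sight: the point of reading an export rather than editing live is exactly the caution Jooske and Prince give about touching the registry.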
     
  21. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Thanx for the confidence! I need it!
    I d/l your suggestion, how do I know what'll be the bad stuff? There are a lot of instances that have IE on it...

    Would anything look like this... DNS01.EXODUS.NET 209.1.222.244
    DNS02.EXODUS.NET 209.1.222.245
    DNS03.EXODUS.NET 209.1.222.246
    DNS04.EXODUS.NET 209.1.222.247
    I think it was Prince who found those...

    I can click on the extensions and know what most of them are, but as far as bad stuff, would/could it possibly be hidden, meaning would my untrained eye know it? LOL

    i.e. KEYLIMIT.DLL(C:\Windows\System)
    is this a bad thing?

    Oh, now I have a question that is definitely off topic...

    On occasion, RUNDLL32.EXE crashes, I see it says for description that this means, run a dll as an app.
    Would this mean that I opened (though I know I never) a DLL file/folder and ran it as an application?

    I need to get myself in bed though... I'll check back tomorrow (later today). And I want to play with this some more!!! I like this thingy!

    Thnx Snap!
     
  22. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    you are welcome Lori!

    and i'll be learning along with you since i'm putting it on my Win98 tomorrow - LOL!

    good night :)

    snap
     
  23. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Just one more thing b4 I'm off to lalaland...

    I did add downloadalot and searchalot to my restricted zone and when I was browsing through the what's hap.? I noticed it said ActiveX was running... So I checked all those spots and ALL are marked disabled if it even remotely appeared to be an ActiveX thingy...

    If all are disabled, why is it appearing to be running?
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are they disabled in all your zones? Did they not hide themselves in your trusted zone?
    There I allow them or put them on "prompt"; also in the internet zone, all on "prompt".

    For the running processes you can look in your TDS as well, which you have.
    I'm very happy with Faber Toys (www.faberbox.com) (free) to see what is all running and which dll's and others are called (you can do that with the TDS processes too; if you click on a process you see all behind it).

    Did you just delete the "searchalot" or was there a way to uninstall it? As that was a program on their site, if I remember well! Kind of search engine, so it was promoted.
    So in the worst case you could get that thing back to be able to uninstall it.
    Remember the "gohip" joke virus? Same kind of problem; really, really had to uninstall and delete some registry keys to get really rid of that browser enhancement.

    The registry is indeed a thing not to touch if you don't know. You could email the guys and ask how to disable or uninstall the thing. They should be able to tell you.
     
  25. ljc1174

    ljc1174 Registered Member

    Joined:
    Aug 15, 2002
    Posts:
    276
    Location:
    Cleveland, Ohio USA
    Jooske, you are [glow=red,2,300]TEXT[/glow]
    I would have never thought to look into that part!

    There was no uninstall option for searchalot. And I've also kept system restore turned off and all ActiveX controls are disabled.

    I looked on the content tab, content advisor then "allowed" sites and found one that I'm sure of. view.adtmt.com and this one arc5.msn.com (nothing comes up on a web search for this)

    Upon searching I found this page http://www.geocities.com/Tokyo/6774/bestsurf.htm, with this listed 216.238.35.206 view.atdmt.com, I think this is an ad/spam thingy from what I've read.

    so I did a search with the word hosts on my pc and found
    HOSTS.SAM
    LMHOSTS.SAM
    hosts
    all located in my window's folder

    Now what do I do with these things? Is this d/lalot part of the adtmt.com thingy? downloadalot and searchalot are in my restricted not allowed zone but again it came up this evening (my reason for posting and searching now).

    I have a date tonight so no need to get back with me anytime soon.

    I'm not going to delete anything until I know for sure what I'm doing and with guidence from you or whomever.
    Should I just try the d/l from that web site of AdSubtract and see what happens? Has anyone ever heard of this program?

    Take Care,
    Lori

    p.s. I'll check out the d/l for Faber once this part is resolved.
    :)
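    The three files Lori found are two Microsoft templates (HOSTS.SAM, LMHOSTS.SAM) and the live hosts file, which Windows consults before asking DNS. Every line is just an address followed by one or more names: mapping an ad host such as view.atdmt.com to 127.0.0.1 is the common blocking use, and the thing to look for is the opposite, a trusted name mapped to a public address, which sends the browser somewhere else without the start page setting ever changing (so a hosts audit will not explain a rewritten start page, only a wrong destination for a right name). As an added example, not part of this thread, the Python below parses a hosts file and classifies each mapping; the file contents are constructed, and 203.0.113.10 is a documentation address standing in for an attacker's.

```python
"""Classify every mapping in a Windows hosts file: localhost, block, lan or redirect.

Added example, not from the thread. The hosts text below is constructed; on
Windows ME the live file is C:\\WINDOWS\\hosts (HOSTS.SAM is only a template).
"""
import ipaddress

# RFC 1918 and link-local ranges: a name pointed here is a LAN entry, not a hijack.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_hosts(text):
    """Return (line_no, ip, hostname) for each name on each valid line; comments are dropped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not 'address name ...'; nothing is mapped by this line
        for name in fields[1:]:
            entries.append((line_no, ip, name.lower()))
    return entries


def classify(ip, name):
    """localhost: the machine itself; block: a name sinkholed to loopback/0.0.0.0;
    lan: a private address; redirect: a public address chosen by the file, not by DNS."""
    if ip.is_loopback or ip.is_unspecified:
        return "localhost" if name in ("localhost", "localhost.localdomain") else "block"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "redirect"


def audit_hosts(text):
    return [(line_no, str(ip), name, classify(ip, name))
            for line_no, ip, name in parse_hosts(text)]


def redirects(text):
    """Only the entries worth a second look: names steered to public addresses."""
    return [e for e in audit_hosts(text) if e[3] == "redirect"]


# Constructed sample; 203.0.113.10 is a documentation address, not a real server.
SAMPLE_HOSTS = """\
# constructed sample of a hosts file
127.0.0.1       localhost
127.0.0.1       view.atdmt.com            # ad server sinkholed on purpose
0.0.0.0         ads.example.net
192.168.1.10    printer                   # LAN name, fine
203.0.113.10    www.yahoo.com             # a trusted name steered to a public address
"""

if __name__ == "__main__":
    for line_no, ip, name, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:9} {ip:15} {name}")
```

    Feed it the live hosts file's text rather than the .SAM templates; a "redirect" line for a name you did not put there is worth removing, while "block" lines are what ad-blocking hosts lists add on purpose.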
     