Backdoor Beasty

Discussion in 'other anti-trojan software' started by pegasus4711, Nov 17, 2003.

Thread Status:
Not open for further replies.
  1. Sorry to say, I'm not up to speed on that particular tool - hopefully Wayne or Gavin will spot this (they're the TDS folks) and can guide you to the correct answer. Didn't want to seem rude by stopping by and not responding but I don't quite know the answer to that one.

    I'm going to GUESS that you're running Win98 or ME from the folder locations you described earlier - there's ANOTHER alternative that might work that won't risk the registry (though knowing TDS's skill in coding, I doubt any harm can come, just don't know for sure) ...

    You CAN go to the RUN item on your start menu and see if typing in MSCONFIG will work. This will present you with a list of startups, AND the option to UNCHECK the offending startup. Nothing gets deleted, and the startup won't run until you can get to the bottom of what's going on there.

    Might be helpful until one of the TDS folks stop by and have a proper answer for you ...
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    In ASViewer you can right-click the entry and then you have several options like deleting the file from the registry or from disk

    If you only remove the entry from the registry, you always can put it back.
    Dolf
     
  3. FanJ

    FanJ Guest

    Only a little snip:

    Once more: thanks, Kevin !
    Thanks for putting up those words.
    I wish my English-language skills were better :rolleyes:; in that case I would have been able to express my feelings better.

    I DO know Unca Kevin and Unca Wayne go well together :D
    I DO know their programs work perfectly well together.
    I DO wish more developers would go that friendly together as you two show.
    You BOTH ARE my most loved companies :)

    Best regards, Jan.
     
  4. pegasus4711

    pegasus4711 Registered Member

    Joined:
    Nov 17, 2003
    Posts:
    6
    Thanks Kevin.

    Went to Run on startup menu, typed MSCONFIG and was presented with the list of startups as you forecast.

    I unchecked the offender and the problem has gone away - if you take my meaning.

    It is still on the system and I am still seeking the definitive answer on:
     
  5. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Post your results from the tool please ! :) Then everyone will see and we can all help ;)

    - Press F2, F3, F4 or tick the top 3 options to show more autostarts
     
  6. pegasus4711

    pegasus4711 Registered Member

    Joined:
    Nov 17, 2003
    Posts:
    6
    Thank you, Kevin, for the info on MSCONFIG.

    I have now disabled the offender and no more irritating dialler pop-ups.

    However, it is still on the system and I still seek the definitive answer to removal and registry cleanse.

    I have been told to start in safe mode and let NAV take care of it.

    I have downloaded the trial version of TDS-3, and although it found the Trojans, and gives me a right-click delete option, I am unsure of what (if any) damage I will do. Presumably, if I delete these entries and then reboot, I will restore the old registry with the Trojans there again?

    Also tried the trial version of Trojanhunter. Sent the file to them for analysis and advice but no reply yet.

    Took Pieter's advice and removed MSR>EXE - no ill effects. Also ran CW Shredder. Nothing found.

    As I am still on MSCONFIG (Startup), I have 2 entries that I am unsure about:

    1. run= C:\WINDOWS\svcinit.exe
    2. system service C\WINDOWS\SYSTEM\MSREXE.EXE

    Any advice on whether I can disable these on startup?

    Many thanks for your collective knowledge, advice and help.

    John
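    The advice in posts 1, 2 and 6 comes down to one pattern: inventory the autostart entries, treat anything you cannot vouch for as "unknown", and disable it in a way you can undo (the file stays on disk, the entry can be put back). The script below is an added example written for this thread; it is not code from the forum, TDS, BOClean or ASViewer. The listing format (source|name|command), the allowlist and the sample entries are constructed for the demonstration, with the two suspects named in this post used as sample data.

```python
"""Autostart triage with reversible disabling.

Added example for this thread, not code from the forum, TDS, BOClean or
ASViewer. The listing format (source|name|command), the allowlist and the
sample entries are all constructed for the demonstration.
"""
import json
import ntpath
from dataclasses import dataclass, asdict

# Constructed listing mirroring the two entries quoted in the thread plus
# one benign Windows 98 entry (Registry Checker) for contrast.
SAMPLE_LISTING = """\
win.ini|run|C:\\WINDOWS\\svcinit.exe
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|system service|C:\\WINDOWS\\SYSTEM\\MSREXE.EXE
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|ScanRegistry|C:\\WINDOWS\\scanregw.exe /autorun
"""

# Hypothetical allowlist of (entry name, executable basename) pairs the owner
# has verified. Anything else is "unknown", which is a reason to look closer,
# not proof of malware.
KNOWN_GOOD = {("scanregistry", "scanregw.exe")}

# Directories where an unverified executable deserves a second look, because
# that is exactly where the thread's two suspects lived.
SYSTEM_DIRS = ("c:\\windows", "c:\\windows\\system")


@dataclass
class AutostartEntry:
    source: str       # ini file section or registry key holding the entry
    name: str         # ini key or registry value name
    command: str      # command line exactly as stored
    enabled: bool = True

    @property
    def exe_path(self) -> str:
        """First token of the command: honours a quoted path, otherwise splits
        on the first space (unquoted paths containing spaces are ambiguous)."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            return cmd[1:cmd.index('"', 1)]
        return cmd.split(" ", 1)[0]


def parse_listing(text: str) -> list:
    """Turn the constructed source|name|command listing into entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, name, command = (p.strip() for p in line.split("|", 2))
        entries.append(AutostartEntry(source, name, command))
    return entries


def triage(entry: AutostartEntry) -> list:
    """Return human-readable reasons this entry needs a closer look."""
    flags = []
    exe = entry.exe_path
    base = ntpath.basename(exe).lower()
    if (entry.name.lower(), base) not in KNOWN_GOOD:
        flags.append("not on allowlist")
    if entry.source.lower() == "win.ini":
        flags.append("legacy win.ini run= autostart")
    if "not on allowlist" in flags and ntpath.dirname(exe).lower() in SYSTEM_DIRS:
        flags.append("unverified executable in Windows system directory")
    return flags


def report(text: str) -> dict:
    """Map each entry name to its triage flags."""
    return {e.name: triage(e) for e in parse_listing(text)}


def disable(entry: AutostartEntry) -> str:
    """Disable the way MSCONFIG/ASViewer do: the file stays on disk and the
    original entry is saved as JSON so it can be put back later."""
    backup = json.dumps(asdict(entry))   # snapshot taken before the flip
    entry.enabled = False
    return backup


def restore(backup: str) -> AutostartEntry:
    """Rebuild the original entry from the JSON backup."""
    return AutostartEntry(**json.loads(backup))


if __name__ == "__main__":
    for entry in parse_listing(SAMPLE_LISTING):
        flags = triage(entry)
        print(f"{entry.name:15} {entry.exe_path:40} {', '.join(flags) or 'ok'}")
        if flags:
            print("  disabled; backup:", disable(entry))
```

    Running it prints the three entries with their flags, disables the two unknown ones and shows the JSON backup each produces; `restore()` rebuilds the original entry from that backup, which is the "you can always put it back" property Dolf describes for ASViewer. The allowlist check is deliberately conservative: an entry that fails it is unknown, not condemned, and the right next step is the one Gavin and Jooske ask for, submitting the file for analysis.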
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Please be so kind as to send the files (if possible zipped) to submit@diamondcs.com.au (or by right-clicking on the alert and pressing submit)

    For the ASViewer, please do as Gavin asked: download the file, nothing to install, just run the exe and check all the options Gavin asked for, save the log as txt to post over here.
    Thanks for the learning experience for all, so people can see if there is more to look for.

    System Restore? Are you running ME or XP then?
    Also this can be cleansed out and disabled etc but first let the specialists see what's all wrong.
     
  8. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    FanJ, you mean a person can have BOTH BoClean and TDS on their system and running at the SAME TIME?

    Acadia
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Acadia, Many users do run both successfully together :)
     
  10. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Excellent! :D I currently use BoClean but unfortunately on my old system I simply can't add anything else; it's the old System Resources problem which most of you XP users have probably completely forgotten about. I even had to REMOVE SpywareGuard to make room for other stuff. HOWEVER, in 6-7 months I'll be getting (keeping fingers crossed) a brand spanking new system with all the latest and greatest, then if I remember (which may be a problem since I'll be over 50 by then), I will add TDS to my layered defense. Thanks.

    Acadia
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Maybe you can do something with WinTask to delay some functions and other fine tuning, or with Port Explorer you can throttle bandwidth use which might be of help too. Several programs don't need to be active all time.
    Not sure about your specifications and what you have all running (maybe in a separate thread?)
     
  12. Acadia

    Acadia Registered Member

    Joined:
    Sep 8, 2002
    Posts:
    4,332
    Location:
    US
    Jooske, I really appreciate your offer of help. And with all the good stuff that I've heard about TDS (and you) I'd really like to. But BELIEVE ME, I've got so much running on this old system and I've fine tuned this thing about as much as I can. Actually, I'm kind of proud of the fact that I can have as much running as I do on this Win98 system and only see the dreaded blue screen about once every other month. Plus I'm still on the old fashioned dial-up modem which is somewhat defensive in itself. But that's one of the other things that I'm planning on doing when I get my new system, MAKE THE JUMP TO BROADBAND, YES!! Then I will definitely welcome a second Trojan scanner to my system. Thanks again for your offer. Gee, I'm starting to get the impression that the tech support for TDS is every bit as good as the tech support for BoClean; now if only Symantec and NOD would take some tech support lessons from you and Kevin. Oops, should not have said that. (Oh yes I should!)

    Acadia
     
  13. FanJ

    FanJ Guest

    Hi Acadia,

    Yes, just like Pilli already wrote: you can have them both running. I just started up TDS-3, while BOClean already was running, on this Windows 98 SE machine: not any problem :)
     
  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Nice to see Kevin around more often these days over here too for sure. Think NOD as good support to the max as possible with the forum here so close if they can concentrate on the program and technical issues; they're here even with multi-lingual supporting moderators!
    The DCS team complete, we've seen Magnus here around too rather often, so yes, we can but say the lines to the developers themselves are very direct!


    Really wondering about the specs of your win98 system and what you all keep loaded at all time.
    Win98(SE) is not that bad, even though MS and others let us believe it is but old fashioned. It is somewhat old, difficult to really secure with the many vulnerabilities, but for normal work it's still ok.
     
  15. Greetings, all ... apologies for going away, but we've all got to take a nap after milk and cookies SOMEWHERE on the clock. :)

    Pegasus ... if you still have those files, I'm pretty sure we already know them, but there's no better definitive answer when it comes to "mystery meat" than having a copy of the files to put into one of our lab rats for a "look see." If you still have copies of those files:

    C:\WINDOWS\svcinit.exe and C\WINDOWS\SYSTEM\MSREXE.EXE

    Would love to have a copy of each if you can email them to me at support@nsclean.com ... I expect we've already got those as they're quite familiar sounding, but such filenames are also commonly used for "new" nasties, thus my curiosity. Glad the MSCONFIG trick did it for the time being, it was the only thing I was SURE of as a possible holding pattern until Unca Gavin came along with a REAL answer.

    For everyone else, THANKS! Yes, there are many of us who have been practitioners in the security "biz" for a long long time and we all have the utmost respect for one another and actually SHARE information "behind the scenes" for the greater good. BOClean and TDS, as well as many OTHER fine products all cooperate nicely. Most recent KUDOS to the ZoneLabs folks (Zone Alarm) who have solved a pesky problem with their rulesets which caused challenges for some ZA users in getting their BOClean autoupdater connecting properly. As a result of THIS specific bit of cooperation, ZA's firewall now seals off "piggy-backers" a whole lot better than in the past. Such is the nature though of professionals - sure we all want to "make that sale" but the more IMPORTANT thing is that we all pull together and work together against bigger enemies than any of US could ever be - the malware authors.

    But with the exception of only a few, we ALL work together to ensure that whatever choice someone makes, security programs MUST work together to make a sum greater than its parts. Cooperation is ESSENTIAL to this mission, something just about ALL of us realize. :)
     
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hi again,

    I haven't received copies of these files either; there was also a C:\BEST.EXE if I remember correctly? Sorry... so many users, so many nasties *sigh*
     
  17. One-armed kickboxers all. No sign of it on this end either. Long and amusing night, glad I'm not alone. :)
     
  18. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    I'm sure you guys have copies of this particular Svcinit.exe file. I'm pretty sure it's CoolWebSearch, and the startup location bears it out.

    As for MSREXE.EXE, we run into that one on a daily basis, so there again I suspect you have a copy of that one as well. Will look around for one though, and will send it ASAP.
     
    I had a feeling, as I'm sure Gavin did ... you guys actually have it EASY on the spyware side of things - the stuff is always the same names, the same files, a simple FILE scan usually takes care of it. On the backdoor realm though, things are different, and that's what frightens me about where "adware" is going ... they're starting to HIRE the script kiddies. In the old days, these spammers would just hire up a kiddie to tell them what HOLE to go through and they'd ply the same old, same old again and again.

    Now that the "skiddies" are looking for REAL jobs, SOME of them are actually starting to use "trojan technology" as cut and pasted, and variants are starting to emerge that really ARE the same old same old underneath. But undetected just as was the case with trojans for all these years. That's the reason why we started covering them in BOClean after several years of reluctance owing to reliable "freeware that does that, go download it." The spammers too now are learning to use filenames that SOUND legit. :(

    Just wanted to say THANKS, buddy, for keeping at what you do at spywareinfoforum.com ... those of us who share your interests TRULY appreciate your cooperation with all of us in battling the latest "surge" in contamination of machines. Don't think for a MOMENT that we don't appreciate you deeply! :)

    But given the paranoia that WE deal with every day, we'd STILL like to see the meat. Heh. MIGHT be something else!
     
  20. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Hey, we just enjoy hunting for new stuff. You guys are doing all the really hard work! ;)
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I agree that it is getting harder to find the thin line between spyware and trojans. Want to categorize these?

    Unlike Kevin I like to get a minimum of files sent to me. (I lack his skills to analyze them) But, and I'm sure Tony agrees, we have to resort to that more and more, because we just can't be sure whether it's something old or yet another new one.

    Regards,

    Pieter
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,361
    Location:
    The Netherlands
    Msrexe.exe file received and sent.
    It's indeed an "oldie":
