Can you Identify

Discussion in 'malware problems & news' started by olekingcole, Oct 23, 2003.

Thread Status:
Not open for further replies.
  1. olekingcole

    olekingcole Guest

    Unbeknownst to me...(don't they always start out that way) a very large system hidden(of course) file shows up. Redirects Current User through it's load bundle. And the only way it was discovered was bottle arsing through files, and discovers this 3 gig file. And I'll bet your'e saying under your breathe, "how could anyone not know that was there. Someone, a gamer, setup and running that type muscle throughput is undetected and the box gives not a clue?" Well, the short answer is, paranoid as it may seem(yeah,yeah), I have had great suspicions, but couldn't pin it down. Didn't say, I am not naive. At times the cable modem activity light stays solid more than breathes. So, me calls the provider, and I get an IQ of about 69, "Well, Mr. XYZ, every function is okay here, Do want to reset the modem". To which, I bark, "No, I am running a firewall in full stealth mode, AVP current, Ad-aware, and SpyBot-S&Daggressive, and it's not on this end". If they only knew what was found on this end. After discovering this mojo file, I'm seriouly looking for the greatest Trojan Horse kungFu kickarse program out there. And do my homework. Find this trick rad program name TD(touchdown) - 3 (my Sprint Car number). "I'ts an oman", says id to alter. Not... And then, I think, It's gotta be me. Please find that it's me.

    Can anyone tell me how I can double check to make sure this great looking program does not smell that stank air. Here are the files found only by a command prompt doing a "find" command. Here are the files.


    ---------- C:WINNT\SOB\3000
    c:\adlog.txt
    c:\blocklog.txt
    c:\recv_bp.txt
    c:\send_bp.txt
    c:\documents and settings\jwang\desktop\htlogs\%d.txt
    c:\documents and settings\jwang\desktop\htlogs\%d.txt
    c:\recv_ap.txt
    c:\send_ap.txt
    pec=C:\WINNT\system32\cmd.exe
    Os2LibPath=C:\WINNT\system32\os2\dll;
    Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
    SystemRoot=C:\WINNT
    TEMP=C:\WINNT\TEMP
    TMP=C:\WINNT\TEMP
    windir=C:\WINNT
    ComSpec=C:\WINNT\system32\cmd.exe
    Os2LibPath=C:\WINNT\system32\os2\dll;
    Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
    SystemRoot=C:\WINNT
    TEMP=C:\WINNT\TEMP
    TMP=C:\WINNT\TEMP
    windir=C:\WINNT
    \??\C:\WINNT\system32\winlogon.exe
    NTREM c:\config.sys.
    NTREM visible to an OS/2 program that opens c:\config.sys, however they are
    NTREM modify NT OS/2 config.sys configuration by editing c:\config.sys with
    REM OS/2 Apps that access c:\config.sys actually manipulate this information.
    PROTSHELL=c:\os2\pmshell.exe c:\os2\os2.ini c:\os2\os2sys.ini \cmd.exe
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\x509\x509_vfy.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_eay.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_oaep.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rsa\rsa_sign.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dsa\dsa_asn1.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dsa\dsa_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\dh\dh_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\err\err.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\stack\stack.c
    4@c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\rand\md_rand.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\pkcs12\p12_decr.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\lhash\lhash.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\objects\o_names.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_enc.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\s3_srvr.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_asn1.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_cert.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_ciph.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_rsa.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\ssl_sess.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\ssl\t1_enc.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\b_print.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\b_sock.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bf_buff.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bf_nbio.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bio_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_acpt.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_bio.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\bio\bss_conn.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_bitstr.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_bytes.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_digest.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_dup.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_gentm.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_int.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_object.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_set.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_type.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_utctm.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\a_verify.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\asn1_lib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\i2d_dhp.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\i2d_r_pr.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\p8_pkey.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_algor.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_attrib.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_cinf.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\x_crl.c
    c:\builds\battlestar\lroot\english\buildroot\src\common\openssl\crypto\asn1\e
    C:\WINNT\CSC
    C:\WINNT\system32\
    \??\C:\WINNT\system32\winlogon.exe
    SERSPROFILE=C:\Documents and Settings\All Users
    CommonProgramFiles=C:\Program Files\Common Files
    ComSpec=C:\WINNT\system32\cmd.exe
    Os2LibPath=C:\WINNT\system32\os2\dll;
    Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    CommonProgramFiles=C:\Program Files\Common Files
    ComSpec=C:\WINNT\system32\cmd.exe
    Os2LibPath=C:\WINNT\system32\os2\dll;
    Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\PROGRA~1\MBTRAD~1\MBTNAV~1
    ProgramFiles=C:\Program Files
    SystemRoot=C:\WINNT
    TEMP=C:\WINNT\TEMP
    TMP=C:\WINNT\TEMP
    USERPROFILE=C:\Documents and Settings\don
    windir=C:\WINNT
    ProgramFiles=C:\Program Files
    SystemRoot=C:\WINNT
    TEMP=C:\WINNT\TEMP
    TMP=C:\WINNT\TEMP
    USERPROFILE=C:\Documents and Settings\don
    windir=C:\WINNT
    ÿÿÿÿ’Mu’Muÿÿÿÿ7’Mu;’MuC:\perfco_O.dat
    C:\MSHLOCAL.LOG
    C:\DEBUG.LOG
    c:\
    X±ÿÿÿÿÀÿ*\G{00020430-0000-0000-C000-000000000046}#1.0#0#C:\WINNT\System32\stdole32.tlb#


    nested in WINNT hidden System file.

    I know that could run a Repair install routine, but I would like to know is this seemingly great program is going to work. BTW, I have already placed a folder around the file to keep it warm, but where "jwang" gets a "no one's home, when he wants to come play.

    Honestly, I'd like to catch "jwang" and change the octice on his choir.

    Thanks for your input,
    And I apologize for the novel.

    Do You Recognize this Trojan?

    don
    ---------------
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi Don,

    Let´s keep it all in one thread:
    http://www.wilderssecurity.com/showthread.php?t=15322;start=0#msg95631
    I will close this one.

    Regards,

    Pieter
     
Loading...
Thread Status:
Not open for further replies.