Do I have a hidden trojan on my computer?

Hi all,

I'm feeling a little worried and paranoid at the moment.

I was browsing through some sites and I came across this :

"Netstat shows you how many active ports are on your computer. . Most of them are closed, but some are open for various reasons. Some reasons can be dangerous because it might mean someone is inside your computer doing god knows what in their. So again in the black box of DOS, type in: netstat
You should then get a list of active connections to your computer. If none, then congrats, nobody is on your computer. If something does show up in the list. Take a look at it and write down the IP address number and go to www.SamSpade.org and type it in there to find the host. Analyze the host to see if it is suspicious or not. If it is then sign off immediately and go out and get a firewall. "

This I did and ( on dos) and I got back about 40 entries.SO I followed the rest of the info given :

"Another side of netstat is adding the -a to it. So type in: netstat -a
it then will display a list of all open ports on your computer and tell you if there is an established connection on one of the ports that are open. Open ports could mean trojan horses (i.e. Backdoors) on your computer."

By this time , my computer is not online ! I got another 40-45 entries here. I looked up the ip number and it came back with : onyx / Akamai server network . Do I have a problem or should I not be worried ?

Many thanks !

 

Here is the deal...

Do your netstat with your connection to the internet removed.
Then if you see open ports. You have a trojan.
I think 135,138 & 139 will show open by default.
anything more than this is bad.

 

Thanks for the quick reply.

I have just a netstat on my computer offline.

The results show a list of data about 60-70 long.
state : time_wait

Local address: 8080

Foreign address : ranging from ports 4500 to 4800 and then a variety of different IP numbers.

Then I tried the : netstat -a command.

state : listening

about 15 different entries came on.

I wish I could capture the screen and show here.

But from Ive said does this sound like a trojan?

 

Download snagit trial and screen capture just the DOS window, remove your IP is you need to
Very easy to use. then reboot, do a netstat -an and capture that window. save the file to your desktop.
Come back here and post that picture. default is BMP with snagit but you can chose JPG GIF ect...

 

Or you can hold down the shift key and hit the print screen button. Then open Paint and go to edit>paste.
You can then save as a gif or 16 color bmp and the file remains small.

 

For some reason for me the screenshot is just printscreen button without the shift to get it to the clipboard and from there to the paint > ecit > paste (just in case of confusion)
and you can paint and cut whatever.....

As netstat is a DOS function, you can also just in the c:\ type
netstat -an > ns201002.txt (or any other easy to find back name) which will give your netstat output in a ns201002.txt file, which you can easily open in your notepad and edit your own IP address out, when you're happy with it (you might like to save it first) select all and copy it in a posting here.
If you really want to make sure there are no wrapped lines you could type above and under that part [code ] [/ code] (without those extra spaces between the [] )

 

From quite a different angle, trojans usually don't hide that well.

Please do this:

Go to http://www.spywareinfoforum.com/downloads.html , and download 'Startuplist' (in the "Startup Program Management" section).

Unpack, doubleclick it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

Go to Edit > select all, copy it and please post the contents here.

If you do have a trojan, there's a pretty good chance we'll be able to pinpoint it right there.

 

Hi gdi,

I am going to approach this from a different angle. Everything people have posted so far is true. But what you are experiencing I have seen so many times before and in my opinion is not a cause for alarm.

Many OS..especially win98 when it is installed on some hardware with built in modems..and you might even be on dial up..gives you the appearance in netstat..even when you are off line...that you are still connected on some ports and will even give you the IP...WinME also does this "sticky thing at times".

I think that is what might be happening to you here.

I had some modem drivers at one time from Lucent that did not play well and the netstat did not want to refresh. I had to put some extra instructions and then it all went away.

There are other reasons this can happen..but I think you are trojan free..but it is disconserting.

Also..when you are off line and do netstat..if you would first clean out your cache...temp..TIF...history and off line content...and then try netstat..I think it will all go away.


You can also download and install a program that has a windows GUI that will duplicate some of the Netstat function with out using those commands...here is one such free program that is small and will tell you in real time the connections.

__________
Netmon is a compact, easy-to-use network information utility. It displays infomation pertaining to the IP, TCP, UDP and ICMP protocols. It's main purpose is viewing connections made using TCP and UDP protocols from or to your computer. This information may prove very useful in hunting trojans (or other suspicious activity) present in your system.
Netmon is a graphical conversion of the "netstat" utility shipped with Windows. It's main advantages over the console based version, is the graphical user interface (GUI), the database of common trojan ports and the complete list of well-known ports (the ports that are numbered below 1024 and reserved for different applications).

Users familiar with the netstat utility should feel at home with the GUI and the information presented.

Copyright (c) 1999-2001 Johan Samuelson

You can download it here.
netmon160.exe

http://nidaho.net/1way/files/files.htm

 

Program description sounds nice, but get a 404

 

I did a Google search and came up with this one:

http://mts.wmich.edu/603security/netmon160.exe

Looks to be the same thing.

Cheers,

 

And another one:

http://cstrike.gamewarriors.com/downloads/miscfiles/netmon160.exe

 

Bummer Jooske..it works for me still..thanks Tony...

If you can get to that page I posted it also contains these goodies also...let me know if others have a problem with it



PK250DOS.exe 203 K ThumbView.exe 106 K Spider.zip 244 K
ClipText.zip 190 K ActiveSaver.scr 45 K CleanIE.exe 310 K
HTMLnotepad.zip 1 M NetMon160.exe 105 K SynchronX.exe 332 K
TinyUpLoader.exe 140 K PopUpStopper.exe 427 K WebTime.zip 76 K
DOSinDIR.zip 123 K pppBoost.exe 369 K WinLock.exe 341 K
HideDesktop.zip 9 K Process-Memory.zip 61 K OnTop.exe 124 K
FolderSize.zip 167 K SecLock.zip 114 K XmsDsk.zip 13 K
ClipCrypt.zip 115 K SendToAnyFoldr.zip 6 K TweakUI.exe 111 K

Here it is again.
http://nidaho.net/1way/files/files.htm


Wondering if your browsers need the www thingie.

hmmmmm

Caution: direct download link!

http://nidaho.net/1way/files/NetMon160.exe

 

That link doesn't work here either, I'm afraid.

 

What i always do after I get the page not found in IE is
click on find network connection on the error page.
here is what I get doing that.

http://nidaho.net/

http://www.nullsoft.com/free/netmon/

Download: netmon04.exe

 

Googled a little more and in cached pages, think these could work? (these are yours i see now)
http://mts.wmich.edu/603security/
http://www.google.nl/search?q=cache:bfRgNYZrR8EC:nidaho.net/1way/files/files.htm+netmon160&hl=nl&ie=UTF-8
Only there is no description of the various tools.
Found out in the meantime i had the netmon1.60 already installed, just had not recognized it
On that mts site is a lot but lack of description makes me careful with downloading.

 

one of the newest files there Jooske is a lockdown file

http://mts.wmich.edu/603security/

 

StartupList report, 10/20/2002, 7:37:34 PM
StartupList version: 1.34.0
Started from : C:\unzipped\startuplist\StartupList.EXE
* Using default options
==================================================

Running processes:

C:\winnt\System32\smss.exe
C:\winnt\system32\winlogon.exe
C:\winnt\system32\services.exe
C:\winnt\system32\lsass.exe
C:\winnt\system32\svchost.exe
C:\winnt\System32\svchost.exe
C:\winnt\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\winnt\system32\regsvc.exe
C:\winnt\system32\MSTask.exe
C:\winnt\system32\stisvc.exe
C:\winnt\SYSTEM32\THOTKEY.EXE
C:\Program Files\TOSHIBA\TME2\Tmesrv2.exe
C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
C:\winnt\Explorer.exe
C:\winnt\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\SYSTEM32\ZONELABS\minilog.exe
C:\winnt\System32\TPWRTRAY.EXE
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\winnt\System32\Promon.exe
C:\winnt\loadqm.exe
C:\Program Files\PERFECT SERIES\SCROLL MOUSE\4.0\MOUSE32A.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\AnalogX\CookieWall\cookie.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WebWasher\wwasher.exe
C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\unzipped\startuplist\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
Tpwrtray = TPWRTRAY.EXE
TMESRV.EXE = C:\Program Files\TOSHIBA\TME2\TMESRV2.EXE /logon
EM_EXEC = C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
Promon.exe = Promon.exe
LoadQM = loadqm.exe
LWBMOUSE = C:\Program Files\PERFECT SERIES\SCROLL MOUSE\4.0\MOUSE32A.EXE
Pop-Up Stopper = "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
AVG_CC = C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
ScriptSentry = C:\Program Files\Script Sentry\ScriptSentry.exe /check
zSPGuard = c:\program files\pjw\startpage guard\spguard.exe /s /r
CookieWall = C:\Program Files\AnalogX\CookieWall\cookie.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
WebWasher = C:\Program Files\WebWasher\wwasher.exe

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\winnt\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\winnt\Explorer\Explorer.exe: not present
C:\winnt\System\Explorer.exe: not present
C:\winnt\System32\Explorer.exe: not present
C:\winnt\Command\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\winnt
- .reg open command is NOT normal! (C:\Program Files\Script Sentry\ScriptSentry.exe "%1" %*)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check FAILED!

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\winnt\System32\macromed\Shockwave 8\Download.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
CODEBASE = http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

[Shockwave Flash Object]
InProcServer32 = C:\winnt\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------
End of report, 6,304 bytes
Report generated in 0.431 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


I downloaded the startuplist program and copied what it found.
I also want to say a big thankyou to everyone here for your help. Hope theres nothing to worry about !

 

A lot of Toshiba stuff but nothing to worry about.
I´m guessing this entry:

is caused by Script Sentry as indicated. Maybe someone who uses it as well could check.
To reassure yourself you might consider taking this test: http://www.pcflank.com/trojans_test1.htm

Regards,

Pieter

 

I agree with Pieter. It looks fine.

No sign of the presence of a trojan there at all.

And the Regfile open command is indeed due to ScriptSentry opening regfiles by default, so that's quite alright as well.

From my point of view, nothing that we should take a closer look at, at least judging by the List.