Do I have a hidden trojan on my computer?

Discussion in 'malware problems & news' started by gdi, Oct 19, 2002.

Thread Status:
Not open for further replies.
  1. gdi

    gdi Guest

    Hi all,

    I'm feeling a little worried and paranoid at the moment.

    I was browsing through some sites and I came across this :

    "Netstat shows you how many active ports are on your computer. Most of them are closed, but some are open for various reasons. Some reasons can be dangerous because it might mean someone is inside your computer doing god knows what in there. So again in the black box of DOS, type in: netstat
    You should then get a list of active connections to your computer. If none, then congrats, nobody is on your computer. If something does show up in the list, take a look at it and write down the IP address number and go to www.SamSpade.org and type it in there to find the host. Analyze the host to see if it is suspicious or not. If it is, then sign off immediately and go out and get a firewall."

    This I did (on DOS) and I got back about 40 entries. So I followed the rest of the info given:

    "Another side of netstat is adding the -a to it. So type in: netstat -a
    it then will display a list of all open ports on your computer and tell you if there is an established connection on one of the ports that are open. Open ports could mean trojan horses (i.e. Backdoors) on your computer."

    By this time, my computer is not online! I got another 40-45 entries here. I looked up the IP number and it came back with: onyx / Akamai server network. Do I have a problem or should I not be worried?

    Many thanks!
     
  2. controler

    controler Guest

    Here is the deal...

    Do your netstat with your connection to the internet removed.
    Then, if you see open ports, you have a trojan.
    I think 135, 138 & 139 will show open by default.
    Anything more than this is bad.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Active connections on your PC do not automatically mean that someone is on your computer. The quote from that site you referenced: "... If none, then congrats, nobody is on your computer" is a little misleading and is perhaps trying to scare people into buying firewalls.

    As you are actively browsing sites on the Internet, you will have many open connections to both the primary site you know you are looking at, as well as other sites that the main site may be using to provide extra images or advertisements. As a web page paints, you can have a large number of open connections, as each connection pulls down a part of the page you are viewing.

    Akamai is a very widely used provider for online content. Many websites use them to provide images and download files because Akamai has large content servers located in many places, allowing for the fastest page refreshing possible. (The idea being servers closer to you on the network will provide you files faster than servers farther away.)

    What is your Operating System and what version is it? Open ports can vary depending upon what you are running. If you're on NT, W2K or XP, you can tie all the open ports back to running programs quite easily.

    Perhaps you could cut/paste the exact output of that netstat command here, blocking out your own IP if it appears in any of the items listed. If you also do a "netstat -an" as controler said with the Internet disconnected, it would be a good view of what programs are listening. This information would make it easier to analyze what's going on.
     
  4. gdi

    gdi Guest

    Thanks for the quick reply.

    I have just done a netstat on my computer offline.

    The results show a list of data about 60-70 long.
    State: TIME_WAIT

    Local address: 8080

    Foreign address: ranging from ports 4500 to 4800 and then a variety of different IP numbers.

    Then I tried the netstat -a command.

    State: LISTENING

    About 15 different entries came up.

    I wish I could capture the screen and show it here.

    But from what I've said, does this sound like a trojan?
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Not necessarily. Sorry, we really can't tell from just that description. TIME_WAIT is a normal state for connections to some websites that will time out after a while. If you wait a few minutes without doing anything, they should go away. Perhaps you can relay to us what's left then.

    Edit: I suppose I could just tell you to download a trial of some Anti-Trojan software, but I don't know that that is necessary. At this point, there's a good chance that you don't have a problem.
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Additional details of your configuration would be very helpful. OS version? Browser? Anti-Virus? Firewall and/or Proxy software? etc.
     
  7. controler

    controler Guest

    Download the SnagIt trial and screen capture just the DOS window; remove your IP if you need to.
    Very easy to use. Then reboot, do a netstat -an and capture that window. Save the file to your desktop.
    Come back here and post that picture. The default is BMP with SnagIt, but you can choose JPG, GIF, etc.
     
  8. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Or you can hold down the shift key and hit the print screen button. Then open Paint and go to edit>paste.
    You can then save as a gif or 16 color bmp and the file remains small.
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    For some reason, for me the screenshot is just the Print Screen button, without the Shift, to get it to the clipboard and from there to Paint > Edit > Paste (just in case of confusion),
    and you can paint and cut whatever.....

    As netstat is a DOS function, you can also just type in the C:\ prompt
    netstat -an > ns201002.txt (or any other easy-to-find-back name), which will give your netstat output in a ns201002.txt file, which you can easily open in your Notepad and edit your own IP address out. When you're happy with it (you might like to save it first), select all and copy it into a posting here.
    If you really want to make sure there are no wrapped lines you could type above and under that part [code ] [/ code] (without those extra spaces between the [] ).
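    As an added example (not code from any poster in this thread), here is a small Python script that does what LowWaterMark, controler and Jooske describe above: parse a saved `netstat -an` capture, tally the TCP states so a pile of TIME_WAIT entries is seen for what it is, redact your own IP before posting, and list the listening ports outside the default NT baseline so each can be tied back to a running program. The sample output and the baseline port set are constructed for this example; the thread itself only names ports 135, 138 and 139 as defaults.

```python
import re
from collections import Counter

# Constructed sample of "netstat -an" output in the Windows NT/2000 layout.
# It mirrors what the poster described (TIME_WAIT on local port 8080 with high
# foreign ports, a handful of LISTENING entries); it is not a real capture.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:12345     0.0.0.0:0              LISTENING
  TCP    192.168.1.10:8080      203.0.113.7:4501       TIME_WAIT
  TCP    192.168.1.10:8080      203.0.113.7:4502       TIME_WAIT
  TCP    192.168.1.10:1052      203.0.113.9:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# Assumed baseline: ports NT-family Windows opens by default (RPC, NetBIOS, SMB).
BASELINE_PORTS = {135, 137, 138, 139, 445}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return one dict per connection line; the header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto,
                     "local_addr": laddr,
                     "local_port": None if lport == "*" else int(lport),
                     "foreign_addr": faddr,
                     "foreign_port": None if fport == "*" else int(fport),
                     "state": state})          # empty for UDP (stateless)
    return rows


def state_summary(rows):
    """Count TCP entries per state: many TIME_WAIT after browsing is normal."""
    return Counter(r["state"] for r in rows if r["proto"] == "TCP")


def unexpected_listeners(rows, baseline=BASELINE_PORTS):
    """Sockets accepting traffic (TCP LISTENING, or any bound UDP port) whose
    port is outside the baseline. Each is a program to identify, not proof of
    a trojan; loopback-only (127.0.0.1) entries are typically local proxies."""
    hits = [(r["proto"], r["local_port"], r["local_addr"]) for r in rows
            if (r["state"] == "LISTENING" or r["proto"] == "UDP")
            and r["local_port"] not in baseline]
    return sorted(hits, key=lambda h: h[1])


def redact(text, own_ip):
    """Mask your own address before pasting netstat output into a public forum."""
    return text.replace(own_ip, "x.x.x.x")
```

    On NT, 2000 or XP the ports this reports are the ones to match against the process list (as LowWaterMark suggests) rather than against a trojan-port table alone.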
     
  10. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    From quite a different angle, trojans usually don't hide that well.

    Please do this:

    Go to http://www.spywareinfoforum.com/downloads.html , and download 'Startuplist' (in the "Startup Program Management" section).

    Unpack, double-click it, and it will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    Go to Edit > select all, copy it and please post the contents here.

    If you do have a trojan, there's a pretty good chance we'll be able to pinpoint it right there.
     
  11. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Hi gdi,

    I am going to approach this from a different angle. Everything people have posted so far is true. But what you are experiencing I have seen so many times before and in my opinion is not a cause for alarm.

    Many OS..especially win98 when it is installed on some hardware with built in modems..and you might even be on dial up..gives you the appearance in netstat..even when you are off line...that you are still connected on some ports and will even give you the IP...WinME also does this "sticky thing at times".

    I think that is what might be happening to you here.

    I had some modem drivers at one time from Lucent that did not play well and the netstat did not want to refresh. I had to put some extra instructions and then it all went away.

    There are other reasons this can happen..but I think you are trojan free..but it is disconcerting.

    Also..when you are off line and do netstat..if you would first clean out your cache...temp..TIF...history and off line content...and then try netstat..I think it will all go away.


    You can also download and install a program that has a Windows GUI that will duplicate some of the netstat function without using those commands...here is one such free program that is small and will tell you the connections in real time.

    __________
    Netmon is a compact, easy-to-use network information utility. It displays information pertaining to the IP, TCP, UDP and ICMP protocols. Its main purpose is viewing connections made using the TCP and UDP protocols from or to your computer. This information may prove very useful in hunting trojans (or other suspicious activity) present in your system.
    Netmon is a graphical conversion of the "netstat" utility shipped with Windows. Its main advantages over the console-based version are the graphical user interface (GUI), the database of common trojan ports and the complete list of well-known ports (the ports that are numbered below 1024 and reserved for different applications).

    Users familiar with the netstat utility should feel at home with the GUI and the information presented.

    Copyright (c) 1999-2001 Johan Samuelson

    You can download it here.
    netmon160.exe

    http://nidaho.net/1way/files/files.htm
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Program description sounds nice, but get a 404
     
  13. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I did a Google search and came up with this one:

    http://mts.wmich.edu/603security/netmon160.exe

    Looks to be the same thing.

    Cheers,
     
  14. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    And another one:

    http://cstrike.gamewarriors.com/downloads/miscfiles/netmon160.exe
     
  15. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    Bummer Jooske..it works for me still..thanks Tony...

    If you can get to that page I posted, it also contains these goodies...let me know if others have a problem with it



    PK250DOS.exe (203 K)
    ThumbView.exe (106 K)
    Spider.zip (244 K)
    ClipText.zip (190 K)
    ActiveSaver.scr (45 K)
    CleanIE.exe (310 K)
    HTMLnotepad.zip (1 M)
    NetMon160.exe (105 K)
    SynchronX.exe (332 K)
    TinyUpLoader.exe (140 K)
    PopUpStopper.exe (427 K)
    WebTime.zip (76 K)
    DOSinDIR.zip (123 K)
    pppBoost.exe (369 K)
    WinLock.exe (341 K)
    HideDesktop.zip (9 K)
    Process-Memory.zip (61 K)
    OnTop.exe (124 K)
    FolderSize.zip (167 K)
    SecLock.zip (114 K)
    XmsDsk.zip (13 K)
    ClipCrypt.zip (115 K)
    SendToAnyFoldr.zip (6 K)
    TweakUI.exe (111 K)

    Here it is again.
    http://nidaho.net/1way/files/files.htm


    Wondering if your browsers need the www thingie.

    hmmmmm

    Caution: direct download link!

    http://nidaho.net/1way/files/NetMon160.exe
     
  16. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    That link doesn't work here either, I'm afraid.
     
  17. controler

    controler Guest

    What I always do after I get the "page not found" in IE is
    click on "find network connection" on the error page.
    Here is what I get doing that.

    http://nidaho.net/

    http://www.nullsoft.com/free/netmon/

    Download: netmon04.exe
     
  18. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
  19. controler

    controler Guest

    One of the newest files there, Jooske, is a lockdown file

    http://mts.wmich.edu/603security/
     
  20. gdi

    gdi Guest

    StartupList report, 10/20/2002, 7:37:34 PM
    StartupList version: 1.34.0
    Started from : C:\unzipped\startuplist\StartupList.EXE
    * Using default options
    ==================================================

    Running processes:

    C:\winnt\System32\smss.exe
    C:\winnt\system32\winlogon.exe
    C:\winnt\system32\services.exe
    C:\winnt\system32\lsass.exe
    C:\winnt\system32\svchost.exe
    C:\winnt\System32\svchost.exe
    C:\winnt\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\winnt\system32\regsvc.exe
    C:\winnt\system32\MSTask.exe
    C:\winnt\system32\stisvc.exe
    C:\winnt\SYSTEM32\THOTKEY.EXE
    C:\Program Files\TOSHIBA\TME2\Tmesrv2.exe
    C:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
    C:\winnt\Explorer.exe
    C:\winnt\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\SYSTEM32\ZONELABS\minilog.exe
    C:\winnt\System32\TPWRTRAY.EXE
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\winnt\System32\Promon.exe
    C:\winnt\loadqm.exe
    C:\Program Files\PERFECT SERIES\SCROLL MOUSE\4.0\MOUSE32A.EXE
    C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\AnalogX\CookieWall\cookie.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\WebWasher\wwasher.exe
    C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\unzipped\startuplist\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Network Device Switch.lnk = C:\Program Files\TOSHIBA\NetDevSw\NetDevSW.exe
    ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINNT\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    Tpwrtray = TPWRTRAY.EXE
    TMESRV.EXE = C:\Program Files\TOSHIBA\TME2\TMESRV2.EXE /logon
    EM_EXEC = C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    Promon.exe = Promon.exe
    LoadQM = loadqm.exe
    LWBMOUSE = C:\Program Files\PERFECT SERIES\SCROLL MOUSE\4.0\MOUSE32A.EXE
    Pop-Up Stopper = "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
    AVG_CC = C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    ScriptSentry = C:\Program Files\Script Sentry\ScriptSentry.exe /check
    zSPGuard = c:\program files\pjw\startpage guard\spguard.exe /s /r
    CookieWall = C:\Program Files\AnalogX\CookieWall\cookie.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
    WebWasher = C:\Program Files\WebWasher\wwasher.exe

    --------------------------------------------------

    Enumerating Active Setup stub paths:
    HKLM\Software\Microsoft\Active Setup\Installed Components
    (* = disabled by HKCU twin)

    [{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [{7790769C-0471-11d2-AF11-00C04FA35D02}] *
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [{89820200-ECBD-11cf-8B85-00AA005B4340}] *
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [{89820200-ECBD-11cf-8B85-00AA005B4383}] *
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    --------------------------------------------------

    Checking for EXPLORER.EXE instances:

    C:\winnt\Explorer.exe: PRESENT!

    C:\Explorer.exe: not present
    C:\winnt\Explorer\Explorer.exe: not present
    C:\winnt\System\Explorer.exe: not present
    C:\winnt\System32\Explorer.exe: not present
    C:\winnt\Command\Explorer.exe: not present

    --------------------------------------------------

    Checking for superhidden extensions:

    .lnk: HIDDEN! (arrow overlay: yes)
    .pif: HIDDEN! (arrow overlay: yes)
    .exe: not hidden
    .com: not hidden
    .bat: not hidden
    .hta: not hidden
    .scr: not hidden
    .shs: HIDDEN!
    .shb: HIDDEN!
    .vbs: not hidden
    .vbe: not hidden
    .wsh: not hidden
    .scf: HIDDEN! (arrow overlay: NO!)
    .url: HIDDEN! (arrow overlay: yes)
    .js: not hidden
    .jse: not hidden

    --------------------------------------------------

    Verifying REGEDIT.EXE integrity:

    - Regedit.exe found in C:\winnt
    - .reg open command is NOT normal! (C:\Program Files\Script Sentry\ScriptSentry.exe "%1" %*)
    - Company name OK: 'Microsoft Corporation'
    - Original filename OK: 'REGEDIT.EXE'
    - File description: 'Registry Editor'

    Registry check FAILED!

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\winnt\System32\macromed\Shockwave 8\Download.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [Symantec RuFSI Registry Information Class]
    InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
    CODEBASE = http://security1.norton.com/SSC/SharedContent/sc/bin/cabsa.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\winnt\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------
    End of report, 6,304 bytes
    Report generated in 0.431 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only


    I downloaded the StartupList program and copied what it found.
    I also want to say a big thank you to everyone here for your help. Hope there's nothing to worry about!
     
  21. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    A lot of Toshiba stuff but nothing to worry about.
    I'm guessing this entry:
    is caused by Script Sentry as indicated. Maybe someone who uses it as well could check.
    To reassure yourself you might consider taking this test: http://www.pcflank.com/trojans_test1.htm

    Regards,

    Pieter
     
  22. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    I agree with Pieter. It looks fine.

    No sign of the presence of a trojan there at all.

    And the Regfile open command is indeed due to ScriptSentry opening regfiles by default, so that's quite alright as well.

    From my point of view, nothing that we should take a closer look at, at least judging by the List.
     
  23. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Agreed. I think it comes down to basically a normal netstat output, and so far, there appears to be no sign of a trojan. If you have any other indicators, odd or out of the ordinary behaviors, those might be worth exploring, otherwise, you seem to be okay. :)
     