how to catch an undetected trojan?

Discussion in 'Trojan Defence Suite' started by waya, Jun 14, 2003.

Thread Status:
Not open for further replies.
  1. waya

    waya Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    28
    Location:
    vancouver
    Hi people, I have a trojan on and don't know how to proceed. I was typing an e-mail and the screen wiggled up and down rapidly. I typed, "If you can see this, wiggle again." It did. I tried a few other communications and received a response each time.

    I scanned with TDS. No trojan found, but a warning that explorer.exe had changed. I replaced the explorer.exe with another copy from backups. I scanned again and received a warning that sys.ini had changed. I didn't know what to do with it or tell how it changed. My ZoneAlarm Pro now asks me whether Explorer can use Messenger to access the internet. It didn't ask that before. I tried saying no and my Messenger won't sign in. I changed it to yes and Messenger works.

    I read the entire help files from TDS. I tried the TCP Connect and TCP Listen. I turned on the NetBus Emulator. TCP Connect showed NetBus 1.60 and I sent the RemoveServer command and nothing happened. I probably ballsed it up through lack of knowledge. I then thought, maybe the Emulator is what I'm seeing connected in the first place, because why didn't TDS find NetBus 1.60 if it was on my system? These questions sparked a tidal wave of more questions.

    I vow here to learn as much as possible as fast as possible in order to help myself, but I could use a hand up here, fellas, as my head is swimming. I am asking for advice as to how to proceed from here. First up, should I leave the NetBus Emulator turned on? If not, please tell me how to turn it off. I eagerly await any advice and instructions!

    To put something back into the world, if anyone is having trouble catching mice, I invented a mousetrap modification that works like a charm on street-smart urban mice. Let me know and I'll e-mail you the instructions. Meanwhile, there is a RAT in my beloved PC! Help! :eek:
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi waya,

    First, I got a number of questions...

    1. Are you using a trial version or registered version of TDS?

    1a. If registered, you should make sure that ExecProt is enabled (the TDS console says whether or not it is enabled when TDS starts).

    2. Are your protection options set high? (Scan Control -> Scan Options tab: everything on the left side should be checked, and on the right everything except Eicar and Show all NTFS Streams should be checked. On the ADS Stream Options, set it to ignore streams smaller than 512 bytes. On the Generic Detection tab, check both boxes and set the slider to the extreme right. Under the Configuration button, on the Startup tab, Startup Scanning section, enable all except the CRC Test.)

    3. If you are running NT/2k/XP download the freeware autostart viewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    The program is a GUI program; launch it, go to the Main menu, select all three top options and then select Save (it will save the output to a text file). If you could post the contents of the file, that would help immensely.

    4. Restart TDS and do a full scan.

    I think this is enough to get started on.

    BTW, the emulator has nothing to do with this, but you might just as well leave it off while doing the scan.
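The "explorer.exe had changed" warning that opened this thread is the kind of result TDS's startup CRC test produces. The Python below is an added example, not TDS code, of the same check done by hand so that you control the baseline: it hashes a watch list of files with SHA-256 (a CRC32 can be matched deliberately by padding a patched file) and later reports which files have changed or gone missing. The watch list and the files the demo creates in a temporary directory are placeholders.

```python
"""Hash baseline for files a RAT likes to replace, and a later verification pass.
Added example, not TDS code; the watch list and the demo files are placeholders."""
import hashlib
import json
import os
import tempfile
from typing import Dict, Iterable, List

# Assumption: a short illustrative list; TDS's own list is not documented here.
DEFAULT_WATCHLIST = [
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\userinit.exe",
    r"C:\WINDOWS\system.ini",
    r"C:\WINDOWS\win.ini",
]


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256. A CRC32 only catches accidental change:
    an attacker can pad a patched file until the CRC matches again."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Record hash, size and mtime of every watched file that exists."""
    baseline: Dict[str, Dict[str, object]] = {}
    for path in paths:
        if os.path.isfile(path):
            st = os.stat(path)
            baseline[path] = {"sha256": sha256_file(path),
                              "size": st.st_size, "mtime": int(st.st_mtime)}
    return baseline


def save_baseline(baseline: Dict[str, Dict[str, object]], out_path: str) -> None:
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(in_path: str) -> Dict[str, Dict[str, object]]:
    with open(in_path, encoding="utf-8") as fh:
        return json.load(fh)


def verify(baseline: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Compare live files against the baseline. Only the hash decides 'changed':
    a patched binary can keep its size and have its timestamp put back."""
    report: Dict[str, List[str]] = {"changed": [], "missing": [], "ok": []}
    for path, rec in baseline.items():
        if not os.path.isfile(path):
            report["missing"].append(path)
        elif sha256_file(path) != rec["sha256"]:
            report["changed"].append(path)
        else:
            report["ok"].append(path)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed run: three stand-in files; one is patched in place with its
    size and mtime preserved, one is deleted, one is left alone."""
    with tempfile.TemporaryDirectory() as tmp:
        shell = os.path.join(tmp, "explorer.exe")
        ini = os.path.join(tmp, "system.ini")
        userinit = os.path.join(tmp, "userinit.exe")
        with open(shell, "wb") as fh:
            fh.write(b"MZ" + b"\x90" * 64)
        with open(ini, "wb") as fh:
            fh.write(b"[boot]\r\nshell=explorer.exe\r\n")
        with open(userinit, "wb") as fh:
            fh.write(b"MZ" + b"\xcc" * 32)
        baseline = build_baseline([shell, ini, userinit])
        save_baseline(baseline, os.path.join(tmp, "baseline.json"))

        before = os.stat(shell)
        with open(shell, "r+b") as fh:          # same-size patch, mtime restored
            fh.seek(10)
            fh.write(b"\xe9")
        os.utime(shell, (before.st_atime, before.st_mtime))
        os.remove(userinit)

        report = verify(load_baseline(os.path.join(tmp, "baseline.json")))
        return {k: [os.path.basename(p) for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(demo())
```

Take the baseline from a machine you trust (a fresh install before it goes online), keep baseline.json where the machine cannot rewrite it (floppy, CD, another host), and refresh it after each Windows Update, because a legitimate patch to explorer.exe looks exactly like a replacement. The check reads files through the running kernel, so a kernel-mode rootkit can hand back the clean bytes; for a hash you can trust on a suspect box, boot from clean media and hash the disk offline.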
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Another thing that would help (if you have NT/2k/XP) is to download fport from

    http://www.foundstone.com/resources/termsofuse.htm?file=fport.zip

    unzip it to your windows directory and from the command prompt type

    fport -p > openports.txt

    and paste the contents of the openports.txt file here
     
  4. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Download Port Explorer (http://www.diamondcs.com.au/portexplorer/), it has a Save capability so you can copy the results to a text file. It's far more accurate than FPort.
     
  5. waya

    waya Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    28
    Location:
    vancouver
    Hi fellas, here are the reports. I configured TDS as you said. I ran another scan and still no results/findings. As for the Emulator, I figured out how to install it, but I don't know how to uninstall/turn it off. Please advise. Sorry for the lag, I had to pick up the missus from work. I already had Port Explorer and Autostart Viewer. I didn't mention before but I'm running XP Home with all updates.
    ----------
    | NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
    --------------------------------------------------------------------------------------------------------------------------------------------------------
    | SYSTEM | --- | 0 | TCP | XX.XX.XXX.XX | 1309 | 66.227.68.99 | 80 | TIME_WAIT | --- | --- |
    | SYSTEM | --- | 4 | TCP | 0.0.0.0 | 445 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 4 | TCP | XX.XX.XXX.XX | 139 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 4 | TCP | 0.0.0.0 | 1027 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | SYSTEM | --- | 4 | UDP | XX.XX.XXX.XX | 137 | *.*.*.* | * | LISTENING | --- | --- |
    | SYSTEM | --- | 4 | UDP | XX.XX.XXX.XX | 138 | *.*.*.* | * | LISTENING | --- | --- |
    | SYSTEM | --- | 4 | UDP | 0.0.0.0 | 445 | *.*.*.* | * | LISTENING | --- | --- |
    | lsass.exe | 17:29 14/06/2003 | 428 | UDP | 0.0.0.0 | 500 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | lsass.exe | 17:29 14/06/2003 | 428 | UDP | 0.0.0.0 | 4500 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 17:29 14/06/2003 | 600 | TCP | 0.0.0.0 | 135 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 17:29 14/06/2003 | 600 | UDP | 0.0.0.0 | 135 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 17:29 14/06/2003 | 624 | TCP | 0.0.0.0 | 1025 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 17:29 14/06/2003 | 624 | UDP | XX.XX.XXX.XX | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 17:29 14/06/2003 | 624 | UDP | 127.0.0.1 | 123 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | svchost.exe | 17:29 14/06/2003 | 624 | UDP | 0.0.0.0 | 1026 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | iexplore.exe | 17:42 14/06/2003 | 1620 | UDP | 127.0.0.1 | 1102 | 127.0.0.1 | 1102 | LISTENING | 2102/2102 | 2102/2102 |
    | iexplore.exe | 20:42 14/06/2003 | 1620 | TCP | XX.XX.XXX.XX | 1310 | 66.227.68.99 | 80 | CLOSE_WAIT | 21/10670 | 88/43906 |
    | iexplore.exe | 20:42 14/06/2003 | 1620 | TCP | XX.XX.XXX.XX | 1311 | 66.227.68.99 | 80 | CLOSE_WAIT | 20/10279 | 79/26876 |
    | iexplore.exe | --- | 1620 | TCP | 0.0.0.0 | 1310 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | iexplore.exe | --- | 1620 | TCP | 0.0.0.0 | 1311 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | explorer.exe | 20:39 14/06/2003 | 1724 | TCP | XX.XX.XXX.XX | 1308 | 207.46.248.249 | 80 | CONNECTING | 3/393 | 8/795 |
    | explorer.exe | 20:39 14/06/2003 | 1724 | TCP | XX.XX.XXX.XX | 1307 | 207.46.248.249 | 80 | CONNECTING | 2/262 | 5/529 |
    | explorer.exe | --- | 1724 | TCP | 0.0.0.0 | 1307 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | explorer.exe | --- | 1724 | TCP | 0.0.0.0 | 1308 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | nbsrvem.exe | 18:56 14/06/2003 | 1804 | TCP | 0.0.0.0 | 12345 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | msmsgs.exe | 17:30 14/06/2003 | 1952 | UDP | 0.0.0.0 | 1028 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | msmsgs.exe | 17:30 14/06/2003 | 1952 | UDP | XX.XX.XXX.XX | 15117 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | msmsgs.exe | 17:30 14/06/2003 | 1952 | TCP | XX.XX.XXX.XX | 14479 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | msmsgs.exe | 17:30 14/06/2003 | 1952 | TCP | XX.XX.XXX.XX | 1030 | 207.46.106.198 | 1863 | ESTABLISHED | 9/566 | 16/2011 |
    | msmsgs.exe | 17:30 14/06/2003 | 1952 | UDP | 127.0.0.1 | 1031 | 127.0.0.1 | 1031 | LISTENING | 5/5 | 5/5 |
    | msmsgs.exe | --- | 1952 | TCP | 0.0.0.0 | 1030 | 0.0.0.0 | 0 | LISTENING | --- | --- |
    | pavproxy.exe | 17:30 14/06/2003 | 2008 | UDP | 127.0.0.1 | 18001 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | pavproxy.exe | 17:30 14/06/2003 | 2008 | UDP | 127.0.0.1 | 18003 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | pavproxy.exe | 17:30 14/06/2003 | 2008 | UDP | 127.0.0.1 | 18002 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
    | pavproxy.exe | 17:30 14/06/2003 | 2008 | TCP | 127.0.0.1 | 31595 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | pavproxy.exe | 17:30 14/06/2003 | 2008 | TCP | 127.0.0.1 | 31597 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    | pavproxy.exe | 17:30 14/06/2003 | 2008 | TCP | 127.0.0.1 | 31596 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
    --------------------------------------------------------------------------------------------------------------------------------------------------------
    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for michael@PRE-INSTALLED, 06-14-2003
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\config.sys
    C:\DOS\HIMEM.SYS
    C:\HXCD-ROM\CDROM.SYS /D:MSCD000
    C:\HXCD-ROM\CDROM.SYS /D:MSCD000
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\ssstars.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\ssstars.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PPMemCheck
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CookiePatrol
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Ad-watch
    C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PestPatrol Control Center
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\KernelFaultCheck
    C:\WINDOWS\system32\dumprep 0 -k
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SpyCop ScanCheck
    C:\Program Files\Common Files\Microsoft Shared\Perl.exe /LASTSCAN
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
    C:\badger\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS
    C:\Program Files\Messenger\msmsgs.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm Pro.lnk
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\System32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\inf\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\System32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}\
    C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
    HKLM\Software\Microsoft\Active Setup\Installed Components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}\
    C:\WINDOWS\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\Alerter\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\Messenger\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PAVDRV\
    C:\WINDOWS\system32\drivers\Pavdrv51.sys
    HKLM\System\CurrentControlSet\Services\PAVSRV\
    C:\badger\Panda Software\Panda Antivirus Titanium\Pavsrv51.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Secdrv\
    C:\WINDOWS\System32\DRIVERS\secdrv.sys
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\stisvc\
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\vsdatant\
    \??\C:\WINDOWS\System32\vsdatant.sys
    HKLM\System\CurrentControlSet\Services\vsmon\
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs

    Eagerly awaiting your reply. Waya

    - Removed your private TCP IP address - LowWaterMark
     
  6. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Still looking through it, but at the time of the capture via Port Explorer did you have any signs of a current connection?
     
  7. waya

    waya Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    28
    Location:
    vancouver
    Not that I'm aware of. BTW, my TDS is a full registered version. I forgot to tell you. Also, how do I toggle the Emulator on or off?
     
  8. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Good question :)

    I would try to just stop that process from the Task Manager.

    Regarding your Port Explorer output, I do not see anything there to worry about yet. I suggest you keep Port Explorer on the Remote tab and keep an eye out for addresses you can't account for.

    Still looking through the asviewer output :)
     
  9. waya

    waya Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    28
    Location:
    vancouver
    Do I leave Port Explorer running whenever I'm on the computer and just watch that tab?
     
  10. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Sure,

    You might also want to change some default settings:

    Settings -> File Logging -> limit to 16 MB
    Settings -> Show New Sockets for 10 seconds
    Settings -> Show Dead Sockets for 10 seconds

    This way you can position the window off to the side and still get a hint when there is some activity.

    I Don't see anything obvious in the autostart either but hopefully some others will have some input.

    Did you load any software lately that might account for this?
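Dan's "nothing obvious in the autostart" is the usual verdict on a report of this length, and a script makes that pass repeatable. The Python below is an added example, not DiamondCS code: it pairs each autostart location in an Autostart Viewer report with the commands registered under it, then flags images outside the directories a stock XP install puts programs in, unqualified image names that Windows resolves through the search path, and Winlogon Shell/Userinit values that name anything but the single expected binary. The report grammar (a location line followed by one or more command lines) is inferred from waya's posted report; the trusted prefixes and expected Winlogon values are assumptions. The sample is a handful of waya's lines plus one made-up Run entry (WinUpdate) that is not from his machine.

```python
"""Triage a DiamondCS Autostart Viewer report: pair each autostart location
with the command lines registered under it and flag the ones worth a manual
look. Added example, not DiamondCS code. The report grammar is inferred from
the report posted in this thread; the trusted directories and the Winlogon
expectations are assumptions for a stock XP install."""
import re
from typing import List, Tuple

# Where a legitimately installed autostart image normally lives (assumption).
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\progra~1\\",           # 8.3 short name of Program Files
)
# Environment tokens seen in the report, expanded for path matching.
ENV = {"%systemroot%": "c:\\windows", "%programfiles%": "c:\\program files"}
# The two Winlogon values RATs most often hijack, and the image each should name.
EXPECTED_IMAGE = {
    "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\shell": "explorer.exe",
    "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\userinit": "userinit.exe",
}
_IMAGE = re.compile(r'^(.*?\.(?:exe|dll|sys|scr|vxd|com))(?=[\s,"]|$)', re.IGNORECASE)


def is_location(line: str) -> bool:
    """Registry keys, .ini/.nt/.lnk files and config.sys head an entry."""
    low = line.lower()
    return (low.startswith(("hklm\\", "hkcu\\", "hkcr\\"))
            or low.endswith((".ini", ".nt", ".lnk", "config.sys"))
            or "[boot]" in low)


def parse_report(text: str) -> List[Tuple[str, str]]:
    """Return (location, command) pairs; one location may carry several commands."""
    entries: List[Tuple[str, str]] = []
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("DiamondCS Autostart Viewer"):
            continue
        if is_location(line):
            location = line
        elif location is not None:
            entries.append((location, line))
    return entries


def image_path(command: str) -> str:
    """Lower-cased path of the program a command line starts, arguments stripped."""
    cmd = command.strip().strip('"')
    if cmd.startswith("\\??\\"):           # NT object-manager prefix on driver paths
        cmd = cmd[4:]
    low = cmd.lower()
    for token, value in ENV.items():
        low = low.replace(token, value)
    match = _IMAGE.match(low)
    return match.group(1) if match else low.split(" ", 1)[0]


def triage(entries: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """(location, command, reason) for every entry that needs a human look."""
    findings: List[Tuple[str, str, str]] = []
    for location, command in entries:
        path = image_path(command)
        loc = location.lower().rstrip("\\")
        if loc in EXPECTED_IMAGE:
            # Both values should name exactly one image; an appended ",evil.exe"
            # or a swapped shell is the classic persistence trick at this location.
            if path.rsplit("\\", 1)[-1] != EXPECTED_IMAGE[loc] or "," in command:
                findings.append((location, command, "Winlogon value altered"))
            continue
        if re.match(r"^[a-z]:\\", path):
            if not path.startswith(TRUSTED_PREFIXES):
                findings.append((location, command, "image outside trusted directories"))
        else:
            findings.append((location, command, "unqualified image, resolved via search path"))
    return findings


# Constructed sample: a few lines in the posted format plus one made-up Run
# entry (WinUpdate) that is not from the machine discussed in the thread.
SAMPLE = r"""
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for user@HOST, 06-14-2003
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\PPMemCheck
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\APVXDWIN
C:\badger\Panda Software\Panda Antivirus Titanium\APVXDWIN.EXE
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate
C:\DOCUME~1\user\LOCALS~1\Temp\wupdate.exe
HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
HKLM\System\CurrentControlSet\Services\vsdatant\
\??\C:\WINDOWS\System32\vsdatant.sys
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZoneAlarm Pro.lnk
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
"""

if __name__ == "__main__":
    for location, command, reason in triage(parse_report(SAMPLE)):
        print(f"{reason}\n    {location}\n    {command}")
```

On the sample it flags the Panda entry under C:\badger (a non-standard but, going by the report, deliberate install directory), the made-up Temp entry, and the rundll32.exe Active Setup line. None of these is a verdict: a flag means "show me the file", and the directory rule exists because a RAT dropped by a mail attachment tends to land in a profile or Temp directory rather than in System32. The script only sees what the report saw; a RAT registered through a location Autostart Viewer does not enumerate, or hidden by a rootkit, will not appear.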
     
  11. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    waya,

    If you haven't already done so, you might want to register on the TDS Private Forum over at

    http://www.diamondcs.com.au/forum

    In the meantime, to save time I created a thread there pointing to this one to see if anyone else will have additional input (as I am quite sure they will!)
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Because I have difficulty reading the wrapped text of the PE port listing output, here is an image of it with just the bytes sent/received columns removed.
     


  13. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    waya,

    Thanks to LowWaterMark's treatment of the PE output, a couple of possibilities are evident.

    I suggest enabling SocketSpy on TCP 14479 and UDP 15117 (both used by the MS Messenger process).
     
  14. waya

    waya Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    28
    Location:
    vancouver
    Thanks LowWaterMark and Dan. I have enabled spying on both. I don't see anything yet when I click on packet data. Hope I did it right. I went to the tab, highlighted the appropriate line and then clicked Enable Spying. Hmmm... :doubt: I think we're getting closer.
     
  15. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Also, did you recently change your screensaver?
     
  16. waya

    waya Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    28
    Location:
    vancouver
    Not at all.
     
  17. waya

    waya Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    28
    Location:
    vancouver
    nope
     
  18. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Okay,

    Let's see what modules you have loaded in the explorer.exe process.

    If you could go to

    http://www.xmlsp.com/pview/prcview.htm

    and download the freeware PrcView product. It has a GUI as well as a command-line component.

    Open a command prompt in the directory where you installed it and type the command

    pv -m explorer.exe > explorermodules.txt

    and paste the contents of that here.
     
  19. xam

    xam Registered Member

    Joined:
    Feb 14, 2003
    Posts:
    20
    nbsrvem.exe listening on port 12345 looks dodgy to me. It's the default port used by the NetBus trojan.
     
  20. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Yes, that's right, but that is TDS's custom NetBus Emulator, not the real thing.
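Dan's reading of the Port Explorer listing, xam's catch of port 12345 and Dan's correction can be mechanised so the same pass can be repeated after every change. The Python below is an added example, not DiamondCS or Foundstone code: it parses the table as waya posted it, discards the LISTENING rows that are only the local ends of the explorer.exe and iexplore.exe web connections, and reports listeners on the machine's own address that are not in a baseline of what a stock XP install exposes, plus any listener on a classic RAT default port. The baseline set and the port map are assumptions to tune per host; the sample rows are a subset of waya's listing with his masked address kept as posted.

```python
"""Triage a Port Explorer socket listing (the same idea applies to fport -p
output once it is parsed). Added example, not DiamondCS or Foundstone code.
The table format is taken from the listing posted in this thread; the
expected-listener baseline and the port map are assumptions."""
from typing import Dict, List, Set, Tuple

# Listeners a stock XP home box exposes on its LAN address (assumption: tune per host).
EXPECTED_LISTENERS: Set[Tuple[str, str, int]] = {
    ("system", "TCP", 139), ("system", "TCP", 445),
    ("system", "UDP", 137), ("system", "UDP", 138), ("system", "UDP", 445),
    ("svchost.exe", "TCP", 135), ("svchost.exe", "UDP", 135),
    ("lsass.exe", "UDP", 500), ("lsass.exe", "UDP", 4500),
}
# Default control ports of two classic RATs. A hit is a prompt to look, not a verdict:
# in this thread TCP 12345 belongs to TDS's own NetBus emulator (nbsrvem.exe).
TROJAN_DEFAULT_PORTS = {12345: "NetBus", 31337: "Back Orifice"}


def parse_port_table(text: str) -> List[Dict[str, str]]:
    """Turn the '| NAME | CREATION | ... |' table into dicts keyed by the header row."""
    header: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue                                  # dashed rules and prose
        cells = [c.strip() for c in line.strip("|").split("|")]
        if not header:
            header = [c.lower().replace(" ", "_") for c in cells]
        elif len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows


def triage(rows: List[Dict[str, str]]) -> Dict[str, list]:
    """Split the listing into flagged listeners, remote peers and suppressed rows."""
    # Port Explorer lists every bound socket as LISTENING, including the local end
    # of an outbound connection (explorer.exe 1308, iexplore.exe 1310 in the thread).
    # Those share pid/protocol/port with a row that has a peer, so drop them.
    connected = {(r["pid"], r["protocol"], r["local_port"])
                 for r in rows if r["port_status"] != "LISTENING"}
    report: Dict[str, list] = {"listeners": [], "remote": [], "suppressed": []}
    for r in rows:
        proc, proto, port = r["name"].lower(), r["protocol"], int(r["local_port"])
        if r["port_status"] != "LISTENING":
            report["remote"].append((proc, r["remote_address"], r["remote_port"], r["port_status"]))
            continue
        if (r["pid"], proto, r["local_port"]) in connected:
            report["suppressed"].append((proc, proto, port))
            continue
        if r["local_address"].startswith("127."):
            continue                                  # reachable only from this host
        reasons = []
        if (proc, proto, port) not in EXPECTED_LISTENERS:
            reasons.append("not in host baseline")
        if port in TROJAN_DEFAULT_PORTS:
            reasons.append("default port of " + TROJAN_DEFAULT_PORTS[port])
        if reasons:
            report["listeners"].append(
                {"process": proc, "pid": int(r["pid"]), "proto": proto, "port": port, "reasons": reasons})
    return report


# Constructed sample: a subset of the rows waya posted, his address left masked as posted.
SAMPLE = """
| NAME | CREATION | PID | PROTOCOL | LOCAL ADDRESS | LOCAL PORT | REMOTE ADDRESS | REMOTE PORT | PORT STATUS | SENT | RECVD |
-------------------------------------------------------------------------------------------------------------------------------
| SYSTEM | --- | 4 | TCP | 0.0.0.0 | 445 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| SYSTEM | --- | 4 | TCP | XX.XX.XXX.XX | 139 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| svchost.exe | 17:29 14/06/2003 | 600 | TCP | 0.0.0.0 | 135 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| iexplore.exe | 20:42 14/06/2003 | 1620 | TCP | XX.XX.XXX.XX | 1310 | 66.227.68.99 | 80 | CLOSE_WAIT | 21/10670 | 88/43906 |
| iexplore.exe | --- | 1620 | TCP | 0.0.0.0 | 1310 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| explorer.exe | 20:39 14/06/2003 | 1724 | TCP | XX.XX.XXX.XX | 1308 | 207.46.248.249 | 80 | CONNECTING | 3/393 | 8/795 |
| explorer.exe | --- | 1724 | TCP | 0.0.0.0 | 1308 | 0.0.0.0 | 0 | LISTENING | --- | --- |
| nbsrvem.exe | 18:56 14/06/2003 | 1804 | TCP | 0.0.0.0 | 12345 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| msmsgs.exe | 17:30 14/06/2003 | 1952 | UDP | XX.XX.XXX.XX | 15117 | *.*.*.* | * | LISTENING | 0/0 | 0/0 |
| msmsgs.exe | 17:30 14/06/2003 | 1952 | TCP | XX.XX.XXX.XX | 14479 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
| msmsgs.exe | 17:30 14/06/2003 | 1952 | TCP | XX.XX.XXX.XX | 1030 | 207.46.106.198 | 1863 | ESTABLISHED | 9/566 | 16/2011 |
| pavproxy.exe | 17:30 14/06/2003 | 2008 | TCP | 127.0.0.1 | 31595 | 0.0.0.0 | 0 | LISTENING | 0/0 | 0/0 |
"""

if __name__ == "__main__":
    result = triage(parse_port_table(SAMPLE))
    for hit in result["listeners"]:
        print(f'{hit["process"]:12} {hit["proto"]} {hit["port"]:>5}  {"; ".join(hit["reasons"])}')
    for proc, addr, port, state in result["remote"]:
        print(f"{proc:12} -> {addr}:{port} ({state})")
```

On the sample it flags nbsrvem.exe on 12345 (which this thread establishes is the TDS emulator) and the two Messenger listeners Dan asked to put SocketSpy on; the flags are prompts for exactly that kind of follow-up. A RAT that only calls out, the way the explorer.exe CONNECTING rows do, never appears as a listener at all, which is why the remote-address list deserves as much attention as the listener list. A rootkit that hooks the socket enumeration hides from Port Explorer and fport alike; a port scan from a second machine is the cross-check.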
     
  21. waya

    waya Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    28
    Location:
    vancouver
    here goes!
     

    Attached file: 2.txt (18 KB)
  22. waya

    waya Registered Member

    Joined:
    Oct 10, 2002
    Posts:
    28
    Location:
    vancouver
    I'll try pasting it for easy reading.

    [Dan Perez] cut and submitted as txt file for better readability :)
     


  23. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Waya, try changing the font to Courier regular 10 ;)
     
  24. Lolly

    Lolly Guest

    Hello everybody :)

    I come from Germany. I have exactly the same problems.

    First Windows Explorer tried and tried to come online; my firewall (ZoneAlarm Pro) blocked it.

    Then Windows Explorer tried to go online using Trillian (a chat program that combines multiple chat programs; with Trillian I use MSN, AOL and Yahoo).

    When I allow Windows Explorer to use Trillian to go online, I can log in with it; otherwise Trillian cannot go online.

    I installed the TDS-3 trial today and scanned my computer. No trojans.

    Not sure if I configured TDS-3 in the right way. Uh, a little complicated, and in English *smile*. I will need a little longer to read the help files and to understand what I must do to get effective results, I suppose (or is there a German version of TDS-3?).

    I will follow this thread with interest and hope to find "my trojan", if I have one.

    Greets from Germany :)

    Lolly
     
  25. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Welcome, Lolly,

    Not really; just follow these instructions, and make sure you do have the latest database update installed ;)

    Regards.

    Paul
     