how to catch an undetected trojan?

Hi Lolly and all. Update: I had a local computer doctor dude come look over my system. Found nothing untoward. Did seem to think it funny the way Explorer asks permission to access the net. I phoned Microsoft and asked them if it was normal or necessary for this behaviour and their answer was very very ambiguous. "No it shouldn't need access, but it's not really an indication of something wrong if it does." Stranger yet, they did not charge me for the call as per usual. I am adopting a wait and see postire at this point. I figure that if I have a baddie, TDS will soon contain this bad boy's address in its database, enabling me to terminate it. If I have a free gift from the "good guys" I figure that the internet community at large will start to notice and soon have things out in the open. I can only advise for people to get a licensed TDS running on their machines, because,even good ole well known trojans can be used to prepare the ground for their new relatives. I will post here if I get any usefull info and will watch for same. Regards to all!

 

PS to above: Currently I have ZoneAlarmPro configured to allow Explorer access to internet, deny Explorer server privilages, and alas, permission to use other programs to access internet. So far this is the only configuration that will allow Messenger, my FTP Pro and several other programs to operate. I am not advising anyone to use this configuration, only stating what I have done while I figure this thing out.

 

hello all

you are right Paul, not really too difficult.. thanks for the link to the step by step instructions.. was a great help

friendly regards

Lolly

 

hello Waya, Paul.. hello all

waya and all.. I also installed the diamonds port explorer and noticed that AIM connects to 2 different IPs using Port 5190. Port explorer can solve one of the Ips and says it is AOL but with the second one I get the message: couldnt solve the host nor the IP. I started thinking over the possibility of an aim trojan.. *smile* and searched with google and it seems that there are some trojans using AIM and MSN. They dont use a port to connect (might be the reason why a scanner cannot find them?).

I also took a look to the startup programms using msconfig and found an entry in the registry. No name of the program, only: software\microsoft\windows\current version\run
thats it.. is this important? I am sorry, I know very little about systems :-(

just wanted to give you waya the idea it might be such a trojan which is annoying us

regards and wishes for a great weekend

Lolly

 

Hi Lolly,

Could you post your HijackThis log
Download, Unzip and run HijackThis, Then click Scan > Save log, save the log as a .txt file and copy & paste its content into your next post.
Don´t fix anything yet. Most of what it finds is harmless.

Among other things it will show us all programs starting automatically.

Regards,

Pieter

 

hello Pieter, here the log txt

Logfile of HijackThis v1.95.0
Scan saved at 20:28:11, on 28.06.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\AVPersonal\AVGUARD.EXE
C:\Programme\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Programme\AVPersonal\AVGNT.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
C:\Programme\Port Explorer Evaluation\PEDemo.exe
C:\Programme\Internet Explorer\iexplore.exe
J:\Zips von Programmen\PC Sicherheit\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\\InstantDrive\InstantDrive.exe /remount
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26091a88e287df049321/netzip/RdxIE601_de.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37765.5069907407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

at the first sight.. "extra button for AIM".. hm! whats that? well hope you can help.. thanks

Lolly

 

Hi Lolly,

No signs of any malware.
One thing to get rid off (minor privacy risk):
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26091a88e287df049321/netzip/RdxIE601_de.cab
Put a checkmark in front of it in HijackThis and click Fix checked. It will be gone the next time you boot.

The extra button is exactly what it says. The program added a button in the bar of IE.

HTH,

Pieter

 

uh forgot to ask... TDS keeps saying:

"WARNING: Your Radius.TD3 database needs to be updated! "

and tds is right.. but the problem is.. the last radius update I can get its the one from yesterday, friday, 27th.. no radius updte for today available.. I refresh the page.. http://tds.diamondcs.com.au/
but no update for today

am I doing something wrong?..

greets

Lolly

 

Hi Lolly,

The last update was from the 27th.
Check if the number of primaries corresponds with the ones posted here: http://www.wilderssecurity.com/showthread.php?t=10760

Regards,

Pieter

 

thanks Pieter

I fixed it..
and glad to hear no malware there..

and also thanks for answer to the update

Lolly

 

Hi Lolly,

As long as you run the evaluation version you will be seeing this message
Dolf

 

a sunny and relaxed sunday to you all

hello Pieter.. I scanned again with hijack because I forgot I had already deactivated the one "suspicious" programm in the startup menu.. sorry.. apologies

here the new log text

Logfile of HijackThis v1.95.0
Scan saved at 10:47:35, on 29.06.2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\DigitalPatrol 4\DPatrolM.exe
C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programme\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Programme\Internet Explorer\iexplore.exe
J:\Zips von Programmen\PC Sicherheit\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\\InstantDrive\InstantDrive.exe /remount
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [DP Monitor] C:\Programme\DigitalPatrol 4\DPatrolM.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall-Kontrolle) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37765.5069907407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

------------------------------------------

thanks Pieter.. and also thanks Dolf.. good to know

was reading online about AIM, MSN and trojans and found this.. I am shocked! didnt know there are such programs

here the link to the info about MSN/AIM Spy

http://www.spy-programs.com/online-spy/

and.. do someone knows a program to find out if I have one of such spies in my computer? since Feb. this year, I cannot help but have the strong impression I have a "spy".. but the virus scanners dont find anything.. might be I am paranoid.. lol in this cyberworld and technick.. but it also could be I am right, hm? ;-)

regards to all

Lolly

 

Hi Lolly, those keyloggers are detected with TDS. Keep it updated on a daily basis, monday-friday, all scan options enabled and on higest sensitivity, if there is a keylogger it is detected.

 

Hi Lolly,

I copied the startup-items from your log and added in bold, what I think they are for:

O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
both for nVidia Videocard
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Programme\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [VOBID] C:\Programme\Pinnacle\InstantCDDVD\\InstantDrive\InstantDrive.exe /remount
All three needed to be able to use your burner as sort of an extra HD
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
Ctfmon.exe provides text input support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.
O4 - HKCU\..\Run: [DP Monitor] C:\Programme\DigitalPatrol 4\DPatrolM.exe
DigitalPatrol, freeware trojan scanner.
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
Adobe Gamma enables you to eliminate unwanted color casts from your monitor.
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Programme\Zone Labs\ZoneAlarm\zapro.exe
ZoneAlarm firewall

The one you seem to have disabled:
O4 - HKLM\..\Run: [AVGCtrl] C:\Programme\AVPersonal\AVGNT.EXE /min
belongs to AntiVir


The only program for detecting the kind of spies, you´re referring to, on your computer, that I know to be trusted by people who´s opinion I value is: http://spycop.com/
It´s the only I can think of that can find more of these programs then TDS-3. Mainly because it has (more) legitimate spy-programs in it database.

HTH,

Pieter

 

if you (or anyone using your computer) don't have bad eyesight or bad hearing i think it would be goot to disable the ctfmon.
it's a waste of resources
http://support.microsoft.com/support/ kb/articles/Q282/5/99.asp
his article was previously published under Q282599
SUMMARY
When you run a Microsoft Office XP program, the file Ctfmon.exe (Ctfmon) runs in the background, even after you quit all Office programs.

This article answers some of the frequently asked questions about the Microsoft Text Services Ctfmon.exe file, which is loaded after installing Office XP Alternative User Input features. This article answers the following questions:
What is the Ctfmon.exe (ctfmon) file?
What does the Ctfmon.exe file do?
Can I remove the Ctfmon.exe file?
Why won't Ctfmon.exe go away when I remove it from MSConfig?
When I uninstall the alternative input items from Office XP, Ctfmon.exe still loads. What else do I need to do to keep it from running?
What amount of system resources is used when Ctfmon.exe is running?
Can I load Ctfmon.exe on demand instead of all the time?
Will I break something if I click End Task on the Ctfmon.exe process?
Does Ctfmon.exe work the same on all operating systems?
MORE INFORMATION
What Is the Ctfmon.exe (Ctfmon.exe) File?
Ctfmon.exe activates the Alternative User Input Text Input Processor (TIP) and the Microsoft Office Language Bar.
What Does the Ctfmon.exe File Do?
Ctfmon.exe monitors the active windows and provides text input service support for speech recognition, handwriting recognition, keyboard, translation, and other alternative user input technologies.
Can I Remove the Ctfmon.exe File?
Removing the Ctfmon.exe might cause problematic behavior in your Office XP programs, so removing it is not recommended. To prevent Ctfmon.exe from running, follow these steps.
Step 1: Uninstall Alternative User Input
To uninstall the alternative user input feature, set the installation state to Not Available in Office XP Setup.

Microsoft Windows Millennium Edition (Me), Microsoft Windows 98, or Microsoft Windows NT 4.0:
Quit all Office programs.
Click Start, point to Settings, and then click Control Panel.
In Control Panel, double-click Add/Remove Programs.
On the Install/Uninstall tab, click to select Microsoft Office XP product, where Office XP product is the name of the specific Office product being used. If you are using a standalone version of one of the Office programs, click to select the appropriate product in the list. Click Add/Remove.
In the Maintenance Mode Options dialog box, select Add or Remove Features, and then click Next. This displays the Choose installation options for all Office applications and tools dialog box.
Click the plus sign (+) next to Office Shared Features to expand it.
Click the icon next to Alternative User Input, and then select Not Available.
Click Update.
NOTE: If you have multiple Office XP products installed, for example, Office XP Professional and Publisher 2002, you must repeat the preceding steps for each installed product.

Microsoft Windows 2000 and Microsoft Windows XP:
Quit all Office programs.
Click Start, point to Settings, and then click Control Panel. NOTE: In Windows XP, click Start and then click Control Panel.


In Control Panel, double-click Add/Remove Programs.NOTE: In Windows XP, click Add or Remove Programs.


In the Currently installed programs list, click to select Microsoft Office XP product, where Office XP product is the name of the specific Office product being used. If you are using a standalone version of one of the Office programs, click to select the appropriate product in the list. Click Change.
In the Maintenance Mode Options dialog box, select Add or Remove Features, and then click Next. This displays the Choose installation options for all Office applications and tools dialog box.
Click the plus sign (+) next to Office Shared Features to expand it.
Click the icon next to Alternative User Input, and then select Not Available.
Click Update.
NOTE: If you have multiple Office XP products installed, for example, Office XP Professional and Publisher 2002, you must repeat the preceding steps for each installed product.
Step 2: Remove Alternative User Input Services from Text Services
Click Start, point to Settings, and then click Control Panel.
In the Control Panel, double-click Text Services.NOTE: In Windows XP, click Date, Time, Language, and Regional Options, and then click Regional and Language Options. On the Languages tab, click Details.


Under Installed Services, select each input item that is listed, and then click Remove to remove the item. All items must be removed, one by one, except the following input service:

English (United States)- default Keyboard United States 101
Step 3: Run Regsvr32 /U on the Msimtf.dll and Msctf.dll Files
Click Start and then click Run.
In the Run dialog box, type the following command:

Regsvr32.exe /u msimtf.dll
Click OK.
Repeat steps 1 through 3 for the Msctf.dll file.
For additional information about how to remove CTFMon.exe, click the article number below to view the article in the Microsoft Knowledge Base:

313176 Programs May Start, Quit, Lose, and Gain Focus Randomly
Why Will Ctfmon.exe Not Go Away When I Remove It from MSConfig?
Removing Ctfmon.exe from MSConfig does not disable Ctfmon.exe. For more information about disabling Ctfmon.exe, refer to the "Can I remove the Ctfmon.exe file?" section earlier in this article.
When I Remove the Alternative Input Features from Office XP, Ctfmon.exe Still Loads. What Else Must I Do to Keep It from Running?
Unlike the Alternative User Input features, Ctfmon.exe is a system component that cannot be uninstalled. For more information about disabling Ctfmon.exe, refer to the "Can I remove the Ctfmon.exe file?" section earlier in this article.
What Amount of System Resources Is Used When Ctfmon.exe Is Running?
Ctfmon.exe uses little of the system resources if Advanced Text Services are not running. Advanced Text Services are those input technologies (speech recognition, handwriting recognition, and Input Method Editors) that are being controlled by Ctfmon.exe via a TIP.
Can I Load Ctfmon.exe on Demand Instead of All the Time?
The Alternative User Input system is not designed to be loaded and unloaded on demand.
Can I Click "End Task" in the Task Manager Dialog Box or "End Task" in the Close Program Dialog Box for the Ctfmon.exe Process?
No. It is not recommended that you manually close the Ctfmon.exe process. It is recommended that you use the steps in the "Can I remove the Ctfmon.exe file?" section if you want to stop the Ctfmon.exe process.
Does Ctfmon.exe Work the Same in All Operating Systems?
Generally, yes. Ctfmon.exe performs the same tasks on different Microsoft Windows operating systems.
Additional Information
Ctfmon.exe is the file that is responsible for controlling the Alternative User Input technologies. It starts the Language Bar component (in the Systray) and remains running in the background even after you quit an Office XP program. It also starts each time Windows is started and remains in the background, regardless of whether an Office XP program is started.

Ctfmon.exe is designed to continue to run in the background during Windows sessions after the Office XP Alternative User Input components are installed.

the ctfmon.exe was runnig on my new xp system, and i have never had m$ office produts in it. i use open office instead. but it's safe to disable

 

I would not do without the speech recognition as one of the means of communication: imagine all the ss3 scripts in TDS which can use speech recognition to start with!

and handwriting recognition i do use too ocasionally

keyboard i use all time and would hardly name that alternative

 

*smiles* seems I installed the ctfmon because I thought it could be helpful to be able to switch the keyboard in spanish (my native language) or in english characters.. I hear very good *grin* some men think I hear "too good" lol

thanks Illuka.. will read your helpful advice when I come back .. I came to say bye for now.. cuz I will be out of town for the next 2 weeks.. I think.. and it might be I dont come near enough to a computer to come over here to say hi

thanks Pieter.. and tot zins (right spelling? uh! live near the netherlands but still dont speak the language *shame*)

see you all soon..

regards

Lolly

 

And how about a (TDS) script with an msagent walking over your screen, you press the scroll-lock and can make him read your text, open files, surf you to to this forum, send your email and lots more, sing a happy song for you, tell the time and start applications, when you ask this by talking in your microphone? Would not like to miss all that!

Have a good time, hope it will be a nice holiday!
Sounds good Lolly, almost right "tot ziens"!