please help - a problem with a trojan horse

Discussion in 'Trojan Defence Suite' started by DT, Aug 22, 2003.

Thread Status:
Not open for further replies.
  1. DT

    DT Guest

    Hello :)
    Every time I turn on my computer, my Norton Firewall alerts me that a Netspy trojan horse was blocked.

    Here's the log my firewall saved:
    Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
    Inbound TCP connection
    Local address,service is (0.0.0.0,1024)
    Remote address,service is (localhost,1033)
    Process name is "C:\WINDOWS\Explorer.EXE"

    I tried to scan my C drive, but every time I do so my computer suddenly restarts.

    Please help me. Nothing I have tried has worked. :doubt:
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi DT;

    That would appear to be just a normal use of an ephemeral port (which are ports 1024 and above). When the OS needs a temporary port to use it will grab one starting at 1024, and each request for one will increment the port higher for that request. Also, the communication is coming from your system to your system. As well, many trojans try to use some of these lower ephemeral ports, so default rules based on default trojan settings in this range (say 1024-1500) will frequently be false positives.

    That being said, it is always best to be sure. You should download and run an Anti-Trojan application just to be sure. I recommend TDS, which can be downloaded from

    http://tds.diamondcs.com.au/index.php?page=download

    Once you install it and before you launch it you should manually download the updated radius file (definitions) and put it in the tds folder. Then launch TDS and set all settings to highest sensitivity and scan your local drives.

    HTH,

    Dan
     
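Dan's point above, that a loopback connection on an ephemeral port is not a Netspy hit, as an added example (not code from the thread, from Symantec or from DiamondCS). It re-reads the firewall record DT posted, shows that the stock rule keys only on the destination port, classifies the record by whether both ends are this host with dynamic-range ports, and opens a real loopback connection to show the OS handing out ports in that same range. The record text is a constructed copy of the posted lines; the field regexes are an assumption about Norton's log layout, not a documented format, and the 1024 floor assumes stock Windows XP settings.

```python
"""Added example, not code from the thread or from Symantec: why a rule keyed
on 'inbound TCP to port 1024' fires on ordinary loopback traffic.  The record
text is a constructed copy of the posted lines; the field regexes are an
assumption about Norton's log layout, not a documented format."""
import re
import socket

NORTON_RECORD = """\
Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (localhost,1033)
Process name is "C:\\WINDOWS\\Explorer.EXE"
"""

# Constructed contrast case: the same rule hit, but from another host.
REMOTE_RECORD = """\
Rule "Default Block Netspy Trojan horse" stealthed (localhost,1024)
Inbound TCP connection
Local address,service is (0.0.0.0,1024)
Remote address,service is (192.0.2.10,4711)
"""

THIS_HOST = {"localhost", "127.0.0.1", "0.0.0.0"}  # 0.0.0.0 = wildcard local bind
# Dynamic (ephemeral) client ports start just above the well-known range; on
# Windows XP the default pool sat in the low range up to 5000 (assumption: stock settings).
EPHEMERAL_MIN = 1024

_ENDPOINT = re.compile(r"(Local|Remote) address,service is \(([^,]+),(\d+)\)")
_PROCESS = re.compile(r'Process name is "([^"]+)"')


def parse_record(text):
    """Extract the two endpoints and the owning process from one alert."""
    rec = {"local": None, "remote": None, "process": None}
    for side, host, port in _ENDPOINT.findall(text):
        rec[side.lower()] = (host, int(port))
    m = _PROCESS.search(text)
    if m:
        rec["process"] = m.group(1)
    return rec


def netspy_rule_fires(rec):
    """The port-only logic the default rule applies: any inbound TCP to 1024.
    It cannot tell a backdoor listener from a temporary client socket."""
    return rec["local"] is not None and rec["local"][1] == 1024


def classify(rec):
    """'loopback-ephemeral': both ends are this host and both ports come from
    the dynamic range, i.e. a local program talking to itself.
    'remote': a genuine inbound connection that still deserves a look."""
    local, remote = rec["local"], rec["remote"]
    if local is None or remote is None:
        return "unparsed"
    same_host = local[0] in THIS_HOST and remote[0] in THIS_HOST
    dynamic = local[1] >= EPHEMERAL_MIN and remote[1] >= EPHEMERAL_MIN
    return "loopback-ephemeral" if same_host and dynamic else "remote"


def demo_ephemeral_ports():
    """Make a TCP connection from this host to itself and return the ports the
    OS picked for listener and client (binding to port 0 means 'choose one').
    Both land in the dynamic range, which is what the posted log showed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.socket()
    cli.connect(srv.getsockname())
    conn, _ = srv.accept()
    try:
        return srv.getsockname()[1], cli.getsockname()[1]
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    for text in (NORTON_RECORD, REMOTE_RECORD):
        rec = parse_record(text)
        print(rec["local"], "<-", rec["remote"], rec["process"],
              "| rule fires:", netspy_rule_fires(rec), "| verdict:", classify(rec))
    print("OS-assigned loopback ports:", demo_ephemeral_ports())
```

The rule and the classifier disagree on purpose: the rule fires on both records, the classifier clears only the one where both ends are the local machine. The "remote" verdict is not a trojan verdict either; it just means the port-based rule alone cannot clear it and the process and listener need checking, which is what the rest of the thread goes on to do.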
  3. DT

    DT Guest

    reply

    When I said that I scanned my computer, I meant with TDS ;)

    About 5 minutes after it starts to scan, my computer suddenly restarts without asking me, so I can't know whether I have a trojan or not.

    I have had this firewall for a long time, but this has only been happening in the last few weeks. I get the Netspy alert only when I turn on my computer.


    thanks for helping :)
     
  4. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Have you tried to scan in safe mode?
    Dolf
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Hey DT,

    Can you please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    Unfortunately I have to step out for a bit but I should be back within 2 hours and hopefully other input will be placed here in the meantime.

    Regards,

    dan
     
  6. DT

    DT Guest

    Here's the file I created using DCS's AutostartViewer:

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for ---@P9F47AG5XFB13FZ, 08-22-2003
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\system.ini [drivers]
    timer=timer.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
    nwiz.exe /install
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SoundMan
    C:\WINDOWS\SOUNDMAN.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
    C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Advanced Tools Check
    C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
    C:\WINDOWS\System32\ctfmon.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Babylon Translator
    d:\babylon\Babylon.exe
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\STYLEXP
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ICQ
    E:\ICQ\ICQ.exe -trayboot
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
    C:\WINDOWS\System32\ctfmon.exe
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\RunOnce\RunNarrator
    C:\WINDOWS\system32\Narrator.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\NAVW32.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    C:\Program Files\Microsoft Office\Office10\OSA.EXE
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\
    C:\WINDOWS\INF\unregmp2.exe /ShowWMP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigIE
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS\
    RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
    HKLM\Software\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\
    C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE
    HKLM\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\
    C:\WINDOWS\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
    HKLM\Software\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}\
    rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser
    HKLM\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub
    HKLM\Software\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}\
    %ProgramFiles%\Outlook Express\setup50.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\
    regsvr32.exe /s /n /i:U shell32.dll
    HKLM\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\
    C:\WINDOWS\system32\ie4uinit.exe
    HKLM\Software\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}\
    rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD
    HKLM\System\CurrentControlSet\Services\AFD\
    C:\WINDOWS\System32\drivers\afd.sys
    HKLM\System\CurrentControlSet\Services\AudioSrv\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Browser\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\C-DillaSrv\
    C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
    HKLM\System\CurrentControlSet\Services\ccEvtMgr\
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    HKLM\System\CurrentControlSet\Services\ccPxySvc\
    D:\Norton Personal Firewall\ccPxySvc.exe
    HKLM\System\CurrentControlSet\Services\CryptSvc\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dhcp\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\dmserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Dnscache\
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    HKLM\System\CurrentControlSet\Services\ERSvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Eventlog\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\Fax\
    C:\WINDOWS\system32\fxssvc.exe
    HKLM\System\CurrentControlSet\Services\helpsvc\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanserver\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\lanmanworkstation\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\LmHosts\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\navapsvc\
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    HKLM\System\CurrentControlSet\Services\NISUM\
    D:\Norton Personal Firewall\NISUM.EXE
    HKLM\System\CurrentControlSet\Services\NProtectService\
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    HKLM\System\CurrentControlSet\Services\NVSvc\
    C:\WINDOWS\System32\nvsvc32.exe
    HKLM\System\CurrentControlSet\Services\PlugPlay\
    C:\WINDOWS\system32\services.exe
    HKLM\System\CurrentControlSet\Services\PolicyAgent\
    C:\WINDOWS\System32\lsass.exe
    HKLM\System\CurrentControlSet\Services\ProtectedStorage\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\RemoteRegistry\
    C:\WINDOWS\system32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\RpcSs\
    C:\WINDOWS\system32\svchost -k rpcss
    HKLM\System\CurrentControlSet\Services\SamSs\
    C:\WINDOWS\system32\lsass.exe
    HKLM\System\CurrentControlSet\Services\SAVRTPEL\
    \??\C:\WINDOWS\System32\Drivers\SAVRTPEL.SYS
    HKLM\System\CurrentControlSet\Services\SBService\
    C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    HKLM\System\CurrentControlSet\Services\Schedule\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\seclogon\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\SENS\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\ShellHWDetection\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\Spooler\
    C:\WINDOWS\system32\spoolsv.exe
    HKLM\System\CurrentControlSet\Services\srservice\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\StyleXPService\
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    HKLM\System\CurrentControlSet\Services\Themes\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\TrkWks\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\uploadmgr\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\W32Time\
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WebClient\
    C:\WINDOWS\System32\svchost.exe -k LocalService
    HKLM\System\CurrentControlSet\Services\winmgmt\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\wuauserv\
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    HKLM\System\CurrentControlSet\Services\WZCSVC\
    C:\WINDOWS\System32\svchost.exe -k netsvcs


    Are you sure that's what you wanted? :p
     
  7. Dan Perez

    Dan Perez Retired Moderator

    Lol, well I didn't really *want* it :rolleyes: but I thought it might point to something (but didn't :p )

    However, since Explorer is the process that is apparently initiating the "bogus" activity we can do something else.

    Can you please download ProcessView from

    http://www.xmlsp.com/pview/PrcView.zip

    and extract the pv.exe file into your Windows directory. Open up your Command Prompt and type

    pv -m explorer.exe > modules.txt

    and hit "Enter". Then type

    modules.txt

    and hit "Enter" and copy the contents from Notepad and paste here so we can review the modules loaded within the Explorer process.

    Thanks!

    Dan
     
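A way to review a report like the one DT posted, as an added example that is not part of the thread and not DiamondCS's code. It parses the Autostart Viewer layout visible above (a location line followed by the command or commands found there), compares the hook points a trojan typically rewrites (the Winlogon Shell, the system.ini [boot] shell, BootExecute and the .vbs/.js script handlers) against their stock values, and flags start-up binaries that sit outside the Windows and Program Files trees or are given as a bare file name that the loader resolves through PATH. The parsing rules are inferred from the posted output and are assumptions; the stock values assume a default Windows XP SP1 install. The same classify_path() check applies to a list of module paths such as the pv output Dan asks for in this post, assuming one path per line.

```python
"""Added example (not the thread's or DiamondCS's code): triage an Autostart
Viewer report in the layout posted above; parsing rules are assumptions."""
import re

# Constructed excerpt in the posted layout: a location line, then the
# command(s) registered there.
SAMPLE_REPORT = r"""
DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for ---@HOST, 08-22-2003
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nwiz
nwiz.exe /install
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Babylon Translator
d:\babylon\Babylon.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
"""

# Hook points trojans commonly rewrite; stock values of a default XP SP1 install (assumption).
HOOK_EXPECTED = {
    "[boot]\\shell": "explorer.exe",
    "winlogon\\shell": "explorer.exe",
    "winlogon\\userinit": "userinit.exe",
    "session manager\\bootexecute": "autocheck autochk *",
}
SCRIPT_HANDLERS = ("vbsfile", "vbefile", "jsfile", "jsefile", "wshfile", "wsffile")
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
ENV = {"%systemroot%": "c:\\windows", "%programfiles%": "c:\\program files"}
_BINARY = re.compile(r'^"?(.*?\.(?:exe|dll|sys|vxd|drv|com|scr))\b', re.I)


def is_location(line):
    """Registry key, ini section, task/shortcut file, or a config file whose own contents follow."""
    low = line.lower()
    return (low.startswith(("hklm\\", "hkcu\\", "hkcr\\", "hku\\")) or " [" in low
            or low.endswith(("\\", ".job", ".lnk", ".nt")))


def parse_report(text):
    """Yield (location, command); one location may own several commands."""
    location = None
    for line in text.splitlines():
        line = line.strip()
        if not line or "report for" in line.lower():
            continue
        if is_location(line):
            location = line
        elif location:
            yield location, line


def binary_of(command):
    """The file a command really loads: its first .exe/.dll-style path, or the
    DLL argument when rundll32/regsvr32 merely hosts it."""
    m = _BINARY.match(command)
    head = m.group(1) if m else command.split()[0]
    if head.lower().rsplit("\\", 1)[-1] in ("rundll32.exe", "regsvr32.exe"):
        for tok in command.split()[1:]:
            tok = tok.split(",")[0].strip('"')
            if tok.lower().endswith(".dll"):
                return tok
    return head


def classify_path(path):
    """'standard' under the Windows/Program Files trees, 'bare-name' when the
    loader must search PATH for it, otherwise 'nonstandard'."""
    low = path.lower().replace("\\??\\", "")
    for var, val in ENV.items():
        low = low.replace(var, val)
    if "\\" not in low:
        return "bare-name"
    return "standard" if low.startswith(STANDARD_DIRS) else "nonstandard"


def check_hook(location, command):
    """'ok' or a finding for a high-value hook; None when the entry is not a hook."""
    loc, cmd = location.lower(), command.lower().strip()
    for key, expected in HOOK_EXPECTED.items():
        if loc.endswith(key):
            # an appended second program changes the basename and is caught here
            actual = cmd if " " in expected else cmd.rsplit("\\", 1)[-1]
            return "ok" if actual == expected else f"hook-changed (expected {expected})"
    if any(f"\\{h}\\shell\\open\\command" in loc for h in SCRIPT_HANDLERS):
        ok = binary_of(command).lower().rsplit("\\", 1)[-1] == "wscript.exe"
        return "ok" if ok else "hook-changed (expected wscript.exe)"
    return None


def triage(text):
    """Every entry with a verdict; anything not 'ok' is worth a closer look."""
    findings = []
    for location, command in parse_report(text):
        verdict = check_hook(location, command)
        if verdict is None:
            kind = classify_path(binary_of(command))
            verdict = "ok" if kind == "standard" else kind
        findings.append({"location": location, "command": command, "verdict": verdict})
    return findings
```

Call triage() on the saved report and read every entry whose verdict is not ok. On the full report posted above this flags the bare-name entries (nwiz.exe, and the shell32.dll handed to regsvr32) and everything installed on the D: and E: drives; those are then checked by hand (where the file really is, what installed it) rather than treated as infections, and a changed hook value is the one verdict that points at a real hijack.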
  8. DT

    DT Guest

    Are you sure?

    Are you sure it's necessary? I don't want to extract files unknown to me into my Windows directory....

    What is the purpose of it? For the Netspy trojan or the unwanted restarts?


    Thanks again, DT. :)
     
  9. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I suppose Dan asked you to extract it into your Windows directory because it is in your path then, and you can execute the file from anywhere without having to type the full pathname, but you can place the file anywhere you want.
    Dolf
     
  10. DT

    DT Guest

    Well, I did exactly what Dan Perez wrote, and I saw it run, but no file was created... o_O I don't know what I did wrong...
     
  11. DolfTraanberg

    DolfTraanberg Registered Member

    pv -m explorer.exe > modules.txt ??
    During the process you shouldn't see anything, because it should write to the file instead of the screen.
     
  12. Dan Perez

    Dan Perez Retired Moderator

    Also, the main purpose is to see if there are any signs of trojan modules that run within the explorer.exe process space. A good number of trojans will do this. The pv.exe file, though, does not need to be in the system directory; I usually instruct people to put it there to make it easier for them to run the utility from the command line and redirect it to a text file. If you put it in another folder, then either specify the path to the pv file in the command line or change to that directory first before running the program.

    HTH,

    Dan
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In this case also type the >, which means to write the output to a text file with the name you just specified there.


    If you feel more comfortable with this:
    In c:\ create a folder named "Console".
    In autoexec.bat, add that c:\console to the path.
    Now you can use the files you place inside that Console folder from everywhere.
    So if you now open the MS-DOS prompt you can type the line Dan just gave and you should get the results.
    Hope this helps!
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
  15. Jooske

    Jooske Registered Member

    That's a great find CrazyM !
    As this fits the situation.

    The process might show up in Port Explorer too as a loopback, so you still know what happens on it.
     
  16. DT

    DT Guest

    Thanks

    :) Thanks a lot, CrazyM, for the link. I tried to search on the Symantec web site but I didn't see this article... thanks!

    Now, to my second problem: how can I scan with TDS-3 without the unwanted restarting?


    thanks for all the help! :D
     
  17. DT

    DT Guest

    No one? o_O


    :doubt:
     
  18. DolfTraanberg

    DolfTraanberg Registered Member

    Have you tried to scan a single file and did that work?
    Dolf
     
  19. Jooske

    Jooske Registered Member

    Are you sure you did not see the info on the link CrazyM gave you? I just clicked on it and was there. o_O
    Does the Symantec site have online scanning?
    Get one there or at any of the other known sites like www.ravantivirus.com or www.pandasoftware.com or www.bitdefender.com, to name a few.
    With the recent Blaster, of course, that could be something to think of, and it is always better to get another scan (a second opinion) to make sure nothing is the matter in that part.
    Does the restart only happen with TDS scans, and if so, with every scan or just special or full system scans?
    I have seen the problem mentioned before; I must try to find it back in the threads here, whether it was a configuration thing, missing or overwritten required system files, or an infection. So I always first look at the greatest danger, a possible infection, to make sure that is not the cause here and no harm can be done.


    Some more questions:
    --which windows version do you have?
    --do you have TDS longer time and registered version or recently an evaluation version?
    --was scanning with TDS before normal possible?
    --are there more occasions when the system restarts?
    --do you mean a reboot or TDS restart?
    For instance, with XP systems there was some issue possible (not for everybody) with the right-click scanning for exe files, and those people are instructed to delete those registry keys. Must find that part back.
    Not exactly sure if this fits your problem.
     
  20. Dan Perez

    Dan Perez Retired Moderator

    Hi DT,

    In addition to Dolf's and Jooske's questions, I'm curious if you see any consistency on what directory TDS is currently scanning when your system forces a reboot?

    In addition to Dolf's suggestion of scanning a file, you might also try a larger directory (and subs) such as your Windows (or winnt) directory.
     
  21. DT

    DT Guest

    I'm very sorry that I haven't answered so far... I didn't have access to read in... Anyway, some answers:

    Have you tried to scan a single file and did that work?
    yes, i tried that, and it worked well.

    which windows version do you have?
    Windows XP Professional + sp1.

    do you have TDS longer time and registered version or recently an evaluation version?
    I have the latest evaluation version.

    was scanning with TDS before normal possible?
    Since the first time I tried to scan I have had this problem (if I understand the question correctly).

    are there more occasions when the system restarts?
    :eek: Actually, it did happen sometimes, but since I updated my graphics adapter it seems to work well... but the specific problem with TDS-3 still occurs :doubt: .

    do you mean a reboot or TDS restart?
    I mean that Windows restarts... the whole system reboots.


    Jooske - I don't think that the Blaster virus is related; I wasn't infected by it.
    For the exe files issue - I tried to scan an exe file and it worked well.


    Dan Perez - no, I didn't see any consistency in what directory TDS is currently scanning. I tried a lot of scans on a different partition.
    I didn't try to scan my Windows directory separately; I will.



    Thanks a lot for helping! :D
     
  22. Dan Perez

    Dan Perez Retired Moderator

    Hi DT,

    I'm not sure I understand, the graphic adapter driver update resolved the reboot issue? So what is the remaining issue with TDS? (I thought that the issue was a reboot while scanning.)

    I know there was some issue regarding strangely constructed archives but I want to make sure I understand the current TDS issue before I look for it :)

    Thx,

    Dan
     
  23. DT

    DT Guest

    Hello,

    When I answered Jooske's question ("are there more occasions when the system restarts?") I meant that it happened while I *didn't* use TDS-3. The problem that has been solved is the sudden reboots that are not related to TDS-3.

    I hope that I have made myself clear now. :)
     