Questionz?

Discussion in 'Port Explorer' started by bobby444, Jun 25, 2003.

Thread Status:
Not open for further replies.
  1. bobby444 (Registered Member, joined Jun 25, 2003, 10 posts)

    Sorry if any of these questions sound stupid.

    Is Internet Explorer supposed to be listening? Remote address is local 127.0.0.1
    And is *SYSTEM supposed to be listening along with Internet Explorer? Remote address is 0.0.0.0

    Are those two supposed to be listening even when all web connections have been closed? Does that mean they're both just listening for me to make a connection to visit a site?

    And HOW do I copy the ports to post them up?
    I can take a "small" pic of it if that would be ok.

    Windows 98SE | Spybot found 2 keyloggers a while back and I'm just paranoid now I guess. And yes, I am the only one that uses this computer. Would my firewall have been blocking those keyloggers?
     
  2. Jooske (Registered Member, joined Feb 12, 2002, 9,713 posts, Netherlands, EU near the sea)

    Hi Bobby444
    welcome here.
    First wash your mouth, as no question ever is considered stupid here, only those burning ones never asked.
    We all learn from it, either reading or trying to find answers.

    You might like to look in this discussion, same problem, a screenshot, and links to an explanation.
    http://www.wilderssecurity.com/showthread.php?t=10639

    For the keyloggers: I suppose there would be data packets and maybe hidden connections (default in red) if those were there.
    If you don't trust a connection to a remote address other than your localhost you might like to use the socketspy on them. Any ideas how those keyloggers connected: websites or emailing logs?
    In that last case I hope it is possible to configure your email client to save a copy of all outgoing emails and to block or warn you if other programs are trying to email out: Outlook Express (in Options > Security) can warn if other applications are trying to email with you as a sender; I would like it to warn for everything I did not do myself!
    Did a TDS Full System Scan on highest sensitivity, with everything checked and with the latest database, find anything suspicious on your system?

    Your FW should have logged outbound connections or have had requests to grant them. I hope..... those are hidden guys of which one can expect everything.
    Do you remember which k/l they were?
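As an added illustration of the distinction bobby444 asks about (not code from the thread or from Port Explorer), here is a small Python check that reads a table in the layout of Windows `netstat -an` and separates listeners bound to 127.0.0.1, which only programs on the same machine can reach, from those bound to 0.0.0.0 or a real interface address, which are reachable from the network unless the firewall blocks them. The sample table is constructed and the script assumes IPv4 addresses only.

```python
"""Separate loopback-only listeners from network-reachable ones.

Added example for this thread, not code from the forum or from Port
Explorer. It reads a table in the layout of Windows "netstat -an" (the
sample below is constructed; IPv4 only is assumed) and reports, for every
listening socket, whether the local address is 127.0.0.1 (only programs on
this machine can connect) or 0.0.0.0 / an interface address (reachable from
the network unless the firewall blocks it).
"""
import ipaddress
import re

# Constructed sample; ports and addresses are made up for illustration.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1043       198.51.100.7:80        ESTABLISHED
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'0.0.0.0:139' -> ('0.0.0.0', 139); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def exposure(local_host):
    """Who can reach a socket bound to this local address."""
    if local_host in ("*", "0.0.0.0"):
        return "all-interfaces"
    if ipaddress.ip_address(local_host).is_loopback:
        return "loopback-only"
    return "one-interface"


def classify_listeners(netstat_text):
    """One dict per listener: TCP rows in LISTENING state, plus every UDP row."""
    rows = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers and blank lines
        proto, local, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established/closing connections are not listeners
        host, port = split_endpoint(local)
        rows.append({"proto": proto, "local": host, "port": port,
                     "exposure": exposure(host)})
    return rows


def network_reachable(netstat_text):
    """(proto, port) pairs a remote host could hit if the firewall let it."""
    return sorted((r["proto"], r["port"]) for r in classify_listeners(netstat_text)
                  if r["exposure"] != "loopback-only")


if __name__ == "__main__":
    for r in classify_listeners(SAMPLE_NETSTAT):
        print(f"{r['proto']:<4} {r['local']}:{r['port']:<6} {r['exposure']}")
```

A loopback-only listener is still worth identifying by process, but it cannot be reached from outside; the all-interfaces rows are the ones a firewall rule must cover.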
     
  3. bobby444 (Registered Member, joined Jun 25, 2003, 10 posts)

    Thanks for replying.
    The screenshot didn't have the *SYSTEM listed.
    But basically you're saying if the remote connection is local (127.0.0.1/0.0.0.0) there's nothing to worry about, right?

    I really don't remember if the keyloggers triggered the firewall or not. I did see a few unknowns in the program lists that I had denied all access, including locally.

    Spybot detected (Codename Alvin - www.codingworkshop.com/alvin/ ) and
    (NGC Pc and internet monitor keylogger -
    you can find that one on a Google search)

    (I DID NOT SEE that option there.)

    Haven't got TDS. (Trojan Defence Suite?)
    Firewall would hopefully catch those...
     
  4. Pilli (Registered Member, joined Feb 13, 2002, 6,217 posts, Hampshire UK)

    Hi bobby444. What if the Trojan or malware was to piggyback on, say, IE port 80?
    If you have your firewall set correctly it will probably be OK, providing your rules are tight enough. Does your firewall alert each time that IE or any other application is opened? If so you will probably be OK. :D
    I prefer a layered defence: AV, AT, firewall, router etc. There may be some redundancy but I do feel secure.
     
  5. Jooske (Registered Member, joined Feb 12, 2002, 9,713 posts, Netherlands, EU near the sea)

    Thought that Alvin was its own addition to the SB database to locate software piracy.
    I just remember having seen a site for it; I must be confusing it with another name, yours was real.
    The other I'll google for; maybe it's known which files or residues to look for, registry keys, etc.

    The Win98SE systems have some other identifications than W2000/NT/XP systems, but the idea is the same.

    Of course you can make a screenshot (press Print Screen or Alt-Print Screen, open Paint and edit your own IP away, and you might like to cut away unnecessary stuff, save as jpg or gif and attach here), or in PE > File > Save table and copy the txt into your posting (edit away your own IP).

    I have a Dutch OE version 6.0.
    Hope I use the proper terms for English versions:
    OE > Tools > Options > Security, in the upper part for Virus protection: check the "warn if other applications want to email with me as a sender"

    You might like to try TDS, get the evaluation (free) at http://tds.diamondcs.com.au , after install go back there for the update of the databases: just d/l it into the TDS-3 directory and start TDS.
    After the initial startup scans you can configure: in system testing check every option and the slider on highest sensitivity and do a Full System Scan to see if everything is ok.
    Possible illegal programs trying outbound access you would have seen in PE already, so I don't expect any of that kind.

    If you want more people's opinions, you might like to get from the DCS site the AutoStartViewer (free tool), check every option and post that txt output here.
    We really want you to be sure, secure and happy internetting again!
     
  6. bobby444 (Registered Member, joined Jun 25, 2003, 10 posts)

    Then hopefully a trojan would be blocked, seeing how I have Internet Explorer blocked from being a server. hehe..
    But yet, it prolly could still be used to send out stuff, huh.

    welp.. off to sleep now...
     
  7. Jooske (Registered Member, joined Feb 12, 2002, 9,713 posts, Netherlands, EU near the sea)

    For the email configuration, see this from the NGC keylogger site:
    "Send Email Log and Send Disk Log. It can be configured to automatically send you an email with the log file, every time it exceeds a given size. It can also be transferred as a Disk Log to anywhere you specify on the PC or network. The Send Email Log works 100% unvisible too, and can not be seen from the Outbox or Send Mails of the PC's email program. "
    So the email config would not have helped much.
    Those are commercial programs, any ideas how... ?

    The FW can be configured to block other applications from using other programs to access the internet, or at least to warn you of such attempts.

    Sleep well, see you soon with scan results etc.
     
  8. bobby444 (Registered Member, joined Jun 25, 2003, 10 posts)

    So Outlook wouldn't have blocked that either? Good grief.. I am starting to really hate the internet! When you log on to the internet it SHOULD have the lock icon saying it's secure! The whole thing should be secure! But as long as it works for 10 minutes.. pack it up.. ship it off.. sell the heck out of it.. and don't worry about if people are not secure! ahhh!

    Would someone please tell me how do I update my Outlook Express to 6.0? The Microsoft site only says "To get Outlook Express, you need to download Internet Explorer". DUHH I already have IE.. surfing with it now.. and I don't want IE 6.0! I have 5.5 with the security updates.

    ALSO.. how do I send an encrypted email with Outlook Express? "That dont cost no money" I heard of PGP, but doesn't whoever you send the mail to also have to have PGP?

    (Where would that be located? Don't see that either. ahh!)
    It blocks apps from connecting.. don't know about blocking other apps from using another app that can connect.

    Well, I am fixing to go download TDS. Will post back results.
    You think you're secure until you come here. hehe..
    Thanks for all the info and help.
     
  9. Jooske (Registered Member, joined Feb 12, 2002, 9,713 posts, Netherlands, EU near the sea)

    Imagine you are among the lucky people who did come here and at least are finding your ways and you are willing to learn to do it better.
    Millions of people unfortunately don't know anything about security and are, besides possible easy victims, also potential spreaders of the nasties for which we are protecting our systems to the ultimate.
    The same with going for a driver's license: it is rather easy to drive a car, but tell this to all the others wanting to be at the same time at the same spot and have other ideas about how to and think different about rules for that!
    Remember your early days in the school as a child: you were proud to have learned your first characters to write and calculation and how all that was a base for all you learned afterwards in life and you discovered you have to make choices to concentrate on to learn as there is so much to learn, we can't grab it all at a time, so it is with internet security.
    You lock your door when you leave the house, so it is with the computer, firewall, AT/AV protection, PE showing what's going on real time.......etc.
    And so many hands when anything is strange to help you out!
    Of course you could have downloaded a trial of one of those keyloggers to be able to read the helpfile and configuration possibilities or to spy on your own system what is happening behind the surface and have logs of all the applications and in- and outgoing stuff.
    But you have TDS to discover and get rid of such hidden nasties, PE to see and be able to block traffic and spy on data packets, WormGuard to stop nasty scripts and more, your firewall blocks and alerts, so it is not really necessary to grab such monitors.

    The program control in ZAPro is under Program control > main tab Program control > Custom > enable advanced program control and enable component control
    These controls will give a warning if other programs or components try to use others to gain internet access, hijacking others, trojans, whatever. For our convenience ZAPro has pre-defined the probably legal components and programs for us and it learns from our grants to have them granted or blocked for access or be used as a server permanently etc.

    OE 6.0 is integrated in IE 6.0, so I don't think it would be possible to have OE 6.0 alone. Any specific reasons why you don't want IE 6.0? For me it works much better, and there has been an SP update and several security patches, and besides that we have our TDS, PE and WG to keep an eye on our systems.

    With TDS, get the SS3 script examples and try to run some which will make you happy again!
     
  10. bobby444 (Registered Member, joined Jun 25, 2003, 10 posts)

    Ok.. TDS returned back these so far.
    --------------------------------------------
    (1) C:\windows\fonts\français.EXE
    ( Google turned up different apps for different things (like net meeting and a few others.. any idea why it's located there, and is hidden just by viewing the folder?)

    (2) C:\cpqs\patches\77777777.pif.pif and 77777778.pif.pif (dual extension - probably nothing.. just a patch right?)

    (3) C:\mirc\mirc32.exe (DDos.Rat.GT)
    (ahhh What does that do? I don't even use that app anymore.) (I had mIRC denied server access anyway. Basically I don't use that much, for an attacker can easily get your IP and hound you the whole time you're chatting.) I should prolly try to uninstall it and go get a fresh new copy, right?

    Then after scanning more files "hours".. TDS finally gave an Illegal Operation. (Maybe cause I didn't ever restart after installing? prolly huh?) (It read: TDS-3 caused an invalid page fault in module UNRAR.dll at 01c7:059674a1) That's prolly for WinRAR or WinAce, whichever one it is. hehe..

    Think it will illegal op out again? Really would like to get a whole scan. I will try it again tomorrow, for I need to use the PC for now. And it takes way long for "any" scanning app to scan on this slow "Bleep" 450 MHz computer. hehe..

    (Wish I had that new 3.0 GHz Alienware / 1 gig RAM. Man I would love to get that. If I only made a grand a week I prolly could huh? hehe..)

    What all can you do with those? Test your system out or something?

    Thanks again for the help.
    Oh yeah.. So the IE 6.0 works better you say? Is it really better? I've read bad stuff about it back when it first surfaced. Bookmarks would be transferred over, correct?
    I suppose you couldn't go back to 5.5 if it didn't work right?
     
  11. Jooske (Registered Member, joined Feb 12, 2002, 9,713 posts, Netherlands, EU near the sea)

    Hi again.
    First of all make sure you reboot after installing TDS, and before or after that reboot get the latest Radius update file which you just drop into the TDS-3 directory, overwriting the older, after which you can fire up or restart TDS.
    As long as you're not registered yet you've no keyfile to drop in it too (might come in zipped, not sure today) which would enable you to do the updates automatically or with a press of the button in the menu and no reload of TDS.

    Yes, with my recommendation to check every option and choose all your drives and network it can take a while if the drives are rather full, and if you have many other applications running at the time. TDS tries to use much space to speed up the process and that is the heaviest it has.
    I close unnecessary programs and windows or switch the full system scan on when I'm going to be off the screen for a while.

    You would make yourself really happy if you have one scan more and in the end, in the alerts console at the bottom, right-click one of the finds and choose "save to text", which will save the alerts to "scandump.txt", which file you will find in your TDS directory, each time overwriting the former one so it will not eat up your diskspace with older logs you're never looking at anymore.
    I would like you to copy that text and post it so we can tell you what to do with the files and see the exact alerts.
    It might be because of not rebooting, but I am at least worried about that mIRC bot in case the original exe got infected. If it says "possible" or "suspicious" after your reboot and update, I would like you to send a sample to submit@diamondcs.com.au (zipped) for advice.
    I've never seen legal fonts as an EXE, or it should be an install file (?); the patches... do you know the directory and what they are?
    Do they get alarms if you change their names into a single pif-extension?

    The SS3 scripts -- with these you open a whole world only limited by your advancing scripting skills and imagination. In fact you can do anything with them, start programs, etc.

    Via the Add/Remove click one time on the MSIE 6.0 and there should pop up a console with among others a choice to return to the former IE install (or to repair the current one if needed).
     
  12. Gavin - DiamondCS (Former DCS Moderator, joined Feb 10, 2002, 2,080 posts, Perth, Western Australia)

    Hi,

    Please zip and email mirc.exe and francais.exe > support@diamondcs.com.au

    mirc should be ok, we have some signatures for modified mirc clients though, perhaps I will have to fix one of those..

    There should never be an EXE file in the fonts folder, suspicious...
     
  13. Jooske (Registered Member, joined Feb 12, 2002, 9,713 posts, Netherlands, EU near the sea)

    Did you get a recommendation already to make sure all files, folders and filetypes and fileextensions are shown via your settings and folderoptions?
     
  14. bobby444 (Registered Member, joined Jun 25, 2003, 10 posts)

    Suspicious indeed. There's gonna be a slight prob in zipping the francias.exe. One thing.. It doesn't show up in the windows/fonts/ folder. It doesn't even show up in WinZip! ahhh! The "only" way I can even see it is with my BP-FTP, and then I see some readme.txt and a few gifs that were with a few legit fonts I had downloaded. And yes they were straight fonts that I had downloaded, no exe's.
    And yes, I have "view hidden files" on. And I believe before I could see all the readme.txt and gifs that came along with the fonts.. otherwise I couldn't have read'em. And I remember reading some of them.

    In BP-FTP the options are rename it or delete it. Didn't see any copy.. or maybe I could have pasted it into WinZip.
    I could prolly ftp it somewhere if you'd like.

    (I just renamed the beginning of the file francias.exe with BP-FTP and now I am seeing my firewall blocking access to TCP Port 3413 every minute. About 30 alerts now!) Would you care for the IP of the intruder?

    I just redialed back up.. and now my connection speed is really slow! Slow responses... Please help! ahhh!
    At http://homepage.tinet.ie/~leslie/testpage/testpg56.htm
    the speed results read 3090 cps. It WAS always reading like 4200-4620 cps and loading quickly, and I am connecting at the same bps as I have been.
    Please help me fix this...

    This is really making me very very angry.. My connection was slow enough as it was.

    Thanks...
     
  15. Jooske (Registered Member, joined Feb 12, 2002, 9,713 posts, Netherlands, EU near the sea)

    I hope you rebooted in the meantime,
    updated the radius again (there's a new one each day end of the working day mo-fr),
    did a full system scan on all drives and partitions with all options on highest scan sensitivity,
    saved the scandump.txt by clicking one of the alerts and will post the results here.
    We're not going to ask you to zip the whole fonts folder, but you might like to try to do, open it and delete the legal fonts manually and see if the rest stays in that way to be sent in.
    There is no chance for a readme belonging to the francais.exe?
    Hope you were able to send in all other suspicious files like the mIRC thing.

    And we like a saved table from PE if you see suspicious connections.
    Both you might prefer to send to Gavin personally, that's up to you. If you post it, you might like to edit out your own IP.
     
  16. bobby444 (Registered Member, joined Jun 25, 2003, 10 posts)

    Ok.. Rebooted and connection speed is now back. Thank goodness for that. lol.

    And the français.exe is still renamed to what I gave it.

    You don't think it could be associated with any font making apps that I have? Or apps prolly don't put exe's in the fonts folder, huh?

    OK. I'm gonna try my best to zip and send'em that francais.exe. Notice that the C is ç and not a regular c.

    Will scan again sometime this weekend with the newest updated files. Thanks again folks for the info and help.
     
  17. bobby444 (Registered Member, joined Jun 25, 2003, 10 posts)

    Hummm... I have the slightest idea of how to zip up the francais.exe file. It does NOT show up in WinZip/WinRAR or viewing the font folder. Nor do the legit fonts' readme.txt's/gifs/doc show up in there either, which I believe they used to.

    And yes I have "show hidden files" selected under folder options just as it has been for years. I can clearly see dll's and other files in all the other folders, except the fonts folder, which is making me very suspicious.

    Seems I have only one option, and that is to ftp the file somewhere, since it shows up in BP-FTP. I also tried dragging the file to a new folder from BP-FTP, but that didn't work either; dragging only works inside the ftp app.

    Any ideas? Or know any webspace provider that would be ok to upload it to? 39kb. I don't want to really upload that to any of my web hosters. hehe..

    Even if the file was a legit file for installing a font, it shouldn't be hiding itself and all the other legit files.
    Correct? Plus I believe I only downloaded straight font files into the font folder, and not no stupid exe file.

    Dang, I think I'll just go get a WebTV. LOL! Sure won't have to worry about downloading anything with that. LOL! Or doing anything with it for that matter....
     
  18. Gavin - DiamondCS (Former DCS Moderator, joined Feb 10, 2002, 2,080 posts, Perth, Western Australia)

    The FONTS folder is "special" ;) and won't allow you to view anything except fonts *sigh*

    You can use an MS-DOS prompt to copy the file elsewhere, then send it from there (then delete it if you like)

    C:\Windows\FONTS>copy fran*.exe c:\

    1 file copied :)
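Gavin's point is that Explorer renders FONTS through a special shell view that lists only fonts, while a plain directory read (the DOS copy above) sees every entry. As an added example, not code from the thread or from DiamondCS, the Python script below does the same kind of raw directory read and flags the two patterns TDS reported earlier in the thread: an executable sitting in a fonts folder, and a double extension such as .pif.pif. The demo folder and file names are constructed in a temp directory; the extension list is an assumption.

```python
"""Flag executables hiding in a fonts folder and double-extension names.

Added example for this thread, not code from the forum or from DiamondCS.
Explorer shows the Windows FONTS folder through a special shell view that
lists only fonts; os.listdir(), like the DOS "copy" in the post above,
reads the real directory entries, so anything else in there becomes visible.
The demo folder built by demo() is constructed in a temp directory.
"""
import os
import shutil
import tempfile

# Extension types Windows will run directly (assumed list for the example).
EXECUTABLE = {".exe", ".com", ".pif", ".scr", ".bat", ".vbs"}


def extensions(name):
    """'77777777.pif.pif' -> ['.pif', '.pif'];  'arial.ttf' -> ['.ttf']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:] if p]


def suspicious_names(names, fonts_folder=False):
    """Return (name, reason) pairs for entries that deserve a second look.

    Double extensions ending in an executable type are flagged anywhere;
    in a fonts folder any executable at all is flagged, since installing a
    font never needs to leave an EXE behind in that folder.
    """
    findings = []
    for name in names:
        exts = extensions(name)
        if not exts or exts[-1] not in EXECUTABLE:
            continue
        if len(exts) >= 2:
            findings.append((name, "double extension ending in " + exts[-1]))
        elif fonts_folder:
            findings.append((name, "executable in the fonts folder"))
    return findings


def scan_folder(path, fonts_folder=False):
    """Read the real directory entries; sorted so results are stable."""
    return suspicious_names(sorted(os.listdir(path)), fonts_folder)


def demo():
    """Build a constructed FONTS-like folder, scan it, and clean up."""
    root = tempfile.mkdtemp()
    try:
        for name in ("arial.ttf", "readme.txt", "fontpack.gif", "francais.EXE"):
            open(os.path.join(root, name), "w").close()
        return scan_folder(root, fonts_folder=True)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, reason in demo():
        print(name, "->", reason)
```

On a real machine you would call scan_folder() on the actual fonts directory with fonts_folder=True and on the patches directory without it; a hit is a reason to submit the file for analysis, as Gavin asks, not proof by itself.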
     