TCPOSMOD.EXE

Discussion in 'adware, spyware & hijack cleaning' started by Strad, Jul 13, 2003.

Thread Status:
Not open for further replies.
  1. Strad

    Strad Guest

    Hi, I have a problem with a system32 file (tcposmod.exe); Norton detected a pw stealer in it but was unable to access the file for cleaning. I will use TDS-3, but I want to know if someone is stealing my passwords (and which passwords). Thanks
     
  2. Jooske

    Jooske Registered Member

    Joined: Feb 12, 2002 | Posts: 9,713 | Location: Netherlands, EU near the sea
    If you can get to the file, try to zip it!
    Then it can't run.
    Further, besides TDS-3, also get Port Explorer, which shows you all possible connections; you can spy on those connections and block them.
    After installing TDS-3, go back to that site and get the update for the detection databases.
    Configure TDS System Testing with everything checked and at the highest sensitivity.
    If TDS says it's a positive identification you have the choice to delete it; if it says "suspicious", don't hesitate to send it to support@diamondcs.com.au (zipped if possible) or use the little menu when right-clicking on the alert in the result console.
    If TDS does not alarm, I would certainly send the file in, with the link to this thread in your email.

    Please keep us informed how it goes.
     
  3. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002 | Posts: 13,331 | Location: Netherlands
    Hi Strad,

    Can you see if this key:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "DSS"
    is present in your registry?
    After disabling it from starting up there, you should have no problem removing tcposmod.exe.
    From what I could find about this backdoor, I gather it deletes netstat.exe and adds c:\WINDOWS\readme-net.doc and the file you found.
    Mostly used to gather online passwords, like Hotmail etc.
    To find out if any and which passwords were stolen, the first thing to do is find out if it was ever active. You can do that by checking if the changes I mentioned were indeed made.

    Regards,

    Pieter
     
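    A read-only triage check for the indicators Pieter lists (the "DSS" Run value, the missing netstat.exe, readme-net.doc and tcposmod.exe), as an added PowerShell example that is not from the thread or from any tool named in it; the function name and report layout are my own, and the paths assume a default Windows directory layout.

```powershell
# Added example (not from the thread): read-only triage for the indicators
# named in this thread. Value name "DSS" and file names come from the posts;
# function and variable names are my own. Run from an elevated prompt.

function Test-TcposmodIndicators {
    [CmdletBinding()]
    param(
        # Windows directory to inspect; defaults to the running system's.
        [string]$WindowsDir = $env:SystemRoot
    )

    $runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $findings = [ordered]@{}

    # 1. Autostart value "DSS" under the HKLM Run key.
    $dss = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).DSS
    $findings['HKLM Run value "DSS" present'] = [bool]$dss
    if ($dss) { $findings['  "DSS" command line'] = [string]$dss }

    # 2. tcposmod.exe in System32 (as in the first post) or in the Windows dir.
    $exeCandidates = @(
        (Join-Path $WindowsDir 'System32\tcposmod.exe'),
        (Join-Path $WindowsDir 'tcposmod.exe')
    )
    $foundExe = @($exeCandidates | Where-Object { Test-Path -LiteralPath $_ })
    $findings['tcposmod.exe present'] = ($foundExe.Count -gt 0)
    if ($foundExe.Count -gt 0) { $findings['  tcposmod.exe path'] = ($foundExe -join '; ') }

    # 3. readme-net.doc dropped in the Windows directory.
    $doc = Join-Path $WindowsDir 'readme-net.doc'
    $findings['readme-net.doc present'] = [bool](Test-Path -LiteralPath $doc)

    # 4. netstat.exe missing from System32 (the thread reports it is deleted).
    $netstat = Join-Path $WindowsDir 'System32\netstat.exe'
    $findings['netstat.exe missing'] = -not (Test-Path -LiteralPath $netstat)

    # Any single indicator is enough to warrant a closer look; the indented
    # detail keys are excluded from the verdict.
    $hits = @($findings.Keys | Where-Object { $_ -notlike '  *' -and $findings[$_] -eq $true })
    $findings['VERDICT'] = if ($hits.Count -gt 0) { 'indicators found - investigate' } else { 'no indicators found' }

    return [pscustomobject]$findings
}

Test-TcposmodIndicators | Format-List
```

    A missing netstat.exe on its own can have other causes, so treat the verdict as a prompt for a full scan, not as proof.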
  4. Jooske

    Jooske Registered Member

    Joined: Feb 12, 2002 | Posts: 9,713 | Location: Netherlands, EU near the sea
    Munga Bunga, if I remember well? Or DSSdoor?
    It's in the TDS primaries.
    Try hitting Ctrl+Alt+Del and, depending on your OS, use either End Program or Task Manager to end the task tcposmod.exe. Click Yes on the warning box.
    Look in the startup list using msconfig:
    Start > Run > type in msconfig > hit Enter > go to the Startup tab and uncheck TCPOSMOD.EXE. Reboot and scan again to clean it. You couldn't delete it because it was running.

    And after removal I would change passwords, just to be sure.
     
  5. Strad

    Strad Guest

    OK, the changes you mentioned were made: netstat.exe was deleted and the doc file is there. I have Win 98 and 2K installed on my computer, and I can delete tcposmod.exe by using Win 98, but who stole my passwords? And what passwords? How does this backdoor work?
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined: Apr 27, 2002 | Posts: 13,331 | Location: Netherlands
    "What does this software do?

    It's a Brute Forcer, which uses the HTTP protocol to establish its connections. In English, this means the program tries various passwords for a given username (called brute forcing) and verifies whether those passwords are correct for the given username within the HTTP protocol (meaning, via web page connections).

    You can hack into any form you see on the Internet, this means any web based email account like Hotmail, Yahoo, Excite etc… or even affiliate accounts like AllAdvantage, GoToWorld, LinkExchange, or even actual Web Sites and many more. Basically, anything that can be entered via an HTML form with a password and username, you would be able to brute force into with my program. The sky is the limit, it can even be used as a DoS (Denial of Service) program but I do not encourage such behavior and shall not be held responsible for your illegal doings."

    Do you have a firewall? Its logs might come in handy.

    Regards,

    Pieter
    Source left out because of download links.
     
  7. Jooske

    Jooske Registered Member

    Joined: Feb 12, 2002 | Posts: 9,713 | Location: Netherlands, EU near the sea
    Does the readme-net.doc contain anything interesting?

    Did not find anything about spreading the thing yet, as I thought it was in the first place looking for password combinations to get into a system or webpage; do you run a server by chance, making you an interesting goal for them?
     
  8. Strad

    Strad Guest

    The problem is solved. My little brother downloaded the Munga Bunga program and installed it :mad: . Thanks a lot.
     
  9. Jooske

    Jooske Registered Member

    Joined: Feb 12, 2002 | Posts: 9,713 | Location: Netherlands, EU near the sea
    Glad you found it! So no outside onlookers, I hope, but now you certainly should make sure! I mean, you had the nasty on your system and installed, so your system was very vulnerable to other users of it.
    I saw in the manual they say you can d/l password files all from the internet, so you could google for such things and maybe check a few for a couple of your passwords; you will have changed them anyway by now, I suppose!
     
  10. whkoh

    whkoh Registered Member

    Joined: Aug 8, 2003 | Posts: 4
    Someone installed Munga Bunga on my PC :( Now Norton AV wouldn't run, even if I reinstall it. Any solutions?
     
  11. Dan Perez

    Dan Perez Retired Moderator

    Joined: May 18, 2003 | Posts: 1,495 | Location: Sunny San Diego
    Hi whkoh,

    Welcome to Wilders!

    Can you please download and run HijackThis from

    http://www.tomcoyote.org/hjt/hijackthis.zip

    and scan the system, but do *not* try to fix anything yet, as many of the items listed are necessary; instead, press the "Save log" button and copy and paste the log here for someone to review and advise on.

    Thanks,

    Dan
     
  12. whkoh

    whkoh Registered Member

    Joined: Aug 8, 2003 | Posts: 4
    Thanks, this is the log:
     

    Attached file: hjt.txt (4.8 KB)
  13. Dan Perez

    Dan Perez Retired Moderator

    Joined: May 18, 2003 | Posts: 1,495 | Location: Sunny San Diego
    Hi whkoh,

    I see no signs of it in the HT log, though I did find two other nuisances; you might want to close all other programs/windows and select and fix the following two entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html

    Regarding your main issue, we will need more logs it seems...

    First I would do a remote scan of your system from an online AV such as Panda's ActiveScan which can be accessed here

    http://www.pandasoftware.com/activescan/com/activescan_principal.htm

    Then, can you please download and run DCS's AutostartViewer from

    http://www.diamondcs.com.au/downloads/asviewer.zip

    Go to the "Main" menu and make sure that all three top options are selected and then press "Save" and then copy & paste the results here for us to review.

    Also, can you please download DCS's OpenPorts program from

    http://www.diamondcs.com.au/downloads/openports.zip

    Unzip openports.exe into your Windows directory, open up your Command Prompt and type:

    openports > openports.txt

    and then press the Enter key

    Then type:

    openports.txt

    and press the Enter key again; then copy the contents of the file from Notepad and paste it here for us to review.

    Thanks,

    Dan
     
  14. whkoh

    whkoh Registered Member

    Joined:
    Aug 8, 2003
    Posts:
    4
    It appears that other accounts in my PC can access the AV.
     
  15. davidcat

    davidcat Guest

    OK, how to remove TCPOSMOD.EXE: press Ctrl+Alt+Del and end the task TCPOSMOD.EXE. Then, in any window, click on Tools, then Folder Options, then click on the "View" tab, then click on Show Hidden Files and Folders and make sure there is no check in the box Hide Extensions for Known File Types. Now go to C:\WINDOWS and you will see the TCPOSMOD.EXE file; remove it from your system. Then in regedit go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "DSS" and remove it from your registry, and restart your system.

    send me an email and tell me if it works ...

    Davidcat
     