www.grc.com, leaktester is a trojan!!

hello all,
VisualZone, which works well with zonealarm{which i have} leads us to www.grc.com to test our firewall.

it so happens that the free stuff they offer contains a trojan.
ther is a program called Leaktester, which is supposed to check out your firewall, but when it is installed, it turns out to be a trojan.its no.1 on the download list.

symptoms are cpu usage shoots up dramatically, even when no program is running, i have 3 iexplore programs in taskmanager, all working at around 6000 K, and i havent opened any site!!!

trojan hunter 3.8 detected 2 trojans.
1. leaktester.102
2. passdump.exe

i managed to delete them, but the sympoms are still there .
now, even after reboot, trojanhnter detects no other trojans, but my cpu usage still is high, and spiking erratically.

zonealarm tells me that iexplorer and genericprocess32 both have changed since the last time thy ran!
ihad to allowthem, because i need to post on this site!!

please, help me out.

 

Passdump is one of our programs, it will be detected by TDS-3 as POSSIBLE trojan with password stealing capability. This is because it uses a function the same way many trojans do, to read cached passwords. The alarm should say POSSIBLE, if it doesn't then thats bad

We also detect Leaktest at the request of users, however it is detected as Demo.Leaktest (not a trojan) so you know its NOT a trojan

Sounds like you have nothing to worry about, hope you can relax now

 

Hello guys,
thanks for the reply.

i didnt mean to sound crazy..i was totally flipping out though, because this is supposed to be a firewall tester, not a trojan in disguise.

and i am not like blaming or accusing grc.com of anything...i trust their shieldsup! tester .

i am just not sure that that download didnt contain a trojan, cause i think it did, because immediately after, my pc was showing the strange symptoms.

even now, my taskmanager is showing fluctuations of my cpu usage, immediately when i do cnt+alt+del.........it shoots up to 100%...then falls down to 30% then it becomes 3% then goes up to 25%..........!


now trojan hunter dosent detect anything now, but for ex. my zonealarm has just blocked......
Packet sent from 217.228.195.221{tcp port 1727} to [my ip address]
to port 1433 of my pc!

if this isint a trojan, is this a worm?

typically, why does cpu usage fluctuate in your opinion?
i tried quickkill worm killer, it turned up nothing........{www.quickheal.com}

my computer noise, the whirring has gone up quite a bit, meaning that the fan is turning faster to col the harddisk , which is running at an abnormal usage rate.

i have the dcs apm, but i dont know what to delete or end?
please help me.

 

hello again,

just additional info.

why are there 4 svchost running in the task manager?
iis in network service, local service, and the other 2 are classified as system, one is 1300K and the other is 6800K ?

i know this isint the right place fora log, but just in case....here goes

Logfile of HijackThis v1.98.0
Scan saved at 1:36:46 PM, on 7/13/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\TVR\RecSche.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\lvhidsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\admin\LOCALS~1\Temp\HijackThis.exe

O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [RecSche] "C:\Program Files\TVR\RecSche.exe"
O4 - HKLM\..\Run: [WinDVRCtrl] C:\WINDOWS\WDVRCtrl.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.computercops.net
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A04B6450-350D-41FF-850D-5F255B0A7E49}: NameServer = 202.88.130.67,202.88.130.9

also, when u say, passdump is one of our's , what do u mean?

thanks in advance!!

 

HI Adam.

Leaktest, as said before, is just a firewall testing utility.
It won't run if you have TDS with Exec Protection installed running.

In order to get Leaktest to run to test your FW, you will have to close TDS.
Then run Leaktest, if you have a good Firewall it should alert that Leaktest wants to connect to GRC.com. DENY it, then Leaktest should show the results like my pic.

Those 4 svchost running is NORMAL.. no probs.

Passdump is from DCS and TDS alerts it is a POSSIBLE Password stealer, for testing TDS.

Will post pic next post on what TDS says re Leaktest and if you rightclick on it and select 'Additional File Information', you get that window showing all the attributes like you will see in next post shot.

Cheers, TAS

 

Pic showing TDS in action and results of Information in right click on the Alert it gave with Leaktest.

TAS

 

Hi,

Answer about leaktests not being trojans nor viruses on my site :
http://www.firewallleaktester.com/lktvirus.htm

so obviously it includes the leaktest.exe from Steve Gibson.

regards,

gkweb.

 

Ok but since I tried these leaktests I will get a notification about afpansi.vxd during the booting process, that it could not be found and maybe an app needs it. I searched for it on Google and I found this: http://www.pestpatrol.com/pestinfo/i/informer.asp

So is it a trojan or is it maybe related to the leaktests? So far ZA didn't notify me about suspicious apps, but it is strange. Can I delete the key or the whole folder that it is in? The key is in the following registry folder:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\AFPAnsi\\StaticVxD

 

Hi guys,
Tassie Devils, thanks for clearing my doubts about leaktester being a real trojan. i think u explained it to me well, so then i guess i am back to square one!

LowWaterMark, thanks for narrowing it down for me, i guess svcshost is not the problem, and i am a little calmer about the cpu spikes.........

ther is just a couple of things that are worring me at the moment, and i think they require some close attention.
now we know , whatever this is, it is persisting on my pc and is not detected by normal virus or trojan or worm scans.

ok dont laugh, but i really think there is something going on, i am not just being paranoid! lol

for example.......
1. yes, LowWaterMark, right after i boot the machine, there are 2 iexplore process running, somethmes just one though...........and say i wait for 5-10 minutes, without doinganything....it steadily increases from 500K to 1200K to 3000K...right before my eyes.
2. then, after reaching i think critical mass, i get an alert on my pc about iexplorer trying to access the internet! and i deny it.
3. right after i deny it, the K's go down......it settles at around 4-700K..
4. now earlier, before this thing hit me, whenever i booted the machine, it never happened that iexplorer was involuntarily trying to access the net.
5. not only that, but i find that when i first try to a site, zonealarm tells me that iexplorer has changed since the last time it ran!
6. similarly it tells me generichost32 has changed since the last time it ran!
7. i have no other choice but to allow it access, but then i can connect to any site.
8. and it is not like any of my ports are open, in fact, even now ALL my ports are in the stealth mode.
9.then , the fluctuations are there as well{i tried what u said, they do indeed shoot up!}, but this is striking because till 2 days ago, nothing of this sort happened.

10. like, even right now, i just had an alert telling "generichostprocess32 trying to access the internet" i denied it.
in the visualzone, the intruded name is 'computer' and the DNS is also 'computer'.

11. now, i have downloaded mozilla firefox, it is installed on my E drive, i jusst have to install it so that it becomes my browser...but i have to take care of thismess first..who knows, maybe this thing will attack mozilla also.so i need to figure out what this is!

please, any suggestions??

 

Hi guys,
just check this out.

FILE: c:\documents and settings\admin\my documents\trojanscan3.9report.rtf
SIZE: 896 bytes
---------------------FILE BEGINS <Extracted Strings>---------------------
1: {\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Arial;}}
81: {\colortbl ;\red255\green0\blue0;\red0\green0\blue255;\red8\green0\blue0;}
157: \viewkind4\uc1\pard\b\fs20 Registry scan
199: \par \pard\li200\b0 No suspicious entries found
248: \par \pard\b Inifile scan
275: \par \pard\li200\b0 No suspicious entries found
324: \par \pard\b Port scan
349: \par \pard\li200\tx6000\cf1\b0 Port 2003/TCP is open (Matches TransmissionScout.100. Port being used by process IEXPLORE.EXE/PID 250\cf0 \tab (\cf2\ul Tell me more about port alerts...\cf3\ulnone )\cf1
556: \par Port 2003/TCP is open (Matches TransmissionScout.110. Port being used by process IEXPLORE.EXE/PID 250\cf0 \tab (\cf2\ul Tell me more about port alerts...\cf3\ulnone )\cf1
736: \par \pard\cf0\b Memory scan
766: \par \pard\li200\b0 No trojans found in memory
814: \par \pard\b File scan
838: \par \pard\li200\b0 No trojan files found
888: \par }

the lines 349 and 556 are peculiar.

ok, now this is a scan done by trojan hunter 3.9 .............
the reason it is looking like this, is because my Wormguard program thought it would be cool to 'safely view this file" which i had saved in 'my documents' to post here.

anyway, i think after i downloaded the 3.9 version, and ran the scan it found those 2 ports open.

but then i went to ZAP/Privacy/Cookiecontrol/custom/Mobilecode and rechecked the option'block mime type integrated objects'
and did the scan again, no open ports ............whew!

 

Hi guys,
you can say i was a little paranoid back there.........lol
{hope i didnt offend anyone}

its just that i am a novice pc user, i got my pc 2 months ago, and on the 4th day itself i had hundreds of spyware, adware, cookies, browser hijackers...and to top it all off, 2 deadly trojans >.bds_dumator, trojdumarin, mitglieder.100 or whatever...{to name a few!}
if this wasnt enough, also had a nasty trojan program that forced me to reformat my machine!!

turns out, it was a new trojan, it dropped 2 .dll files, and 2.exe files, and modified 30 registry entries!
it was embedded in my system32 folder.....

anyway, so now i have my registered version of ZAP 5.0, i do a live update of Norton everyday..and have webroot spysweeper 3.0 , which i think is a fantastic spyware detector......and things are looking much safer these days.

mysteriously, my cpu spikes have reduced, they are no longer that extreme, and sometimes just shoot up to 45% to 50%..... so now i think everything is fine{keeping my fingers crossed though!}