Topic: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!  (Read 13326 times)


KRolling

  • Guest
SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« on: February 17, 2003, 03:06:37 pm »
This is not an OT. I love SFC1,2, and 3!!! <plug>

Help!! I think I have a trojan!!! Computer barely works!!!

Need website info for the free anti trojan program!!

I have run Norton Antivirus, AVG, Norton Sweep, Norton Disk Doctor, and tried to Restore four times but it refuses!!

Can..... barely..... work......

Even tried the "Rolling Pin"!!


Rolling, the panicked!!!!

Maxillius

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #1 on: February 17, 2003, 03:09:42 pm »
wow... that sux... perhaps that site can fix my memory/processor power leak

**DONOTDELETE**

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #2 on: February 17, 2003, 03:34:04 pm »
Ad-Aware can be found here:
http://www.lavasoftusa.com/

or some will argue that Spybot Search&Destroy is better:
http://security.kolla.de/

This site has handy info too:
http://www.spywareinfo.com/

Myself, I've had problems with norton in the past though too...
it can be hell on a windows installation.  

Commander Maxillius, your issue might be better addressed at:
http://www.pcpitstop.com/

Edit: If you think it's a trojan then spyware software may not find it.
This trojan scanner gets good reviews:
http://tds.diamondcs.com.au/

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #3 on: February 17, 2003, 06:47:39 pm »
What does "Sockets de Troie, Blazer 5" mean?

LongTooth

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #4 on: February 17, 2003, 07:06:55 pm »
Sounds French; apart from that I can't help you.
You might want to start backing up anything you don't want to lose, just in case.

Just went to babelfish.com
and it came up with this:

Sockets of Troy, Blazer 5

Not sure if it helps any
« Last Edit: February 17, 2003, 07:10:09 pm by LongTooth »

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #5 on: February 17, 2003, 08:08:25 pm »
You are so screwed!

Okay, not certain if this can help.

You are right, you have downloaded a trojan...what you been doing, browsing Russian Bridal sites?  Or somehow got a Frenchman mad at you?

Anyways, this is more than just a Trojan, it opens up a back door through ports I think.  As I said, you are so screwed.

Here's something to try anyhow.  First, open the msconfig file...SOON.  Look for anything out of place that you absolutely don't know what it is doing (if you don't know, go and look up the abbreviations...quickly now) and DISABLE them.  Next, search your machine for any FILE with that prefix, as well as the prefix of Blazer 5, Troi, SoT, etc.  If possible, find out the exec title of the file.  It may even show up in your exec files.  Delete like crazy.  You DO have a program installed somewhere.

Uninstall, and search in the directory through regedit.

Now with that in mind...unless you can find a good fix, since all this is tentative on whether you will actually find the file or not, a better way may be to back up what you absolutely need, and reformat (yes, reformat) the drive.  That should kill it for certain...or we hope...depending on exactly how it's stored...though I imagine that should kill it for certain.

I personally am not at all familiar with it (thank goodness; it sounds bad, but it also seems rather limited in its spread).  Perhaps someone else more into the tech field knows more specifics on this.

Good Luck.

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #6 on: February 17, 2003, 08:50:58 pm »
I downloaded and ran two different anti-trojan programs and they both said I'm clean, except one said that there MAY be a trojan on this port. It did not give me any clue as to how to remove or close it.

So, I'm at a loss. My computer decides when it wants to do what I have told it to do, but yet I cannot seem to find any logical explanation for it.

SghnDubh

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #7 on: February 17, 2003, 08:54:14 pm »

KRolling,

What anti-virus software are you running?

If you go shell out the $30 for McAfee, you can download their stuff right from their site and start scanning...it has not failed me yet.


What symptoms, exactly, are you having?

 

SghnDubh

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #8 on: February 17, 2003, 08:58:42 pm »
Found this:

HOW TO REMOVE:
Sockets de Troie (Socket23) backdoor for Windows

Description:

The Sockets de Troie ("Trojan Sockets") backdoor is one of many backdoor programs that attackers can use to access your computer system without your knowledge or consent.

Once installed on a system, the Sockets de Troie backdoor binds to UDP port 1 and listens for client connections. The Sockets de Troie client connects to this port and sends a string ("/udp/ connect") followed by the TCP port the client is listening on. The backdoor server then connects back to the client on this port. At this point, an attacker can begin sending commands.

Platforms Affected:
Windows 95
Windows 98

Remedy:

Use a commercial antivirus program to remove this backdoor. To remove the Sockets de Troie backdoor:

If you do not have an antivirus program installed, download and install one of these virus scanners:
Norton AntiVirus: http://www.symantec.com/nav/indexA.html
McAfee VirusScan: http://software.mcafee.com/centers/download/
Trend Micro PC-Cillin: http://www.antivirus.com/pc-cillin/products/
Run the antivirus program to scan your system for this backdoor. The virus scanner should find and remove the Sockets de Troie backdoor from your computer.

Consequences:
Gain Access

References:
PCHelp's Web site, "Reproduction and translation of JCrun Softwares site" at http://www.nwi.net/~pchelp/st/jcrun.htm

Reported:
Date not applicable.

Copyright (c) 1994-2003 Internet Security Systems, Inc. All rights reserved worldwide.
 
AND THIS:

Sockets de Troie (French for "Trojan Sockets")

Sockets de Troie currently affects Windows 95/98 PCs.

The "server" portion is typically named "mschv32.exe".

Ports 5000 and 5001 (by default) are used to establish the connections between the "client" and "server".

Who is Responsible?

Unknown at this time...

There are two methods (that I know of) by which Sockets de Troie can be unknowingly installed.

In the first, when the "server" portion is run, it shows an error dialog stating that SETUP32.DLL is missing. At the same time the "server" portion copies itself to the WINDOWS\SYSTEM directory as MSCHV32.EXE and modifies the Windows Registry so that it is executed on every subsequent Windows bootup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad
MSchv32 Drv = C:\WINDOWS\SYSTEM\MSchv32.exe

In the second, when the "server" portion is run, it shows an error dialog stating that ISAPI32.DLL is missing. The "server" portion copies itself three times to the WINDOWS\ and WINDOWS\SYSTEM directories under the following names:

c:\windows\rsrcload.exe
c:\windows\system\mgadeskdll.exe
c:\windows\system\csmctrl32.exe

The virus also modifies the Windows Registry so that these files are executed on every subsequent Windows bootup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad
Mgadeskdll = C:\WINDOWS\SYSTEM\Mgadeskdll.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunLoad
Rsrcload = C:\WINDOWS\Rsrcload.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesLoad
Csmctrl32 = C:\WINDOWS\SYSTEM\Csmctrl32.exe
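As an added example (not from the thread or either of the quoted write-ups), here is a small Python checker for the two indicators those entries describe: the RunLoad/RunServicesLoad persistence values pointing at the named server files, and the client's "/udp/ connect" request to UDP port 1. The key names and file names are taken from the quoted text; the exact wire layout of the request (the literal string followed by a decimal port) is an assumption, and the .reg export is constructed sample data.

```python
import re
from typing import Dict, List, Optional

# Autorun locations and server file names quoted in the entries above.
# Stored lowercase because Windows key paths and file names are case-insensitive.
KNOWN_RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\runload",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runload",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservicesload",
}
KNOWN_FILENAMES = {"mschv32.exe", "rsrcload.exe", "mgadeskdll.exe",
                   "csmctrl32.exe", "port5000.exe"}

# ASSUMED wire format of the client's request to UDP port 1: the literal
# "/udp/ connect" followed by the decimal TCP port the client listens on.
CONNECT_REQUEST = re.compile(rb"/udp/ connect\s*(\d{1,5})")


def scan_reg_export(reg_text: str) -> List[Dict[str, str]]:
    """Walk a .reg-style export (or the bare 'KEY / Name = path' form used in the
    thread) and return every value under a known run key whose target file is
    one of the known server names."""
    hits: List[Dict[str, str]] = []
    current_key = ""
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            line = line[1:-1]
        if line.lower().startswith("hkey_"):      # key header, bracketed or bare
            current_key = line
            continue
        if current_key.lower() not in KNOWN_RUN_KEYS or "=" not in line:
            continue
        name, _, value = line.partition("=")
        path = value.strip().strip('"')
        filename = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if filename in KNOWN_FILENAMES:
            hits.append({"key": current_key, "name": name.strip().strip('"'),
                         "path": path})
    return hits


def parse_connect_request(udp_payload: bytes) -> Optional[int]:
    """Return the call-back TCP port if the payload looks like the backdoor's
    '/udp/ connect <port>' request, else None.  Seeing this arrive on UDP port 1
    is a sign that a client is trying to wake an installed server."""
    m = CONNECT_REQUEST.search(udp_payload)
    if not m:
        return None
    port = int(m.group(1))
    return port if 0 < port < 65536 else None


# Constructed sample export: one ordinary Run entry, the three persistence
# entries named in the thread, and one unrelated RunServicesLoad value.
SAMPLE_REG = r"""REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\WINDOWS\scanregw.exe /autorun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad]
"MSchv32 Drv"="C:\WINDOWS\SYSTEM\MSchv32.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunLoad]
"Rsrcload"="C:\WINDOWS\Rsrcload.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesLoad]
"Csmctrl32"="C:\WINDOWS\SYSTEM\Csmctrl32.exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"""

if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG):
        print(f"suspicious autorun: {hit['key']} :: {hit['name']} -> {hit['path']}")
    print("call-back port requested:", parse_connect_request(b"/udp/ connect 5000"))
```

On a real Win9x box the export to feed in would come from `regedit /e`; the checker only flags the file names quoted here, so a renamed server still needs the manual msconfig and Task Manager review described in the replies.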


 

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #9 on: February 17, 2003, 08:58:54 pm »
Just because a program does not detect something does not mean you do not have a trojan...as I stated, first things first...since this creates a backdoor, it probably is running on startup or when you connect to the internet.  Check your msconfig.

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #10 on: February 17, 2003, 09:03:15 pm »
I have Norton AntiVirus.

First, around the middle of last week (Feb 11) my NAV stated I needed to do a LiveUpdate on my virus definitions. I clicked OK. The next day it did it again! Clicked OK. Same thing every day, but Saturday night it started running sluggishly. I figured it needed a break, so I didn't think about it until Sunday morning.

Sunday, I booted it up. It moved very slowly. Very, very slowly. I ran NAV. It came out clean. So I shrugged my shoulders and started cleaning it up with all the programs made to do that sort of thing.

I even downloaded AVG, a free antivirus program which did very well by me before. It came up clean.

I have to constantly reboot my system to remind it of what it is doing. I get no errors. Just extremely slow.

Now I've run two anti-trojans with really no success, except there "could be, but not necessarily" a trojan on that port.

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #11 on: February 17, 2003, 09:06:38 pm »
Quote:

Just because a program does not detect something does not mean you do not have a trojan...as I stated, first things first...since this creates a backdoor, it probably is running on startup or when you connect to the internet.  Check your msconfig.

But I don't know what I am looking for.

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #12 on: February 17, 2003, 09:08:14 pm »
Quote:

I have Norton AntiVirus.

First, around the middle of last week (Feb 11) my NAV stated I needed to do a LiveUpdate on my virus definitions. I clicked OK. The next day it did it again! Clicked OK. Same thing every day, but Saturday night it started running sluggishly. I figured it needed a break, so I didn't think about it until Sunday morning.

Sunday, I booted it up. It moved very slowly. Very, very slowly. I ran NAV. It came out clean. So I shrugged my shoulders and started cleaning it up with all the programs made to do that sort of thing.

I even downloaded AVG, a free antivirus program which did very well by me before. It came up clean.

I have to constantly reboot my system to remind it of what it is doing. I get no errors. Just extremely slow.

Now I've run two anti-trojans with really no success, except there "could be, but not necessarily" a trojan on that port.

Do you really want help or are you just making noise?

There are several Trojans and programs that are NOT detected by Anti-virus programs, and usually can evade Ad-Aware and other programs.

Many times this is accomplished by you having clicked on something whilst browsing, or an activation of a Java link.  In your case, it sounds like you downloaded something and it INSTALLED itself into your computer.  This is why you should...again...check your msconfig to see what is running on startup.

Check your taskbar to see what is running.  Stop any programs that you cannot identify.

This helps if you know what is on your machine.  Disconnect from the internet...and clean the machine manually, deleting relations to the program that should not be there.  Do you need a guide on how to do this?

 

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #13 on: February 17, 2003, 09:16:42 pm »
Okay...


First, it seems you've done the first steps of trying a virus scan by a good company.  If you have not...do it now.  That is the first step if you are able.  If you have done this, or the machine is unable to do it...do the following.

Go to your startbar...hit run.

In the runbox type in

msconfig.

Go to startup.  If you see something that looks like ToS:b5 or something similar, suspect it.  You can refer here to find out if it is as you suspect.

Next, disable those programs from starting up.

Now it is quite possible that it is installed but not running at startup.

Press Ctrl+Alt+Delete...once.

See if you have something like that running.

If you don't know...try listing what is shown in that bar here (I sure hope you are not one who has half a million programs running at the same time or it could take a while to decipher some of it).

Next, clean your cache.  You may have downloaded a Java program. Make sure it is cleaned.  Click on show hidden folders, and go through.  Delete anything in the directory tree below the Temporary Internet Files (now when I say below, I don't mean literally below, but anything that is a subdirectory of the Temporary Internet Files).

Now the installation of certain programs and trojans, as well as backdoors, get around things by pretending to be an actual program, aka, they do an actual install.  Many times they fool you on a site by making you think you are installing something different.  Some Trojans are uncleanable...in fact a large number are if they are new or recently modified, at least uncleanable by virus protection programs.

Now after doing this, and disabling any non-known programs (for safe measure you can disable everything in your Windows Taskmanager except for System and Explorer if you are using a Win9x machine, otherwise it gets a little more complex).

If you've done this, next, if you've identified the offensive bugger, do a search on your hard drive for anything that refers to it.


continued below...

RogueJedi_XC

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #14 on: February 17, 2003, 09:23:19 pm »
According to Pest Patrol:
Quote:

Blazer 5
Category: RAT.
A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine, and a "server" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard-drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.
Description: See http://pestpatrol.com/pestinfo/b/blazer.asp.
Release Date: 9/27/2001 (estimated)
Author: ClaudioClaudioCC




Search your computer for the file "port5000.exe"; also check your startup folder, registry, and config.sys for references to this file. Attempt to connect to your system on port 5000 (open a command prompt and type "\\[computername]:5000").

This thing is bad news. It gives another person complete control over your computer. They can delete files, add files, they can even run a clone of your desktop and see what you are doing and record what you're typing.

I could not find any references to this thing on either Symantec's (Norton AV's parent corp) or McAfee's web sites, so they may not detect it. If you cannot get or find a program to remove this thing, and you cannot remove it manually, you may have to format your hard drive(s). Either way, get this thing off your computer asap.  

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #15 on: February 17, 2003, 09:27:10 pm »
Okay, now if you still haven't found it look in your installation/remove programs control panel.  See what has been installed recently.  Now if you see something that you cannot identify and that has been installed recently(I take it you do know what has been installed recently), then chances are that this is your bugger.

If you still haven't found your culprit, it is then we get desperate.  Now this may or may not help before you even do all the rest of the steps; it is also the easiest one to avoid by a skillful hacker/virus creator/evil person.  Go to Find or Search, dependent on which OS you are using, in your start taskbar.

Once you have it up...look up "Sockets de Troie, Blazer 5" or a portion of the wording thereof.  If you can find it...do not go to it immediately.  Look very carefully at what directory it is located in.  Click on the hard drive and go to that directory.  If it has its own directory...look at all the programs in it, and see what shortened versions of its name it uses.  So if you see something like B5, you can know this is probably the abbreviation it is using.

With that, you have an idea of what its shortened exe could be and its program that is actually running it.  Delete all references to this.

After doing this, look in your registry.  You can do this by going to the run program again, and typing in regedit.  Now this is a tricky part, because if you do the wrong thing, you can seriously screw up your OS...like big time.

Click at the very top of all the registry so it is at the root of all the files.  Next go to Edit and click on find.

Find all traces of the program "Sockets de Troie."  Next find all traces of the program Blazer 5.

Next, delete the small names of the files...this is the part where it's hardest to ascertain whether you are deleting a needed or unneeded file...but it also must be done.

So if it had the shortened program name of B5, you would find all traces of B5, and delete it.  This is where the anti-virus programs typically turn up the most useful, as they can find the registry files if they have the viruses and trojans registered already.

For the shortened file exe names in your Task  Manager and msconfig, typically a quick look on Yahoo by typing in that set of lettering will reveal what that Program shortname means, which is also useful.

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #16 on: February 17, 2003, 09:31:36 pm »
Quote:

Okay...


First, it seems you've done the first steps of trying a virus scan by a good company.  If you have not...do it now.  That is the first step if you are able.  If you have done this, or the machine is unable to do it...do the following.

Go to your startbar...hit run.

In the runbox type in

msconfig.

Go to startup.  If you see something that looks like ToS:b5 or something similar, suspect it.  You can refer here to find out if it is as you suspect.

Next, disable those programs from starting up.

Now it is quite possible that it is installed but not running at startup.

Press Ctrl+Alt+Delete...once.

See if you have something like that running.

If you don't know...try listing what is shown in that bar here (I sure hope you are not one who has half a million programs running at the same time or it could take a while to decipher some of it).

Next, clean your cache.  You may have downloaded a Java program. Make sure it is cleaned.  Click on show hidden folders, and go through.  Delete anything in the directory tree below the Temporary Internet Files (now when I say below, I don't mean literally below, but anything that is a subdirectory of the Temporary Internet Files).

Now the installation of certain programs and trojans, as well as backdoors, get around things by pretending to be an actual program, aka, they do an actual install.  Many times they fool you on a site by making you think you are installing something different.  Some Trojans are uncleanable...in fact a large number are if they are new or recently modified, at least uncleanable by virus protection programs.

Now after doing this, and disabling any non-known programs (for safe measure you can disable everything in your Windows Taskmanager except for System and Explorer if you are using a Win9x machine, otherwise it gets a little more complex).

If you've done this, next, if you've identified the offensive bugger, do a search on your hard drive for anything that refers to it.


continued below...

I ran the msconfig and did not find anything suspicious. I am running a search for port5000.exe at this time.

How do I clean my cache? Sorry please be patient with me.

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #17 on: February 17, 2003, 09:42:29 pm »
I'll have to pick this up tomorrow. My brain has followed my computer into mushville.

Thanks.

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #18 on: February 17, 2003, 10:01:58 pm »
Go to your control panel.  Open up Internet Options.  It should open up to General.  You will there see delete Temporary Internet files about halfway down.  Click Delete Files.  Click Delete cookies.

Then open up settings.  Now there is the complete way, and the safe way.

Either way, first open up "View Files".

This should open your cache.  Next click on a picture above the open files called Folders.  This will show you the folders.  Click on Temporary Internet Files and see if there are any subdirectories/subfolders.  If there are...delete them.  Persist in deleting them even if it requires a restart and disconnecting from the internet and not opening IE first.

Next comes the choice of a complete clean or a safe clean.

Now that your Temporary Internet files is cleaned, click on the View Objects.  This will show you programs installed to run with your Internet Explorer.

To do a complete clean, delete EVERYTHING in this directory.  This will ensure anything running with IE in either the Temporary Internet Folder and the Windows/Downloaded Programs files are gone.  The downside to this is that it also will delete programs that were installed and ran on your machine before such as the quicktime interaction with the browser, the realplayer interaction, the shockwave/Flash macromedia and other programs.  You will have to redownload, re-enable them after you have cleaned the system.

A safe way, can only be done if you know which programs do what.  Some of these should be obvious...such as Quicktime should be labeled if you have been using it in your browser (now if you have 2 or 3 installed, then you may have some questions and problems).  Keep the ones that are safe, and delete the rest.

The final step is only as a maximum harshness.  There is a file that may be called hosts that is connected to your IE program.  It is used to record TCP/IP addresses.  Typically this won't matter, but in some instances, it will store a bad address and be a key in to a trojan, causing you problems.  Clean this file by either deleting it (which may or may not have adverse effects), or deleting all IP addresses.  This file IS NOT the DRIVER file, and if it is in the DRIVERS folder or any thing related to it, you should not open it.  I think it is in the IE folder in Win9x and in a folder that is called something like I981 or something like that in XP.  Be very careful however, as if you mess with the wrong one, you can screw up your drivers.

The hosts file can be opened with Notepad or WordPad, and can be saved again, or should be able to be saved again, and the extension restored as you see fit.  Make sure the "always use this program to open this file" choice is NOT checked in the lower left hand side of the box asking which program to use to open it with.  You will know that this is the file you seek if you can read what is inside, and it lists internet addresses.

This is one way to clean up your Internet browser and the Files saved in it.  Hope that fully answers the question.

FPF_TraceyG

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #19 on: February 18, 2003, 02:55:26 am »
Hey Kim, not sure if you've got your problem fixed yet, but if I were you, the first thing I would do is put up a software firewall on your computer. At least even if you have a backdoor trojan running on your computer, you can block it from using any ports. A free firewall download can be found at www.kerio.com if you don't already have one. I'm told this is a good one, and it seems easy to use. There are others of course, but I like this one best.
That will keep hackers out and you can remove the trojan at your leisure.