Topic: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!  (Read 13325 times)


Pestalence

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #20 on: February 18, 2003, 03:14:09 am »
KRolling.. I've been looking into your problem.. here is what I have come up with...

FBI Warning on this Sockets trojan:
http://grc.com/unpnp/unpnp.htm

How it is distributed:
http://softwaresecuritysolutions.com/RATS.htm

Others with this problem:
http://computing.net/security/wwwboard/forum/2008.html

Removal software:
http://www.pestpatrol.com/PestInfo/PestFamilyCount.asp

Windows Security for Networking patch as related to this trojan (to help prevent the software from being installed on your system):
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp

Also, running a Windows Update can help solve this problem, as it is included with the Windows Security updates:
http://windowsupdate.microsoft.com/

Everyone is getting carried away about this.. is it serious? Yes, it is listed as critical.. however, the fix has been out for a very long time.. since XP Service Pack 1 came out.

To find out information on things like this in the future, if you come up with a trojan on your machine again and you have a trojan name, just run an MSN search on the name of the virus or trojan.. that is how I found the information above...

In MSN Search, enter "Sockets de Troie, Blazer 5" into the search bar and click Search.. and voilà, the information above came up.

I hope that this information helps...

DonKarnage

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #21 on: February 19, 2003, 06:02:30 pm »
If the reboot is slow, maybe your HD is full of junk; when you install and uninstall software there are always traces of them left behind. So back up only what you want to keep (don't make a backup of the whole HD, because your problem will copy along with it): copy your saved games and mods and the spec files for your SFC, and if you have other games whose saved games you want to keep, maybe your mail, and then format your HD. That will clean your HD and remove any ******** on it.

WDLL

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #22 on: February 20, 2003, 05:52:33 pm »
Well, I believe that the info from the above posts should be enough to help you.

As a PS I just want to add two things. 1) My favourite antivirus program, which I like VERY much, is H+BEDV AntiVir Personal Edition. You can find it at A Personal Edition and yes, it is free, the Personal Edition that is.
2) About all this slowness, you might want to check whether there isn't a hardware fault at the same time, like overheating of the CPU/motherboard or an HD problem. I am talking from experience on this matter.... :-(

Good luck.

[RS]Cincinnatus

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #23 on: February 20, 2003, 07:28:42 pm »
 
Quote:

There are two methods (that I know of) by which Sockets de Troie can be unknowingly installed.

In the first, when the "server" portion is run, it shows an error dialog stating that SETUP32.DLL is missing. At the same time the "server" portion copies itself to the WINDOWS\SYSTEM directory as MSCHV32.EXE and modifies the Windows Registry so that it is executed on every subsequent Windows boot.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad
MSchv32 Drv = C:\WINDOWS\SYSTEM\MSchv32.exe

In the second, when the "server" portion is run, it shows an error dialog stating that ISAPI32.DLL is missing. The "server" portion copies itself three times to the WINDOWS\ and WINDOWS\SYSTEM directories under the following names:

c:\windows\rsrcload.exe
c:\windows\system\mgadeskdll.exe
c:\windows\system\csmctrl32.exe

The virus also modifies the Windows Registry so that these files are executed on every subsequent Windows boot:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad
Mgadeskdll = C:\WINDOWS\SYSTEM\Mgadeskdll.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunLoad
Rsrcload = C:\WINDOWS\Rsrcload.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesLoad
Csmctrl32 = C:\WINDOWS\SYSTEM\Csmctrl32.exe
 




Hey KRolling, let us know how your efforts are going! I'm a professional software developer on Win32 platforms, and I know about stuff like different types of installers, C++, Java, VB, ActiveX Controls, and lots and lots of Win32 networking. I can envision creating an application that works exactly as described in some of these posts, and it would easily slip past all the antivirus and antitrojan programs out there. If something appears to have an intended purpose and its registry entry isn't a static string (known as a "virus/trojan signature") that the scanning program looks for, then the program declares it "safe".

In reality trojan and virus scanners are very unreliable... with new technology comes greater flexibility, and programs can randomly change all sorts of names, tags, registry entries, or other identifiers that virus scanners use to say "hey! that's a virus!"

If you haven't tried doing a search on your hard drive for the files I pasted in a quote above, then you should now. I think that's very sound advice, since usually the only thing that remains constant with a trojan is the application name. The "client" application on the Hacker's Computer has to know what application to run on your computer to enable the interface, so the name will be the same for every instance of the same virus-trojan. Of course, you could have a trojan with the exact same name and characteristics, but a renamed .exe file - there are countless ways to obscure a malicious program to seem like you installed it on purpose.

Do you ever get prompts while browsing the 'net that ask you if you want to install something? It's some window about a certificate.. and it lists the name of the "company" trying to install it. Some hackers have found a way to COMPLETELY emulate a valid Microsoft certificate, so just because it says Microsoft doesn't mean you should trust it. And Microsoft isn't the only company that has been emulated. As a result, you should NEVER click "Always trust content from [company name]"! Even if you LOVE Gator and its insidious-yet-non-malicious spyware, there's still a possibility that a hacker might sign his trojanware by Gator for some reason.

Finally, go to www.zonelabs.com and download the trial version of ZoneAlarm. I LOVE ZoneAlarm to the extent that I registered for 2 years. If you've tried everyone else's advice (INCLUDING reformatting) and the trojan finds a way to undelete itself, or if you're extremely desperate and can't possibly reformat your hard drive due to important data, let me know and I will purchase for you a registered copy of ZoneAlarm so you can use Mobile Code Control, the best feature (imo) in the entire package. Mobile Code Control combined with a high level of firewall protection from ZoneAlarm (or, optionally, a TOTAL cessation of ALL network and internet traffic) was enough to stop the file-corrupting trojan Werewolf 1500.B.E from deleting and shredding all .dll, .vxd and .com applications on my computer about a year ago, so for that I am thankful. Apparently it was a timed trojan that collected passwords and non-secure info I submitted on the web, as well as file uploads, and then forced a reformat of my hard drive before I would have figured out the problem. But ZoneAlarm Pro put a stop to it until I could find a trojan detector to actually remove the program so I didn't have to run ZoneAlarm at maximum security all the time!

*VERY IMPORTANT*
I've been to this site before, but I forgot the name... and now I found it again!!!
Go here and make sure everything you have in your Task Manager (ctrl+alt+delete) is listed and make sure you actually WANT everything you have! Very very useful!!

http://www.pacs-portal.co.uk/startup_pages/startup_full.htm
 

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #24 on: February 20, 2003, 08:01:34 pm »
I appreciate everybody's help. However, I sometimes get overwhelmed by it because I am so absolutely stupid when it comes to computers.

I finally followed some good advice that I could understand in Layman's Terms: get a firewall up!!! Duh on me!! LOL!! Thanks Tracey.

I downloaded Norton's trial version, since I already had their AV. Nothing seemed to change at first, then about the second day it appeared that my problems may be gone.

Does this mean that I do not have the trojans any more? Did I have trojans in the first place? Who knows?

Anyway, thanks again guys, I really do appreciate the advice.

 

RogueJedi_XC

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #25 on: February 20, 2003, 08:20:23 pm »
No, you probably still have the trojan it's just being blocked by the firewall. Does the Norton firewall keep logs? If so, that can be used to help track this nefarious program down so you can get rid of it.  

Aliasalpha

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #26 on: February 20, 2003, 08:34:48 pm »
I don't suppose you have a second hard drive do you? Formatting & reinstalling is the single best way to get rid of all that nasty stuff.

I couldn't live without 2 HDs....

Towelie

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #27 on: February 20, 2003, 09:27:40 pm »
I didn't see it listed, but this one finds a lot that OTHER AV programs DO NOT find.

http://housecall.trendmicro.com/

  Good luck and I hope it nails that trojan for you SOON!

Turns out I had some hidden viruses lying dormant (hehe, I wasn't the one that downloaded them) that Norton couldn't find even with the latest software and updates. For this reason, I no longer recommend Norton.
   

KRolling

  • Guest
SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #28 on: February 17, 2003, 03:06:37 pm »
This is not an OT. I love SFC1,2, and 3!!! <plug>

Help!! I think I have a trojan!!! Computer barely works!!!

Need website info for the free anti-trojan program!!

I have run Norton Antivirus, AVG, Norton Sweep, Norton Disk Doctor, and tried to Restore four times but it refuses!!

Can..... barely..... work......

Even tried the "Rolling Pin"!!


Rolling, the panicked!!!!

Maxillius

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #29 on: February 17, 2003, 03:09:42 pm »
wow... that sux... perhaps that site can fix my memory/processor power leak

**DONOTDELETE**

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #30 on: February 17, 2003, 03:34:04 pm »
Ad-Aware can be found here:
http://www.lavasoftusa.com/

or some will argue that Spybot Search&Destroy is better:
http://security.kolla.de/

This site has handy info too:
http://www.spywareinfo.com/

Myself, I've had problems with Norton in the past too...
it can be hell on a Windows installation.

Commander Maxillius, your issue might be better addressed at:
http://www.pcpitstop.com/

Edit: If you think it's a trojan then spyware software may not find it.
This trojan scanner gets good reviews:
http://tds.diamondcs.com.au/

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #31 on: February 17, 2003, 06:47:39 pm »
What does "Sockets de Troie, Blazer 5" mean?

LongTooth

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #32 on: February 17, 2003, 07:06:55 pm »
Sounds French; apart from that I can't help you.
You might want to start backing up anything you don't want to lose, just in case.

Just went to Babel Fish
and it came up with this:

Sockets of Troy, Blazer 5

Not sure if it helps any
« Last Edit: February 17, 2003, 07:10:09 pm by LongTooth »

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #33 on: February 17, 2003, 08:08:25 pm »
You are so screwed!

Okay, not certain if this can help.

You are right, you have downloaded a trojan...what have you been doing, browsing Russian bridal sites?  Or somehow got a Frenchman mad at you?

Anyways, this is more than just a Trojan, it opens up a back door through ports I think.  As I said, you are so screwed.

Here's something to try anyhow.  First, open the msconfig file...SOON.  Look for anything out of place that you absolutely don't know what it is doing (if you don't know, go and look up the abbreviations...quickly now) and DISABLE them.  Next, search your machine for any FILE with that prefix, as well as the prefix of Blazer 5, Troi, SoT, etc.  If possible, find out the exec title of the file.  It may even show up in your exec files.  Delete like crazy.  You DO have a program installed somewhere.

Uninstall, and search in the directory through regedit.

Now with that in mind...unless you can find a good fix, since all this is tentative on whether you will actually find the file or not, a better way may to be back up what you absolutely need, and reformat (yes reformat) the drive.  That should kill it for certain...or we hope...depending on exactly how it's stored...though I imagine that should kill it for certain.

I personally am not at all familiar with it (thank goodness; it sounds bad, but it also seems rather limited in its spread).  Perhaps someone else more into the tech field knows more specifics on this.

Good Luck.

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #34 on: February 17, 2003, 08:50:58 pm »
I downloaded and ran two different anti trojan programs and they both said I'm clean, except one said that there MAY be a trojan in this port. It did not give me any clue as to how to remove or close it.

So, I'm at a loss. My computer decides when it wants to do what I have told it to do, yet I cannot seem to find any logical explanation for it.

SghnDubh

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #35 on: February 17, 2003, 08:54:14 pm »

KRolling,

What anti-virus software are you running?

If you go shell out the $30 for McAfee, you can download their stuff right from their site and start scanning...it has not failed me yet.


What symptoms, exactly, are you having?

 

SghnDubh

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #36 on: February 17, 2003, 08:58:42 pm »
Found this:

HOW TO REMOVE:
Sockets de Troie (Socket23) backdoor for Windows

Description:

The Sockets de Troie ("Trojan Sockets") backdoor is one of many backdoor programs that attackers can use to access your computer system without your knowledge or consent.

Once installed on a system, the Sockets de Troie backdoor binds to UDP port 1 and listens for client connections. The Sockets de Troie client connects to this port and sends a string ("/udp/ connect") followed by the TCP port the client is listening on. The backdoor server then connects back to the client on this port. At this point, an attacker can begin sending commands.


Platforms Affected:
Windows 95
Windows 98


Remedy:


Use a commercial antivirus program to remove this backdoor. To remove the Sockets de Troie backdoor:

If you do not have an antivirus program installed, download and install one of these virus scanners:
Norton AntiVirus: http://www.symantec.com/nav/indexA.html
McAfee VirusScan: http://software.mcafee.com/centers/download/
Trend Micro PC-Cillin: http://www.antivirus.com/pc-cillin/products/
Run the antivirus program to scan your system for this backdoor. The virus scanner should find and remove the Sockets de Troie backdoor from your computer.

Consequences:
Gain Access

References:
PCHelp's Web site, "Reproduction and translation of JCrun Softwares site" at http://www.nwi.net/~pchelp/st/jcrun.htm

Copyright (c) 1994-2003 Internet Security Systems, Inc. All rights reserved worldwide.
 
AND THIS  


Sockets de Troie (French for "Trojan Sockets")

Sockets de Troie currently affects Windows 95/98 PCs.

The "server" portion is typically named "mschv32.exe".

Ports 5000 and 5001 (by default) are used to establish the connections between the "client" and "server".


Who is Responsible?

Unknown at this time...

There are two methods (that I know of) by which Sockets de Troie can be unknowingly installed.

In the first, when the "server" portion is run, it shows an error dialog stating that SETUP32.DLL is missing. At the same time the "server" portion copies itself to the WINDOWS\SYSTEM directory as MSCHV32.EXE and modifies the Windows Registry so that it is executed on every subsequent Windows boot.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad
MSchv32 Drv = C:\WINDOWS\SYSTEM\MSchv32.exe

In the second, when the "server" portion is run, it shows an error dialog stating that ISAPI32.DLL is missing. The "server" portion copies itself three times to the WINDOWS\ and WINDOWS\SYSTEM directories under the following names:

c:\windows\rsrcload.exe
c:\windows\system\mgadeskdll.exe
c:\windows\system\csmctrl32.exe

The virus also modifies the Windows Registry so that these files are executed on every subsequent Windows boot:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad
Mgadeskdll = C:\WINDOWS\SYSTEM\Mgadeskdll.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunLoad
Rsrcload = C:\WINDOWS\Rsrcload.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesLoad
Csmctrl32 = C:\WINDOWS\SYSTEM\Csmctrl32.exe
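One way to turn the autostart entries listed above (the same list is quoted in [RS]Cincinnatus's reply earlier in the thread) into something you can actually check against a machine. This is an added example, not code from the thread or from the PCHelp/X-Force write-ups: it parses a registry export in .reg text form and flags every value under the RunLoad and RunServicesLoad keys the write-up names, marking those whose file name matches one of the four given; the SAMPLE_EXPORT is constructed for the example rather than taken from a real machine.

```python
"""Scan a Windows registry export (.reg text) for the Sockets de Troie autostart
entries quoted above. Added defender-side example, not code from the thread,
PCHelp or X-Force; the sample export at the bottom is constructed."""
import re

# Autostart keys named in the quoted write-up. RunLoad and RunServicesLoad are
# rarely used by legitimate software, so any value under them deserves a look.
SUSPECT_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\runload",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runload",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservicesload",
}
# File names given in the quoted description, compared case-insensitively.
KNOWN_DROPPER_NAMES = {"mschv32.exe", "rsrcload.exe", "mgadeskdll.exe", "csmctrl32.exe"}

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"\s*$')


def parse_reg_export(text):
    """Return (key_path, value_name, data) tuples from REGEDIT4-style text."""
    entries, current_key = [], None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            # .reg files write a backslash inside string data as two backslashes.
            entries.append((current_key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def find_suspect_autostarts(text):
    """Flag values under the suspect keys; returns (key, name, data, reason)."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in SUSPECT_KEYS:
            continue
        basename = data.rsplit("\\", 1)[-1].lower()
        if basename in KNOWN_DROPPER_NAMES:
            reason = "known Sockets de Troie file name"
        else:
            reason = "unexpected value under rarely used autostart key"
        findings.append((key, name, data, reason))
    return findings


# Constructed sample: the three second-variant entries from the write-up plus
# one unfamiliar name parked under RunServicesLoad.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad]
"Mgadeskdll"="C:\\WINDOWS\\SYSTEM\\Mgadeskdll.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunLoad]
"Rsrcload"="C:\\WINDOWS\\Rsrcload.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesLoad]
"Csmctrl32"="C:\\WINDOWS\\SYSTEM\\Csmctrl32.exe"
"Updater"="C:\\WINDOWS\\SYSTEM\\updater.exe"
"""
```

On a real machine the text would come from `regedit /e`; the file names are only a hint, since a renamed copy still shows up as an unexplained value under those keys.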


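The X-Force entry quoted in this post also describes a network handshake (a "/udp/ connect" string plus a TCP port sent to UDP port 1, then a connect-back from the victim), which can be turned into a detection. Added example, not code from the thread or from X-Force; the Flow record layout and the sample capture are constructed for it.

```python
"""Spot the Sockets de Troie connect-back handshake in network flow records.
Added defender-side example, not code from the thread or X-Force. It follows the
quoted description: the client sends "/udp/ connect <tcp-port>" to UDP port 1
on the victim, and the backdoor then opens a TCP connection back to the client
on that port. The Flow layout and the sample capture below are constructed."""
from collections import namedtuple

Flow = namedtuple("Flow", "ts proto src sport dst dport payload")

CONNECT_PREFIX = "/udp/ connect"
MAX_GAP_SECONDS = 30.0  # how long after the UDP trigger a connect-back still counts


def parse_trigger(flow):
    """Return the announced TCP port if this flow is the UDP/1 trigger, else None."""
    if flow.proto != "udp" or flow.dport != 1 or not flow.payload:
        return None
    text = flow.payload.decode("latin-1").strip()
    if not text.startswith(CONNECT_PREFIX):
        return None
    tail = text[len(CONNECT_PREFIX):].strip()
    return int(tail) if tail.isdigit() and 0 < int(tail) < 65536 else None


def detect_connect_back(flows):
    """Pair each UDP/1 trigger with the victim's TCP connect-back.

    Returns (victim_ip, attacker_ip, tcp_port, confirmed) tuples. confirmed is
    False when no connect-back followed; the trigger alone is still worth an
    alert, since legitimate traffic to UDP port 1 carrying that string is not
    something a Windows 95/98 host would normally see.
    """
    alerts = []
    ordered = sorted(flows, key=lambda f: f.ts)
    for i, f in enumerate(ordered):
        port = parse_trigger(f)
        if port is None:
            continue
        victim, attacker = f.dst, f.src
        confirmed = any(
            g.proto == "tcp" and g.src == victim and g.dst == attacker
            and g.dport == port and 0 <= g.ts - f.ts <= MAX_GAP_SECONDS
            for g in ordered[i + 1:]
        )
        alerts.append((victim, attacker, port, confirmed))
    return alerts


# Constructed capture: ordinary DNS, a trigger with its connect-back, then a
# second trigger against another host that never answers.
SAMPLE_FLOWS = [
    Flow(100.0, "udp", "10.0.0.5", 1034, "10.0.0.1", 53, b"\x12\x34query"),
    Flow(101.2, "udp", "203.0.113.9", 4001, "10.0.0.5", 1, b"/udp/ connect 5001"),
    Flow(101.9, "tcp", "10.0.0.5", 1035, "203.0.113.9", 5001, b""),
    Flow(150.0, "udp", "203.0.113.9", 4002, "10.0.0.7", 1, b"/udp/ connect 5001"),
    Flow(151.0, "tcp", "10.0.0.7", 1040, "198.51.100.2", 80, b"GET / HTTP/1.0"),
]

if __name__ == "__main__":
    for victim, attacker, port, confirmed in detect_connect_back(SAMPLE_FLOWS):
        print(f"{victim}: UDP/1 trigger from {attacker}, TCP port {port},",
              "connect-back seen" if confirmed else "trigger only")
```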
 

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #37 on: February 17, 2003, 08:58:54 pm »
Just because a program does not detect something does not mean you do not have a trojan...as I stated, first things first...since this creates a backdoor, it probably is running on startup or when you connect to the internet.  Check your msconfig.

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #38 on: February 17, 2003, 09:03:15 pm »
I have Norton AntiVirus.

First, around the middle of last week (Feb 11) my NAV stated I needed to do a LiveUpdate on my virus definitions. I clicked OK. The next day it did it again! Clicked OK. Same thing every day, but Saturday night it started running sluggishly. I figured it needed a break, so I didn't think about it until Sunday morning.

Sunday, I booted it up. It moved very slowly. Very, very slowly. I ran NAV. It came out clean. So I shrugged my shoulders and started cleaning it up with all the programs made to do that sort of thing.

I even downloaded AVG, a free antivirus program which did very well by me before. It came up clean.

I have to constantly reboot my system to remind it of what it is doing. I get no errors. Just extremely slow.

Now I've run two anti-trojans with really no success, except that there "could be, but not necessarily" a trojan on that port.

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #39 on: February 17, 2003, 09:06:38 pm »
Quote:

Just because a program does not detect something does not mean you do not have a trojan...as I stated, first things first...since this creates a backdoor, it probably is running on startup or when you connect to the internet.  Check your msconfig.

But I don't know what I am looking for.