Topic: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #40 on: February 17, 2003, 09:08:14 pm »
Quote:

I have Norton AntiVirus.

First, around the middle of last week (Feb 11) my NAV stated I needed to do a LiveUpdate on my virus definitions. I clicked OK. The next day it did it again! Clicked OK. Same thing every day, but Saturday night it started running sluggish. I figured it needed a break, so I didn't think about it until Sunday morning.

Sunday, I boot it up. It moved very slow. Very, very slow. I run NAV. It came out clean. So I shrugged my shoulders and started cleaning it up with all the programs made to do that sort of thing.

I even downloaded AVG, a free antivirus program which did very well by me before. It came up clean.

I have to constantly reboot my system to remind it of what it is doing. I get no errors. Just extremely slow.

Now I've run two anti-trojans with really no success, except there "could be, but not necessarily" a trojan on that port.

Do you really want help or are you just making noise?

There are several Trojans and programs that are NOT detected by Anti-virus programs, and usually can evade Ad-Aware and other programs.

Many times this is accomplished by you having clicked on something whilst browsing, or an activation of a Java link.  In your case, it sounds like you downloaded something and it INSTALLED itself into your computer.  This is why you should...again...check your msconfig to see what is running on startup.

Check your taskbar to see what is running.  Stop any programs that you cannot identify.

This helps if you know what is on your machine.  Disconnect from the internet...and clean the machine manually, deleting relations to the program that should not be there.  Do you need a guide on how to do this?

 

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #41 on: February 17, 2003, 09:16:42 pm »
Okay...


First, it seems you've done the first steps of trying a virus scan by a good company.  If you have not...do it now.  That is the first step if you are able.  If you have done this, or the machine is unable to do it...do the following.

Go to your startbar...hit run.

In the runbox type in

msconfig.

Go to startup.  If you see something that looks like ToS:b5 or something similar, suspect it.  You can refer here to find out if it is as you suspect.

Next, disable those programs from starting up.

Now it is quite possible that it is installed but not running at startup.

Press Ctrl+Alt+delete...once.

See if you have something like that running.

If you don't know...try listing what is shown in that bar here (I sure hope you are not one who has half a million programs running at the same time or it could take a while to decipher some of it).

Next, clean your cache.  You may have downloaded a Java program. Make sure it is cleaned.  Click on show hidden folders, and go through.  Delete anything in the directory tree below the Temporary Internet Files (now when I say below, I don't mean literally below, but anything that is a subdirectory of the Temporary Internet Files).

Now the installation of certain programs and trojans, as well as backdoors, get around things by pretending to be an actual program, aka, they do an actual install.  Many times they fool you on a site by making you think you are installing something different.  Some Trojans are uncleanable...in fact a large number are if they are new or recently modified, at least uncleanable by virus protection programs.

Now after doing this, and disabling any non-known programs (for safe measure you can disable everything in your Windows Taskmanager except for System and Explorer if you are using a Win9x machine, otherwise it gets a little more complex).

If you've done this, next, if you've identified the offensive bugger, do a search on your hard drive for anything that refers to it.


continued below...

RogueJedi_XC

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #42 on: February 17, 2003, 09:23:19 pm »
According to Pest Patrol:
Quote:

Blazer 5
Category: RAT.
A Remote Administration Tool, or RAT, is a Trojan that when run, provides an attacker with the capability of remotely controlling a machine via a "client" in the attacker's machine, and a "server" in the victim's machine. Examples include Back Orifice, NetBus, SubSeven, and Hack'a'tack. What happens when a server is installed in a victim's machine depends on the capabilities of the trojan, the interests of the attacker, and whether or not control of the server is ever gained by another attacker -- who might have entirely different interests. Infections by remote administration Trojans on Windows machines are becoming as frequent as viruses. One common vector is through File and Print Sharing, when home users inadvertently open up their system to the rest of the world. If an attacker has access to the hard-drive, he/she can place the trojan in the startup folder. This will run the trojan the next time the user logs in. Another common vector is when the attacker simply e-mails the trojan to the user along with a social engineering hack that convinces the user to run it against their better judgment.
Description: See http://pestpatrol.com/pestinfo/b/blazer.asp.
Release Date: 9/27/2001 (estimated)
Author: ClaudioClaudioCC

Search your computer for the file "port5000.exe", also check your startup folder, registry, and config.sys for references to this file. Attempt to connect to your system on port 5000 (open a command prompt and type "\\[computername]:5000").

This thing is bad news. It gives another person complete control over your computer. They can delete files, add files, they can even run a clone of your desktop and see what you are doing and record what you're typing.

I could not find any references to this thing on either Symantec's (Norton AV's parent corp) or McAfee's web sites, so they may not detect it. If you cannot get or find a program to remove this thing, and you cannot remove it manually, you may have to format your hard drive(s). Either way, get this thing off your computer asap.  
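A present-day way to do the port 5000 check above from the defender's side, as an added example that is not from any poster in this thread (PowerShell did not exist in 2003): it lists every TCP listener or connection involving the port together with the owning process and its image path, so the file can be identified before anything is deleted. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available.

```powershell
# Added example, not from the thread. Requires the NetTCPIP module
# (Windows 8 / Server 2012 or later). Run from an elevated prompt so
# that the owning process can be resolved for every connection.
param([int]$Port = 5000)   # port named in the Blazer 5 writeup above

$conns = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -eq $Port -or $_.RemotePort -eq $Port }

if (-not $conns) {
    Write-Output "No TCP listeners or connections involve port $Port."
    return
}

foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    # System PIDs (0, 4) or an already-exited process leave $proc empty.
    $name = if ($proc) { $proc.ProcessName } else { '<unknown>' }
    $path = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' }

    # A hit is a lead, not a verdict: the Windows XP UPnP service that
    # MS01-059 (linked later in this thread) patched also listened on
    # TCP 5000, as do many development web servers.
    [pscustomobject]@{
        State     = $c.State
        Local     = "$($c.LocalAddress):$($c.LocalPort)"
        Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
        PID       = $c.OwningProcess
        Process   = $name
        ImagePath = $path
    }
}
```

Whatever image path comes back can then be checked against the startup folder, registry and config.sys references the post asks you to look for.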

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #43 on: February 17, 2003, 09:27:10 pm »
Okay, now if you still haven't found it look in your installation/remove programs control panel.  See what has been installed recently.  Now if you see something that you cannot identify and that has been installed recently (I take it you do know what has been installed recently), then chances are that this is your bugger.

If you still haven't found your culprit, it is then we get desperate.  Now this may or may not help before you even do all the rest of the steps; it is also the easiest one to avoid by a skillful hacker/virus creator/evil person.  Go to Find or Search, dependent on which OS you are using, in your start taskbar.

Once you have it up...look up "Sockets de Troie, Blazer 5" or a portion of the wording thereof.  If you can find it...do not go to it immediately.  Look very carefully at what directory it is located in.  Click on the hard drive and go to that directory.  If it has its own directory...look at all the programs in it, and see what shortened versions of its name it uses.  So if you see something like B5, you can know this is probably the abbreviation it is using.

With that, you have an idea of what its shortened exe could be and the program that is actually running it.  Delete all references to this.

After doing this, look in your registry.  You can do this by going to the run program again, and typing in regedit.  Now this is a tricky part, because if you do the wrong thing, you can seriously screw up your OS...like big time.

Click at the very top of all the registry so it is at the root of all the files.  Next go to Edit and click on find.

Find all traces of the program "Sockets de Troie."  Next find all traces of the program Blazer 5.

Next, delete the small names of the files...this is the part where it's hardest to ascertain whether you are deleting a needed or unneeded file...but it also must be done.

So if it had the shortened program name of B5, you would find all traces of B5, and delete it.  This is where the Anti-Virus programs typically turn up the most useful, as they can find the registry files if they have the viruses and trojans registered already.

For the shortened file exe names in your Task Manager and msconfig, typically a quick look on Yahoo by typing in that set of lettering will reveal what that Program shortname means, which is also useful.

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #44 on: February 17, 2003, 09:31:36 pm »
Quote:

Okay...


First, it seems you've done the first steps of trying a virus scan by a good company.  If you have not...do it now.  That is the first step if you are able.  If you have done this, or the machine is unable to do it...do the following.

Go to your startbar...hit run.

In the runbox type in

msconfig.

Go to startup.  If you see something that looks like ToS:b5 or something similar, suspect it.  You can refer here to find out if it is as you suspect.

Next, disable those programs from starting up.

Now it is quite possible that it is installed but not running at startup.

Press Ctrl+Alt+delete...once.

See if you have something like that running.

If you don't know...try listing what is shown in that bar here (I sure hope you are not one who has half a million programs running at the same time or it could take a while to decipher some of it).

Next, clean your cache.  You may have downloaded a Java program. Make sure it is cleaned.  Click on show hidden folders, and go through.  Delete anything in the directory tree below the Temporary Internet Files (now when I say below, I don't mean literally below, but anything that is a subdirectory of the Temporary Internet Files).

Now the installation of certain programs and trojans, as well as backdoors, get around things by pretending to be an actual program, aka, they do an actual install.  Many times they fool you on a site by making you think you are installing something different.  Some Trojans are uncleanable...in fact a large number are if they are new or recently modified, at least uncleanable by virus protection programs.

Now after doing this, and disabling any non-known programs (for safe measure you can disable everything in your Windows Taskmanager except for System and Explorer if you are using a Win9x machine, otherwise it gets a little more complex).

If you've done this, next, if you've identified the offensive bugger, do a search on your hard drive for anything that refers to it.


continued below...


I ran the msconfig and did not find anything suspicious. I am running a search for port5000.exe at this time.

How do I clean my cache? Sorry please be patient with me.

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #45 on: February 17, 2003, 09:42:29 pm »
I'll have to pick this up tomorrow. My brain has followed my computer into mushville.

Thanks.

Dash Jones

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #46 on: February 17, 2003, 10:01:58 pm »
Go to your control panel.  Open up Internet Options.  It should open up to General.  You will there see delete Temporary Internet files about halfway down.  Click Delete Files.  Click Delete cookies.

Then open up settings.  Now there is the complete way, and the safe way.

Either way, first open up "View Files".

This should open your cache.  Next click on a picture above the open files called Folders.  This will show you the folders.  Click on Temporary Internet Files and see if there are any subdirectories/subfolders.  If there are...delete them.  Persist in deleting them even if it requires a restart, disconnecting from the internet and not opening IE first.

Next comes the choice of a complete clean or a safe clean.

Now that your Temporary Internet files is cleaned, click on the View Objects.  This will show you programs installed to run with your Internet Explorer.

To do a complete clean, delete EVERYTHING in this directory.  This will ensure anything running with IE in either the Temporary Internet Folder and the Windows/Downloaded Programs files are gone.  The downside to this is that it also will delete programs that were installed and ran on your machine before such as the quicktime interaction with the browser, the realplayer interaction, the shockwave/Flash macromedia and other programs.  You will have to redownload, re-enable them after you have cleaned the system.

A safe way, can only be done if you know which programs do what.  Some of these should be obvious...such as Quicktime should be labeled if you have been using it in your browser (now if you have 2 or 3 installed, then you may have some questions and problems).  Keep the ones that are safe, and delete the rest.

The final step is only as a maximum harshness.  There is a file that may be called hosts that is connected to your IE program.  It is used to record TCP/IP addresses.  Typically this won't matter, but in some instances, it will store a bad address and be a key in to a trojan, causing you problems.  Clean this file by either deleting it (which may or may not have adverse effects), or deleting all IP addresses.  This file IS NOT the DRIVER file, and if it is in the DRIVERS folder or any thing related to it, you should not open it.  I think it is in the IE folder in Win9x and in a folder that is called something like I981 or something like that in XP.  Be very careful however, as if you mess with the wrong one, you can screw up your drivers.

The hosts file can be opened with Notepad or WordPad, and can be saved again, or should be able to be saved again, and the extension restored as you see fit.  Make sure the "always use this program to open this file" choice is NOT clicked in the lower left hand side of the box asking which program to use to open it with.  You will know that this is the file you seek if you can read what is inside, and it lists internet addresses.

This is one way to clean up your Internet browser and the Files saved in it.  Hope that fully answers the question.

FPF_TraceyG

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #47 on: February 18, 2003, 02:55:26 am »
Hey Kim, not sure if you've got your problem fixed yet, but if I was you, the first thing I would do is put up a software firewall on your computer. At least even if you have a backdoor trojan running on your computer, you can block it from using any ports. A free firewall download can be found at www.kerio.com if you don't already have one. I'm told this is a good one, and seems easy to use. There are others of course, but I like this one best.
That will keep hackers out and you can remove the trojan at your leisure.

Pestalence

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #48 on: February 18, 2003, 03:14:09 am »
KRolling.. I've been looking into your problem.. here is what I have come up with...

FBI Warning on this Sockets trojan :
http://grc.com/unpnp/unpnp.htm

How it is distributed :
http://softwaresecuritysolutions.com/RATS.htm

others with this problem :
http://computing.net/security/wwwboard/forum/2008.html

Removal software :
http://www.pestpatrol.com/PestInfo/PestFamilyCount.asp

Windows Security for Networking patch as related to this trojan (to help prevent the software from being installed on your system):
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp

Also running a Windows Update can help solve this problem, as it is included with the Windows Security updates:
http://windowsupdate.microsoft.com/

Everyone is getting carried away about this.. is it serious? Yes, it is listed as critical.. however, the fix has been out for a very long time.. since XP service pack 1 came out.

To find out information on things like this in the future, if you come up with a trojan on your machine again and you have a trojan name, just run an MSN search engine check on the name of the virus or trojan.. that is how I found the information above...

MSN Search: enter "Sockets de Troie, Blazer 5" into the search bar and click search.. and voilà, the information above came up.

I hope that this information helps...

DonKarnage

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #49 on: February 19, 2003, 06:02:30 pm »
If the reboot is slow, maybe your HD is full of junk; when you install and uninstall software there are always traces of them. So back up only what you want to keep (don't make a backup of the HD, because your problem will copy also): copy your saved games and mods and spec files of your SFC, and if you have other games whose saved games you want to keep, maybe your mail, and then format your HD. That will clean your HD and remove any ******** on your HD.

WDLL

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #50 on: February 20, 2003, 05:52:33 pm »
Well, I believe that the info from the above posts should be enough to help you.  

As a PS I just want to add two things.  1) My favourite antivirus program that I like VERY much is H+BEDV AntiVir Personal Edition, which you can find at A Personal Edition, and yes, it is free, the personal edition that is.
2) About all this slowness, you might want to check if there isn't any hardware fault at the same time.  Like overheating of the cpu/motherboard or a HD problem.  I am talking from experience on this matter.... :-(

Good luck.  

[RS]Cincinnatus

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #51 on: February 20, 2003, 07:28:42 pm »
 
Quote:

There are two methods (that I know of) that Sockets de Troie can be unknowingly installed.

In the first, when the "server" portion is run, it shows an error dialog stating that SETUP32.DLL is missing. At the same time the "server" portion copies itself to WINDOWS\SYSTEM directory as MSCHV32.EXE and modifies the Windows Registry so it would be executed during every further Windows bootup.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad
MSchv32 Drv = C:\WINDOWS\SYSTEM\MSchv32.exe

In the second, when the "server" portion is run, it shows an error dialog stating that ISAPI32.DLL is missing. The "server" portion copies itself three times to the WINDOWS\ and WINDOWS\SYSTEM directories under the following names:

c:\windows\rsrcload.exe
c:\windows\system\mgadeskdll.exe
c:\windows\system\csmctrl32.exe

The virus also modifies Windows Registry to make these files be executed on every further Windows bootup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad
Mgadeskdll = C:\WINDOWS\SYSTEM\Mgadeskdll.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunLoad
Rsrcload = C:\WINDOWS\Rsrcload.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesLoad
Csmctrl32 = C:\WINDOWS\SYSTEM\Csmctrl32.exe


Hey KRolling, let us know how your efforts are going! I'm a professional software developer on Win32 platforms, and I know about stuff like different types of installers, C++, Java, VB, ActiveX Controls, and lots and lots of Win32 networking. I can envision creating an application that works exactly as described in some of these posts, and it would easily slip past all the antivirus and antitrojan programs out there. If something appears to have an intended purpose and its registry entry isn't a static string (known as a "virus/trojan signature") that the scanning program looks for, then the program declares it "safe".

In reality trojan and virus scanners are very unreliable... with new technology comes greater flexibility, and programs can randomly change all sorts of names, tags, registry entries, or other identifiers that virus scanners use to say "hey! that's a virus!"

If you haven't tried doing a search on your hard drive for the files I pasted in a quote above, then you should now. I think that's very sound advice, since usually the only thing that remains constant with a trojan is the application name. The "client" application on the Hacker's Computer has to know what application to run on your computer to enable the interface, so the name will be the same for every instance of the same virus-trojan. Of course, you could have a trojan with the exact same name and characteristics, but a renamed .exe file - there are countless ways to obscure a malicious program to seem like you installed it on purpose.

Do you ever get prompts while browsing the 'net that ask you if you want to install something? It's some window about a certificate.. and it lists the name of the "company" trying to install it. Some hackers have found a way to COMPLETELY emulate a valid Microsoft certificate, so just because it says Microsoft doesn't mean you should trust it. And Microsoft isn't the only company that has been emulated. As a result, you should NEVER click "Always trust content from [company name]"! Even if you LOVE Gator and its insidious-yet-non-malicious spyware, there's still a possibility that a hacker might sign his trojanware by Gator for some reason.

Finally, go to www.zonelabs.com and download the trial version of ZoneAlarm. I LOVE ZoneAlarm to the extent that I registered for 2 years. If you've tried everyone else's advice (INCLUDING reformatting) and the trojan finds a way to undelete itself, or if you're extremely desperate and can't possibly reformat your hard drive due to important data, let me know and I will purchase for you a registered copy of ZoneAlarm so you can use Mobile Code Control, the best feature (imo) in the entire package. Mobile Code Control combined with a high level of firewall protection from ZoneAlarm (or, optionally, a TOTAL cessation of ALL network and internet traffic) was enough to stop the file-corrupting trojan Werewolf 1500.B.E from deleting and shredding all .dll, .vxd and .com applications on my computer about a year ago, so for that I am thankful. Apparently it was a timed trojan that collected passwords and non-secure info I submitted on the web, as well as file uploads, and would then force a reformat of my hard drive before I would have figured out the problem. But ZoneAlarm Pro put a stop to it until I could find a trojan detector to actually remove the program so I didn't have to run ZoneAlarm at maximum security all the time!

*VERY IMPORTANT*
I've been to this site before, but I forgot the name... and now I found it again!!!
Go here and make sure everything you have in your Task Manager (ctrl+alt+delete) is listed and make sure you actually WANT everything you have! Very very useful!!

http://www.pacs-portal.co.uk/startup_pages/startup_full.htm
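The registry search described in the quoted writeup and in Dash Jones' regedit steps earlier in the thread, as an added present-day example that is not from any poster here: it walks the classic per-user and per-machine autostart keys (including the RunLoad and RunServicesLoad keys the writeup names), resolves each value to its executable, and flags entries matching the file names quoted above. The indicator list is the writeup's own; everything else (the helper function, the set of subkeys checked) is this example's assumption, and keys that do not exist on NT-based Windows are simply skipped.

```powershell
# Added example, not from the thread. Audits autostart registry values and
# flags the file names from the quoted Sockets de Troie writeup. RunLoad and
# RunServicesLoad are Win9x-era keys and will usually be absent; that is fine.

# Indicator names taken from the quoted text above; extend for other cases.
$indicators = @('mschv32', 'rsrcload', 'mgadeskdll', 'csmctrl32')

$subkeys = @('Run', 'RunOnce', 'RunServices', 'RunServicesOnce',
             'RunLoad', 'RunServicesLoad')

# Properties Get-ItemProperty adds for its own bookkeeping, not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-CommandImagePath {
    # Extract the executable from a Run value: a quoted path if present,
    # otherwise the first whitespace-delimited token; expand %SystemRoot% etc.
    param([string]$Command)
    $m = [regex]::Match($Command, '^\s*"([^"]+)"')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { ($Command.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

$results = foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($sub in $subkeys) {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$sub"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }
            $cmd = [string]$p.Value
            $exe = Get-CommandImagePath $cmd
            $exists = if ($exe) { [bool](Test-Path -LiteralPath $exe) } else { $false }
            # Match on the value name as well as the command: the writeup shows
            # the name (e.g. "Rsrcload") and the path carrying the same token.
            $hit = $indicators | Where-Object { ($p.Name -match $_) -or ($cmd -match $_) }

            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                FileExists = $exists
                Suspicious = [bool]$hit
            }
        }
    }
}

# Suspicious entries first. An entry whose file no longer exists is also
# worth a look, since a cleanly uninstalled program removes its Run value.
$results | Sort-Object Suspicious, FileExists -Descending | Format-Table -AutoSize
```

Read-only by design: it reports rather than deletes, which is the safe order for the regedit step the earlier reply warns can break the OS.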
 

KRolling

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #52 on: February 20, 2003, 08:01:34 pm »
I appreciate everybody's help. However, I sometimes get overwhelmed by it because I am so absolutely stupid when it comes to computers.

I finally followed some good advice that I could understand in Layman's Terms: get a firewall up!!! Duh on me!! LOL!! Thanks Tracey.

I downloaded Norton's trial version, since I already had their AV. Nothing seemed to change at first, then about the second day it appears that my problems may be gone.

Does this mean that I do not have the trojans any more? Did I have trojans in the first place? Who knows?

Anyway, thanks again guys, I really do appreciate the advice.

 

RogueJedi_XC

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #53 on: February 20, 2003, 08:20:23 pm »
No, you probably still have the trojan it's just being blocked by the firewall. Does the Norton firewall keep logs? If so, that can be used to help track this nefarious program down so you can get rid of it.  

Aliasalpha

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #54 on: February 20, 2003, 08:34:48 pm »
I don't suppose you have a second hard drive do you? Formatting & reinstalling is the single best way to get rid of all that nasty stuff.

I couldn't live without 2 HDs....

Towelie

  • Guest
Re: SOS!! Quick! Help! <cough> <sputter> <wheeze> Mayday!!
« Reply #55 on: February 20, 2003, 09:27:40 pm »
I didn't see it listed, but this one finds a lot that OTHER AV programs DO NOT find.

http://housecall.trendmicro.com/

Good luck and I hope it nails that trojan for you SOON!

Turns out I had some hidden viruses lying dormant (hehe, I wasn't one that downloaded them) that Norton couldn't find even with the latest software and updates. For this reason, I no longer recommend Norton.