Re: AIM Send out random messages
From: Jim Carlock (anonymous_at_localhost)
Date: 05/23/05
- Next message: Valery Pryamikov: "Re: Hash of Public key"
- Previous message: Abut: "Re: MSO 2003 Remove Hidden Data Add-in"
- In reply to: Lord Loki: "Re: AIM Send out random messages"
- Next in thread: Lord Loki: "Re: AIM Send out random messages"
- Reply: Lord Loki: "Re: AIM Send out random messages"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 23 May 2005 12:24:45 -0400
"Lord Loki" <LordLoki@discussions.microsoft.com> wrote:
> Jim, you think it's a trojan and I'm being hacked? or at least my computer
> is being used for whatever?
Well, this is what I'd do:
1) Search the computer for files with dates later than the current date. If
you find a .dll in the windows\system32 or windows\system folder dated
later than today, then you've definitely been hacked. Hackers sometimes
future-date files trying to prevent Microsoft updates from taking effect.
2) Let us know if you find any suspiciously dated files or folders.
3) Check to see if there are some files that you do not recognize. Maybe
all of them are unrecognized <g>. That'll help the folks here by letting
them know your current skill set.
4) Visit http://housecall.trendmicro.com/ and use their online antivirus
scan to scan your system. They seem to have beta software for new
antivirus software... Their online scan does a pretty good job.
5) Download ZoneAlarm from www.zonelabs.com. If you are having
problems installing ZoneAlarm, delete the folder where it's installed...
maybe C:\Program Files\ZoneLabs, and then try reinstalling it again.
If it fails again, download a new copy from ZoneLabs, then open a
DOS prompt to the folder where the two downloads are and type in:
fc /b <filename1> <filename2>
where filename1 is the name of the first download and filename2 is
the name of the second download. If the DOS fc (file compare)
command indicates the files are different, then you'll need to clear
your browser cache (Internet Explorer or Firefox cache) and
download the file again. Do the file compare to detect which two
copies are identical. This lets you know that your downloads are
valid and non-corrupted.
I'll stop there for the moment. ZoneAlarm used to make a really
nice firewall but in 2000 they seemed to have gone overboard
and I've lost interest in their firewall products myself. Maybe
someone else will know and provide an honest opinion of their
current software. I like the 1998/1999 versions of their software.
> what kind of "non-viral backdoor" something OTHER than spyware,
> adware, trojans, worms, and viruses (obviously)??? what else is
> there....?
Serv-U, other FTP server software. You can press CTRL+ALT+DEL
and open the task manager. Provide us with a list of processes running
on your system.
Also let us know if you have NTFS installed.
1) Open "My Computer"
2) Right-click on a hard disk drive and let us know if there is a Security
tab.
--
Jim Carlock
Please post replies to newsgroup.

Ok, I retried to scan my computer in safe mode (this time using the msconfig method...) and Norton still won't open >.<

I downloaded the latest virus definitions for Intelligent Updater... however when I go to install them it says I cannot, and that it's expired... "Your virus protection cannot be updated. Your subscription has expired. You must renew your subscription to continue using Intelligent Updater. Run LiveUpdate from Norton AntiVirus to renew your subscription and then run Intelligent Updater again." I ran LiveUpdate again, just to be sure, it's fully updated, tried installing again and got the same message... I JUST bought Norton a few months ago, it's definitely not expired... is LiveUpdate something I have to pay for myself? (darn... more and more problems keep on coming...)

I'm not so sure I'm ready for the HijackThis thing... with my luck I'd accidentally delete something very important...

also... I deleted AIM, but AIM was no longer connected to the virus once it got in, right? so if I reinstalled it, it'd be ok... because the one virus I did delete was most likely THE AIM virus? (since it gets passed through AIM, and that's what it does...) so I could reinstall AIM? or should I wait longer?

Jim, you think it's a trojan and I'm being hacked? or at least my computer is being used for whatever? what kind of "non-viral backdoor" something OTHER than spyware, adware, trojans, worms, and viruses (obviously)??? what else is there....?

yet again, thank you both for your assistance ^^

"Jim Carlock" wrote:
> FWIW there is software out there that is NOT considered virus but
> is used to open a PC up for "folks" to access it anytime "they" want.
>
> There is some FTP server software. Virus scanners will never catch it,
> but a good firewall should catch it and present a message that something
> is trying to open up a certain port (Serv-U ?).
>
> So if something opened up the system, "the attackers" commonly put a
> non-viral backdoor in place that will never be detected by virus scanners.
>
> --
> Jim Carlock
> Please post replies to newsgroup.
>
> "PA Bear" <PABearMVP@gmail.com> wrote:
> Lord Loki wrote:
> > I deleted it... however... I don't think it's that... >.< even though it does
> > sound right (I read the Symantec thing before I deleted...) because
> > whenever I turn on the comp it still tries to "install" something... otherwise
> > everything's fine... I think...
>
> Not surprising.
>
> > by manually updating... you mean going to the site and manually downloading,
> > or going into Norton using LiveUpdate, but don't just let LiveUpdate wait
> > for a few weeks to do it itself? (NAV users?)
>
> Yes, manually seek and install updated definitions. See Intelligent Updater
> section here: http://securityresponse.symantec.com/avcenter/download.html
> (posted earlier, too).
>
> > also... this morning, we found a virus on the home computer, this was a
> > bloodhound... do you think my virus would cause that to get through the
> > network into the home comp, or that it's unrelated?
>
> There are literally /hundreds/ of Bloodhound variants and, yes, most likely
> "your" Bloodhound was "dropped" by the Trojan.
>
> > lastly... how do you run a system scan in safe mode? I tried... and I
> > couldn't even open Norton >.<
> > every time I tried it froze.... >.< and went to "send error report?"
> > would a virus cause that (or hacker), or would that just be me, somehow
> > screwing things up?
>
> Again, see instructions on this page for booting to Safe Mode:
> http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
>
> It would be highly unusual for NAV not to work in Safe Mode but [stuff]
> happens.
>
> > Thanks for your help
>
> YW. Let us know how you make out. Note that it might take several updates
> and scans over several days in the coming week or so for NAV to be able to
> find and remove everything.
>
> You might follow the QuickFix protocol here http://aumha.org/a/quickfix.htm,
> then scan your system with HijackThis (don't let the name scare you) and
> post your log to an appropriate forum. Do not post your log here, please.
> --
> ~PA Bear
>
>
> "PA Bear" wrote:
> >> Well, yes, that could be /your/ Trojan...
> >>
> >> Symantec Security Response - W32.Allim.A:
> >> http://securityresponse.symantec.com/avcenter/venc/data/w32.allim.a.html
> >>
> >> This one displays a message "hey check out _this_!" where "this!" is a link
> >> to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php. A
> >> recipient must click on the link, download a file, and then execute the
> >> file which then installs a W32.Spybot.Worm variant
> >> (http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).
> >>
> >> But Allim.A dates from a few weeks ago (Discovered on: April 26, 2005).
> >>
> >> From another post in this thread:
> >>
> >> Symantec Security Response - W32.Opanki (Discovered on: May 18, 2005)
> >> http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html
> >>
> >> Here, the message is "check this out, is that you?", where "this" is a
> >> configured link that will download a copy of the worm if a user clicks on
> >> it.
> >>
> >> To be safe, I'd manually install virus definition updates via Intelligent
> >> Updater (http://securityresponse.symantec.com/avcenter/download.html) and
> >> then run a full system scan in Safe Mode
> >> (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).
> >>
> >> Note that NAV users who rely on LiveUpdate won't get definitions which
> >> include W32.Opanki until 25 May, according to the page!!!
> >>
> >> Let us know how you make out.
> >> --
> >> Lord Loki wrote:
> >>> well.... I came back from dinner today and Norton had a large message for
> >>> me saying (memorized it)
> >>> VIRUS FOUND:
> >>> object: C:\im.exe
> >>> virus: W32.Allim
> >>>
> >>> I went to the C drive, scanned the im file to be sure, it said it was an
> >>> unrepairable virus, I quarantined, then deleted.... it's gone forever now
> >>> right? and...... you think that is THE virus that was causing the strange
> >>> happenings? O.o ^^