Re: AIM Send out random messages
From: Jim Carlock (anonymous_at_localhost)
Date: 05/24/05
- Next message: Richard Jones: "Re: Huge security hole in Kerio 2.1.5"
- Previous message: PorkTeriyaki: "Re: Losing Control of my Computer"
- In reply to: Lord Loki: "Re: AIM Send out random messages"
- Next in thread: Lord Loki: "Re: AIM Send out random messages"
- Reply: Lord Loki: "Re: AIM Send out random messages"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 23 May 2005 21:38:40 -0400
"Lord Loki" <LordLoki@discussions.microsoft.com> wrote:
> if i tell just anyone, and they WERE a hacker... they couldnt hack
> with that knowledge right? because... i really dont know, and i
> dont want to take chances
I don't really know the full answer to that. :-) So I'll post mine. I've
removed a lot of the duplicate stuff, so you'll likely see svchost.exe
listed a few times in yours.
If you see something different on your system you might want
to ask what it is.
File Cache
Idle Process
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
ati2evxx.exe
svchost.exe
spoolsv.exe
avgserv.exe
Runservice.exe
mdm.exe
OWSTIMER.EXE
alg.exe
explorer.exe
soundman.exe
AsusProb.exe
EM_EXEC.EXE
PRONoMgr.exe
avgcc32.exe
ATnotes.exe
gcasDtServ.exe
dllhost.exe
Tcpview.exe
gcasServ.exe
taskmgr.exe
notepad.exe
uPad.exe
firefox.exe
cmd.exe
MSDEV.EXE
msimn.exe
pstat.exe
If you have another firewall working... don't worry about Zone
Alarm.
Also, you might want to check out what's happening here:
https://www.grc.com/x/ne.dll?bh0bkyd2
That should take you to the ShieldsUp test. Run the test there and let
us know what it tells you. They have a lot of information there, so
you might want to look through some of it and see if it helps.
Once you get there, click on the buttons on the silver bar near the
bottom:
File Sharing
Common Ports
All Service Ports
The "All Service Ports" test should show up as all green, and you'll
need to read the stuff on that page. Take some time to read it all.
If you have any questions, feel free to ask. Let us know what it tells
you.
Everything showed up as "green" when I ran the "All Service Ports" test.
It indicated that my system "failed" at:
Unsolicited Packets: RECEIVED (FAILED)
<shrug> I'm only running the Windows XP SP2 Firewall and I think it's
doing a fairly decent job.
If someone else wants to advise me against this, I'd appreciate knowing
what's up.
The grc.com has been around since 1998 or thereabouts and I've used
them to test systems I've set up.
Hope that helps.
--
Jim Carlock
Please post replies to newsgroup.

"Lord Loki" <LordLoki@discussions.microsoft.com> wrote:

ok... obviously, i only have mediocre knowledge of this stuff.... so before
i post everything that is going on in task manager... is that info i can
freely give out? none of that would permit a hacker (if he wanted) to hack
or get in right? none of that stuff that's always there and is part of my
comp like svchosts and stuff.... and yes... my skills suck i know that
much...

also, i DID use trendmicro... the second i first knew i got the virus, and
it didnt even find a single trojan, normally it finds them... even worms,
but they're all probably from my IE cache since i deleted it then... so
trendmicro didnt help XD >.<

for the ZoneAlarm thing... you want me to install the firewall (thats what
it is right?) or do you want me to check to see if i can download
properly?? because i've downloaded several other things and they've
worked... just not a program or anything... also.. if you DO want me to
install it as a firewall... is it really necessary? i really dont want to
trust too much stuff on the web... >.<

and lastly... about the searching thing... i'm searching now, but exactly
HOW do i search for things dated later than today? i'm currently searching
my comp for anything with the modified date between tomorrow and 2010...
but.... is that what you meant? or look for ALL .dll files then look at
the date (im gonna do that next anyways), and... want me to look at
modified date or created date, or accessed date, and any specific file
names to search for?

ok well before i posted this the scans ended, i didnt find anything with a
date later than an hour and a half ago today, and in the first scan
nothing... none of the ways i've tried found anything... what way do you
suggest?

i right clicked on the local disk, and i do not have a security tab...

ftp stuff >.< the only one i believe i've personally installed would be
anti-leech... about a year ago... and i'm not even positive if you could
call it an FTP... else i dont know of any... but thats not positive...

i'm sorry if i'm hard to work with ^^ i just REALLY dont like to install
stuff on my comp....

and to lengthen this post even more... PAB, you think its an overall
subscription problem? everything else on norton works fine... and thats
the only thing thats ever mentioned having been expired.... maybe its
possibly something separate that i have to buy? (i went through the
subscription trouble shooter... didnt seem to find anything...)

"Jim Carlock" wrote:

> "Lord Loki" <LordLoki@discussions.microsoft.com> wrote:
> > Jim, you think its a trojan and i'm being hacked? or at least my
> > computer is being used for whatever?
>
> Well, this is what I'd do:
>
> 1) Search the computer for files with dates later than the current date.
> If you find a .dll in the windows\system32 or windows\system folder dated
> later than today, then you've definitely been hacked. Hackers sometimes
> future date files trying to prevent Microsoft updates from taking effect.
>
> 2) Let us know if you find any suspiciously dated files or folders.
>
> 3) Check to see if there are some files that you do not recognize. Maybe
> all of them are unrecognized <g>. That'll help the folks here by letting
> them know your current skill set.
>
> 4) Visit http://housecall.trendmicro.com/ and use their online antivirus
> scan to scan your system. They seem to have beta software for new
> antivirus software... Their online scan does a pretty good job.
>
> 5) Download ZoneAlarm from www.zonelabs.com. If you are having
> problems installing ZoneAlarm, delete the folder where it's installed...
> maybe C:\Program Files\ZoneLabs, and then try reinstalling it again.
> If it fails again, download a new copy from ZoneLabs then open a
> DOS prompt to the folder where the two downloads are and type in:
>
> fc /b <filename1> <filename2>
>
> where filename1 is the name of the first download and filename2 is
> the name of the second download. If the DOS fc (file compare)
> command indicates the files are different, then you'll need to clear
> your browser cache (Internet Explorer or FireFox cache) and
> download the file again. Do the file compare to detect which two
> copies are identical. This lets you know that your downloads are
> valid and non-corrupted.
>
> I'll stop there for the moment. ZoneAlarm used to make a really
> nice firewall but in 2000 they seemed to have gone overboard
> and I've lost interest in their firewall products myself. Maybe
> someone else will know and provide an honest opinion of their
> current software. I like the 1998/1999 versions of their software.
>
> > what kind of "non-viral backdoor" something OTHER than spyware,
> > adware, trojans, worms, and viruses (obviously)??? what else is
> > there....?
>
> Serv-U, other FTP server software. You can press CTRL+ALT+DEL
> and open the task manager. Provide us with a list of processes running
> on your system.
>
> Also let us know if you have NTFS installed.
> 1) Open "My Computer"
> 2) Right-click on a hard disk drive and let us know if there is a Security
> tab.
>
> --
> Jim Carlock
> Please post replies to newsgroup.
>
> Ok, I retried to scan my computer in safe mode (this time using the
> msconfig method...) and norton still wont open >.<
>
> I downloaded the latest virus definitions for Intelligent Updater...
> however when i go to install them it says i cannot, and that its
> expired...
>
> "Your virus protection cannot be updated.
> Your subscription as expired. You must renew your subscription to continue
> using Intellegent Updater. Run LiveUpdate from Norton AntiVirus to renew
> your subscription and then run Intellegent Updater again."
>
> i ran live update again, just to be sure, its fully updated, tried
> installing again and got the same message... i JUST bought norton a few
> months ago its definitely not expired... is live update something i have
> to pay for myself? (darn... more and more problems keep on coming...)
>
> i'm not so sure i'm ready for the HijackThis thing... with my luck i'd
> accidentally delete something very important...
>
> also... i deleted aim, but aim was no longer connected to the virus once
> it got in right? so if i reinstalled it, it'd be ok... because the one
> virus i did delete was most likely THE aim virus? (since it gets passed
> through aim, and thats what it does...) so i could reinstall aim? or
> should i wait longer?
>
> Jim, you think its a trojan and i'm being hacked? or at least my computer
> is being used for whatever?
>
> what kind of "non-viral backdoor" something OTHER than spyware, adware,
> trojans, worms, and viruses (obviously)??? what else is there....?
>
> yet again, thank you both for your assistance ^^
>
> "Jim Carlock" wrote:
>
> > FWIW there is software out there that is NOT considered virus but
> > is used to open a PC up for "folks" to access it anytime "they" want.
> >
> > There is some FTP server software. Virus scanners will never catch it,
> > but a good firewall should catch it and present a message that something
> > is trying to open up a certain port (Serv-U ?).
> >
> > So if something opened up the system, "the attackers" commonly put a
> > non-viral backdoor in place that will never be detected by virus scanners.
> >
> > --
> > Jim Carlock
> > Please post replies to newsgroup.
> >
> > "PA Bear" <PABearMVP@gmail.com> wrote:
> > Lord Loki wrote:
> > > I deleted it... however... i dont think its that... >.< even though it
> > > does sound right (i read the symantec thing before i deleted...)
> > > because when ever i turn on the comp it still tries to "install"
> > > something... otherwise everythings fine... i think...
> >
> > Not surprising.
> >
> > > by manually updating... you mean going to the site and manually
> > > downloading, or going into norton using live update, but dont just let
> > > live update wait for a few weeks to do it itself? (NAV users?)
> >
> > Yes, manually seek and install updated definitions. See Intelligent
> > Updater section here:
> > http://securityresponse.symantec.com/avcenter/download.html
> > (posted earlier, too).
> >
> > > also... this morning, we found a virus on the home computer, this was a
> > > bloodhound... do you think my virus would cause that to get through the
> > > network into the home comp, or that its unrelated?
> >
> > There are literally /hundreds/ of Bloodhound variants and, yes, most
> > likely "your" Bloodhound was "dropped" by the Trojan.
> >
> > > lastly... how do you run a system scan in safe mode? i tried... and i
> > > couldnt even open norton >.<
> > > every time i tried it froze.... >.< and went to "send error report?"
> > > would a virus cause that (or hacker), or would that just be me, somehow
> > > screwing things up?
> >
> > Again, see instructions on this page for booting to Safe Mode:
> > http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
> >
> > It would be highly unusual for NAV not to work in Safe Mode but [stuff]
> > happens.
> >
> > > Thanks for your help
> >
> > YW. Let us know how you make out. Note that it might take several
> > updates and scans over several days in the coming week or so for NAV to
> > be able to find and remove everything.
> >
> > You might follow the QuickFix protocol here http://aumha.org/a/quickfix.htm,
> > then scan your system with HijackThis (don't let the name scare you) and
> > post your log to an appropriate forum. Do not post your log here, please.
> > --
> > ~PA Bear
> >
> > > "PA Bear" wrote:
> > >> Well, yes, that could be /your/ Trojan...
> > >>
> > >> Symantec Security Response - W32.Allim.A:
> > >> http://securityresponse.symantec.com/avcenter/venc/data/w32.allim.a.html
> > >>
> > >> This one displays a message "hey check out _this_!" where "this!" is a
> > >> link to the URL: http:/ /adw[domain removed]eo.com/gallery/pictures.php.
> > >> A recipient must click on the link, download a file, and then execute
> > >> the file which then installs a W32.Spybot.Worm variant
> > >> (http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html).
> > >>
> > >> But Allim.A dates from a few weeks ago (Discovered on: April 26, 2005).
> > >>
> > >> From another post in this thread:
> > >>
> > >> Symantec Security Response - W32.Opanki (Discovered on: May 18, 2005)
> > >> http://securityresponse.symantec.com/avcenter/venc/data/w32.opanki.html
> > >>
> > >> Here, the message is "check this out, is that you?", where "this" is a
> > >> configured link that will download a copy of the worm if a user clicks
> > >> on it.
> > >>
> > >> To be safe, I'd manually install virus definition updates via
> > >> Intelligent Updater
> > >> (http://securityresponse.symantec.com/avcenter/download.html) and
> > >> then run a full system scan in Safe Mode
> > >> (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406).
> > >>
> > >> Note that NAV users who rely on LiveUpdate won't get definitions which
> > >> include W32.Opanki until 25 May, according to the page!!!
> > >>
> > >> Let us know how you make out.
> > >> --
> > >> Lord Loki wrote:
> > >>> well.... I came back from dinner today and norton had a large message
> > >>> for me saying (memorized it)
> > >>> VIRUS FOUND:
> > >>> object: C:\im.exe
> > >>> virus: W32.Allim
> > >>>
> > >>> i went to the C drive, scanned the im file to be sure, it said it was
> > >>> an unrepairable virus, i quarantined, then deleted.... its gone forever
> > >>> now right? and...... you think that is THE virus that was causing the
> > >>> strange happenings? O.o ^^
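Jim's process list above is effectively a known-good baseline, and his advice is to ask about anything that differs from it. The Python below, an added example that is not code from the thread or from any of its posters, does that comparison mechanically: it parses `tasklist` output (the sample output is constructed; the PIDs and memory figures are made up, and im.exe is included only because the thread mentions that file name), reports names missing from Jim's list, and counts repeated names so the several svchost.exe entries Jim mentions are visible rather than alarming.

```python
"""Flag running processes that are not on a known-good list.

Added example, not code from the original thread. The baseline is the
process list Jim posted; the tasklist output below is a constructed sample.
"""
from collections import Counter

# Jim's process list (he had already removed the duplicate entries).
BASELINE_NAMES = (
    "File Cache", "Idle Process", "System", "smss.exe", "csrss.exe",
    "winlogon.exe", "services.exe", "lsass.exe", "ati2evxx.exe", "svchost.exe",
    "spoolsv.exe", "avgserv.exe", "Runservice.exe", "mdm.exe", "OWSTIMER.EXE",
    "alg.exe", "explorer.exe", "soundman.exe", "AsusProb.exe", "EM_EXEC.EXE",
    "PRONoMgr.exe", "avgcc32.exe", "ATnotes.exe", "gcasDtServ.exe", "dllhost.exe",
    "Tcpview.exe", "gcasServ.exe", "taskmgr.exe", "notepad.exe", "uPad.exe",
    "firefox.exe", "cmd.exe", "MSDEV.EXE", "msimn.exe", "pstat.exe",
)
BASELINE = frozenset(n.lower() for n in BASELINE_NAMES)

# Constructed sample of `tasklist` output on Windows XP. im.exe is the file
# Norton flagged in the thread; the PIDs and memory figures are invented.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
smss.exe                     540 Console                 0        388 K
csrss.exe                    604 Console                 0      3,500 K
winlogon.exe                 628 Console                 0      2,020 K
services.exe                 672 Console                 0      3,412 K
lsass.exe                    684 Console                 0      1,480 K
svchost.exe                  864 Console                 0      4,812 K
svchost.exe                  932 Console                 0      4,200 K
svchost.exe                  980 Console                 0     20,160 K
svchost.exe                 1040 Console                 0      3,048 K
explorer.exe                1532 Console                 0     14,300 K
im.exe                      1304 Console                 0      3,120 K
taskmgr.exe                 1776 Console                 0      3,900 K
"""


def parse_tasklist(text):
    """Return the image names from `tasklist` output.

    The width of the first column is read from the '=====' separator line,
    so names containing spaces ("System Idle Process") survive intact.
    """
    lines = text.splitlines()
    sep = next(i for i, line in enumerate(lines) if line.startswith("="))
    width = len(lines[sep].split()[0])
    return [line[:width].strip() for line in lines[sep + 1:] if line.strip()]


def unknown_processes(names, baseline=BASELINE):
    """Names absent from the baseline, compared case-insensitively, one entry each.

    A name alone is weak evidence: anything can be called svchost.exe, so an
    unexpected entry is a question to ask (as Jim suggests), not a verdict.
    """
    return sorted({n.lower() for n in names} - baseline)


def repeated_processes(names):
    """Names that appear more than once, with their counts.

    Several svchost.exe instances are normal on XP; a count that changes
    between reboots is what deserves a closer look.
    """
    counts = Counter(n.lower() for n in names)
    return {n: c for n, c in counts.items() if c > 1}


if __name__ == "__main__":
    names = parse_tasklist(SAMPLE_TASKLIST)
    print("not in baseline:", unknown_processes(names))
    print("repeated:", repeated_processes(names))
```

On the constructed sample the report lists "System Idle Process" alongside im.exe, because Jim's list calls the same entry "Idle Process": different tools label the same processes differently, so a baseline should be captured with the same tool you later compare against, and every hit still needs the path and publisher of the executable checked before it means anything.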
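Step 1 of Jim's quoted advice is to search for files dated later than today, and Lord Loki asks which of the modified, created or accessed dates to look at. As an added example that is not code from the thread, the Python below walks a directory tree and reports every file whose modification time or creation/metadata-change time lies in the future, with a small grace period for clock drift; access time is ignored on purpose, since merely reading a file updates it. The demo tree it scans is created in a temporary folder with one file deliberately dated 400 days ahead (constructed data; the file names are made up).

```python
"""Find files whose timestamps lie in the future.

Added example, not code from the original thread. It follows Jim's step 1
(look for files dated later than today) as a scan over any directory tree;
the directory and files in the demo are created in a temporary folder.
"""
import os
import shutil
import stat
import tempfile
import time
from datetime import datetime


def future_dated_files(root, now=None, grace_seconds=300):
    """Return (path, field, datetime) for every regular file under `root`
    whose mtime or ctime is later than `now` plus `grace_seconds`.

    st_ctime is the creation time on Windows and the last metadata change
    on Unix; both are worth reporting. Access time is skipped because
    reading a file (or scanning it with antivirus) rewrites it.
    """
    now = time.time() if now is None else now
    limit = now + grace_seconds
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue          # vanished or unreadable; keep scanning
            if stat.S_ISLNK(st.st_mode):
                continue          # report the target, not the link
            for field, value in (("mtime", st.st_mtime), ("ctime", st.st_ctime)):
                if value > limit:
                    hits.append((path, field, datetime.fromtimestamp(value)))
    return hits


def make_demo_tree(days_ahead=400):
    """Build a temp tree (constructed data) with one normal file and one file
    whose mtime is set `days_ahead` in the future; returns (root, future_path)."""
    root = tempfile.mkdtemp(prefix="futuredate_")
    sub = os.path.join(root, "system32")        # name chosen to mirror Jim's advice
    os.mkdir(sub)
    normal = os.path.join(sub, "normal.dll")
    future = os.path.join(sub, "suspicious.dll")
    for p in (normal, future):
        with open(p, "wb") as f:
            f.write(b"\x00" * 16)
    ahead = time.time() + days_ahead * 86400
    os.utime(future, (ahead, ahead))             # atime and mtime into the future
    return root, future


if __name__ == "__main__":
    root, _ = make_demo_tree()
    try:
        for path, field, when in future_dated_files(root):
            print(f"{path}: {field} = {when:%Y-%m-%d %H:%M}")
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Run against a real system folder, a hit is a lead rather than proof: a wrong BIOS clock or a restored backup can future-date files just as well, which is why the grace period exists and why the thread's advice is to report what you find before acting on it.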