Maybe a trojan, probably the Sub7Server.

  1. #1

    Hey, I think that I have a trojan, but I cannot track it. I have noticed that sometimes when I am online, the mouse pointer moves without me. What do you think? Does anyone have an anti-trojan program?

  2. #2
    Senior Member cwk9 | Join Date: Feb 2002 | Posts: 1,211
    Whoops, double post.
    Have you tried a different mouse?
    It's not software piracy. I'm just making multiple off-site backups.

  3. #3
    You think it's the mouse, or the software?

  4. #4
    Senior Member cwk9 | Join Date: Feb 2002 | Posts: 1,211
    You never know, so you might have to try both. If you have more than one OS on your computer, see if you get the same mouse wandering effect in both. If you do, I would say it's hardware.
    It's not software piracy. I'm just making multiple off-site backups.

  5. #5
    Senior Member | Join Date: Apr 2002 | Posts: 242
    If you want, go on to Yahoo and search for "Trojan Cleaners". I'm sure you'll bring up something half worth the download =)

    Also, check your registry, system.ini and windows.ini.

    And go to Start --> Run --> "msconfig", then from there go to Startup and look for any unknown or interesting names like "jlakjsd.exe" =)

    good luck, and hope this has helped ya.
    my pages: (great resources for everyone)
    geeksarecool.com: resource for computers, hacking, virii, whatnot.
    thepillbox.net: archive of logs and resource for laughter.
    --enjoy these pages, as they grow.

  6. #6
    Senior Member | Join Date: Oct 2001 | Posts: 255
    Yeah, try updating your virus scanner, getting a firewall program or a program called The Cleaner, and another called #Trojan First Aid Kit#. Try a firewall, because it will have to go through that to access the net.

    preep
    You can get an evaluation copy of The Cleaner which will last 30 days.
    http://www.attrition.org/gallery/computing/forum/tn/youarenot.gif.html

  7. #7
    Banned | Join Date: Dec 2001 | Posts: 159
    Run netstat to see if some other computer is trying to access yours. If it is a trojan, block the person's IP using your firewall or some other utility.

  8. #8
    Junior Member | Join Date: Oct 2001 | Posts: 5
    I actually think that the easiest way (at least for me) is to manually detect and erase the trojan from your system. Over the years I have been infected numerous times and have always manually removed them. If you want to give it a try, do this:

    Go to "RUN" => type "DOSPRMPT" => at the cmd line type "NETSTAT -a"

    Below, it will list all of the ports that your computer is using to try and establish a connection remotely. If you are offline when you run this cmd, ignore the NetBIOS ports like 137 and 138 and only look for other open ports like 3000, 27374, 1243, 666, 5782, etc. These ports will be in the "Listening" state, as they are listening for a connection from the client remotely via the net. Running the "NETSTAT -a" cmd online may confuse you, as you will see a lot of crap that looks like this:

    Proto  Local Address        Foreign Address         State
    TCP    default:26886        DEFAULT:0               LISTENING
    TCP    default:1296         DEFAULT:0               LISTENING
    TCP    default:1475         DEFAULT:0               LISTENING
    TCP    default:1481         DEFAULT:0               LISTENING
    TCP    default:1482         DEFAULT:0               LISTENING
    TCP    default:1227         DEFAULT:0               LISTENING
    TCP    default:1228         DEFAULT:0               LISTENING
    TCP    default:1484         DEFAULT:0               LISTENING
    TCP    default:1521         DEFAULT:0               LISTENING
    TCP    default:1296         205.188.8.134:5190      ESTABLISHED
    TCP    default:nbsession    DEFAULT:0               LISTENING
    TCP    default:1475         antionline.com:80       ESTABLISHED
    TCP    default:1481         ads.antionline.com:80   CLOSE_WAIT
    TCP    default:1482         ads.antionline.com:80   CLOSE_WAIT
    TCP    default:1227         www.google.com:80       CLOSE_WAIT
    TCP    default:1228         www.google.com:80       CLOSE_WAIT
    TCP    default:1484         65.114.157.132:80       CLOSE_WAIT
    TCP    default:1521         166.90.140.11:80        SYN_SENT
    UDP    default:nbname       *:*
    UDP    default:nbdatagram   *:*
    UDP    default:1285         *:*
    UDP    default:1210         *:*

    If someone has made a connection to the server (trojan) in your system, the state will read "established" with all of its appropriate info. If you would like to see who is in your system, just find the port on which you believe he is connected to you, make sure the connection reads "established", and look at the "foreign address" that corresponds to it. From there you can run a "tracert", "net view", dns, whois, or whatever you think you will need to catch the person, and/or report him/her if necessary. I wouldn't advise getting online, though, until you are positive that you have NO trojan(s) in your system. If you're suspicious after running the Netstat -a cmd, do this:

    Go to "RUN" => type "MSCONFIG" => then browse your WIN.INI, SYSTEM.INI, STARTUP, and the AUTOEXEC.BAT tabs, if you have one. Under the System.INI tab, look under "boot" and look for any weird .exe, .dll, .scr, .com, or .bat files that are listed. DON'T MESS WITH EXPLORER.EXE, USER.EXE, OR GDI.EXE! These system files are core Windows components. If you see something like this => shell=Explorer.exe "server.exe", then the trojan or server has added itself alongside Explorer to start up with it. For Explorer.exe, GDI.exe, and User.exe, THERE SHOULD BE NO SECONDARY FILES LISTED TO THE RIGHT OF THEM.

    Next is your WIN.ini tab. Simply check the Windows folder and see whether or not anything suspicious is under the load= or run= commands. Again, look for double entries, e.g. explorer.exe "trojan.exe".

    Lastly is your STARTUP tab. Look for anything suspicious that is starting up, and again look for double entries. However, don't confuse them with parameters and/or switches like /autorun, SYSTEMBOOTHIDEPLAYER, or the -r (read-only) and -s (system) attributes. You can uncheck all of the startup boxes and your computer will still boot fine, and of course most likely re-check the files that Windows needs to force load, meaning that mainly ScanRegistry, LoadPowerProfile, TaskMonitor, etc. should be alright. However, beware of the system tray file systray.exe, as many trojans have been renamed and run with this name. Check the file sizes of the "suspicious" files and when they were last accessed, created, and/or modified. Check the HKEYs under the registry editor for entries that the trojan could have made: RUN => "REGEDIT".

    Lastly, go to RUN => "MSINFO32" => once loaded, go to SOFTWARE ENVIRONMENT and then to RUNNING TASKS. Under Running Tasks it will show you all of the programs that are currently being run by your system. Be very suspicious of files that are running with NO manufacturer listing, NO description, NO type, and NO "Part of" listing. It may or may not have the Version listing. In other words, reading from left to right, look for a lot of blank spaces and gaps in the information on a particular file or files that are running. Blank spaces are easy to spot, as many of these files are MS files and have all the necessary information. If you are using Win 95 or Win 98, you would get the fields that I listed. If you are using Win ME, look for a blank version or weird filename that is running and investigate it. Never used XP, but if you are, simply close the process through ctrl-alt-delete and you can go from there.

    You can't manually delete a trojan if it is running in your system. The goal is to stop it from running and then delete it. If you found the trojan and all that you need to do is manually delete it, go to SHUTDOWN then "Restart in DOS Mode" for 98 users. For WIN ME users, hold ctrl, F8, or F6 to get into the boot prompt that allows you to go to the command prompt. Once you're at the command prompt in DOS, change to the file's directory and delete it, e.g. C:\> "cd C:\Windows", or whatever directory it is in. Then, once in the directory, type "dir /p" and look at all the files. Try to pick out the file from the list. The name might look like "Trojan~1.exe" or something similar because of DOS's 8.3 format. Most likely though, the name of the trojan won't exceed 8 characters. If it does, expect the above name listing format. After you've found the file, type "erase trojan.exe". If done correctly, the path you are currently at will repeat under the default path. If it says that the file is in use by Windows or the system and can't be deleted, try this: attrib -r -s -h C:\Windows\"trojan.exe". This ensures that the file can now be deleted. Simply do an erase trojan.exe and it is gone permanently.

    Type WIN to go back to Windows and check the NETSTAT -a listing again in the DOS Prompt. If you want to try to connect yourself to the suspected trojan, look at the "listening" ports from the Netstat -a listing and apply them to TELNET. E.g.:

    WHILE YOU'RE OFFLINE=>

    Proto  Local Address        Foreign Address         State
    TCP    default:26886        DEFAULT:0               LISTENING

    Port 26886 on your computer is listening for a connection. Go to RUN => TELNET => go to the Connect tab and then to the REMOTE SYSTEM option. Under HOST NAME, type either LOCALHOST or 127.0.0.1, and under the PORT header type in the suspected port 26886. Hit Connect, and if a connection is made, the trojan will read off information in your telnet window upon connection, e.g. Sub7 2.1.4 MUIE Date/blah blah blah. If you get this, go to disconnect and you've found your trojan. Now all that you need to do is match it with its filename, as mentioned earlier in this article, from checking the msconfig utility and the msinfo32 utility. If you connect to it and after a few seconds you get text that reads "PWD", a trojan is in your system and it is password protected, set by the person that infected you so that no one else could connect to you or have access to your computer without knowing the password. If you get this, you can still delete it from DOS after you've found the trojan's filename, no sweat.

    Be aware that some trojans, such as SubSeven 2.2, only run when a connection to the internet is detected, which is really clever since running NETSTAT -a offline won't show you anything. Run the Netstat -a cmd online and again look for "Listening" ports. Try ALL of the listening ports, and if you see anything suspicious through telnet, you've found your trojan. All of this may sound quite confusing and/or out of order, but this is how to do it manually. Practice this once or twice and you'll never need trojan cleaners to do your work for you! If you feel confident enough, infect yourself with a trojan that you yourself password protected and try to remove it manually offline. Keep repeating this under different circumstances like "littleKnown", "NOTKNOWN", "REGRUNSERVICES", "MACHINERUNSERVICES" under EditServer if you're testing with SubSeven.

    Remember, if you can't delete it manually or just don't want to keep trying, you can always just connect to yourself through Sub7's client (remote) and go to "Server Options" and remove the server from there. Hope that all of this stuff helps!
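    Added example, not part of the original thread or of any poster's code: a short Python script that does the two checks the post above describes by hand. It parses a `netstat -a` listing, keeps only TCP sockets in LISTENING state that are not NetBIOS, flags the ports the post names (3000, 27374, 1243, 666, 5782), lists ESTABLISHED peers, and then banner-grabs a local port the way the telnet step does. The netstat sample is constructed after the listing in the post, and the local stand-in server that answers with a "Sub7 2.1.4 MUIE" line is a demo fixture, not a real trojan; the port table is an assumption taken from the post's own list.

```python
"""Triage a `netstat -a` listing and banner-grab a suspicious local port (added example)."""
import socket
import threading

# Constructed sample in the shape of the post's listing (not captured from a real machine).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address        Foreign Address         State
  TCP    default:26886        DEFAULT:0               LISTENING
  TCP    default:1296         DEFAULT:0               LISTENING
  TCP    default:1296         205.188.8.134:5190      ESTABLISHED
  TCP    default:nbsession    DEFAULT:0               LISTENING
  TCP    default:1475         antionline.com:80       ESTABLISHED
  TCP    default:27374        DEFAULT:0               LISTENING
  UDP    default:nbname       *:*
  UDP    default:nbdatagram   *:*
"""

# NetBIOS service names / ports the post says to ignore (names when netstat resolves them, numbers with -n).
NETBIOS = {"nbname", "nbdatagram", "nbsession", "137", "138", "139"}
# Ports the post calls out as typical trojan listeners (assumption: taken from the post's list).
PORTS_CALLED_OUT = {3000, 27374, 1243, 666, 5782}


def parse_netstat(text):
    """Turn netstat output into dicts; header and blank lines are skipped, UDP rows have no state."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP", "TCPV6", "UDPV6"):
            continue
        state = parts[3] if len(parts) > 3 else ""
        port = parts[1].rsplit(":", 1)[-1]          # "default:26886" -> "26886"
        rows.append({"proto": parts[0].upper(), "port": port, "foreign": parts[2], "state": state})
    return rows


def suspicious_listeners(rows):
    """(port, reason) for every non-NetBIOS TCP LISTENING socket, in listing order."""
    found = []
    for r in rows:
        if r["proto"] != "TCP" or r["state"] != "LISTENING" or r["port"].lower() in NETBIOS:
            continue
        known = r["port"].isdigit() and int(r["port"]) in PORTS_CALLED_OUT
        found.append((r["port"], "known trojan default" if known else "unexplained listener"))
    return found


def established(rows):
    """(local port, foreign address) for every ESTABLISHED connection: who is talking to this box."""
    return [(r["port"], r["foreign"]) for r in rows if r["state"] == "ESTABLISHED"]


def grab_banner(host, port, timeout=2.0):
    """Connect like the telnet step and return whatever the service volunteers ('' if silent/refused)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256).decode("latin-1", "replace")
            except socket.timeout:
                return ""                           # connected but nothing was sent: inspect by other means
    except OSError:
        return ""                                   # refused / unreachable


def start_fake_server(banner):
    """Demo fixture: an ephemeral 127.0.0.1 listener that greets its first client with `banner`."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    for port, why in suspicious_listeners(rows):
        print(f"LISTENING on {port}: {why}")
    for port, peer in established(rows):
        print(f"local {port} <-> {peer}")
    demo_port = start_fake_server(b"Sub7 2.1.4 MUIE demo banner\r\n")   # constructed, mimics the post's text
    print(f"banner from 127.0.0.1:{demo_port} -> {grab_banner('127.0.0.1', demo_port)!r}")
```

    On a real machine you would feed the output of `netstat -a` (or `netstat -an`) into `parse_netstat` and point `grab_banner` at each port `suspicious_listeners` returns; a listener that says nothing is not cleared by this, only one that talks is identified.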

  9. #9
    Junior Member | Join Date: Oct 2001 | Posts: 5

    Oh yeah, almost forgot...

    Some trojans, such as the ICQ Trojan, start up from the programs that they are named after. The AOL Trojan does this also. They use the load programs option upon connection to the internet through that particular program. ICQ is known the most for this, as some trojans you will find loading under the "load with ICQ" options. You may also want to go ahead and check AOL or ICQ if you use these particular services. And lastly, some trojans will use winstart.bat, config.sys, and even mess around with your file types and their registered extensions under the Folder Options "File Types" tab. Some of them will set themselves (the trojan) to be used as the default program or resource to open executable files such as explorer.exe. Go to the file types area and check to make sure that no trojan has made itself the clone of explorer.exe when it comes to opening executable file types. The executable file types should only say "Executable" next to them and not "Opens with: tkswzquidsf.exe". Deleting the trojan manually could mess up your filesystem this way, so I would recommend using a cleaner for this one, especially if you're using Win ME! It should be safe to do through Win 98 though, as you can always revert back to the default executable file launcher, explorer.exe. Anyway, just thought I'd add this last piece. If anyone has anything else to add, feel welcome to post it.
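    Added example (not from the posts): Python that checks the startup locations the two posts above tell you to inspect by eye. It reads the system.ini [boot] shell= line for anything trailing Explorer.exe, the win.ini load=/run= entries, the Run and RunServices keys from a regedit .reg export, and the exefile "Opens with" command, which on a stock system is `"%1" %*`. The ini text, the .reg export and the command strings are constructed samples reusing names from the posts (server.exe, jlakjsd.exe, tkswzquidsf.exe); the allowlist of startup names is an assumption taken from the "should be alright" remark, so SystemTray deliberately stays on the review list because the post warns about systray.exe being impersonated.

```python
"""Check Win9x autostart locations and the .exe file association (added example)."""
import configparser
import re

# Constructed samples: an infected-looking system.ini, win.ini and regedit export.
SYSTEM_INI = r"""[boot]
shell=Explorer.exe server.exe
mouse.drv=mouse.drv
[386Enh]
device=*vshare
"""

WIN_INI = r"""[windows]
load=
run=C:\WINDOWS\jlakjsd.exe
"""

REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"SystemTray"="SysTray.Exe"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"WinLoader"="C:\\WINDOWS\\SYSTEM\\trojan.exe"
"""

# Startup names the post says should be alright (assumption taken from the post's own list).
STARTUP_OK = {"ScanRegistry", "LoadPowerProfile", "TaskMonitor"}

REG_RUN_KEY = re.compile(r"^\[(HKEY_[^\]]*\\Run(Services)?)\]$", re.I)
REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def _ini(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.read_string(text)
    return cp


def shell_extras(system_ini_text):
    """Anything listed after Explorer.exe on [boot] shell=; the post says there should be nothing."""
    parts = _ini(system_ini_text).get("boot", "shell", fallback="").split()
    return parts[1:] if parts and parts[0].lower() == "explorer.exe" else parts


def win_ini_autostarts(win_ini_text):
    """Non-empty load= / run= values under [windows]; each one starts a program at logon."""
    cp = _ini(win_ini_text)
    found = {}
    for key in ("load", "run"):
        value = (cp.get("windows", key, fallback="") or "").strip()
        if value:
            found[key] = value
    return found


def run_entries(reg_text):
    """(key, name, command) for every value under a ...\\Run or ...\\RunServices key in a .reg export."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = REG_RUN_KEY.match(line)
            key = m.group(1) if m else None      # leave non-Run keys out
            continue
        if key:
            m = REG_VALUE.match(line)
            if m:
                entries.append((key, m.group(1), m.group(2).replace("\\\\", "\\")))  # .reg doubles backslashes
    return entries


def unreviewed_run_entries(entries, allowlist):
    """Run entries whose value name is not on the allowlist; these are the ones to look at."""
    allow = {a.lower() for a in allowlist}
    return [e for e in entries if e[1].lower() not in allow]


def exe_association_hijacker(command):
    """Program wedged in front of "%1" in exefile's open command, or None for the stock '"%1" %*'."""
    cmd = command.strip()
    if cmd.startswith('"%1"'):
        return None
    return cmd.split('"%1"', 1)[0].strip() or cmd


if __name__ == "__main__":
    print("shell= extras:", shell_extras(SYSTEM_INI))
    print("win.ini autostarts:", win_ini_autostarts(WIN_INI))
    for key, name, cmd in unreviewed_run_entries(run_entries(REG_EXPORT), STARTUP_OK):
        print(f"review {key}\\{name} = {cmd}")
    print("exefile hijacker:", exe_association_hijacker(r'C:\WINDOWS\tkswzquidsf.exe "%1" %*'))
```

    Note the order the posts imply: the association check comes first, because if exefile points at the trojan, deleting that file breaks launching every .exe until the command is put back to `"%1" %*`.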

  10. #10
    I had a trojan, but it wasn't moving the pointer; it was the hardware's fault. You're right, cwk9. Thank you all.
