Ryan, read this...
If you want the trojans deleted automatically, use one of these:
MooSoft's THE CLEANER (YES, IT WORKS, I HAVE IT, IT'S THE BEST AT DETECTING THOUSANDS OF DIFFERENT VARIANTS).
Norton AntiVirus 2002
Trojan Defence Suite (T.D.S.x)
The author's alias is MobMan -of B.U.G. Mafia. One of his email addresses is [email protected]
BTW, DON'T EMAIL HIM! Not only will you not get a reply, you'll just waste your time and probably piss him off. He is working on 2 new versions of Sub7, including the soon-to-be-released 2.3.
Hey Ryan, after you read HOW TO MANUALLY REMOVE A TROJAN (listed below), why don't you just use the trojan's client (remote) to connect to your computer and delete it? If the server is password protected, run Sub7crack on it or use RatCracker. If those don't work, run Sub7Sniper or try to brute-force it with something else. You might be able to just hit "Enter" if the trojan installed on your computer is M.U.I.E.... or was it BONUS? Yes, I've tried the Universal Master password and it doesn't work for any of the versions in the 2's. The pass goes like 1980xxxxxxxxxx blah blah blah. Doesn't work, trust me. Anyway, here's a re-post that you obviously need to read ==>
HOW TO MANUALLY REMOVE A TROJAN
I actually think that the easiest way (at least for me) is to manually detect and erase the trojan from your system. Over the years I have been infected numerous times and have always manually removed them. If you want to give it a try, do this:
Go to RUN => type "DOSPRMPT" => at the command line type "NETSTAT -a"
It will list every port your computer currently has a connection on or is listening on for a remote connection. If you are offline when you run this command, ignore the NetBIOS ports like 137 and 138 and only look for other open ports like 3000, 27374, 1243, 666, 5782, etc. These ports will be in the LISTENING state, as they are waiting for a connection from the client over the net. Running "NETSTAT -a" while online may confuse you, as you will see a lot of entries that look like this:
Proto  Local Address       Foreign Address          State
TCP    default:26886       DEFAULT:0                LISTENING
TCP    default:1296        DEFAULT:0                LISTENING
TCP    default:1475        DEFAULT:0                LISTENING
TCP    default:1481        DEFAULT:0                LISTENING
TCP    default:1482        DEFAULT:0                LISTENING
TCP    default:1227        DEFAULT:0                LISTENING
TCP    default:1228        DEFAULT:0                LISTENING
TCP    default:1484        DEFAULT:0                LISTENING
TCP    default:1521        DEFAULT:0                LISTENING
TCP    default:1296        205.188.8.134:5190       ESTABLISHED
TCP    default:nbsession   DEFAULT:0                LISTENING
TCP    default:1475        antionline.com:80        ESTABLISHED
TCP    default:1481        ads.antionline.com:80    CLOSE_WAIT
TCP    default:1482        ads.antionline.com:80    CLOSE_WAIT
TCP    default:1227        www.google.com:80        CLOSE_WAIT
TCP    default:1228        www.google.com:80        CLOSE_WAIT
TCP    default:1484        65.114.157.132:80        CLOSE_WAIT
TCP    default:1521        166.90.140.11:80         SYN_SENT
UDP    default:nbname      *:*
UDP    default:nbdatagram  *:*
UDP    default:1285        *:*
UDP    default:1210        *:*
Notice that most of the LISTENING lines above are just the local ends of the browser and IM connections further down (1296, 1475, 1481, etc. each show up a second time with a foreign address); 26886 is the one with no matching connection. If someone has made a connection to the server (trojan) on your system, the state will read ESTABLISHED with all of its appropriate info. If you would like to see who is in your system, find the port you believe he is connected to you on, make sure the connection reads ESTABLISHED, and look at the "Foreign Address" that corresponds to it. From there you can run tracert, net view, a DNS lookup, whois, or whatever you think you will need to catch the person, and/or report him/her if necessary. I wouldn't advise getting online, though, until you are positive that you have NO trojan(s) on your system. If you're suspicious after running NETSTAT -a, do this:
Go to RUN => type "MSCONFIG" => then browse the WIN.INI, SYSTEM.INI, STARTUP and AUTOEXEC.BAT tabs, if you have one.

Under the SYSTEM.INI tab, look under [boot] for any weird .exe, .dll, .scr, .com or .bat files that are listed. DON'T MESS WITH EXPLORER.EXE, USER.EXE OR GDI.EXE! These are core Windows system files. If you see something like shell=Explorer.exe "server.exe", then the trojan (server) has added itself alongside Explorer so that it starts with it. For Explorer.exe, GDI.exe and User.exe, THERE SHOULD BE NO SECONDARY FILES LISTED TO THE RIGHT OF THEM.

Next is the WIN.INI tab. Open the [windows] section (shown as a folder) and see whether anything suspicious is under load= or run=. Again, look for double entries, e.g. explorer.exe "trojan.exe".

Lastly is the STARTUP tab. Look for anything suspicious that is starting up, and again look for double entries; however, don't confuse them with parameters and/or switches like /autorun, SYSTEMBOOTHIDEPLAYER, or the -r (read-only) and -s (system) attributes. You can uncheck all of the startup boxes and your computer will still boot fine, and Windows will most likely re-check the files it needs to force-load, meaning ScanRegistry, LoadPowerProfile, TaskMonitor, etc. should be alright. However, beware of the system tray file systray.exe, as many trojans have been renamed and run under this name. Check the file sizes of the "suspicious" files and when they were last accessed, created and/or modified. Check the HKEY keys in the Registry Editor for entries the trojan could have made (the usual places are the Run and RunServices keys under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion): RUN => "REGEDIT". Lastly, go to RUN => "MSINFO32" => once loaded, go to SOFTWARE ENVIRONMENT and then RUNNING TASKS. Under Running Tasks it will show you all of the programs currently being run by your system.
Be very suspicious of files that are running with NO manufacturer listing, NO description, NO type and NO "Part of" listing. It may or may not have a Version listing. In other words, reading from left to right, look for a lot of blank spaces and gaps in the information on a particular running file or files. Blank spaces are easy to spot, as many of these files are MS files and have all the necessary information. If you are using Win 95 or Win 98, you get the fields I listed. If you are using Win ME, look for a blank version or a weird filename that is running and investigate it. Never used XP, but if you are, simply close the process through Ctrl-Alt-Delete and you can go from there.

You can't manually delete a trojan while it is running on your system. The goal is to stop it from running and then delete it. If you found the trojan and all you need to do is delete it manually, go to SHUTDOWN, then "Restart in MS-DOS Mode" for 98 users. For Win ME users, hold Ctrl, F8 or F6 to get into the boot menu that lets you go to the command prompt. Once you're at the DOS command prompt, change to the file's directory and delete it, e.g. C:\> cd C:\Windows, or whatever directory it is in. Then, once in the directory, type "dir /p" and look at all the files. Try to pick out the file from the list. The name might look like "TROJAN~1.EXE" or similar because of DOS's 8.3 format. Most likely, though, the name of the trojan won't exceed 8 characters; if it does, expect it to be shortened that way. After you've found the file, type "erase trojan.exe". If it worked, the prompt simply comes back with no message. If it says the file is in use by Windows or the system and can't be deleted, try this: attrib -r -s -h C:\Windows\trojan.exe. This clears the read-only, system and hidden attributes so the file can be deleted. Then just do erase trojan.exe and it is gone permanently.
Type WIN to go back to Windows and check the NETSTAT -a listing again in the DOS prompt. If you want to try to connect yourself to the suspected trojan, look at the LISTENING ports from the NETSTAT -a listing and try them with TELNET, e.g.:
WHILE YOU'RE OFFLINE =>
Proto  Local Address       Foreign Address          State
TCP    default:26886       DEFAULT:0                LISTENING
Port 26886 on your computer is listening for a connection. Go to RUN => TELNET => go to the Connect menu and then to REMOTE SYSTEM. Under HOST NAME, type either LOCALHOST or 127.0.0.1, and under PORT type the suspected port, 26886. Hit Connect, and if a connection is made the trojan will print information in your telnet window upon connection, e.g. "Sub7 2.1.4 M.U.I.E. connected. Date"/blah blah blah. If you get this, go to Disconnect; you've found your trojan. Now all you need to do is match it with its filename, as mentioned earlier, from the MSCONFIG and MSINFO32 utilities. If you connect to it and after a few seconds you get text that reads "PWD", a trojan is in your system and it is password protected, set by the person who infected you so that no one else could connect to you or access your computer without knowing the password. If you get this, you can still delete it from DOS after you've found the trojan's filename, no sweat. Be aware that some trojans, such as SubSeven 2.2, only run when a connection to the internet is detected, which is really clever since running NETSTAT -a offline won't show you anything. Run NETSTAT -a online and again look for LISTENING ports. Try ALL of the listening ports, and if you see anything suspicious through telnet, you've found your trojan. All of this may sound quite confusing and/or out of order, but this is how to do it manually. Practice this once or twice and you'll never need trojan cleaners to do your work for you! If you feel confident enough, infect yourself with a trojan that you yourself password protected and try to remove it manually offline. Keep repeating this under different circumstances, like "LittleKnown", "NOTKNOWN", "REGRUNSERVICES" and "MACHINERUNSERVICES" under EditServer, if you're testing with SubSeven.
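Here is the NETSTAT -a plus TELNET check above scripted in Python, as an added example that is not part of the original post. It parses a netstat listing (the post's own sample is re-typed inside), drops the NetBIOS ports and any LISTENING port that is really the local end of an outbound browser/IM connection, and then connects to each remaining port on 127.0.0.1 to read whatever the listener says first, which is exactly what you do by hand in TELNET. The fake server and its banner text are made up for the demo; they are not a real backdoor's strings.

```python
"""Scripted version of the manual 'NETSTAT -a, then TELNET each LISTENING
port' check.  Added example; not code from the original post."""
import socket
import threading

# NetBIOS service names as Win9x netstat printed them (ports the post says to ignore).
NETBIOS_PORTS = {"nbname": 137, "nbdatagram": 138, "nbsession": 139}

# The post's own netstat listing, re-typed here as sample input (abridged).
SAMPLE_NETSTAT = """\
Proto Local Address Foreign Address State
TCP default:26886 DEFAULT:0 LISTENING
TCP default:1296 DEFAULT:0 LISTENING
TCP default:1475 DEFAULT:0 LISTENING
TCP default:1296 205.188.8.134:5190 ESTABLISHED
TCP default:nbsession DEFAULT:0 LISTENING
TCP default:1475 antionline.com:80 ESTABLISHED
UDP default:nbname *:*
"""


def local_port(addr):
    """'default:26886' -> 26886, 'default:nbsession' -> 139, '0.0.0.0:445' -> 445."""
    name = addr.rsplit(":", 1)[-1].lower()
    return int(name) if name.isdigit() else NETBIOS_PORTS.get(name)


def suspicious_listeners(netstat_text):
    """Listening TCP ports, minus NetBIOS and minus ports that also appear as the
    local end of an outbound connection (Win9x netstat listed those as LISTENING too)."""
    listening, outbound = set(), set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue                      # header, UDP lines, blanks
        port = local_port(parts[1])
        if port is None:
            continue
        (listening if parts[3].upper() == "LISTENING" else outbound).add(port)
    return sorted(p for p in listening - outbound if p not in NETBIOS_PORTS.values())


def grab_banner(host, port, timeout=2.0, limit=256):
    """Connect like TELNET would and return what the listener says first (stripped),
    '' if it stays silent, or None if nothing accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            while len(data) < limit:
                try:
                    chunk = sock.recv(limit - len(data))
                except socket.timeout:
                    break                 # silent listener (e.g. waiting for a password)
                if not chunk:
                    break                 # peer hung up
                data += chunk
    except OSError:                       # refused, unreachable, or connect timeout
        return None
    return data.decode("latin-1").strip()


def start_fake_server(banner):
    """Stand-in for a chatty backdoor: accept one connection on a random local port,
    send `banner`, hang up.  Returns the port.  Demo scaffolding only."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print("ports to probe:", suspicious_listeners(SAMPLE_NETSTAT))   # [26886]
    demo = start_fake_server(b"fake server v0.1 connected. time/date: 01:00 AM\r\n")  # made-up banner
    for port in suspicious_listeners(SAMPLE_NETSTAT) + [demo]:
        print(port, "->", repr(grab_banner("127.0.0.1", port)))
```

Run it online as the post says, feeding it the real `netstat -a` output (pipe or paste), and treat an empty string from grab_banner the same way the post treats a "PWD" prompt: something answered, it just isn't talking.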
Remember, if you can't delete it manually or just don't want to keep trying, you can always connect to yourself through Sub7's client (remote), go to "Server Options" and remove the server from there.
Some trojans, such as the ICQ Trojan, start up from the programs they are named after. The AOL Trojan does this also. They use that program's "load programs on connect" option, so they start when you connect to the internet through it. ICQ is the best known for this, as some trojans turn up under the "load with ICQ" options. You may also want to check AOL or ICQ if you use those services. And lastly, some trojans will use winstart.bat or config.sys, and even mess with your file types and their registered extensions under Folder Options, "File Types" tab. Some of them set themselves (the trojan) as the default program used to open executable files, in place of explorer.exe. Go to the File Types area and make sure no trojan has made itself the stand-in for explorer.exe when it comes to opening executable file types. The executable file types should only say "Executable" next to them and not "Opens with: tkswzquidsf.exe". Deleting the trojan manually could break your file system this way (every .exe then fails to open, because the program registered to run them is gone), so I would recommend using a cleaner for this one, especially if you're using Win ME! It should be safe to do through Win 98, though, as you can always revert to the default executable file launcher, explorer.exe.
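The startup hooks the post tells you to eyeball in MSCONFIG and Folder Options can be checked mechanically. This added example (not code from the original post) reads the [boot] shell= line of SYSTEM.INI, the load=/run= lines of the [windows] section of WIN.INI, and the command registered to open .exe files, and reports anything that is not the stock value. The INI text and the hijacked command string are constructed sample input; server.exe is the placeholder name the post itself uses, and the stock exefile command `"%1" %*` is the real default.

```python
"""Audit Win9x startup hooks: SYSTEM.INI [boot] shell=, WIN.INI [windows]
load=/run=, and the exefile open command.  Added example with constructed input."""
import re

CORE_SHELLS = {"explorer.exe"}           # what legitimately sits on shell=
STOCK_EXE_COMMAND = '"%1" %*'            # default HKCR\exefile\shell\open\command value

# Constructed sample files: shell= and run= both carry a hitchhiker.
SYSTEM_INI = """\
[boot]
shell=Explorer.exe "server.exe"
mouse.drv=mouse.drv
[386Enh]
device=*vmouse
"""

WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\server.exe
NullPort=None
[Desktop]
Wallpaper=(None)
"""

# Constructed hijacked open command: every .exe is routed through another program first.
HIJACKED_EXE_COMMAND = 'C:\\WINDOWS\\tkswzquidsf.exe "%1" %*'


def parse_ini(text):
    """Tiny INI reader -> {section: [(key, value), ...]}.  Duplicate keys are kept,
    because an extra run= line is exactly what we want to notice."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def split_args(value):
    """Split a command line on whitespace honouring double quotes, and drop switches
    (/autorun, -s, ...) so they are not mistaken for extra programs."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', value)]
    return [t for t in tokens if t and not t.startswith(("/", "-"))]


def audit_system_ini(text):
    findings = []
    for key, value in parse_ini(text).get("boot", []):
        if key != "shell":
            continue
        args = split_args(value)
        if not args or args[0].lower() not in CORE_SHELLS:
            findings.append(f"system.ini shell= replaced: {value}")
        elif len(args) > 1:              # explorer.exe plus a secondary file
            findings.append(f"system.ini shell= also loads: {' '.join(args[1:])}")
    return findings


def audit_win_ini(text):
    return [f"win.ini {key}= starts: {value}"
            for key, value in parse_ini(text).get("windows", [])
            if key in ("load", "run") and value]


def audit_exe_command(command):
    """Anything but the stock '"%1" %*' (whitespace-normalised) is a hijack."""
    if " ".join(command.split()) == STOCK_EXE_COMMAND:
        return []
    return [f"exefile open command hijacked: {command}"]


def audit_startup(system_ini, win_ini, exe_command):
    return (audit_system_ini(system_ini) + audit_win_ini(win_ini)
            + audit_exe_command(exe_command))


if __name__ == "__main__":
    for finding in audit_startup(SYSTEM_INI, WIN_INI, HIJACKED_EXE_COMMAND):
        print("!!", finding)
```

On a real machine you would read the two INI files out of the Windows directory and the exefile command out of the registry; the checks themselves do not change. The exefile check is the one to run before you erase anything, for the reason the post gives: if that command points at the file you are about to delete, fix the command first or no .exe will launch afterwards.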