Need help with Gremlins in my puter!

General Network security, firewalls, port filtering/forwarding, wireless security, anti-spyware, as well as spam control and privacy discussions.
gcarmine
New Member
Posts: 16
Joined: Sun Jul 08, 2001 12:57 pm
Location: South Fla.

Need help with Gremlins in my puter!

Post by gcarmine »

Where to begin…

There is something happening with my computer and documents I write and save to be printed at a later time. Words, sentences and paragraphs are changed the next time I open the documents.

Last semester for college, I put together a class assignment 12 pages long. I finished proofreading it at about 11 at night, but did not want to take the time to print it then because I was tired and wanted to go to sleep.

The next morning, feeling confident the computer and I had done a “great” job of putting the document together, I proceeded to just print it out.

When I started reading the document in class, I had to stop in the middle of it and excuse myself from continuing. Page #3, was completely changed and contained various demeaning expletives I can’t mention here. Not only did my grade go down below floor level, but it was very embarrassing as well.

Now, just about every time I turn the computer on, I am hit with a barrage of small windows, usually from 5 to 7, which contain nasty “greeting” messages. Some times, my full name is included in these; at times even my phone number and something threatening.

Just about a week ago, while I was connected to the college FTP site, the mouse pointer seemed to have a life of its own as it would move about the page on the screen and even click on links I didn’t need. I have also seen this happen if I am just surfing the Net. This usually doesn’t happen for a long time, but rather for a few seconds at a time.

There are a myriad other things that happen, but it would make this way too long.

Any ideas on where to start fixing this problem will be greatly appreciated!
CableDude
SG VIP
Posts: 26801
Joined: Sat Jun 02, 2001 12:00 pm

Post by CableDude »

Do you have an updated antivirus program and have you scanned for viruses?
gcarmine
New Member
Posts: 16
Joined: Sun Jul 08, 2001 12:57 pm
Location: South Fla.

Post by gcarmine »

CableDude;

I've had 3 different a/v programs go through my hard drives and none have detected any bugs.

Someone emailed me thinking I might have a backdoor program in my system.

Someone knows a lot of private information on me, and it worries me that now they are even communicating it on my screen.
TonyT
SG VIP
Posts: 10356
Joined: Fri Jan 28, 2000 12:00 am
Location: Fairfax, VA

Post by TonyT »

It sounds as if someone is using a 'pc anywhere' type of program. Do you have that app installed? Or a similar program?

I will wager that you have a trojan that is giving someone full privileges on your computer.

What are the apps in your startup folder?
What apps are in the tasklist? (ctrl-alt-del)
What entries are in the Run line of autoexec.bat?

There is something on your system hiding & it can be found, but know that the behavior you are experiencing is NOT normal and it is not a windows glitch, it's a trojan or a misconfigured app of yours.
gcarmine
New Member
Posts: 16
Joined: Sun Jul 08, 2001 12:57 pm
Location: South Fla.

Post by gcarmine »

TonyT;

Let's see here...

Startup folder = nothing at all

Tasklist = Explorer, Rnaap, Navapw32, Systray, Poproxy, Point32, this page and the main SpeedGuide page.

Autoexec.bat =

@ECHO OFF
@SET SOUND=C:\PROGRA~1\CREATIVE\CTSND
@SET MIDI=SYNTH:1 MAP:E MODE:0
SET BLASTER=A220 I5 D1 H5 P330 E620 T6
PATH C:\BITWARE\

Another email suggestion is for me to look in my win98 regedit under Run= ?????

There is nothing in there...

PS. I just had another stupid message pop up as I was answering this.
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Get yourself a good trojan cleaner and run it and also get a software firewall up and running! Try going to a Dos Prompt and type in netstat -an and see what ports and addresses show up in that. ;)

Tauscan

Anti-Trojan 5

The Cleaner

Zone Alarm
TonyT
SG VIP
Posts: 10356
Joined: Fri Jan 28, 2000 12:00 am
Location: Fairfax, VA

Post by TonyT »

Are you on dialup? Rnaap is DialUpNetworking.

What is Poproxy? Some type of server?

Sorry, I meant to say win.ini and not autoexec.bat. Open the win.ini in Notepad and paste the first section here.
TonyT
SG VIP
Posts: 10356
Joined: Fri Jan 28, 2000 12:00 am
Location: Fairfax, VA

Post by TonyT »

Hey, look what I found out about Poproxy. (it's the Norton email protection app, but there is a huge security hole in it!)

Read this -

http://www.w00w00.org/advisories/nortonav.html
gcarmine
New Member
Posts: 16
Joined: Sun Jul 08, 2001 12:57 pm
Location: South Fla.

Post by gcarmine »

blebs99;

I did the netstat -an thingy and the DOS page fills with other computers connected to mine through these ports:

0, 1, 2, 20, 21, 23, 25, 30, 31, 59, 80, 110, 121, 170, 421, and a whole lot more.

Most of these say Established, others Listening, others say Time_Wait, etc.; some have a "Remote IP".

I have no idea what the meaning of all this is, but it certainly looks like someone is watching every move my computer makes!

------------

TonyT;

I have been on a dial-up modem since all these strange things started happening; they have slowed down since I switched from the cable modem, but have not stopped.

I just placed a call to a friend of mine who now lives in Maryland; he used to work for Symantec and says Norton already fixed the problem with Poproxy a few months ago.

I'd hate to have to wipe my hard drive and re-install everything... Oh the pain of it!
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Look for an active port 27374 or 1243! It's just a hunch, but someone definitely has control of your computer and can use it any way they want to! Download Anti-Trojan 5 from the links above and let it run. I'll bet it finds a Sub 7 Trojan running. Let us know what happens. Anti-Trojan 5 is free for 14 days.
Matt615
Senior Member
Posts: 2030
Joined: Sun Jan 07, 2001 12:00 am
Location: Somewhere on the east coast of the US

Post by Matt615 »

Originally posted by gcarmine

I did the netstat -an thingy and the DOS page fills with other computers connected to mine through these ports:

0, 1, 2, 20, 21, 23, 25, 30, 31, 59, 80, 110, 121, 170, 421, and a whole lot more.

Most of these say Established, others Listening, others say Time_Wait, etc.; some have a "Remote IP".

I have no idea what the meaning of all this is, but it certainly looks like someone is watching every move my computer makes!

Wow, that's a lot of ports to have established connections on.
Windows has not yet detected a keyboard. Press any key to continue.
gcarmine
New Member
Posts: 16
Joined: Sun Jul 08, 2001 12:57 pm
Location: South Fla.

Post by gcarmine »

OK, here's the latest so far, though I will have to keep on searching for more answers since I suspect there are still more Trojans in my system.

I installed the Anti-Trojan 5 program; it found 3 trojan files in my system and cleaned them out.

I then installed The Cleaner and it found a few more; it cleaned them out.

Though these programs are very good, I feel there is no one program which is capable of cleaning out all trojan files from any system, but I feel better about this.

Below are the names of the trojans which have been taken out of service in my system by AT5 and The Cleaner:

Locater, Webex1.4, TROJ_SONIC.80, Ruxtrojan, Dtv2.1, Hack'a'tack112, Server14, Backdoor, NetBus, W32.Resure.

I just did the netstat -an again; I still have many ports communicating with other computers, and yes, port 27374 is amongst many others which say "Established".

If I can't beat them at their game, I won't join them either...

Many thanks for all your help, I will keep watching this thread for any more suggestions.

Giuseppe
TonyT
SG VIP
Posts: 10356
Joined: Fri Jan 28, 2000 12:00 am
Location: Fairfax, VA

Post by TonyT »

Do this-
reboot computer and then run netstat BEFORE running any other programs.

Some of the open ports in netstat are legitimate ones; for example, even after closing a web browser, you can see an open port to the website last visited and a time-wait (the last response from the site never reached your computer before you closed the browser).

Run netstat alone, before you run email or browser.
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

After doing what TonyT said above, check for updates to the trojan removers and download any that they may have for them and run the programs again and maybe even a 3rd time! I'd like to see you trojan-free before installing the firewall, but if this can't be, then some protection is better than none, until we see if they can all be removed. Worst case scenario here is formatting if you can't get rid of them. :eek:
gcarmine
New Member
Posts: 16
Joined: Sun Jul 08, 2001 12:57 pm
Location: South Fla.

Post by gcarmine »

TonyT;

I ran netstat as you said to do after a reboot and before dialing out, here's what I get.

I get a bunch of different IPs under "Foreign Address" with all kinds of different ports and most still say "Listening"

I'm also getting 4 of them that say UDP towards the bottom of the list. What does UDP mean?


TCP Ports:
142 - Listening
420 - Listening
532 - Listening
605 - Listening
1010 - Listening
1011 - Listening
1012 - Listening
1015 - Listening
1269 - Listening
1099 - Listening
2311 - Listening
2773 - Listening
2774 - Listening
6212 - Listening
6969 - Listening
7000 - Listening
7215 - Listening
16959 - Listening
27374 - Listening
27573 - Listening
and about 8 more ports

UDP Ports:
1200 -
1201 -
2989 -
7424 -
and about 5 more UDP ports

After I connect to the Net, many more ports come up "Established"
TonyT
SG VIP
Posts: 10356
Joined: Fri Jan 28, 2000 12:00 am
Location: Fairfax, VA

Post by TonyT »

Below are the trojans that you probably have, based on the netstat you just ran. You will probably be better off reformatting your hard drive! Dude, you are lucky that crackers have been nice to you. Believe me, you are just a sitting duck waiting to be used in a DOS attack somewhere. These guys can do ANYTHING THAT THEY WANT with your computer including stealing passwords, credit card numbers, ALL personal info; in short, they have probably copied every single piece of data and file already!

The time it would take to root out all of those trojans would be more than a reformat and clean install of Windows.

Read this thread, understand it, back up any important files like images and txt documents, then pull the plug on your modem & get to work!

port 142 NetTaxi

port 420 Breach

port 531 or 532 Rasmin

port 605 Secret Service

port 1010 Doly Trojan
port 1011 Doly Trojan
port 1012 Doly Trojan
port 1015 Doly Trojan

port 1269 Matrix

port 1099 Blood Fest Evolution, Remote Administration Tool - RAT

ports 2311 - 2773 - 2774 ???

port 6212 - ?

port 6969 GateCrasher, IRC 3, Net Controller, Priority

port 7000 Exploit Translation Server, Kazimas, Remote Grab, SubSeven 2.1 Gold

port 7215 SubSeven , SubSeven 2.1 Gold

port 16959 - ?

port 27374 Bad Blood, SubSeven , SubSeven 2.1 Gold, Subseven 2.1.4 DefCon 8

port 27573 SubSeven


And those are just the ones running at boot up! There could be others on timers too. I want you to really clearly get the picture here. Imagine being around someone with a cold. And they are infectious. Probably not that bad though, cause we all get a cold now & then. That would be like receiving an email attachment and realizing it's a virus and safely deleting it.

Now.........imagine being around someone with leprosy. Very infectious. Very unhealthy to be around and contact usually means death after a while. That's your computer as it currently stands.
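To make the port-by-port reading TonyT does above repeatable, here is an added Python example (not code from the thread or from any product named in it) that parses Windows netstat -an output, lists the LISTENING ports, flags those in the thread's trojan-port table, and separates out the browser leftovers TonyT describes; the sample netstat text is constructed, and the 1243 entry comes from blebs' earlier hunch.

```python
"""Triage of Windows `netstat -an` output as read in this thread: list LISTENING ports,
flag those in the trojan-port table, and set aside expected browser leftovers."""
import re

# Port-to-trojan table as posted in the thread (TonyT's list plus blebs' 1243 hunch).
# A hit is a lead to investigate, not proof: a legitimate program can bind the same port.
KNOWN_TROJAN_PORTS = {
    142: "NetTaxi", 420: "Breach", 531: "Rasmin", 532: "Rasmin", 605: "Secret Service",
    1010: "Doly Trojan", 1011: "Doly Trojan", 1012: "Doly Trojan", 1015: "Doly Trojan",
    1099: "Blood Fest Evolution / RAT", 1243: "SubSeven", 1269: "Matrix",
    6969: "GateCrasher / IRC 3 / Net Controller / Priority",
    7000: "Exploit Translation Server / Kazimas / Remote Grab / SubSeven 2.1 Gold",
    7215: "SubSeven / SubSeven 2.1 Gold",
    27374: "Bad Blood / SubSeven / SubSeven 2.1 Gold / SubSeven 2.1.4 DefCon 8",
    27573: "SubSeven",
}

# One netstat row: proto, local addr:port, foreign addr:port, optional state (UDP has none).
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")

def parse_netstat(text):
    """Return one dict per connection row; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, _laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "state": state or "",
                     "local_port": None if lport == "*" else int(lport),
                     "foreign_addr": faddr,
                     "foreign_port": None if fport == "*" else int(fport)})
    return rows

def triage(text):
    """Summarise the rows the way the thread reads them."""
    rows = parse_netstat(text)
    listening = sorted(r["local_port"] for r in rows if r["state"] == "LISTENING")
    flagged = {p: KNOWN_TROJAN_PORTS[p] for p in listening if p in KNOWN_TROJAN_PORTS}
    # An ESTABLISHED session on a flagged port is the strongest signal: someone is connected.
    remote_on_flagged = sorted((r["foreign_addr"], r["local_port"]) for r in rows
                               if r["state"] == "ESTABLISHED" and r["local_port"] in KNOWN_TROJAN_PORTS)
    # Leftover browser sockets to port 80 are expected noise after surfing, which is why
    # the advice was to run netstat right after a reboot, before opening anything.
    browser_noise = sum(1 for r in rows
                        if r["foreign_port"] == 80 and r["state"] in ("ESTABLISHED", "TIME_WAIT"))
    udp_ports = sorted(r["local_port"] for r in rows if r["proto"] == "UDP")
    return {"listening": listening, "flagged": flagged, "remote_on_flagged": remote_on_flagged,
            "browser_noise": browser_noise, "udp_ports": udp_ports}

# Constructed sample in the Windows 9x netstat -an layout (not output from the thread);
# 139 is NetBIOS, normal on a Win9x box with file sharing, and is deliberately not flagged.
SAMPLE = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1010           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6969           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1045       198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.5:1046       198.51.100.7:80        TIME_WAIT
  TCP    192.168.1.5:27374      203.0.113.9:3760       ESTABLISHED
  UDP    0.0.0.0:1200           *:*
  UDP    0.0.0.0:1201           *:*
"""

def demo():
    return triage(SAMPLE)
```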
gcarmine
New Member
Posts: 16
Joined: Sun Jul 08, 2001 12:57 pm
Location: South Fla.

Post by gcarmine »

WOW TonyT, I thought it was bad, but I never suspected it was that bad!

OK, I guess I have no choice but to reformat and reinstall. I guess I'll be gone from here for a day or 2.

Once I get my software back in the system I will get a firewall software for when I'm on the net.

Zone Alarm? They tell me it is very easy to work with...

Before I go away for a while, how do you tie a port number to a trojan? I wish I were so knowledgeable on the subject...

Many thanks again to everyone who so graciously helped me out on this problem!

Giuseppe
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Trojan Port List

Zone Alarm is by far the easiest for you to get along with. Once you get it installed, the firewall will ask YOU if you want to give a program permission to access the internet. YOU have to give it permission to do so. I think you'll love it when you become familiar with it. ;)

Another Trojan Port List
gcarmine
New Member
Posts: 16
Joined: Sun Jul 08, 2001 12:57 pm
Location: South Fla.

Post by gcarmine »

Thanks Ken!

I know how to do the reformat thing here, so no problem with that.

I have to tell you though, I thought if I got a firewall software in my system, that the firewall itself would probably act as a server and spy on my connections and was very hesitant on getting any.

Zone Alarm it is then.

What is a UDP, what is its purpose?

Thanks,

Giuseppe
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Just to show you what happens in Zone Alarm, while I was reading Ken's post I got this:

The firewall has blocked Internet access to your computer (TCP Port 27374) from 24.168.105.253 (TCP Port 3760) [TCP Flags: S].

Time: 7/8/01 9:47:34 PM :D
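As an added example, not from the thread or from ZoneAlarm itself, the following Python parses alert text in the format blebs pasted above and counts which remote host probed which local port, so repeated SYNs to a backdoor port such as 27374 stand out; the log lines are constructed, using documentation-range addresses rather than the address in the post.

```python
"""Summarise ZoneAlarm 'blocked' alerts: which remote host probed which local port,
and how often, so a burst of SYNs to a known backdoor port stands out."""
import re
from collections import Counter
from datetime import datetime

# Alert body and the 'Time:' line shown beneath it, in the format quoted in the thread.
_ALERT = re.compile(
    r"The firewall has blocked Internet access to your computer "
    r"\((TCP|UDP) Port (\d+)\) from (\S+) \((?:TCP|UDP) Port (\d+)\)"
    r"(?: \[TCP Flags: ([A-Z]+)\])?\."
)
_TIME = re.compile(r"Time: (\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)")

# Backdoor listener ports named in the thread (blebs' hunch: 27374 and 1243).
BACKDOOR_PORTS = {1243: "SubSeven", 27374: "SubSeven"}

def parse_alerts(text):
    """Return one dict per alert; an alert is the blocked line plus its Time: line."""
    alerts, pending = [], None
    for line in text.splitlines():
        m = _ALERT.search(line)
        if m:
            proto, dport, src, sport, flags = m.groups()
            pending = {"proto": proto, "dst_port": int(dport), "src": src,
                       "src_port": int(sport), "flags": flags or "", "time": None}
            alerts.append(pending)
            continue
        t = _TIME.search(line)
        if t and pending is not None:
            # ZoneAlarm prints month/day/two-digit year and a 12-hour clock
            pending["time"] = datetime.strptime(t.group(1), "%m/%d/%y %I:%M:%S %p")
            pending = None
    return alerts

def probe_summary(text):
    """Count (source, destination port) pairs, most frequent first, naming the backdoor."""
    counts = Counter((a["src"], a["dst_port"]) for a in parse_alerts(text))
    return [{"src": src, "dst_port": port, "hits": n, "backdoor": BACKDOOR_PORTS.get(port)}
            for (src, port), n in counts.most_common()]

# Constructed sample log (documentation-range addresses, not the address from the thread).
SAMPLE_LOG = """\
The firewall has blocked Internet access to your computer (TCP Port 27374) from 203.0.113.9 (TCP Port 3760) [TCP Flags: S].
Time: 7/8/01 9:47:34 PM
The firewall has blocked Internet access to your computer (TCP Port 27374) from 203.0.113.9 (TCP Port 3761) [TCP Flags: S].
Time: 7/8/01 9:47:35 PM
The firewall has blocked Internet access to your computer (TCP Port 1243) from 203.0.113.9 (TCP Port 3762) [TCP Flags: S].
Time: 7/8/01 9:47:36 PM
The firewall has blocked Internet access to your computer (UDP Port 137) from 203.0.113.44 (UDP Port 137).
Time: 7/8/01 9:50:02 PM
"""
```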
gcarmine
New Member
Posts: 16
Joined: Sun Jul 08, 2001 12:57 pm
Location: South Fla.

Post by gcarmine »

OK people, many thanks!

I will now sign off and start reformatting here, but will soon be back. (Cross your fingers)

Cheers,

Giuseppe

PS blebs99, I've heard your advice too, ZoneAlarm it will be!
Matt615
Senior Member
Posts: 2030
Joined: Sun Jan 07, 2001 12:00 am
Location: Somewhere on the east coast of the US

Post by Matt615 »

gcarmine it may also be a good idea to change any passwords you have when you get back from re-formatting.
fredra
Advanced Member
Posts: 847
Joined: Mon Mar 20, 2000 12:00 am
Location: Nepean, On, Canada

YOWSER!!!!!

Post by fredra »

WOW...WOW...WOW
I have never seen such an infection...that needs more than the ORKIN man....lol (j/k) :rotfl:
A man with a watch knows what time it is. A man with two watches is never sure.
TonyT
SG VIP
Posts: 10356
Joined: Fri Jan 28, 2000 12:00 am
Location: Fairfax, VA

Post by TonyT »

well............fix it yet?
Thorazine
Regular Member
Posts: 353
Joined: Tue Dec 14, 1999 12:00 am
Location: Washington, DC, USA

Post by Thorazine »

The question isn't "do I have a trojan on my machine?".

The question should be "which trojan don't you have on your machine!"

http://www.sans.org/newlook/resources/I ... dports.htm
IronMan
Member
Posts: 51
Joined: Sun Jul 08, 2001 10:49 pm

Post by IronMan »

Even with all my years on "The Darkside" I have never seen such an infestation. My goodness, besides reinstalling, may I suggest being more careful what proggies you run?? (Unless of course it's not solely your machine.) Sounds like some lamers were having a field day with you. Besides a firewall, how bout a good AV to notify you if you happen to download a server?? L8r
"You tell me Im a sinner, I've got news for you, I spoke to God this morning and he dont like You."
-The Great One, Ozzy Osbourne-
W_I_Z_K_I_D
Regular Member
Posts: 363
Joined: Sun Jun 10, 2001 9:33 am
Location: !!!Your Computer-You Just Dont Know It YeT!!!

Post by W_I_Z_K_I_D »

Yeah, I agree with ya man
That was BAD.. man, I'm thinkin it's someone with direct access to his computer. AnYwAy
HaHa, if it's not, who says he's not vulnerable to an attack yet again....
Things to think about...
gcarmine :: man, if I was you I would seriously think about changing my IP.
If you're on dial up then think about changing to another ISP.
Did you have any REALTIME Anti Virus programs monitoring while you were connected to the net..?
InoculateIt Anti Virus
AVG Anti Virus
E'Safe Desktop
I got all those running so I'm pretty well safe man as far as viruses go.. :nod:

~LaYtA~ :cool:
!!!What Man Can Make
Man Can Brake!!! :irate:

Windows XP ( Service Pack 2 )
Pentium 4 (3) GHz
2.00 GB of RAM

** Zone Allarm Pro
** AVG Anti Virus
** Cookie Wall
** Pop Up Stopper
** Spy Bot
** Spy Ware Blasster
** Add Aware se Pro
** Ccleaner
** Clean Up
** Port Bloacker
** Tweek UI WIn XP
** Port Scanner


Dialup 56k
DialUp-Syd.IPrimus....56k(Motorola internal Modem)
IronMan
Member
Posts: 51
Joined: Sun Jul 08, 2001 10:49 pm

Post by IronMan »

Wizkid and I seem to agree: THAT'S A LOT OF TROJANS. We also seem to agree on realtime antivirus. It appears you have the S7 trojan and there's not a half decent antivirus around that would let you run that server. And if it is not you running these progs, I'd consider limiting direct access to your puter. L8r
btw Scr1pt Kiddi3s SUCK. Mentor (sigh) would be rolling over in his grave...... well, if he was dead.....
"You tell me Im a sinner, I've got news for you, I spoke to God this morning and he dont like You."
-The Great One, Ozzy Osbourne-
W_I_Z_K_I_D
Regular Member
Posts: 363
Joined: Sun Jun 10, 2001 9:33 am
Location: !!!Your Computer-You Just Dont Know It YeT!!!

Post by W_I_Z_K_I_D »

Originally posted by IronMan
Wizkid and I seem to agree: THAT'S A LOT OF TROJANS. We also seem to agree on realtime antivirus. It appears you have the S7 trojan and there's not a half decent antivirus around that would let you run that server. And if it is not you running these progs, I'd consider limiting direct access to your puter. L8r
btw Scr1pt Kiddi3s SUCK. Mentor (sigh) would be rolling over in his grave...... well, if he was dead.....
LoL... IronMan...
Some good points there. Another thing I would suggest is a good encryption program. This is just in case you get infected again. It would encrypt messages, e-mails and your hard disk so the attacker can't read the info..
IronMan, I'm lucky.. My girlfriend can't even turn a computer on and she's the only person I live with.. So that's all good.. lol ;)
IronMan
Member
Posts: 51
Joined: Sun Jul 08, 2001 10:49 pm

Post by IronMan »

LoL maybe you should teach her man. NO ONE touches my puter, I don't care who they are. (ok ok some exceptions, but not many) And by the way, great point about the encryption. Hope the reformat went well; he doesn't seem to be back on the board yet. :confused: I really hope it doesn't happen to them again.
"You tell me Im a sinner, I've got news for you, I spoke to God this morning and he dont like You."
-The Great One, Ozzy Osbourne-
gcarmine
New Member
Posts: 16
Joined: Sun Jul 08, 2001 12:57 pm
Location: South Fla.

I'm back !!!!!!!!!!!!!!!!!!!!

Post by gcarmine »

Sorry for the time it has taken, but I've been dealing with a whole lot of legal issues concerning things which my computer has been doing for some time without me knowing it.

Because of legal reasons, I can't tell you everything, but every connection to the Internet I have made from 6 months ago to the present has been followed by the Federal gov't, because they have been trying to catch the original hackers, who it seems have been trying to get into some big time Gov't stuff. They won't tell me if there was success on the hackers' part...

Since all the hacking was done with the help of a lot of unsuspecting computer users with their machines being compromised, mine being one, apparently it took them that long to catch the guys that were doing it, but they did.

I'm not allowed to explain which countries were involved; hacking came from 3 different places to my machine and others, and then on through to other machines including some gov't offices.

I've been visited a lot of times by well dressed "gentlemen" and my original hard drive has been confiscated.

So far, it seems I am out of hot water since the hacking was not done by me; rather, my puter was used indirectly for those actions. I'm also allowed back on the Internet, but with dial-up, not with cable.

According to them, they got the go-ahead to pay me a visit and take my HDD when they noticed I was not using cable to connect any more.

I have learned, the hard way, how important it is to have a firewall activated in my computer; won't be without one from now on!!!

OK, I think I have said enough and hope not more than I am really allowed to say, but want to thank everyone who has given me so much advice here when I needed it.

Giuseppe
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Very Hard Way To Learn A Lesson!

As soon as you mentioned all the connections and ports open, I knew someone or more were in full control of your computer. I would advise that if certain people were to start this again, get a HARDWARE firewall/router added, along with a software firewall to act as a safety net and catch what may get past the router.

Well, good luck to you in the future. I'm sure you won't make that mistake again. If it makes you feel any better, there are still people out here that think that something like what happened to you can't happen to them! :)
fredra
Advanced Member
Posts: 847
Joined: Mon Mar 20, 2000 12:00 am
Location: Nepean, On, Canada

Post by fredra »

Well said blebs.... I concur
Hey gcarmine.....Sorry you had to be exposed in that fashion, but we all attend the school of experience.
Welcome back
PEACE!!!!!