«

I had a strange message when I shutdown my PC today. The message said:

"user TRIFACA connected. Do you still want to shutdown?"

I assume someone accessed my PC but I'm not sure. A virus scan found a
Trojan dropper that I suspect may be related. Can anyone out there tell me
what I encountered? Were my files accessed?

Thanks for your help.

--
Jim

Not without stating which Trojan Dropper was found and maybe was dropped.

If you are on Broadband, use a Cable/DSL Router to block outsiders from connecting to your
PC via MS Networking.

--
Dave




"Jim" <> wrote in message
news:...
| I had a strange message when I shutdown my PC today. The message said:
|
| "user TRIFACA connected. Do you still want to shutdown?"
|
| I assume someone accessed my PC but I'm not sure. A virus scan found a
| Trojan dropper that I suspect may be related. Can anyone out there tell me
| what I encountered? Were my files accessed?
|
| Thanks for your help.
|
| --
| Jim
|
|

"Jim" <> wrote in message
news:...
> I had a strange message when I shutdown my PC today. The message said:
>
> "user TRIFACA connected. Do you still want to shutdown?"
>
> I assume someone accessed my PC but I'm not sure. A virus scan found a
> Trojan dropper that I suspect may be related. Can anyone out there tell
me
> what I encountered? Were my files accessed?
>
> Thanks for your help.
>
> --
> Jim
>
>

Here's the info form the log file:

Source: C:\WINDOWS\TEMP\Installer2.exe
Description: The file C:\WINDOWS\TEMP\Installer2.exe is infected with the
Trojan dropper virus.
Click for more information about this virus

Jim


"Jim" <> wrote in message
news:...
> I had a strange message when I shutdown my PC today. The message said:
>
> "user TRIFACA connected. Do you still want to shutdown?"
>
> I assume someone accessed my PC but I'm not sure. A virus scan found a
> Trojan dropper that I suspect may be related. Can anyone out there tell
me
> what I encountered? Were my files accessed?
>
> Thanks for your help.
>
> --
> Jim
>
>

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Dowload the Trend Pattern File by obtaining the ZIP file.
For example; lpt436.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point


* * * Please report your results ! * * *

--
Dave






"Jim" <> wrote in message
news:...
| Here's the info form the log file:
|
| Source: C:\WINDOWS\TEMP\Installer2.exe
| Description: The file C:\WINDOWS\TEMP\Installer2.exe is infected with the
| Trojan dropper virus.
| Click for more information about this virus
|
| Jim
|
|
| "Jim" <> wrote in message
| news:...
| > I had a strange message when I shutdown my PC today. The message said:
| >
| > "user TRIFACA connected. Do you still want to shutdown?"
| >
| > I assume someone accessed my PC but I'm not sure. A virus scan found a
| > Trojan dropper that I suspect may be related. Can anyone out there tell
| me
| > what I encountered? Were my files accessed?
| >
| > Thanks for your help.
| >
| > --
| > Jim
| >
| >
|
|

On Tue, 22 Feb 2005 13:20:33 -0800, "Jim" <>
wrote:

>Here's the info form the log file:
>
>Source: C:\WINDOWS\TEMP\Installer2.exe
>Description: The file C:\WINDOWS\TEMP\Installer2.exe is infected with the
>Trojan dropper virus.
>Click for more information about this virus
>
>Jim
>
#########################
Before you do all that work that David suggested, I would make sure
that file sharing is not enabled, then I would look in HKLM,Software,
Microsoft, Windows, CurrentVersion,Run and see what;s loading. Do the
same in HKCU. Many trojans hide in those places.
Also, I would run netstat -an and see what IP and port the conection
is using. Run a whois on the IP address and try to get the NetBIOS
table. nbtstat -A IP_address.
donnie

At alternative to the Command Line utility NETSTAT.EXE is TCPVIEW (tcpview.exe v2.34) by
Sysinternals

http://www.sysinternals.com/ntw2k/utilities.shtml

It is a GUI utility and will show the information real-time and under NT Based OS's it will
also show the fully qualified executable opening a given port and communicating with a
remote site.

--
Dave



"donnie" <> wrote in message
news:...
| On Tue, 22 Feb 2005 13:20:33 -0800, "Jim" <>
| wrote:
|

| Before you do all that work that David suggested, I would make sure
| that file sharing is not enabled, then I would look in HKLM,Software,
| Microsoft, Windows, CurrentVersion,Run and see what;s loading. Do the
| same in HKCU. Many trojans hide in those places.
| Also, I would run netstat -an and see what IP and port the conection
| is using. Run a whois on the IP address and try to get the NetBIOS
| table. nbtstat -A IP_address.
| donnie

David H. Lipman wrote:
> At alternative to the Command Line utility NETSTAT.EXE is TCPVIEW (tcpview.exe v2.34) by
> Sysinternals
>
> http://www.sysinternals.com/ntw2k/utilities.shtml
>
> It is a GUI utility and will show the information real-time and under NT Based OS's it will
> also show the fully qualified executable opening a given port and communicating with a
> remote site.
>
And the process explorer tool at the same site can tell you what process
is reinstalling the software and where it is located. I suspect an
activeX control on the system.

Winged

David H. Lipman wrote:
> At alternative to the Command Line utility NETSTAT.EXE is TCPVIEW (tcpview.exe v2.34) by
> Sysinternals
>
> http://www.sysinternals.com/ntw2k/utilities.shtml
>
> It is a GUI utility and will show the information real-time and under NT Based OS's it will
> also show the fully qualified executable opening a given port and communicating with a
> remote site.
>
And the process explorer tool at the same site can tell you what process
is reinstalling the software and where it is located. I suspect an
activeX control on the system.

Winged

I was just made aware of a new utility by Sysinternals

http://www.sysinternals.com/ntw2k/fr...itreveal.shtml

"RootkitRevealer is a an advanced root kit detection utility. It runs on Windows NT4 and
higher and its output lists Registry and file system API discrepancies that may indicate the
presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all
rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender."


--
Dave




"winged" <> wrote in message news:cvgrgl$...
| David H. Lipman wrote:
| > At alternative to the Command Line utility NETSTAT.EXE is TCPVIEW (tcpview.exe v2.34) by
| > Sysinternals
| >
| > http://www.sysinternals.com/ntw2k/utilities.shtml
| >
| > It is a GUI utility and will show the information real-time and under NT Based OS's it
will
| > also show the fully qualified executable opening a given port and communicating with a
| > remote site.
| >
| And the process explorer tool at the same site can tell you what process
| is reinstalling the software and where it is located. I suspect an
| activeX control on the system.
|
| Winged