Velocity Reviews > Newsgroups > Computing > Computer Security
Windows Me "User Connected"

 
 
Jim
02-22-2005
I had a strange message when I shutdown my PC today. The message said:

"user TRIFACA connected. Do you still want to shutdown?"

I assume someone accessed my PC but I'm not sure. A virus scan found a
Trojan dropper that I suspect may be related. Can anyone out there tell me
what I encountered? Were my files accessed?

Thanks for your help.

--
Jim


 
David H. Lipman
02-22-2005
Not without stating which Trojan Dropper was found and maybe what was dropped.

If you are on Broadband, use a Cable/DSL Router to block outsiders from connecting to your
PC via MS Networking.

--
Dave




"Jim" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
| I had a strange message when I shutdown my PC today. The message said:
|
| "user TRIFACA connected. Do you still want to shutdown?"
|
| I assume someone accessed my PC but I'm not sure. A virus scan found a
| Trojan dropper that I suspect may be related. Can anyone out there tell me
| what I encountered? Were my files accessed?
|
| Thanks for your help.
|
| --
| Jim
|
|


 
Jim
02-22-2005

"Jim" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I had a strange message when I shutdown my PC today. The message said:
>
> "user TRIFACA connected. Do you still want to shutdown?"
>
> I assume someone accessed my PC but I'm not sure. A virus scan found a
> Trojan dropper that I suspect may be related. Can anyone out there tell me
> what I encountered? Were my files accessed?
>
> Thanks for your help.
>
> --
> Jim
>
>



 
Jim
02-22-2005
Here's the info from the log file:

Source: C:\WINDOWS\TEMP\Installer2.exe
Description: The file C:\WINDOWS\TEMP\Installer2.exe is infected with the
Trojan dropper virus.
Click for more information about this virus

Jim


"Jim" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I had a strange message when I shutdown my PC today. The message said:
>
> "user TRIFACA connected. Do you still want to shutdown?"
>
> I assume someone accessed my PC but I'm not sure. A virus scan found a
> Trojan dropper that I suspect may be related. Can anyone out there tell me
> what I encountered? Were my files accessed?
>
> Thanks for your help.
>
> --
> Jim
>
>



 
David H. Lipman
02-22-2005
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend Pattern File.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download Sysclean.com and place it in that directory.
Download the Trend Pattern File by obtaining the ZIP file.
For example; lpt436.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adaware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDoc...SysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
Reboot your PC.
8) If you are using WinME or WinXP, create a new Restore point


* * * Please report your results ! * * *

--
Dave






"Jim" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
| Here's the info from the log file:
|
| Source: C:\WINDOWS\TEMP\Installer2.exe
| Description: The file C:\WINDOWS\TEMP\Installer2.exe is infected with the
| Trojan dropper virus.
| Click for more information about this virus
|
| Jim
|
|
| "Jim" <(E-Mail Removed)> wrote in message
| news:(E-Mail Removed)...
| > I had a strange message when I shutdown my PC today. The message said:
| >
| > "user TRIFACA connected. Do you still want to shutdown?"
| >
| > I assume someone accessed my PC but I'm not sure. A virus scan found a
| > Trojan dropper that I suspect may be related. Can anyone out there tell me
| > what I encountered? Were my files accessed?
| >
| > Thanks for your help.
| >
| > --
| > Jim
| >
| >
|
|


 
donnie
02-23-2005
On Tue, 22 Feb 2005 13:20:33 -0800, "Jim" <(E-Mail Removed)>
wrote:

>Here's the info form the log file:
>
>Source: C:\WINDOWS\TEMP\Installer2.exe
>Description: The file C:\WINDOWS\TEMP\Installer2.exe is infected with the
>Trojan dropper virus.
>Click for more information about this virus
>
>Jim
>

#########################
Before you do all that work that David suggested, I would make sure
that file sharing is not enabled, then I would look in HKLM,Software,
Microsoft, Windows, CurrentVersion,Run and see what's loading. Do the
same in HKCU. Many trojans hide in those places.
Also, I would run netstat -an and see what IP and port the connection
is using. Run a whois on the IP address and try to get the NetBIOS
table. nbtstat -A IP_address.
donnie
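Added example, not written by anyone in this thread: a short Python script that applies donnie's two checks to captured text instead of by eye. It parses `netstat -an` output and flags NetBIOS/SMB ports reachable from the network, an established inbound session on a share port (the situation behind a "user ... connected" shutdown prompt) and established connections to addresses outside RFC 1918 space, and it parses a regedit export of the HKLM and HKCU Run keys and flags autorun entries launched from a temp directory. Both inputs are constructed samples: only the C:\WINDOWS\TEMP\Installer2.exe path comes from Jim's scanner log, every other name, address and port is made up, and the temp-directory rule is a heuristic of this example rather than something the thread states.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample laid out like Windows `netstat -an` output (not captured from Jim's PC).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       192.168.1.77:1043      ESTABLISHED
  TCP    192.168.1.20:1057      203.0.113.45:6667      ESTABLISHED
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample in regedit export (.reg) format for the two Run keys donnie names.
# Only the Installer2.exe path comes from the thread (Jim's scanner log); the rest is made up.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"
"Installer2"="C:\\WINDOWS\\TEMP\\Installer2.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"""

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")
Autorun = namedtuple("Autorun", "key name command exe")

# NetBIOS name/datagram/session and direct-hosted SMB: the ports MS Networking file sharing uses.
SHARE_PORTS = {137, 138, 139, 445}
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Heuristic for this example only: autoruns launched from a temp directory deserve a look.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\", "temporary internet files")


def is_local_net(ip):
    """True for wildcard, loopback and RFC 1918 addresses; False for anything else."""
    if ip in ("*", "0.0.0.0"):
        return True
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)


def parse_netstat(text):
    """Turn `netstat -an` rows into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""      # UDP rows carry no state
        conns.append(Conn(parts[0], local_ip, int(local_port), remote_ip, remote_port, state))
    return conns


def triage_connections(conns):
    """Return (category, Conn) pairs answering donnie's two questions:
    is file sharing reachable from the network, and who is connected right now?"""
    findings = []
    for c in conns:
        if c.proto == "UDP" and c.local_port in SHARE_PORTS:
            findings.append(("netbios_exposed", c))
        elif c.state == "LISTENING" and c.local_port in SHARE_PORTS and c.local_ip == "0.0.0.0":
            findings.append(("smb_listening", c))
        elif c.state == "ESTABLISHED":
            if c.local_port in SHARE_PORTS:
                findings.append(("inbound_share_session", c))   # the "user connected" case
            elif not is_local_net(c.remote_ip):
                findings.append(("outbound_to_internet", c))
    return findings


def command_exe(command):
    """Pull the executable path out of a Run value, quoted or unquoted form."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def parse_run_keys(text):
    """Parse the name=value lines of a .reg export, undoing its backslash and quote escapes."""
    autoruns, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"="' in line:
            name, _, value = line[1:-1].partition('"="')
            value = value.replace('\\"', '"').replace("\\\\", "\\")
            autoruns.append(Autorun(key, name, value, command_exe(value)))
    return autoruns


def suspicious_autoruns(autoruns):
    """Autorun entries whose executable lives under a temp directory."""
    return [a for a in autoruns if any(m in a.exe.lower() for m in TEMP_MARKERS)]


if __name__ == "__main__":
    for kind, c in triage_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{kind:22} {c.proto} {c.local_ip}:{c.local_port} <-> {c.remote_ip}:{c.remote_port} {c.state}")
    for a in suspicious_autoruns(parse_run_keys(SAMPLE_REG)):
        print(f"suspicious autorun     {a.key}\\{a.name} -> {a.exe}")
```

To use it on a real machine, replace the two sample strings with the saved output of `netstat -an` and a regedit export of the two Run keys. An inbound_share_session finding gives the IP address donnie suggests feeding to whois and nbtstat -A; a smb_listening or netbios_exposed finding on a machine that is directly on broadband is what Dave's router advice addresses.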
 
David H. Lipman
02-23-2005
An alternative to the Command Line utility NETSTAT.EXE is TCPVIEW (tcpview.exe v2.34) by
Sysinternals

http://www.sysinternals.com/ntw2k/utilities.shtml

It is a GUI utility and will show the information real-time and under NT Based OS's it will
also show the fully qualified executable opening a given port and communicating with a
remote site.

--
Dave



"donnie" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
| On Tue, 22 Feb 2005 13:20:33 -0800, "Jim" <(E-Mail Removed)>
| wrote:
|

| Before you do all that work that David suggested, I would make sure
| that file sharing is not enabled, then I would look in HKLM,Software,
| Microsoft, Windows, CurrentVersion,Run and see what's loading. Do the
| same in HKCU. Many trojans hide in those places.
| Also, I would run netstat -an and see what IP and port the connection
| is using. Run a whois on the IP address and try to get the NetBIOS
| table. nbtstat -A IP_address.
| donnie


 
winged
02-23-2005
David H. Lipman wrote:
> An alternative to the Command Line utility NETSTAT.EXE is TCPVIEW (tcpview.exe v2.34) by
> Sysinternals
>
> http://www.sysinternals.com/ntw2k/utilities.shtml
>
> It is a GUI utility and will show the information real-time and under NT Based OS's it will
> also show the fully qualified executable opening a given port and communicating with a
> remote site.
>

And the process explorer tool at the same site can tell you what process
is reinstalling the software and where it is located. I suspect an
activeX control on the system.

Winged
 
David H. Lipman
02-23-2005
I was just made aware of a new utility by Sysinternals

http://www.sysinternals.com/ntw2k/fr...itreveal.shtml

"RootkitRevealer is an advanced root kit detection utility. It runs on Windows NT4 and
higher and its output lists Registry and file system API discrepancies that may indicate the
presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all
rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender."


--
Dave




"winged" <(E-Mail Removed)> wrote in message news:cvgrgl$(E-Mail Removed)...
| David H. Lipman wrote:
| > An alternative to the Command Line utility NETSTAT.EXE is TCPVIEW (tcpview.exe v2.34) by
| > Sysinternals
| >
| > http://www.sysinternals.com/ntw2k/utilities.shtml
| >
| > It is a GUI utility and will show the information real-time and under NT Based OS's it will
| > also show the fully qualified executable opening a given port and communicating with a
| > remote site.
| >
| And the process explorer tool at the same site can tell you what process
| is reinstalling the software and where it is located. I suspect an
| activeX control on the system.
|
| Winged


 