Windows Me "User Connected"

Discussion in 'Computer Security' started by Jim, Feb 22, 2005.

  1. Jim

    Jim Guest

    I had a strange message when I shutdown my PC today. The message said:

    "user TRIFACA connected. Do you still want to shutdown?"

    I assume someone accessed my PC but I'm not sure. A virus scan found a
    Trojan dropper that I suspect may be related. Can anyone out there tell me
    what I encountered? Were my files accessed?

    Thanks for your help.

    --
    Jim
     
    Jim, Feb 22, 2005
    #1

  2. Not without stating which Trojan Dropper was found and maybe was dropped.

    If you are on Broadband, use a Cable/DSL Router to block outsiders from connecting to your
    PC via MS Networking.

    --
    Dave




    "Jim" <> wrote in message
    news:...
    | I had a strange message when I shutdown my PC today. The message said:
    |
    | "user TRIFACA connected. Do you still want to shutdown?"
    |
    | I assume someone accessed my PC but I'm not sure. A virus scan found a
    | Trojan dropper that I suspect may be related. Can anyone out there tell me
    | what I encountered? Were my files accessed?
    |
    | Thanks for your help.
    |
    | --
    | Jim
    |
    |
     
    David H. Lipman, Feb 22, 2005
    #2

  3. Jim

    Jim Guest

    "Jim" <> wrote in message
    news:...
    > I had a strange message when I shutdown my PC today. The message said:
    >
    > "user TRIFACA connected. Do you still want to shutdown?"
    >
    > I assume someone accessed my PC but I'm not sure. A virus scan found a
    > Trojan dropper that I suspect may be related. Can anyone out there tell me
    > what I encountered? Were my files accessed?
    >
    > Thanks for your help.
    >
    > --
    > Jim
    >
    >
     
    Jim, Feb 22, 2005
    #3
  4. Jim

    Jim Guest

    Here's the info from the log file:

    Source: C:\WINDOWS\TEMP\Installer2.exe
    Description: The file C:\WINDOWS\TEMP\Installer2.exe is infected with the
    Trojan dropper virus.
    Click for more information about this virus

    Jim


    "Jim" <> wrote in message
    news:...
    > I had a strange message when I shutdown my PC today. The message said:
    >
    > "user TRIFACA connected. Do you still want to shutdown?"
    >
    > I assume someone accessed my PC but I'm not sure. A virus scan found a
    > Trojan dropper that I suspect may be related. Can anyone out there tell me
    > what I encountered? Were my files accessed?
    >
    > Thanks for your help.
    >
    > --
    > Jim
    >
    >
     
    Jim, Feb 22, 2005
    #4
  5. 1) Download the following three items...

    Trend Sysclean Package
    http://www.trendmicro.com/download/dcs.asp

    Latest Trend Pattern File.
    http://www.trendmicro.com/download/pattern.asp

    Adaware SE (free personal version v1.05)
    http://www.lavasoftusa.com/

    Create a directory.
    On drive "C:\"
    (e.g., "c:\New Folder")
    or the desktop
    (e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

    Download Sysclean.com and place it in that directory.
    Download the Trend Pattern File by obtaining the ZIP file.
    For example; lpt436.zip

    Extract the contents of the ZIP file and place the contents in the same directory as
    sysclean.com.

    2) Update Adaware with the latest definitions.
    3) If you are using WinME or WinXP, disable System Restore
    http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
    4) Reboot your PC into Safe Mode
    5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
    platform and clean/delete any infectors/parasites found.
    (a few cycles may be needed)
    6) Restart your PC and perform a "final" Full Scan of your platform using both the
    Trend Sysclean utility and Adaware
    7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
    System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
    8) Reboot your PC.
    9) If you are using WinME or WinXP, create a new Restore point


    * * * Please report your results ! * * *

    --
    Dave






    "Jim" <> wrote in message
    news:...
    | Here's the info from the log file:
    |
    | Source: C:\WINDOWS\TEMP\Installer2.exe
    | Description: The file C:\WINDOWS\TEMP\Installer2.exe is infected with the
    | Trojan dropper virus.
    | Click for more information about this virus
    |
    | Jim
    |
    |
    | "Jim" <> wrote in message
    | news:...
    | > I had a strange message when I shutdown my PC today. The message said:
    | >
    | > "user TRIFACA connected. Do you still want to shutdown?"
    | >
    | > I assume someone accessed my PC but I'm not sure. A virus scan found a
    | > Trojan dropper that I suspect may be related. Can anyone out there tell me
    | > what I encountered? Were my files accessed?
    | >
    | > Thanks for your help.
    | >
    | > --
    | > Jim
    | >
    | >
    |
    |
     
    David H. Lipman, Feb 22, 2005
    #5
  6. Jim

    donnie Guest

    On Tue, 22 Feb 2005 13:20:33 -0800, "Jim" <>
    wrote:

    >Here's the info from the log file:
    >
    >Source: C:\WINDOWS\TEMP\Installer2.exe
    >Description: The file C:\WINDOWS\TEMP\Installer2.exe is infected with the
    >Trojan dropper virus.
    >Click for more information about this virus
    >
    >Jim
    >

    #########################
    Before you do all that work that David suggested, I would make sure
    that file sharing is not enabled, then I would look in HKLM,Software,
    Microsoft, Windows, CurrentVersion,Run and see what's loading. Do the
    same in HKCU. Many trojans hide in those places.
    Also, I would run netstat -an and see what IP and port the connection
    is using. Run a whois on the IP address and try to get the NetBIOS
    table. nbtstat -A IP_address.
    donnie
     
    donnie, Feb 23, 2005
    #6
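Donnie's `netstat -an` check, as an added example that is not part of the thread: a small Python script that parses netstat output and separates file-sharing listeners, inbound SMB/NetBIOS sessions like the one behind the "user connected" prompt, and other remote connections. The sample output below is constructed (documentation addresses, Windows-style columns); the whois and `nbtstat -A` follow-up is left to the reader.

```python
# Constructed sample of Windows `netstat -an` output (not from the thread);
# addresses are documentation ranges, the layout mimics netstat's columns.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        203.0.113.77:3421      ESTABLISHED
  TCP    192.168.1.5:1042       198.51.100.9:80        ESTABLISHED
  TCP    127.0.0.1:1025         127.0.0.1:1026         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Ports that MS Networking (NetBIOS over TCP/IP and SMB) listens on.
FILE_SHARING_PORTS = {137, 138, 139, 445}


def parse_netstat(text):
    """Turn `netstat -an` text into one dict per socket line; headers are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lhost, lport = parts[1].rpartition(":")[::2]   # split on the last colon
        fhost, fport = parts[2].rpartition(":")[::2]   # "*:*" for UDP becomes ("*", "*")
        rows.append({"proto": parts[0], "local": lhost,
                     "lport": int(lport) if lport.isdigit() else None,
                     "foreign": fhost, "fport": fport,
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows


def triage(rows):
    """Group sockets the way a defender checks them after a 'user connected' prompt."""
    findings = {"sharing_listeners": [], "inbound_share_sessions": [], "other_remote": []}
    for r in rows:
        listening = r["state"] == "LISTENING" or r["proto"] == "UDP"
        if listening and r["lport"] in FILE_SHARING_PORTS:
            # File sharing reachable from the network: what a router/firewall should block.
            findings["sharing_listeners"].append((r["proto"], r["lport"]))
        elif r["state"] == "ESTABLISHED" and not r["foreign"].startswith("127."):
            entry = (r["foreign"], r["fport"], r["lport"])
            if r["lport"] in FILE_SHARING_PORTS:
                # A remote host holding an SMB/NetBIOS session: the "user connected" case.
                findings["inbound_share_sessions"].append(entry)
            else:
                # Other live connections; the foreign address is what to whois.
                findings["other_remote"].append(entry)
    return findings
```

Run `triage(parse_netstat(open("netstat.txt").read()))` on a saved `netstat -an` capture to get the three groups.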
  7. An alternative to the Command Line utility NETSTAT.EXE is TCPVIEW (tcpview.exe v2.34) by
    Sysinternals

    http://www.sysinternals.com/ntw2k/utilities.shtml

    It is a GUI utility and will show the information real-time and under NT Based OS's it will
    also show the fully qualified executable opening a given port and communicating with a
    remote site.

    --
    Dave



    "donnie" <> wrote in message
    news:...
    | On Tue, 22 Feb 2005 13:20:33 -0800, "Jim" <>
    | wrote:
    |

    | Before you do all that work that David suggested, I would make sure
    | that file sharing is not enabled, then I would look in HKLM,Software,
    | Microsoft, Windows, CurrentVersion,Run and see what's loading. Do the
    | same in HKCU. Many trojans hide in those places.
    | Also, I would run netstat -an and see what IP and port the connection
    | is using. Run a whois on the IP address and try to get the NetBIOS
    | table. nbtstat -A IP_address.
    | donnie
     
    David H. Lipman, Feb 23, 2005
    #7
  8. Jim

    winged Guest

    David H. Lipman wrote:
    > An alternative to the Command Line utility NETSTAT.EXE is TCPVIEW (tcpview.exe v2.34) by
    > Sysinternals
    >
    > http://www.sysinternals.com/ntw2k/utilities.shtml
    >
    > It is a GUI utility and will show the information real-time and under NT Based OS's it will
    > also show the fully qualified executable opening a given port and communicating with a
    > remote site.
    >

    And the process explorer tool at the same site can tell you what process
    is reinstalling the software and where it is located. I suspect an
    activeX control on the system.

    Winged
     
    winged, Feb 23, 2005
    #8
  10. I was just made aware of a new utility by Sysinternals

    http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml

    "RootkitRevealer is an advanced root kit detection utility. It runs on Windows NT4 and
    higher and its output lists Registry and file system API discrepancies that may indicate the
    presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all
    rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender."


    --
    Dave




    "winged" <> wrote in message news:cvgrgl$...
    | David H. Lipman wrote:
    | > An alternative to the Command Line utility NETSTAT.EXE is TCPVIEW (tcpview.exe v2.34) by
    | > Sysinternals
    | >
    | > http://www.sysinternals.com/ntw2k/utilities.shtml
    | >
    | > It is a GUI utility and will show the information real-time and under NT Based OS's it will
    | > also show the fully qualified executable opening a given port and communicating with a
    | > remote site.
    | >
    | And the process explorer tool at the same site can tell you what process
    | is reinstalling the software and where it is located. I suspect an
    | activeX control on the system.
    |
    | Winged
     
    David H. Lipman, Feb 23, 2005
    #10
  11. Jim

    Jim Guest

    Thanks everybody. I've updated and installed the various tools recommended. I
    also installed the Microsoft patch that came out on Feb. 8 that describes
    the scenario I encountered. I guess the bottom line is I have no way of
    knowing whether or not my system was violated. Oh well, I hope for the
    best.

    Jim

    "Jim" <> wrote in message
    news:...
    > I had a strange message when I shutdown my PC today. The message said:
    >
    > "user TRIFACA connected. Do you still want to shutdown?"
    >
    > I assume someone accessed my PC but I'm not sure. A virus scan found a
    > Trojan dropper that I suspect may be related. Can anyone out there tell me
    > what I encountered? Were my files accessed?
    >
    > Thanks for your help.
    >
    > --
    > Jim
    >
    >
     
    Jim, Feb 23, 2005
    #11
  12. Jim

    winged Guest

    David H. Lipman wrote:
    > I was just made aware of a new utility by Sysinternals
    >
    > http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
    >
    > "RootkitRevealer is an advanced root kit detection utility. It runs on Windows NT4 and
    > higher and its output lists Registry and file system API discrepancies that may indicate the
    > presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all
    > rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender."
    >
    >

    Thanks, I hadn't used this one before. It is in my toolbox now. I
    tested it on a known compromised virtual and the rootkit stood right
    out. It doesn't ID ADS (alternate data stream) rootkits that I could see
    but it is a very useful tool, once I figured out what I was looking at.
    Thanks again!

    Winged
     
    winged, Feb 24, 2005
    #12
  13. Jim

    nemo outis Guest

    In article <cvjrbl$>, winged
    <> wrote:
    >David H. Lipman wrote:
    >> I was just made aware of a new utility by Sysinternals
    >>
    >> http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
    >>
    >> "RootkitRevealer is an advanced root kit detection utility. It runs on Windows NT4 and
    >> higher and its output lists Registry and file system API discrepancies that may indicate the
    >> presence of a user-mode or kernel-mode rootkit. RootkitRevealer successfully detects all
    >> rootkits published at www.rootkit.com, including AFX, Vanquish and HackerDefender."
    >>
    >>

    >Thanks, I hadn't used this one before. It is in my toolbox now. I
    >tested it on a known compromised virtual and the rootkit stood right
    >out. It doesn't ID ADS (alternate data stream) rootkits that I could see
    >but it is a very useful tool, once I figured out what I was looking at.
    >Thanks again!
    >
    >Winged



    Sysinternals also has an ADS tool (Streams v1.5.1) as do many
    others.

    However, the best tool for actually manipulating (writing, etc.)
    ADSs that I have found (although I haven't looked all that hard)
    is called "ntfs streams info" at:

    http://www.isgeo.kiev.ua/shareware/

    There are cracks out there for it (but they don't seem to work on
    the latest version from the site - although they DO work for
    earlier versions with the same release number: 2.1).

    Regards,
     
    nemo outis, Feb 24, 2005
    #13
  14. Jim

    donnie Guest

    On Thu, 24 Feb 2005 23:56:34 GMT, nemo (nemo outis)
    wrote:

    >Sysinternals also has an ADS tool (Streams v1.5.1) as do many
    >others.

    #######################
    crucialADS is another tool. As I said before, check netstat -an and
    the registry.
    donnie
     
    donnie, Feb 25, 2005
    #14
