
Argument - moved from "Hijacked"


8 replies to this topic

#1 CEOn10ec (Member, Full Member, 8 posts)

Posted 16 July 2004 - 09:17 PM

Note - this discussion was disrupting http://forums.spywar...topic=15595&hl= so I have moved these posts to here. cnm

Hello, newyork
I'm not sure what criteria this forum requires in order
to be considered a "qualified" expert. I'm a newbie to
this post but definitely not a newbie in the world of
spyware, in particular CWS and Backdoor trojans.
I am in the process of developing a tool that I hope
will help in the fight against CWS and other known
culprits. I will not promote my product here. But,
I can give you what I consider to be an expert opinion in
that field!
I agree that you do show signs of a Backdoor variant. Your system may
even show clean results in a virus scan; however, a tool is
needed to go back and "pick up the trash" that is left behind
(DLL files etc.) [Hopefully, I will help in that task for future references.]
MyDoom viruses run a backdoor component, which is dropped as the file SHIMGAPI.DLL. (This trojan component opens TCP ports 3127 thru 3198 to allow remote users to access and manipulate infected systems. The backdoor routine has the ability to download and execute arbitrary files.)
CTFMON.DLL is another known culprit in the W32 trash pile. And, yes, the previous
post was correct in suggesting the McAfee Stinger tool. These should be deleted!
I didn't see taskmon.exe in your log file, but if you find it ...it's trash!

Ctfmon.exe is a process that can either cause a bunch of headaches or not affect you! If it keeps appearing at start-up, disable it as the previous post said to do!
I would recommend following the advice you have gotten thus far! (Scanning in safe mode, etc.) If the aforementioned steps don't work for you, you may have an unknown variant.
Also, follow HJT's lead and remove the NO Name browser helper.
Hope this helps, newyork!

Edited by cnm, 17 July 2004 - 10:56 PM.
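The post above describes two host-level indicators of the MyDoom backdoor: a TCP listener somewhere in ports 3127-3198, and the dropped file SHIMGAPI.DLL (plus the CTFMON.DLL and taskmon.exe leftovers it names). The following is an added triage script, not code from the original post or from any tool mentioned in it. It parses `netstat -ano`-style output and a per-process module list, then correlates the two. The netstat lines, PIDs and module paths are constructed sample data, not a real capture.

```python
"""Triage helper for the MyDoom indicators named in the post above.

Added example with constructed input. Feed it the text of `netstat -ano`
and a {pid: [module paths]} mapping gathered from the machine under review.
"""
import re

# The post attributes TCP 3127 through 3198 (inclusive) to the backdoor component.
BACKDOOR_PORTS = range(3127, 3199)

# File names the post lists as MyDoom leftovers. Note ctfmon.exe (the legitimate
# Windows process the post also discusses) is deliberately NOT in this set.
SUSPECT_FILES = {"shimgapi.dll", "ctfmon.dll", "taskmon.exe"}

# Constructed sample of `netstat -ano` output on Windows XP (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING       1712
  TCP    192.168.1.5:1045       64.4.13.183:1863       ESTABLISHED     1920
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed module list per PID (what a process-explorer style dump would give).
SAMPLE_MODULES = {
    1712: [r"C:\WINDOWS\system32\shimgapi.dll", r"C:\WINDOWS\system32\kernel32.dll"],
    884: [r"C:\WINDOWS\system32\rpcss.dll"],
    1920: [r"C:\Program Files\Messenger\msmsgs.exe"],
}


def parse_netstat(text):
    """Return one dict per TCP/UDP row: proto, addr, port, state, pid.

    UDP rows have no State column, so the PID is the fourth field there.
    Addresses are split on the last ':' so IPv6 forms like [::]:135 also work.
    """
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we do not understand
        proto, local = parts[0], parts[1]
        addr, _, port = local.rpartition(":")
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])
        entries.append({"proto": proto, "addr": addr, "port": int(port),
                        "state": state, "pid": pid})
    return entries


def backdoor_listeners(entries):
    """TCP sockets in LISTENING state on a port inside the backdoor range."""
    return [e for e in entries
            if e["proto"] == "TCP" and e["state"] == "LISTENING"
            and e["port"] in BACKDOOR_PORTS]


def suspect_modules(modules_by_pid):
    """(pid, path) pairs whose file name matches one of the named leftovers."""
    hits = []
    for pid, paths in modules_by_pid.items():
        for path in paths:
            name = re.split(r"[\\/]", path)[-1].lower()
            if name in SUSPECT_FILES:
                hits.append((pid, path))
    return hits


def correlate(entries, modules_by_pid):
    """PIDs that both listen on a backdoor port and load a suspect file.

    A hit on both indicators is a much stronger signal than either alone;
    a lone listener in that range may be an unrelated service.
    """
    listening = {e["pid"] for e in backdoor_listeners(entries)}
    loading = {pid for pid, _ in suspect_modules(modules_by_pid)}
    return sorted(listening & loading)


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for e in backdoor_listeners(rows):
        print(f"listener on backdoor port {e['port']} (pid {e['pid']})")
    for pid, path in suspect_modules(SAMPLE_MODULES):
        print(f"suspect file loaded by pid {pid}: {path}")
    print("pids matching both indicators:", correlate(rows, SAMPLE_MODULES))
```

Run it against a saved `netstat -ano` dump and a module listing from the suspect machine; on the constructed sample, PID 1712 is the only process matching both indicators, which is the kind of result that justifies running the cleanup tools the post recommends rather than deleting files on a name match alone.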


#2 CEOn10ec (Member, Full Member, 8 posts)

Posted 17 July 2004 - 04:32 AM

All right, NewYork, let me see if I got this:
1.) You scanned with all the recommended tools
{Norton, Spybot, Adaware, HJT, CWShredder, Stinger,
Panda, Housecall} all updated and results are clean?
2.) You used Norton and Adaware in safe mode...clean?
3.) You don't have CTFMON.DLL or SHIMGAPI.DLL?
4.) Notepad is o.k.
5.) No weird popups or error messages bombarding you? (except monwow)
6.) No computer freezes or slow OS problems?
7.) No more About Blank?
Well, if all this is correct, and you've followed the advice
here, then I'd say, your system is fine.
Don't be paranoid!

Now, about your services and task manager woes:
You have nothing to worry about with the wowexec.exe (which
is started by NTVDM when you run a 16-bit program (a DOS program, a Windows 3.1 program, etc.)). Do this to end the process, so it won't waste memory:
Right Click on the system tray to open task manager/Find wowexec.exe, right click it,
and end the process/Yes to confirm.
Msmsgs.exe --again, no threat. Its reappearing like that, believe it or not,
is normal, but annoying. Did you go into the Tools/Options/Preferences menu option in Messenger and uncheck "Run when Windows starts"? Is it running on startup in
msconfig? If so, unclick it. There is a tweak you can use in the registry to remove it from startup. Monwow--Norton products can be somewhat "finicky" and there are known conflicts with them in the presence of some other software, like a firewall. Or, maybe it has been damaged by spyware. You may have to remove it and reinstall. Contact Symantec. http://www.symantec.com/techsupp

I'll give you some links to help you learn about the services, and
processes, so that if you happen to find another strange process, you can look it up and figure out what it does and if you need it. (Or if it's Spyware or Virus material!):-o
I disabled about 20 so-called "necessary" services when I installed XP and my
computer runs better than ever. BUT, the key is KNOWING which services and
processes are necessary and what other programs on your system depend on them.
You can't just go on a deleting spree, or you'll really be in a mess. BE CAREFUL!!!!!!
So, here are some useful research links to help you with services, task manager, registry, etc. (And, I know you may get some people that don't like these sites or whatever.
Big deal. Not everybody agrees. Yadda, yadda... It's my opinion---works for me! Hope it helps you too. Take care, NewYork!)
:p (CEO in Tennessee)
http://www.theelderg...vices_guide.htm

This one has registry startup info. too
http://camica.netfir...om/services.htm

http://www.blkviper..../servicecfg.htm

Here's the Messenger Removal Link (Also on the eldergeek site.)
http://support.micro...n.asp?kb=302089

Before any registry edits are made, read here:
http://support.micro.....BEN-US;256986

And, I noticed the link to http://www.answersthatwork.com in the post above, clicked on it and found it to be very helpful; Check out the Ultimate Troubleshooting
Tool.

Edited by CEOn10ec, 17 July 2004 - 05:59 AM.


#3 terryb (Member, Full Member, 51 posts)

Posted 17 July 2004 - 07:03 PM

(Post this wherever deemed appropriate)

Dear Budfred and Jedi,

As you can see, my "Official Title" is not "Helper",
it is simply "Member", which means that

I am NOT affiliated with the "staff" of this forum, so my
advice should be taken on an AT Your Own Risk basis.

I would like to point out that in the link provided by Budfred,
http://forums.spywar...?showtopic=9270

Cnm states that ALL "Member" advice should be taken skeptically.

As far as the information that I have offered to those in this forum,
you are welcome to research it yourself and see that I gave no
information that could damage an operating system. And, you know,
as a "Malware Hound" that when any operating system has more than one problem affecting it, problems should be dealt with
one at a time, analyzing each result (which is what I did) rather than trying to fix everything at once.

Unlike CEON10EC, I do not claim to be an expert, nor do I view anyone
here as an expert. I have worked for Dell for several years as a support technician and have found that sometimes the best fix comes
from trial and error, as each person's system has unique features.
I based my information on what I have given to countless others experiencing the same problems.
Over the last few weeks, I'm sure you've noticed a rise in the infections
of the CWS persuasion. I have dealt with over 800 calls of Dell customers having had their notepad destroyed by malware and then trying to repair it themselves.
I get on forums such as these to research for myself and provide information for those I help in my work.

As for your generous offer to help train me----no thank you. I've only had 17 years of experience, and just going to work is a training experience for me.
But, I will offer you some free advice. The messenger features that
you proposed "fixing" in your post to newyork are as CEO said,
perfectly normal. I recommend that you research this topic on the
microsoft support site before you go trying to fix it; or I suppose,
"if it ain't broke, you can fix it till it is."
I will not post any further advice in this forum and make a request that, if possible, all my forum threads be removed, as I certainly wouldn't want to plague the forum's future visitors with "unqualified advice."

Sincerely, TerryB

Edited by terryb, 17 July 2004 - 07:08 PM.


#4 Budfred (Malware Hound, Administrators, 21,305 posts)

Posted 17 July 2004 - 07:44 PM

terryb,

It appears that you took the feedback personally and I am sorry you chose to do that... We ask all helpers here to get trained so that we and the users who post here can feel confident that they do know what they are doing... If you are working on this type of material on a daily basis, I would think that you would see the value in having the full resources of the malware fighting community at your disposal, but it appears that you do not...

As for fixing the Messenger problem... Just because it is normal does not mean that it does not need to be fixed... In my role as a Helper it is appropriate to help the user with whatever he/she perceives to be problem... That you do not choose to take that approach is your option...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#5 CEOn10ec (Member, Full Member, 8 posts)

Posted 17 July 2004 - 09:12 PM

Butfred,

Did you even bother researching or verifying my post information,
before you automatically deemed it inappropriate?
Isn't that what you're supposed to do?

What's the deal, as Malware Hound, do you just go sniffing around
to find a post by a NON Qualified member, so you can be the first
to officially tell them they need to attend the prestigious Boot Camp,
before their advice is worthy of consideration?

With, all due respect, your comment,
"Just because it is normal does not mean that it does not need to be fixed... " is sub-par, and at the very least, absurd.

The product is not defective. Its settings can be changed, but there is no problem with its internal functioning mechanisms just because it
is programmed to come on at startup. If you read the post, newyork was worried that spyware was operating from it. {He didn't have the problem he thought he had.}

Once again, did you research the microsoft Messenger link provided or another info. forum?
So, do you offer advice to the tune of terry's quote, "if it ain't broke, fix it till it is."?

And, if you really support " the value in having the full resources of the malware fighting community at your disposal..." then you would realize
that the full fighting resource community includes members like myself
that have experienced the problems in these posts first-hand and have
resolved them. Didn't they teach you that in Boot Camp?

As, I said, research my information and advice if you choose. If it's faulty, call it faulty. If it's not, leave it alone.

*****Now why don't we get off the personal offenses and debates and let newyork resolve his issues?

(It is my opinion that he could take whatever helpful information he finds from a variety of posts, though I realize some people, trying to be helpful, can really screw a person up, here.)
By the way, how many hours a day, do you guys have to train in boot camp?
:mellow: Mellow out.........

Edited by CEOn10ec, 17 July 2004 - 09:16 PM.


#6 Budfred (Malware Hound, Administrators, 21,305 posts)

Posted 17 July 2004 - 09:54 PM

CEOn10ec,

You obviously are misinterpreting what I am saying and seem to have an agenda... I gave you information about the Boot Camp and if you don't choose to take advantage of that opportunity, then at least respect the fact that this forum asks people to verify that they have skills prior to posting... It appears that you and terryb feel a need to resort to personal attacks and sarcasm when you think your unverified credibility is being questioned... If that is your choice, I am happy to let it go...
Budfred


#7 cnm (Mother Lion of SWI, Administrators, 25,317 posts)

Posted 17 July 2004 - 10:23 PM

Did you even bother researching or verifying my post information,
before you automatically deemed it inappropriate?

We control the help given here. Net-Integration and Computer Cops do the same thing; like us, they limit helpers to special credentialed groups. We would be delighted to have more trained helpers - all are welcome in the Boot Camp.

If you don't want to go along with the way this forum is run, then I suggest posting somewhere that you find more congenial. There are lots of antispyware forums.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#8 CEOn10ec (Member, Full Member, 8 posts)

Posted 17 July 2004 - 11:33 PM

These are your words, as I have read the forum, too.

"We try to catch and fix anything dangerous, misleading, or inadequate, but can't always get there in time."

And, for you to have moved my first two posts in this topic that
were NOT part of the argument, I assume you either found something
"dangerous, misleading, or inadequate" or you have a personal issue with me.
Since there is nothing "dangerous, misleading, or inadequate" in my post, then I have the tendency to believe the latter.

If that's the case, you have moved information that newyork could use
to resolve his issue. That is not good forum policy, but then again,
I should have expected it in the type of forum that considers expertise
to be logging on to a rinky dink bootcamp or subscribing to a
spyware newsletter.

Since you have the power to delete, censor, and move posts, while you're at it remove my membership as well as all the posts and comments that I have submitted.
But, you may want to keep this little one as a remembrance of me.

Hear me roar?

P.S. What kind of expertise do you have besides being the mother cat?
Don't bother to reply.
:mellow:

#9 cnm (Mother Lion of SWI, Administrators, 25,317 posts)

Posted 23 July 2004 - 11:47 AM

Hehe. Very forceful expression of opinion.
:wave:





