Hacker!!!

General Network security, firewalls, port filtering/forwarding, wireless security, anti-spyware, as well as spam control and privacy discussions.
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

The file named csrss.exe is a Windows service, I believe.
I didn't have it before executing the file, but it showed up after execution. The same deal with those 2 reg keys. I played with the thing for over 4 1/2 hours and then reverted my drive to be sure I got rid of all of it. Like I said, Pest Patrol picked off the csrss.exe as Winspy. Now if we can find out exactly how to delete the whole thing, she'll be a happy camper.
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by blebs99
I didn't have it before executing the file, but it showed up after execution. The same deal with those 2 reg keys. I played with the thing for over 4 1/2 hours and then reverted my drive to be sure I got rid of all of it. Like I said, Pest Patrol picked off the csrss.exe as Winspy. Now if we can find out exactly how to delete the whole thing, she'll be a happy camper.
I have that file in my XP install. Its properties say MS made it. It is the 'client server runtime process'.
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Got a Windows 98SE machine up and running? See if you have it on that?
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by blebs99
Got a window 98se machine up and running? See if you have it on that?
I do, and checked already. It's not used in 98 but it's in NT, 2K and XP.

The trojan may have slipped its own version in, who knows. It acts as a server, so it has to be watched. WinSpy sounds appropriate.
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

http://support.microsoft.com/default.as ... bContent=1

Csrss.exe - You cannot end this process from Task Manager.
This is the user-mode portion of the Win32 subsystem (with Win32.sys being the kernel-mode portion). Csrss stands for client/server run-time subsystem and is an essential subsystem that must be running at all times. Csrss is responsible for console windows, creating and/or deleting threads, and some parts of the 16-bit virtual MS-DOS environment.
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Duh, I never asked what OS she's running. I went and deleted the "Get rid of" things and replaced it with "Get a Trojan cleaner".
Cameron203
Senior Member
Posts: 2307
Joined: Mon Nov 05, 2001 1:26 am
Location: Dirty South

Post by Cameron203 »

Here is my solution to the problem: open up the command prompt, type in netstat -n and see what ports are open. When you narrow down the suspect, post the IP and let's proceed to ping him to death, and have Norm infiltrate his A&&. I hate it when people do this crap. Just like someone said earlier, Yahoo is like a breeding ground for these rats, and they're right: don't run Yahoo Messenger, wooohooo! Talk about problems. The Java Chat Ver 2.0 is a lot safer through your web browser. I use IE6 and have never been booted. But then again they are probably just intimidated by all this massive hardware lol

But seriously you can check this list for the ports you have open to what ports they access.
http://www.simovits.com/sve/nyhetsarkiv ... r9902.html
Here also they actually have a free online port checker. You can download a port scanner and scan yourself. Then I would start scanning this criminal.
http://www.safersite.com/Support/About/ ... rojans.asp
knightmare
Posts: 6067
Joined: Tue Feb 19, 2002 10:53 am

yahoo thugs

Post by knightmare »

I once ran into a thug group that hangs out in the Yahoo chatroom called booterz room~, Yahoo ID c0ldfry3, homepage http://www.eliteprodigy.com. A bunch of 'em hang there. I have a friend named snakebyte that took 'em down. Delete Messenger, Tam'. They used to run J-scripts, strings and other methods to zap peeps. I would advise you just chat in here.
“A wise man can learn more from a foolish question than a fool can learn from a wise answer.”

Bruce Lee
teaaememy
Posts: 473
Joined: Sun Apr 13, 2003 6:57 pm
Location: Wheatland, California

Post by teaaememy »

OK, maybe I should have told you all this from the start lol. My best friend and I were talking via Yahoo Messenger. She mentioned a screen popping up for a split second, but it was too fast for her to catch what it said. She mentioned it looked like her fiancé's user name. She didn't seem too concerned with it really, both of them being ITs/radiomen in the Navy.
Later on she sent me a picture of him which was a rather large file, but this wasn't the first time I had received pictures from her in an unusual format. The next day I began getting the same popup on my computer. I told her I suspected it was him because I caught part of the user name. She then gave me his user name and when I finally did capture the screen I was right, it was him.
However, upon confrontation he denied it being him, told her he didn't know what was going on and even showed her his email where the information was supposedly being sent. Right now I am just hoping I can prove it's him so that she knows that he is lying to her. Maybe she doesn't care, but I don't like him in my computer.
Thank you all for your help.
P.S. I have Windows 98 second edition
"The way to be safe is never to be secure."
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

I had the email address posted for you to see but must have deleted it while Norm and I were trying to figure the thing out.

What you have is Winspy and you need to get a trojan cleaner to get rid of it. I'm 100% sure that he is spying on her and by her sending you the file, it infected your computer, so now he's spying on you too. I'm pretty sure it's the Golden Eye version of Winspy. You can read more about it here: http://www.monitoring-spy-software.com/

This particular friend doesn't seem to be too smart about files that may be malicious. May I suggest that you don't open anything from her until she learns more about security.

I played with the thing for 4 1/2 hours. It is a screen capture/keylogger trojan that believe it or not, is available for free on the web. I never did find full removal instructions which is why I recommend a trojan cleaner to do the job. Ghettoside posted this one which seems to be decent for a freebie online scan: http://www.trojanscan.com/
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Some outstanding information guys! Thanks Norm and blebs, and yes the rest, for putting your time and energy into this.

There's more to this I suspect but I'm sure Tam and her friend will figure it out in more details when the time is right.

BTW...I've actually learned something today. :D I love this place! lol
>>Cult Master of International Affairs<<
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

Yeah JCOS the one thing that bugs me is neither version of winspy mentions anything about emailing results. I wonder if the guy didn't do some modifications of his own to the program. There are those types out, but mainly they are detected as viruses and this thing doesn't let out one little peep. Very stealthy.

Honk as you go through Ohio and I'll try to wave at ya!
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Originally posted by blebs99
Yeah JCOS the one thing that bugs me is neither version of winspy mentions anything about emailing results. I wonder if the guy didn't do some modifications of his own to the program. There are those types out, but mainly they are detected as viruses and this thing doesn't let out one little peep. Very stealthy.

Honk as you go through Ohio and I'll try to wave at ya!
Stealthy, yes, after all he's been a Navy IT dude for a good many years now. Any chance of getting a trace route to Pearl Harbour? lol

He knows what he's doing.

BTW...I'm headed your way...ok north through Cleveland headed east to the Buffalo area. You will know when I pass for you will hear the sirens from all of the police cars as I get escorted through the state. :D
>>Cult Master of International Affairs<<
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Starting scan at 04:26:01:52...
Scan Memory
Memory not infected
Scan folder: 'C:\', recursive
Unable to scan C:\System Volume Information - Access is denied.
Scan folder: 'D:\', recursive
Scan folder: 'F:\', recursive
Unable to scan F:\ - The device is not ready.
Finished scan at 04:46:00:166
Total number of files is 61567, number of infected files is 0
Average files per second is 51, average file size is 3041834

Lappy is trojan free up until Norm gets on-line. :D
>>Cult Master of International Affairs<<
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by Joint Chiefs Of Staff
Lappy is trogan free up until Norm gets on-line. :D
It's a conspiracy I tell ya. Our wives are watching our every move. When I bootup, it connects to you, logs all key functions, and timed desktop pics. Then it sends to your wife, who forwards to mine lol :D

I hope you and your friend can use the info provided to get rid of this trojan and its files.
WhiteMountains
Member
Posts: 75
Joined: Sat Mar 08, 2003 10:56 am
Location: Maine

Post by WhiteMountains »

Any hacker worth his salt can ping your firewall and within seconds find out what firewall you're using, then find its weak points and break through the crust to the cream filling within minutes. NEVER trust just a firewall because they are EASILY breached!! And if you have Windows NT, just hand them the keys.
I suggest you go to Win Guide and learn how to manually adjust your registry.
get ure mojo risin
teaaememy
Posts: 473
Joined: Sun Apr 13, 2003 6:57 pm
Location: Wheatland, California

Post by teaaememy »

Thank you all for your help, it means a lot. After capturing the image I saw what file it was accessing. I deleted the keylog but realized it was being recreated with the same info it had when it started. So I deleted the folder as well. That seemed to stop it. Either that, or my friend confronting her fiancé, or maybe even Yahoo stopped him when I reported him. Since then it has not happened again. I have the free versions of PestPatrol, XCleaner, and Ad-aware. I used that trojan scan but it did not find anything. I uninstalled the Tiny firewall that JCOS sent me because it was a 30 day trial. I just upgraded to Norton Personal Firewall 2003, and am about to install Norton AntiVirus 2003. I had a few complications uninstalling McAfee from my startup but finally figured that one out. So hopefully I am set. I really have too much crap on this computer. I am still learning so I don't know what's really safe to remove. Even when you uninstall, it leaves crap on your computer.
One last question, if it didn't find the trojan might I still have it? Thanks
"The way to be safe is never to be secure."
WhiteMountains
Member
Posts: 75
Joined: Sat Mar 08, 2003 10:56 am
Location: Maine

Post by WhiteMountains »

and worse yet, I reported a virus to the FBI and they wanted my PC. YA sure I will!!
get ure mojo risin
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

If Pest Patrol didn't find it, it's most likely disabled. When I executed the file and then ran Pest Patrol, it found it right away.

If you're running Windows 98SE, what I found that totally disabled it was to go into Registry Editor and navigate to HKLM\Software\SSET and delete that folder, then go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run and delete the csrss.exe key within that folder. Then I deleted the entire APP folder that the key log txt was in, emptied the Recycle Bin and rebooted the computer. I may have left pieces of it on, but it was effectively disabled by doing what I did.

If you have problems let JCOS, Norm or I know and we'll try to fix you up.

BE SURE TO BACK UP YOUR REGISTRY BEFORE MAKING ANY CHANGES!!!!
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by teaaememy
One last question, if it didn't find the trojan might I still have it? Thanks
Unfortunately, yes. It is possible, but unlikely. Whatever it was seems to be a custom made program. It may not be in any anti-virus databases.

It also may have been eradicated, but with some of its files left on your drive, dormant. Nothing to worry about if a few files were left behind; as long as the trojan isn't running, you're safe.

Since you use 98SE you could drop to DOS mode and use scanreg to replace the registry with an earlier one. 98 saves 5 of them for you. It saves on the first boot of every day. Don't wait too long to do this, or there won't be a registry old enough to be clean of this trojan.

Restart in Dos mode, and type:
scanreg /restore
Then hit [enter]
In the window that appears, (use the arrow keys) to pick a file dated before this trojan was installed.
That should give you back a clean registry, and the trojan won't even try to load at startup.
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Originally posted by Norm
It's a conspiracy I tell ya. Our wives are watching our every move. When I bootup, it connects to you, logs all key functions, and timed desktop pics. Then it sends to your wife, who forwards to mine lol :D

I hope you, and your friend can use the info provided to get rid of this trojan and it's files.
It figures how Jen found those naked pictures of you on drive e: :D
>>Cult Master of International Affairs<<
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

For all that are interested...

I installed that trojan on my own system. I had a spare drive and a spare image for Win98, so I put it on and removed all my other drives for safety. I used regshot (before and after) the install, and had it create a web page of the comparison.

It shows all keys added or modified in the registry. Plus it shows all files created by this trojan.

Keep in mind some of the reg keys shown are not done by the trojan. Since the registry is dynamic, it changes constantly as we work, so there are a few keys that were changed due to what I was up to at the time. (I released and renewed my IP a couple of times before the install, as I needed the net to search.) Those key changes are not the trojan's doing. I didn't want it calling out, so I released my IP before installing it again.

Also, keep in mind that the user.dat and system.dat files on Win98 are the registry, so don't go deleting them.

It's safe to delete:
c:\windows\dll folder (main storage for the trojan's files)
c:\Program Files\App (stores the logged keystrokes of the user)
C:\WINDOWS\csrss.exe (The two main files started at boot, but hidden)
C:\WINDOWS\sm.exe

Here's a link to the page of all the changes made by the trojan.
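Norm's before/after snapshot comparison and blebs's earlier removal notes (the SSET key, the csrss.exe Run entry, the App folder) as an added Python example; this is not code from the thread or from regshot. It diffs two constructed snapshots, drops the IP release/renew noise Norm mentions, and flags the autostart entry and the brand-new vendor key. The noise list, the value data and the file names inside the folders are assumptions.

```python
import ntpath

# Constructed sample snapshots (not real regshot output); value data are placeholders.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SOFTWARE_KEY = r"HKLM\Software"
# Keys that legitimately churn between snapshots (assumed noise list): the thread
# notes that releasing/renewing the IP changed keys the trojan did not touch.
NOISE_PREFIXES = (r"HKLM\System\CurrentControlSet\Services\VxD\DHCP",)
# Core NT process names are never launched from Run; a Run entry borrowing one is the csrss.exe masquerade.
SYSTEM_PROCESS_NAMES = {"csrss.exe"}

BEFORE_REG = {
    RUN_KEY + r"\ScanRegistry": r"C:\WINDOWS\scanregw.exe /autorun",
    r"HKLM\System\CurrentControlSet\Services\VxD\DHCP\DhcpInfo00\DhcpIPAddress": "192.168.1.10",
}
AFTER_REG = dict(BEFORE_REG)
AFTER_REG.update({
    r"HKLM\System\CurrentControlSet\Services\VxD\DHCP\DhcpInfo00\DhcpIPAddress": "192.168.1.11",
    r"HKLM\Software\SSET\Config": "<constructed placeholder>",
    RUN_KEY + r"\csrss.exe": r"C:\WINDOWS\csrss.exe",
})
BEFORE_FILES = {r"C:\WINDOWS\EXPLORER.EXE", r"C:\WINDOWS\USER.DAT", r"C:\WINDOWS\SYSTEM.DAT"}
AFTER_FILES = BEFORE_FILES | {
    r"C:\WINDOWS\csrss.exe", r"C:\WINDOWS\sm.exe",
    r"C:\WINDOWS\dll\placeholder.dll", r"C:\Program Files\App\log.txt",
}

def is_noise(key):
    return key.lower().startswith(tuple(p.lower() for p in NOISE_PREFIXES))

def diff_snapshots(before_reg, after_reg, before_files, after_files):
    """Return added/modified registry values and added files, minus known noise."""
    added = {k: v for k, v in after_reg.items() if k not in before_reg and not is_noise(k)}
    modified = {k: (before_reg[k], v) for k, v in after_reg.items()
                if k in before_reg and before_reg[k] != v and not is_noise(k)}
    return {"added_reg": added, "modified_reg": modified,
            "added_files": sorted(after_files - before_files)}

def flag_suspicious(diff, before_reg):
    """Heuristics over the diff: autostart entries and brand-new vendor keys."""
    findings, new_files = [], {f.lower() for f in diff["added_files"]}
    sw = SOFTWARE_KEY.lower() + "\\"
    old_vendors = {k[len(sw):].split("\\")[0].lower() for k in before_reg if k.lower().startswith(sw)}
    for key, data in diff["added_reg"].items():
        if key.lower().startswith(RUN_KEY.lower() + "\\"):
            exe = data.strip('"')  # sample Run data is a bare path without arguments
            if ntpath.basename(exe).lower() in SYSTEM_PROCESS_NAMES:
                findings.append(f"Run entry named after a system process: {key}")
            if exe.lower() in new_files:
                findings.append(f"Run entry points at a file the install created: {exe}")
        elif key.lower().startswith(sw) and key[len(sw):].split("\\")[0].lower() not in old_vendors:
            findings.append(f"New vendor key under {SOFTWARE_KEY}: {key}")
    return findings
```

Feeding real regshot text output into the two dicts and sets is left to the reader; the heuristics only look at what changed, which is why the noise list matters.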
blebs
Posts: 12819
Joined: Sat Dec 02, 2000 12:00 am
Location: North Canton, Ohio

Post by blebs »

I didn't catch that many. Only enough to render it harmless, but I'd have left a lot of files behind.

I like that program you use. Is that the link at the bottom? 'Cause if it is, I get an invalid page. :(
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Originally posted by Norm
For all that are interested...

I installed that trojan on my own system. I had a spare drive and a spare image for Win98, so I put it on and removed all my other drives for safety. I used regshot (before and after) the install, and had it create a web page of the comparison.

It shows all keys added or modified in the registry. Plus it shows all files created by this trojan.

Keep in mind some of the reg keys shown are not done by the trojan. Since the registry is dynamic, it changes constantly as we work, so there are a few keys that were changed due to what I was up to at the time. (I released and renewed my IP a couple of times before the install, as I needed the net to search.) Those key changes are not the trojan's doing. I didn't want it calling out, so I released my IP before installing it again.

Also, keep in mind that the user.dat and system.dat files on Win98 are the registry, so don't go deleting them.

It's safe to delete:
c:\windows\dll folder (main storage for the trojan's files)
c:\Program Files\App (stores the logged keystrokes of the user)
C:\WINDOWS\csrss.exe (The two main files started at boot, but hidden)
C:\WINDOWS\sm.exe

Here's a link to the page of all the changes made by the trojan.
Norm, you're the cat's meow! Here's a treat! lol

Good work man. Now to get the sob would be like adding sugar to some bitter coffee, eh?

Thank you and I'll forward this to Tammy. :)
>>Cult Master of International Affairs<<
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Originally posted by blebs99
I didn't catch that many. Only enough to render it harmless, but I'd have left alot of files behind.

I like that program you use. Is that the link at the bottom cause if it is, I get an invalid page. :(
Ross, I emailed you a copy of the page created by regshot. Regshot is a nice app for taking snapshots of the registry before and after an install to compare and see changes made. It will give output as plain text or HTML. Regshot download: http://www.webattack.com/get/regshot.shtml


JCOS, it is still not clear whether or not 'this guy' wrote the trojan, or if he himself was infected and is spreading it. I'm leaning towards him writing it, but have no proof.

One thing I wonder about is why the trojan was designed to pop up a picture of the emailer for a second, unstealthed. If it was designed not to pop up the emailer, it would probably have gone unnoticed.
Joint Chiefs of Staff
Posts: 42832
Joined: Mon Mar 26, 2001 12:00 am
Location: The Sandbox

Post by Joint Chiefs of Staff »

Originally posted by Norm

One thing I wonder about is why the trojan was designed to pop up a picture of the emailer for a second, unstealthed. If it was designed not to pop up the emailer, it would probably have gone unnoticed.
My guess is that nobody is perfect. ;)
>>Cult Master of International Affairs<<