TECH SUPPORT Jan P Kajander www.bankcard.250free.com www.japan1.freewebspace.com +portals peter12345@linuxmail.org kajander12345@hotmail.com Matters found on this machine 1 of millions.. da patata planted to millions of users.. http://castlecops.com/startuplist-4369.html Inserted with windows versions delivered at shopchains bundled software without proper licence corrupted backdoor? eg like a t-junction at the piratized (privatized) telcos? http://www.cdt.org/privacy/govaccess/carnivore.gif and http://images.google.com.gr/imgres?imgurl=http://ice.citizenlab.org/blogimages/carnivore-2.png&imgrefurl=http://ice.citizenlab.org/%3Fp%3D72&h=528&w=591&sz=230&tbnid=69cOic22pTyO1M:&tbnh=117&tbnw=132&hl=el&start=14&prev=/images%3Fq%3Dcarnivore%2B%26svnum%3D10%26hl%3Del%26lr%3D%26sa%3DN and http://ice.citizenlab.org/ ______________________________________________________________________________________________ with Backdoor.DSNX is a Backdoor Trojan Horse that can give its creator access to your computer. Like many other Backdoor Trojans, Backdoor.DSNX is controlled by its creator using IRC channels. Also Known As: Backdoor.DSNX.05 Type: Trojan Horse Infection Length: 57,344 bytes Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me Systems Not Affected: Linux, Macintosh, OS/2, UNIX http://www.symantec.com/avcenter/venc/data/backdoor.dsnx.html Wild Number of infections: 50 - 999 Number of sites: 3 - 9 Geographical distribution: Medium Threat containment: Easy Removal: Easy Threat Metrics Wild: Low Damage: High Distribution: Low Damage Payload Trigger: Running the Trojan. Payload: Compromises security settings: Allows for unauthorized access to a computer. When Backdoor.DSNX is run on a computer for the first time, it does the following: Copies itself to %System% folder using various filenames. Some variants use a filename of the form Win????.exe, where the ???? are four random alphanumeric characters. Some use the name of a valid system .dll file, but with a .exe extension instead of a .dll extension. NOTE: %System% is a variable. The worm locates the \Windows\System folder (by default, this is C:\Windows\System or C:\Winnt\System32) and copies itself to that location. Adds the value: WinDSNX %System%\Win????.exe to the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run so that the Trojan runs each time you start Windows. Creates a copy of the original file that it dropped, and then deletes the original file without displaying any message. This is done to conceal the Trojan's actions. When Backdoor.DSNX runs, it logs onto certain IRC channels to inform its creator of the compromised system, allowing him/her to remotely manipulate your computer and perform actions, such as uploading and running files on it. Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices": Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates. If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied. Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites. Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised. Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files. Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media. Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched. To remove this Trojan, delete all the files detected as Backdoor.DSNX and remove the changes that it made to the registry. Removing the Trojan Run LiveUpdate to make sure that you have the most recent virus definitions. Start Norton AntiVirus and make sure that it is configured to scan all the files. For instructions, read the document, "How to configure Norton AntiVirus to scan all files." Run a full system scan. Delete all the files detected as Backdoor.DSNX. Editing the registry CAUTION: We strongly recommend that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the keys specified keys only. Read the document, "How to back up the Windows registry," for instructions. Click Start, and then click Run. (The Run dialog box appears.) Type regedit, and then click OK. (The Registry Editor opens.) Navigate to the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run In the right pane, delete the following value: WinDSNX %System%\Win????.exe Click Registry, and then click Exit. Additional information: Possible system changes If the Trojan was run and a hacker executed files on the computer, it may be difficult to determine exactly what was done, even after the Trojan was removed. If you are familiar with your operating system and with using system repair or system checking tools, we suggest that you fully check the system for any of these modifications and reverse them. Otherwise, consider re-installing the Windows. How the Trojan uses IRC The Trojan can contain an IRC client of its own that is activated when the Trojan is run. It logs onto a hard-coded IRC channel that the hacker monitors. This means that the hacker can chat with the Backdoor Trojan that is running on the infected computer. The Backdoor Trojan not only provides information about the infected computer, it also listens for commands from the hacker. For example: If a hacker chats the words "get password," then the Backdoor Trojan recognizes that as a command and reacts by searching the computer for stored passwords. The Trojan will report to the hacker by chatting the results. For an example of such commands, read the Backdoor.Kaitex writeup. Revision History: August 20, 2003: Included reference to Win????.exe filenames. May 20, 2002: Included the "Additional information" section. ____________________________________________________________________________________________________ USERS at 6/2 2006 using or hijaaking your connection ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | Hop | | IP Address | Node Name | Location | Tzone | ms | Graph | Network | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 0 | | 83.235.182.250 | pc-09 | * | | | | Multiprotocol Service Provider to other ISP's and End users | | 1 | | 62.103.3.239 | athe730e-l0.otenet.net | ?(Greece) | +02:00 | 287 | ---x----- | Multiprotocol Service Provider to other ISP's and End Users | | 2 | | 212.205.223.129 | vlan32.otenet.net | ?(Greece) | +02:00 | 274 | ---x----- | Multiprotocol Service Provider to other ISP's and End Users | | 3 | | 62.103.6.141 | athe7609b-athe6509k2.backbone.otenet.net | ?(Greece) | +02:00 | 261 | --x----- | Multiprotocol Service Provider to other ISP's and End Users | | 4 | | 62.103.6.55 | athe-GSRa-po1.otenet.net | ?(Greece) | +02:00 | 261 | --x----- | Multiprotocol Service Provider to other ISP's and End Users | | 5 | | 212.205.223.194 | maro7300-athe-GSRa.backbone.otenet.net | ?(Greece) | +02:00 | 241 | ---x---- | Multiprotocol Service Provider to other ISP's and End Users | | 6 | | 212.205.222.109 | maro-MSFC2-A2-vlan2.otenet.net | ?(Greece) | +02:00 | 241 | ---x---- | Multiprotocol Service Provider to other ISP's and End Users | | 7 | | 195.167.100.39 | www.ote.gr | ?(Greece) | +02:00 | 254 | ---x------ | Multiprotocol Service Provider to other ISP's and End Users | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Roundtrip time to www.ote.gr, average = 254ms, min = 74ms, max = 693ms -- Feb 6, 2006 4:27:24 AM ________________________________________________________________________________________________________________________ http://adslgr.com/forum/showthread.php?t=30121&page=2 ????? latency - Overload/???ß??µa se router t?? Tellas ? - ADSLgr.com 7 168 ms 166 ms 171 ms maro7300-athe-GSRa.backbone.otenet.net [212.205. 223.194] 8 173 ms 183 ms 179 ms maro-MSFC2-A1-vlan2.otenet.net [212.205.222.110] ... adslgr.com/forum/showthread.php?p=458711 - 70k - ?p????e?µ??? Se??da - ?a??µ??e? se??de? and http://64.233.179.104/search?q=cache:Mli7VmCxgQUJ:ftp.awmn.gr/forum/viewtopic.php%3Ft%3D13693%26postdays%3D0%26postorder%3Dasc%26start%3D60%26sid%3D100e4e4cd9e6bf845 dbf44e5888f7fa9+maro7300&hl=el&gl=gr&ct=clnk&cd=11 ________________________________________________________________________________________ Cookies placed AdRevolver - Evolution.Simplicity. Relevance. Multiplatform banner ad management available both as a stand-alone product and as hosted service solution. Provides detailed tracking and statistics and ... www.adrevolver.com/ - 12k - ?p????e?µ??? Se??da - ?a??µ??e? se??de? http://www.google.com.gr/search?hl=el&q=spyware+slashdot+adrevolver&meta= Online marketing solutions: performance-based affiliate programs ... BFAST technology enables advertisers to build, track, manage, ... From recruiting to compensating publishers, BFAST guides advertisers every step of the way ... https://www.cj.com/solutions/adv_bfast.jsp - 21k - ?p????e?µ??? Se??da - Euniverse.Incredifind Removal Euniverse.Incredifind Removal - This is a hijacker that redirects data Euniverse.com All hijackers are scum and need to be removed immediately! ... articles.networktechs.com/358-p1.php - 14k - ?p????e?µ??? Se??da - ?a??µ??e? se??de? doxdesk.com: database: KeenValue Description. KeenValue is adware operated by eUniverse.com. ... Included in software supplied by eUniverse sites, such as thunderdownloads.com, ... www.doxdesk.com/parasite/KeenValue.html - 9k - ?p????e?µ??? Se??da - ?a??µ??e? se??de? http://www.google.com.gr/search?hl=el&q=Euniverse&meta= HitBox Web Analytics by WebSideStory. WebSideStory is a leading provider of on-demand Digital Marketing services, including Web Analytics and Web Site Statistics. www.websidestory.com/ - 19k - ?p????e?µ??? Se??da - ?a??µ??e? se??de? HBX Web Analytics By ... - Active Marketing Suite - ... HBX Analytics - On-Demand Web ... - Log In ?e??ss?te?a ap?te??sµata ap? t? www.websidestory.com » Remove edge.ru4 cookie XoftSpy can remove edge.ru4 cookie, and thousands of other Data Miner ... Remove edge.ru4 cookie for Me. removal XoftSpy Detects & Removes this Item ... labs.paretologic.com/spyware. aspx?remove=edge.ru4%20cookie - 19k - ?p????e?µ??? Se??da - ?a??µ??e? se??de? Spyware Encyclopedia - Browse ROISpy.com, Tracking Cookie, 5/9/2003, ROISpy.com. Ru4.com, Tracking Cookie, 5/13/2003, Ru4.com. Rub, Tracking Cookie, 12/12/2003, Rub ... www3.ca.com/securityadvisor/pest/ browse.aspx?let=R&cat=Tracking%20Cookie - 34k - ?p????e?µ??? Se??da - ?a??µ??e? se??de? and http://www.google.com.gr/search?hl=el&q=2o7&meta= and Network Associates Inc. Program Name, Risk Assessment. Cookie-Atwola. Corporate User, :, N/A. Home User, :, N/A. Program Information. Discovery Date:, 02/23/2005. Origin:, Unknown ... vil.mcafeesecurity.com/vil/content/v_131992.htm - 33k - ?p????e?µ??? Se??da - ?a??µ??e? se??de? http://www.google.com.gr/search?hl=el&q=atwola&meta= this is where CNN gets it's ads from. we can use the hosts file to redirect any requests to ar.atwola.com to Unwelcomed cookies ATWOLA.COM. I have never dealt with the company so why do they ... All day long, this one unwelcomed cookie comes in, ATWOLA.COM. ... www.alegsa.com.ar/Visitas/ index10/Unwelcomed%20cookies.php - 12k - ?p????e?µ??? Se??da - ?a??µ??e? se??de? Remove Atwola - Adware & Spyware Removal Instructions Remove Cookie Atwola,Cookie removal instructions. ... Atwola is a cookie that is used to track user browsing history. Some compute users reported that their ... www.spyany.com/program/article_adw_rm_Atwola.html - 15k - ?p????e?µ??? Se??da - ?a??µ??e? se??de? and some tools http://www.alken.nl/tools.htm http://www.speedguide.net/downloads.php www.firewallguide.com http://www.speedguide.net/security.php and finally Microsoft Distributed Transaction Coordinator Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. and getting zillions of backdoor version s of windows out there doing what? Like backdoors in ATM taxoffice roundingfigures and controlling databases with multipla and variable accounts in banks and so onnnnnnnnnnnnnnnn. wonder why the dont answer on sweety questions???? remote dialers in ATM's?? Ip adress updating open to customers?? 7 digit accounts transfers? what? Wroung accounting in roundings and decimals tax-bank and local shops T-junctions all over the places??? Rental schemes for urlaub sector etc?? Having no money for electricity?? QUE? ala thats why we dont answer??? nada? and now? time for othe op systems??? http://www.google.com.gr/search?hl=el&q=%22operatingsystems%22&meta= and kickbox out this rotten behaviours?? http://www.nuker.com/container/details/ and the guy steals as usual now my linuxmail.org mails ala privee with help of http://www.google.com.gr/search?hl=el&q=outblaze+fraud&meta= And who wants to invest in above sick mess created? ala himself? da gonzo? Jan P Kajander www.bankcard.250free.com www.japan1.freewebspace.com peter12345@linuxmail.org kajander12345@hotmail.com for work...and contracts... |