Mischel Internet Security Forum > Malware > Trojans
Topic: Trojan (Read 1327 times)
Malice (Newbie, Posts: 7)
Trojan « on: Mar 4th, 2007, 2:05pm »

Is there any support for Difisim.exe, which is listed as an inactive trojan by PC Pitstop's Exterminate? It keeps showing up and is deleted by Exterminate but not detected by Trojan Hunter 4.6.

siliconman01 (Global Moderator, Posts: 5604)
Re: Trojan « Reply #1 on: Mar 4th, 2007, 5:49pm »

Welcome to the forum Malice.

Would you please submit the file to Mischel Internet Security for analysis? The link below explains how to submit such a file. Gavin will create a new ruleset to detect the file once he has the file to analyze.

http://www.misec.net/forum/board/FAQ/1139308293

You may have to make all your files and folders visible in order to find it. The link below explains how to do this.

http://www.misec.net/forum/board/FAQ/1139610900

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!

Malice (Newbie, Posts: 7)
Re: Trojan « Reply #2 on: Mar 4th, 2007, 6:46pm »

Thanks for the welcome, seems like a nice forum.

PC Pitstop Exterminate did not give me much info on it but did say that it was inactive. There was a link for more information which you may find helpful:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453102058


siliconman01 (Global Moderator, Posts: 5604)
Re: Trojan « Reply #3 on: Mar 5th, 2007, 12:10am »

If you do a SEARCH on your system, do you find either of the two files below?  If so, please submit them for analysis.
 
mdms.exe
rsvp32_2.dll
 
Did PC Pitstop place the files that it found on your system into its Quarantine bucket?  If so, see if you can find that specific quarantined file and submit it also.  
« Last Edit: Mar 5th, 2007, 3:11am by siliconman01 »

Malice (Newbie, Posts: 7)
Re: Trojan « Reply #4 on: Mar 5th, 2007, 5:46am »

I did a search including system and hidden files with no results. I then checked the log file for Exterminate and found an entry for this problem.
 
-- Begin Scan Phase at 23:17:15 --
-- Begin Memory Scan --
-- Begin Common-locations Scan --
-- Begin Registry Scan --
 > Detected Difisim
-- Begin Cookie Scan --
Scanned 37,547 items, and detected 2 items associated with 1 threats

-- Begin Removal at 23:17:51 --
>> Removing Difisim
 > Simple: Key "hkey_local_machine \software\microsoft\windows\currentversion\shell extensions\approved" value "{5e2121ee-0300-11d4-8d3b-444553540000}"
 > Simple: Key "hkey_classes_root \clsid\{5e2121ee-0300-11d4-8d3b-444553540000}\inprocserver32" value "threadingmodel" data "apartment"

-- Reboot is not required --

-- Removal is complete at 23:17:51 --

-- Final Report --

Active Threats
==> None found!

Inactive Threats
Difisim
     2 related item(s) detected, 2 removed

Tracking Cookies
==> None found!

Finished: Fri Feb 02 23:17:56 2007
====== EXIT ======
 
Hope this helps.

siliconman01 (Global Moderator, Posts: 5604)
Re: Trojan « Reply #5 on: Mar 5th, 2007, 6:33am »

Hey thanks!

I've emailed Gavin asking him to check this forum thread to see what he can do for TrojanHunter's rulesets.

Thanks for your efforts.

Malice (Newbie, Posts: 7)
Re: Trojan « Reply #6 on: Mar 5th, 2007, 7:56am »

This morning I had to reboot and thought I would check for Trojans and ran your program and nothing showed up. I then ran Exterminate and Difisim.exe was there again. Here is the log:
====== PC Pitstop Exterminate 1.0.0.31 ======
Started: Mon Mar 05 08:49:45 2007
Windows 5.1.2600 Service Pack 2; 2048MB RAM
Engine : 5.6.9.3
DATs : 2007.3.2.16

-- Begin Update Phase --
 > Initializing
 > Checking for updates
 > There are no updates available - Exterminate is up to date.

-- Begin Scan Phase at 08:49:51 --
-- Begin Memory Scan --
-- Begin Common-locations Scan --
-- Begin Registry Scan --
 > Detected Difisim
-- Begin Cookie Scan --
Scanned 38,549 items, and detected 1 items associated with 1 threats

-- Begin Removal at 08:50:18 --
>> Removing Difisim
 > Simple: Key "hkey_local_machine \software\microsoft\windows\currentversion\shell extensions\approved" value "{5e2121ee-0300-11d4-8d3b-444553540000}"

-- Reboot is not required --

-- Removal is complete at 08:50:18 --

-- Final Report --

Active Threats
==> None found!

Inactive Threats
Difisim
     1 related item(s) detected, 1 removed

Tracking Cookies
==> None found!

Finished: Mon Mar 05 08:50:35 2007
====== EXIT ======
 

siliconman01 (Global Moderator, Posts: 5604)
Re: Trojan « Reply #7 on: Mar 5th, 2007, 11:52am »

Do you have an ATI video card on your system?  This "may be" a false positive by Pitstop.
 
Take a look at this forum post  
 
http://www.wilderssecurity.com/archive/index.php/t-98909.html

Malice (Newbie, Posts: 7)
Re: Trojan « Reply #8 on: Mar 5th, 2007, 12:39pm »

I may have to clarify. PC Pitstop sells a lot of software, two of which are Spyware Dr and PC Exterminate.
Spyware Dr runs with no problems, and yes, I do have a registered copy and use an ATI video card.
PC Exterminate is the program that detects Difisim.exe and removes it. No other software on my computer finds this little bugger.
I have rebooted several times today and it has not reappeared since it was removed this morning. My concern is that it comes back sometimes when I do reboot. So the first thing I do before doing anything on my PC is to run PC Exterminate to check for Difisim.exe. It may be a false positive, but I would like the peace of mind of knowing that.
I even paid Symantec for assistance on this by way of remote access. They removed some entries they said were bad and said my system was cleaned. The next day the trojan showed up again after rebooting. Again Symantec said they fixed the problem, but it returned this morning. I think I wasted my money on Symantec.
If it reappears I can run HijackThis and send you the log file if there is a way to upload attachments.

siliconman01 (Global Moderator, Posts: 5604)
Re: Trojan « Reply #9 on: Mar 5th, 2007, 1:29pm »

I recommend that you run a REMOTE SCAN with both BitDefender and Kaspersky. If those two do not find anything malicious on your machine, I continue to think it is probably a false positive...particularly if you have an ATI video card. The link below leads you to both BitDefender and Kaspersky.

http://www.misec.net/forum/board/FAQ/1141894786

The fact that Exterminator is finding only a registry key and no DLLs or executables to remove at the same time looks weird to me.

« Last Edit: Mar 6th, 2007, 8:02am by siliconman01 »

Malice (Newbie, Posts: 7)
Re: Trojan « Reply #10 on: Mar 6th, 2007, 9:51am »

siliconman01
I'm so glad I started this thread. With your help I have determined that Norton is not doing its job.
I have done a scan with Kaspersky and BitDefender as you suggested and found 13 viruses on my PC and 16 on my wife's. I also found out that email that had been deleted without opening (spam) infected my systems anyway. Web pages were infecting me without my knowledge. Norton Antivirus and Personal Firewall have severely let me down. After using these scanners I ran Exterminate again and it found nasties. Here is the log:
 
 > Initializing
 > Checking for updates
 > There are no updates available - Exterminate is up to date.

-- Begin Scan Phase at 10:44:26 --
-- Begin Memory Scan --
-- Begin Common-locations Scan --
-- Begin Registry Scan --
 > Detected Difisim
-- Begin Cookie Scan --
 > Detected About.com
 > Detected Tacoda cookie
Scanned 38,416 items, and detected 3 items associated with 3 threats

-- Begin Removal at 10:45:08 --
>> Removing Difisim
 > Simple: Key "hkey_local_machine \software\microsoft\windows\currentversion\shell extensions\approved" value "{5e2121ee-0300-11d4-8d3b-444553540000}"
>> Removing About.com
 > Simple: Cookie "robert_bannister@about[2].txt" File "C:\Documents and Settings\Robert Bannister\Cookies\robert_bannister@about[2].txt"
>> Removing Tacoda cookie
 > Simple: Cookie "robert_bannister@tacoda[1].txt" File "C:\Documents and Settings\Robert Bannister\Cookies\robert_bannister@tacoda[1].txt"

-- Reboot is not required --

-- Removal is complete at 10:45:16 --

-- Final Report --

Active Threats
==> None found!

Inactive Threats
Difisim
     1 related item(s) detected, 1 removed

Tracking Cookies
About.com
     1 related item(s) detected, 1 removed

Tacoda cookie
     1 related item(s) detected, 1 removed
 
 
 
I will add About.com and Tacoda.com to my restricted sites list.
Which antivirus program do you recommend?  
Again Thanks.

siliconman01 (Global Moderator, Posts: 5604)
Re: Trojan « Reply #11 on: Mar 6th, 2007, 4:01pm »

Quote:
I have done a scan with Kaspersky and BitDefender as you suggested and found 13 viruses on my PC and 16 on my wife's. I also found out that email that had been deleted without opening (spam) infected my systems anyway. Web pages were infecting me without my knowledge. Norton Antivirus and Personal Firewall have severely let me down.

Wow! That's quite a major raft of malicious critters. What version of Norton are you running?

It's interesting that Kaspersky and BitDefender did not do anything about ">> Removing Difisim
 > Simple: Key "hkey_local_machine \software\microsoft\windows\currentversion\shell extensions\approved" value "{5e2121ee-0300-11d4-8d3b-444553540000}"". I continue to think this registry entry may be a false positive. It's showing up in a section of the registry that is not noted as a malicious address for "{5e2121ee-0300-11d4-8d3b-444553540000}".

As far as the tracking cookies that Exterminator found, you should be sure to turn off accepting third-party cookies. I assume that you are using IE6 or IE7. To turn off third-party cookies:
 
-  Open IE and select TOOLS>INTERNET OPTIONS>Privacy tab.
-  When the Privacy tab opens, click on Advanced.
-  Bullet "Block" under Third-party cookies.
-  Click on OK and OK to close out.
 
Quote:
Which antivirus program do you recommend?  

 
Kaspersky, NOD32, BitDefender are all good anti-malware detectors/removers.  You should trial them before buying if you decide to switch from Norton.  
 
To be honest, I use Norton Internet Security 2007 and have used NIS for years with no problems.  I have all the protection options set to the highest levels and have not been infected by anything for well over 3 years.  And I do randomly run a remote scan by BitDefender and Kaspersky as a cross check...every month or so.  They have not found anything on my system.  
 
But I also have a hardware firewall/NAT router as my first line of defense for my cable modem setup.  In addition, I use TrojanHunter, SuperAntiSpyware, AVG Anti-Spyware, SpywareBlaster, MVPS HOSTS file, and System Safety Monitor.  And I'm a pretty cautious surfer with IE settings tightly secured.  So NIS 2007 is not the only security element that I rely on.  
 
At any rate, the three anti-malware programs stated above are all top notch and I would not hesitate to test/use them if I were you.
 
As for the personal firewall, I haven't kept up to date on what others are recommending for this. ZoneAlarm is the most frequently used. You would be best served to do some investigative browsing at www.dslreports.com (security section of the forum) and www.wilderssecurity.com concerning personal firewalls.
 
Here's a firewall post on DSLReports that might help you.
 
http://www.dslreports.com/forum/remark,17934002
« Last Edit: Mar 7th, 2007, 3:35am by siliconman01 »
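The logs in Replies #4, #6 and #10 and the registry discussion in Reply #11 share one triage question: when Exterminate removes only a value under Shell Extensions\Approved, what does that value actually point at? The script below is an added example, not code from PC Pitstop, Mischel Internet Security or anyone in this thread. It parses the log format as it appears in the posts above (the grammar is inferred from those three logs; any "Simple:" record type they never show is kept as kind "other" rather than parsed), then for each threat reports whether only registry values were removed and which CLSID\{guid}\InprocServer32 key holds the DLL that a reviewer would check before calling the hit a false positive. The sample log is constructed from lines in the thread, with the cookie owner's name replaced by a placeholder.

```python
"""Parse PC Pitstop Exterminate logs of the kind quoted in this thread and
triage the registry artifacts they report. Added example, not code from PC
Pitstop, Mischel or the thread's authors; the log grammar is inferred from the
logs Malice posted, so record types not seen there are kept as kind "other"."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: lines combined from the logs in Replies #4 and #10,
# with the cookie owner's name replaced by the placeholder "user".
SAMPLE_LOG = r"""
-- Begin Scan Phase at 23:17:15 --
-- Begin Memory Scan --
-- Begin Common-locations Scan --
-- Begin Registry Scan --
 > Detected Difisim
-- Begin Cookie Scan --
 > Detected Tacoda cookie
Scanned 37,547 items, and detected 3 items associated with 2 threats

-- Begin Removal at 23:17:51 --
>> Removing Difisim
 > Simple: Key "hkey_local_machine \software\microsoft\windows\currentversion\shell extensions\approved" value "{5e2121ee-0300-11d4-8d3b-444553540000}"
 > Simple: Key "hkey_classes_root \clsid\{5e2121ee-0300-11d4-8d3b-444553540000}\inprocserver32" value "threadingmodel" data "apartment"
>> Removing Tacoda cookie
 > Simple: Cookie "user@tacoda[1].txt" File "C:\Documents and Settings\user\Cookies\user@tacoda[1].txt"

-- Reboot is not required --
"""

PHASE_RE = re.compile(r"^-- Begin (.+?) Scan --")
DETECT_RE = re.compile(r"^\s*> Detected (.+?)\s*$")
SUMMARY_RE = re.compile(r"^Scanned ([\d,]+) items, and detected (\d+) items associated with (\d+) threats")
REMOVING_RE = re.compile(r"^>> Removing (.+?)\s*$")
KEY_RE = re.compile(r'^\s*> Simple: Key "([^"]+)" value "([^"]*)"(?: data "([^"]*)")?')
COOKIE_RE = re.compile(r'^\s*> Simple: Cookie "([^"]+)" File "([^"]+)"')
OTHER_RE = re.compile(r"^\s*> Simple: (.+)$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


@dataclass
class Artifact:
    threat: str
    kind: str                   # "registry", "cookie" or "other"
    location: str               # registry key, or file path for cookies
    value: str = ""             # registry value name, or cookie file name
    data: Optional[str] = None  # registry value data when the log prints it


@dataclass
class ScanResult:
    detections: Dict[str, str] = field(default_factory=dict)  # threat -> scan phase
    artifacts: List[Artifact] = field(default_factory=list)
    scanned: int = 0
    items: int = 0
    threats: int = 0


def normalize_key(key: str) -> str:
    """Exterminate prints the hive, a stray space, then the path; drop the
    space and upper-case the hive so keys compare consistently."""
    key = re.sub(r"\s+\\", r"\\", key.strip())
    hive, sep, path = key.partition("\\")
    return hive.upper() + sep + path


def parse_log(text: str) -> ScanResult:
    result, phase, threat = ScanResult(), "unknown", "unknown"
    for line in text.splitlines():
        if m := PHASE_RE.match(line):
            phase = m.group(1)
        elif m := DETECT_RE.match(line):
            result.detections[m.group(1)] = phase
        elif m := SUMMARY_RE.match(line):
            result.scanned = int(m.group(1).replace(",", ""))
            result.items, result.threats = int(m.group(2)), int(m.group(3))
        elif m := REMOVING_RE.match(line):
            threat = m.group(1)
        elif m := KEY_RE.match(line):
            result.artifacts.append(Artifact(threat, "registry", normalize_key(m.group(1)), m.group(2), m.group(3)))
        elif m := COOKIE_RE.match(line):
            result.artifacts.append(Artifact(threat, "cookie", m.group(2), m.group(1)))
        elif m := OTHER_RE.match(line):
            result.artifacts.append(Artifact(threat, "other", m.group(1)))
    return result


def triage(result: ScanResult, threat: str) -> Dict[str, object]:
    """Summarise what was removed for one threat and which keys to inspect
    before accepting the verdict."""
    registry = [a for a in result.artifacts if a.threat == threat and a.kind == "registry"]
    other = [a for a in result.artifacts if a.threat == threat and a.kind == "other"]
    guids = set()
    for a in registry:
        guids.update(g.lower() for g in GUID_RE.findall(a.location + " " + a.value))
    # A value under Shell Extensions\Approved only names a CLSID. The DLL that
    # implements it is the default value of CLSID\{guid}\InprocServer32; that
    # DLL (vendor, signature, path) decides false positive or not, and the
    # log never shows it.
    inspect = sorted("HKEY_CLASSES_ROOT\\CLSID\\%s\\InprocServer32" % g for g in guids)
    return {
        "phase": result.detections.get(threat, "not detected"),
        "registry_artifacts": len(registry),
        "other_artifacts": len(other),
        "guids": sorted(guids),
        "inspect": inspect,
        # Registry values with nothing else removed is the pattern the thread
        # flags: an orphaned registration or a false positive, not live malware.
        "registry_only": bool(registry) and not other,
    }


if __name__ == "__main__":
    res = parse_log(SAMPLE_LOG)
    for name in res.detections:
        print(name, triage(res, name))
```

Run against a saved Exterminate log instead of the sample, the "inspect" list gives the exact keys to open in regedit; a default InprocServer32 value pointing at a signed vendor DLL (an ATI shell extension, in the scenario siliconman01 raises) is the evidence that settles the false-positive question, and the file it names is what would be worth submitting for analysis rather than the registry value alone.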

siliconman01 (Global Moderator, Posts: 5604)
Re: Trojan « Reply #12 on: Mar 7th, 2007, 5:41am »

Here are some suggestions that will enhance your computer(s)' security.

1.  Install a hardware firewall/NAT router as a first line of defense. There are several good brands available ranging in price from $60-$150. Personally I use the Linksys BEFSX41 firewall/NAT router; however, there are other comparable or better models out there. Setting up a router sounds a bit "tricky", but it's not bad at all. The DSLReports forum has a section dedicated to supporting various brands of routers.

2.  Add freebie SpywareBlaster to your systems. This will protect you against thousands of malicious elements that can infect you while surfing. This program does not hamper system performance because it loads its protection as system registry kill bits. There is no realtime component of SpywareBlaster running to take up system resources and memory.

http://www.javacoolsoftware.com/spywareblaster.html

3.  Install a licensed version of SuperAntiSpyware and use its active realtime protection to guard against spyware. SAS is very good at spyware detection and removal. Plus it has an extremely "friendly footprint" on system resources.

http://www.superantispyware.com/

4.  Implement the use of HOSTS file protection to guard against thousands and thousands of malicious websites. I use the MVPS set of HOSTS file guards coupled with HOSTSMAN V3.0.0.25beta1 to manage the files and perform updates.

http://www.mvps.org/winhelp2002/hosts.htm

http://hostsman.abelhadigital.com/

5.  Ensure that the realtime protection THGuard.exe is utilized for TrojanHunter (licensed version).

6.  Ensure that your Windows system is fully updated with all security patches from Microsoft, inclusive of Internet Explorer 7. If you are using MS Office products, ensure that updates are current.

Below is a link concerning hardening the settings with IE7.

http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1241319,00.html

-  One key item is to disable downloading ActiveX. If a specific trusted site requires an ActiveX download, add that site to your trusted site zone.

7.  Ensure that Java is updated to the latest security released version.

http://www.java.com/en/

8.  Install freebie program CCleaner and use it routinely to clean out temporary files and junk files from your system.

http://www.ccleaner.com

9.  Depending on what personal firewall and anti-virus/anti-malware software you install, harden their settings to maximize your system's protection. The default settings on most of this type of software are NOT adequate to fully protect your computer. User forums are typically available for the brand you select/implement which can furnish guidance for hardening. Unfortunately Symantec does not have a dedicated user forum; however, a lot of Symantec support is provided on the DSLReports forum under the Security section. The CastleCops forum also assists in the support of Symantec.

As said earlier, I am quite satisfied with NIS 2007.

10.  And of course there is the all-encompassing statement of "practice SAFE surfing and email handling"....whatever that means.
 
 
 

Malice (Newbie, Posts: 7)
Re: Trojan « Reply #13 on: Mar 18th, 2007, 8:23am »

siliconman01
It's been a while as I have been working on this Difisim thing. I have followed your suggestions and am still at a loss as to why it keeps returning.
I am using a router and BitDefender (trial version) plus all the software you suggested. I can remove it every time, but it's driving me nuts why it comes back. My suspicion is that it is a false positive since it is always listed as "inactive" with no other entries in the registry etc. Maybe it's just a cookie set by some site I go to, but I can't figure out which one.
Many thanks for your knowledgeable help.

siliconman01 (Global Moderator, Posts: 5604)
Re: Trojan « Reply #14 on: Mar 18th, 2007, 1:29pm »

Yes, I am very inclined to think this is a false positive too. You should/could contact Exterminate support and get them to verify whether or not it is a false positive as per their investigation.
« Last Edit: Mar 18th, 2007, 1:30pm by siliconman01 »