Welcome to the GoFuckYourself.com - Adult Webmaster Forum forums.
Old 11-17-2003, 02:26 AM   #1
kenny
Confirmed User
 
Industry Role:
Join Date: Mar 2002
Posts: 7,245
Trogan horse

My anti-virus software Norton will not detect this trogan horse on my machine. My firewall keeps reporting a hacker alert from a backdoor program "Deepthroat" trogan.


I updated the virus scanner and downloaded every single trogram remover program I could find. Nothing detects it.

Any suggestions?
__________________
7
Old 11-17-2003, 02:27 AM   #2
Jon Levi
So Fucking Banned
 
Join Date: Oct 2003
Posts: 210
Quote:
Any suggestions?
Learn to spell fucker
Old 11-17-2003, 02:31 AM   #3
extreme
Confirmed User
 
Industry Role:
Join Date: Oct 2002
Location: lalaland
Posts: 2,120
Trogan? Grogan?
Old 11-17-2003, 02:34 AM   #4
LiveDose
Show Yer Tits!
 
Industry Role:
Join Date: Feb 2002
Location: Somewhere Out there...
Posts: 25,792
what's up with the "g's" bro? Computer lisp?
__________________

Scammer Alert: acer19 acer [email protected] [email protected] Money stolen using PayPal
Old 11-17-2003, 02:39 AM   #5
kenny
Confirmed User
 
Industry Role:
Join Date: Mar 2002
Posts: 7,245
so I spelled fucking trojan wrong.

Windows are also being closed and programs opened by a remote hacker.

took me 10 minutes to write this
__________________
7
Old 11-17-2003, 02:42 AM   #6
LiveDose
Show Yer Tits!
 
Industry Role:
Join Date: Feb 2002
Location: Somewhere Out there...
Posts: 25,792
relax. we were just joking...
__________________

Scammer Alert: acer19 acer [email protected] [email protected] Money stolen using PayPal
Old 11-17-2003, 02:53 AM   #7
irishfury
Confirmed User
 
Join Date: Aug 2003
Location: In the hearts of cowards
Posts: 2,611
Close off port 6670
__________________
Trust no one, they're all snakes
Old 11-17-2003, 02:54 AM   #8
raceman
Confirmed User
 
Join Date: Jul 2003
Location: Now offshore on an island paying a heluva lot less tax than you suckers
Posts: 1,064
Hey Kenny, I had a similar problem a while back. I edited all the files in the system32 folder, which is where the hacker dumped his/her kit, sheeesh I found all sorts in there, via the date/time stamp on the files. The stuff all looked like scripts for flooding and DDoS attacks on IRC.

Not saying it's gonna cure the whole problem, but at least you can screw the fucker up.

I only did this because I could not be assed reformatting. Oh yeah, and I ramped up the Norton Firewall to Warp factor 10, not had a problem since.


RACEMAN good luck
__________________
"ILLEGITIMIS NON CARBORUNDUM" <-- "DON'T LET THE BASTARDS GRIND YOU DOWN"

General Joe Stilwell

ICQ: 213-684-158
Old 11-17-2003, 02:55 AM   #9
Tala
Fucked if I know
 
Join Date: Dec 2002
Location: Do you have a flag?
Posts: 23,368
Zone Alarm pro
__________________

ICQ: 11120676 | Google: mindcrime | Skype: suitemindcrime|E-Mail: mindcrime AT gmail.com|PR girl with great writing skills for hire!!!! Contact me to work for YOU!|TECHIEMEDIA? 24/7 support from some of the best techs in the biz. Tell Jim that I sent you.
Old 11-17-2003, 03:01 AM   #10
irishfury
Confirmed User
 
Join Date: Aug 2003
Location: In the hearts of cowards
Posts: 2,611
This trojan adds a registry line not only when it's run, but when it's shut down.
Version 1 used the name System32, and versions 2 and 3 use the name SystemTray.
This key will be located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

For version 1, look for the item 'System32', which should point to the file c:\windows\system32.exe
Version 2 or 3 will be listed under the item 'SystemTray', and should point to c:\windows\systray.exe
(Note: If you have an item 'SystemTray' = 'Systray.exe' with no path, then this points to C:\windows\system\ and is OK. Only copies residing in C:\windows are potentially dangerous.)

Be careful in that c:\windows\system\systray.exe is a real system program, and should NOT be deleted.

There is also a version, actually a modification to the DeepThroat server, called 'Reduced Foreplay'.
The removal for this version is the same as v2.0 or 3.0; however, it does not have a numerical version.


First note the program/version it points to.. you will need to delete it later.

Next, go to Start and Shut Down.. Restart the computer in MS-DOS mode.
You should have a C:\windows prompt.. if not, cd c:\windows to get to the right directory, and then delete the exe you found and noted using regedit. (del filename.exe)
Then type Exit to get back to Windows, and then reboot your system.
After the reboot, go back to regedit and remove the registry entry. There is no need to reboot again, as the trojan was deleted.

That's it. You should be uninfected!

For reference, DeepThroat's server is 305k in size and will open 3 ports. TCP 6670 for others to scan (but this will NOT show in netstat), and UDP 3150 + 2140.
__________________
Trust no one, they're all snakes
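A defender-side check for the Run-key indicators the post above describes, written as an added example (not code from the post or the forum). It assumes the value names and paths quoted in the post, treats the no-path 'Systray.exe' and the c:\windows\system\ copy as legitimate exactly as the note says, and only touches the live registry (via Python's winreg) on Windows; elsewhere it classifies constructed sample entries.

```python
import ntpath

# Indicators quoted from the post above: Run-key value name -> path a DeepThroat
# install points to (assumed accurate for the versions the post describes).
DEEPTHROAT_RUN_ENTRIES = {
    "system32": r"c:\windows\system32.exe",    # DeepThroat v1
    "systemtray": r"c:\windows\systray.exe",   # v2/v3 and 'Reduced Foreplay'
}
LEGIT_SYSTRAY_DIR = r"c:\windows\system"       # the real systray.exe; never delete it

# Constructed sample entries (not a real capture) so the script runs off-Windows.
SAMPLE_ENTRIES = [
    ("SystemTray", "Systray.exe"),                  # no path -> c:\windows\system\, OK
    ("SystemTray", r"C:\WINDOWS\systray.exe"),      # copy in c:\windows -> DeepThroat v2/v3
    ("System32", r"c:\windows\system32.exe"),       # DeepThroat v1
    ("Norton", r"C:\Program Files\Norton\nav.exe"), # unrelated autostart
]


def classify_run_entry(name, value):
    """Return 'suspicious', 'ok' or 'unknown' for one Run-key (name, value) pair."""
    key = name.strip().lower()
    path = value.strip().strip('"').lower()
    if key not in DEEPTHROAT_RUN_ENTRIES:
        return "unknown"
    expected_dir, expected_file = ntpath.split(DEEPTHROAT_RUN_ENTRIES[key])
    directory, filename = ntpath.split(path)
    directory = ntpath.normpath(directory) if directory else ""
    if filename != expected_file:
        return "unknown"
    # Per the post: bare 'Systray.exe' resolves to c:\windows\system\ and is the real program.
    if key == "systemtray" and directory in ("", LEGIT_SYSTRAY_DIR):
        return "ok"
    if directory == expected_dir:        # copy sitting directly in c:\windows
        return "suspicious"
    return "unknown"


def scan_run_key(entries=None):
    """Classify (name, value, verdict) for each Run-key entry; reads the live key if none given."""
    if entries is None:
        import winreg  # Windows only
        run = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                             r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
        entries, i = [], 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(run, i)
            except OSError:
                break
            entries.append((name, str(value)))
            i += 1
    return [(name, value, classify_run_entry(name, value)) for name, value in entries]


if __name__ == "__main__":
    for name, value, verdict in scan_run_key(SAMPLE_ENTRIES):
        print(f"{verdict:10} {name} = {value}")
```

A 'suspicious' verdict only says the entry matches the post's indicators; confirm the file's timestamp and size (the post gives 305k) before removing it, and leave the c:\windows\system\ copy alone.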