Thread: Trojans

  1. #1
    ricksgotadrama Guest

    Trojans

    Hi all.

    My first post - looking for some help with trojan problems in particular, and a few other things if anyone will be so kind.

    I ran a ZASS 8.0.059 scan with everything at its full strength a few days ago and came up with three trojans. Like an ***** I quarantined and then deleted them without taking note of what they were and seeing whether they'd penetrated my system further. I can't find any details of them in the logs for ZA either, so I'm really after some general help and ideas to see whether I may have a continuing problem.

    I have since run a couple more ZASS scans on full strength and they came up clean. I also ran a deep scan with Windows Defender and came up clean. I've turned System Restore off, restarted, and turned it on again to clean any old recovery points, (but I haven't yet deleted my Avanquest Recovery Commander checkpoints).

    I know one of the trojans identified was Vaklik, which was found in the Microsoft CalcPlus.msi (downloaded from the official site only a few days prior). I presume that was a false positive (as the file seemed clean when scanning from a right click option with ZASS, and also with Defender), but since I don't really use it I deleted it anyway. Unfortunately I can't remember what the other two trojans I had were.

    I'm also concerned about ctfmon.exe/CTF Loader. It's in System 32, which seems correct, and I do use it as I switch between UK and US keyboard layouts often, but under Avanquest System Suite 9 Start Up Optimizer the following info is displayed:

    ctfmon.exe
    Type: Not recommended
    Filename: ctfmon.exe
    Publisher: Microsoft Corporation
    Version: 5.11.61.136 Date: 07/19/05 File size: 15.1 KB

    Description: Added by the RAIDYS [http://www.symantec.com/security_res...62417-1936-99] TROJAN! Note - this should not be confused with the valid Office XP file, see here [http://support.microsoft.com/default...;en-us;282599]
    Source: Paul Collins Startup list

    If I check its version myself through properties it's 5.1.2600.5512, and not the version listed above. ZASS doesn't pick up a problem with ctfmon.exe, but I'd like to be sure.

    A couple more things regarding general security - should I have any of the real time protection options running in Windows Defender if ZASS is running as normal? (I don't want any conflicts with ZASS's real time protection/on access scanning). Also, I've just started using Privoxy. It's currently set up at my localhost address, but I'm wondering whether it would be safer to run it at my router's IP address - 192.168.1.2. If yes, what should the last digit be: .2, .1 (Default Gateway) or .0? Would all my browsers and programs then need reconfiguring to this new proxy address, or would they run as normal without having any proxy settings? Would some kind guru (such as Oldsod) be able to provide a copy of their config/action files for Privoxy so I know I'm better protected? And - finally - in layman's terms, what are the benefits/disadvantages of having a hosts file (with Privoxy running at localhost or 192.168.1)?

    Apologies for the length of this thread and my obvious technical incompetence, but any help will be much appreciated.

    Operating System:Windows XP Pro
    Software Version:8.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Trojans

    Copy the ctfmon.exe and upload it to
    http://virusscan.jotti.org/

    or

    http://www.virustotal.com/

    The full multi-antivirus engine scanners will show whether the Windows file is malware or not.

    You can only use the router IP for the privoxy address if the privoxy is installed in the router or in a gateway.
    If privoxy is installed only on the desktop (usually the case with a home user), then just use the normal 127.0.0.1:8118 address and port.

    There is a little discussion about privoxy starting somewhere about here:

    http://forum.zonelabs.org/zonelabs/b...ssage.id=55014

    A hosts file vs privoxy.
    A hosts file can slow down the browser, but covers all internet applications and covers https traffic. Hosts files can not use wild cards, and will get bulky. Nor can they do raw IPs.
    Privoxy only covers the browsers (or anything else which can be set to use a proxy connection, such as an updater or even a media player) and is only for http traffic (unless privoxy is installed in the gateway, and then it will filter all of the http traffic for everything set to use the proxy server's IP via the proxy server set up in the Windows network properties).
    Privoxy can use raw IPs and wild cards and various filters (if you know perl well enough) besides using raw url lists for filtering (which can include using edited hosts files with the 127.0.0.1 removed).

    Oldsod.

    Message Edited by Oldsod on 03-04-2009 12:39 AM
    Best regards.
    oldsod

  3. #3
    ricksgotadrama Guest

    Re: Trojans

    Thanks for the malware scanner links - very useful.

    Seems that Systemsuite was being overzealous as there's nothing wrong with ctfmon.exe according to the scanners. However it still shows up with the wrong version number and the same warning even after removing and reinserting the file in the startup optimizer again; so I'll give it a **bleep** good ignoring.

    I had considered using the router IP for Privoxy as I sometimes run my laptop through this PC on a LAN. I'll keep Privoxy on the localhost for now as there's a lot to learn about it for someone with my current knowledge of proxies.

    Regarding Privoxy only covering HTTP traffic - I downloaded Privoxy as part of the Vidalia bundle and read somewhere that HTTPS and FTP traffic should also be directed to the proxy in the browser settings to plug information leaks, or is that only if you're running Tor and Privoxy with Firefox, and doing that will otherwise reduce your browser's day-to-day functionality?

    I'm afraid that I don't know perl at all, which is why I'm thankful for the link to the old thread with some of your Privoxy settings. To confirm my lack of knowledge about Privoxy - would all of these settings be added to the user action file, as that's the only action file that won't be updated unless I manually edit it?

    Also, just checking about the real time protection options in Win Defender that I asked about in my post. Any suggestions for the settings?

    Thanks again.

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Trojans

    ricksgotadrama wrote:
    > Thanks for the malware scanner links - very useful.
    >
    > Seems that Systemsuite was being overzealous as there's nothing wrong with ctfmon.exe according to the scanners. However it still shows up with the wrong version number and the same warning even after removing and reinserting the file in the startup optimizer again; so I'll give it a **bleep** good ignoring.
    >
    > I had considered using the router IP for Privoxy as I sometimes run my laptop through this PC on a LAN. I'll keep Privoxy on the localhost for now as there's a lot to learn about it for someone with my current knowledge of proxies.
    >
    > Regarding Privoxy only covering HTTP traffic - I downloaded Privoxy as part of the Vidalia bundle and read somewhere that HTTPS and FTP traffic should also be directed to the proxy in the browser settings to plug information leaks, or is that only if you're running Tor and Privoxy with Firefox, and doing that will otherwise reduce your browser's day-to-day functionality?
    >
    > I'm afraid that I don't know perl at all, which is why I'm thankful for the link to the old thread with some of your Privoxy settings. To confirm my lack of knowledge about Privoxy - would all of these settings be added to the user action file, as that's the only action file that won't be updated unless I manually edit it?
    >
    > Also, just checking about the real time protection options in Win Defender that I asked about in my post. Any suggestions for the settings?
    >
    > Thanks again.

    Oops you are right, privoxy does cover https traffic (forgot as I skipped using privoxy for the https). But checking it does not seem to cover FTP.

    That, and the answer for the use of the hosts file alongside privoxy (I no longer use any hosts files and just edit those files to add to the privoxy), and the use of Tor are covered here:

    http://www.privoxy.org/faq/misc.html

    The user action does change with updates as the file does change.
    You should make your own action file and enter it in the config.txt file (which will need to be re-edited again if upgrading). Usually they advise to copy and save any filters or action files of your own, then upgrade and replace your files and edit the user.action and config.txt as it was before or wanted.

    Haven't used Tor but I have a limited knowledge of it.
    The same for the Defender - never used it, but it should be able to use the full guard alongside the ZASS.

    Oldsod.
    Best regards.
    oldsod
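    Oldsod mentions (in post #2 and again above) feeding Privoxy an edited hosts file with the 127.0.0.1 removed, placed in an action file of your own rather than in user.action. The following script is an added example, not code from the thread or from the Privoxy project: it parses a constructed blocking-style hosts file, drops comments, duplicates, localhost entries and genuine host mappings, and emits the names as a Privoxy `{+block{...}}` section. It goes slightly beyond the thread by also accepting 0.0.0.0 as a sink address, which is an assumption of this example.

```python
#!/usr/bin/env python3
"""Convert a blocking-style hosts file into a Privoxy action-file section.

Added example, not from the thread or the Privoxy project. It assumes the
hosts file points blocked names at 127.0.0.1 (or 0.0.0.0, an assumption
added here) and that the output will be appended to an action file of
your own that is listed in Privoxy's config.
"""
import re

# Addresses a "blocking" hosts file points unwanted names at. The thread
# only mentions 127.0.0.1; 0.0.0.0 and ::1 are assumptions added here.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that belong to the local machine and must never be turned into blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Conservative hostname check: dotted labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def parse_hosts(text):
    """Return the blocked hostnames from hosts-file text, in order, deduplicated.

    Comment and blank lines, entries pointing at a non-sink address (real
    host mappings) and names for the local machine are skipped.
    """
    seen = set()
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        address, hostnames = fields[0], fields[1:]
        if address not in SINK_ADDRESSES:
            continue  # a genuine mapping such as a file server, not a block
        for name in hostnames:
            name = name.lower().rstrip(".")
            if name in LOCAL_NAMES or not HOSTNAME_RE.match(name):
                continue
            if name not in seen:
                seen.add(name)
                names.append(name)
    return names


def hosts_to_privoxy_block(text, reason="Converted from hosts file"):
    """Render the hostnames as a Privoxy {+block{reason}} section.

    Names are emitted exactly as the hosts file had them, so matching stays
    host-exact like the hosts file. Adding a leading dot would make Privoxy
    match subdomains too, which is the wild-card ability a hosts file lacks.
    """
    names = parse_hosts(text)
    if not names:
        return ""
    header = "{+block{%s}}" % reason.replace("}", "")
    return "\n".join([header, *names]) + "\n"


# Constructed sample hosts file for this example, not from the thread.
SAMPLE_HOSTS = """\
# Sample blocking hosts file (constructed)
127.0.0.1   localhost
127.0.0.1   ads.example.invalid      # banner server
0.0.0.0     tracker.example.invalid
127.0.0.1   ads.example.invalid      # duplicate on purpose
192.168.1.10 fileserver.lan          # real mapping, must not be blocked
127.0.0.1   bad_name.example.invalid # underscore is not a valid hostname
"""

if __name__ == "__main__":
    print(hosts_to_privoxy_block(SAMPLE_HOSTS), end="")
```

    Save the output as, for example, a hypothetical `blocklist.action` and list it with an `actionsfile` line in Privoxy's config, as Oldsod advises, so an upgrade that rewrites user.action does not discard it.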

  5. #5
    ricksgotadrama Guest

    Re: Trojans

    Didn't think Privoxy dealt with FTP, but I just remember reading to set Firefox as if it did, to plug any information leaks whilst using Tor. Only played with Tor for a little bit to see what all the fuss was about, so I suppose the browser's FTP setting isn't particularly relevant for me anyway. As for the rest, I'll play with the Privoxy config.txt file and see how I get on.

    Cheers for the help and advice, Oldsod. Much appreciated.

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Trojans

    ricksgotadrama wrote:
    > Didn't think Privoxy dealt with FTP, but I just remember reading to set Firefox as if it did, to plug any information leaks whilst using Tor. Only played with Tor for a little bit to see what all the fuss was about, so I suppose the browser's FTP setting isn't particularly relevant for me anyway. As for the rest, I'll play with the Privoxy config.txt file and see how I get on.
    >
    > Cheers for the help and advice, Oldsod. Much appreciated.

    I never felt the need to hide my true publicly assigned IP, so I never needed Tor. Can't really see it as a necessary security tool.
    As for the FTP, if privoxy does not filter it anyway (not much to filter anyway with FTP downloads/uploads), then it will not really matter whether the browser is set to use Privoxy for FTP.

    Read the FAQ for Privoxy - most questions or problems are answered in there.

    Also http://www.privoxy.org/user-manual/index.html

    Note there are help files to be found in the Privoxy directory folder too.
    Oldsod.
    Best regards.
    oldsod
